ALL7008
User's Manual

Summary of Contents for Allnet ALL7008

  • Page 1 ALL7008 User’s Manual...
  • Page 2: Table Of Contents

    Table of Contents: System: Chapter 1 Administration 5; Admin 7; Permitted IPs 9; Logout 10; Software Update 11; Chapter 2 Configure 13; Setting 18; Date/Time 23; Multiple Subnet 24; Route Table 27; DHCP ...
  • Page 3 Chapter 5 Service 69; Custom 72; Group 76; Chapter 6 Schedule; Chapter 7 QoS 83; Example; Chapter 8 Authentication; Auth User; Auth User Group; RADIUS; POP3 Server; Chapter 9 Content Blocking ...
  • Page 4 Mail Security: Chapter 13 Configure 301; Mail Relay 304; Chapter 14 Anti-Spam 309; Example 324; Chapter 15 Anti-Virus 365; Example 371; Anti-Attack: Chapter 16 Alert Setting 381; Internal Alert 386; Chapter 17 Attack Alarm 391; Internal Alarm 393; External Alarm ...
  • Page 5 Chapter 21 Status 423; Interface 424; Authentication 426; ARP Table 427; DHCP Clients 428...
  • Page 6: Administration

    “System” covers management settings such as the privileges of packets that pass through the ALL7008 and monitoring controls. System Administrators can manage, monitor, and configure the ALL7008 settings. All configurations are “read-only” for users other than the System Administrator; those users are not...
  • Page 7: Admin

    Define the required fields of Administrator. Administrator Name: The username of the Administrator and Sub Administrators for the ALL7008. The admin user cannot be removed; a sub-admin user can be removed or reconfigured. Default Account: admin; Password: admin. Privilege: The privilege level of the account (Admin or Sub Admin).
  • Page 8 Adding a new Sub Administrator STEP 1﹒In the Admin WebUI, click the New Sub Admin button to create a new Sub Administrator. STEP 2﹒In the Add New Sub Administrator WebUI (Figure 1-1), enter the following settings: Sub Admin Name: sub_admin Password: 12345 Confirm Password: 12345 STEP 3﹒Click OK to add the user or click Cancel to cancel it.
  • Page 9 Modify the Administrator’s Password STEP 1﹒In the Admin WebUI, locate the Administrator name you want to edit, and click on Modify in the Configure field. STEP 2﹒The Modify Administrator Password WebUI will appear. Enter the following information: Password: admin New Password: 52364 Confirm Password: 52364 (Figure1-2) STEP 3﹒Click OK to confirm password change.
  • Page 10: Permitted Ips

    For Permitted IPs to take effect, the Ping and WebUI selections must be cancelled on the ALL7008 interface through which the Administrator enters the WebUI (LAN, WAN, or DMZ Interface). Before cancelling the WebUI selection of an Interface, set up the Permitted IPs first,...
  • Page 11: Logout

    Logout STEP 1﹒Click Logout in System to protect the system while the Administrator is away. (Figure1-5) Figure1-5 Confirm Logout WebUI STEP 2﹒Click OK and the logout message will appear in WebUI. (Figure1-6) Figure1-6 Logout WebUI Message...
  • Page 12: Software Update

    Check the current version under Version Number and obtain the latest version from the Internet. Save the latest version on the PC that manages the ALL7008. Click Browse and choose the latest software version file. Click OK and the system will update automatically. (Figure1-7) Figure1-7 Software Update It takes 3 minutes to update software.
  • Page 14: Configure

    Chapter 2 Configure Configure covers the basic settings of the ALL7008. This chapter defines the Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table, and Language settings.
  • Page 15: Setting

    Define the required fields of Settings ALL7008 Configuration: The Administrator can import or export the system settings. Click OK to import the file into the ALL7008 or click Cancel to cancel importing. You can also restore the default values here. Email Settings: Select Enable E-mail Alert Notification under E-mail Settings.
  • Page 16 Administration Packet Logging: When this function is enabled, the ALL7008 records packets whose source or destination IP address is the ALL7008 itself and stores them in the Traffic Log for the System Manager to review. Define the required fields of Time Settings Synchronize Time/Date: Synchronizing the ALL7008 with the System Clock.
  • Page 17 NAT Mode: It allows the Internal Network to use multiple subnet addresses and connect to the Internet through different WAN IP Addresses. For example: a company's leased line provides several real IP Addresses (168.85.88.0/24), and the company is divided into R&D, service, sales, procurement, and accounting departments; the company can give each department a different subnet to make management easier.
  • Page 18 Define the required fields of DHCP Subnet: The domain name of LAN NetMask: The LAN Netmask Gateway: The default Gateway IP address of LAN Broadcast IP: The Broadcast IP of LAN Define the required fields of DDNS Domain Name: The domain name provided by DDNS WAN IP Address: The WAN IP Address that the domain name corresponds to.
  • Page 19 STEP 2﹒When the File Download pop-up window appears, choose where to save the exported file and click Save. The ALL7008 settings will be copied to the chosen location immediately. (Figure2-1) Figure2-1 Select the Destination Place to Save the Exported File...
  • Page 20 STEP 1﹒In System Setting WebUI, click on the Browse button next to Import System Settings from Client. When the Choose File pop-up window appears, select the file that contains the saved ALL7008 Settings, then click OK. (Figure2-2) STEP 2﹒Click OK to import the file into the ALL7008 (Figure2-3)
  • Page 21: Restoring Factory Default Settings

    Restoring Factory Default Settings STEP 1﹒Select Reset Factory Settings in ALL7008 Configuration WebUI STEP 2﹒Click OK at the bottom-right of the page to restore the factory settings. (Figure2-4) Figure2-4 Reset Factory Settings...
  • Page 22 Enabling E-mail Alert Notification STEP 1﹒Select Enable E-mail Alert Notification under E-Mail Settings. STEP 2﹒Sender Address: Enter the Sender Address. (Required by some ISPs.) STEP 3﹒SMTP Server IP: Enter SMTP server’s IP address. STEP 4﹒E-Mail Address 1: Enter the e-mail address of the first user to be notified.
  • Page 23 Reboot ALL7008 STEP 1﹒Reboot ALL7008:Click Reboot button next to Reboot ALL7008 Appliance. STEP 2﹒A confirmation pop-up page will appear. STEP 3﹒Follow the confirmation pop-up page; click OK to restart ALL7008. (Figure2-6) Figure2-6 Reboot ALL7008...
  • Page 24: Date/Time

    STEP 4﹒Set the interval time to synchronize with outside servers. Figure2-7 System Time Setting Click on the Sync button and the ALL7008’s date and time will be synchronized with the Administrator’s PC. The values of Set Offset From GMT and Server IP / Name can be found from...
  • Page 25: Multiple Subnet

    Connect to the Internet through Multiple Subnet NAT or Routing Mode, according to the IP address set on the LAN user’s network card. Preparation: ALL7008 WAN1 (10.10.10.1) connects to the ISP Router (10.10.10.2), and the subnet provided by the ISP is 162.172.50.0/24. To connect to the Internet, WAN2 IP (211.22.22.22) connects with ATUR.
  • Page 26 Adding Multiple Subnet Add the following settings in Multiple Subnet of System function: Click on New Entry Alias IP of LAN Interface: Enter 162.172.50.1 Netmask: Enter 255.255.255.0 WAN1: Enter Interface IP 10.10.10.1, and choose Routing in Forwarding Mode WAN2: Enter Interface IP 211.22.22.22, and choose NAT in Forwarding Mode Click OK Complete Adding Multiple Subnet (Figure2-8)
  • Page 27 ․162.172.50.xx, it uses Routing mode through WAN1 (The Internet Server can see your IP 162.172.50.xx directly). And uses NAT mode through WAN2 (The Internet Server can see your IP as WAN2 IP)(Figure2-9) Figure 2-9 Multiple Subnet Network The ALL7008’s Interface Status: WAN1 IP: 10.10.10.1 WAN2 IP:211.22.22.22 LAN Port IP:192.168.1.1...
  • Page 28: Route Table

    Route Table Connect two routers on different subnets to the ALL7008 so that they reach the Internet through the ALL7008. Preparation Company A: WAN1 (61.11.11.11) connects with ATUR to Internet WAN2 (211.22.22.22) connects with ATUR to Internet LAN subnet: 192.168.1.1/24 Router1, which connects to the LAN (10.10.10.1, supports RIPv2)
  • Page 29 Route Table STEP 1﹒Enter the following settings in Route Table in System function: 【Destination IP】: Enter 192.168.10.1 【Netmask】: Enter 255.255.255.0 【Gateway】: Enter 192.168.1.252 【Interface】: Select LAN Click OK (Figure 2-10) Figure2-10 Add New Static Route1 STEP 2﹒Enter the following settings in Route Table in System function: 【Destination IP】: Enter 192.168.20.1 【Netmask】: Enter 255.255.255.0 【Gateway】: Enter 192.168.1.252...
  • Page 30 STEP 3﹒Enter the following setting in Route Table in System function: 【Destination IP】: Enter 10.10.10.0 【Netmask】: Enter 255.255.255.0 【Gateway】: Enter 192.168.1.252 【Interface】: Select LAN Click OK (Figure 2-12) Figure2-12 Add New Static Route3...
  • Page 31 STEP 4﹒The routes are added. Computers on 192.168.10.1/24, 192.168.20.1/24 and 192.168.1.1/24 can now connect with each other and reach the Internet through NAT (Figure 2-13) Figure 2-13 Route Table Setting...
  • Page 32 LAN IP: 192.168.10.X Multiple Subnet: 192.168.85.X Company B WAN IP: 211.22.22.22 LAN IP: 192.168.20.X This example uses two ALL7008 units as the platform. Suppose Company B's 192.168.20.100 sets up a VPN connection with Company A's 192.168.10.100 and 192.168.85.100 to download resources.
  • Page 33 STEP 1﹒Enter the following setting in PPTP Server of VPN function in the ALL7008 of Company A (Figure 2-14, 2-15) Figure 2-14 PPTP VPN Server Connection Setting Figure 2-15 Complete PPTP VPN Server Setting...
  • Page 34 STEP 2﹒Add the following settings in PPTP Server of VPN function in the ALL7008 of Company B: (Figure2-16, 2-17) Figure 2-16 PPTP VPN Client Setting Figure 2-17 Complete PPTP VPN Client Setting...
  • Page 35 STEP 3﹒Enter the following setting in Route Table in Configure function in ALL7008 of Company B: 【Destination IP】: Enter 192.168.85.0 【Netmask】: Enter 255.255.255.0 【Gateway】: Enter nothing 【Interface】: LAN Click OK (Figure 2-18, 2-19) Figure2-18 Add New Static Route Figure 2-19 Complete Adding New Static Route...
  • Page 36 STEP 4﹒Complete PPTP VPN Connection. (Figure 2-20) Figure 2-20 PPTP VPN Connection Setting...
  • Page 37: Dhcp

    DHCP STEP 1﹒Select DHCP in System and enter the following settings: Domain Name: Enter the Domain Name DNS Server 1: Enter the distributed IP address of DNS Server1. DNS Server 2: Enter the distributed IP address of DNS Server2. WINS Server 1: Enter the distributed IP address of WINS Server1. WINS Server 2: Enter the distributed IP address of WINS Server2.
  • Page 38 Figure 2-21 DHCP WebUI When Automatically Get DNS is selected, the DNS Server is fixed to the LAN Interface IP. (Use case: when the System Administrator enables Authentication, the users’ first DNS Server must be the same as the LAN Interface IP in order to reach the Authentication WebUI.)
  • Page 39: Ddns

    Dynamic DNS Settings STEP 1﹒Select Dynamic DNS in System function (Figure2-22). Click New Entry button Service providers: Select service providers. Automatically fill in the WAN 1/2 IP: Check to automatically fill in the WAN 1/2 IP. User Name: Enter the registered user name. Password: Enter the password Domain name: Enter your host domain name Click OK to add Dynamic DNS.
  • Page 40 Chart Meaning: Update successfully; Incorrect username or password; Connecting to server; Unknown error. If the System Administrator has not registered a DDNS account, click Sign up to go to the provider's website. If you do not select Automatically fill in the WAN IP, you can enter a specific IP in WAN IP.
  • Page 41: Host Table

    Click OK to add Host Table. (Figure2-24) Figure2-24 Add New Host Table To use Host Table, the user PC’s first DNS Server must be the same as the LAN Port or DMZ Port IP of ALL7008. That is, the default gateway.
  • Page 42: Language

    Language Select the Language version (English Version/ Traditional Chinese Version or Simplified Chinese Version) and click OK. (Figure2-25) Figure2-25 Language Setting WebUI...
  • Page 44: Interface

    Chapter 3 Interface In this section, the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the LAN network, the WAN 1/2 network, and the DMZ network. The netmask and gateway IP addresses are also configured in this section.
  • Page 45: Lan

    Select this function to allow the LAN users to ping the Interface IP Address. HTTP: Select to enable the user to enter the WebUI of ALL7008 from Interface IP. WAN: The System Administrator can set up the WAN network of ALL7008.
  • Page 46 Dynamic IP Address (Cable Modem User) Static IP Address Saturated Connections: Set the session count at which the connection is treated as saturated; when the number of sessions reaches it, the ALL7008 switches to the next agent on the list. Priority: Set priority of WAN for Internet Access. Connection Test: To test if the WAN network can connect to Internet or not.
  • Page 47: Dmz

    DMZ: The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ includes: NAT Mode: In this mode, the DMZ is an independent virtual subnet. This virtual subnet can be set by the Administrator but cannot be the same as LAN Interface.
  • Page 48 We set up four Interface Address examples in this chapter: Modify LAN Interface Settings; Setting WAN Interface Address; Setting DMZ Interface Address (NAT Mode); Setting DMZ Interface Address (Transparent Mode)
  • Page 49 LAN IP Address on the computer, he/she has to restart the System to make the new IP address effective (when the computer obtains its IP by DHCP). Do not cancel the WebUI selection before Permitted IPs has been set up; otherwise the Administrator will not be able to enter the ALL7008’s WebUI from the LAN.
  • Page 50 Setting WAN Interface Address STEP 1﹒Select WAN in Interface and click Modify in WAN1 Interface. The setting of WAN2 Interface is almost the same as WAN1. The difference is that WAN2 has a selection of Disable. The System Administrator can close WAN2 Interface by this selection.
  • Page 51 Figure3-3 ICMP Connection Figure 3-4 DNS Service The connection test is how the ALL7008 detects whether the WAN can connect. The Alive Indicator Site IP, DNS Server IP Address, or Domain Name must therefore be permanently reachable; otherwise the device will misjudge the state of the WAN.
  • Page 52 STEP 3﹒Select the Connecting way: PPPoE (ADSL User) (Figure3-5): 1. Select PPPoE 2. Enter User Name as an account 3. Enter Password as the password 4. Select Dynamic or Fixed in IP Address provided by ISP. If you select Fixed, please enter IP Address, Netmask, and Default Gateway.
  • Page 53 Figure3-5 PPPoE Connection Figure3-6 Complete PPPoE Connection Setting If the connection is PPPoE, you can choose Service-On-Demand so that the WAN Interface reconnects automatically when disconnected, or set up Auto Disconnect if idle (not recommended)
  • Page 54 Dynamic IP Address (Cable Modem User) (Figure3-7): 1. Select Dynamic IP Address (Cable Modem User) 2. Click Renew to the right of IP Address to obtain an IP automatically. 3. If the ISP requires the MAC Address, click Clone MAC Address to obtain the MAC address automatically.
  • Page 55 Figure3-8 Complete Dynamic IP Connection Setting...
  • Page 56 Static IP Address (Figure3-9) 1. Select Static IP Address 2. Enter the IP Address, Netmask, and Default Gateway provided by the ISP 3. Enter DNS Server1 and DNS Server2. In WAN2, a Static IP Address connection does not need a DNS Server setting 4.
  • Page 57 When Ping and WebUI are selected on the WAN Interface, users on the WAN side can ping the ALL7008 and reach its WebUI, which may affect network security. It is recommended to cancel Ping and WebUI once all the settings are finished. If the System Administrator needs to enter the WebUI from the WAN, he/she can use Permitted IPs to do so.
  • Page 58 Setting DMZ Interface Address (NAT Mode) STEP 1﹒Click DMZ Interface STEP 2﹒Select NAT Mode in DMZ Interface Select NAT in DMZ Interface Enter IP Address and Netmask STEP 3﹒Select Ping and HTTP STEP 4﹒Click OK (Figure3-11) Figure3-11 Setting DMZ Interface Address (NAT Mode) WebUI...
  • Page 59 Setting DMZ Interface Address (Transparent Mode) STEP 1﹒Select DMZ Interface STEP 2﹒Select Transparent Mode in DMZ Interface Select DMZ_Transparent in DMZ Interface STEP 3﹒Select Ping and HTTP STEP 4﹒Click OK (Figure3-12) Figure 3-12 Setting DMZ Interface Address (Transparent Mode) WebUI The WAN connection type must be Static IP Address before Transparent Mode can be chosen in DMZ.
  • Page 60: Address

    Chapter 4 Address The ALL7008 allows the Administrator to set Interface addresses of the LAN network, LAN network group, WAN network, WAN network group, DMZ and DMZ group. An IP address in the Address Table can be an address of a computer or a sub network.
  • Page 61 Define the required fields of Address Name: A name the System Administrator assigns to the IP Address so that it is easily recognized. IP Address: It can be a single PC’s IP Address or several IP Addresses of a Subnet. The network areas can be: Internal IP Address, External IP Address, and DMZ IP Address.
  • Page 62: Example

    We set up two Address examples in this chapter: (1) Under DHCP circumstances, assign a specific IP to static users and, through policy, restrict them to the FTP service only. (2) LAN Group: Set up a policy that only allows some users to connect with a specific IP (External Specific IP)
  • Page 63 Under DHCP situation, assign the specific IP to static users and restrict them to access FTP net service only through policy STEP 1﹒Select LAN in Address and enter the following settings: Click New Entry button (Figure4-1) Name: Enter Rayearth IP Address: Enter 192.168.3.2 Netmask: Enter 255.255.255.255 MAC Address : Enter the user’s MAC Address (00:B0:18:25:F5:89)...
  • Page 64 STEP 2﹒Adding the following setting in Outgoing Policy: (Figure4-3) Figure 4-3 Add a Policy of Restricting the Specific IP to Access to Internet STEP 3﹒Complete assigning the specific IP to static users in Outgoing Policy and restrict them to access FTP net service only through policy: (Figure4-4) Figure 4-4 Complete the Policy of Restricting the Specific IP to Access to Internet...
  • Page 65 ALL7008 to fill out the user’s MAC Address automatically. In LAN of the Address function, the ALL7008 automatically provides a default Inside Any address that represents the whole LAN network. WAN and DMZ likewise have the default Outside Any and DMZ Any addresses to represent the whole subnet.
  • Page 66 Setup a policy that only allows partial users to connect with specific IP (External Specific IP) STEP 1﹒Setting several LAN network Address. (Figure4-5) Figure4-5 Setting Several LAN Network Address...
  • Page 67 STEP 2﹒Enter the following settings in LAN Group of Address: Click New Entry (Figure 4-6) Enter the Name of the group Select the users in the Available Address column and click Add Click OK (Figure 4-7) Figure4-6 Add New LAN Address Group Figure4-7 Complete Adding LAN Address Group The setting mode of WAN Group and DMZ Group of Address are the same as LAN Group.
  • Page 68 STEP 3﹒Enter the following settings in WAN of Address function: Click New Entry (Figure4-8) Enter the following data (Name, IP Address, Netmask) Click OK (Figure4-9) Figure4-8 Add New WAN Address Figure4-9 Complete the Setting of WAN Address...
  • Page 69 STEP 4﹒Apply the settings of STEP 1~3 in Policy (Figure4-10, 4-11) Figure4-10 To Exercise Address Setting in Policy Figure4-11 Complete the Policy Setting The Address function takes effect only when it is used with Policy.
  • Page 70: Service

    TCP and UDP protocols support a variety of services, and each service is identified by a TCP or UDP port number, such as TELNET (23), FTP (21), SMTP (25), POP3 (110), etc. The ALL7008 includes two kinds of service: Pre-defined Service and Custom Service.
  • Page 71 Define the required fields of Service Pre-defined WebUI’s Chart and Illustration: Chart Illustration Any Service TCP Service, For example:FTP, FINGER, HTTP, HTTPS , IMAP, SMTP, POP3, ANY, AOL, BGP, GOPHER, Inter Locator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real Media, RLOGIN, SSH, TCP ANY, TELNET, VDO Live, WAIS, WINFRAME, X-WINDOWS, …etc.
  • Page 72: Group

    We set up two Service examples in this chapter: Custom: Allow external users to communicate with internal users by VoIP through policy. (VoIP Port: TCP 1720, TCP 15325-15333, UDP 15325-15333) Group: Set up a service group and, through policy, restrict specific users to the service resources provided by this group.
  • Page 73 Allow external user to communicate with internal user by VoIP through policy. (VoIP Port: TCP 1720, TCP 15328-15333, UDP 15328-15333) STEP 1﹒Set LAN and LAN Group in Address function as follows: (Figure5-1, 5-2) Figure5-1 Setting LAN Address Book WebUI Figure5-2 Setting LAN Group Address Book WebUI...
  • Page 74 STEP 2﹒Enter the following setting in Custom of Service function: Click New Entry (Figure5-3) Service Name: Enter the preset name VoIP Protocol#1: select TCP, leave the Client Port unchanged, and set the Server Port as: 1720:1720 Protocol#2: select TCP, leave the Client Port unchanged, and set the Server Port as: 15328:15333 Protocol#3: select UDP, leave the Client Port unchanged, and set the Server Port as: 15328:15333...
  • Page 75 Under general circumstances, the client port range is 1024-65535. Changing the client range in Custom is not recommended. If the two port fields contain different port numbers, every port in the range between them is enabled (for example: 15328:15333).
  • Page 76 STEP 3﹒Compare Service to Virtual Server. (Figure5-5) Figure5-5 Compare Service to Virtual Server STEP 4﹒Compare Virtual Server to Incoming Policy. (Figure5-6) Figure5-6 Complete the Policy for External VoIP to Connect with Internal VoIP STEP 5﹒In Outgoing Policy, complete the setting of internal users using VoIP to connect with external network VoIP: (Figure5-7) Figure5-7 Complete the Policy for Internal VoIP to Connect with External VoIP Service must cooperate with Policy and Virtual Server that the function can take...
  • Page 77 Setting service group and restrict the specific users only can access to service resource that provided by this group through policy (Group: HTTP, POP3, SMTP, DNS) STEP 1﹒Enter the following setting in Group of Service: Click New Entry (Figure 5-8) Name: Enter Main_Service Select HTTP, POP3, SMTP, DNS in Available Service and click Click OK (Figure 5-9)
  • Page 78 Figure5-9 Complete the setting of Adding Service Group If you want to remove the service you choose from Selected Service, choose the service you want to delete and click Remove.
  • Page 79 STEP 2﹒In LAN Group of Address function, Setting an Address Group that can include the service of access to Internet. (Figure5-10) Figure5-10 Setting Address Book Group STEP 3﹒Compare Service Group to Outgoing Policy. (Figure5-11) Figure5-11 Setting Policy...
  • Page 80: Schedule

    Chapter 6 Schedule In this chapter, the Administrator configures a schedule that determines when a policy takes effect, so that policies are used only at the designated times. The Administrator can then set the start time and stop time of a Policy or VPN connection in Policy or VPN.
  • Page 81 To configure the valid time periods for LAN users to access to Internet in a day STEP 1﹒Enter the following in Schedule: Click New Entry (Figure6-1) Enter Schedule Name Set up the working time of Schedule for each day Click OK (Figure6-2) Figure6-1 Setting Schedule WebUI Figure6-2 Complete the Setting of Schedule...
  • Page 82 STEP 2﹒Compare Schedule with Outgoing Policy (Figure6-3) Figure6-3 Complete the Setting of Comparing Schedule with Policy The Schedule must compare with Policy or VPN (Figure6-4, 6-5, 6-6) Figure6-4 Compare Policy with VPN or IPSec Autokey Figure6-5 Compare Schedule with VPN or PPTP Server Figure6-6 Compare Schedule with VPN or PPTP Server...
  • Page 84: Qos

    The ALL7008 configures bandwidth through different QoS entries, and selects the suitable QoS through Policy to control and efficiently distribute bandwidth. This also makes it convenient for the administrator to make the best use of the available bandwidth. (Figure7-1, 7-2)
  • Page 85 Figure7-2 the Flow After Using QoS (Max. Bandwidth: 400Kbps, Guaranteed Bandwidth: 200Kbps)
  • Page 86 Define the required fields of QoS WAN: Display WAN1 and WAN2 Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you apply from ISP Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you apply from ISP Priority: To configure the priority of distributing Upstream/Downstream and unused...
  • Page 87: Example

    We set up two QoS examples in this chapter: No Suitable Example Page Situation Setting a policy that can restrict the user’s downstream and upstream bandwidth. Setting a connection of IPSec Autokey in VPN that can restrict the traffic.
  • Page 88 Setting a policy that can restrict the user’s downstream and upstream bandwidth STEP 1﹒Enter the following settings in QoS: Click New Entry (Figure7-3) Name: The name of the QoS you want to configure. Enter the bandwidth in WAN1, WAN2 Select QoS Priority Click OK (Figure7-4) Figure7-3 QoS WebUI Setting Figure7-4 Complete the QoS Setting...
  • Page 89 STEP 2﹒Use the QoS that set by STEP1 in Outgoing Policy. (Figure7-5, 7-6) Figure7-5 Setting the QoS in Policy Figure7-6 Complete Policy Setting...
  • Page 90 Setting a connection of IPSec Autokey in VPN that can restrict the traffic STEP 1﹒Enter the following in QoS: Click New Entry (Figure7-7) Name: The name of the QoS you want to configure. Enter the bandwidth you want to restrict in Downstream Bandwidth and Upstream Bandwidth QoS Priority:Select Middle Click OK (Figure7-8)
  • Page 91 STEP 2﹒Select the QoS that was set in STEP 1 in IPSec of VPN. (Figure7-9) Figure7-9 QoS Setting of IPSec When the administrator sets QoS, the bandwidth range that can be set is limited to the value the System Administrator set in WAN of Interface. So when the System Administrator sets the downstream and upstream bandwidth in WAN of Interface, he/she must set it precisely.
  • Page 92: Authentication

    VPN and IPSec) connection authority. The user has to pass authentication to access the Internet. The ALL7008 authenticates LAN users by an account and password that identify their privilege, or by a RADIUS server that you set up yourself. The...
  • Page 93 Define the required fields of Authentication Authentication Management: Provides the Administrator with the port number and valid time used to set up ALL7008 authentication. (Authentication has to be set up first) Authentication Port: When authentication is enabled on the ALL7008, internal users have to pass authentication to access the Internet.
  • Page 94 When the user connect to external network by Authentication, the following page will be displayed: (Figure8-2) Figure8-2 Authentication Login WebUI...
  • Page 95 It will connect to the appointed website after passing Authentication: (Figure8-3) Figure8-3 Connecting to the Appointed Website After Authentication If the user wants to authenticate proactively, he/she can browse to the LAN IP at the Authentication port number, and the Authentication WebUI will be displayed.
  • Page 96: Auth User

    The user account for Authentication you want to set. Password: The password when setting up Authentication. Confirm Password: Enter the same password as in Password. Shared Secret: The password for authentication between the ALL7008 and the RADIUS Server. 802.1xRADIUS: The Authentication to RADIUS Server of wireless network...
  • Page 97: Radius

    We set up four Authentication examples in this chapter: Auth User: Allow a specific user to connect with the external network only after passing the authentication of policy. (Adopt the built-in Auth User Function) Auth Group: Allow external users to connect with the internal network only after passing the authentication of VPN IPSec Autokey. (Adopt the built-in Auth User Group Function)...
  • Page 98 Auth User Function) STEP 1﹒Setting the user’s Address in LAN of Address function. (Figure8-4) Figure8-4 LAN Address Setting To use Authentication, the DNS Server of the user’s network card must be the same as the LAN Interface Address of ALL7008.
  • Page 99 STEP 2﹒Enter the following setting in Auth of Authentication function: Click New User Auth-User Name: Enter guest Password: Enter 1234 Confirm Password: Enter 1234 Click OK Complete Authentication Setting (Figure8-5) Figure8-5 Add New Auth-User WebUI...
  • Page 100 STEP 3﹒Add a policy in Outgoing Policy and input the Address and Authentication of STEP1, 2 (Figure8-6, 8-7) Figure8-6 Auth-User Policy Setting Figure8-7 Complete the Policy Setting of Auth-User...
  • Page 101 STEP 4﹒When user_01 is going to access to Internet through browser, the authentication UI will appear in Browser. After entering the correct user name and password, click OK to access to Internet. (Figure8-8) STEP 5﹒If the user does not need to access to Internet anymore and is going to logout, he/she can click LOGOUT Auth-User to logout the system.
  • Page 102 Allow external users to connect with the internal network only after passing the authentication of VPN IPSec Autokey. (Adopt the built-in Auth User Group Function) STEP 1﹒Set up several Auth Users in Authentication. (Figure8-10) Figure8-10 Setting Several Auth Users WebUI...
  • Page 103 STEP 2﹒Add Auth User Group Setting in Authentication function and enter the following settings: Click New Entry Name: Enter laboratory Select the Auth User you want and Add to Selected Auth User Click OK Complete the setting of Auth User Group (Figure8-11) Figure8-11 Setting Auth Group WebUI...
  • Page 104 STEP 2. (Figure8-12) Figure8-12 Compare Authentication with IPSec Autokey STEP 4﹒When external users try to connect with the PC of the ALL7008 by IPSec Autokey, they must pass the authentication first. (Figure8-13) Figure8-13 Set Up the IPSec VPN Connection by Authentication...
  • Page 105 STEP 5﹒If the remote user does not need connection and is going to logout, he/she can click the LOGOUT Auth-User button or enter the Logout Authentication WebUI (http:// LAN Interface: Authentication port number/ logout.html) to logout (Figure8-14) Figure8-14 Logout Auth-User WebUI...
  • Page 106 Allow users to connect with the external network only after passing the authentication of policy. (Adopt the external RADIUS Server built into Windows 2003 Server for Authentication) ※ Windows 2003 RADIUS Server Setup STEP 1﹒Click [Start] [Control Panel] [Add/Remove Program], choose [Add/Remove Windows], and the [Window Component Wizard] appears. STEP 2﹒Choose Networking Services and click Details (Figure8-15) Figure8-15 Add Windows Components WebUI...
  • Page 107 STEP 3﹒Choose Internet Authentication Service (IAS) (Figure8-16) Figure8-16 Add New Internet Authentication Services WebUI...
  • Page 108 STEP 4﹒Click [Start] [Control Panel] [Administrative Tools], Choose [Internet Authentication Service] (Figure8-17) Figure8-17 Choose Internet Authentication Service...
  • Page 109 STEP 5﹒Right-click RADIUS Clients and choose New RADIUS Client (Figure8-18) Figure8-18 Add New RADIUS Client...
  • Page 110 STEP 6﹒Enter the Name and Client Address (also the ALL7008 IP) (Figure8-19) Figure8-19 Add New RADIUS Client Name and Address...
  • Page 111 STEP 7﹒Choose RADIUS Standard; enter Shared Secret and Confirm Shared Secret. (The settings must be the same as RADIUS of ALL7008) (Figure8-20) Figure8-20 Add New RADIUS Client and Password WebUI...
  • Page 112 STEP 8﹒Right-click Remote Access Policies and select New Remote Access Policy. (Figure8-21) Figure8-21 Add New Remote Access Policy...
  • Page 113 STEP 9﹒Select Use the wizard to set up a typical policy for a common scenario and enter the Policy name. (Figure8-22) Figure8-22 Add Remote Access Policy and Name...
  • Page 114 STEP 10﹒Select Ethernet (Figure8-23) Figure8-23 Add New Remote Access Policy Method...
  • Page 115 STEP 11﹒Choose User (Figure8-24) Figure8-24 Add New Remote Access Policy of User or Group Access...
  • Page 116 STEP 12﹒Select MD5-Challenge (Figure8-25) Figure8-25 Authentication Methods of Adding New Remote Access Policy...
  • Page 117 STEP 13﹒Right-click Radius and choose Properties. (Figure8-26) Figure8-26 Internet Authentication Service Setting WebUI...
  • Page 118 STEP 14﹒Select Grant remote access permission and Remove the original setting, click Add to add a new one. (Figure8-27) Figure8-27 RADIUS Properties Settings...
  • Page 119 STEP 15﹒Add Service-Type (Figure8-28) Figure8-28 Add New RADIUS Attribute...
  • Page 120 STEP 16﹒Add Authenticate Only from the left side. (Figure8-29) Figure8-29 Add RADIUS Service-Type...
  • Page 121 STEP 17﹒Press the Edit Profile button, select Authentication, and select Unencrypted authentication (PAP, SPAP) (Figure8-30) Figure8-30 Edit RADIUS Dial-in Property...
  • Page 122 STEP 18﹒Add Auth User. Click [Start] [Setting] [Control Panel] [Administrative Tools], Choose [Computer Management] (Figure8-31) Figure8-31 Enter Computer Management...
  • Page 123 STEP 19﹒Right-click Users and select New User. (Figure8-32) Figure8-32 Add New User STEP 20﹒Complete the setting of Windows 2003 RADIUS Server.
  • Page 124 STEP 21﹒Enter IP, Port and Shared Secret (The setting must be the same as RADIUS Server) in RADIUS of Authentication (Figure8-33) Figure8-33 Setting RADIUS Server STEP 22﹒Add Radius User in Auth User Group of Authentication. (Figure8-34) Figure8-34 Add New RADIUS Auth Group...
  • Page 125 STEP 23﹒In Outgoing Policy, add a policy that uses the Auth User Group (RADIUS) set in STEP 22. (Figure8-35, 8-36) Figure8-35 RADIUS Authentication Policy Setting WebUI Figure8-36 Complete RADIUS Authentication of Policy Setting...
  • Page 126 STEP 24﹒When the user tries to connect to the Internet through a browser, the Authentication window appears in the browser. After entering the correct account and password, the user can connect to the Internet through the ALL7008. (Figure8-37) Figure8-37 Access to Internet by Authentication WebUI...
  • Page 127: Pop3 Server

    Allowing users to connect to the external network only after they pass policy authentication. (Adopt the external POP3 Server Authentication) STEP 1﹒Enter the following setting in POP3 in Authentication (Figure8-38) Figure8-38 POP3 Server Setting WebUI STEP 2﹒Add POP3 User in New Authentication Group. (Figure8-39) Figure8-39 Add New POP3 User WebUI...
  • Page 128 STEP 3﹒In Outgoing Policy, add a policy that uses the Authentication User Group set in STEP 2. (Figure8-40, 8-41) Figure8-40 POP3 Server Authentication Policy Setting Figure8-41 Complete POP3 Server Authentication Policy Setting...
  • Page 129 STEP 4﹒When the user tries to access the Internet with a browser, the Authentication WebUI is displayed in the browser. After entering the correct account and password, click OK to access the Internet through the ALL7008: (Figure8-42) Figure8-42 the Authentication WebUI...
  • Page 130: Url

    Chapter 9 Content Filtering Content Filtering includes「URL」,「Script」,「P2P」,「IM」,「Download」. 【URL Blocking】 : The administrator can “Allow” or “Restrict” access to specific websites by complete domain name, key words, and metacharacters (~ and *). 【Script Blocking】 : The access authority of Popup, ActiveX, Java, Cookies 【P2P Blocking】...
  • Page 131 Define the required fields of Content Blocking URL String: The domain name that is blocked or exclusively allowed. Popup Blocking: Prevents pop-up windows from appearing. ActiveX Blocking: Blocks ActiveX packets. Java Blocking: Blocks Java packets. Cookies Blocking: Blocks Cookies packets. eDonkey Blocking: Prevents users from transferring files via eDonkey and eMule. BitTorrent Blocking:...
  • Page 132 Prevents users from transferring files with specific extensions over http. All Type: Prevents users from transferring audio, video, and files with other extensions over the http protocol.
  • Page 133: Script

    We set up five Content Blocking examples in this chapter (Example: Suitable Situation). URL Blocking: Restrict the internal users to access only some specific websites. Script Blocking: Restrict the internal users from accessing script files of websites. P2P Blocking: Restrict the internal users from accessing files on the Internet via P2P.
  • Page 134: Url Blocking

    Restrict the internal users to access only some specific websites ※URL Blocking: Symbols: ~ means allow (open up); * is a metacharacter. To block a specific website: Enter the 「complete domain name」 or 「key word」 of the website you want to restrict in URL String. For example: www.kcg.gov.tw or gov.
  • Page 135 STEP 1﹒Enter the following in URL of the Content Filtering function: Click New Entry. URL String: Enter ~yahoo, and click OK. Click New Entry. URL String: Enter ~google, and click OK. Click New Entry. URL String: Enter *, and click OK. Complete setting a URL Blocking policy. (Figure9-1) Figure9-1 Content Filtering Table...
  • Page 136 STEP 2﹒Add an Outgoing Policy and apply the Content Blocking function to it: (Figure9-2) Figure9-2 URL Blocking Policy Setting STEP 3﹒Complete the Outgoing Policy that permits the internal users to access only some specific websites: (Figure9-3) Figure9-3 Complete Policy Settings Afterwards the users can only browse websites that include “yahoo”...
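
The URL String entries from STEP 1 (`~yahoo`, `~google`, `*`) can be modelled to check what a rule set will pass before it is applied. The following Python code is an added example, not the ALL7008's own matching code; it assumes that a key word matches anywhere in the host and path, that `*` matches any run of characters, that `~` entries are checked before blocking entries, and that a URL matching no entry is passed. The test URLs are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlRule:
    text: str            # the entry as typed into "URL String"
    allow: bool          # True when the entry starts with "~"
    pattern: re.Pattern  # key word compiled to a case-insensitive search


def parse_rule(entry: str) -> UrlRule:
    """Turn one URL String entry into a rule."""
    text = entry.strip()
    allow = text.startswith("~")
    keyword = text[1:] if allow else text
    if not keyword:
        raise ValueError(f"empty URL String entry: {entry!r}")
    # '*' is the metacharacter; every other character is matched literally.
    regex = ".*".join(re.escape(part) for part in keyword.split("*"))
    return UrlRule(text, allow, re.compile(regex, re.IGNORECASE))


def decide(url: str, rules: list) -> str:
    """Return 'allow' or 'block' for a URL under the modelled rule set."""
    # Drop the scheme so that "http" itself never matches a key word.
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE)
    for rule in rules:                 # assumption: "~" entries win
        if rule.allow and rule.pattern.search(target):
            return "allow"
    for rule in rules:
        if not rule.allow and rule.pattern.search(target):
            return "block"
    return "allow"                     # assumption: unmatched URLs pass


# Rule set from STEP 1: only sites containing "yahoo" or "google" are open.
ALLOW_ONLY = [parse_rule(e) for e in ("~yahoo", "~google", "*")]
# Blocking entries from the manual's example: a complete name and a key word.
BLOCK_LIST = [parse_rule(e) for e in ("www.kcg.gov.tw", "gov")]

# Constructed test URLs.
SAMPLE_URLS = [
    "http://www.yahoo.com/",
    "https://mail.google.com/inbox",
    "http://www.example.org/",
    "http://yahoo.example.net/",   # a key word also matches unrelated hosts
]


def evaluate(urls: list, rules: list) -> dict:
    return {url: decide(url, rules) for url in urls}


if __name__ == "__main__":
    for url, verdict in evaluate(SAMPLE_URLS, ALLOW_ONLY).items():
        print(f"{verdict:5}  {url}")
```

Under these assumptions a key word entry such as `~yahoo` opens every host whose name contains it, so a complete domain name is the tighter choice for an allow entry.
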
  • Page 137 Restrict the internal users from accessing script files of websites STEP 1﹒Select the following in Script of the Content Blocking function: Select Popup Blocking. Select ActiveX Blocking. Select Java Blocking. Select Cookies Blocking. Click OK. Complete the setting of Script Blocking. (Figure9-4) Figure9-4 Script Blocking WebUI...
  • Page 138 STEP 2﹒Add a new Outgoing Policy and apply the Content Blocking function to it: (Figure9-5) Figure9-5 New Policy of Script Blocking Setting STEP 3﹒Complete the Outgoing Policy that restricts the internal users from accessing script files of websites: (Figure9-6) Figure9-6 Complete Script Blocking Policy Setting With this policy, the users cannot use the specific functions (such as Java, cookies, etc.) when browsing websites.
  • Page 139: P2P

    Restrict the internal users from accessing files on the Internet via P2P STEP 1﹒Select the following in P2P of the Content Blocking function: Select eDonkey Blocking. Select BitTorrent Blocking. Select WinMX Blocking. Click OK. Complete the setting of P2P Blocking. (Figure9-7) Figure9-7 P2P Blocking WebUI...
  • Page 140 STEP 2﹒Add a new Outgoing Policy and apply the Content Blocking function to it: (Figure9-8) Figure9-8 Add New Policy of P2P Blocking STEP 3﹒Complete the Outgoing Policy that restricts the internal users from accessing files on the Internet via P2P: (Figure9-9) Figure9-9 Complete P2P Blocking Policy Setting P2P transfers occupy a large amount of bandwidth and may affect other users.
  • Page 141 Restrict the internal users from sending messages, files, video and audio by Instant Messaging STEP 1﹒Enter the following in IM Blocking of the Content Blocking function: Select MSN Messenger, Yahoo Messenger, ICQ Messenger, QQ Messenger and Skype. Click OK. Complete the setting of IM Blocking. (Figure9-10) Figure9-10 IM Blocking WebUI...
  • Page 142 STEP 2﹒Add a new Outgoing Policy and apply the Content Blocking function to it: (Figure9-11) Figure9-11 Add New IM Blocking Policy STEP 3﹒Complete the Outgoing Policy that restricts the internal users from sending messages, files, audio, and video by instant messaging: (Figure9-12) Figure9-12 Complete IM Blocking Policy Setting...
  • Page 143: Download

    Restrict the internal users from downloading video, audio, and files with specific extensions directly over the http or ftp protocol STEP 1﹒Enter the following settings in Download of the Content Blocking function: Select All Types Blocking. Click OK. Complete the setting of Download Blocking. (Figure9-13) Figure9-13 Download Blocking WebUI...
  • Page 144 STEP 2﹒Add a new Outgoing Policy and apply the Content Blocking function to it: (Figure9-14) Figure9-14 Add New Download Blocking Policy Setting STEP 3﹒Complete the Outgoing Policy that restricts the internal users from downloading video, audio, and files with specific extensions directly over the http protocol: (Figure9-15) Figure9-15 Complete Download Blocking Policy Setting...
  • Page 146: Chapter10 Virtual Server

    IP address. The ALL7008’s Virtual Server function can solve this problem. A Virtual Server has set the real IP address of the ALL7008’s WAN network interface to be the Virtual Server IP. Through the Virtual Server function, the ALL7008 translates the Virtual Server’s IP address into the private IP address in the LAN network.
  • Page 147 IP Address directly. The user must connect to the ALL7008’s WAN subnet’s Real IP and then map Real IP to Private IP of LAN by the ALL7008. It is a one-to-one mapping. That is, to map all the service of one WAN Real IP Address to one LAN Private IP Address.
  • Page 148 Define the required fields of Virtual Server WAN IP: WAN IP Address (Real IP Address) Map to Virtual IP: Map the WAN Real IP Address into the LAN Private IP Address Virtual Server Real IP: The WAN IP address that is mapped by the Virtual Server. Service name (Port Number):...
  • Page 149: Example

    We set up four Virtual Server examples in this chapter (Example: Suitable Situation). Mapped IP: Make a single server that provides several services such as FTP, Web, and Mail, to provide service by policy. Virtual Server: Make several servers that provide a single service, to provide service through policy by Virtual Server.
  • Page 150 Make a single server that provides several services such as FTP, Web, and Mail, to provide service by policy STEP 1﹒Set up a server that provides several services in the LAN, and set its network card’s IP to 192.168.1.100. DNS is the External DNS Server. STEP 2﹒Enter the following setting in LAN of Address function: (Figure10-1) Figure10-1 Mapped IP Settings of Server in Address STEP 3﹒Enter the following data in Mapped IP of Virtual Server function:...
  • Page 151 STEP 4﹒In the Service function, group the services (DNS, FTP, HTTP, POP3, SMTP…) that the server provides and uses. Also add a new service group for the server to send mail. (Figure10-3) Figure10-3 Service Setting STEP 5﹒Add a policy that includes the settings of STEP 3 and STEP 4 in Incoming Policy. (Figure10-4) Figure10-4 Complete the Incoming Policy STEP 6﹒Add a policy that includes STEP 2 and STEP 4 in Outgoing Policy.
  • Page 152 STEP 7﹒Complete the setting of providing several services by mapped IP. (Figure10-6) Figure10-6 A Single Server that Provides Several Services by Mapped IP It is strongly recommended not to choose ANY as the service when setting up a Mapped IP. Otherwise the Mapped IP is easily exposed to the Internet and may be attacked.
  • Page 153: Example

    Make several servers that provide a single service, to provide service through policy by Virtual Server (Take Web service for example) STEP 1﹒Set up several servers that provide Web service in the LAN network, with the IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103, and 192.168.1.104...
  • Page 154 STEP 2﹒Enter the following data in Server 1 of Virtual Server function: Click the button next to Virtual Server Real IP (“click here to configure”) in Server 1 Virtual Server Real IP: Enter 211.22.22.23 (click Assist for assistance) Click OK (Figure10-7) Figure10-7 Virtual Server Real IP Setting Click New Entry Service: Select HTTP (80)
  • Page 155 STEP 3﹒Add a new policy in Incoming Policy that includes the virtual server set in STEP 2. (Figure10-9) Figure10-9 Complete Virtual Server Policy Setting In this example, external users must change the port number to 8080 before entering the website hosted by the Web server. STEP 4﹒Complete the setting of providing a single service by virtual server.
  • Page 156 External users use VoIP to connect to the VoIP device in the LAN (VoIP Port: TCP 1720, TCP 15328-15333, UDP 15328-15333) STEP 1﹒Set up VoIP in the LAN network, with the IP 192.168.1.100 STEP 2﹒Enter the following setting in LAN of Address function: (Figure10-11) Figure10-11 Setting LAN Address WebUI STEP 3﹒Add new VoIP service group in Custom of Service function.
  • Page 157 STEP 4﹒Enter the following setting in Server1 of Virtual Server function: Click the button next to Virtual Server Real IP (“click here to configure”) in Server1 Virtual Server Real IP: Enter 61.11.11.12 (click Assist for assistance) (Use WAN) Click OK (Figure10-13) Figure10-13 Virtual Server Real IP Setting WebUI Click New Entry Service: Select (Custom Service) VoIP_Service...
  • Page 158 STEP 5﹒Add a new Incoming Policy that includes the virtual server set in STEP 4: (Figure10-15) Figure10-15 Complete the Policy includes Virtual Server Setting STEP 6﹒In Outgoing Policy, enter the following setting so that internal users can use VoIP to connect to VoIP on the external network: (Figure10-16) Figure10-16 Complete the Policy Setting of VoIP Connection...
  • Page 159 STEP 7﹒Complete the setting of the external/internal user using specific service to communicate with each other by Virtual Server. (Figure10-17) Figure10-17 Complete the Setting of the External/Internal User using specific service to communicate with each other by Virtual Server...
  • Page 160 Make several servers that provide several same services, to provide service through policy by Virtual Server. (Take HTTP, POP3, SMTP, and DNS Group for example) STEP 1﹒Set up several servers that provide several services in the LAN network. Their network cards’ IPs are 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.104 and the DNS setting is the External DNS server.
  • Page 161 STEP 3﹒Group the services of the server in Custom of Service. Also add a Service Group for the server to send e-mail. (Figure10-20) Figure10-20 Add New Service Group...
  • Page 162 STEP 4﹒Enter the following data in Server1 of Virtual Server: Click the button next to Virtual Server Real IP (“click here to configure”) in Server1 Virtual Server Real IP: Enter 211.22.22.23 (click Assist for assistance) Click OK (Figure10-21) Figure10-21 Virtual Server Real IP Setting Click New Entry Service: Select (Group Service) Main_Service External Service Port: From-Service (Group)
  • Page 163 STEP 5﹒Add a new Incoming Policy that includes the virtual server set in STEP 3: (Figure10-23) Figure10-23 Complete Incoming Policy Setting STEP 6﹒Add a new policy that includes the settings of STEP 2 and STEP 3 in Outgoing Policy. It allows the server to send e-mail to an external mail server by mail service.
  • Page 164 STEP 7﹒Complete the setting of providing several services by Virtual Server. (Figure10-25) Figure10-25 Complete the Setting of Providing Several Services by Several Virtual Server...
  • Page 166 Chapter 11 The ALL7008 adopts VPN to set up a safe and private network service, combined with the remote Authentication system, to integrate the remote network and PCs of the enterprise. It also provides the enterprise and remote users a safe encryption method for the best efficiency and encryption when delivering data.
  • Page 167 Define the required fields of VPN: RSA: A public-key cryptosystem for encryption and authentication. Preshared Key: The IKE VPN must be defined with a Preshared Key. The Key may be up to 128 bytes long. ISAKMP (Internet Security Association Key Management Protocol): An extensible protocol-encoding scheme that complies with the Internet Key Exchange (IKE) framework for establishment of Security Associations (SAs).
  • Page 168 DES (Data Encryption Standard): The Data Encryption Standard developed by IBM in 1977 is a 64-bit block cipher using a 56-bit key. Triple-DES (3DES): The DES function performed three times with either two or three cryptographic keys. AES (Advanced Encryption Standard): An encryption algorithm yet to be decided that will be used to replace the aging DES encryption algorithm and that the NIST hopes will last for the next 20 to 30 years.
  • Page 169 Define the required fields of IPSec Function Name: The VPN name to identify the VPN tunnel definition. The name must be the only one and cannot be repeated. Gateway IP: The WAN interface IP address of the remote Gateway. Destination Subnet: Destination network subnet Algorithm: To display the Algorithm way...
  • Page 170 Define the required fields of PPTP Server Function PPTP Server: To select Enable or Disable Client IP Range: Setting the IP addresses range for PPTP Client connection User Name: Display the PPTP Client user’s name when connecting to PPTP Server Client IP: Display the PPTP Client’s IP address when connecting to PPTP Server Uptime:...
  • Page 171 Define the required fields of PPTP Client Function User Name: Displays the PPTP Client user’s name when connecting to PPTP Server Server Address: Display the PPTP Server IP addresses when connecting to PPTP Server Uptime: Displays the connection time between PPTP Server and Client Status:...
  • Page 172 We set up six VPN examples in this chapter (Example: Suitable Situation). IPSec Autokey: Setting IPSec VPN connection between two ALL7008. IPSec Autokey: Setting VPN connection between ALL7008 IPSec VPN and Windows 2000 IPSec VPN. IPSec Autokey: Setting IPSec VPN connection between two ALL7008...
  • Page 173 VPN connection with Company B 192.168.20.100 downloading the sharing file. The Default Gateway of Company A is the LAN IP of the ALL7008 192.168.10.1. Follow the steps below: STEP 1﹒Enter the default IP of Gateway of Company A’s ALL7008, 192.168.10.1 and select IPSec Autokey in VPN.
  • Page 174 STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A, and select LAN in From Source. Also fill in Subnet: 192.168.10.0 and Mask: 255.255.255.0 (Figure11-5) Figure11-5 IPSec VPN Autokey Tunnel Setting STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the IP Address, Subnet 192.168.20.0, and Mask 255.255.255.0 of Company B.
  • Page 175 STEP 5﹒Select ISAKMP Algorithm in Encapsulation list. Choose the algorithm used when setting up the connection. Please select ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for group.
  • Page 176 STEP 7﹒After selecting Perfect Forward Secrecy and entering 28800 seconds in IPSec Lifetime, you can also enter the Keep Alive IP of Company B: 192.168.20.100 to prevent disconnection. (Figure11-10) Figure11-10 IPSec Perfect Forward Secrecy Setting STEP 8﹒Select Schedule, and choose whether to allow data transfer between both sides via Show remote Network Neighborhood.
  • Page 177 The Default Gateway of Company B is the LAN IP of the ALL7008 192.168.20.1. Follow the steps below: STEP 1﹒Enter the default IP of Gateway of Company B’s ALL7008, 192.168.20.1 and select IPSec Autokey in VPN. Click New Entry (Figure11-13) Figure11-13 IPSec Autokey WebUI STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_B, and select LAN...
  • Page 178 STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the IP Address, Subnet 192.168.10.0, and Mask 255.255.255.0 of Company A. (Figure11-15) Figure11-15 IPSec To Destination Setting STEP 4﹒Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits) (Figure11-16) Figure11-16 IPSec Authentication Method Setting STEP 5﹒Select ISAKMP Algorithm in Encapsulation list.
  • Page 179 STEP 6﹒You can choose Data Encryption+Authentication or Authentication Only to communicate in IPSec Algorithm list: ENC Algorithm: 3DES/DES/AES/NULL AUTH Algorithm: MD5/SHA1 Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to determine the encapsulation method for data transmission. (Figure11-18) Figure11-18 IPSec Algorithm Setting STEP 7﹒After selecting Perfect Forward Secrecy and entering 28800 seconds in...
  • Page 180 STEP 9﹒Click OK to complete the setting of Company B (Figure11-21) Figure11-21 Complete Company B IPSec VPN Setting STEP 10﹒Complete IPSec VPN Connection (Figure11-22) Figure11-22 IPSec VPN Setting...
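
The Company A and Company B walkthroughs above enter mirrored values on the two gateways, and a tunnel that fails to come up is usually traced to one field that is not mirrored. The following Python code is an added example, not a tool shipped with the ALL7008; it compares the two sides field by field using the subnets, algorithms and lifetime from the walkthrough, while the WAN addresses and the preshared key are constructed placeholders because the manual excerpt does not show them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    wan_ip: str                  # this gateway's own WAN address
    local_subnet: str            # "From Source" subnet/mask
    remote_gateway: str          # "To Destination" Remote Gateway-Fixed IP
    remote_subnet: str           # "To Destination" subnet/mask
    preshared_key: str
    isakmp: tuple = ("3DES", "MD5", "GROUP1")   # ENC, AUTH, Group (STEP 5)
    ipsec: tuple = ("3DES", "MD5")              # ENC, AUTH (STEP 6)
    pfs: bool = True                            # STEP 7
    lifetime: int = 28800                       # IPSec Lifetime in seconds


def net(subnet_and_mask: str):
    """Parse 'subnet/mask'; raises ValueError if host bits are set."""
    return ipaddress.ip_network(subnet_and_mask, strict=True)


def mismatches(a: Tunnel, b: Tunnel) -> list:
    """List every setting that is not mirrored between the two gateways."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if net(near.remote_subnet) != net(far.local_subnet):
            problems.append(
                f"{near.name}: To Destination subnet {near.remote_subnet} is not "
                f"{far.name}'s From Source subnet {far.local_subnet}")
        if ipaddress.ip_address(near.remote_gateway) != ipaddress.ip_address(far.wan_ip):
            problems.append(
                f"{near.name}: Remote Gateway {near.remote_gateway} is not "
                f"{far.name}'s WAN IP {far.wan_ip}")
    if net(a.local_subnet).overlaps(net(b.local_subnet)):
        problems.append("LAN subnets of both sides overlap")
    if a.preshared_key != b.preshared_key:
        problems.append("Preshared Key differs")   # the key itself is never printed
    labels = ("ISAKMP ENC", "ISAKMP AUTH", "ISAKMP Group")
    for label, left, right in zip(labels, a.isakmp, b.isakmp):
        if left != right:
            problems.append(f"{label}: {a.name}={left}, {b.name}={right}")
    for label, left, right in zip(("IPSec ENC", "IPSec AUTH"), a.ipsec, b.ipsec):
        if left != right:
            problems.append(f"{label}: {a.name}={left}, {b.name}={right}")
    if a.pfs != b.pfs:
        problems.append("Perfect Forward Secrecy is enabled on one side only")
    if a.lifetime != b.lifetime:
        problems.append(f"IPSec Lifetime: {a.name}={a.lifetime}, {b.name}={b.lifetime}")
    return problems


# WAN addresses (198.51.100.x) and the key are constructed placeholders.
VPN_A = Tunnel("VPN_A", "198.51.100.10", "192.168.10.0/255.255.255.0",
               "198.51.100.20", "192.168.20.0/255.255.255.0", "constructed-psk")
VPN_B = Tunnel("VPN_B", "198.51.100.20", "192.168.20.0/255.255.255.0",
               "198.51.100.10", "192.168.10.0/255.255.255.0", "constructed-psk")
# Constructed faulty copy: wrong remote subnet and a different ISAKMP group.
VPN_B_WRONG = Tunnel("VPN_B", "198.51.100.20", "192.168.20.0/255.255.255.0",
                     "198.51.100.10", "192.168.1.0/255.255.255.0", "constructed-psk",
                     isakmp=("3DES", "MD5", "GROUP2"))

if __name__ == "__main__":
    print(mismatches(VPN_A, VPN_B) or "both sides match")
    for line in mismatches(VPN_A, VPN_B_WRONG):
        print("mismatch:", line)
```
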
  • Page 181 Company A, 192.168.10.100 for downloading the sharing file. The Default Gateway of Company A is the LAN IP of ALL7008 192.168.10.1. Follow the steps below: STEP 1﹒Enter the default IP of ALL7008 in Company A 192.168.10.1 and select IPSec Autokey in VPN. Click New Entry. (Figure11-23)
  • Page 182 STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A, and select LAN in From Source. Also fill in Subnet: 192.168.10.0 and Mask: 255.255.255.0 (Figure11-24) Figure11-24 IPSec VPN Auto keyed Tunnel Setting STEP 3﹒Select Remote Client-Fixed IP or Dynamic IP In To Destination list. (Figure11-25) Figure11-25 IPSec To Destination Setting STEP 4﹒Select Preshare in Authentication Method and enter the Preshared...
  • Page 183 STEP 5﹒Select ISAKMP Algorithm in Encapsulation list. Choose the algorithm used when setting up the connection. Please select ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP2 for Group.
  • Page 184 STEP 7﹒After selecting Perfect Forward Secrecy and entering 28800 seconds in IPSec Lifetime, you can also enter the Keep Alive IP of Company B: 211.22.22.22 to prevent disconnection. (Figure11-29) Figure11-29 IPSec Perfect Forward Secrecy Setting STEP 8﹒Select Schedule, QoS, and Authentication-User, and choose whether to allow data transfer between both sides via Show remote Network Neighborhood.
  • Page 185 The PC of Company B use Real IP Address: 211.22.22.22. Follow the steps below: STEP 1﹒Enter Windows2000 and select Run in Start. (Figure11-32) Figure11-32 Start Windows 2000 IPSec VPN Setting...
  • Page 186 STEP 2﹒In the Run WebUI, enter the command: mmc in the Open field. (Figure11-33) Figure11-33 Enable Windows 2000 IPSec VPN Setting STEP 3﹒In the Console1 WebUI, select the File option and then select the Add/Remove Snap-ins option. (Figure11-34) Figure11-34 Add/Remove Snap-ins...
  • Page 187 STEP 4﹒Click Add in Add/Remove Snap-ins, and add IP Security Policy Management in the Add Standalone Snap-in WebUI. (Figure11-35) Figure11-35 Add IP Security Policy Management...
  • Page 188 STEP 5﹒Select Local computer to complete adding (Figure11-36) Figure11-36 Select Computer or Domain...
  • Page 189 STEP 6﹒Complete adding IP Security Policy Management (Figure11-37) Figure11-37 Complete Adding IP Security Policy Management...
  • Page 190 STEP 7﹒Right-click IP Security Policies on Local Computer and select Create IP Security Policy. (Figure11-38) Figure11-38 Create IP Security Policy...
  • Page 191 STEP 8﹒Click on Next (Figure11-39) Figure11-39 Enable IP Security Policy...
  • Page 192 STEP 9﹒Enter IP Security Policy Name and Description and click on Next in IP Security Policy Wizard WebUI. (Figure11-40) Figure11-40 Setting IP Security Policy Name and Description...
  • Page 193 STEP 10﹒Please clear the Activate the default response rule option and click on Next. (Figure11-41) Figure11-41 Clear the Activate the Default Response Rule Option...
  • Page 194 STEP 11﹒Complete setting IP Security Policy and click on Finish. Select the Edit properties (Figure11-42) Figure11-42 Complete the IP Security Policy Wizard...
  • Page 195 STEP 12﹒Enter VPN_B Properties WebUI and do not select Use Add Wizard. Select Add and enter Edit Properties (Figure11-43) Figure11-43 VPN_B Properties WebUI...
  • Page 196 STEP 13﹒Click on Add in New Rule Properties WebUI (Figure11-44) Figure11-44 Add New IP Filter List...
  • Page 197 STEP 14﹒Please do not select Use Add Wizard in IP Filter List. Change the name as VPN_B WAN TO LAN and click Add (Figure11-45) Figure11-45 IP Filter List WebUI...
  • Page 198 STEP 15﹒After entering Filter Properties, please select A specific IP Address in Source address and enter the WAN IP of Company B: 211.22.22.22, Subnet Mask: 255.255.255.255. And select A specific IP Subnet in Destination address and enter the LAN IP of Company A: 192.168.10.0, Subnet Mask: 255.255.255.0.
  • Page 199 STEP 16﹒Complete the setting and close IP Filter List Window. (Figure11-47) Figure11-47 Complete IP Filter List...
  • Page 200 STEP 17﹒Select Require Security in Filter Action WebUI and click Edit. (Figure11-48) Figure11-48 Filter Action Setting...
  • Page 201 STEP 18﹒Enter Require Security Properties WebUI and select Negotiate security. (Figure11-49) Figure11-49 Select Session key perfect forward secrecy...
  • Page 202 STEP 19﹒Please select Custom/None/3DES/MD5 click Edit (Figure11-50) Figure11-50 Edit Security Method...
  • Page 203 STEP 20﹒Click Custom (provide for professional users) and select Settings. (Figure11-51) Figure11-51 Custom Security Method...
  • Page 204 STEP 21﹒Please select ESP and choose MD5 and 3DES. Also select Generate a new key every. Enter 28800 seconds and click OK three times to go back to Rule Properties. (Figure11-52) Figure11-52 Custom Security Method Settings...
  • Page 205 STEP 22﹒Enter Connection Type and select All network connections (Figure11-53) Figure11-53 Connection Type Setting...
  • Page 206 STEP 23﹒Enter Tunnel Setting WebUI. Select The tunnel endpoint is specified by this IP address and enter the WAN IP of Company A. (Figure11-54) Figure11-54 Tunnel Setting...
  • Page 207 STEP 24﹒Enter Authentication Methods WebUI select Edit. (Figure11-55) Figure11-55 Authentication Method Setting WebUI...
  • Page 208 STEP 25﹒Select the item Use this string to protect preshared key and enter the preshared key: 123456789 (Figure11-56) Figure11-56 Setting VPN Connection Preshared Key...
  • Page 209 STEP 26﹒Complete Setting and close the WebUI (Figure11-57) Figure11-57 Complete Authentication Methods Setting...
  • Page 210 STEP 27﹒Complete the VPN_B WAN TO LAN Settings (Figure11-58) Figure11-58 Complete VPN_B WAN TO LAN Setting...
  • Page 211 STEP 28﹒Please enter VPN_B Properties WebUI again and do not select Use Add Wizard. Select Add to enter Edit Properties (Figure11-59) Figure11-59 VPN_B Properties WebUI...
  • Page 212 STEP 29﹒Please select Add in New Rule Properties WebUI. (Figure11-60) Figure11-60 Add New Rule Properties WebUI...
  • Page 213 STEP 30﹒Please do not select Use Add Wizard in IP Filter List. Please change the name as VPN_B LAN TO WAN and select Add. (Figure11-61) Figure11-61 IP Filter List WebUI...
  • Page 214 STEP 31﹒Enter Filter Properties and select A specific IP Subnet in Source address and enter the LAN IP of Company A: 192.168.10.0, Subnet mask: 255.255.255.0. Select A specific IP Address in Destination address and enter the WAN IP of Company B: 211.22.22.22, Subnet mask: 255.255.255.255.
  • Page 215 STEP 32﹒Complete Setting and close IP Filter List WebUI (Figure11-63) Figure11-63 Complete IP Filter List Setting...
  • Page 216 STEP 33﹒Select Require Security in Filter Action WebUI and click Edit (Figure11-64) Figure11-64 Filter Action WebUI...
  • Page 217 STEP 34﹒Enter Require Security Properties WebUI and select Session key perfect forward secrecy (PFS) (Figure11-65) Figure11-65 Select PFS...
  • Page 218 STEP 35﹒Select Custom/ None/ 3DES/ MD5 and choose Edit (Figure11-66) Figure11-66 Setting Security Methods...
  • Page 219 STEP 36﹒Select Custom (provide for professional users) and click Settings (Figure11-67) Figure11-67 Modify Security Method...
  • Page 220 STEP 37﹒Please select Data integrity and encryption (ESP) and choose MD5 and 3DES. Also select Generate a new key every. Enter 28800 seconds and click OK three times to go back to Rule Properties WebUI. (Figure11-68) Figure11-68 Complete Custom Security Method Setting...
  • Page 221 STEP 38﹒Select All network connections in Connection Type. (Figure11-69) Figure11-69 Connection Type Setting...
  • Page 222 STEP 39﹒Enter Tunnel Setting WebUI. Select The tunnel endpoint is specified by this IP address and enter the WAN IP of Company B: 211.22.22.22 (Figure11-70) Figure11-70 Tunnel Setting WebUI...
  • Page 223 STEP 40﹒Enter Authentication Methods WebUI select Edit. (Figure11-71) Figure11-71 Authentication Methods Setting WebUI...
  • Page 224 STEP 41﹒Select the item Use this string (preshared key) to protect the key exchange (preshared key) and enter the preshared key: 123456789 (Figure11-72) Figure11-72 Complete Authentication Method Setting...
  • Page 225 STEP 42﹒Complete Setting and close the WebUI (Figure11-73) Figure11-73 Complete New Rule Properties Setting...
  • Page 226 STEP 43﹒Complete VPN_B LAN TO WAN Settings (Figure11-74) Figure11-74 Complete VPN_B LAN TO WAN Setting...
  • Page 227 STEP 44﹒Please enter General in VPN_B Properties WebUI and click Advanced (Figure11-75) Figure11-75 VPN_B Properties General WebUI...
  • Page 228 STEP 45﹒Please select Master key perfect forward secrecy (PFS) and click Methods. (Figure11-76) Figure11-76 Key Exchange Settings WebUI...
  • Page 229 STEP 46﹒Please move IKE/ 3DES/ MD5 /Medium (2) to the top and complete all the settings. (Figure11-77) Figure11-77 To Adjust Security Method Order...
  • Page 230 STEP 47﹒Complete all the Windows 2000 VPN Setting of Company B (Figure11-78) Figure11-78 Complete Windows2000 IPSec VPN Setting...
  • Page 231 STEP 48﹒Please right-click VPN_B and enable VPN_B. (Figure11-79) Figure11-79 Enable VPN_B Security Method...
  • Page 232 STEP 49﹒To restart the IPSec Service, please begin with Start, select Settings, and then enter Control Panel. (Figure11-80) Figure11-80 Enter Control Panel...
  • Page 233 STEP 50﹒After entering Control Panel WebUI, please enter Administrative Tools. (Figure11-81) Figure11-81 Enter Administrative Tools...
  • Page 234 STEP 51﹒Please select Services item after entering Administrative Tools. (Figure11-82) Figure11-82 Enter Services item...
  • Page 235 STEP 52﹒After entering Services, please select IPSec Services to restart. (Figure11-83) Figure11-83 Restart IPSec Policy Agent...
  • Page 236 STEP 53﹒Complete all of the settings. (Figure11-84) Figure11-84 The IPSec VPN Setting of ALL7008 and Windows 2000...
  • Page 237 192.168.20.100 and download the resource. (Connection adopts Aggressive Mode Algorithm) The Default Gateway of Company A is the LAN IP of the ALL7008 192.168.10.1. Follow the steps below: STEP 1﹒Enter the default gateway of ALL7008 of Company A 192.168.10.1, and select IPSec Autokey in VPN function. Click New Entry...
  • Page 238 STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A, and select LAN in From Source. Also select WAN1 in Use interface and fill in Subnet: 192.168.10.0 and Mask: 255.255.255.0 (Figure11-86) Figure11-86 IPSec VPN Autokey Tunnel Setting STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the IP Address, Subnet 192.168.20.0, and Mask 255.255.255.0 of Company B.
  • Page 239 STEP 5﹒Select Aggressive Mode Algorithm in Encapsulation. When the connection is set up, it automatically uses 3DES as the ENC Algorithm, MD5 as the AUTH Algorithm, and GROUP2. My ID/Peer ID can be left blank, or you can enter different IP addresses for them. For example: 11.11.11.11, 22.22.22.22.
  • Page 240 STEP 7﹒Select Perfect Forward Secrecy and enter 28800 seconds in IPSec Lifetime. You can also enter the Keep Alive IP of Company B, 192.168.20.100, to prevent disconnection. (Figure11-91) Figure11-91 IPSec Perfect Forward Secrecy Setting STEP 8﹒Select Schedule, QoS, and Authentication-User, and use Show remote Network Neighborhood to choose whether the two sides are permitted to connect with each other.
  • Page 241 The Default Gateway of Company B 192.168.20.100 is the LAN IP of the ALL7008 192.168.20.1. Follow the steps below: STEP 1﹒Enter the default gateway of the ALL7008 of Company B 192.168.20.1 and select IPSec Autokey in VPN. Click New Entry (Figure11-94) Figure11-94 IPSec Autokey WebUI STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_B, and select LAN...
  • Page 242 STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the Remote IP Address, Subnet 192.168.10.0, and Mask 255.255.255.0 of Company A. (Figure11-96) Figure11-96 IPSec To Destination Setting STEP 4﹒Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits) (Figure11-97) Figure11-97 IPSec Authentication Method Setting...
  • Page 243 STEP 5﹒Select Aggressive Mode Algorithm in Encapsulation. When the connection is set up, it automatically uses 3DES as the ENC Algorithm, MD5 as the AUTH Algorithm, and GROUP2. My ID/Peer ID can be left blank, or you can enter different IP addresses for them. For example: 11.11.11.11, 22.22.22.22.
  • Page 244 STEP 7﹒Select Perfect Forward Secrecy and enter 28800 seconds in IPSec Lifetime. You can also enter the Keep Alive IP of Company A, 192.168.10.100, to prevent disconnection. (Figure11-100) Figure11-100 IPSec Perfect Forward Secrecy Setting STEP 8﹒Select Schedule, QoS, and Authentication-User, and use Show remote Network Neighborhood to choose whether the two sides are permitted to connect with each other.
  • Page 245 STEP 10﹒Complete IPSec VPN Aggressive Mode Settings: (Figure11-103) Figure11-103 IPSec VPN Aggressive Mode Settings...
  • Page 246 192.168.20.100 and download the resource. (Connection adopts GRE/IPSec Algorithm) The Default Gateway of Company A is the LAN IP of the ALL7008 192.168.10.1. Follow the steps below: STEP 1﹒Enter the default gateway of ALL7008 of Company A 192.168.10.1 and select IPSec Autokey in VPN. Click New Entry (Figure11-104)
  • Page 247 STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_A, and select LAN in From Source. Also fill in Subnet: 192.168.10.0 and Mask: 255.255.255.0 of Company A. (Figure11-105) Figure11-105 IPSec VPN Autokey Tunnel Setting STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the IP Address, Subnet 192.168.20.0, and Mask 255.255.255.0 of Company B.
  • Page 248 STEP 5﹒Select ISAKMP Algorithm in Encapsulation. Choose the algorithms used when the connection is set up: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1), and Group (GROUP1, 2, 5). Both sides have to choose the same group. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm, and GROUP1 for connection.
  • Page 249 STEP 7﹒Select Data Encryption+Authentication in IPSec Algorithm. You can choose Data Encryption+Authentication or Authentication Only to communicate: ENC Algorithm: 3DES/DES/AES/NULL; AUTH Algorithm: MD5/SHA1. Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to determine the encapsulation method for the connection. (Figure11-110) Figure11-110 IPSec Algorithm Setting STEP 8﹒Select Perfect Forward Secrecy and enter 28800 seconds in IPSec Lifetime; the Keep Alive IP field must be left blank.
  • Page 250 STEP 10﹒Click OK to complete the setting of Company A (Figure11-113) Figure11-113 Complete IPSec VPN Setting of Company A...
  • Page 251 The Default Gateway of Company B is the LAN IP of the ALL7008: 192.168.20.1. Follow the steps below: STEP 1﹒Enter the default gateway of ALL7008 of Company B 192.168.20.1 and select IPSec Autokey in VPN. Click New Entry (Figure11-114) Figure11-114 IPSec Autokey WebUI STEP 2﹒In the list of IPSec Autokey, fill in Name with VPN_B, and select LAN...
  • Page 252 STEP 3﹒Select Remote Gateway-Fixed IP In To Destination list and enter the Remote IP Address, Subnet 192.168.10.0, and Mask 255.255.255.0 of Company A. (Figure11-116) Figure11-116 IPSec To Destination Setting STEP 4﹒Select Preshare in Authentication Method and enter the Preshared Key (max: 100 bits) (Figure11-117) Figure11-117 IPSec Authentication Method Setting STEP 5﹒Select ISAKMP Algorithm in Encapsulation.
  • Page 253 STEP 6﹒Select GRE/IPSec and enter GRE Local IP: 192.168.50.200. GRE Remote IP: 192.168.50.100. (GRE Local IP must be at the same subnet (C class)) (Figure11-119) Figure11-119 GRE/IPSec Setting STEP 7﹒Select Data Encryption+Authentication in IPSec Algorithm. You can choose Data Encryption+Authentication or Authentication Only to communicate: ENC Algorithm: 3DES/DES/AES/NULL AUTH Algorithm: MD5/SHA1...
  • Page 254 STEP 9﹒Select Schedule, QoS, and Authentication-User, and use Show remote Network Neighborhood to choose whether the two sides are permitted to connect with each other. (Figure11-122) Figure11-122 IPSec Schedule and QoS Setting STEP 10﹒Click OK to complete the setting of Company B (Figure11-123) Figure11-123 Complete IPSec VPN Setting of Company B...
  • Page 255 STEP 11﹒Complete IPSec VPN GRE/IPSec Setting (Figure11-124) Figure11-124 IPSec VPN GRE/IPSec Setting...
  • Page 256 Company A WAN IP: 61.11.11.11 LAN IP: 192.168.10.X Company B WAN IP: 211.22.22.22 LAN IP: 192.168.20.X This example uses two ALL7008 units as the platform. Suppose Company B 192.168.20.100 is going to have VPN connection with Company A 192.168.10.100 and download the resource.
  • Page 257 STEP 1﹒Enter PPTP Server of VPN function in the ALL7008 of Company A. Select Modify: Select Encryption Client IP Range: Enter 192.44.75.1-254 Idle Time: Enter 0 Schedule: Select Schedule_1 (Figure11-125) Figure11-125 Modify PPTP VPN Server Settings Idle Time: the setting time that the VPN Connection will auto-disconnect under...
  • Page 258 STEP 2﹒Add the following settings in PPTP Server of VPN function in the ALL7008 of Company A: Select New Entry User Name: Enter PPTP_Connection Password: Enter 123456789 Remote Client: Select Multi-Machine and enter 192.168.20.0 in IP Address; Netmask: 255.255.255.0 Client IP assigned by: Select IP Range (Figure11-126)
  • Page 259 STEP 3﹒Add the following settings in PPTP Client of VPN function in the ALL7008 of Company B: Select New Entry User Name: Enter PPTP_Connection Password: Enter 123456789 Server Address: Enter 61.11.11.11 Select Encryption Remote Server: Select Multi-Machine and enter 192.168.10.0 in IP Address;...
  • Page 260 STEP 4﹒Complete PPTP VPN Connection (Figure11-128) Figure11-128 PPTP VPN Connection Setting...
  • Page 261 WAN IP: 61.11.11.11 LAN IP: 192.168.10.X Company B Windows 2000 PC WAN IP: 211.22.22.22 This example uses one ALL7008 and one Windows 2000 VPN-PPTP as the platform. Suppose Company B 211.22.22.22 is going to have VPN connection with Company A 192.168.10.100...
  • Page 262 The default gateway of Company A is the LAN IP of the ALL7008. Enter the following setting: STEP 1﹒Enter PPTP Server of VPN function in the ALL7008 of Company A. Select Modify: Select Encryption Client IP Range: Enter 192.44.75.1-254 Idle Time: Enter 0...
  • Page 263 STEP 2﹒Add the following settings in PPTP Server of VPN function in the ALL7008 of Company A: Select New Entry User Name: Enter PPTP_Connection Password: Enter 123456789 Remote Client: Select Single Machine Client IP assigned by: Select IP Range (Figure11-130)
  • Page 264 Enter the following settings in Company B (Real IP: 211.22.22.22): STEP 1﹒In Windows 2000, right-click My Network Places and select Properties. (Figure11-131) Figure11-131 Start out Windows 2000 PPTP VPN Setting...
  • Page 265 STEP 2﹒Enter Network and Dial-up Connections WebUI and then enter Make New Connection. (Figure11-132) Figure11-132 Network and Dial-up Connections WebUI...
  • Page 266 STEP 3﹒In the Location Information WebUI, enter country/region, city code, and the phone system you use, and then click OK (Figure11-133) Figure11-133 Setup Location Information WebUI...
  • Page 267 STEP 4﹒Click OK in Phone And Modem Options WebUI. (Figure11-134) Figure11-134 Phone and Modem Options WebUI...
  • Page 268 STEP 5﹒Click on Next in Network Connection Wizard. (Figure11-135) Figure11-135 Network Connection Wizard WebUI...
  • Page 269 STEP 6﹒Select Connect to a private network through the Internet in Network Connection Wizard WebUI and click Next (Figure11-136) Figure11-136 Setup to connect to a private network through the Internet...
  • Page 270 STEP 7﹒Enter IP Address in Network Connection Wizard WebUI and click Next. (Figure11-137) Figure11-137 Host Name or IP Address Setting...
  • Page 271 STEP 8﹒In Network Connection Wizard WebUI, create the connection For all users and click on Next. (Figure11-138) Figure11-138 Connection Availability Setting...
  • Page 272 STEP 9﹒Click on Finish on Network Connection Wizard WebUI to Complete the New Connection Wizard setting (Figure11-139) Figure11-139 Complete the Network Connection Wizard Setting...
  • Page 273 STEP 10﹒Enter the following settings in Connect Virtual Private Connection function: (Figure11-140) User name: Enter PPTP_Connection Password: Enter 123456789 Select Save Password Click on Connect The Connecting VPN_Connection WebUI shows up (Figure11-141) Finally, the Connection Complete WebUI appears (Figure11-142) Figure11-140 Connect Virtual Private Connection Setting WebUI Figure11-141 Connecting VPN Connection...
  • Page 274 Figure11-142 PPTP VPN Connection Complete...
  • Page 275 STEP 11﹒Complete PPTP VPN Connection Settings (Figure11-143) Figure11-143 PPTP VPN Connection Setting...
  • Page 276: Chapter12 Policy

    Every packet that passes through the ALL7008 is checked against the Policy list. When a packet matches a policy, it passes the ALL7008 according to that policy's settings and is not checked against the other policies. If a packet does not match any Policy, it is intercepted.
  • Page 277 WAN network. The system manager can set all the policy rules of DMZ to WAN packets in this function. All the packets that go through ALL7008 must pass the policy permission (except VPN). Therefore, the LAN, WAN, and DMZ network have to set the applicable policy...
  • Page 278 Define the required fields of Policy Source and Destination: Source IP and Destination IP are defined from the ALL7008’s point of view. The active side is the source; the passive side is the destination. Service: The service item that is controlled by the Policy. The user can choose the default value or the custom services that the system manager set in the Service function.
  • Page 279 Option: Displays whether each function of Policy is enabled. When a function is enabled, its chart appears (see the chart and illustration below). Chart / Name / Illustration: Traffic Log: Enable traffic log; Statistics: Enable traffic statistics; Authentication User...
  • Page 280 (the bandwidth is shared by the users who correspond to the Policy) Move: Every packet that passes the ALL7008 is checked against the policies in order, from the first policy to the last one, so the priority of a policy can be changed with this selection.
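The first-match behaviour described for Policy and Move can be modelled in a few lines. This is an added example, not code from the manual or the device: the `Policy` class, the policy names and the 203.0.113.0/24 network (a constructed stand-in for a blocked WAN group) are assumptions, while 192.168.10.0/24 is the Company A LAN used in the manual. It also reports policies that can never match because an earlier policy already covers them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Policy:
    name: str            # hypothetical label, the WebUI shows policies by row
    source: object       # ip_network seen as the active side
    destination: object  # ip_network seen as the passive side
    service: str         # "ANY" or a service name such as "HTTP"
    action: str          # "permit" or "deny"

    def matches(self, src, dst, service):
        return (ip_address(src) in self.source
                and ip_address(dst) in self.destination
                and self.service in ("ANY", service))

    def covers(self, other):
        """True when every packet matching `other` also matches this policy."""
        return (other.source.subnet_of(self.source)
                and other.destination.subnet_of(self.destination)
                and self.service in ("ANY", other.service))

def evaluate(policies, src, dst, service):
    """Walk the list from the first policy to the last; the first match decides."""
    for policy in policies:
        if policy.matches(src, dst, service):
            return policy.action, policy.name
    # A packet that corresponds to no policy is intercepted.
    return "deny", "(no policy matched)"

def shadowed(policies):
    """Return (later, earlier) pairs where the later policy can never be reached."""
    pairs = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

LAN = ip_network("192.168.10.0/24")        # Company A LAN from the manual
BLOCKED = ip_network("203.0.113.0/24")     # constructed stand-in for a WAN group

permit_out = Policy("permit_lan_out", LAN, ANY_NET, "ANY", "permit")
deny_group = Policy("deny_wan_group", LAN, BLOCKED, "ANY", "deny")

BEFORE_MOVE = [permit_out, deny_group]     # deny rule sits below the permit rule
AFTER_MOVE = [deny_group, permit_out]      # deny rule moved to the top

if __name__ == "__main__":
    for label, policies in (("before Move", BEFORE_MOVE), ("after Move", AFTER_MOVE)):
        verdict = evaluate(policies, "192.168.10.100", "203.0.113.7", "HTTP")
        print(label, verdict, "shadowed:", shadowed(policies))
```

Running the shadow check after every reordering shows whether a Deny policy placed below a broader Permit policy is still reachable.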
  • Page 281: Example

    We set up six Policy examples in this chapter (table columns: No., Suitable Situation, Example, Page):
    - Outgoing: Set up the policy that can monitor the internal users. (Take Logging, Statistics, Alarm Threshold for example)
    - Outgoing: Forbid the users to access to specific network. (Take specific WAN IP and Content Blocking for example)
    - Outgoing...
  • Page 282 Set up the policy that can monitor the internal users. (Take Logging, Statistics, and Alarm Threshold for example) STEP 1﹒Enter the following setting in Outgoing Policy: Click New Entry Select Traffic Log Select Statistics Click OK (Figure12-1) Figure12-1 Setting the different Policies...
  • Page 283 STEP 2﹒Complete the setting of Traffic Log and Statistics in Outgoing Policy: (Figure12-2) Figure12-2 Complete Policy Setting STEP 3﹒Obtain the information in Traffic of Log function if you want to monitor all the packets of the ALL7008. (Figure12-3) Figure12-3 Traffic Log Monitor WebUI...
  • Page 284 STEP 4﹒The traffic records of Internet access through the Policy are displayed in Policy Statistics of the Statistics function. (Figure12-4) Figure12-4 Statistics WebUI...
  • Page 285 STEP 5﹒When the internal users' traffic exceeds the default Alarm Threshold, the policy rule shows up in Traffic Alarm of the Alarm function. (Figure12-5) Figure12-5 Traffic Alarm WebUI...
  • Page 286 Forbid the users to access to specific network. (Take specific WAN IP and Content Blocking for example) STEP 1﹒Enter the following setting in URL Blocking, Script Blocking, P2P Blocking, IM Blocking, and Download Blocking in Content Blocking function: (Figure12-6, 12-7, 12-8, 12-9, 12-10) Figure12-6 URL Blocking Setting Figure12-7 Script Blocking Setting Figure12-8 P2P Blocking Setting...
  • Page 287 Figure12-9 IM Blocking Setting Figure12-10 Download Blocking Setting 1. URL Blocking can restrict the internal users so that they can access only specific websites. 2. Script Blocking can restrict the internal users' access to the script files of websites. (Java, Cookies…etc.) 3.
  • Page 288 STEP 2﹒Enter as following in WAN and WAN Group of Address function: (Figure12-11, 12-12) Figure12-11 Setting the WAN IP that going to block Figure12-12 WAN Address Group The Administrator can group the custom address in Address. It is more convenient when setting policy rule.
  • Page 289 STEP 3﹒Enter the following setting in Outgoing Policy: Click New Entry Destination Address: Select WAN_Group that set by STEP 2. (Blocking by IP) Action, WAN Port: Select Deny Click OK (Figure12-13) Figure12-13 Setting Blocking Policy...
  • Page 290 STEP 4﹒Enter the following setting in Outgoing Policy: Click New Entry Select Content Blocking Click OK (Figure12-14) Figure12-14 Setting Content Blocking Policy STEP 5﹒Complete the setting of forbidding the users to access to specific network. (Figure12-15) Figure12-15 Complete Policy Setting Deny in Policy can block the packets that correspond to the policy rule.
  • Page 291 Only allow the users who pass Authentication to access to Internet in particular time STEP 1﹒Enter the following in Schedule function: (Figure12-16) Figure12-16 Add New Schedule STEP 2﹒Enter the following in Auth User and Auth User Group in Authentication function: (Figure12-17) Figure12-17 Setting Auth User Group The Administrator can use group function the Authentication and Service.
  • Page 292 STEP 3﹒Enter the following setting in Outgoing Policy: Click New Entry Authentication User: Select laboratory Schedule: Select WorkingTime Click OK (Figure12-18) Figure12-18 Setting a Policy of Authentication and Schedule STEP 4﹒Complete the policy rule of only allows the users who pass authentication to access to Internet in particular time.
  • Page 293 The external user controls the internal PC through remote control software (Take pcAnywhere for example) STEP 1﹒Set up an internal PC to be controlled by the external user; the internal PC’s IP Address is 192.168.1.2 STEP 2﹒Enter the following setting in Virtual Server1 of Virtual Server function: (Figure12-20) Figure12-20 Setting Virtual Server...
  • Page 294 STEP 3﹒Enter the following in Incoming Policy: Click New Entry Destination Address: Select Virtual Server1 (61.11.11.12) Service: Select PC-Anywhere Click OK (Figure12-21) Figure12-21 Setting the External User Control the Internal PC Policy STEP 4﹒Complete the policy for the external user to control the internal PC through remote control software.
  • Page 295: Concurrent Sessions

    Set up an FTP Server under DMZ NAT Mode and restrict the download bandwidth from external, Quota per Day, and MAX. Concurrent Sessions. STEP 1﹒Set up an FTP Server under DMZ, whose IP is 192.168.3.2 (The DMZ Interface Address is 192.168.3.1/24) STEP 2﹒Enter the following setting in Virtual Server1 of Virtual Server function: (Figure12-23) Figure12-23 Setting up Virtual Server Corresponds to FTP Server When using the function of Incoming or WAN to DMZ in Policy, strong suggests...
  • Page 296 STEP 4﹒Enter the following in WAN to DMZ Policy: Click New Entry Destination Address: Select Virtual Server1 (61.11.11.12) Service: Select FTP (21) QoS: Select FTP_QoS MAX. Concurrent Sessions: Enter 100 Quota Per Day: Enter 100000 Mbytes Click OK (Figure12-25) Figure12-25 Add New Policy STEP 5﹒Complete the policy of restricting the external users to access to internal network server (which may occupy the resource of network) (Figure12-26)
  • Page 297 Set a Mail Server to allow the internal and external users to receive and send e-mail under DMZ Transparent Mode STEP 1﹒Set a Mail Server in DMZ and set its network card’s IP Address as 61.11.11.12. The DNS setting is external DNS Server. STEP 2﹒Add the following setting in DMZ of Address function: (Figure12-27) Figure12-27 the Mail Server’s IP Address Corresponds to Name Setting in Address Book of Mail Server...
  • Page 298 STEP 4﹒Enter the following setting in WAN to DMZ Policy: Click New Entry Destination Address: Select Mail_Server Service: Select E-mail Click OK (Figure12-29) Figure12-29 Setting a Policy to access Mail Service by WAN to DMZ STEP 5﹒Complete the policy to access mail service by WAN to DMZ. (Figure12-30) Figure12-30 Complete the Policy to access Mail Service by WAN to DMZ...
  • Page 299 STEP 6﹒Add the following setting in LAN to DMZ Policy: Click New Entry Destination Address: Select Mail_Server Service: Select E-mail Click OK (Figure12-31) Figure12-31 Setting a Policy to access Mail Service by LAN to DMZ STEP 7﹒Complete the policy to access mail service by LAN to DMZ (Figure12-32) Figure12-32 Complete the Policy to access Mail Service by LAN to DMZ...
  • Page 300 STEP 8﹒Add the following setting in DMZ to WAN Policy: Click New Entry Source Address: Select Mail_Server Service: Select E-mail Click OK (Figure12-33) Figure12-33 Setting the Policy of Mail Service by DMZ to WAN STEP 9﹒Complete the policy access to mail service by DMZ to WAN. (Figure12-34) Figure12-34 Complete the Policy access to Mail Service by DMZ to WAN...
  • Page 302: Chapter13 Configure

    The Mail Security Configure function defines how the ALL7008 handles mail. In this chapter, it is divided into Setting and Mail Relay. After scanning the mails that sent to Internal Mail Server by Anti-Spam and...
  • Page 303 Define the required fields of Setting: Scanned Mail Setting: It can setup to deal with the size of mail in order to judge if to scan the mail or not. Unscanned Mail Setting: According to the unscanned mail, it can add an unscanned message in the mail subject.
  • Page 304 When receive unscanned mail, it will add the tag in front of the e-mail subject. (Figure13-2) Figure13-2 The Unscanned Mail Subject WebUI...
  • Page 305: Mail Relay

    Mail Relay setting is complete. For mail from external senders, the destination mail server has to be in the domain name setting; such mail can then be received by the ALL7008 and sent to the appointed mail server after filtering. (Figure13-3) Figure13-3 Mail Relay Setting WebUI...
  • Page 306 To setup ALL7008 between the original Gateway and Mail Server (Mail Server is in DMZ, Transparent Mode) Preparation The Original Gateway’s LAN Subnet: 172.16.1.0/16 WAN Port IP: 61.11.11.11 ALL7008’s WAN Port IP: 172.16.1.12 Mail Server IP: 172.16.1.13 Map the DNS Domain Name (broadband.com.tw) to DNS Server IP (setup MX record is Mail Server IP) When LAN (172.16.1.0/16) user use the sender account of broadband.com.tw...
  • Page 307 STEP 1﹒Add the first setting in Mail Relay function of Configure: Select Domain Name of Internal Mail Server Domain Name of Mail Server: Enter the Domain Name IP Address of Mail Server: Enter the IP address that Mail Server’s domain name mapped to (Figure13-4) Figure13-4 The First Mail Relay Setting WebUI STEP 2﹒Add the second setting in Mail Relay function of Configure: Select Allowed External IP of Mail Relay...
  • Page 308 The Headquarters setup ALL7008 as Gateway (Mail Server is in DMZ, Transparent Mode) to make the Branch Company’s employees can send mails via Headquarters’ Mail Server Preparation WAN Port IP of ALL7008: 61.11.11.11 Mail Server IP: 61.11.11.12 WAN Port IP of the Branch Company’s Firewall: 211.22.22.22 Map the DNS Domain Name (broadband.com.tw) to DNS Server IP (setup MX...
  • Page 309 STEP 1﹒Add the first setting in Mail Relay function of Configure: Select Domain Name of Internal Mail Server Domain Name of Mail Server: Enter the Domain Name IP Address of Mail Server: Enter the IP address that Mail Server’s domain name mapped to (Figure13-6) Figure13-6 The First Mail Relay Setting WebUI STEP 2﹒Add the second setting in Mail Relay function of Configure: Select Allowed External IP of Mail Relay...
  • Page 310: Anti-Spam

    The ALL7008 can filter the e-mails that are sent to the enterprise's mail server. This keeps the e-mail accounts that communicate with the outside from receiving mass advertisements or spam mail and, at the same time, reduces the burden on the mail server.
  • Page 311 Define the required fields of Setting: Spam Setting: It can choose the inspection way of the mails, where the mail server is placed in Internal (LAN or DMZ) or External (WAN) It can inspect all of the mails that are sent to the enterprise. Also can add score tag or message to the subject line of Spam mail while it exceeds the standard.
  • Page 312 Action of Spam Mail: Mail that is considered spam can be handled with Delete mail, Deliver to the recipient, or Forward to another mail account. After setting up the relevant settings in Mail Relay function of Configure, add the following settings in this function: 1.
  • Page 313 When receive Spam mail, it will add score tag and message in front of the subject of the E-mail. (Figure14-2) Figure14-2 the subject of the mail that considered as spam mail WebUI...
  • Page 314 When receive Ham mail, it will only add score tag in front of the e-mail’s subject (Figure14-3) Figure14-3 the subject of the mail that considered as Spam mail WebUI...
  • Page 315 Define the required fields of Rule Rule Name: The name of the custom spam mail determination rule Comment: To explain the meaning of the custom rule Combination: And: A mail must match all of the custom rule's conditions to be considered as spam mail or ham mail.
  • Page 316 Auto-Training: When Classification is set as Spam and enable this function, and then the mails that correspond to this rule will be trained to identify as spam mail according to the setting time in Training function When Classification is set as Ham (Non-Spam) and enable this function, and then the mails correspond to this rule will be trained to identify as ham (non-spam) mail according to the setting time in Training function Item:...
  • Page 317 To raise the judgment rate of spam mail after the ALL7008 learning the file. Ham Mail for Training: The System Manager can import the file which is determined as spam mail here. To raise the judgment rate of ham mail after the ALL7008 learning the file...
  • Page 318 Training time: The System Manager can set the training time for ALL7008 to learn the import file each day here. Define the required fields of Spam Mail Top Total Spam: To show the top chart that represent the spam mail that recipient receive...
  • Page 319 Advance Instruction: A mail server is the medium for sending and receiving all the e-mail on the Internet. An e-mail address is written as account@server.name. The part in front of the @ is the account; the part behind the @ is the Master’s name. When you send e-mail to josh@yahoo.com.tw, your sending software will go to DNS Server to find the mail Master name, mapped IP, and MX record first.
  • Page 320 The flow of delivering e-mail: The three key elements of sending e-mail are: MUA, MTA, MDA MUA (Mail User Agent): The PC of the client cannot send mail directly. It must deliver mail through an MUA. Whether sending or receiving mail, the client user has to use the mail system through the MUA provided by the operating system.
  • Page 321 To introduce the delivery procedure of the mail by two Send and Receive way: If the user wants to send the mail, the steps can be divided as follows: Use MUA to send mail to MTA: Enter the following setting while the user write e-mail by MUA: 1.
  • Page 322 And the action of user to receive mail is as follows: The PC that used by remote user will connect to his/her MTA directly, to ask MTA to check if its mailbox has mails or not. After MTA check by MDA, it will transfer the mail to the user’s MUA.
  • Page 323 If anyone can deliver mail through a mail server, it is called an Open Relay mail server. To avoid this problem, most mail servers do not enable the Relay function by default; they enable it only for Localhost.
  • Page 324: Example

    Ex 1: To detect if the mail from External Mail Server is spam mail or not
    Ex 2: Take ALL7008 as Gateway and use Whitelist and Blacklist to filter the mail. (Mail Server is in DMZ and use Transparent Mode)
    Ex 3: Place ALL7008 between the original Gateway and Mail Server to set up the Rule to filter the mail.
  • Page 325 To detect if the mail from External Mail Server is spam mail or not STEP 1﹒In LAN Address to permit a PC receiving the mail from external mail server. Its network card is set as 192.168.139.12, and the DNS setting is DNS server.
  • Page 326 STEP 5﹒Add the following setting in Setting of Anti-Spam function: (Figure14-7) Figure14-7 Action of Spam Mail and Spam Setting...
  • Page 327 The Anti-Spam function is enabled by default, so the System Manager does not need to make any additional settings: the ALL7008 filters spam from the mails that are sent to the internal mail server or received from the external mail server.
  • Page 328 STEP 6﹒When the internal users are receiving the mail from external mail account (js1720@ms21.pchome.com.tw), the ALL7008 will filter the mail at the same time and the chart will be in the Spam Mail in Anti-Spam function. (At this time, choose External to see the mail...
  • Page 329 Take ALL7008 as Gateway and use Whitelist and Blacklist to filter the mail. (Mail Server is in DMZ and use Transparent Mode) STEP 1﹒Set up a mail server in DMZ and set its network card IP as 61.11.11.12. The DNS setting is external DNS server, and the Master name is broadband.com.tw...
  • Page 330 STEP 6﹒Enter the following setting in Mail Relay function of Setting: (Figure14-14) Figure14-14 Mail Relay Setting of External Mail to Internal Mail Server Mail Relay function makes the mails that sent to DMZ’s mail server could be relayed to its mapped mail server by ALL7008...
  • Page 331 When Delete mail is selected in Action of Spam Mail, the other functions (Deliver to the recipient, or Forward to) cannot be selected. So when the ALL7008 has scanned a spam mail, it deletes it directly, but the relevant chart can still be checked in the Spam Mail function.
  • Page 332 STEP 8﹒Enter the following setting in Whitelist of Anti-Spam function: Click New Entry Whitelist: Enter share2k01@yahoo.com.tw Direction: Select From Enable Auto-Training Click OK (Figure14-16) Enter New Entry again Whitelist: Enter josh@broadband.com.tw Direction: Select To Enable Auto-Training Click OK (Figure14-17) Complete setting (Figure14-18) Figure14-16 Add Whitelist Setting 1 Figure14-17 Add Whitelist Setting 2...
  • Page 333 Figure14-18 Complete Whitelist Setting When enable Auto-Training function, the mail that correspond to Whitelist setting will be trained as Ham Mail automatically according to the time setting in Training function.
  • Page 334 (For example: *yahoo* means any e-mail account that contains “yahoo”) Whitelist takes priority over Blacklist, so when the ALL7008 filters spam mail, it applies the Whitelist first and the Blacklist next.
  • Page 335 After the ALL7008 has filtered the mail above, the following chart appears in the Spam Mail function of Anti-Spam. (Figure14-21)
  • Page 336: Transparent Mode

    Place ALL7008 between the original Gateway and Mail Server to set up the Rule to filter the mail. (Mail Server is in DMZ, Transparent Mode) The LAN Subnet of enterprise’s original Gateway: 172.16.1.0/16 The WAN IP of ALL7008: 172.16.1.12 STEP 1﹒Setup a Mail Server in DMZ and its network card IP is 172.16.1.13.
  • Page 337 STEP 4﹒Enter the following setting in WAN to DMZ Policy: (Figure14-24) Figure14-24 WAN to DMZ Policy Setting STEP 5﹒Enter the following setting in DMZ to WAN Policy: (Figure14-25) Figure14-25 DMZ to WAN Policy Setting STEP 6﹒Add the following setting in Mail Relay in Configure: (Figure14-26) Figure14-26 Mail Relay Setting of External Mail to Internal Mail Server...
  • Page 338 STEP 7﹒Enter the following setting in Rule of Anti-Spam function: Enter New Entry Rule Name: Enter HamMail Comments: Enter Ham Mail Combination: Select Or Classification: Select Ham (Non-Spam) Enable Auto-Training In the first field Item: Select From; Condition: Select Contains; Pattern: share2k01 Click Next Row In the second Item field: Select To;...
  • Page 339 STEP 8﹒Enter the following setting in Rule of Anti-Spam function: Enter New Entry Rule Name: Enter SpamMail Comments: Enter Spam Mail Combination: Select And Classification: Select Spam Action: Select Deliver to the recipient Enable Auto-Training Item: Select From; Condition: Select Contains; Pattern: yahoo (Figure14-29) Press OK (Figure14-30) Figure14-29 The Second Rule Setting...
  • Page 340 Rule takes priority over Whitelist and Blacklist, and within the Rule function an earlier rule takes priority over a later one. So when the ALL7008 filters spam mail, it applies Rule first, then Whitelist, and Blacklist last.
  • Page 341 After the ALL7008 has filtered the mail above, the following chart appears in the Spam Mail function of Anti-Spam. (Figure14-32)
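The precedence stated on pages 334 and 340 (Rule before Whitelist before Blacklist, earlier rules before later ones) is easiest to check by tracing sample mail through all three layers. This is an added example, not code from the manual or the device: the class and function names are hypothetical, the `*yahoo*` Blacklist entry and the sample mails are constructed, and the HamMail rule keeps only the first condition row because the second row is cut off on the page.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Condition:
    item: str       # "from" or "to"
    pattern: str    # text for the "Contains" condition

@dataclass
class Rule:
    name: str
    combination: str      # "and": every condition must hit; "or": any one
    classification: str   # "ham" or "spam"
    conditions: list

    def matches(self, mail):
        hits = [c.pattern.lower() in mail[c.item].lower() for c in self.conditions]
        return all(hits) if self.combination == "and" else any(hits)

@dataclass
class ListEntry:
    pattern: str      # full address, or a pattern with * wildcards
    direction: str    # "from" or "to"

    def matches(self, mail):
        return fnmatchcase(mail[self.direction].lower(), self.pattern.lower())

def matching_layers(mail, rules, whitelist, blacklist):
    """Every layer that matches, in priority order: rules, Whitelist, Blacklist."""
    hits = [(r.classification, f"rule:{r.name}") for r in rules if r.matches(mail)]
    hits += [("ham", f"whitelist:{e.pattern}") for e in whitelist if e.matches(mail)]
    hits += [("spam", f"blacklist:{e.pattern}") for e in blacklist if e.matches(mail)]
    return hits

def classify(mail, rules, whitelist, blacklist):
    """The highest-priority match decides; nothing matched means no list verdict."""
    hits = matching_layers(mail, rules, whitelist, blacklist)
    return hits[0] if hits else ("unclassified", "none")

def overridden(mail, rules, whitelist, blacklist):
    """Lower-priority matches whose verdict disagrees with the deciding layer."""
    hits = matching_layers(mail, rules, whitelist, blacklist)
    return [h for h in hits[1:] if h[0] != hits[0][0]]

# Settings taken from the manual's examples, except where marked constructed.
RULES = [
    Rule("HamMail", "or", "ham", [Condition("from", "share2k01")]),
    Rule("SpamMail", "and", "spam", [Condition("from", "yahoo")]),
]
WHITELIST = [ListEntry("share2k01@yahoo.com.tw", "from"),
             ListEntry("josh@broadband.com.tw", "to")]
BLACKLIST = [ListEntry("*yahoo*", "from")]            # constructed entry

# Constructed sample mails.
FRIEND = {"from": "share2k01@yahoo.com.tw", "to": "staff@broadband.com.tw"}
BULK = {"from": "ads@yahoo.com.tw", "to": "staff@broadband.com.tw"}
BULK_TO_JOSH = {"from": "ads@yahoo.com.tw", "to": "josh@broadband.com.tw"}

if __name__ == "__main__":
    for mail in (FRIEND, BULK, BULK_TO_JOSH):
        print(mail["from"], "->", mail["to"],
              classify(mail, RULES, WHITELIST, BLACKLIST),
              "overrides:", overridden(mail, RULES, WHITELIST, BLACKLIST))
```

The `overridden` output is the part worth reviewing: it lists Whitelist or Blacklist entries that a rule silently outranks for a given mail.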
  • Page 342 Use Training function of the ALL7008 to make the mail be determined as Spam mail or Ham mail after Training. (Take Outlook Express for example) To make the spam mail that had not detected as spam mail be considered as spam mail after training.
  • Page 343 Figure14-34 Create Folder WebUI...
  • Page 344 STEP 2﹒In Inbox-Outlook Express, move spam mail to SpamMail Folder: In Inbox, select all of the spam mails that do not judge correctly and press the right key of the mouse and move to the folder. (Figure14-35) In Move WebUI, select SpamMail Folder and click OK (Figure14-36) Figure14-35 Move Spam Mail WebUI...
  • Page 345 Figure14-36 Select Folder for Spam Mail to move to...
  • Page 346 STEP 3﹒Compress the SpamMail Folder in Outlook Express to shorten the data and upload to ALL7008 for training: Select SpamMail Folder (Figure14-37) Select Compact function in selection of the folder (Figure14-38) Figure14-37 Select SpamMail Folder...
  • Page 347 Figure14-38 Compact SpamMail Folder...
  • Page 348 STEP 4﹒Copy the path of the SpamMail file in Outlook Express so that it can be conveniently uploaded to the ALL7008 for training: Press the right key of the mouse in SpamMail file and select Properties function. (Figure14-39) Copy the file address in SpamMail Properties WebUI.
  • Page 349 Figure14-40 Copy the File Address that SpamMail File Store...
  • Page 350 Training field in Training function of Anti-Spam. Then press OK to deliver this file to the ALL7008 immediately; it will learn the uploaded mail file as spam mail at the appointed time. (Figure14-41) Figure14-41 Paste the File Address that SpamMail File Save to make ALL7008 to be Trained...
  • Page 351 The training file uploaded to the ALL7008 can be any data file, with no restriction on its file extension, but the file must be in ASCII form. When the training file for the ALL7008 is a Microsoft Office Outlook export file [.pst], Microsoft Office Outlook has to be closed first to start Importing...
  • Page 352 STEP 6﹒Remove all of the mails in the SpamMail file in Outlook Express so that new mails can be compacted and uploaded to the ALL7008 for training directly next time. Select all of the mails in the SpamMail file, right-click and select the Delete function.
  • Page 353 Figure14-43 Confirm that All of the Mail in SpamMail File had been Deleted...
  • Page 354 To make mail that is judged as spam mail be received by the recipient after training. STEP 1﹒Add a new HamMail folder in Outlook Express: Right-click Local Folders and select New Folder. (Figure14-44) Enter HamMail in Folder Name in the Create Folder WebUI and click OK.
  • Page 355 Figure14-45 Create Folder Function WebUI...
  • Page 356 STEP 2﹒In Inbox-Outlook Express, move spam mail to the HamMail folder: In Inbox, select the spam mail that all of the recipients need, right-click the mail and choose the Move to Folder function. (Figure14-46) Select the HamMail folder in the Move WebUI and click OK.
  • Page 357 Figure14-47 Select the Folder for Needed Spam Mail to Move to...
  • Page 358 STEP 3﹒Compact the HamMail folder in Outlook Express to shrink the data before uploading it to the ALL7008 for training: Select HamMail File. (Figure14-48) Select the Compact function for the file. (Figure14-49) Figure14-48 Select HamMail File...
  • Page 359 Figure14-49 Compact HamMail File...
  • Page 360 STEP 4﹒Copy the path of the HamMail folder in Outlook Express to make it convenient to upload for training on the ALL7008: Right-click the HamMail file and select the Properties function. (Figure14-50) Copy the file address in the HamMail Properties WebUI.
  • Page 361 Figure14-51 Copy the File Address that HamMail File Store...
  • Page 362 Training function of Anti-Spam. Then press OK to transfer this file to the ALL7008 immediately; it will learn the uploaded mail file as ham mail at the appointed time. (Figure14-52) Figure14-52 Paste the File Address that HamMail File Save to make ALL7008 to be Trained...
  • Page 363 STEP 6﹒Remove all of the mails in the HamMail file in Outlook Express so that new mails can be compacted and uploaded to the ALL7008 for training directly next time. Select all of the mails in HamMail, right-click and select the Delete function.
  • Page 364 Figure14-54 Make Sure all of the Mails in HamMail File had been Deleted...
  • Page 366 Chapter 15 Anti-Virus The ALL7008 can scan the mail sent to the Internal Mail Server and prevent the enterprise's e-mail accounts from receiving mail that contains viruses, which would otherwise cause internal PCs to be attacked by viruses and the enterprise to lose important messages.
  • Page 367 Define the required fields of Setting: Anti-Virus Settings: It can detect viruses in the mail sent to the internal mail server or received from the external mail server. It adds a warning message in front of the subject of mail in which a virus has been detected.
  • Page 368 Action of Infected Mail: For mail in which a virus has been detected, choose to Delete mail, Deliver to the recipient, or Forward to another mail account. After setting up the relevant settings in the Mail Relay function of Configure, add the following settings in this function: 1.
  • Page 369 Add the message ---virus--- in the subject line of infected mail. (Figure15-2) Figure15-2 The Subject of Infected Mail WebUI When Disable is selected in Virus Scanner, virus detection for e-mail stops.
  • Page 370 Define the required fields of Virus Mail: Top Total Virus: Shows the top chart of virus mail by the recipient who receives it and the sender who sent it. In Top Total Virus Report, you can choose to display the scanned mail sent to the Internal Mail Server or received from the External Mail Server. In Top Total Virus, the mail can be sorted by Recipient and Sender, Total Virus and Scanned Mail.
  • Page 371 We set up two Anti-Virus examples in this chapter: Example Page Ex 1 To detect whether the mail received from the external Mail Server has a virus or not. Ex 2 To detect whether the mail sent to the Internal Mail Server has a virus or not.
  • Page 372 To detect whether the mail received from the external Mail Server has a virus or not STEP 1﹒In LAN Address, permit a PC to receive mail from the external mail server. Its network card is set as 192.168.139.12, and the DNS setting is DNS server.
  • Page 373 STEP 5﹒Add the following setting in Setting of Anti-Virus function: (Figure15-6) Virus Scanner: Select Clam The Mail Server is placed in External (WAN) Add the message to the subject line: ---virus--- Select Remove virus mail and the attached file (Figure15-6) Figure15-6 Action of Infected Mail and Anti-Virus Settings...
  • Page 374 The Anti-Virus function is enabled by default, so the System Manager does not need any additional setup; the ALL7008 automatically scans the mails that are sent to the internal mail server or received from the external mail server.
  • Page 375 STEP 6﹒When internal users receive mail from the external mail account (js1720@ms21.pchome.com.tw), the ALL7008 scans the mail at the same time and the chart appears in Virus Mail in the Anti-Virus function. (At this time, choose External to see the mail...
  • Page 376 To detect whether the mail sent to the Internal Mail Server has a virus or not. (Mail Server is in LAN, NAT Mode) WAN IP of ALL7008: 61.11.11.12 LAN Subnet of ALL7008: 192.168.2.0/24 STEP 1﹒Set up a mail server in the LAN and set its network card IP as 192.168.2.12.
  • Page 377 STEP 4﹒Enter the following setting in Server1 in Virtual Server function: (Figure15-11) Figure15-11 Virtual Server Setting WebUI STEP 5﹒Enter the following setting in Incoming Policy: (Figure15-12) Figure15-12 Incoming Policy Setting STEP 6﹒Enter the following setting in Outgoing Policy: (Figure15-13) Figure15-13 Outgoing Policy Setting...
  • Page 378 STEP 7﹒Enter the following setting in Mail Relay function of Configure: (Figure15-14) Figure15-14 Mail Relay Setting of External Mail to Internal Mail Server The Mail Relay function lets mail sent to the LAN's mail server be relayed to its mapped mail server by the ALL7008.
  • Page 379 When Delete mail is selected in Action of Infected Mail, the other functions (Deliver to the recipient, or Forward to) cannot be selected. So when the ALL7008 has scanned mail that has a virus, it deletes it directly. But still can check the relevant...
  • Page 380 If it comes from another Yahoo sender account, share2k003@yahoo.com.tw, whose attached file is safe and contains no virus. After the ALL7008 has scanned the mails above, it shows the following chart in the Virus Mail function of Anti-Virus. (Figure15-16) Figure15-16 Report Chart When the Remove button in Total Virus Mail is clicked, the record of the chart is deleted and can no longer be checked in the Virus Mail function.
  • Page 382: Alert Setting

    Chapter 16 Alert Setting When the ALL7008 detects attacks from hackers and internal PCs sending large DDoS attacks, the Internal Alert and External Alert start blocking these packets to maintain the whole network. In this chapter, we will have the detailed illustration about Internal Alert and...
  • Page 383 【ICMP Flood Threshold( Total) Pkts/Sec】: The System Administrator can enter the maximum number of ICMP packets per second that is allowed to enter the network/ALL7008. If the value exceeds the setting, the device determines it to be an attack.
  • Page 384 Administrator can enter the maximum number of ICMP packets per second from an attacking source IP Address that is allowed to enter the network / ALL7008. If the value exceeds the setting, the device determines it to be an attack.
  • Page 385 Select this option to detect spoof attacks. Hackers disguise themselves as trusted users of the network in Spoof attacks. They use a fake identity to try to pass through the ALL7008 System and invade the network. Detect Port Scan Attack:...
  • Page 386 SYN on the TCP header is marked. Enable this function to detect such abnormal packets. After the System Manager enables External Alert, if the ALL7008 detects any abnormal situation, the alarm message appears in External Alarm in Attack Alarm.
  • Page 387: Internal Alert

    ALL7008 Alarm and to prevent the computer that is being attacked from sending DDoS packets to the LAN network STEP 1﹒Select Internal Alert in Alert Setting and enter the following settings: Enter The threshold sessions of infected Blaster (per Source IP) (the default value is 100 Sessions/Sec)
  • Page 388 Internal Alarm in Attack Alarm or send NetBIOS Alert notification to the infected PC Administrator’s PC (Figure16-2, 16-3, 16-4) If the Administrator starts the E-Mail Alert Notification in Setting, the ALL7008 will send e-mail to Administrator automatically. (Figure16-5)
  • Page 389 Figure16-4 NetBIOS Alert Notification to Administrator’s PC...
  • Page 390 Figure16-5 E-mail Virus Alert...
  • Page 392: Internal Alarm

    Attack Alarm The ALL7008 has two alarm forms: Internal Alarm and External Alarm. Internal Alarm: When the ALL7008 detects an internal PC sending large DDoS attacks, the Internal Alarm starts blocking these packets to maintain the whole network.
  • Page 393 We set up two Alarm examples in the chapter: Ex 1 (Suitable Situation: Internal Alarm) To record the DDoS attack alarm from internal PC. Ex 2 (Suitable Situation: External Alarm) To record the attack alarm about Hacker attacks the ALL7008 and Intranet...
  • Page 394 To record the DDoS attack alarm from internal PC STEP 1﹒Select Internal Alarm in Attack Alarm when the device detects DDoS attacks, to find out which computer is being affected. (Figure17-1) Figure17-1 Internal Alarm WebUI...
  • Page 395 To record the attack alarm about Hacker attacks the ALL7008 and Intranet STEP 1﹒Select the following settings in External Alert in Alert Setting function: (Figure17-2) Figure17-2 External Alert Setting WebUI...
  • Page 396 STEP 2﹒When Hacker attacks the ALL7008 and Intranet, select External Alarm in Attack Alarm function to have detailed records about the hacker attacks. (Figure17-3) Figure17-3 External Alarm WebUI...
  • Page 398: Chapter18 Log

    Administrator such as the time of change, settings that change, the IP address used to log in…etc. Connection Log records all of the connections of the ALL7008. When a connection has a problem, the Administrator can trace the problem back from this information.
  • Page 399 Internet or Intranet by ALL7008. Ex 2 (Event Log) To record the detailed management events (such as Interface and event description of ALL7008) of the Administrator. Ex 3 (Connection) To detect event description of WAN Connection...
  • Page 400 To detect the information and Protocol port that users use to access the Internet or Intranet through the ALL7008 STEP 1﹒Add a new policy in DMZ to WAN of Policy and select Enable Logging: (Figure18-1) Figure18-1 Logging Policy Setting STEP 2﹒Complete the Logging Setting in DMZ to WAN Policy: (Figure18-2)
  • Page 401 STEP 3﹒Click Traffic Log. It shows the records of packets that pass this policy. (Figure18-3) Figure18-3 Traffic Log WebUI...
  • Page 402 STEP 4﹒Click on a specific IP under Source IP or Destination IP in Figure18-3; a WebUI pops up showing the Protocol and Port of that IP. (Figure18-4) Figure18-4 The WebUI of detecting the Traffic Log by IP Address...
  • Page 403 STEP 5﹒Click on Download Logs and select Save in the File Download WebUI. Then choose where to save the file on the PC and click OK; the records are saved immediately. (Figure18-5) Figure18-5 Download Traffic Log Records WebUI...
  • Page 404 STEP 6﹒Click Clear Logs and click OK on the confirm WebUI; the records will be deleted from the ALL7008 instantly. (Figure18-6) Figure18-6 Clearing Traffic Log Records WebUI...
  • Page 405 To record the detailed management events (such as Interface and event description of ALL7008) of the Administrator STEP 1﹒Click Event log of LOG. The management event records of the administrator will show up (Figure18-7) Figure18-7 Event Log WebUI...
  • Page 406 STEP 2﹒Click on Download Logs and select Save in the File Download WebUI. Then choose where to save the file on the PC and click OK; the records are saved immediately. (Figure18-8) Figure18-8 Download Event Log Records WebUI...
  • Page 407 STEP 3﹒Click Clear Logs and click OK on the confirm WebUI; the records will be deleted from the ALL7008. (Figure18-9) Figure18-9 Clearing Event Log Records WebUI...
  • Page 408 To Detect Event Description of WAN Connection STEP 1﹒Click Connection in LOG. It shows the WAN Connection records of the ALL7008. (Figure18-10) Figure18-10 Connection records WebUI...
  • Page 409 STEP 2﹒Click on Download Logs and select Save in the File Download WebUI. Then choose where to save the file on the PC and click OK; the records are saved immediately. (Figure18-11) Figure18-11 Download Connection Log Records WebUI...
  • Page 410 STEP 3﹒Click Clear Logs and click OK on the confirm WebUI, the records will be deleted from the ALL7008 instantly. (Figure18-12) Figure18-12 Clearing Connection Log Records WebUI...
  • Page 411: Log Backup

    To save or receive the records that are sent by the ALL7008 STEP 1﹒Enter Setting in System, select the Enable E-mail Alert Notification function and set up the settings. (Figure18-13) Figure18-13 E-mail Setting WebUI STEP 2﹒Enter Log Backup in Log, select Enable Log Mail Support and click...
  • Page 412 STEP 3﹒Enter Log Backup in Log and enter the following settings in Syslog Settings: Select Enable Syslog Messages. Enter the IP that can receive Syslog in Syslog Host IP Address. Enter the receive port in Syslog Host Port. Click OK. Complete the setting. (Figure18-15) Figure18-15 Syslog Messages Setting WebUI...
  • Page 414: Chapter19 Alarm

    Chapter 19 Alarm Traffic Alarm: In control policies, the Administrator sets the threshold value for the traffic alarm. The System regularly checks whether the traffic for a policy exceeds its threshold value and adds a record to the traffic alarm file if it does.
  • Page 415 To show the alarm message about exceeding the Alarm Threshold of Policy STEP 1﹒Add the following setting in DMZ to WAN Policy: Alarm Threshold: Enter 10 Kbytes/Sec. Click OK. (Figure19-1) Figure19-1 Alarm Threshold Policy Setting STEP 2﹒Complete the Traffic Alarm setting in DMZ to WAN Policy function: (Figure19-2) Figure19-2 Complete Traffic Alarm Setting in DMZ to WAN Policy...
  • Page 416 Figure19-3 Traffic Alarm WebUI Traffic Alarm treats 15 minutes as one unit of time. The average traffic over one unit (15 min.) is compared with the Alarm Threshold of the Policy, and the ALL7008 sends a warning in Traffic Alarm if the average exceeds that value.
  • Page 418: Chapter20 Statistics

    Policy Statistics: The statistics of the Downstream/Upstream packets and Downstream/Upstream traffic records that pass a Policy. In this chapter, the Administrator can query the ALL7008 for statistics of the packets and data that pass across the ALL7008. The statistics provide the Administrator with information about network traffic and network loads.
  • Page 419 Define the required fields of Statistics: Statistics Chart: Y-Coordinate:Network Traffic(Kbytes/Sec) X-Coordinate:Time(Hour/Minute) Source IP, Destination IP, Service, and Action: These fields record the original data of the Policy. From the information above, the Administrator can know which Policy the Policy Statistics belong to. Time: To view the statistics by minutes, hours, days, months, or years.
  • Page 420: Wan Statistics

    WAN Statistics STEP 1﹒Enter WAN in the Statistics function; it displays all the statistics of the Downstream/Upstream packets and Downstream/Upstream records that pass the WAN Interface. (Figure20-1) Figure20-1 WAN Statistics function Time: To view the statistics by minutes, hours, days, months, or years.
  • Page 421 STEP 3﹒Statistics Chart (Figure20-2) Y-Coordinate:Network Traffic(Kbytes/Sec) X-Coordinate:Time(Hour/Minute) Figure20-2 To Detect WAN Statistics...
  • Page 422: Policy

    Policy Statistics STEP 1﹒If you have selected Statistics in Policy, the chart of that policy starts being recorded in Policy Statistics. (Figure20-3) Figure20-3 Policy Statistics Function To use the Policy Statistics function, the System Manager has to enable Statistics in Policy first.
  • Page 423 STEP 3﹒Statistics Chart (Figure20-4) Y-Coordinate:Network Traffic(Kbytes/Sec) X-Coordinate:Time(Hour/Minute/Day) Figure20-4 To Detect Policy Statistics...
  • Page 424: Status

    Users can see the connection status in Status, for example: LAN IP, WAN IP, Subnet Netmask, Default Gateway, DNS Server Connection, and its IP…etc. Interface: Displays all of the current Interface status of the ALL7008 Authentication: The Authentication information of the ALL7008...
  • Page 425: Interface

    STEP 1﹒Enter Interface in Status function; it will list the setting for each Interface: (Figure21-1) PPPoE Con. Time: The last time of the ALL7008 to be enabled MAC Address: The MAC Address of the Interface IP Address/ Netmask: The IP Address and its Netmask of the Interface Rx Pkts, Err.
  • Page 426 Figure21-1 Interface Status...
  • Page 427: Authentication

    Authentication STEP 1﹒Enter Authentication in the Status function; it displays the record of login status: (Figure21-2) IP Address: The authentication user IP Auth-User Name: The account the auth-user logs in with Login Time: The login time of the user (Year/Month/Day Hour/Minute/Second) Figure21-2 Authentication Status WebUI...
  • Page 428: Arp Table

    STEP 1﹒Enter ARP Table in the Status function; it displays a table of IP Address, MAC Address, and Interface information for the devices connecting to the ALL7008: (Figure21-3) NetBIOS Name: The identified name of the network IP Address: The IP Address of the network...
  • Page 429: Dhcp Clients

    DHCP Clients STEP 1﹒In DHCP Clients of the Status function, it displays the table of DHCP Clients that are connected to the ALL7008: (Figure21-4) IP Address: The dynamic IP that is provided by the DHCP Server MAC Address: The IP that corresponds to the dynamic IP...
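
The Traffic Alarm rule from Page 416 above (average traffic per 15-minute unit compared with the policy's Alarm Threshold), as an added Python example that is not code from the manual or the ALL7008. The per-second byte samples, the alignment of units to t=0, 1 KByte = 1024 bytes and the strict reading of "exceeds" are assumptions.

```python
from collections import defaultdict

UNIT_SECONDS = 15 * 60   # the manual's "one unit time"
KBYTE = 1024             # assumption: 1 KByte = 1024 bytes


def unit_averages(samples, unit_seconds=UNIT_SECONDS):
    """Return {unit_start: average KBytes/sec} for (timestamp, byte_count) samples.

    The average divides by the full unit length, so idle seconds count as zero.
    Units are aligned to multiples of unit_seconds (assumption).
    """
    totals = defaultdict(int)
    for ts, nbytes in samples:
        if nbytes < 0:
            raise ValueError("negative byte count")
        totals[ts - ts % unit_seconds] += nbytes
    return {start: total / KBYTE / unit_seconds
            for start, total in sorted(totals.items())}


def traffic_alarms(samples, threshold_kbytes_per_sec, unit_seconds=UNIT_SECONDS):
    """Return [(unit_start, average)] for units whose average exceeds the threshold."""
    return [(start, avg)
            for start, avg in unit_averages(samples, unit_seconds).items()
            if avg > threshold_kbytes_per_sec]   # assumption: strictly greater


def constructed_samples():
    """Constructed per-second byte counts for one policy (not real device data)."""
    samples = []
    # Unit 0: a 60-second burst at 100 KBytes/sec, then idle.
    samples += [(t, 100 * KBYTE) for t in range(0, 60)]
    # Unit 1: sustained 12 KBytes/sec for the whole 15 minutes.
    samples += [(t, 12 * KBYTE) for t in range(900, 1800)]
    # Unit 2: exactly 10 KBytes/sec, equal to the threshold but not above it.
    samples += [(t, 10 * KBYTE) for t in range(1800, 2700)]
    return samples


if __name__ == "__main__":
    # 10 KBytes/Sec is the Alarm Threshold used in the manual's example policy.
    for start, avg in traffic_alarms(constructed_samples(), 10):
        print(f"unit starting at t={start}s: average {avg:.2f} KBytes/sec exceeds threshold")
```

Under these assumptions the 60-second burst at ten times the threshold raises no alarm, because its average over the whole unit is below 10 KBytes/Sec; short spikes need a separate check such as the Traffic Log.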
