User Guide
State: 2016-12-13, V7.0-2-0

Summary of Contents for XnetSolutions SX-GATE

  • Page 1 User Guide State: 2016-12-13, V7.0-2-0...
  • Page 2: Table Of Contents

    2.1 Warning (p. 9); 2.2 For Your Safety (p. 10); 2.3 The Power Plug (p. 11); 2.4 Installation Site (p. 12); 3 Preparing the new SX-GATE unit (p. 13); 3.1 Packaging (p. 13); 3.2 Accessories Provided (p. 14); 3.3 Connecting the device (p. 15); 3.3.1 Connecting to ADSL dial-up lines (p. 15); 3.3.2 Connecting to an external router / xDSL-leased line Internet...
  • Page 3 8.3 Web-Mail (p. 39); 8.4 Contact (p. 40); 9 Statistics (p. 42); 9.1 System load (p. 42); 9.2 Network (p. 43); 9.2.1 Connections (p. 43); 9.2.2 Throughput (p. 43); 9.2.3 Bandwidth (p. 43); 9.3 Firewall (p. 45); 9.3.1 Packet filter (p. 45); 9.3.2 IDS/IPS (p. 45); 9.4 Mail server (p. 46); 9.5 Proxies (p. 47); 9.5.1 Web proxy...
  • Page 4 12.8 Licence (p. 152); 13 Wizards (p. 153); 13.1 LAN integration (p. 153); 13.2 Internet access (p. 157); 13.3 Proxy configuration (p. 166); 13.4 Email configuration (p. 174); 13.5 L2TP IPSec VPN (p. 190); 13.6 Support access (p. 195); 14 Modules (p. 199); 14.1 Network (p. 199); 14.1.1 Settings (p. 199); 14.1.2 Interfaces...
  • Page 5 15.1 Microsoft Windows (p. 453); 15.1.1 Automatic configuration (p. 454); 15.1.2 Manual configuration (p. 457); 15.2 Mac OS X (p. 473); 15.3 Apple iPhone (p. 474); 16 Contact (p. 477); 17 SX-GATE Support (p. 478); 18 Technical Specifications (p. 479); 19 CE Statement of Conformity (p. 480). Table of content...
  • Page 6: Preface

    Preface Thank you for choosing the SX-GATE product. This device includes a router, Internet appliance server, firewall and e-mail server... and all concentrated in just one box! SX-GATE also offers you a whole choice of other features, depending on the specific SX-GATE model.
  • Page 7 This product includes software developed by David Corcoran <corcoran@linuxnet.com> http://www.linuxnet.com (MUSCLE) This product includes software developed by Diego Rivera This product includes software developed by Emmanuel Dreyfus This product includes software developed by Gunnar Ritter and his contributors This product includes software developed by IAIK of Graz University of Technology. This product includes software developed by Inferno Nettverk A/S, Norway This product includes software developed by Jim Paris This product includes software developed by Lars Fenneberg...
  • Page 8: Trademarks

    Trademarks All companies and products that are named in this document are registered trademarks of their respective owners. SX-GATE is a registered trademark of XnetSolutions KG. The naming of unlisted trademarks does not necessarily mean their free availability. Copyright ©, XnetSolutions KG...
  • Page 9: Precautions And Guidelines

    Precautions and Guidelines Before you start to operate SX-GATE, please read through the following sections very carefully. Warning To prevent fire and electric shocks please keep this device away from rain and wet areas. 2 Precautions and Guidelines...
  • Page 10: For Your Safety

    For Your Safety Do not open the device casing or try to operate it while open under any circumstances, since this may cause an electrical shock. Furthermore, serious damage may be caused to the device itself. There are no parts inside the device which should be tampered with by non-specialists.
  • Page 11: The Power Plug

    The Power Plug Do not try and use the power plug with moist or wet hands. Keep the network cable away from heat and do not place any heavy objects on it. If the device starts to emit smoke, unusual noises or smells, remove the power plug immediately and contact customer services.
  • Page 12: Installation Site

    (more than 35°C), or areas that are moist (more than 90%) and dusty. Do not try to set up the device where vibrations may be present. Use a flat surface, otherwise the inside of the device will be prone to damage. Keep SX-GATE away from magnetic areas or areas that contain magnets, e.g. speakers.
  • Page 13: Preparing The New Sx-Gate Unit

    (e.g. from a cold vehicle to a heated room), wait approx. 1 hour so it can become acclimatised. This is advisable since condensation may have built up in the device which can cause serious damage. 3 Preparing the new SX-GATE unit...
  • Page 14: Accessories Provided

    Accessories Provided Check the packaging contents with the following list. If any parts are missing, please contact your dealer (see chapter Contact [p.477]). • SX-GATE (Internet-Firewall-Gateway) • Power cable (220V) 3.2 Accessories Provided...
  • Page 15: Connecting The Device

    We recommend connecting the DSL modem directly through an otherwise unused network interface of SX-GATE. For the Internet connection usually a second network interface is provided in the system. The interface is called "eth1" and may also be labeled with the acronyms "DSL"...
  • Page 16: Connecting To An External Router / Xdsl-Leased Line Internet Connection

    3.3.2 Connecting to an external router / xDSL-leased line Internet connection Usually, the second built-in network interface is provided for an Internet connection. The interface is called "eth1" and may also be labeled with the acronyms "DSL" or "WAN". Connect this interface directly with the external router. This might require a crossover network cable which is not included.
  • Page 17: Connecting To The Local Network (Lan)

    3.3.3 Connecting to the local network (LAN) SX-GATE is connected to your LAN via the first network interface of the system. The interface is called "eth0" and may also be labeled with the acronym "LAN". Connect this interface with an unused port of your LAN switch.
  • Page 18: Connection With The Power Supply

    230 volts alternating current (AC). We recommend connecting the device to an uninterruptible power supply (UPS) unit. Otherwise, in case of a sudden power failure, the SX-GATE configuration and respective hardware components could be affected.
  • Page 19: Start-Up

    Start-up Prerequisites As all SX-GATE settings are made via the web interface, a computer with a web browser such as Microsoft Internet Explorer or Mozilla Firefox is required. This device must be able to access SX-GATE's LAN interface via the network. It might be necessary to temporarily change the device's IP configuration.
  • Page 20: Switching On And Booting

    Push the power button on the front of the device. The boot process takes about two minutes. Please wait for this period before you continue! Some SX-GATE models include an LCD display in the front panel. It indicates that the device is ready when the boot message is replaced by a status display.
  • Page 21: Setting Up Sx-Gate's Ip Address

    All devices on the network must use the same network mask. Note that SX-GATE is not able to automatically obtain an IP address from an available DHCP server. SX-GATE must always have the same LAN IP address in order to provide its functionality.
  • Page 22: Changing The Ip Address With The Web Browser

    4.3.2 Changing the IP address with the web browser If your SX-GATE model does not include a built-in display you will have to change the IP address in the web administration interface. This requires a computer with a web browser and an IP address between 192.168.0.1 and 192.168.0.253 with netmask 255.255.255.0.
  • Page 23: Check The Connection To Sx-Gate

    Check the connection to SX-GATE To verify the network connection between your computer and SX-GATE use the "ping" command. If SX-GATE answers your computer's ping request, the IP connection is ok. Open the command line of your computer's operating system and enter the following command: ping 192.168.0.254...
  • Page 24: First Settings

    Make sure the browser is not configured to use a proxy which might interfere with the connection. In some cases a screen may appear, asking for the SX-GATE license key. You should have received the key from your SX-GATE dealer. The key consists of 5 groups of characters, each 5 characters long and separated by dashes.
  • Page 25: Basic Configuration

    IP. It's now time to reset your computer's IP address if you had to change it in order to access SX-GATE on its default IP. Then you will also have to adapt the IP in the browser's address bar to regain access to SX-GATE's administration interface.
  • Page 26: Configuring Computers In The Lan

    Configuring computers in the LAN In order to provide secure Internet access for LAN computers via SX-GATE, certain settings have to be made. Network parameters A suitable IP address and netmask is already sufficient for a computer system on the LAN to gain limited Internet access via SX-GATE.
  • Page 27: Setting Up The Web Browsers

    Look for network, connection or LAN settings or refer to the browser's manual. Enter the LAN IP of SX-GATE and port 8080 as proxy. In browsers used to configure SX-GATE you should exclude SX-GATE's LAN IP from proxy access.
  • Page 28: Home

    Home SX-GATE can be configured without relying on JavaScript or cookies. However, for full convenience and user experience JavaScript is required. Cookies are used to store each user's individual customizations. The following features all rely on a modern browser with JavaScript enabled.
  • Page 29: Getting Started

    Getting started This docklet provides a checklist for SX-GATE's initial basic setup. Click on the texts to configure the corresponding subsystem or task. When done, close the docklet by clicking on the "X"...
  • Page 30: Services

    A yellow light is shown for a service which is currently running but won't be started while booting. SX-GATE info This docklet gives a brief overview of your SX-GATE and its licenses. SX-GATE status If a quick system check reveals something unusual, the observations are reported here.
  • Page 31 Filtering is case insensitive. For complex filter expressions, so-called "regular expressions" are supported. Here's a quick syntax overview: "+-?.*^$()[]{}|\": characters with a special meaning. To match one of these characters, precede it with a backslash. So e.g. "\." will match a dot. "-" (dash) at the beginning of the expression: inverts the meaning of the expression.
  • Page 32: My Account

    New password Here you can change your password which is required to access various services of SX-GATE. When typing the new password, an asterisk will be displayed for every character. To verify the new password you have to enter it twice.
  • Page 33: Email Options

    A SPAM mail is an unsolicited email, usually with dubious origin. The SPAM mail filter of SX-GATE classifies emails by identifying typical phrases and other attributes indicating an unsolicited email. SX-GATE contains a database of checks to perform and all matches result in a score which in turn allows filtering emails.
  • Page 34 "******* SPAM *******" and the SPAM score. Deliver tagged emails to As an option SX-GATE can deliver tagged SPAM mails into a separate SPAM folder. This folder is accessible with SX-GATE's web mailer or via IMAP (folder Mail/SPAM).
  • Page 35 To avoid loss of important emails you should be very careful when activating this option. You should select a value which is rather too high than too low. Please note that automatically deleting email may be subject to legal constraints or might even be prohibited by law.
  • Page 36 * (Asterisk) It represents a sequence of arbitrary characters. The sequence may also be missing. As searching for such a sequence of any length is rather time-consuming, an asterisk matches no more than 30 characters. The pattern "a*d" will match e.g. "ad", "a_d"...
  • Page 37 SPAM filter blacklist If you receive SPAM mails from the same sender again and again and the SPAM mail filter does not identify these emails as SPAM, you should add the sender to this list. The SPAM filter will add 100 points to the SPAM score of a mail, if the sender is found in this list.
  • Page 38 Vacation message It is possible to generate an automatic reply to incoming mails. Typically it is used for a vacation autoreply. However you could also use this feature to automatically confirm email delivery. No reply will be generated for emails which have been tagged as SPAM.
  • Page 39: Web-Mail

    "system-mail". It is not required to be member of group "system-admin". However, users with this limitation will not be able to access web mail through the menu of SX-GATE's administration interface. They have to type in the direct URL https://NAME_or_IP/webmail/ Web mail requires that the browser is JavaScript enabled.
  • Page 40: Contact

    The included information will be stored and used solely for marketing and support of SX-GATE. The data will be made available to authorised SX-GATE partners only. You can have your details removed anytime by sending an email to the stated email address.
  • Page 41 Internet connection. 8.4-I Support Here you can find the details of the technical support for SX-GATE. Please do not forget to include the information stated on tab ID card in your inquiry. 8.4-J Info Here you can find the details of the manufacturer.
  • Page 42: Statistics

    Statistics In the main menu "Statistics" you can look at various statistics for some of SX-GATE's modules. System load Selecting this menu item you will be presented with graphical statistics which inform you about the system status. On the main page a scaled down image of all hourly stats is available.
  • Page 43: Network

    Network In this menu several different network statistics are available. These include hourly, daily, weekly, monthly and yearly graphs on each topic. The hourly and daily statistics are updated every 10 minutes. All other graphs are generated daily at midnight. 9.2.1 Connections The connection table of the stateful inspection firewall is used for this graph.
  • Page 44 can page through the entries or open the table in fullscreen mode. Pick an entry by clicking either its title or the pencil icon to enter the detail view. 9.2.3 Bandwidth...
  • Page 45: Firewall

    9.3.2 IDS/IPS This menu offers statistics of the events detected by SX-GATE's Intrusion Detection System (IDS). The stats are updated daily at midnight. Besides an overview of the last 12 months, detailed statistics are available for each month.
  • Page 46: Mail Server

    Mail server If the mail server of SX-GATE has been activated, access statistics are provided here. The stats are updated daily at midnight. Besides an overview of the last 12 months, detailed statistics are available for each month. Click on the respective month to change the view. The monthly statistics will provide an overview of each day and the distribution of requests per hour.
  • Page 47: Proxies

    Proxies 9.5.1 Web proxy This menu item allows you to inspect the usage of SX-GATE's web proxy. The statistics are updated daily at midnight. If the virusscan option of SX-GATE's web proxy is active, requests can bypass the scan when sent to the web cache running on port 8081.
  • Page 48: Reverse Proxy

    The amount of data received is given in kilobytes. 9.5.2 Reverse proxy If the reverse proxy of SX-GATE is running, access statistics are available here. The stats are updated daily at midnight. Besides an overview of the last 12 months, detailed statistics are available for each month.
  • Page 49: Web Server

    Web server If the internet web server of SX-GATE has been activated, access statistics are provided here. The stats are updated daily at midnight. Besides an overview of the last 12 months, detailed statistics are available for each month. Click on the respective month to change the view. The monthly statistics will provide an overview of each day and the distribution of requests per hour.
  • Page 50: Monitoring

    Monitoring In the main menu "Monitoring" you can choose from a variety of diagnostic functions in order to get an impression of the current status of SX-GATE or to figure out reasons for any functionality problems. 10.1 Log files 10.1.1 Settings Besides archiving log files on SX-GATE itself, these can also be copied to an FTP, SMB or a secure shell server.
  • Page 51 URL in the format "scp://LOGIN@ADDRESS/PATH/FILENAME" (e.g. scp://admin@127.0.0.1/logs/messages.log). SX-GATE will not authenticate itself with a password, but with an RSA key. The secure shell server has to be configured accordingly. Also with secure shell the specification of a path is optional. If subdirectories are given they must exist on the server.
  • Page 52: Search

    Please select a log file from the list first. The following log files are available: important messages Errors and other important messages from all modules of SX-GATE. The log will also contain some system messages generated during the booting procedure.
  • Page 53 (priorities 2, 3 or 4). The final columns contain the layer 3 protocol, source and destination IP and the ports. IPSec This file contains the messages logged by SX-GATE's IPSec VPN server. Clustering This logfile records the actions of the cluster.
  • Page 54 POP3 and IMAP4 server of SX-GATE. Web cache access In this file all accesses made to SX-GATE's proxy server on port 8080 are logged. Web cache messages Messages from SX-GATE's web cache can be found in this log.
  • Page 55 Display up to The display is normally limited to 100 lines. However, you can define a different limit using this selection field. Search lines containing Enter a search pattern to display only matching lines from the selected log. The pattern must conform to the rules of the so-called "regular expressions".
  • Page 56 the left you can define filter expressions. A detailed explanation can be found in the live log documentation. 10.1.2 Search...
  • Page 57: Network

    Interfaces Interface table On this screen you can find an overview of all physical interfaces of SX-GATE. Per interface there is also a packet counter for incoming (RX) and outgoing (TX) packets. These can be useful to track down problems. For instance a high "carrier" counter indicates a faulty physical network connection.
  • Page 58: 1-Carp

    IP address reputation The dynamic firewall permanently evaluates the actions of IP addresses connected with or via SX-GATE. You can inspect the current scores here. Depending on the firewall configuration, addresses with a bad score may be blocked automatically. In this case the remaining blocking time will be listed as well.
  • Page 59: 1-Gipsec

    Name of the corresponding ipsec interface Type Connection type (Server, Client or L2tp) Name Connection name given in SX-GATE's configuration section Peer The peer's current IP address if the tunnel is active Peer's ID local / remote Net Local and remote end of the tunnel this connection refers to...
  • Page 60: Dial-Up

    The following information is provided here: Card (Channel) The ISDN adapters of SX-GATE are numbered consecutively. Counting starts with 0. Each ISDN adapter provides two B channels, denoted as channel 0 and 1. For each B channel you will see one line which includes both the adapter and channel number.
  • Page 61 Click this button to hang up the ADSL line if it is online. Test ADSL line SX-GATE will send out a PADI packet on the selected interface if you click this button. If it is answered with a PADO packet, the name of your provider's DSL access concentrator is printed.
  • Page 62: Tools

    Here you can specify where to send the "ping". You can specify either an IP address or a DNS name. If you enter a DNS name, the name server of SX-GATE must be running and name resolution must be working.
  • Page 63: 3-Bipv6 Ping

    Here you can specify where to send the "ping". You can specify either an IP address or a DNS name. If you enter a DNS name, the name server of SX-GATE must be running and name resolution must be working.
  • Page 64: 3-Cipv4 Traceroute

    Here you can specify where to send the "traceroute". You can specify either an IP address or a DNS name. If you enter a DNS name, the name server of SX-GATE must be running and name resolution must be working.
  • Page 65: 3-Edns Query

    Here you can make a choice, to which name server the request will be sent. Usually name resolution uses SX-GATE's DNS. However if name servers of your provider have been configured, these will also be available here, so they can be contacted directly.
  • Page 66: Snmp

    Name servers currently used by SX-GATE The servers SX-GATE currently uses to resolve names are shown here. If the list is empty, SX-GATE uses the Internet root name servers. If SX-GATE is configured to accept DNS addresses on dial-up links, the server addresses received from the ISP will show up here.
  • Page 67 Privacy passphrase The SNMP communication is encrypted, using this passphrase. Please use a rather long string, consisting of upper and lower case characters, digits and special characters. At least 8 characters are required. Privacy protocol Please select the cipher. Contact This value serves for informational purposes only.
  • Page 68: Mail Server

    Queue Queued emails Mails waiting in SX-GATE's outgoing mail queue are listed in this area. Apart from the internal ID of the mail, you can also see its size in bytes, the time it was queued, the sender and the recipient. In case of any problems, the respective error message is displayed, too.
  • Page 69 Poll for Mails Retrieve mails now Press this button to start a recorded poll for emails by the SX-GATE mail client. A new browser window will open which allows you to observe the entire process of retrieving mails from the configured POP3 and ETRN servers. This is especially useful to trace problems e.g.
  • Page 70 Mailboxes Local mailboxes Here you see a list of all inboxes of SX-GATE's POP3/IMAP4 server. Apart from the account name, the total size of the inbox is listed. The next column gives the date and the time of the last modification of the inbox (last incoming mail or last time mails have been deleted).
  • Page 71 Delete emails from selected mailbox Press this button to view the contents of the mailbox which has been selected in the list. You will then have the possibility to delete specific mails from this mailbox. Mailbox contents … Please select the emails to be deleted In this list you can select those emails you want to delete by clicking in "Finish".
  • Page 72: Web Proxy

    10.4 Web proxy The configuration options in this menu are structured by topic. You can change between the different screens by clicking on the tabs at the top. 10.4-A URL filter (p. 72); 10.4-B Content filter (p. 72). 10.4-A URL filter Here you can test the web proxy's URL filter. The URL you want to check.
  • Page 73 unknown (yellow) The virus scanner reported errors while scanning the file. Virus (red) A virus has been found. We suggest that files having a yellow or red state are scanned for viruses before accessing them on a workstation. 10.4 Content filter quarantine...
  • Page 74: Definitions

    Definitions In the main menu "Definitions" you define various objects which are used by various setup options. 11.1 IP objects Give a name to individual IP addresses or networks or group them. You can then use these definitions in various configuration options, e.g. firewall rules. This enhances readability and clarity.
  • Page 75 IPv6 address This option lets you create a single IPv6 address. It may depend upon a prefix. A prefix object contains for example the prefix "2001:db8:0:1::/64". Make the IPv6 address refer to the prefix, configure the interface ID "::1234" and you get the IP "2001:db8:0:1::1234".
  • Page 76 restarts, after changes in IP objects and at regular intervals as configured in menu "Modules > DNS > Settings" on tab "DNS IP objects". Since DNS data can be forged comparatively easily, we do not recommend using them for sensitive settings such as inbound firewall rules.
  • Page 77 Geolocation You can use IP objects of this type in firewall rules only. SX-GATE includes a built-in database of all IP addresses associated with the respective country. So this is not a DNS based solution. Database updates are shipped as part of the SX-GATE updates.
  • Page 78: Protocols

    11.2-A Protocol signature In multiple SX-GATE configuration screens you will find protocol selection lists. The firewall and the SOCKS proxy configuration are good examples. The available choices for these selection lists are configured here. There are already a couple of predefined protocols, but it's also possible to add your own entries here.
  • Page 79 Protocol Select one of TCP and UDP. For other protocols select the lowest switch and enter either the number or the name of the requested IP protocol. Src.port Select the source port here. TCP based applications usually allocate a random port from the range 1024-65535.
  • Page 80: Periods

    11.3 Periods You can restrict a firewall policy rule to a certain period of time on specific weekdays by assigning to it one of the periods defined here. A table gives you an overview of all available objects. If there are more than 10 entries, a navigation bar will appear below the right bottom hand corner of the table where you can page through the entries or open the table in fullscreen mode.
  • Page 81: Url Filter Lists

    11.4 URL filter lists In this menu you can define Internet access lists for the SX-GATE web proxy. These lists will then be applied to certain users, IPs or networks in the web proxy configuration. The URL filter has to be enabled and the lists must be assigned in the web proxy configuration.
  • Page 82: A Domains

    "mp3", ".mp3" or "*.mp3". All three formats refer to the extension "mp3". For each request, SX-GATE tests whether the filename ends with a dot, followed by one of the listed extensions. The comparison is case insensitive.
  • Page 83: C Database Categories

    11.4-C Database categories Entertainment Chat, private forums, gaming, shopping, sports and many more. German school project "Deutscher Bildungsserver" The German school project "Deutscher Bildungsserver" has kindly provided us with an online resources database. A whitelist has been generated which allows access to the addresses included.
  • Page 84: E Extended

    11.4-E Extended Description "…" This field serves for documentation only. Block addresses containing porn keywords If this option is activated, the requested address (URL) will be scanned for key words that may insinuate pornographic content. Also here only the address itself will be checked, not the actual contents of the addressed Internet server.
  • Page 85: System

    System You can find everything needed for the day-to-day administration of your SX-GATE in the main menu "System". Among others it comprises the user administration as well as the backup and update functions. 12.1 Setup The configuration options in this menu are structured by topic. You can change between the different screens by clicking on the tabs at the top.
  • Page 86 12.1-B Download proxy Here you can configure a global proxy that must be used for downloads initiated by SX-GATE. This includes e.g. updates of SX-GATE, antivirus signatures, IDS and URL filter lists. 12.1-C Clustering With this function you have the ability to use two SX-GATEs as a failover cluster. No additional interface is needed, since the synchronisation can be done over the LAN interface.
  • Page 87 Master IP In this field you insert the IP address for the interface on the master node, which is used for the synchronisation between the master and backup. Normally the LAN interface is used. Backup IP In this field you insert the IP address for the interface on the backup node, which is used for synchronisation between the master and backup.
  • Page 88 Import or issue a new certificate Install a new certificate in here. SX-GATE can issue a self-signed certificate, but it also offers the required functions to obtain a certificate from a public certification authority (CA). Finally you can reinstall a certificate backup here.
  • Page 89 (CSR). The certificate which will be returned by the CA can be installed by selecting the option below. Select this option to request a "real" certificate for SX-GATE's administration server. The users' browser will then no longer complain about a certificate issued by an unknown CA.
  • Page 90 Issue the certificate to the address which is normally used to connect with the service from the Internet. Usually this is the Internet DNS name of SX-GATE. You can also issue a wildcard certificate (e.g. *.example.com).
  • Page 91 Old systems like e.g. Windows XP before SP3 might only support keys with max. 2048 bit and an SHA1 hash. Certificate request Entering this screen, a certificate request will be generated on SX-GATE. Select certificate file Here you can import the certificate you received back from the certificate authority.
  • Page 92 There's no way to restore a purchased certificate without backup. 12.1 Setup...
  • Page 93: Services

    12.2 Services Most SX-GATE services are shown in this menu. You can start, stop or restart services here. The green and red symbols indicate the current status of the services. "Start", "restart" and "stop" also determine if the service will be launched next time the system is booted.
  • Page 94 It is not possible to start this service if no ovpnc or ovpns interface has been configured yet. Firewall The SX-GATE firewall is always active. Therefore it is not possible to stop this service. However it can be restarted. Intrusion Detection The Intrusion Detection System (IDS) analyzes the contents of IP packets, using a signature database.
  • Page 95 This service is required for DNS name resolution. Clients in internal networks should send DNS requests to this service which in turn forwards them into the Internet. Besides using it as DNS forwarder, SX-GATE's DNS can also manage the DNS information of internet domains.
  • Page 96 "System > Setup". HTTP server If this server is running, SX-GATE provides a simple web server. It can be used to publish documents for the internal networks. An additional web space can be configured, which will also be available on the Internet.
  • Page 97 Windows shares Activate this service if you want to have access to SX-GATE's web server directories via Windows network shares. NTP time server The NTP time server allows clients to synchronise their system time with SX-GATE's. If the clients synchronise using the protocols time, daytime or the windows shares, it is not necessary to activate this service.
  • Page 98 TCP port 8080 must be used instead. FTP server FTP is used to download or upload files. On SX-GATE this is allowed for specific users only. Please refer to "Modules > FTP server" for further information. Telnet With telnet you can connect to SX-GATE's system level.
  • Page 99 SX-GATE. We suggest using the wizard "Proxy configuration" for this. Apcupsd UPS client If SX-GATE's power supply is backed by an APC UPS which is monitored with apcupsd, SX-GATE can query the UPS status and shutdown in time if necessary. 12.2 Services...
  • Page 100 On the master node of a SX-GATE cluster the SSH server is required for synchronizing the configuration. SX-GATE configuration The web administration interface of SX-GATE is operated by this service. Therefore it is not possible to stop it. When restarting this service, the browser will most likely report an error just after submitting the request.
  • Page 101: User Administration

    "system-mail" to the list "External mail addresses" on tab "Mail settings". system-proxy A user must be member of this group to gain access to those SX-GATE proxies which require authentication. system-admin Members of this group have access to the SX-GATE administration. The "My Account"...
  • Page 102: Settings

    Active Directory link You can link SX-GATE with Microsoft's Active Directory. This feature can be used to import users and groups once or sync them regularly. If SX-GATE's mail server forwards inbound emails to an internal Exchange server, SX-GATE can verify recipient addresses by looking them up in the Active Directory.
  • Page 103 Password If authentication is required by the Active Directory, the password goes in here. Use SSL encryption Enabling this option will encrypt all communication between SX-GATE and Active Directory. Check LDAP connection If at least the server address has been configured you can test the LDAP connection with this button.
  • Page 104 Now what about the users and groups which are available on SX-GATE but not in the Active Directory? In general it makes no difference if the respective user or group has been added on SX-GATE by hand or if it is an imported object which is no longer selected in the Active Directory.
  • Page 105 SX-GATE. This avoids the loss of data and settings. • The members of a SX-GATE system group will not be changed if this group is not or no longer found in the Active Directory. • A non-system group will lose all of its members. Note that the group will still serve e.g.
  • Page 106 Import now Press this button to start the user and group import. If the SX-GATE password DLL has been installed on the domain controller the user's password will be updated, too. A log of the whole process will be displayed in a new browser window.
  • Page 107: Users

    DLL in plaintext. The DLL will then compute a one-way hash which is used by SX-GATE to authenticate users. This hash value is saved in the Active Directory and SX-GATE reads it while importing the users. A one-way hash allows no reverse engineering of the original password.
  • Page 108: 2-A Groups

    By default, a new user will not be able to access any SX-GATE service which requires a password. The new user has to be added to system groups to be authorised for the respective services. The configuration options in this menu are structured by topic. You can change between the different screens by clicking on the tabs at the top.
  • Page 109: 2-B Password

    Optionally the user can be entitled to use the credentials for authenticated access to the mail relay server of SX-GATE. This is necessary if the mail server has been configured to forward mail to the Internet only after a successful SMTP-Auth login.
  • Page 110: 2-C Mail Administration

    This function allows you to set or clear a fixed mail password for the selected user. This password is required to access the POP3, IMAP4 and Webmail server on SX-GATE. Also SX-GATE's mail relay server uses this password for SMTP-Auth.
  • Page 111: 2-D Mail Forwarding

    A SPAM mail is an unsolicited email, usually with dubious origin. The SPAM mail filter of SX-GATE classifies emails by identifying typical phrases and other attributes indicating an unsolicited email. SX-GATE contains a database of checks to perform and all matches result in a score which in turn allows filtering emails.
  • Page 112 "******* SPAM *******" and the SPAM score. Deliver tagged emails to As an option SX-GATE can deliver tagged SPAM mails into a separate SPAM folder. This folder is accessible with SX-GATE's web mailer or via IMAP (folder Mail/SPAM).
  • Page 113: 2-F SPAM Scores

    To avoid loss of important emails you should be very careful when activating this option. You should select a value which is rather too high than too low. Please note that automatically deleting email may be subject to legal constraints or might even be prohibited by law.
  • Page 114: 2-G SPAM Lists

    Search patterns ("matches") are case-insensitive. Some characters have a special meaning: * (Asterisk) It represents a sequence of arbitrary characters. The sequence may also be missing. As searching for such a sequence of any length is rather time-consuming, an asterisk matches no more than 30 characters. The pattern "a*d" will match e.g. "ad", "a_d"...
  • Page 115: 2-H Vacation

    list. The SPAM filter will add 100 points to the SPAM score of a mail, if the sender is found in this list. Thus all future emails of senders listed here will always be recognised as SPAM. The menu "Modules > Mail Server > SMTP settings" allows you to block incoming mails from certain sources for all users.
  • Page 116: 2-I Mail Folders

    At "Modules > Web proxy > Settings" you can activate user limits for Internet access via proxy. The actual per user limits will be defined on this screen. To be able to use this feature the SX-GATE configuration must comply with some conditions. You will find further information in the documentation of respective proxy settings.
  • Page 117: 2-K SOCKS Proxy

    SOCKS proxy. Some programs even provide builtin SOCKS support. For protocols like e.g. HTTP, HTTPS and FTP SX-GATE offers dedicated proxy services. SOCKS should not be used for these protocols. Specialized proxies provide more features and better protocol support than a generic proxy.
  • Page 118: 2-L SSH TCP Forwarding

    In return an SSH forwarding is easier to configure and maintain. The corresponding SX-GATE SSH server is available on port 2222. A separate firewall rule might be necessary for the remote access over the internet. Use the predefined protocol "SSH-FWD".
  • Page 119 This limitation may be dropped in future SX-GATE releases. Customize SX-GATE RDP USB stick With the SX-GATE RDP USB stick it's easy to connect with an internal RDP server in a secure way. Only connections with protocol "RDP" are considered when configuring the stick.
  • Page 120: 2-M RAS Settings

    The WoL packet is sent on interface eth0. Assigned IP address All of SX-GATE's RAS services which require the client to authenticate will assign an IP address to the client. You can select among two options. Either an interface specific but user independent IP is assigned or a user will be assigned his own dedicated IP address.
  • Page 121 RAS interfaces will be ignored for this user. L2TP/IPSec VPN Use this control to determine if the currently selected user is accepted by SX-GATE's L2TP server and which IP is assigned. The maximum number of concurrent L2TP connections results from the number of IP addresses configured below "Modules >...
  • Page 122: 2-N Docklets

    12.3.2-N Docklets Activate the switches below to grant access to the various status and information windows usually displayed on the homepage. These settings are only available for members of group "system-mail". 12.3.2-O Menu Statistics Activate the switches below to grant access to the corresponding item from the "Statistics"...
  • Page 123: 2-R Menu System

    12.3.2-U User details The values on this tab are mostly exploratory. For users with a local mailbox (members of group "system-mail") the details will be available as address book in SX-GATE's web mailer and via LDAP. User's primary mail address Specify the user's main address.
  • Page 124: Groups

    12.3.3 Groups A mail distributor is automatically created for each group by the same name. Therefore you can for example set up a group "info". All members of this group will then receive a copy of emails addressed to this group. Users who are not member of the "system-mail"...
  • Page 125 SMTP-Auth accepted SX-GATE's mail server can be configured to relay mails to external recipients only for specific users. SX-GATE will accept logins only of those users, who are member of a group with this option enabled. Only members of group "system-mail" actually have the necessary account to log in.
  • Page 126 12.3.3-C Usage This table shows in which settings the definition is used. 12.3.3 Groups...
  • Page 127: Certificates

    There's no pre-installed default CA certificate. On a new SX-GATE you have to create one first. The CA certificate is used to sign all certificates issued by SX-GATE. As it is the root of the certificate trust chain any certificate based authentication relies on it. Therefore the CA certificate is protected by a password which has to be entered for any operation which involves the CA certificate.
  • Page 128 Backup CA key-pair The key pair of the SX-GATE CA can be exported in PKCS#12 format to save a backup. Please note that this export also contains the private key which must remain completely secret.
  • Page 129 Don't forget to install the new revocation list on all relevant systems. At the end of the CRL update process you can continue installing the new CRL in SX-GATE's VPN server. Updating the VPN server CRL is also possible in menu "Modules > Network >...
  • Page 130 Here you can download the CA certificate's public key. It should be installed in all browser clients. Backup proxy key-pair The key pair of SX-GATE's proxy CA can be exported in PKCS#12 format to save a backup. Please note that this export also contains the private key which must remain completely secret.
  • Page 131: Certificates

    CA, using the SX-GATE CA is sufficient for certificates used by closed user groups. In the first place, the SX-GATE CA is used to issue certificates for VPN. The VPN server of SX-GATE requires a certificate of its own, too. Select the predefined entry "VPN" to issue the certificate for SX-GATE's VPN server.
  • Page 132 Issue new certificate With this function you can issue or renew the certificate. The new certificate will be signed by the SX-GATE CA and is valid for one year. You should renew a certificate only right before it expires. Otherwise it will not be possible to include the old certificate in the certificate revocation list.
  • Page 133 Windows IPSec-L2TP parameters Internet IP or servername of SX-GATE Please enter the DNS name or IP address the client will use to connect with SX-GATE. Allow direct Internet access If this option is disabled, there will be no direct Internet access for the client as soon as the VPN connection is established.
  • Page 134 Windows OpenVPN parameters Internet IP or servername of SX-GATE Please enter the DNS name or IP address the client will use to connect with SX-GATE. OpenVPN server interface Please select the OpenVPN server interface the client is going to connect with. Settings like protocol, port number and encryption parameters in the client configuration will be set accordingly.
  • Page 135 Setup for remote SX-GATE Setup package for remote SX-GATE This tar archive is intended to simplify the configuration of a VPN to another SX-GATE. The archive consists of a PKCS#12 file with the private key, its corresponding certificate and the CA certificate. Also a config file with appropriate settings is included. Import this file on the remote SX-GATE.
  • Page 136 Issue local VPN server certificate With this function you can issue or renew the certificate of SX-GATE's own VPN server. The new certificate will be signed by the SX-GATE CA and is valid for up to 6 years. Issue new VPN server certificate On this screen you have to enter the certificate subject.
  • Page 137 Depending on the client and its configuration, a client may refuse to connect if the server certificate does not include this attribute. Signing certificate Entering this screen, the certificate will be signed. By pressing the "Finish" button, the new VPN server key will be installed. 12.4.2 Certificates...
  • Page 138: Backup

    You must upload unmodified .rbu files only. Some archivers will allow you to modify the contents of an archive. Saving the changes will damage the backup file. SX-GATE will refuse to accept it. The mail backup file contains an .rbu file for each user. Upload the respective file to restore the mail data of one specific user.
  • Page 139 IMAP program and the backup functions of the webmail client respectively. SX-GATE will restore a user's files only if all of the following conditions apply: • The user exists on SX-GATE •...
  • Page 140: B System Backup

    The password of the administrator will be reset to the default password. Show all configuration settings Press this button to show you all system- and user-settings of SX-GATE. A new browser window with a raw list of all settings will open. Please note that this is not a backup of your system.
  • Page 141 Login Enter the user name SX-GATE has to use to authenticate itself. When storing the backup on a Windows network share you will usually have to specify the Windows domain name along with the user name. Please use the syntax "Domain/Username". Do not enter a backslash ("\") as you would in Windows.
  • Page 142: C User Backup

    SSH RSA key. Please configure the SSH server accordingly. Login Enter the user name SX-GATE has to use to authenticate itself. When storing the backup on a Windows network share you will usually have to specify the Windows domain name along with the user name.
  • Page 143: D Mail Backup

    On this screen you can configure the backup of the inbox and home directories of all users. In the home directory the IMAP and webmail folders will be stored. Also the settings, address books, calendar entries and filter settings of the SX-GATE webmail client are kept in there.
  • Page 144 Login Enter the user name SX-GATE has to use to authenticate itself. When storing the backup on a Windows network share you will usually have to specify the Windows domain name along with the user name.
  • Page 145: E CA Keys

    The filename can include variables, so previously created backup files will not be overwritten. The following variables are available: • %Y: 4 figure year (e.g. 2001) • %y: 2 figure year (e.g. 01) • %m: Month (from 01 to 12) •...
  • Page 146: F Server Keys

    Backups of CA keys made on this screen must be restored in menu "System > Certificates > Root CA". Backup CA key-pair The key pair of the SX-GATE CA can be exported in PKCS#12 format to save a backup. Please note that this export also contains the private key which must remain completely secret.
  • Page 147 Backup mail server key-pair The key pair can be exported in PKCS#12 format to save a backup. Please note that this export also contains the private key which must be kept secret. There's no way to restore a purchased certificate without backup.
  • Page 148: Update

    Please be sure to read the README file instructions on the respective update. After each update, your version of SX-GATE should display a new value. If this isn't the case, please consult technical support. If an automatic update has been planned, you will see a corresponding message on this page.
  • Page 149 Enter in the day and time when the update should be started. At the specified point in time, SX-GATE will download and install all available updates one by one. If the time you entered has already passed, the update will be started tomorrow at the given time.
  • Page 150 Confirm update Press "Finish" to complete the update procedure. Select file Please select a valid update file for your SX-GATE. 12.6 Installed release...
  • Page 151: Shutdown / Reboot

    12.7 Shutdown / Reboot Please choose If you have to restart or switch off SX-GATE, please select the respective option. reboot SX-GATE This option will re-start the system. Confirm by clicking on "Finish" . It may take up to 5 minutes before SX-GATE is in operation again.
  • Page 152: Licence

    Licence Licence key Here you can find the licence key of your SX-GATE. Among others this key controls the number of users and the available options. If for instance you purchase additional users, you will receive a new licence key which must be entered here.
  • Page 153: Wizards

    DNS on a workstation if these services are sufficient. However be aware that you cannot use the hostname of SX-GATE if you want to address it from a workstation without appropriate DNS setup. You have to address SX-GATE by its IP instead.
  • Page 154 "https://gateway.example.com" - presumed the DNS of the workstation is configured accordingly. Hostname of SX-GATE Enter the hostname of SX-GATE here. It may contain only the letters "a" through "z", digits and dashes. Domain Insert the domainname for SX-GATE here. If your company already reserved or connected an Internet domain you should use this one.
  • Page 155 In contrast to a primary DHCP server, SX-GATE as secondary will not reply immediately when a device asks for an IP address. SX-GATE will only reply when a few seconds have passed and the device continues to demand the IP address. In this case SX-GATE assumes that the primary DHCP server is not available and will thus assign an IP address.
  • Page 156 IP network. Save the changes Yet no changes have been made to the system configuration of SX-GATE. Press "Finish" to apply the changes you made or "Cancel" to dismiss them. If you altered the IP address of SX-GATE, it will no longer respond to the old address after you pressed the "Finish"...
  • Page 157: Internet Access

    Number (MSN) on this page. These settings depend on your local telephone network. If in doubt please check the documentation you received from your telephone company. If SX-GATE is connected to a private branch exchange (PBX) please take a look at its documentation or ask the person who's in charge of the PBX.
  • Page 158 ISDN protocol First of all, select the appropriate D channel protocol. If the SX-GATE ISDN card is connected directly to a socket of your telephone company then all over Europe you will most likely have to select the Euro-ISDN protocol.
  • Page 159 Login Please insert the username (login) required for the dial-in connection to your provider here. If you received different credentials (e.g. also for email and webhosting), please supply the credentials for ISDN dial-up (possibly labelled PPP, PAP or CHAP). Please read on at Use proxy server of ISP Credentials Please insert username (login) and password required for the dial-in connection to your...
  • Page 160 This network card may not be used for any other purpose. Link the Ethernet port of the external router directly with SX-GATE by using a crossover cable. Alternatively, you can connect SX-GATE and the router via a separate hub or switch.
  • Page 161 (broadcast address) ends with an odd number. Please check if the address range the provider gave you includes these reserved addresses or not. Of course you may not assign the same IP address to SX-GATE which is used by the router.
  • Page 162 Use the proxy server of your ISP The web proxy of SX-GATE can forward requests to a proxy server that is available from your provider. If your provider does not have a proxy server, or you do not want to use this one, the web proxy of SX-GATE will always connect directly to the requested destination address.
  • Page 163 If your provider operates a firewall which does not allow direct communication with the Internet, it may be necessary to handle all requests using their proxy server. Please activate the option in this case. Otherwise SX-GATE assumes a caching proxy used to speed up the Internet connection.
  • Page 164 This implies that only the direct communication partner (SX-GATE in this case) will authenticate at the relay server. For this reason, SX-GATE will always use the same login and password with SMTP-Auth. It is not possible to use different credentials depending on the actual sender of the email.
  • Page 165 SMTP-Auth password Enter the SMTP-Auth password here. Save the changes Yet no changes have been made to the system configuration of SX-GATE. Press "Finish" to apply the changes you made or "Cancel" to dismiss them. 13.2 Internet access...
  • Page 166: Proxy Configuration

    "8080". Use these values for all protocols except "SOCKS". At least for the administrator's PC it is advisable to connect to the SX-GATE administration directly and not via proxy. So please add SX-GATE's IP to the proxy bypass list. Centralized browser configuration In both, the browser's proxy settings and the Active Directory group policies, you can enter the address of a proxy autoconf file.
  • Page 167 DNS entries in its name server and instruct the intranet web server to redirect requests for "wpad.dat" to "http://<SX-GATE's LAN-IP>:8000/proxy.pac" . This is a predefined config file which instructs the browsers to use SX-GATE as web proxy. If the workstations are in different subdomains (e.g.
  • Page 168 HTTP, HTTPS, Gopher and WAIS, the proxy also supports browser access to FTP servers. The web proxy can not be used by true FTP clients. For these, SX-GATE provides an FTP proxy which can be enabled later on in this wizard.
  • Page 169 In the network configuration of the respective workstation SX-GATE has to be configured as default gateway. Otherwise transparent access will not work. Usually DNS is required, too. The transparent FTP proxy has to be enabled later on in this wizard if FTP access is required.
  • Page 170 Please enter the login name of a Windows administrator. If you have already created a machine trust account for SX-GATE it is not necessary to provide the credentials again. Leave the field blank. On the next screen SX-GATE will check if the account is still valid. Web proxy filters...
  • Page 171 Use SX-GATE's web proxy on port 8080 for non-transparent browser access to web servers. In the settings of the FTP client, SX-GATE has to be configured as proxy with port 2121. Common names for the proxy type to select are "USER with no login" or "USER user@host:port".
  • Page 172 To scan for viruses in files downloaded via the FTP proxy, this option has to be enabled. This option is without effect if no functional virus scanner is installed on SX-GATE. The virusscanner licenses are not included with SX-GATE and must be purchased separately.
  • Page 173 Specify the account and the server in the respective input fields and click "Add". The created rule will look like e.g. "webmaster@www.example.com". Save the changes Yet no changes have been made to the system configuration of SX-GATE. Press "Finish" to apply the changes you made or "Cancel" to dismiss them. 13.3 Proxy configuration...
  • Page 174: Email Configuration

    Configuration of the email services Which service do you want to configure? To configure all important aspects of the SX-GATE mail system you should begin with the option "local and internal domains". At the end of this topic you will have the possibility to continue with the other options.
  • Page 175 Domain type Deliver mail to Select "to SX-GATE mailbox" if you want SX-GATE to be your local mail-server. Emails to all the domains that you can specify later in this wizard will then be delivered to mailboxes on SX-GATE. Users can access their emails using the SX-GATE webmail client or with any mail client supporting the POP3 or the IMAP4 protocol.
  • Page 176 With this control you can assign members to SX-GATE's "system-mail" group. For each member, an email account is available on SX-GATE, which consists of a mailbox and an associated mail address. Users can access their mails with POP3, IMAP4 or with the SX-GATE webmail client.
  • Page 177 SMTP This is the most simple approach which works with almost all mail servers. For each inbound mail SX-GATE opens an SMTP connection to the internal mail server and The received sender and recipient addresses are forwarded to it.
  • Page 178 Usually this is the IP of the domain controller. LDAP searchbase Specify the LDAP path used by SX-GATE when binding to the Active Directory. All relevant users and groups must be situated below this path in the LDAP hierarchy. simplest...
  • Page 179 SPAM filter in relay mode. In this mode it examines every inbound email while passing the SX-GATE mail server. It is not possible to assign different thresholds to different users, as the mail users are not defined on SX-GATE but on the internal mail server.
  • Page 180 SPAM will be sent to this address. Refuse to accept mails when score exceeds Exceeding this threshold, SX-GATE's mail server will refuse to accept the email. The sending system is in charge of a proper reaction like e.g. notifying the sender or an administrator.
  • Page 181 SPAM filter settings In addition to the builtin rules database the SX-GATE SPAM filter can query several Internet realtime lists. These have a notable impact on the detection ratio. The settings on this screen apply to the global relay SPAM filter as well as to the users' personal SPAM filter.
  • Page 182 Bayes filter is taken into account. Activate virus scanner Virusscan all emails Activate this option to check every email passing the SX-GATE mail server for viruses. This applies to both incoming and outgoing emails. 13.4 Email configuration...
  • Page 183 Activate attachment filter Attachment filter Email attachments can be filtered by SX-GATE based on the filename extension. We recommend enabling the attachment filter as it can enhance the virus protection, even if you are already using virusscanners. Usually a virusscanner can detect a virus only if its signature is already known.
  • Page 184 The common way to retrieve incoming emails is by collecting them from a POP server. If SX-GATE is connected to the Internet using a dial-up line with fixed IP address, the ETRN protocol might be used as well. On a leased line and maybe also on an ISDN dial-up line with fixed IP and callback, SX-GATE can be addressed anytime by any mail server in the Internet.
  • Page 185 If DNS lists the Internet IP address of SX-GATE as Mail-Exchanger for your domain, any mail server in the Internet will send email for your domain directly to SX-GATE. Hence you should choose "* (any)" as "Internet source IP" and add the firewall rule.
  • Page 186 IMAP may be used instead of POP3 if the POP server uses very short connection idle timeouts. ETRN is a command of the ESMTP protocol. It might be used if SX-GATE is connected to the Internet with a dial-up line using a fixed IP address. The mail server of the provider tries to forward incoming emails directly to this fixed IP address.
  • Page 187 Configure multi-drop mailbox The disadvantage of single-drop mailboxes is the double administration expense of the accounts. These must be created locally on SX-GATE as well as with the provider. Multi-drop mailboxes might simplify administration. Most providers support POP3 multi-drop accounts. In a multi-drop mailbox emails addressed to a whole domain (or even multiple domains) are collected.
  • Page 188 Multi-drop domains To deduce the recipient search in email for these domains To reconstruct the original recipient of an email, SX-GATE has to know what the relevant addresses look like. Therefore SX-GATE searches in certain email headers for email addresses ending with one of the domains entered here. The domain part of a matching email address will be replaced by the target domain specified along with the mailbox.
  • Page 189 ETRN domains Call ETRN for the following domains SX-GATE will submit an ETRN call for every domain listed here. The mail server of the provider will then retry the delivery of queued emails for these domains. Please read on at...
  • Page 190: L2TP IPSec VPN

    Recapitulating, when an L2TP client communicates with a device inside the LAN, between the client and SX-GATE the payload is embedded in L2TP which in turn is embedded in IPSec packets. Any routers in-between will only "see" the IPSec VPN.
  • Page 191 CA is used. If needed, the SX-GATE CA and the key for SX-GATE's VPN server will be initialized, first. Please read on at Issue new VPN server certificate Please read on at Trusted VPN CA Please read on at Client compatibility Issue new VPN server certificate On this screen you have to enter the certificate subject.
  • Page 192 Certificate Authority (CA). Currently the trusted CA is not SX-GATE's builtin CA. This is perfectly all right if an external CA issues certificates for you. Otherwise you have the possibility to replace it by SX-GATE's CA.
  • Page 193 L2TP IP addresses IP addresses assigned to L2TP clients Insert the IP addresses which SX-GATE will assign to the peers. The IPs must not be in use elsewhere. If possible, you should enter IPs from the network the L2TP client wants to connect with.
  • Page 194 When connecting to the L2TP server, the clients have to authenticate themselves with login and password. Only members of the SX-GATE group "system-ras" are able to do so. This control shows you to which users this right has been granted and which users are not able to connect.
  • Page 195: Support Access

    Via Internet (incoming) With this option the wizard will help you to modify the firewall policy of SX-GATE so that technical support can connect via Internet using Secure Shell. Furthermore the wizard allows you to disable or delete the relevant firewall rules.
  • Page 196 Number (MSN) on this page. These settings depend on your local telephone network. If in doubt please check the documentation you received from your telephone company. If SX-GATE is connected to a private branch exchange (PBX) please take a look at its documentation or ask the person who's in charge of the PBX.
  • Page 197 "0". This call prefix might be necessary when SX-GATE is connected to a PBX. If you know for sure whether you need to dial the prefix "0" or not, you should delete the improper entry.
  • Page 198 Connect Please select Technical support will give you the name of their server system. As soon as SX-GATE connects to this server, technical support can connect back to SX-GATE. If you close the connections all active sessions will be terminated and technical support will no longer be able to establish a new connection.
  • Page 199: Modules

    Select this option if SX-GATE should advertise itself as an IPv6 router in your network. Host mode If SX-GATE is used as e.g. proxy or mail relay server in a DMZ, this option should be used. Default route using interface Here you can specify which interface is used to connect to the Internet.
  • Page 200 SX-GATE waits until the ISDN line is hung up. To encourage a hangup, the interface's idle timeout is lowered to a minimum. Use the option "Fallback timeout" as a limit to avoid high costs. As soon as the line is hung up or the timeout has expired, SX-GATE switches the connection back.
  • Page 201 ISDN ISDN protocol Here you can select the appropriate ISDN D channel protocol. If the SX-GATE ISDN card is connected directly to a socket of your telephone company then all over Europe you will most likely have to select the Euro-ISDN protocol. Usually the same applies if SX-GATE is connected to a PBX.
  • Page 202 Both, IPSec and OpenVPN based VPNs use this certificate. This certificate is not part of the SX-GATE backups as it has to be kept secret. Use the export feature to backup the certificate. To specify the certificate you can either generate it yourself at "System > Certificates >...
  • Page 203 Issue or import VPN server key-pair To specify a new certificate for the SX-GATE VPN server, you can import it here from a PKCS#12 file or issue a new one by the local SX-GATE CA. If another SX-GATE issued the certificate you might have received a setup archive.
  • Page 204 Issue local VPN server certificate With this function you can issue or renew the certificate of SX-GATE's own VPN server. The new certificate will be signed by the SX-GATE CA and is valid for up to 6 years. Issue new VPN server certificate On this screen you have to enter the certificate subject.
  • Page 205 Certificate based authentication usually implies checking if the presented certificate has been issued by a trusted certification authority (Root-CA). Here you can specify the CA trusted by SX-GATE's VPN server. You can use the local SX-GATE CA or upload the public key of a CA.
  • Page 206 Here you can specify, which CA will be the trusted CA for the SX-GATE VPN server. You can copy the public key of the local SX-GATE CA, import the public key of a CA in PEM format or extract it from a PKCS#12 file.
  • Page 207: Interfaces

    Interface type To create a new interface, please select the type of interface first. Ethernet (eth) The Ethernet adapters of SX-GATE are numbered consecutively starting with 0. Thus the interface eth2 refers to the third Ethernet adapter. VLAN 802.1Q (vlan) VLAN interfaces are logical network interfaces, which tag frames according to the IEEE 802.1Q standard.
  • Page 208 Ethernet adapter you want to use. OpenVPN Client (ovpnc) This interface type is required if SX-GATE is to connect to an OpenVPN server. Each interface can handle only one connection. Create multiple interfaces if you need to connect to multiple servers.
  • Page 209: Ethernet (eth)

    So this setting is not available for eth0. automatic IP (DHCP) For example if a cable modem is used to connect SX-GATE with the Internet, the IP address might be assigned dynamically by DHCP. Select the corresponding option in this case.
  • Page 210: 1-A IP Addresses

    IP address here. In "Modules > Network > Settings" you can select which interface is to be used to connect to the Internet. Selecting this interface, SX-GATE will set up a default route via the gateway specified here.
  • Page 211 Enable this option to ask your provider for an additional IPv6 network prefix, which is then made available for internal networks by SX-GATE. As soon as SX-GATE receives such a prefix, an entry is created in menu "Definitions > IP objects" which will be named after the interface (e.g. "ipv6_prefix_eth1" for "eth1").
  • Page 212: 1-B Routing

    Specify the network address and the netmask of this remote network - this will automatically instruct the SX-GATE firewall to accept the network on this interface. Enter the IP address of the router as gateway.
  • Page 213: 1-C IPv6 Router Advertisement

    Add IPv6 prefixes clients may use for stateless automatic address configuration. The prefix may be based on a dynamic prefix SX-GATE requested from your provider. Therefore you can also select from the list of prefixes defined in menu "Definitions > IP objects"...
  • Page 214: 1-D Bandwidth Management / QoS

    DHCPv6 This setting tells devices whether a DHCPv6 server is available or not. no IP assignment, other information only (O flag) Select this option if DHCP is used to provide information like the DNS server IPs only. yes (M flag and O flag) To use DHCPv6 to assign IPv6 addresses to devices, you must select this option.
  • Page 215 Quality of Service (QoS) for Voice over IP (VoIP) For VoIP the latency time, i.e. the time it takes for a voice packet to travel from sender to recipient, is very important. Hence SX-GATE's traffic shaper optimizes delivery of VoIP data packets with a special quality-of-service module.
  • Page 216 Codec max. bandwidth (bit/s) G.722.1 32000 G.723.1 6400 G.726 40000 G.728 16000 G.729 8000 13000 iLBC 15200 Max. number of concurrent calls Enter the expected maximum number of simultaneous calls on this interface. It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic. The value "0"...
  • Page 217: 1-E Priorities

    The total bandwidth of the link must not be exceeded. Bitrate of the codec used in IPSec Enter the net bandwidth of the codec to be used. Take the codec with the largest bandwidth if different codecs are in use. When calculating the total required bandwidth the system will automatically take the IP and the IPSec overhead into account.
  • Page 218: 1-F Dynamic DNS

    With dynamic DNS it is possible to address a device which is connected to the Internet with a dynamic IP address. Using this feature with SX-GATE, you can get access to the services offered by SX-GATE despite its dynamic IP address.
  • Page 219 Dynamic DNS hostname of SX-GATE Usually the providers allow you to manage multiple dynamic DNS names with a single user account. Therefore you have to supply SX-GATE's complete dynamic DNS name here (including the domain). Login No dynamic DNS updates without authentication. Please enter the login for the corresponding account here.
  • Page 220: 1-G Packet Monitor

    14.1.2.1-G Packet monitor Local networks Some IDS rules distinguish between internal and external IP addresses. Here you configure which addresses are considered to be internal. 14.1.2.1-H Server addresses Some IDS rules are tailor-made for specific server protocols. Enter the IP addresses of systems offering the respective services.
  • Page 221: 1-J Ethernet

    Non-business activities Logs activities which are usually not related to normal business operations. This includes e.g. online games, chat and the use of peer-to-peer software. Access from specific networks This switch enables a list of IP addresses which belong to dubious organizations or the Tor anonymization network.
  • Page 222: VLAN 802.1Q (vlan)

    14.1.2.2-A IP addresses IPv4 address Specify the IPv4 address that the corresponding SX-GATE interface should use as its own address. The IP address assigned here may not be part of an IP subnet which has already been assigned to another Ethernet or VLAN interface.
  • Page 223 IP subnet as the primary address. This is useful for example to bind multiple Internet IP addresses to SX-GATE and then use firewall rules to redirect connections to different internal addresses. However you may also add addresses of different networks if multiple IP subnets share the same physical Ethernet.
  • Page 224: 2-B Routing

    Enable this option to ask your provider for an additional IPv6 network prefix, which is then made available for internal networks by SX-GATE. As soon as SX-GATE receives such a prefix, an entry is created in menu "Definitions > IP objects" which will be named after the interface (e.g. "ipv6_prefix_eth1" for "eth1").
  • Page 225: 2-C IPv6 Router Advertisement

    Add IPv6 prefixes clients may use for stateless automatic address configuration. The prefix may be based on a dynamic prefix SX-GATE requested from your provider. Therefore you can also select from the list of prefixes defined in menu "Definitions > IP...
  • Page 226: 2-D Bandwidth Management / QoS

    In said menu you can also add entries of type "IPv6 prefix" yourself to e.g. subdivide the prefix SX-GATE received. DHCPv6 This setting tells devices whether a DHCPv6 server is available or not. no IP assignment, other information only (O flag) Select this option if DHCP is used to provide information like the DNS server IPs only.
  • Page 227 Quality of Service (QoS) for Voice over IP (VoIP) For VoIP the latency time, i.e. the time it takes for a voice packet to travel from sender to recipient, is very important. Hence SX-GATE's traffic shaper optimizes delivery of VoIP data packets with a special quality-of-service module.
  • Page 228 Codec max. bandwidth (bit/s) G.722.1 32000 G.723.1 6400 G.726 40000 G.728 16000 G.729 8000 13000 iLBC 15200 Max. number of concurrent calls Enter the expected maximum number of simultaneous calls on this interface. It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic. The value "0"...
  • Page 229: 2-E Priorities

    The total bandwidth of the link must not be exceeded. Bitrate of the codec used in IPSec Enter the net bandwidth of the codec to be used. Take the codec with the largest bandwidth if different codecs are in use. When calculating the total required bandwidth the system will automatically take the IP and the IPSec overhead into account.
  • Page 230: 2-F Info

    IPs usually requires two rules to catch both, in- and outbound packets: For inbound packets you would enter a SX-GATE IP, for outbound packets the internal IP (of the LAN client or the server addressed with DNAT).
  • Page 231: ISDN SyncPPP (ippp)

    Type of line With this control you enable leased line capabilities for the selected interface. To connect an ISDN leased line to SX-GATE, a dedicated ISDN card is required. First of all the D channel protocol must have been assigned correctly, to determine which ISDN card is used for the leased line.
  • Page 232 This option is intended for special cases and should only be used upon consultation of technical support. Login Insert the login here that SX-GATE uses to sign on to the peer. Leave this field blank if authentication is not required or if SX-GATE requires the peer to authenticate. Password Enter the password here that is used when the peer asks SX-GATE to authenticate with PAP or CHAP.
  • Page 233: 3-B ISDN Parameters

    Depending on the type of dial-up connection, either the peer may decide itself which IP address to use or SX-GATE assigns a specific IP address to the peer. On a dial-in interface (RAS) it is crucial to assign a specific IP address to the peer to prevent manipulation and misuse.
  • Page 234: 3-C Incoming Calls

    "Numbers to dial". peer calls back Selecting this option, SX-GATE will expect a callback when an outgoing call was not accepted by the peer. The callback must call the correct local MSN and has to be accepted by the settings of the caller identification.
  • Page 235: 3-D Idle Hangup

    14.1.2.3-E Limits If SX-GATE is connected to the Internet with an ISDN-PPP dial-up line you can define upper limits for the online time and the number of connections. These settings apply to SX-GATE's current default route interface.
  • Page 236 If the Internet connection is charged depending on the time spent online or the number of connections, in your own self-interest you should define reasonable limits here. This is the only way to protect yourself from high costs caused e.g. by a misconfigured system or application.
  • Page 237: 3-F Channel Bundling

    (policy based routing). Static routes must be added for networks behind the peer. Specify the network address and the netmask of this remote network - this will automatically instruct the SX-GATE firewall to accept the network on this interface.
  • Page 238: 3-H Bandwidth Management / QoS

    The evaluation order is not based on the order in the list. The priority depends on how specific a rule is, taking in account the rules configured across all devices. Routes with all three parameters defined (i.e. protocol, source and destination) will be considered first.
  • Page 239 Quality of Service (QoS) for Voice over IP (VoIP) For VoIP the latency time, i.e. the time it takes for a voice packet to travel from sender to recipient, is very important. Hence SX-GATE's traffic shaper optimizes delivery of VoIP data packets with a special quality-of-service module.
  • Page 240: 3-I Priorities

    Bitrate of the codec used Enter the net bandwidth of the codec to be used. Take the codec with the largest bandwidth if different codecs are in use. When calculating the total required bandwidth the system will automatically take the IP overhead into account. Lower bandwidth consumption causes more overhead.
  • Page 241 IPs usually requires two rules to catch both, in- and outbound packets: For inbound packets you would enter a SX-GATE IP, for outbound packets the internal IP (of the LAN client or the server addressed with DNAT).
  • Page 242: 3-J Dynamic DNS

    With dynamic DNS it is possible to address a device which is connected to the Internet with a dynamic IP address. Using this feature with SX-GATE, you can get access to the services offered by SX-GATE despite its dynamic IP address.
  • Page 243: ISDN HDLC-RawIP (isdn)

    Dynamic DNS hostname of SX-GATE Usually the providers allow you to manage multiple dynamic DNS names with a single user account. Therefore you have to supply SX-GATE's complete dynamic DNS name here (including the domain). Login No dynamic DNS updates without authentication. Please enter the login for the corresponding account here.
  • Page 244: 4-A Connection

    If this option is inactive, incoming and outgoing calls will be prevented using this interface. Local IP address Here you have to specify the IP address used by SX-GATE on this interface. The IP address of the support interface isdn0 is assigned by the license key. Remote IP address Here you have to specify the peer's IP address.
  • Page 245: 4-C Incoming Calls

    "Numbers to dial". peer calls back Selecting this option, SX-GATE will expect a callback when an outgoing call was not accepted by the peer. The callback must call the correct local MSN and has to be accepted by the settings of the caller identification.
  • Page 246: 4-D Idle Hangup

    Do not hangup idle incoming calls Activating this feature is particularly useful for RAS dial-in connections. SX-GATE will not disconnect the line if no data is being transferred during incoming calls (when the caller is paying the fees).
  • Page 247: 4-E Channel Bundling

    (policy based routing). Static routes must be added for networks behind the peer. Specify the network address and the netmask of this remote network - this will automatically instruct the SX-GATE firewall to accept the network on this interface.
  • Page 248 Quality of Service (QoS) for Voice over IP (VoIP) For VoIP the latency time, i.e. the time it takes for a voice packet to travel from sender to recipient, is very important. Hence SX-GATE's traffic shaper optimizes delivery of VoIP data packets with a special quality-of-service module.
  • Page 249 shows the net bandwidth required by commonly used codecs. Some codecs are used at different bandwidths. In this case the maximum bandwidth is given. Codec max. bandwidth (bit/s) G.711 64000 G.722 64000 G.722.1 32000 G.723.1 6400 G.726 40000 G.728 16000 G.729 8000 13000...
  • Page 250: 4-H Priorities

    Max. number of calls via IPSec Enter the expected maximum number of simultaneous calls over VPN on this interface. It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic. The value "0" will disable this feature. When enabled, VoIP data packets will be expedited.
  • Page 251: 4-I Info

    IPs usually requires two rules to catch both, in- and outbound packets: For inbound packets you would enter a SX-GATE IP, for outbound packets the internal IP (of the LAN client or the server addressed with DNAT).
  • Page 252: ADSL/UMTS (adsl)

    If this option is selected, all IPv6 parameters have to be configured manually. Router advertisements will be ignored. automatic IP (SLAAC/DHCPv6) Choose this option and SX-GATE will automatically determine its IPv6 configuration based on the router advertisements it receives. 14.1.2.5 ADSL/UMTS (adsl)
  • Page 253: 5-A Connection

    Connection type Please select the correct ADSL type here. ADSL/PPPoE Connect SX-GATE to a DSL router in bridge mode or a DSL modem if the DSL line is using PPP-over-Ethernet (PPPoE). ADSL/PPTP A DSL modem with integrated PPtP-to-PPPoA Relay is required to connect SX-GATE with a PPP-over-ATM (PPPoA) line.
  • Page 254 Modem IP This setting is only required for PPPoA connections. SX-GATE opens a PPtP connection to the address you fill in here. The default IP of many modems is 10.0.0.138. In addition to the adsl interface there must be an eth interface with an IP address in the same subnet as the modem.
  • Page 255: 5-B IP Addresses

    Enable this option to ask your provider for an additional IPv6 network prefix, which is then made available for internal networks by SX-GATE. As soon as SX-GATE receives such a prefix, an entry is created in menu "Definitions > IP objects" which will be named after the interface (e.g. "ipv6_prefix_adsl0" for "adsl0").
  • Page 256: 5-C Routing

    (policy based routing). Static routes must be added for networks behind the peer. Specify the network address and the netmask of this remote network - this will automatically instruct the SX-GATE firewall to accept the network on this interface.
  • Page 257 Quality of Service (QoS) for Voice over IP (VoIP) For VoIP the latency time, i.e. the time it takes for a voice packet to travel from sender to recipient, is very important. Hence SX-GATE's traffic shaper optimizes delivery of VoIP data packets with a special quality-of-service module.
  • Page 258 Codec max. bandwidth (bit/s) 13000 iLBC 15200 Max. number of concurrent calls Enter the expected maximum number of simultaneous calls on this interface. It is used to calculate the overall bandwidth that needs to be reserved for VoIP traffic. The value "0"...
  • Page 259: 5-E Priorities

    When calculating the total required bandwidth the system will automatically take the IP and the IPSec overhead into account. Lower bandwidth consumption causes more overhead. 14.1.2.5-E Priorities Use this feature to determine the priority of outgoing data packets. A proportional minimum bandwidth is assigned to each priority class.
  • Page 260: 5-F Dynamic DNS

    With dynamic DNS it is possible to address a device which is connected to the Internet with a dynamic IP address. Using this feature with SX-GATE, you can get access to the services offered by SX-GATE despite its dynamic IP address.
  • Page 261 Dynamic DNS hostname of SX-GATE Usually the providers allow you to manage multiple dynamic DNS names with a single user account. Therefore you have to supply SX-GATE's complete dynamic DNS name here (including the domain). Login No dynamic DNS updates without authentication. Please enter the login for the corresponding account here.
  • Page 262: 5-G Limits

    14.1.2.5-G Limits If SX-GATE is connected to the Internet with an ADSL dial-up line you can define upper limits for the online time and the number of connections. These settings apply to SX-GATE's current default route interface. If the Internet connection is charged depending on the time spent online or the number of connections, in your own self-interest you should define reasonable limits here.
  • Page 263: 5-H Ethernet

    Reset totals The totals will be reset in the interval specified here. A stopped interface will not be restarted automatically when the totals are reset. Reset totals now You can reset the totals anytime by pressing this button. Also this command will not restart a disabled interface. You have to restart the corresponding service at "System >...
  • Page 264: L2TP

    GATE. Nevertheless it is also possible to connect to the L2TP server without using a VPN connection. Local IP address Specify the IP address used by SX-GATE on this interface. It suggests itself to use the LAN IP address here. Remote IP address Insert the IP addresses which SX-GATE will assign to the peers.
  • Page 265: OpenVPN Client (ovpnc)

    14.1.2.6-B Assign DNS server With this setting you will determine which name server the client will use. Secondary DNS If required, you can enter an additional name server here. WINS 1 Here you can specify the primary WINS server. WINS is required by Windows to resolve hostnames in multi-subnetted networks.
  • Page 266 If this option is selected, the connection will be established only if the server presents a certificate which contains an nsCertType attribute with a value of "server". Certificates issued by SX-GATE's CA don't contain this attribute, so don't choose this option if the server uses such a certificate.
  • Page 267 Certificate SX-GATE always uses certificates to authenticate OpenVPN connections. SX-GATE VPN certificate By default SX-GATE uses the certificates from menu "Modules > Network" on tabs "VPN Certificate" and "Trusted VPN CA" to authenticate a connection. Dedicated certificate This alternative setting allows you to import individual keying material for use in this OpenVPN connection only.
  • Page 268: OpenVPN Server (ovpns)

    Split key If "tls-auth" is used, an additional "direction" parameter may be given. 14.1.2.7-D Info Description This field serves for documentation only. 14.1.2.8 OpenVPN Server (ovpns) The configuration options in this menu are structured by topic. You can change between the different screens by clicking on the tabs at the top.
  • Page 269 When running multiple OpenVPN server interfaces, they must either differ by protocol or by port. IPv4 transfer network This parameter determines the IPv4 pool assigned to clients. The network you configure here must not be used otherwise. We recommend using a subnet from the networks reserved for private use according to RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Page 270 14.1.2.8-B Encryption Diffie Hellman Group The Diffie Hellman key exchange makes sure that an attacker is unable to decrypt previously recorded VPN traffic, even though he now possesses the private key. Hash algorithm Please select the hash algorithm used to authenticate the individual data packets (HMAC).
  • Page 271: OpenVPN Server (ovpns) - Per-Client Setup

    14.1.2.9 OpenVPN Server (ovpns) - Per-client setup A table gives you an overview of all available objects. If there are more than 10 entries, a navigation bar will appear below the right bottom hand corner of the table where you can page through the entries or open the table in fullscreen mode.
  • Page 272: IPSec VPN (ipsec)

    The IPv6 address may not be in use otherwise. In particular it must not be part of the address range which has been reserved for dynamically assigned transfer networks. The static IPv6 addresses of multiple clients in this OpenVPN interface may have the same network prefix.
  • Page 273 14.1.2.10-B Dynamic peer setup Common preshared key If there are connections to peers with a dynamic IP address, all connections authenticated by preshared key must use the same preshared key. So it is not possible to clearly identify the peer. Changing the preshared key requires making changes in the configuration of all peers.
  • Page 274 IPs usually requires two rules to catch both, in- and outbound packets: For inbound packets you would enter a SX-GATE IP, for outbound packets the internal IP (of the LAN client or the server addressed with DNAT).
  • Page 275: IPSec VPN (ipsec) - Connections

    External IP/network Viewed from the perspective of the selected interface, you can enter a remote address here. This corresponds to the destination IP of outbound packets and the source IP of inbound packets. Priority Select the priority for matching packets. 14.1.2.10-D Info Description...
  • Page 276: Connection With Server

    VPN tunnel will always be established between the client and SX-GATE itself. Furthermore it will transmit L2TP connections only. After decrypting the VPN packets the L2TP data stream will be forwarded to the L2TP server of SX-GATE. It authenticates the user and, if requested, assigns an individual IP to the client.
  • Page 277 Tunnel SX-GATE <-> remote server If you have specified local or remote networks, there will be no VPN connection between SX-GATE itself with its external IP and the peer itself with its external IP. Activate this option to add this connection.
  • Page 278: 11.1-B Authentication

    SX-GATE's VPN server certificate must have been issued by the same CA or otherwise authentication will fail. As the certificate of the peer itself is not installed on SX-GATE it can be renewed by the peer anytime without local changes. The only requirement is that the new certificate also has to be issued by the trusted CA.
  • Page 279 If necessary, a different IP can be specified. Also hostnames or email addresses can be used instead of IPs. Here you can modify the ID SX-GATE sends to the peer. Remote ID (with PSK) If a peer with static IP has been configured, its external IP is expected as ID. In case the peer uses a different IP (e.g.
  • Page 280: 11.1-C Phase 1

    Here you can specify the public key of the peer. If the peer's certificate was issued by the local SX-GATE CA, you can copy it from there. Otherwise you have to import the public key from a file in PEM format.
  • Page 281: 11.1-D Phase 2

    Dead Peer Detection With Dead Peer Detection (DPD) enabled, SX-GATE checks every 30 seconds whether the peer is still alive. The check is only performed when the link is idle. If there's no reply for 120 seconds, the connection is terminated. In case of a peer with static IP address, SX-GATE tries to negotiate a new connection.
  • Page 282: 11.1-E Connection

    Here you have to determine how the VPN connection will be established. automatically The VPN server of SX-GATE tries to contact the peer in order to establish a VPN connection. Of course it will also respond if the peer contacts SX-GATE. This option is not available if the peer has a dynamic IP address.
  • Page 283: 11.1-F Commands

    Especially on dial-up connections an unlimited number of retries could cause vast expenses. Routing gateway For proper setup of the routing table you have to provide the gateway. If SX-GATE and the peer are members of the same network segment, please select the corresponding option.
  • Page 284: Connection With Client

    The VPN connection will be established to the networks you specify here. To add a connection to a single host you have to supply its IP. If no local networks have been specified, the target of the VPN connections will be SX-GATE itself. Tunnel SX-GATE <-> Client If you have specified local networks, there will be no VPN connection between SX-GATE itself with its external IP and the client.
  • Page 285: 11.2-B Authentication

    IPs has to use the same preshared key. specified X.509 certificates only Using this option, the public key of the client must be imported on SX-GATE. Drawback of this method: Whenever the peer changes its certificate (e.g. after expiration) the new public key has to be imported before the VPN connection can be reestablished.
  • Page 286 Import public key Here you can specify the public key of the client. If the client's certificate was issued by the local SX-GATE CA, you can copy it from there. Otherwise you have to import it from a file in PEM format.
  • Page 287: 11.2-C Phase 1

    Dead Peer Detection With Dead Peer Detection (DPD) enabled, SX-GATE checks every 30 seconds whether the peer is still alive. The check is only performed when the link is idle. If there's no reply for 120 seconds, the connection is terminated. In case of a peer with static IP address, SX-GATE tries to negotiate a new connection.
  • Page 288: 11.2-E Connection

    This setting will deactivate the corresponding VPN connection. Routing gateway For proper setup of the routing table you have to provide the gateway. If SX-GATE and the peer are members of the same network segment, please select the corresponding option.
  • Page 289: Connection With XAuth Client

    Disable connections Abort all connections. For the time being it will not be possible to re-connect. 14.1.2.11.3 Connection with XAuth Client The configuration options in this menu are structured by topic. You can change between the different screens by clicking on the tabs at the top. 14.1.2.11.3-A VPN-Tunnel...
  • Page 290 IPs has to use the same preshared key. specified X.509 certificates only Using this option, the public key of the client must be imported on SX-GATE. Drawback of this method: Whenever the peer changes its certificate (e.g. after expiration) the new public key has to be imported before the VPN connection can be reestablished.
  • Page 291 Import public key Here you can specify the public key of the client. If the client's certificate was issued by the local SX-GATE CA, you can copy it from there. Otherwise you have to import it from a file in PEM format.
  • Page 292: 11.3-C Phase 1

    Phase 2 Dead Peer Detection With Dead Peer Detection (DPD) enabled, SX-GATE checks every 30 seconds whether the peer is still alive. The check is only performed when the link is idle. If there's no reply for 120 seconds, the connection is terminated. In case of a peer with static IP address, SX-GATE tries to negotiate a new connection.
  • Page 293: 11.3-E Connection

    This setting will deactivate the corresponding VPN connection. Routing gateway For proper setup of the routing table you have to provide the gateway. If SX-GATE and the peer are members of the same network segment, please select the corresponding option.
  • Page 294: Connection With L2TP Client

    IPs has to use the same preshared key. specified X.509 certificates only Using this option, the public key of the client must be imported on SX-GATE. Drawback of this method: Whenever the peer changes its certificate (e.g. after expiration) the new public key has to be imported before the VPN connection can be reestablished.
  • Page 295 SX-GATE's VPN server certificate must have been issued by the same CA or otherwise authentication will fail. As the client's certificate is not installed on SX-GATE it can be renewed anytime without local changes. The only requirement is that the new certificate also has to be issued by the trusted CA.
  • Page 296 Import public key Here you can specify the public key of the client. If the client's certificate was issued by the local SX-GATE CA, you can copy it from there. Otherwise you have to import it from a file in PEM format.
  • Page 297 "optional" is not recommended, but may be necessary for interoperability with other IPSEC implementations. ESP-Proposals The phase 2 proposals determine acceptable ciphers and hash-algorithms for the actual data transmission. If no proposals have been entered here, all proposals SX-GATE supports are accepted. 14.1.2.11.4-D Connection Connect Here you can enable or disable the VPN connection.
  • Page 298 When enabled, both SX-GATE and the client seem to be behind NAT. Routing gateway For proper setup of the routing table you have to provide the gateway. If SX-GATE and the peer are members of the same network segment, please select the corresponding option.
  • Page 299 "Connection" is restored. Wait for inbound connections All established connections will be closed. SX-GATE waits for the peers to re-establish the connection. Disable connections Abort all connections. For the time being it will not be possible to re-connect.
  • Page 300: Firewall

    The IP header information as well as the actual payload is examined. The analysis is based on a signature database. The IDS is always enabled on SX-GATE's Internet interface. There it uses a subset of the available signatures, focusing on the detection of infected local systems. It tries to prevent that these systems transmit data into the Internet or try to infect other systems with malware.
  • Page 301 The update server address can be changed in menu "System > Update". Also a proxy can be configured there if necessary. Update IDS signatures automatically When enabled, SX-GATE will check for new signatures daily between 18:00 and 21:00. 14.2.1 Settings...
  • Page 302: Policies

    Connections passing through SX-GATE belong to this group. SX-GATE is neither the source nor the destination of the connection. The connection is routed by SX-GATE. Forwarding rules can be defined on tab "* > SX-GATE > … ". 14.2.2 Policies...
  • Page 303 Here we are talking about connections initiated by SX-GATE. Select the outgoing interface in SX-GATE's web administration and edit rules on tab "SX-GATE > … ". A table gives you an overview of all available objects. If there are more than 10 entries, a navigation bar will appear below the right bottom hand corner of the table where you can page through the entries or open the table in fullscreen mode.
  • Page 304 LAN to the Internet. To allow specific connections from the Internet to SX-GATE, you have to define them on the tab labeled " … > SX-GATE". Direct connections from LAN to the Internet can be allowed on tab "* >...
  • Page 305: 2-A General

    LAN networks have unlimited access to servers in the DMZ. In contrast, internet access to the DMZ has to be allowed on tab "* > SX-GATE > … ". To restrict DMZ access for the LAN networks, you can change the corresponding setting on tab "General".
  • Page 306 If the destination of the connection after applying the DNAT rules is not SX-GATE itself, you have to activate "IPv4 routing" at "Modules > Firewall > Settings". A DNAT connection will work only if the new connection target returns the reply packets via SX-GATE. Only then can SX-GATE modify the reply packets so that the client will accept them.
  • Page 307 SX-GATE. to IP Please enter the new destination address here. This may be an IP of SX-GATE (except 127.0.0.1) or likewise the IP of any other system. Even for "discard" rules an address has to be specified, however the actual value is not considered.
  • Page 308: 2-C Transp. Proxy

    14.2.2-C Transp. proxy Some SX-GATE services can act as a transparent proxy. This allows the use of the proxy with all its benefits without having to reconfigure the clients. The checkboxes on this screen will activate firewall rules to redirect certain connections to the corresponding SX-GATE proxy.
  • Page 309 25 (SMTP) to Enable this option to intercept direct SMTP connections to the Internet and redirect them to a service on SX-GATE. From the technical point of view, the destination IP of connections to port 25 will be replaced by SX-GATE's IP.
  • Page 310: 2-D

    … > SX-GATE 14.2.2-D This tab addresses connections to SX-GATE. The destination is one of the applications SX-GATE offers. Input rules: Source …, destination SX-GATE A new entry is created by filling out the input fields and clicking on "Add". Select an existing entry and click "Copy"...
  • Page 311: 2-E * > SX-GATE

    Comment Use this field for documentation. Up to 14 characters from this field will be included in the log if logging is enabled for this rule. * > SX-GATE > … 14.2.2-E Forwarding rules: Any source, destination … A new entry is created by filling out the input fields and clicking on "Add". Select an existing entry and click "Copy"...
  • Page 312 You should enable logging only for diagnostic purposes or for rules which are not used frequently. Otherwise your log files may grow rapidly. Protocol Select one of the protocols from the list. Each protocol represents a set of IP protocol and port definitions. You will find the details in menu "Definitions > Protocols".
  • Page 313: 2-F SX-GATE

    However if access to the proxy servers of SX-GATE is allowed, these could be abused to get indirect access to the other network. With this control you can restrict these outgoing connections.
  • Page 314: 2-G * > Snat

    IP have to be forwarded to the Internet. SNAT can also be used to set a specific sender address for certain services if multiple Internet IPs are assigned to SX-GATE. In most cases it is not necessary to configure anything here.
  • Page 315 Source zone Use this setting to restrict the rule to connections originating in a specific zone or to connections established by SX-GATE itself. Source IP/network If you leave these fields blank, the rule will apply to any source IP. To grant access for a single client only, please enter its IP address.
  • Page 316: 2-H Options

    It is possible to associate a specific NAT IP address with each rule. This way you can create a static mapping between an internal and an external IP address if SX-GATE has multiple Internet IP addresses. If you do not impose an IP, SX-GATE will automatically use the interface's primary IP.
  • Page 317 To the sender of the traceroute it appears that SX-GATE itself is the destination of the traceroute. If SX-GATE is used as a firewall protecting a network with Internet IP addresses (e.g. a DMZ), this feature can be used to hide the internal network structure and the actually active servers to a certain extent.
  • Page 318: Dhcp

    Dynamic IPv4 ranges Dynamically assigned IP ranges Here you can specify the IP addresses which SX-GATE will assign to devices requesting an IP by DHCP. Please make sure that none of the addresses entered here is already statically assigned to a device in the network. This could lead to conflicts with double IP addresses.
  • Page 319: B Static Ipv4 Addresses

    In contrast to a primary DHCP server, SX-GATE as secondary will not reply immediately when a device asks for an IP address. SX-GATE will only reply when a few seconds have passed and the device continues to demand the IP address. In this case SX-GATE assumes that the primary DHCP server is not available and will thus assign an IP address.
  • Page 320: C Network Parameters

    14.3-C Network parameters Most of the settings on this screen refer to SX-GATE. That's why the corresponding values are used by default. However you can alter these settings if required. Domainname This option determines which domainname will be assigned to DHCP clients.
  • Page 321: E Custom Options

    Enter the config file's URL here. The SX-GATE configuration server provides such a config file which you should use if the browsers must use SX-GATE as web proxy. However if it does not suit your needs you may as well enter the URL of your own config file.
  • Page 322: G Static Ipv6 Addresses

    Both the assigned IPv6 address and the prefix may be based on a dynamic prefix SX-GATE requested from your provider. Therefore you can also select from the list of IPv6 addresses and prefixes defined in menu "Definitions > IP objects" when adding a new entry.
  • Page 323 DNS 1 The SX-GATE DHCP-Server will assign this IP address as primary name server. DNS 2 Optionally you can enter a secondary name server. It will be considered by the clients whenever the primary DNS is not available or answers with a delay. You can specify your provider's DNS server for example, or a DNS server within your LAN.
  • Page 324: Dns

    DNS queries for addresses SX-GATE cannot answer authoritatively will be forwarded to name servers in the Internet. SX-GATE should first pass the DNS query to the name servers of your provider, which can be filled in here. If multiple servers are available they will be asked in order of their speed of response.
  • Page 325 Forwarding DNS queries to the Internet (recursion) is restricted to local IPs, which limits the use of SX-GATE as DNS proxy to internal clients. Information from non-public DNS zones will be served only to local IP addresses.
  • Page 326: Zones

    Allows you to enter an arbitrary text. 14.4.1-D DNS IP objects Update interval Select how often SX-GATE updates the IP addresses of DNS based IP objects configured in menu "Definitions > IP objects". 14.4.2 Zones A table gives you an overview of all available objects. If there are more than 10 entries, a navigation bar will appear below the right bottom hand corner of the table where you 14.4.2 Zones...
  • Page 327 "New Entry" below the table on the left. Use the dustbin icon to delete entries. Type of zone Here you can add a new DNS zone for which SX-GATE will be the authoritative name server. DNS queries for these zones will not be forwarded to name servers in the Internet but answered by the DNS of SX-GATE.
  • Page 328: Domain

    Type Please select SX-GATE's role for the DNS zone. Master The entries in the zone file have to be configured on SX-GATE in this case. SX-GATE is the start of authority (SOA) for this zone. Slave In this mode, SX-GATE mirrors the contents of a DNS zone. The contents cannot be modified on SX-GATE.
  • Page 329 DNS entries can be specified absolute or relative. An entry which ends with a dot is considered to be absolute (e.g. "www.example.com."). A relative entry has no trailing dot. The current zone will be appended automatically to this entry. If for instance the current zone is "example.com", you only need to enter "www"...
  • Page 330: 1-B SOA

    DNS servers decide whether the entries of a zone file have been updated and therefore a zone transfer is required. The serial number will be incremented automatically by SX-GATE after each modification. Nevertheless you can influence the serial number by specifying a value yourself.
  • Page 331: 1-E Access Control

    Allow zone transfer for IP If this zone has to be mirrored by secondary name servers, you have to add their IP addresses here. SX-GATE will accept a zone transfer only if it is requested by one of the IPs listed here.
  • Page 332: Ipv4 Reverse Lookup Zone

    Type Please select SX-GATE's role for the DNS zone. Master The entries in the zone file have to be configured on SX-GATE in this case. SX-GATE is the start of authority (SOA) for this zone. Slave In this mode, SX-GATE mirrors the contents of a DNS zone. The contents cannot be modified on SX-GATE.
  • Page 333 to the relative addressing (no trailing dot) this value will automatically expand to "10.5.16.172.in-addr.arpa.". The second field will take the hostname which corresponds to this address. Defines a name server for a reverse lookup zone. In the first field you have to fill in the zone for which you want to add a NS record. Enter the name relative to the currently selected zone.
  • Page 334 14.4.2.2-D Access control Master This option is only available when SX-GATE acts as a secondary server (slave) for this zone. Please specify from which name server SX-GATE can download the zone file. Public zone DNS queries on this zone will always be answered if the query was sent from an internal IP address.
  • Page 335: Ipv6 Reverse Lookup Zone

    Allow zone transfer for IP If this zone has to be mirrored by secondary name servers, you have to add their IP addresses here. SX-GATE will accept a zone transfer only if it is requested by one of the IPs listed here.
  • Page 336 Forward In contrast to the previous options, SX-GATE is not authoritative for the zone but rather forwards queries to another name server. 14.4.2.3-A Entries Userdefined entries Here you can define entries for the selected zone. To specify NS records for the zone itself please use the tab specifically provided for these entries.
  • Page 337 14.4.2.3-D Access control Master This option is only available when SX-GATE acts as a secondary server (slave) for this zone. Please specify from which name server SX-GATE can download the zone file. Public zone DNS queries on this zone will always be answered if the query was sent from an internal IP address.
  • Page 338 Allow zone transfer for IP If this zone has to be mirrored by secondary name servers, you have to add their IP addresses here. SX-GATE will accept a zone transfer only if it is requested by one of the IPs listed here.
  • Page 339: Mail Server

    Mail Server 14.5.1 POP/IMAP server SX-GATE offers a mailbox to every member of group "system-mail". To have mails delivered into a SX-GATE mailbox, at least one domain with "Deliver to SX-GATE mailbox" must be configured. This service provides access to SX-GATE's mail accounts with POP3 and IMAP4.
  • Page 340: Smtp Settings

    Provider relay SMTP Relay Server for outgoing emails With this control you determine how outgoing emails will be forwarded. SX-GATE can deliver directly to the recipient's mail server. The address of this mail server is determined by DNS. If you specify the name or IP of a mail relay server (smarthost) here, outgoing emails will always be forwarded to this server.
  • Page 341 The SMTP auth credentials can be transmitted using different methods. Use this control to force one of them. If SX-GATE may choose one of the methods, it will prefer the MD5 based algorithms as the password won't be sent in the clear.
  • Page 342: 2-B Delivery Parameters

    Process send queue on Internet dial-in Activate this option if SX-GATE is directly connected to the Internet using an ISDN PPP or ADSL dial-up link. Each time a new dial-up connection is established, an attempt is made to deliver the emails waiting in the queue.
  • Page 343: 2-C PGP / SMIME

    The PGP/SMIME filter helps to enforce that emails to certain recipients have to be encrypted. If a user forgets to encrypt a mail, SX-GATE will refuse to accept it. Mails must be at least partially encrypted, using PGP (GPG) or S/MIME. As an exception, emails with an empty sender address as often used in e.g.
  • Page 344: 2-D Relay Control

    Internet mail per user. SMTP-Auth required for local users If this switch is active, SX-GATE will not relay emails to the Internet, if the mail was sent from a local IP address without authentication. Local IP addresses are those listed at "Local IP addresses"...
  • Page 345: 2-E Receiving Filters

    SMTP-Auth accepted for non-local users This switch is complementary to the previous one. In general a non-local IP is not allowed to send an email to the Internet via the SX-GATE mail server. When this switch is activated, this will be allowed for authenticated users.
  • Page 346 Verify internal addresses in advance When this option is enabled, SX-GATE will contact the internal mail server for every email it receives to verify if it is willing to accept a message for the given recipients. This is checked before the actual message body is transmitted to SX-GATE, so mails to non-existent recipients will be rejected before wasting bandwidth.
  • Page 347 Enable this option and SX-GATE will accept the mail without verification in both situations. SX-GATE will queue the mail if the internal mail server is unreachable. SX-GATE will return the mail to its sender if the internal mail server refuses to accept it (e.g.
  • Page 348: 2-F Resource Limits

    14.5.2-F Resource limits On this tab you can configure various limits which help to protect SX-GATE and downstream systems from being overloaded. The restrictions apply to all SMTP connections accepted by SX-GATE. It does not matter if a mail client program or another mail server establishes the connection.
  • Page 349: 2-G Archiving / Milter

    In contrast to the previous option, only connections from external addresses will be monitored. So this setting won't have any effect if e.g. SX-GATE polls a POP server for emails. This option requires SX-GATE to receive emails directly via SMTP.
  • Page 350 If the relay SPAM filter decides to discard the mail, the archive recipient won't receive a copy. External milter You can make SX-GATE contact an external milter while processing mail. Select the stage of processing which best suits the purpose of the filter. Address of Milter Enter the hostname or IP address of the external Milter.
  • Page 351: Spam/Virus/Malware

    The tests apply to all SMTP connections accepted by SX-GATE. It does not matter if a mail client program or another mail server establishes the connection. An email which violates one of these checks will already be rejected before the actual payload is being transmitted.
  • Page 352 This option enables a sanity check on the hostname part of the welcome message, presented by the sending system. The hostname must include at least one dot and may not be equal to SX-GATE's hostname. Otherwise the mail will be rejected. This check is not performed for authenticated connections and connections from IPs listed below "Local IP addresses"...
  • Page 353 There are two different behaviours, depending on whether the SX-GATE mail client has been enabled in the configuration or not. If it is not used, the SX-GATE mail server will refuse delivery with a temporary error. Depending on its configuration, the sending mail server might retry delivery later before notifying the sender.
  • Page 354: 3-B Greylisting

    Hence the sender of an email will not become aware of the delay. As SX-GATE indicated a temporary problem, the sending relay server will retry delivery at a later point in time. This is the vital difference in comparison with the behaviour of many spammers and most viruses.
  • Page 355 It depends on the configuration of the sending relay server when and how often it will retry delivery. SX-GATE has no influence on this. In most cases the retransmission will take place in less than an hour. However longer delays are possible. It is even possible that some servers will not retry at all.
  • Page 356 SPAM to random recipient addresses. The best solution to this problem is probably to get rid of the catch-all behaviour. If this is an option and SX-GATE forwards mails to an internal mail server, please switch to menu "Modules > Mail Server >...
  • Page 357 If SX-GATE hosts the catch-all mailbox, you can disable it with the option "Emails to unknown local recipients" on the same tab. If however you must continue with a catch-all setup, this greylisting option will help to reduce both SX-GATE's workload and the amount of SPAM.
  • Page 358: 3-C SPF Filter

    On the other hand delivery of requested emails might fail. Relay servers which retry delivery after longer periods of time will not be able to deliver emails to SX-GATE if the chosen value is too low. Timeout after last use After a retransmission, the corresponding combination of source IP, sender and recipient will be stored in the automatic whitelist.
  • Page 359 However it is often necessary to whitelist additional addresses: Backup MX If a backup MX is configured for your own domain, the SX-GATE SPF filter must not process emails it receives from the backup MX. This is because the backup MX is not an authorized sender in the terms of SPF for the sender domain.
  • Page 360: 3-D Virusscan

    Virusscan Virusscan enabled Activate this switch to scan all incoming and outgoing emails which pass the SX-GATE mail server for viruses. As an exception, email generated on the system level of SX-GATE like e.g. status reports and backups will not be checked. However emails written in the webmail interface of SX-GATE will be scanned.
  • Page 361 Enable this option if you want to look for unwanted attachments in inbound emails only. incoming and outgoing mails Use this setting to filter any email passing SX-GATE's mail server. While inbound emails are quarantined, outbound emails with unwanted attachments will be rejected.
  • Page 362 No other archive types are supported. Archive inspection is non- recursive, i.e. archives inside of archives will not be scanned. Quarantine mode for inbound emails Determine how to deal with emails containing unwanted attachments. No matter which setting you choose, an administrator can always inspect the attachments in menu "Monitoring >...
  • Page 363: 3-F MIME Filter Rules

    The administrator can still access the quarantine area anytime via administration interface. The virus scanner vendors publish new signatures at irregular intervals. It's not important when SX-GATE will check for new signatures, but that updated signatures are actually available.
  • Page 364: 3-G MIME Filter Options

    It makes no difference whether you specify an extension as e.g. "exe", ".exe" or "*.exe". All three formats refer to the extension "exe". SX-GATE tests for each attachment whether its filename ends with a dot followed by one of the stated extensions. The comparison is case insensitive.
  • Page 365 SPAM, phishing mails trying to get confidential information like passwords - just to mention a few. Enable this option to defeat most of these dangers. SX-GATE will then scan for critical HTML elements and rename them. The user's mail client will then no longer recognize these elements, so the user is quite safe.
  • Page 366 the original document can be reconstructed. Just erase every occurrence of the text "DEFANGED_" in the document. This filter will be applied to incoming emails only. Attached HTML files will be filtered, too. Send HTML files in archives to make sure these will not be altered. enabled Select this option to defang HTML in emails.
  • Page 367: 3-H Relay Spam Filter

    The SPAM mail filter of SX-GATE classifies emails by identifying typical phrases and other attributes indicating an unsolicited email. SX-GATE contains a database of checks to perform and all matches result in a score which in turn allows filtering emails.
  • Page 368 All the other SPAM related tabs here in menu "Mail Server" affect both ways of SPAM filtering. If SX-GATE forwards emails to an other (internal) mail server, you have to activate the SPAM filter in relay mode here on this tab. If however SX-GATE keeps the mailboxes for your domains, both ways of SPAM filtering are possible.
  • Page 369: 3-Ispam Scores

    Refuse to accept mails when score exceeds When this threshold is exceeded, SX-GATE's mail server will refuse to accept the email. The sending system is in charge of a proper reaction like e.g. notifying the sender or an administrator.
  • Page 370 Recipient Use this option to match the recipient (To header). Message header Allows you to examine an arbitrary mail header. Message body The actual contents of the email are analyzed when selecting this value. Rule This setting differs from the previous ones. It allows you to modify the score of SX-GATE's built-in rules.
  • Page 371: 3-J SPAM Modules

    You can add a complete email address (e.g. user@example.com) to prevent filtering emails from this specific address. If you want to allow every email from a specific domain to pass, add only the domain part of the address (e.g. example.com). 14.5.3-J SPAM modules The settings made on this screen will not only apply to the relay SPAM filter, but also...
  • Page 372 With this feature it also becomes possible to learn unrecognized SPAM and emails which have been tagged as SPAM by mistake. A user account with mail permission (group system-mail) on SX-GATE is required and either IMAP or the SX-GATE webmailer must be used to access the mail account.
  • Page 373: 3-K SPAM Settings

    OCR for images Some SPAM mails use images to convey their message, so traditional text analysis will fail. The character recognition tries to identify text in those images. Detecting typical SPAM phrases, the SPAM score is increased by a basic value and a surcharge per suspicious word.
  • Page 374: Tls Encryption

    14.5.4-B Mail server certificate (page 376), 14.5.4-C Trusted CA (page 379). SX-GATE supports the encrypted transmission of mails using the STARTTLS command. However, only the SMTP connection between the SX-GATE mail server and its communication partner will be encrypted. 14.5.4 TLS Encryption...
  • Page 375 (e.g. because there is a backup mail server operated by the ISP). If the addressed mail server does not support encryption, the mail will be queued. SX-GATE will retry the delivery at a later point in time.
  • Page 376 POP3 and IMAP4 server of SX-GATE also uses it for encrypted access. Import or issue a new certificate Install a new certificate in here. SX-GATE can issue a self-signed certificate, but it also offers the required functions to obtain a certificate from a public certification authority (CA).
  • Page 377 Issue the certificate to the address which is normally used to connect with the service from the Internet. Usually this is the Internet DNS name of SX-GATE. You can also issue a wildcard certificate (e.g. *.example.com).
  • Page 378 Old systems like e.g. Windows XP before SP3 might only support keys with max. 2048 bit and an SHA1 hash. Certificate request Entering this screen, a certificate request will be generated on SX-GATE. Select certificate file Here you can import the certificate you received back from the certificate authority.
  • Page 379: Domains

    Email domain Please enter a recipient domain. Mails to this domain are either going to be delivered to a local mailbox on SX-GATE or forwarded to a specific (internal) mail server. Deliver For each individual recipient domain you can select one of the following delivery targets: 14.5.5 Domains...
  • Page 380 Mails addressed to a domain of this type will be delivered to a user mailbox or group of SX-GATE. Select this option to forward inbound emails to a specific internal mailserver. A typical example would be a mail server in the LAN like e.g.
  • Page 381: 5-A Local Domain

    14.5.5-B Mail server Forward emails to SX-GATE will forward all mails with a recipient address in the currently selected domain to the mail server you enter here. Backup server If there is a backup system for the mail server configured above, you can fill in its address here.
  • Page 382: 5-C Virtual Recipients

    If you redirect to an internal address without domain, e.g. the name of a SX-GATE group or a SX-GATE mailbox, mail is delivered straight to it. Of course the configured behaviour of a group or a user's mailbox is preserved. This includes distributing an email to all members of a group or following forwarding rules of a user's mailbox.
  • Page 383: 5-D Mailrouting

    One user however has no access to SX-GATE and must poll the POP server himself. If a local user tries to send an email to this external user, SX-GATE would try to deliver this mail locally. An entry here allows you to forward mail for this recipient to the Internet instead.
  • Page 384: 5-E Sender Addresses

    14.5.5-E Sender addresses Mapping of sender addresses You can change the sender address of emails here. Each entry in the list consists of two values: the address to rewrite and the new value. Any sender address mapping configured for the rewritten address is ignored.
  • Page 385: 5-G Disclaimer

    According to the standard, SMTP-Auth is a "hop-to-hop" authentication. Thus it involves only the two systems directly connected. In this case the relay server asks the SX-GATE mail server to authenticate itself and not e.g. the user who wrote the email. Therefore SX-GATE can only use one specific login for SMTP-Auth.
  • Page 386: Pop/Imap Client

    14.6.1 Settings On this tab you can configure when SX-GATE has to poll POP or ETRN servers for new mails. If neither POP nor ETRN servers have been specified, these settings are ineffective. The same applies to POP servers with no mailboxes and ETRN servers with no domains.
  • Page 387 ETRN (ESMTP) ETRN is a command of the ESMTP protocol. It might be used if SX-GATE is connected to the Internet with a dial-up line using a fixed IP address. The mail server of the provider tries to forward incoming emails directly to this fixed IP address.
  • Page 388 Some POP servers supply the original recipient address in one of the headers, but prefix it with a certain string. Enter this string here to have SX-GATE remove it automatically. So the mail will be delivered to the correct recipient.
  • Page 389 If an email address with one of the domains listed here is found, only the recipient's name will be used when forwarding the mail. As the domain part SX-GATE will use the value which was specified as recipient domain when adding the multi-drop mailbox.
  • Page 390 Max. number of messages per connection With this parameter you can limit the amount of mails retrieved in a single poll. If the mailbox on the POP server contains more messages, SX-GATE will download them in the next cycles. The POP server will delete retrieved mails at the end of the connection, provided it was terminated in a clean way.
  • Page 391 14.6.2-E ETRN Call ETRN for domain An ETRN command will be sent to the respective ETRN server for each of the domains listed here. 14.6.2 Servers...
  • Page 392: Web Proxy

    (group "system-proxy"). by SX-GATE This option allows Internet access only after a successful authentication. You have to assign user accounts and passwords in the SX-GATE user administration (group "system-proxy"). 14.7 Web proxy...
  • Page 393: 1-A Client Access

    LDAP server If you select this option, Internet access is granted to those users who can log on to an LDAP server. You don't have to add users on SX-GATE to use this authentication method. by Windows (obsolete) If you select this option, a user has to be able to access a certain file with his Windows username and Windows password if he wants to access the Internet.
  • Page 394 Digest. Per user time- and transferlimits With this switch the monitoring of the limits will be activated. The respective limits of a user are assigned in SX-GATE's user administration. Session timeout To account for the time a user spent browsing via the proxy, the download times are summed up.
  • Page 395: 1-C NTLM Authentication

    Select which users are authorized to use the proxy. Join Windows domain SX-GATE needs a machine trust account in the Windows domain to be able to perform NTLM authentication. Use this wizard to set the actual domain and to create the account.
  • Page 396: 1-D Windows Authentication

    Please enter the login name of a Windows administrator. If you have already created a machine trust account for SX-GATE it is not necessary to provide the credentials again. Leave the field blank. On the next screen SX-GATE will check if the account is still valid. 14.7.1-D Windows authentication This screen is available only if you selected the authentication option "by Windows...
  • Page 397 This convention is used by most LDAP servers. MS ActiveDirectory (SAM) If you select this option, SX-GATE will search for objects which have the login specified as "SAMAccountName" attribute. In the Microsoft ActiveDirectory, this attribute refers to the user login name for compatibility with "Windows NT 3.5x/4.0".
  • Page 398: 1-F Authentication Options

    LDAP search within the search path (in ActiveDirectory this involves read permission for "everyone"). If this is not possible or desired, SX-GATE must log on to the LDAP server. To do this, please enter the login for the LDAP account here.
  • Page 399: 1-G PAC File

    (IP 127.0.0.1 or primary IP of that host), connections to SX-GATE (LAN IP or fully qualified hostname according to "System > Setup") and connections to unqualified hostnames (i.e.
  • Page 400: 1-H Destination Ports

    "Accepted CONNECT destinations". If you access SX-GATE's configuration server by IP address via web proxy, it will probably deny further connections after enabling this feature. 14.7.1-I ICAP SX-GATE's web proxy can query external filters with an ICAP interface. 14.7.1 Settings...
  • Page 401: 1-J Size Limits

    14.7.1-K Provider proxy If your provider offers a proxy server, you can configure the SX-GATE web proxy to forward requests via this proxy. If your provider operates a caching proxy server, its use can speed up Internet access. In some cases it may be mandatory to use the proxy due to the security policy of your provider.
  • Page 402: 1-L Proxy Selection

    Also encrypted (https) connections may not be cached. ISP proxy login If necessary, the SX-GATE web proxy can log on to the provider proxy. Provide the required credentials in the corresponding fields. If authentication is not required these fields should remain blank.
  • Page 403: 1-M Cache Parameters

    If no expiration date was specified for an object, at some point in time the proxy of SX-GATE will start to ask the web server if the object was modified since it has been cached. If yes, it will be refreshed. When SX-GATE begins to send this type of requests depends linearly on the last time the file was modified on the web server.
  • Page 404 Delete cache This function will delete both the memory and the disk cache of SX-GATE's web proxy. The proxy will be stopped for a short time and restarted with an empty cache. After this the former contents of the disk cache will be deleted in the background.
  • Page 405: Url Filter

    Email address for anonymous FTP login When accessing anonymous FTP servers, the server requests an arbitrary email address as password. The address sent by the SX-GATE web proxy when accessing such a server can be determined here. 14.7.2 URL filter The configuration options in this menu are structured by topic.
  • Page 406 14.7.2-A Policy URL filter policy The URL filter tests each client request, whether it is acceptable or must be denied, by successively evaluating the rules configured on this screen. If a request fulfills all preconditions of a rule (time, source IP, user) the requested URL is looked up in the URL filter list the rule references.
  • Page 407 At least two rules are necessary to grant access to approved URLs only. The first rule references a URL filter list with the allowed target. The second rule denies access to any URL (Filter list "*"). 14.7.2-B Options Proxy tunnel detection This option activates checks for tunneled connections (https) that try to bypass local security guidelines.
  • Page 408 You need to purchase a license to use this commercial database. Please contact your SX-GATE dealer. Update daily at This database can be updated daily. Please enter the time when you want to update.
  • Page 409: Content Filter

    Additionally some data is submitted for statistical evaluation: • Information on used hardware and operating system (e.g. i686, number of processors, Linux 2.6.32.28) • Hostname (e.g. router) • Number of unique IPs querying the URL filter module. • Number of queries. •...
  • Page 410 Web server responses usually declare the file type in the HTTP header. Misconfigured or malicious web servers provide generic or false content types. By using this setting SX-GATE tries to find the real file type by looking at the first bytes of each transferred file.
  • Page 411 If virusscan or the option "Verify content type" is enabled, the content filter will modify requests to download only parts of a file, so that always complete files are downloaded. In particular some software updaters always expect partial content, even though the reply indicates that the complete file is served.
  • Page 412 This component will scan only those files which have been downloaded via the virusscanning proxy of SX-GATE. The virusscanning proxy has to be enabled. It is not possible to scan the contents of encrypted connections, unless the option to break SSL connections has been enabled.
  • Page 413 This component will scan only those files which have been downloaded via the virusscanning proxy of SX-GATE. The virusscanning proxy has to be enabled. It is not possible to scan the contents of encrypted connections, unless the option to break SSL connections has been enabled.
  • Page 414 Hide OBJECT tag Activate this switch to defang the tag "<object>". This tag is used to e.g. execute Java Applets, ActiveX controls and plugins. 14.7.3-D Tag filter whitelist Permitted applications With "Trusted servers (incl. subdomains)" on tab "General" you can disable filtering for specific servers.
  • Page 415 This component will scan only those files which have been downloaded via the virusscanning proxy of SX-GATE. The virusscanning proxy has to be enabled. It is not possible to scan the contents of encrypted connections, unless the option to break SSL connections has been enabled.
  • Page 416 What should the proxy do when it encounters a server certificate which is either self-signed or has been issued by a CA which is unknown to SX-GATE? When disabled, the proxy will issue a self-signed certificate for the server, so the browser will show a warning and the user has to decide if he wants to trust the connection or not.
  • Page 417 yes, accept OCSP errors Revocation status of certificates will be checked using OCSP. Only revoked certificates will block connections. yes, block on errors Revocation status of certificates will be checked using OCSP. In addition to revoked certificates connections will also be blocked if query errors (like a failure to connect to the OCSP responder) occur.
  • Page 418: Reverse Proxy

    80 can not be used by the reverse proxy. Use a different, unused port like e.g. 8888. If internet access to SX-GATE's administration web server is not required, the firewall can redirect connections from the Internet on port 443 to the reverse proxy. Add an appropriate DNAT rule to the firewall configuration of the Internet interface.
  • Page 419 (https://) Clients connecting to the SX-GATE are required to use an SSL/TLS encrypted communication. authenticated (https://) With this setting the clients are required to authenticate themselves with a certificate issued by SX-GATE's CA. plaintext (http://) Communication between clients and SX-GATE is unencrypted.
  • Page 420 Upon request the reverse proxy will ask for a login before it forwards requests to certain backends. Only members of SX-GATE group "system-proxy" will be accepted. Web browsers usually open a small popup window, asking for login and password. Among other things, the popup will display the message you enter here.
  • Page 421 This certificate is needed for encrypted access to the reverse proxy of SX-GATE. Import or issue a new certificate Install a new certificate in here. SX-GATE can issue a self-signed certificate, but it also offers the required functions to obtain a certificate from a public certification authority (CA).
  • Page 422 Issue the certificate to the address which is normally used to connect with the service from the Internet. Usually this is the Internet DNS name of SX-GATE. You can also issue a wildcard certificate (e.g. *.example.com).
  • Page 423 Issue the certificate to the address which is normally used to connect with the service from the Internet. Usually this is the Internet DNS name of SX-GATE. You can also issue a wildcard certificate (e.g. *.example.com), however wildcard certificates are usually much more expensive.
  • Page 424 Certificate request Entering this screen, a certificate request will be generated on SX-GATE. Select certificate file Here you can import the certificate you received back from the certificate authority. Make sure it is in PEM format. Check certificate Check the certificate you just uploaded. It will be installed in the next step.
  • Page 425 14.8.1-C Trusted CA Configure the certificate authority (CA) used to authenticate the clients. Trusted CA Please select the CA. Import trusted CA Select CA certificate file Now the certificate chain must be added to the certificate. This may include one or more intermediate CAs.
  • Page 426 You can restrict access to certain backends to requests which contain a specific host header value. Enter a DNS name or an IP of SX-GATE which is valid in the Internet and the reverse proxy will forward only those requests with the correct host header to corresponding backends.
  • Page 427 Exchange services: internal protocol To enable access to Exchange services, please select the protocol for the connection between SX-GATE and Exchange/IIS first. If you opt for unencrypted HTTP, remember to enable SSL offloading in the Exchange server configuration. Please take account of Microsoft's technical specifications. As a backend server, IIS must internally be running on port 443 (encrypted) or 80 (no encryption).
  • Page 428 To access EAC / ECP with a browser you have to append the corresponding base path to the URL (e.g. https://www.example.com/ecp). Access with ActiveSync Mobile devices use the ActiveSync protocol to connect with Exchange. This option enables access to IIS path "/Microsoft-Server-ActiveSync". Access with RPC/Outlook Anywhere This option enables Outlook to establish an HTTPS tunnel to Exchange.
  • Page 429 14.8.2-B SX-GATE services The reverse proxy can be used to access the SX-GATE webmail client and the SX-GATE administration GUI. You might as well grant direct access to SX-GATE's HTTPS port, however using the reverse proxy allows you to limit access. Typically you might want to grant access to webmail but not to the SX-GATE administration.
  • Page 430 Auth. Access to the backends requires authentication if this option is enabled. The reverse proxy will solely accept the credentials of members of SX-GATE group "system-proxy". Enable this feature if access to the backends is limited to specific users. Information about the server software running on the backends or the kind of application provided will thus remain invisible to unauthorized people.
  • Page 431 Load balancing Configure multiple backend servers for the same URL path on tab "Backend servers" and SX-GATE will act as a load balancer for the corresponding requests. Basically a load balancer distributes requests to several backends, serving the same contents and applications. SX-GATE's reverse proxy chooses a random backend, taking into account the weighting factor you can assign to each backend.
  • Page 432 Subsequent requests using the same credentials will always be sent to the same backend server. It does not matter whether the backend or SX-GATE's reverse proxy requested the authentication. URL parameter Select this option if a session id is passed along with every request as value of a specific URL parameter.
  • Page 433: More Proxies

    In non-transparent mode any FTP client can use the proxy, too. If the FTP client allows you to configure an FTP proxy, you will have to enter SX-GATE as the proxy server on port 2121. The notations for the proxy type vary. Select something like "USER...
  • Page 434 "USER user@host:port". Even if the FTP client does not offer proxy configuration, SX-GATE's FTP proxy can be used easily. In this case you may no longer contact the FTP site directly. No matter which FTP site you want to contact, connect to SX-GATE instead.
  • Page 435: Sip Proxy

    Client connections running through a NAT device (Network Address Translation) are a problem for Voice over IP. Therefore SX-GATE provides a SIP proxy with integrated RTP proxy for IP phones supporting the SIP protocol. So both signaling and the actual voice data can be proxied.
  • Page 436 In this case the IP phones register with a registrar in the Internet. Supplemental services like a voice box or a gateway into the public telephone system. Here the primary task of SX-GATE's proxy is to forward incoming calls to the correct IP phone.
  • Page 437: Pop3/Smtp Proxy

    IPs of your VoIP provider. Accept registrations of the following IP addresses The SX-GATE SIP proxy will refuse registration if the client IP is not listed here. This applies to both modes of operation (external registrar or SX-GATE as registrar).
  • Page 438 Virusscan When enabled, SX-GATE will perform a virus check on emails downloaded with POP3 or sent by SMTP via the proxy. A functional virusscanner must be installed on SX-GATE if you want to use this feature.
  • Page 439: Socks Proxy

    SOCKS proxy. Some programs even provide builtin SOCKS support. For protocols like e.g. HTTP, HTTPS and FTP SX-GATE offers dedicated proxy services. SOCKS should not be used for these protocols. Specialized proxies provide more features and better protocol support than a generic proxy.
  • Page 440 Protocols are defined in menu "Definitions > Protocols". Protocol signatures other than UDP and TCP will be ignored. 14.9.4-B Client access Proxy access for source IP addresses SX-GATE's SOCKS proxy will refuse connections if the client's IP is not listed here. 14.9.4 SOCKS proxy...
  • Page 441: Http Server

    DNS entries in its name server and instruct the intranet web server to redirect requests for "wpad.dat" to "http://<SX-GATE's LAN-IP>:8000/proxy.pac". This is a predefined config file which instructs the browsers to use SX-GATE as web proxy. 14.10 HTTP server...
  • Page 442 This user is not listed in the user administration menu of SX-GATE. 14.10-B SX-GATE offers you the possibility to operate a simple Internet web server. The upload of files is possible by FTP and Windows network shares. Use the predefined user "www" as login.
  • Page 443 This user is not listed in the user administration menu of SX-GATE. 14.10-C Content maintenance The SX-GATE Windows shares can be used to comfortably manage the SX-GATE web servers using Windows. By default, the corresponding service is not active. Enable it in "System > Services".
  • Page 444 WWW CGI share enabled Use this switch to enable the network share "wwwcgi". This share can be used to update the CGI scripts of SX-GATE's web server. You have to connect to this share as user "www". The corresponding password is specified in the menu "Modules >...
  • Page 445: Ftp Server

    14.11 FTP server Here you can specify which class of users has access to the FTP server of SX-GATE. Restricting access using the option "allowed from local networks" refers to source IP addresses which belong to the "INTRANET" networks as defined in "Definitions > IP objects".
  • Page 446: Virusscanner

    The available license depends on the number of users and will only cover the installation of the scanner on SX-GATE. The license is valid for a certain period of time and therefore has to be renewed regularly. When buying or renewing the license you will receive a license key file.
  • Page 447: C F-Secure

    The available license depends on the number of users and will only cover the installation of the scanner on SX-GATE. The license is valid for a certain period of time and therefore has to be renewed regularly. When buying or renewing the license you will receive a license key file.
  • Page 448: E Mcafee

    Press this button to immediately update the Kaspersky signatures. 14.12-E McAfee On SX-GATE you can install the 32-bit version of the McAfee command-line scanner for Linux. Commonly the archive is named "vscl-l32-VERSION-l.tar.gz". Please make sure that this scanner is part of the McAfee bundle you plan to purchase.
  • Page 449: F Install / Update / Uninstall

    The status "OK" indicates that the scanner is working as expected. 14.12-F Install / update / uninstall Virus scanner licenses are not part of SX-GATE and must therefore be purchased separately. You will find further information in the documentation of the scanner specific screen.
  • Page 450 Installing the Avira scanner requires a special archive which has been adapted to SX-GATE. This archive has the filename extension "*.rin". In addition you also have to install the Avira license key file here. This file has the filename extension "*.key".
  • Page 451: Time Server

    Internet. You can then synchronise other systems in your local LAN with the time of SX-GATE. To get the current time, connect to TCP port 13 (daytime) or 37 (time), UDP port 123 (NTP) or use the Windows shares for time synchronisation.
  • Page 452 SX-GATE time Synchronise now If you want to contact the listed time servers immediately in order to synchronise the system time of SX-GATE, please click this button. Note that you will need to be connected to the Internet. SX-GATE timezone The timezone currently used by SX-GATE is shown here.
  • Page 453: Configuration Of An L2Tp Ipsec Vpn Client

    The SX-GATE VPN server should be already configured. It is highly recommended to use SX-GATE's wizard "L2TP IPSec VPN" from the "Wizards" menu. If you are using X.509 certificates for authentication, please make sure to have the required key and certificate files at hand.
  • Page 454: Automatic Configuration

    There are two different ways an L2TP-IPSec-VPN connection can be configured. Automatic configuration You use the setup package which is offered to you by SX-GATE as download after creating a new certificate. This package contains all the files which are necessary for doing an automatic import of the certificates and also configures the connection for you.
  • Page 455 The password is used to decode and import the certificates. If the certificate import fails, e.g. because the Windows version is too old, all the necessary files for a manual configuration will be copied into the user's home directory. Then the "Connection Manager Administration Kit" is used to configure the VPN connection.
  • Page 456 Now the Connection Manager is opened. Simply enter username and password and connect to SX-GATE. 15.1.1 Automatic configuration...
  • Page 457: Manual Configuration

    15.1.2 Manual configuration Select IPSec authentication type If the IPSec connection will not be authenticated by certificates, you can skip the description of the certificate import. X.509 certificate Please read on at Setup management console (p. 457) passphrase (preshared key) Please read on at Connection setup (p.
  • Page 458 Select "Add/Remove Snap-in" from the "File" menu Click "Add" for a list of available snap-ins. Select the snap-in "Certificates" and insert it with "Add".
  • Page 459 It is crucial to select "Computer account" as managed account type. Proceed with "Next". The snap-in has to manage certificates on the "local Computer". Press "Finish" to add the new snap-in.
  • Page 460 "Close" the list of available snap-ins. With "OK" the computer is prepared to import the VPN key. Import certificate Open the folders "Console Root" and "Certificates (Local Computer)" from the tree view. Right-click the "Personal" item and select "All Tasks > Import" from the context menu.
  • Page 461 Leave the welcome screen by clicking "Next". Select the PKCS#12 file (*.p12) which contains the required certificates and the private key. Proceed with "Next". You will now be prompted for the password protecting the PKCS#12 file.
  • Page 462 This password was assigned while issuing the certificate to protect the PKCS#12 file's private key. Do not confuse this password with the CA password, which has to be provided every time a new certificate is signed. Press "Next". On the next screen, it is very important to pick "Automatically select the certificates store based on the type of certificate".
  • Page 463 Complete the import procedure with "Next" and "Finish". From the "Action" menu select "Reload" and the certificate you just imported should appear in folder "Certificates" below "Personal". Double-click the certificate and inspect it. The certificate icon on top of the dialog box must not be crossed out. If it is crossed out, it is invalid and you will not be able to establish the VPN connection.
  • Page 464 CA which issued the client's certificate. If not, it has to be imported. Ask your CA for their certificate. If you are using SX-GATE's builtin CA to issue certificates, the CA certificate will be imported automatically as it is part...
  • Page 465 "Next" will let you choose the type of connection. Pick "Virtual Private Network connection" and continue with "Next". Supply a descriptive name for the connection (e.g. your company's name) and click "Next".
  • Page 466 Specify SX-GATE's external (internet) IP address as VPN server. "Next" will finish the basic connection setup. It's recommended to let the wizard create a shortcut to this connection on your desktop. Connection settings Now start the newly added connection.
  • Page 467 Before connecting, you still have to adjust some settings by clicking "Properties". Change to tab "Networking". The type of VPN must be set to "L2TP IPSec VPN". On tab "Security" select the option "Advanced (custom settings)" and click the "Settings" button next to it.
  • Page 468 Select "Optional encryption" and allow the use of "Unencrypted Password (PAP)". Although a security warning will pop up when pressing "OK", these settings are safe. PAP authentication is performed after the IPSec tunnel has been established. Its encryption will protect the transmission of the PAP password.
  • Page 469 How do you authenticate? Some Windows releases support authentication using a preshared key. In case this is configured on your SX-GATE you also have to set it up on your Windows system. How do you authenticate? X.509 certificate Please read on at Connect (p.
  • Page 470 Turn back to the connect screen by clicking "OK". Specify the login and password of a member of the SX-GATE group "system-ras". Press "Connect" to establish the L2TP connection with SX-GATE. Use e.g. ping to test if the remote network is reachable.
  • Page 471 IPSec or L2TP. Please inspect the corresponding logfiles, as they might contain error messages which help you to solve the problem. When problems occur while establishing the IPSec tunnel, SX-GATE's log "IPSec" from menu "Monitoring > Log files" might indicate the reason.
  • Page 472 "%SystemRoot%\debug\oakley.log". %SystemRoot% is the Windows base directory. In case you encounter problems in the L2TP stage, you will find further information in SX-GATE's log "PPP". If you are not able to find the cause of the problem by inspecting the three logs stated above, please send an excerpt of one connection attempt to technical support.
  • Page 473: Mac Os X

    15.2 Mac OS X Please read on at (p. 473)
  • Page 474: Apple Iphone

    15.3 Apple iPhone Prerequisites The SX-GATE VPN server should already be configured. It is highly recommended to use SX-GATE's wizard "L2TP IPSec VPN" from the "Wizards" menu. The wizard automatically sets up the VPN server for certificate-based authentication. Unfortunately the iPhone supports only certificates purchased from certain CAs.
  • Page 475 This can either be an IP address or a DNS name of SX-GATE. At "Account" you set the username used to log in to SX-GATE. Please make sure that the user already exists on SX-GATE and is a member of SX-GATE's "system-ras"...
  • Page 476 15.3 Apple iPhone...
  • Page 477: Contact

    Contact You can contact us in a number of ways. Support hotline: +49-(0)7032-95596-21 (Mon-Thu 9-12 o'clock, 13-17 o'clock, Fri 9-12 o'clock, 13-16 o'clock) Support email: support@xnetsolutions.de Postal address: XnetSolutions KG Benzstraße 32 D-71083 Herrenberg Germany Internet: http://www.xnetsolutions.de 16 Contact...
  • Page 478: Sx-Gate Support

    SX-GATE Support Your SX-GATE online support (remote maintenance) can take place, if agreed by you, via Internet. This is possible even if your SX-GATE is no longer able to access the Internet. (Requires an ISDN connection) This service is available Monday to Thursday from 9 to 12 o'clock and from 13 to 17 o'clock and Fridays from 9 to 12 o'clock and from 13 to 16 o'clock.
  • Page 479: Technical Specifications

    Technical Specifications All technical specs can differ according to the model. Package dimensions: 19" enclosure, 1U Weight: approx. 10 kg net Ethernet connection: 4x NIC, 2x 1000/100/10 Mbit LAN, 2x 10/100 Mbit LAN, RJ45 ISDN adapter: optional one port Interfaces: 1x 9-pin RS-232, 1x VGA rear, 2x USB front, 2x USB rear Processor: P4 2.8 GHz Memory:...
  • Page 480: Ce Statement Of Conformity

    CE Statement of Conformity This device fulfils all requirements of the European directives "Electromagnetic compatibility" 89/336/EEC and "Low voltage" 73/23/EEC. 19 CE Statement of Conformity...
