3Com OfficeConnect 3C16771 User Manual
http://www.3com.com/
Part No. DUA1677-0AAA03
Published June 2000
OfficeConnect® Internet Firewall

User Guide

OfficeConnect Internet Firewall 25 3C16770
OfficeConnect Internet Firewall DMZ 3C16771
OfficeConnect Web Site Filter 3C16772
Summary of Contents for 3Com OfficeConnect 3C16771

  • Page 1: User Guide

    OfficeConnect® Internet Firewall User Guide OfficeConnect Internet Firewall 25 3C16770 OfficeConnect Internet Firewall DMZ 3C16771 OfficeConnect Web Site Filter 3C16772 http://www.3com.com/ Part No. DUA1677-0AAA03 Published June 2000...
  • Page 2 Copyright © 2000, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Technologies.
  • Page 3: Table Of Contents

    Wichtige Sicherheitshinweise Consignes Importantes de Sécurité Before You Start Stacking the Units Together Securing the Internet Firewall with the Rubber Feet Stacking the Internet Firewall with the Clip Positioning the Internet Firewall Securing the Internet Firewall Internet Firewall Front Panel...
  • Page 4 QUICK SETUP FOR THE INTERNET FIREWALL Checklist for Setting up the Internet Firewall Cable Modem Users Initial Configuration Required Information for the Internet Firewall Wizard Setting up the Internet Firewall COMMAND REFERENCE Status Messages Setting the Clock Setting the Administrator Password...
  • Page 5 User Settings Establishing an Authenticated Session Automatic Proxy Forwarding Example of Installing a Proxy Server Specifying Intranet Settings Installing the Internet Firewall to Protect the Intranet Configuring the Internet Firewall to Protect the Intranet Intranet Window Boxes and Controls Static Routes...
  • Page 6 EXAMPLE CONFIGURATIONS Introduction Protecting an Existing Network with the Internet Firewall 25 Increasing the number of IP addresses available using NAT Setting up the Internet Firewall 25 with an OfficeConnect 56K LAN Modem INTRODUCTION TO IP ADDRESSING Network Protocols...
  • Page 7 Reloading the Firmware TECHNICAL SUPPORT Online Technical Services World Wide Web Site 3Com Knowledgebase Web Services 3Com FTP Site 3Com Facts Automated Fax Service Support from Your Network Supplier Support from 3Com Returning Products for Repair INDEX CORPORATION LIMITED WARRANTY...
  • Page 9: About This Guide

    The OfficeConnect Internet Firewall acts as a secure barrier to protect a private LAN from hacker attacks from the Internet. It can also be used to control the access that LAN users have to the Internet. The OfficeConnect Internet Firewall 25 supports up to 25 users on the LAN.
  • Page 10: How To Use This Guide

    subscription. The Internet Firewall has a one-month free subscription for the Web Site Filter. This guide is intended for use by the person responsible for installing or managing the network. It assumes knowledge of the following: Basic familiarity with Ethernet networks and the Internet Protocol.
  • Page 11: Conventions

    Table 1 Where to find specific information (continued) If you are looking for... Turn to... Information about IP port numbering. Appendix D Step by step examples of how you can configure your Internet Appendix E Firewall. A non-technical overview of IP addressing. Appendix F Information on resetting the Internet Firewall.
  • Page 12: Terminology

    Press Ctrl+Alt+Del Words in italics Italics are used to: Emphasize a point. Denote a new term at the place where it is defined in the text. Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents.
  • Page 13 IP Spoof — A type of DoS attack. An IP spoof uses a fake IP address to bypass security settings which may bar access from the real IP address.
  • Page 14: Year 2000 Compliance

    PPPoE is a version of this protocol that operates over Ethernet. SYN Flood — A type of DoS attack. This is where a client opens a connection with a server but does not complete it. If the server queue fills up with partially-open connections, no other clients can make genuine connections to that server.
  • Page 15 Feedback about this User Guide Example: OfficeConnect Internet Firewall User Guide Part Number DUA1677-1AAA02 Page 24 Do not use this e-mail address for technical support questions. For information about contacting Technical Support, see Appendix...
  • Page 16 ABOUT THIS GUIDE...
  • Page 17: Introduction

    Internet and the LAN. The purpose of the Internet Firewall is to allow a private Local Area Network (LAN) to be securely connected to the Internet. You can use the Internet Firewall to: Prevent theft, destruction, and modification of data.
  • Page 18: Internet Firewall Security Functions

    2, computers on the LAN also have full access to devices on the DMZ. Users on the Internet can access hosts on the DMZ, such as a Web server, but cannot access any resources on the LAN unless they are authorized remote users.
  • Page 19: Internet Firewall Features

    Internet Firewall Features Figure 1 Internet Firewall 25 Security Functions Internet Firewall Features This section lists the features of the Internet Firewall. Firewall Security The OfficeConnect Internet Firewall is preconfigured to monitor Internet traffic, and detect and thwart Denial of Service ( DoS ) hacker attacks automatically.
  • Page 20 CHAPTER 1: INTRODUCTION Teardrop — a DoS hacker tool which is widely available on the Internet. Figure 2 Internet Firewall DMZ Security Functions The Internet Firewall uses stateful packet inspection to determine if a data packet from the Internet is allowed through to the private LAN.
  • Page 21: Internet Filtering

    The Internet Firewall maintains a log of all events that could be seen as security concerns. It can also track key events such as the top 25 most accessed Web sites, or the top 25 users of Internet bandwidth. You can also set up the...
  • Page 22: User Remote Access (From The Internet)

    Internet Firewall by the remote user, using a Web browser, through an MD5-based encrypted security mechanism. Once logged in, remote users are able to access all IP resources on the LAN. See “Setting up the DHCP Server”...
  • Page 23: Installing The Hardware

    WARNING: Please read the section ‘Important Safety Information’ carefully before switching on the unit. WARNING: Please read the section ‘Important Safety Instructions’ carefully before starting up. Appendix A for information about the cable...
  • Page 24: Wichtige Sicherheitshinweise

    The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.
  • Page 25: Consignes Importantes De Sécurité

    IEC 950. These conditions are only met if the devices connected to the unit are also operated under SELV conditions. There are no user-replaceable or user-serviceable parts inside the unit. If you have a problem with the switch that cannot be resolved by means of the...
  • Page 26: Before You Start

    Stacking the Units Together You can place the Internet Firewall on a desk using the rubber feet to make sure it does not slip on the desk, or you can stack the Internet Firewall using the clip to attach it to other OfficeConnect devices.
  • Page 27: Stacking The Units Together

    To fit another unit: 1 Rest the second unit on top of the clip and align it with the front of the unit below. 2 Press down gently on the unit to secure it onto the clip,...
  • Page 28: Positioning The Internet Firewall

    You need two suitable screws. Make sure that the wall you are going to use is smooth, flat, dry and sturdy. Make two small diameter holes which are 142mm (5.6 in.) apart as a guide for the screws.
  • Page 29: Internet Firewall Front Panel

    Internet Firewall Front Panel You can now connect the Internet Firewall to the network and set it up. Internet Firewall Front Panel Figure 4 shows the front panel of the Internet Firewall DMZ. Figure 4 Internet Firewall DMZ Front Panel The Internet Firewall 25 does not have DMZ LEDs.
  • Page 30: Internet Firewall Rear Panel

    Link Green — indicates that the link between the port and the next piece of network equipment is OK. Off — indicates that nothing is connected to the port or that the link has failed. Internet Firewall Rear Panel Figure 5 shows the rear panel of the Internet Firewall DMZ.
  • Page 31: Attaching The Internet Firewall To The Network

    Unless you are configuring the Internet Firewall DMZ for intranet support, devices on the WAN port are not directly accessible by users on the LAN. Do not attach servers or any device other than the Internet access device to the WAN port.
  • Page 32 3 Connect the Ethernet port labeled LAN to the LAN. If you are connecting the LAN port to a hub or switch using a standard 10BASE-T cable, make sure that the Uplink/Normal switch for the LAN port is in the Uplink position.
  • Page 33 During these diagnostics, which take about 90 seconds, the Power LED flashes. 8 Make sure that the Link LEDs are on for all ports that are connected. If not, see Chapter 6 for troubleshooting information.
  • Page 34 CHAPTER 2: INSTALLING THE HARDWARE...
  • Page 35: Quick Setup For The Internet Firewall

    Cable Modem Users If you are using the Internet Firewall with a cable modem, you may need to register the MAC address of the unit with your cable service provider before connecting the Internet Firewall to your network. You can find the MAC address of the Internet Firewall on a label on the underside of the unit.
  • Page 36: Required Information For The Internet Firewall Wizard

    DNS Server Address This is the address of a Domain Name System server, and can be for a server either on the LAN or Internet. This is required for downloading updates of the OfficeConnect Web Site Filter, as well as for the Name Lookup tool.
  • Page 37 DHCP server. If you are using the Internet Firewall as a DHCP server you will now need to set all of the PCs on your network to obtain their IP address automatically. If you are using an existing DHCP server then you will...
  • Page 38: Setting Up The Internet Firewall

    The Internet Firewall has a default IP address, 192.168.1.254 (my.3com.com), which you use to access it when you set it up initially. During this initial setup, your management station must have an IP address in the same subnet as the Internet Firewall. For example, set the IP address of the management station to 192.168.1.200...
  • Page 39 (the Internet Firewall default http://my.3com.com address) into the box at the top of the browser window. The Login dialog box is displayed. Figure 7 Login dialog box b In the User Name field, type the default user name:...
  • Page 40 Public IP address, the WAN router address and the WAN and DMZ subnet masks from a remote DHCP server on the WAN. If you use a modem to connect to the Internet, you may have to use this setting because some modem ISPs implement DHCP in their service.
  • Page 41 Setting up the Internet Firewall Choose NAT with PPPoE Client if you obtain your NAT Public IP addresses, WAN router address and WAN and DMZ subnet masks from your DSL operator using PPPoE. You will need to know your User Name and Password for the PPPoE server.
  • Page 42 Click Update to send the configuration data to the Internet Firewall. 6 Restart the Internet Firewall. a Click Tools on the left side of the browser window. b Select the Restart tab. c Click Restart Internet Firewall. d Click Yes to confirm the restart.
  • Page 43 The Status window displays the current status of the Internet Firewall. Any problems are listed in red text. For example, if the Internet access device was not contacted, or the default password was not changed, this is listed. Items listed in red...
  • Page 44 9 To register the Internet Firewall: a In the web browser, enter: http://www.3com.com/internetfirewall/ b Complete the registration form, and make a note of the registration code. c On the main screen, select Unit Status. A message is displayed stating that the Internet Firewall is not registered.
  • Page 45: Command Reference

    OfficeConnect Internet Firewall. You access these command functions using a Web browser to launch the management interface. This chapter is divided into sections dedicated to the major windows and functions within the Web management interface. Figure 12 illustrates the menu tree structure of the Internet Firewall.
  • Page 46: Status Messages

    Status Messages To display the current status of the Internet Firewall DMZ, click the Home button. Then click the part of the image labelled Unit Status. A window similar to the following will be displayed. Figure 13 Unit Status Window The Status window displays the current status of the Internet Firewall DMZ.
  • Page 47: Setting The Clock

    UTC. UTC stands for “Universal Time Co-ordinated”, and is the standard time common to all places in the world. It is also commonly referred to as Greenwich Mean Time or World Time. Many ISPs require firewall logs to be recorded to UTC (or within a fraction of it), as tracking hackers can be very difficult if reports of times are conflicting.
  • Page 48 You should also select your time zone from the drop-down list box at the top of the screen. If you cannot find your city in the list, you should set this to the one with the same offset from GMT as is used at your location.
  • Page 49: Setting The Administrator Password

    1 In the Old Password box, type the old password. 2 In the New Password and Confirm New Password boxes, type the new password. 3 Click Update to send the configuration data to the Internet Firewall. If you are setting the password for the first time, the default password is “password”.
  • Page 50: Network Settings

    Choose Standard if you have IP addresses allocated by your ISP for each machine that requires access to the Internet. Choose NAT Enabled if you want to use a single IP address for accessing the Internet, or if you do not have...
  • Page 51 DMZ subnet masks from your DSL operator using PPPoE. Standard When you select Standard, Network Address Translation (NAT) is disabled. All nodes on the LAN must use valid public IP addresses. The following information is required. For the LAN settings, specify: Internet Firewall Web Address.
  • Page 52 NAT Enabled Network Address Translation (NAT) provides anonymity to machines on the LAN by connecting the entire network to the Internet using a single IP address. This is useful for two purposes: Additional security is provided because all the addresses on the LAN are invisible to the outside world.
  • Page 53 Figure 17 Network Settings Window, NAT Enabled For the LAN settings, specify: Internet Firewall Web Address This is the IP address that is given to the Internet Firewall LAN interface and used to access it for configuration and monitoring. Choose a unique IP address from the LAN address range.
  • Page 54 LAN to the Internet. Public Address This is the IP address used to access the Internet. It will be the only address seen by Internet users and all activity on the Internet from the LAN will seem to originate from this address.
  • Page 55 Figure 18 Network Settings Window, NAT with DHCP Client For the LAN settings, specify: Internet Firewall Web Address This is the IP address that is given to the Internet Firewall LAN interface and used to access it for configuration and monitoring. Choose a unique IP address from the LAN address range.
  • Page 56 ISP DHCP server expires. Public Address This is the IP address used to access the Internet. It is the only address seen by Internet users and all activity on the Internet from the LAN seems to originate from this address.
  • Page 57 Figure 19 Network Settings Window, NAT with PPPoE Client For the LAN settings, specify: Internet Firewall Web Address This is the IP address that is given to the Internet Firewall LAN interface and used to access it for configuration and monitoring. Choose a unique IP address from the LAN address range.
  • Page 58: Specifying Dmz Addresses (Internet Firewall Dmz Only)

    Internet. Servers on the DMZ are publicly accessible, but they are protected from attacks such as SYN Flooding and Ping of Death. Use of the DMZ port is optional and you do not have to connect it.
  • Page 59 Alternatively you can select DMZ Port Settings from the Home Screen graphic. Each of the servers on the DMZ needs a public IP address. Obtain these IP addresses from your ISP. Usually, the ISP can also supply information on setting up public Internet servers.
  • Page 60: Setting Up The Dhcp Server

    Click this check box to enable or disable the DHCP server. This is disabled by default. Leave the DHCP server disabled if there already is a DHCP server on the LAN or if manual addressing is used on the LAN computers.
  • Page 61 Setting up the DHCP Server client the use of that IP address for the same amount of time. If the client no longer requires the IP address, the address is freed and returned to the pool of available addresses to be used again. The default value is 60 minutes.
  • Page 62 Dynamic Ranges When a client makes a request for an IP address, the Internet Firewall’s DHCP server leases an address from the Dynamic Ranges. Prior to offering an address from the Dynamic Range to a requesting client, the Internet Firewall first verifies that the address is not already in use by another machine on the LAN.
  • Page 63: Viewing The Dhcp Server Status

    IP and MAC address of the bindings Type of binding (Dynamic, Dynamic BootP, or Static BootP). To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete. Figure 22 DHCP Server Status Window...
  • Page 64: Dns Name Lookup

    A window similar to that in Figure 23 is displayed. Type the host name to look up in the Look up the name box and click Go. The Internet Firewall then queries the DNS server and displays the result at the bottom of the screen.
  • Page 65: Find Network Path

    For example, if the Internet Firewall thinks that a machine known to be on the Internet is located on the LAN port, then there is a problem with the configuration of the network or intranet settings. Find Network Path also shows if the target node is behind a router, and the Ethernet address of the target node or router.
  • Page 66: Ping

    If the network path is incorrect, check the intranet, static route, and DMZ settings. Find Network Path requires an IP address. Use the Internet Firewall’s DNS Name Lookup tool to find the IP address of a host. Ping The Ping tool bounces a packet off a machine on the Internet back to the sender.
  • Page 67: Packet Trace

    Name Lookup tool to find the IP address of a host. Packet Trace Use the Packet Trace tool to track the status of a data packet or communications stream as it moves from source to destination. This is a useful tool to determine if a packet or communications stream is being stopped at the Internet Firewall, or is lost on the Internet.
  • Page 68: Technical Support Report

    Firewall’s DNS Name Lookup tool to find the IP address of a host. 1 Enter the IP address of the remote host in the Trace on IP address box, and click Start. 2 Initiate an IP session with the remote host using an IP client, such as Web, FTP, or Telnet.
  • Page 69: Filter Settings

    Filter Settings Figure 27 Tech Support Report Window Click Save Report to save the report as a text file to the local disk. Filter Settings Click Filter, and then select the Settings tab. A window similar to that in Figure 28 is displayed.
  • Page 70: Restricting The Web Features Available

    Restricting the Web Features Available The following is a list of the web features that you can choose to allow access to. ActiveX ActiveX is a programming language that is used to embed small programs in Web pages.
  • Page 71: Blocking Options

    Web Proxy When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server. This feature disables access to proxy servers located on the WAN.
  • Page 72: Specifying When Filtering Applies

    Questionable/Illegal & Gambling Alcohol & Tobacco Specifying When Filtering Applies Use the Time of Day setting to define time periods during which Internet filtering is enabled. For example, in a school, it might be useful to enable Internet filtering during normal school hours to protect students, but to disable it after hours to give teachers complete access to the Internet.
  • Page 73: Update Filter

    Many sites included in the Web Site Filter regularly change the IP address of the server to try to bypass the Web Site Filters. This makes maintaining a current list subscription critical for effective content filtering.
  • Page 74 CHAPTER 4: COMMAND REFERENCE Click Filter, and then select the Filter Update tab at the top of the window. A window similar to that in Figure 29 is displayed. Website Filter Status Shows the status of the Web Site Filter and the date it was last downloaded.
  • Page 75: Keywords

    You can block Web URLs that contain specified keywords. This functions as a second line of defense against objectionable material. For example, if you specify the keyword , the following URL: http://www.new-site.com/xxx.html is blocked, even if it is not included in the Web Site Filter.
  • Page 76: Custom List

    Update. To add a keyword, in the Add Keyword box, type the keyword to block and click Update. To remove a keyword, select it from the list and click Delete Keyword. Custom List This function allows you to block specific web sites, or restrict access to a list of approved web sites.
  • Page 77: Setting Up Trusted And Forbidden Domains

    Up to 256 entries are supported in the Trusted Domains list (for example, shop.3com.com). Click Update to send the update to the Internet Firewall. To block a Web site which does not appear in the Web Site Filter, type its host name, such as www.bad-site.com, into the Forbidden Domains box.
  • Page 78 Message to display when a site is blocked When a user attempts to access a site that is blocked by the Web Site Filter, a message is displayed on their screen. The default message is Web Site Blocked by .
  • Page 79: Consent

    Consent Consent This page must reside on a Web server and be accessible as a URL by users on the LAN. Use the Consent function to specify which computers are always filtered and which are filtered only when such protection is requested by the user. You can also configure Consent to require users to agree to the terms outlined in an organization’s Acceptable Use Policy before you allow...
  • Page 80 the page defined in the Consent page URL box. Type the time limit, in minutes, in the Maximum web usage box. Specify the default value of zero (0) to disable this feature. User idle timeout After a period of inactivity, the Internet Firewall requires the user to agree to the terms outlined in the Consent tab before it allows any additional Web browsing.
  • Page 81 AUP are blocked and logged. You must include in this page a link to a page contained in the Internet Firewall which, when selected, tell the Internet Firewall that the user wishes to have filtering enabled.
  • Page 82: Logs And Alerts

    If you want to be alerted of high-priority information, such as an attack on a server, you can specify that this information is immediately e-mailed, either to the main e-mail address used by the log, or to a different address, such as a paging service.
  • Page 83 Logs and Alerts Figure 33 View Log Window The log is displayed as a list in a table, but may appear differently when viewed with various browsers. You may have to adjust the browser’s font size and other viewing characteristics to display the log data most efficiently.
  • Page 84 parentheses is the ICMP code. The address information is usually preceded by the name of the service described by either the TCP or UDP port, or the ICMP type in quotation marks. Web, FTP, Gopher, or Newsgroup blocked The LAN IP and Ethernet addresses of a machine that attempted to connect to the blocked site or newsgroup are displayed.
  • Page 85: Log/Alert Settings

    If the log message calls the attack “probable”, contact the ISP to see if they can track down the source of the attack. In either case, the LAN and DMZ are protected and you do not need to take further steps.
  • Page 86 Internet Service Provider that you use to connect the network to the Internet or use the DNS Lookup tool (see page 90) to find the IP address of the mail server, if you know its name. If you leave this box blank, log and alert messages are not sent via e-mail.
  • Page 87 This pop-up menu is used to configure the frequency of log messages being sent as e-mail: daily, weekly, or only when the log is full. If the weekly or the daily option is selected, specify a time of day when the e-mail is to be sent.
  • Page 88 CHAPTER 4: COMMAND REFERENCE Log Categories Click this check box to enable or disable the generation of the following log message categories. System Maintenance When enabled, log messages showing general system maintenance activity, such as administrator logins, automatic loading of Web Site Filters, activation and restarting the Internet Firewall, are generated.
  • Page 89 Alerts are events, such as an attack, which may warrant immediate attention. When an event generates an alert, a message is immediately sent to the e-mail account defined in the Send alerts to box on the Log Settings window (see page 85).
  • Page 90: Reports

    CHAPTER 4: COMMAND REFERENCE Reports The Internet Firewall can analyze the event log to show the following: Top 25 most accessed Web sites Top 25 users of bandwidth by IP address Top 25 services that consume the most bandwidth Click Log and then select the Reports tab.
  • Page 91 Web access is to sites considered applicable to the primary business function. If leisure, sports, or other similar sites are on this list, it may signal the need to change or more strictly enforce the organization’s Acceptable Use Policy. Bandwidth Usage by IP Address...
  • Page 92: Restarting The Internet Firewall

    CHAPTER 4: COMMAND REFERENCE Restarting the Internet Firewall To restart the Internet Firewall: 1 Click Tools and select the Restart tab. A window similar to that in Figure 36 is displayed. Figure 36 Restart Window 2 Click Restart Internet Firewall.
  • Page 93: Saving And Restoring Configuration Settings

    Figure 37 is displayed. Figure 37 Configuration Window Use the Configuration tab to specify where the settings for the Internet Firewall are saved to and retrieved from for backup purposes. You can also restore the default settings from the Configuration tab. 3Com recommends that you back up the Internet Firewall settings.
  • Page 94: Specifying The Export File

    This defaults to <Filename>.exp (internetfirewall.exp). The process may take up to a minute. Reloading the Settings After exporting a settings file, you can import it back to the Internet Firewall. Click Import. A window similar to that in Figure 39 is displayed.
  • Page 95: Restore Factory Defaults

    Click Browse to find a file which was previously saved using Export. You may need to set File type to *.* to be able to see the .exp file you exported. Once you have selected the file, click Import.
  • Page 96: Upgrading The Software

    The Internet Firewall checks to see if new software is available for download on a weekly basis. If there is a new software release, an e-mail notification is sent to the address in the Send log to box.
  • Page 97 Upgrading the Software To be notified automatically when new firmware is available: 1 Click the Send email when new firmware is available check box. 2 Click Update. To load the new firmware: 1 Click Upload Firmware Now. A window similar to that in Figure 41 is displayed.
  • Page 98 Figure 42 Firmware Upload Window 3 Click Browse... and select the software file you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN. 4 Click Upload to begin the upload. Make sure that your Web browser supports HTTP uploads.
  • Page 99: Policy

    The Services window contains a table showing the defined Network Access Rules. Rules are sorted from the most specific at the top, to the most general at the bottom. At the bottom of the table is the Default rule. The Default rule is all IP services.
  • Page 100 The default value is disabled; use caution when enabling. When the Warning Icon is displayed to the right of the check box, there is a Custom Rule in the Rules tab section that modifies the behavior of the listed Network Access Rule.
  • Page 101: Adding A Service

    Firewall. You must restart the Internet Firewall for these changes to take effect. Adding a Service If a protocol is not listed in the Services window, you can add the service. Click Policy, and then select the Add Service tab. A window...
  • Page 102 4 From the Protocol drop-down list, select the IP protocol type. 5 Click Add. The new service appears in the list box. For a list of IP port numbers, see: http://www.normos.org/ietf/rfc/rfc1700.txt If you create multiple entries with the same name, they are grouped together as a single service and may not function as expected.
  • Page 103: Policy Rules

    Network Access Rules evaluate network traffic’s source IP address, destination IP address, and IP protocol type to decide if the IP traffic is allowed to pass through the firewall. Custom rules take precedence, and may override the Internet Firewall’s default stateful packet inspection.
  • Page 104: Network Access Rule Logic List

    Internet to an internal Notes server. Is the intent of the rule to allow or deny traffic? What is the flow of the traffic: from the LAN to the Internet, or from the Internet to the LAN? List which IP services will be affected.
  • Page 105 Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN. Once you have defined the logic of the rule, it is critical to consider the security ramifications created by the rule:...
  • Page 106: Understanding The Network Access Rule Hierarchy

    Ethernet menu. If there are IP address restrictions on the destination of the traffic, such as limiting Telnet to a remote site, type the starting and ending IP addresses of the range in the Addr. Range Begin and Addr. Range End, respectively.
  • Page 107: Examples Of Network Access Rules

    Internet. 1 For the Action, choose Deny. 2 From the Service list, choose NNTP. If the service is not listed in the menu, add it in the Add Service window. 3 Select LAN from the Source Ethernet list.
  • Page 108: User Privileges

    Internet. However, Ping is a tool that many ISPs use to verify that the Internet connection is active. In this example, you limit the source to allow the ISP to ping the Internet Firewall only. 1 For the Action, choose Allow.
  • Page 109 Authenticated Session. This applies to Remote Access and Bypass Filters . User List The user list is a scrollable box which contains a list of all currently defined users. In addition, there is an entry at the top of the list labeled -New User- .
  • Page 110: Establishing An Authenticated Session

    To establish an Authenticated Session, you point your Web browser at the Internet Firewall’s Web Address. This process is identical to the administrator login. A dialog box is displayed, asking you for the user name and password (see Figure 15). After filling in these boxes and...
  • Page 111: Automatic Proxy Forwarding

    Internet, preventing password theft and replay attacks. Once authenticated, remote users can access all IP resources on the LAN, and users on the LAN can bypass the Web Site Filter. The connection closes if user inactivity on the connection exceeds the configured time-out period. In that case, the remote user must re-authenticate.
  • Page 112: Example Of Installing A Proxy Server

    Chapter 4: Command Reference. The proxy server must be located on the WAN; it may not be located on the LAN. Click Advanced, and then select the Proxy Relay tab. A window similar to that in Figure 47 is displayed.
  • Page 113: Specifying Intranet Settings

    Specify intranet settings to allow LAN users to access the proxy. If you do not do this, users cannot access the proxy. 1 Install the proxy server. a Install and configure the proxy server software using a valid IP address.
  • Page 114: Installing The Internet Firewall To Protect The Intranet

    Figure 48: Connecting the Internet Firewall to protect the intranet. Installing the Internet Firewall to Protect the Intranet: 1 Connect the Ethernet port labeled LAN on the back of the Internet Firewall to the network segment that will be protected against unauthorized access.
  • Page 115: Configuring The Internet Firewall To Protect The Intranet

    Internet Firewall’s LAN port. Use this method in cases such as a small accounting office in a large LAN, where it may be easier to identify the small number of machines with restricted access rather than the larger number of machines on the corporate network.
  • Page 116: Intranet Window Boxes And Controls

    Using the exclusive method, you specify the IP addresses of the machines connected to the Internet Firewall’s WAN port. Use this method in cases such as a large school district with a small student computer lab where it would be easier...
  • Page 117: Static Routes

    Use static routes if the LAN is segmented into subnets, either for size or practical considerations. For example, you can create a subnet which only contains an organization’s graphic design shop, isolating it from traffic on the rest of the LAN. Static Routes Window Boxes and Controls The IP Address and Subnet on the Internet Firewall’s...
  • Page 118: Setting Up One-to-One NAT

    DMZ/WAN: The IP addresses of the DMZ, if appropriate, and WAN ports are shown. These differ from that of the LAN port if NAT is enabled. Configure these in the Network Settings window (see Figure 16). You can specify the Subnet mask, if it is different from the default.
  • Page 119 No corresponding valid IP Inaccessible except as Public address LAN Server You cannot include the NAT Public IP Address in a range. Click Advanced, and then select the One-to-One NAT tab. A window similar to that in Figure 51 is displayed.
  • Page 120 Type the number of IP addresses for the range. The range length may not exceed the number of valid IP addresses. You can add up to 64 ranges. To map a single address, use a Range Length of 1. Click Update. Restart the Internet Firewall for changes to take effect.
  • Page 121: The Office Connect

    Company. This list is developed and maintained by The Learning Company's Cyber Patrol unit. The sites on the CyberNOT List are reviewed by a team of Internet professionals, including parents and teachers. They use a set of criteria that categorizes Internet sites and resources according to the level of possibly objectionable content.
  • Page 122 Internet unaccompanied by a parent or educator. Any easily accessible pages with graphics, text or audio which fall within the definition of the categories below will be considered sufficient to place the source in the category. Violence/Profanity: Violence: pictures exposing, text or audio describing...
  • Page 123 Pictures or text advocating the proper use of contraceptives. This topic would include condom use, the correct way to wear a condom and how to put a condom in place. Also included are sites relating to discussion about the use of the Pill, IUDs and other...
  • Page 124: Activating The Web Site Filter

    Internet Firewall before Activating the Web Site Filter. See Chapter 3 for registration details. When you register the product you will be given 30 days free subscription to the Web Site Filter. To continue getting upgrades to the Web Site Filter (covering new Web Sites as...
  • Page 125 Web Site Filter subscription. To activate your annual subscription perform the following steps: 1 Using a Web browser, go to the Web Site Filter registration page http://www.3com.com/internetfirewall/ 2 Click the Activate Web Site Filter link.
  • Page 126 Chapter 5: The OfficeConnect Filter Activation...
  • Page 127: Troubleshooting Guide

    The OfficeConnect Internet Firewall has been designed to help you detect and solve possible problems with the network. If you cannot find the solution to the problem in this chapter, please contact Technical Support (see Appendix H for information about contacting Technical Support).
  • Page 128: Power LED Flashes Continuously

    Try replacing the cable with a known good cable. Is it the correct cable? Try using a standard 10BASE-T or crossover cable instead. If the problem is on the LAN or DMZ port, try setting the Uplink/Normal switch to the alternative position.
  • Page 129: LAN Users Cannot Access The Internet

    Explorer 4 or higher versions are supported. During the initial configuration, make sure that you change the IP address for the management station to one in the same subnet as the Internet Firewall, such as 192.168.1.200. Make sure the Web browser has Java, JavaScript, or ActiveX enabled.
  • Page 130: Internet Firewall Does Not Save Changes

    Try restarting the router or LAN machines. Make sure the LAN is not connected to the WAN port on the Internet Firewall. If DHCP is on, make sure no other DHCP servers are on the LAN. Machines on the WAN Are Not Reachable Make sure the Intranet settings in the Advanced section are correct.
  • Page 131: Cable Specifications And Pinout Diagram

    Cable Specifications. The OfficeConnect Internet Firewall supports the following cable types and maximum lengths: 10BASE-T Twisted Pair, maximum cable length of 100 m (327.86 ft). Pinout Diagrams: Table 5 shows the pinout connections for RJ-45. Table 5 RJ-45 Pinouts Function RD –...
  • Page 132 Appendix A: Cable Specifications and Pinout Diagram. Figure 52 Twisted Pair Pinouts...
  • Page 133 Interfaces: 10BASE-T — two for the Internet Firewall, three for the Internet Firewall DMZ. Power: 11W OfficeConnect Power Adapter. Dimensions: 228 x 185 x 54 mm (9.12 x 7.3 x 2.1 in.). Weight: 870 g (1.9 lbs). Standards, Functional: ISO 8802/3 IEEE 802.3...
  • Page 134: Technical Specifications And Standards

    Appendix B: Technical Specifications and Standards. *See “Electromagnetic Compatibility” on page 182 for conditions of operation.
  • Page 135: Optional Direct Connection

    Administrator Password. Though this is more an academic than a practical issue, using the Direct Connection option to set the password for the first time may be advisable if this is a concern. Direct Connection Instructions 1 Disconnect the management station from the local Ethernet network.
  • Page 136 Appendix C: Optional Direct Connection. To do this, connect a cable from the Ethernet port on the management station to the LAN Port of the Internet Firewall. 3 Switch on the Internet Firewall. To do this, connect the power adapter to the port on the back labeled Power.
  • Page 137: IP Port Numbers

    Many popular services, such as Web, FTP, SMTP/POP3 e-mail, DNS and so forth operate in this range. The assigned ports use a small portion of the possible port numbers. For many years the assigned ports were in the range 0–255.
  • Page 138 Appendix D: IP Port Numbers. The Registered Ports are in the range 1024–65535. Visit http://www.normos.org/ietf/rfc/rfc1700.txt for a list of IP port numbers.
  • Page 139 features of the OfficeConnect Internet Firewall should actually be used (to back up the information in the rest of this manual), and also how some of the more advanced features can be set up, and be beneficial to you.
  • Page 140: Example Configurations

    The Internet Firewall 25 must have its own IP address so that it can work properly and you can manage it. If all 16 IP addresses are in use, then the ISP will not support the addition of this extra IP address.
  • Page 141 Connect the WAN port of the Internet Firewall 25 to the Ethernet port on the cable modem. b Connect the LAN port to the hub or switch that all the PCs are connected together through, or directly to one PC from which you intend to manage the Internet Firewall 25 (the management station).
  • Page 142 Click Set Date & Time on the Home screen. b Select your time zone from the drop down list at the top of the screen. If you can’t find your city, use one with...
  • Page 143 Protecting an Existing Network with the Internet Firewall 25 c Here, you want to use NTP to set the firewall time so that the date and time are set by an atomic clock, and are hence highly accurate. Check the box marked “Use NTP to set time automatically”.
  • Page 144 Now switch back to the Services tab. You will notice that IRC is now in the list of services on this page. To disable it, simply uncheck the LAN Out box next to it, and click Update.
  • Page 145 Type the e-mail addresses you want the logs to be sent to in the Send log to box, and the Send alerts to box. You can use the same e-mail addresses. Use the full e-mail address; for example: system_administrator@3com.com.
  • Page 146: Increasing The Number Of IP Addresses Available Using NAT

    messages that the Internet Firewall sends out. This is not a valid e-mail address, and so no e-mails can be returned to it. However, you can change this e-mail address if you want. 15 Load the Web Site Filter list.
  • Page 147 172.20.54.217 to the Internet Firewall DMZ, because this is in the valid range provided by the ISP, and is not used by the servers, or any other PC that needs to be visible on the Internet. This example shows the servers using the DMZ port on the Internet Firewall DMZ, so that the servers are accessible from the Internet, but are protected from attacks.
  • Page 148 Wait for the power LED to stop flashing (approximately 90 seconds). b Make sure that the orange Alert LED is also out when the flashing stops. If the alert LED comes on, or the Power LED keeps flashing, see Chapter 6 for troubleshooting information.
  • Page 149 Web Site Filter list. a Click Set Date & Time on the Home screen. b Select your time zone from the drop down list at the top of the screen. If you can’t find your city, use one with the correct offset from GMT (all are covered).
  • Page 150 d Set WAN/DMZ Subnet Mask to the one provided by the ISP: 255.255.255.0. e Set the NAT Public Address to one of the available IP addresses: 172.20.54.217. Click Update. 8 Switch on the cable modem, make sure that it is online, and restart the Internet Firewall DMZ.
  • Page 151 Firewall DMZ, set their IP addresses, for example, to 192.168.1.212 through 192.168.1.214. 13 Make sure that the IP addresses of these PCs are visible on the LAN. a Click Advanced and then select the One to One NAT tab. Make sure that the Enable One-to-One NAT check box is selected.
  • Page 152: Setting Up The Internet Firewall 25 With An OfficeConnect 56K LAN Modem

    LAN Modem. In this example, you have 20 PCs networked together. The PCs have only been used for file and printer sharing, and so have not been set up with IP addresses. They have TCP/IP networking enabled, and are set to obtain IP addresses dynamically.
  • Page 153 Configure the OfficeConnect LAN modem and check that you can access the Internet. 1 Connect the LAN Modem to the Internet Firewall 25. a Disconnect the power from the LAN modem, and also disconnect the Ethernet cable from the PC that you used to manage it.
  • Page 154 – if not, repeat this step. 6 Set the date and time. The Internet Firewall 25 relies on this for logs, reports, and updates to the content filter list. a Click Set Date & Time on the Home screen. b Select your time zone from the drop down list at the top of the screen.
  • Page 155 Click Restart Internet Firewall. When asked to confirm this action, select Yes. The Internet Firewall 25 restarts. 9 Assign an IP address to all the PCs on the network so that they have Internet access. The IP addresses are to be assigned dynamically by the DHCP server on the Internet Firewall 25.
  • Page 156 192.168.1.230 not need to change any other settings. Click Update. 12 Set up the web filtering so that users of the network can only access addresses on the domain 3Com.com. a Click Filter, and then select the Custom List tab.
  • Page 157 14 Register the Internet Firewall 25, over the Internet. a In the web browser, enter: http://www.3com.com/internetfirewall b Complete the registration form, and make a note of the registration code.
  • Page 158 Appendix E: Example Configurations...
  • Page 159: Introduction To IP Addressing

    IP Addressing To become part of an IP network, a network device must have an IP address. An IP address is a unique number that differentiates one device from another on the network to avoid confusion during communication. To help illustrate IP...
  • Page 160: IP Address

    There are three classes of IP addresses: A, B, and C. Like a main business phone number that one can call and then be transferred through interchange numbers to an individual’s...
  • Page 161: Subnet Mask

    InterNIC. Businesses or individuals can request one or many IP addresses from InterNIC; if you can estimate the future growth of the network, this can help you to work out the class and number of IP addresses you need. Most large centralized companies have a network manager in charge of all IP address numbers.
  • Page 162: Default Gateway

    C IP addresses use a subnet mask of 255.255.255.0. Default Gateway: A default gateway is like a long distance operator — users can dial the operator to get assistance connecting to the end party. In complex networks with many subnetworks, gateways keep traffic from traveling between different subnetworks unless addressed to travel there.
  • Page 163: Resetting The

    For this reason, 3Com recommends that you save your firewall settings on a regular basis, and that you also have a copy of the latest firmware available locally. A copy is available on the companion CD to get you up and running again.
  • Page 164: Reloading The Firmware

    IP address of 192.168.1.254 after a complete reset, so you must reconfigure your chosen management station to an IP address in the same subnet to access the management interface (for example, 192.168.1.200, as described on page 38).
  • Page 165 Make sure that you are using the browser that supports HTML uploads, otherwise you cannot upload the firmware. 2 In the box labeled Please select a firmware file , type in the full file and path name of the firmware image that you want to upload to the unit.
  • Page 166 If you do not have a saved settings file, you must set up the unit from scratch. See Chapter 3 for a quick start guide, Chapter 4 for a complete command reference of the user interface, and Appendix E for example configurations that illustrate some of your Internet Firewall’s features.
  • Page 167: Appendix H: Technical Support

    3Com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site.
  • Page 168: 3Com Knowledgebase Web Services

    Username: anonymous Password: <your Internet e-mail address> You do not need a user name and password with Web browser software such as Netscape Navigator and Internet Explorer. 3Com Facts Automated Fax Service The 3Com Facts automated fax service provides technical articles, diagrams, and troubleshooting instructions on 3Com products 24 hours a day, 7 days a week.
  • Page 169: Support From 3Com

    Diagnostic error messages Details about recent configuration changes, if applicable If you are unable to contact your network supplier, see the following section on how to contact 3Com. Support from 3Com If you are unable to obtain assistance from the 3Com online technical resources or from your network supplier, 3Com offers technical telephone support services.
  • Page 170: Returning Products For Repair

    Enterprise Customers: 1 800 876-3266 Returning Products for Repair Before you send a product directly to 3Com for repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender’s expense.
  • Page 171 +31 30 6029900 +31 30 6029999 and Middle East Latin America 1 408 326 2927 1 408 326 3355 From the following countries, you may call the toll-free numbers; select option 2 and then option 2: Austria 0800 297468 Belgium 0800 71429...
  • Page 179 January 1, 2000, and Customer notifies 3Com before the later of April 1, 2000, or ninety (90) days after purchase of the product from 3Com or its authorized reseller, 3Com shall, at its option and expense, provide a software update which would...
  • Page 180 The repaired or replaced item will be shipped to Customer, at 3Com's expense, not later than thirty (30) days after 3Com receives the defective product.
  • Page 181 When the implied warranties are not allowed to be excluded in their entirety, they will be limited to the duration of the applicable written warranty.
  • Page 182 FCC Statement: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules, and the Canadian Department of Communications Equipment Standards entitled, “Digital Apparatus,” ICES-003. These limits are designed to provide reasonable protection against harmful interference in a residential installation.

This manual is also suitable for: OfficeConnect 3C16770, OfficeConnect 3C16772