Planet MH-4000 User Manual

Multi-homing security gateway

Multi-Homing Security Gateway MH-2000, MH-4000 User's Manual


Summary of Contents for Planet MH-4000

  • Page 1 Multi-Homing Security Gateway User’s Manual Multi-Homing Security Gateway MH-2000, MH-4000 User’s Manual...
  • Page 2: Customer Service

    Copyright (C) 2005 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted.
  • Page 3: Table Of Contents

    4.1.6 Blaster Alert, 31; 4.1.7 Route Table, 31; 4.1.8 DHCP, 33; 4.1.9 Dynamic DNS, 35; 4.1.10 Host Table, 37; 4.1.11 SNMP (MH-4000 only), 39; 4.1.12 Permitted IPs, 40; 4.1.13 Language, 42; 4.1.14 Logout, 42; 4.1.15 Software Update, 43...
  • Page 4: 4.7 Authentication, 81; 4.7.1 Auth Setting, 81; 4.7.2 Auth User, 82; 4.7.3 Auth User Group, 86; 4.7.4 Radius Server (MH-4000 Only), 89; 4.7.5 POP3 (MH-4000 only), 89; 4.7.6 LDAP (MH-4000 only), 90; 4.8 Content Filtering, 92; 4.8.1 URL Blocking...
  • Page 5: 4.16.1 Interface Statistics, 226; 4.16.2 Policy Statistics, 227; 4.17 Status, 230; 4.17.1 Interface Status, 230; 4.17.2 System Info (MH-4000 only), 230; 4.17.3 Auth Status, 231; 4.17.4 ARP Table, 232; 4.17.5 DHCP Clients, 233...
  • Page 6: Chapter 1: Introduction

    WAN connections. With the embedded DNS server of the MH-4000, connections from the Internet are handed the IP address of one of the two WAN ports, balancing inbound traffic over the links.
  • Page 7: Package Contents

    TCP/UDP port number, with guaranteed and burst bandwidth and three levels of priority. ♦ User Authentication: a user database can be configured on the device; the MH-4000 can also authenticate users against an external RADIUS, POP3 or LDAP server. 1.2 Package Contents...
  • Page 8: Mh-2K/4K Rear Panel

    MH-2K/4K rear panel. Front panel LEDs: POWER: steady on when power is supplied to the device. WAN1, WAN2, LAN: steady on (green) indicates the port is connected to another network device; blinking indicates traffic on the port.
  • Page 9: Specification

    MH-4000 Rear Panel. 1.5 Specification. Product: Multi-homing Security Gateway. Models: MH-2000, MH-4000. Hardware: Ethernet 1 x 10/100Mbps RJ-45, 2 x 10/100Mbps RJ-45, 1 x 10/100Mbps RJ-45; LEDs: POWER, STATUS, 10/100 and LNK/ACT for each LAN and WAN port; Power: 5VDC, 2.4A...
  • Page 10: Chapter 2: Hardware Installation

    Chapter 2: Hardware Installation. 2.1 Installation Requirements. Before installing the MH-2K/4K, make sure your network meets the following requirements. Mechanical requirements: the MH-2K/4K is installed between your Internet connection and your local area network. It can be placed on a table or in a rack; locate the unit near a power outlet.
  • Page 11: Transparent Mode Connection Example

    2.2.1 Transparent Mode Connection Example: the WAN1 and DMZ side IP addresses are on the same subnet. This is suitable when you already have a subnet of IP addresses and do not want to change any IP configuration on that subnet. 2.2.2 NAT Mode Connection Example: the DMZ and WAN1 IP addresses are on different subnets.
  • Page 12: Chapter 3: Getting Started

    Chapter 3: Getting Started. 3.1 Web Configuration. STEP 1: Connect the Administrator’s PC and the LAN port of MH-2K/4K to a hub or switch. Make sure there is a link light on the hub/switch for both connections. MH-2K/4K has an embedded web server used for management and configuration.
  • Page 13: Configure Wan 1 Interface

    3.2 Configure WAN 1 interface. After entering the username and password, the MH-2K/4K WebUI screen is displayed. Select the Interface tab on the left menu, then click WAN below it. Click the Modify button for WAN NO.1. The following page is shown. Alive Indicator Site IP: an address the device pings to detect the WAN connection status.
  • Page 14 Enter the amount of idle minutes before disconnection. Enter ‘0’ if you do not want the PPTP connection to disconnect at all. NOTE: This function is not supported on MH-4000. Ping: Select this to allow the WAN network to ping the IP Address of MH-2K/4K This will allow people from the Internet to be able to ping MH-2K/4K WAN IP.
  • Page 15: Configure Wan 2 Interface

    WebUI: select this to allow the device WebUI to be reached from the WAN network, i.e. to be configured by a user on the Internet. The device always requires a username and password to enter the WebUI, but exposing the login page to the Internet invites password guessing: if WAN management is really needed, restrict it to known source addresses with Permitted IPs and, on the MH-4000, use HTTPS rather than HTTP.
  • Page 16 Multi-Homing Security Gateway User’s Manual Destination Address – select “Outside_Any” Service - select “ANY” Action - select “Permit, ALL” Click on OK to apply the changes. STEP 4: The configuration is successful when the screen below is displayed. - 11 -...
  • Page 17 Multi-Homing Security Gateway User’s Manual Please make sure that all the computers that are connected to the LAN port have their Default Gateway IP Address set to MH-2K/4K’s LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN network should gain access to the Internet immediately.
  • Page 18: Chapter 4: Web Configuration

    Chapter 4: Web Configuration. The functions of the MH-2000 and MH-4000 differ; the MH-4000 supports more functions than the MH-2000. The following table compares their functions. Menu items MH-2000 MH-4000...
  • Page 19: System

    Virtual Server 4; Policy: Outgoing, Incoming, WAN to DMZ, LAN to DMZ, DMZ to WAN, DMZ to LAN; IPSec Autokey; PPTP Server; PPTP Client; Inbound Balance; Log: Traffic Log, Event Log, Connection Log, Log Backup; Alarm: Traffic Alarm, Event Alarm; Accounting Report: Outbound...
  • Page 20 Multi-Homing Security Gateway User’s Manual Setting: The Administrator may use this function to backup MH-2K/4K configurations and export (save) them to an “Administrator” computer or anywhere on the network; or restore a configuration file to the device; or restore MH-2K/4K back to default factory settings. Under Setting, the Administrator may enable e-mail alert notification.
  • Page 21: Admin

    The IP address registered at the Dynamic DNS server is updated automatically with the new IP address provided by the ISP. SNMP (MH-4000 only): lets the System Administrator enable SNMP Trap Alert Notification, which sends a trap to the configured SNMP Trap receiver IP address when the network is disconnected or connected, when an attack is detected, or when other emergency conditions occur.
  • Page 22 Multi-Homing Security Gateway User’s Manual Settings of the Administration table Administrator Name: The username of Administrators for MH-2K/4K. The user admin cannot be removed. Privilege: The privileges of Administrators (Admin or Sub Admin) The username of the main Administrator is Administrator with read / write privilege. Sub Admins may be created by the Admin by clicking New Sub Admin .
  • Page 23: Settings

    Removing a Sub Administrator. Step 1. In the Administration table, locate the Administrator name you want to remove and click the Remove option in the Configure field. Step 2. The Remove confirmation pop-up box will appear. Click OK to remove that Sub Admin or click Cancel to cancel.
  • Page 24 Multi-Homing Security Gateway User’s Manual Exporting MH-2K/4K settings Step 1. Under Configuration, click on the Download button next to Export System Settings to Client. Step 2. When the File Download pop-up window appears, choose the destination place to save the exported file.
  • Page 25 Multi-Homing Security Gateway User’s Manual Importing MH-2K/4K settings Under Configuration, click on the Browse button next to Import System Settings. When the Choose File pop-up window appears, select the file which contains the saved MH-2K/4K Settings, then click OK. Click OK to import the file into MH-2K/4K or click Cancel to cancel importing. Restoring Factory Default Settings Step 1.
  • Page 26 HTTP or HTTPS port anytime. Step 2. Idle Timeout. Fill in the Idle Timeout setting, when time is up, the remote user will be logout automatically. 0 means no timeout. (Idle Timeout only supports with MH-4000) - 21 -...
  • Page 27 Multi-Homing Security Gateway User’s Manual MTU (set networking packet length) The administrator can modify the networking packet length. Step 1. MTU Setting. Modify the networking packet length. Link Speed / Duplex Mode Setting This function allows administrator to set the transmission speed and mode of WAN Port. This feature is only available with MH-2000.
  • Page 28 Multi-Homing Security Gateway User’s Manual Administration Packet Logging Step 1. Select this option to the device’s Administration Packet Logging. Once this function is enabled, every packet to this appliance will be recorded for system administrator to trace. System Reboot Once this function is enabled, MH-2K/4K will be rebooted. Reboot Appliance: Click Reboot.
  • Page 29: Date/Time

    4.1.3 Date/Time. Synchronizing the MH-2K/4K system clock: the Administrator can set the date and time by syncing to an Internet Network Time Server (NTP) or to the administrator computer’s clock. To sync to an Internet time server, enable synchronization by checking the box.
  • Page 30: Multiple Subnet

    4.1.4 Multiple Subnet (NAT mode). Multiple Subnet allows the LAN port to carry several subnets that reach the Internet through different WAN 1 IP addresses. For instance, a company’s leased line comes with a block of public IP addresses, 168.85.88.0/24, and the company is divided into R&D, service, sales, procurement and accounting departments; each department can be given its own subnet for convenient management.
  • Page 31 Multi-Homing Security Gateway User’s Manual Step 2: Enter the IP Address in the website name column of the new window. Alias IP of LAN Interface: Enter Local port IP Address. Netmask: Enter Local port subnet Mask. WAN Interface IP: Add WAN 1 or WAN 2 IP. Forwarding Mode: Click the NAT button below to setup.
  • Page 32 Multi-Homing Security Gateway User’s Manual For example, the leased line of a company applies several real IP Addresses 168.85.88.0/24 and the company is divided into R&D, Customer Service, Sales, Procurement, and Accounting Department. The company can distinguish each department by different sub-network for the purpose of convenient management.
  • Page 33 Multi-Homing Security Gateway User’s Manual Step 4: Adding a new WAN to LAN Policy. In the Incoming window, click the New Entry button. Modify a Multiple Subnet Routing Mode Step 1: Find the IP Address you want to modify in Multiple Subnet menu, then click Modify button, on the right side of the service providers, click OK.
  • Page 34: Hacker Alert

    Auto Detect functions: some worms attack weaknesses in Microsoft systems, for example Sasser, Blaster, Code Red and Nimda. Selecting the blocking function on the MH-4000 blocks these worms (MH-4000 only).
  • Page 35 Multi-Homing Security Gateway User’s Manual allowed to enter MH-2K/4K. Once the SYN packets exceed this limit, the activity will be logged in Alarm and an email alert is sent to the Administrator. The default SYN flood threshold is set to 200 Pkts/Sec . Detect ICMP Flood: Select this option to detect ICMP flood attacks.
  • Page 36: Blaster Alert

    System -> Setting. Enable SNMP Trap Alert Notification: when the Blaster worm is detected, send an SNMP trap to the user-defined SNMP trap receiver IP address configured under System -> SNMP (MH-4000 only). Enable NetBIOS Alert Notification: when the Blaster worm is detected, send an alert message to the administrator using “Net send”...
  • Page 37 Multi-Homing Security Gateway User’s Manual Route Table functions Interface: Destination network, LAN or WAN 1 networks. Destination IP: IP address of destination network. NetMask: Netmask of destination network. Gateway: Gateway IP address for connecting to destination network. Configure: Change settings in the route table. Adding a new Static Route Step 1.
  • Page 38: Dhcp

    Removing a Static Route. Step 1. In the Route Table window, find the route to remove and click the corresponding Remove option in the Configure field. Step 2. In the Remove confirmation pop-up box, click OK to confirm or Cancel to cancel. 4.1.8 DHCP. In this section, the Administrator can configure DHCP (Dynamic Host Configuration Protocol) settings for the LAN network.
  • Page 39 Multi-Homing Security Gateway User’s Manual Dynamic IP Address functions Subnet: LAN network’s subnet NetMask: LAN network’s netmask Gateway: LAN network’s gateway IP address Broadcast: LAN network’s broadcast IP address Enabling DHCP Support Step 1. In the Dynamic IP Address window, click Enable DHCP Support. Domain Name: The Administrator may enter the name of the LAN network domain if preferred.
  • Page 40: Dynamic Dns

    Lease Time: enter the DHCP lease time. Step 2. Click OK to enable DHCP support. 4.1.9 Dynamic DNS. Dynamic DNS (requires a Dynamic DNS service) lets you alias a dynamic IP address to a static hostname, so the device can be reached by name.
  • Page 41 Multi-Homing Security Gateway User’s Manual Click to link to the website selected on the left. Add Dynamic DNS settings Step 1. Click Add button. Step 2. Click the information in the column of the new window. Service providers: Select service providers. Sign up: to the service providers’...
  • Page 42: Host Table

    Remove Dynamic DNS. Step 1. Find the item you want to change and click Remove. Step 2. A confirmation pop-up box will appear, click OK to delete the settings or click Cancel to discard changes. 4.1.10 Host Table. The Multi-Homing Security Gateway’s Administrator may use the Host Table function to make the MH-2K/4K act as a DNS Server for the LAN and DMZ network.
  • Page 43 Multi-Homing Security Gateway User’s Manual If you want to use the Host Table function of the device, the end user’s main DNS server IP address should be the same IP Address as the device. Click on System in the menu bar, then click on Host Table below it. The Host Table window will appear. Below is the information needed for setting up the Host Table: •...
  • Page 44: Snmp (Mh-4000 Only)

    Step 2: A confirmation pop-up box appears; click OK to remove the DNS Proxy entry or click Cancel. 4.1.11 SNMP (MH-4000 only). The administrator can expose device information to an SNMP manager by enabling the SNMP Agent. NOTE: this function is not supported on the MH-2000.
  • Page 45: Permitted Ips

    SNMP Trap Settings: allow the System Administrator to enable SNMP Trap Alert Notification, which sends a trap message to the configured SNMP Trap receiver IP address when the network is disconnected or connected, when an attack is detected, or when other emergency conditions occur.
  • Page 46 Ping: Select this to allow the external network to ping the IP Address of the Firewall. HTTP/HTTPS: Check this item, Web User can use HTTP or HTTPS to connect to the Setting window of MH-2K/4K (HTTPS is only available with MH-4000). Step 3. Click OK to add Permitted IP or click Cancel to discard changes.
  • Page 47: Language

    Step 2. In Remove Permitted IP, locate the entry to remove. Step 3. In the confirmation window, click OK to remove or Cancel to discard changes. 4.1.13 Language. The Administrator can select the language version of the MH-2K/4K WebUI. Step 1.
  • Page 48: Software Update

    4.1.15 Software Update. Under Software Update, the admin may update the device’s software to a newer version. The current version number is shown under Version Number. Administrators may download the latest version from the distributor’s web site and save it on their computer before uploading it here. Step 1.
  • Page 49: Interface

    Ping: select this to allow the LAN network to ping the IP address of the MH-2K/4K. If enabled, the device responds to ping packets from the LAN network. HTTP/HTTPS: select this to allow the device WebUI to be accessed from the LAN network (HTTPS is only available on the MH-4000).
  • Page 50: Wan

    WAN port in the list. This function applies only to By Session mode. Ping / HTTP / HTTPS: shows whether the Ping, HTTP and HTTPS functions of WAN 1/2 are enabled or disabled (HTTPS is only available on the MH-4000). Configure: click Modify to modify the WAN 1/2 settings.
  • Page 51 HTTP/HTTPS: Select this to allow the device WebUI to be accessed from the WAN 1 network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI. (HTTPS is only available with MH-4000) - 46 -...
  • Page 52 Multi-Homing Security Gateway User’s Manual For Dynamic IP Address (Cable Modem User): This option is for users who are automatically assigned an IP address by their ISP, such as cable modem users. The following fields apply: IP Address: The dynamic IP address obtained by MH-2K/4K from the ISP will be displayed here. This is the IP address of the WAN 1 (WAN 2 ) port of the device.
  • Page 53 WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI. (HTTPS is only available with MH-4000) For Static IP Address: This option is for users who are assigned a static IP Address from their ISP. Your ISP will provide all the information needed for this section such as IP Address, Netmask, Gateway, and DNS.
  • Page 54 Multi-Homing Security Gateway User’s Manual For PPTP (European User Only): This is mainly used in Europe. You need to know the PPTP Server address as well as your name and password. User Name: The user name is provided by ISP. Password: The password is provided by ISP.
  • Page 55: Dmz

    NOTE: this function is not supported on the MH-4000. 4.2.3 DMZ. The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ network holds server computers such as FTP, SMTP and HTTP (web) servers; they are placed in the DMZ so that they are isolated from the LAN network traffic.
  • Page 56 HTTP/HTTPS: Select this to allow the device WEBUI to be accessed from the WAN 1 network. This will allow the WebUI to be configured from a user on the Internet. Keep in mind that the device always requires a username and password to enter the WebUI. (HTTPS is only available with MH-4000) - 51 -...
  • Page 57: Address

    4.3 Address. MH-2K/4K allows the Administrator to set addresses of the LAN network, LAN network group, WAN network, WAN group, DMZ network and DMZ group. These settings are to be used for policy editing. What is the Address Table? An IP address in the Address Table can be an address of a computer or a sub network.
  • Page 58 Multi-Homing Security Gateway User’s Manual network. Click Remove to delete the settings. In the LAN window, if one of the members has been added to Policy or LAN Group, the Configure column will show the message – In Use. In this case, you are not allowed to modify or remove the setting. Adding a new LAN Address Step 1.
  • Page 59 Multi-Homing Security Gateway User’s Manual Removing a LAN Address Step 1. In the LAN window, locate the name of the network to be removed. Click the Remove option in its corresponding Configure field. Step 2. In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes.
  • Page 60: Lan Group

    4.3.2 LAN Group Entering the LAN Group window The LAN Addresses may be combined together to become a group. Step 1. Click LAN Group under the Address menu to enter the LAN Group window. The current setting information for the LAN network group appears on the screen.
  • Page 61 Multi-Homing Security Gateway User’s Manual Selected Address: list the names to be assigned to the new group. Name: enter the name of the new group in the open field. Step 3. Add members: Select names to be added in Available Address list, and click the Add>> button to add them to the Selected Address list.
  • Page 62 Multi-Homing Security Gateway User’s Manual Removing a LAN Group Step 1. In the LAN Group window, locate the group to be removed and click its corresponding Remove option in the Configure field. Step 2. In the Remove confirmation pop-up box, click OK to remove the group or click Cancel to discard changes.
  • Page 63: Wan

    4.3.3 WAN Entering the WAN window Step 1. Click WAN under the Address menu to enter the WAN window. The current setting information, such as the name of the WAN network, IP and Netmask addresses will show on the screen. Definitions Name: Name of WAN network address.
  • Page 64 Multi-Homing Security Gateway User’s Manual Modifying an WAN Address Step 1. In the WAN table, locate the name of the network to be modified and click the Modify option in its corresponding Configure field. Step 2. The Modify Address window will appear on the screen immediately. In the Modify Address window, fill in new addresses.
  • Page 65: Wan Group

    Removing a WAN Address. Step 1. In the WAN table, locate the name of the network to be removed and click the Remove option in its corresponding Configure field. Step 2. In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes.
  • Page 66 Multi-Homing Security Gateway User’s Manual Definitions: Name: Name of the WAN group. Member: Members of the group. Configure: Configure the settings of WAN group. Click Modify to change the parameters of WAN group Click Remove to delete the selected group. NOTE: In the WAN Group window, if one of the members has been added to the Policy, “In Use”...
  • Page 67 Multi-Homing Security Gateway User’s Manual Modifying a WAN Group Step 1. In the WAN Group window, locate the network group to be modified and click its corresponding Modify button in the Configure field. Step 2. A window displaying the information of the selected group appears: Available Address: list the names of all the members of the WAN network.
  • Page 68: Dmz

    4.3.5 DMZ. Entering the DMZ window: click DMZ under the Address menu to enter the DMZ window. The current setting information, such as the name of the DMZ network, IP and Netmask addresses, will show on the screen.
  • Page 69 Multi-Homing Security Gateway User’s Manual Adding a new DMZ Address: In the DMZ window, click the New Entry button. Step 1. In the Add New Address window, enter the settings for a new DMZ address. Step 2. Click OK to add the specified DMZ or click Cancel to discard changes. Step 3.
  • Page 70 Multi-Homing Security Gateway User’s Manual Removing a DMZ Address: Step 1. In the DMZ window, locate the name of the network to be removed and click the Remove option in its corresponding Configure field. Step 2. In the Remove confirmation pop-up box, click OK to remove the address or click Cancel to discard changes.
  • Page 71: Dmz Group

    4.3.6 DMZ Group. Entering the DMZ Group window: click DMZ Group under the Address menu to enter the DMZ Group window. The current settings information for the DMZ group appears on the screen. Adding a DMZ Group: In the DMZ Group window, click the New Entry button.
  • Page 72 Multi-Homing Security Gateway User’s Manual Modifying a DMZ Group: In the DMZ Group window, locate the DMZ group to be modified and click its corresponding Step 1. Modify button in the Configure field. A window displaying information about the selected group appears: Step 2.
  • Page 73 Multi-Homing Security Gateway User’s Manual Removing a DMZ Group: In the DMZ Group window, locate the group to be removed and click its corresponding Remove Step 1. option in the Configure field. In the Remove confirmation pop-up box, click OK to remove the group. Step 2.
  • Page 74: Service

    4.4 Service In this section, network services are defined and new network services can be added. There are three sub menus under Service which are: Pre-defined, Custom, and Group. The Administrator can simply follow the instructions below to define the protocols and port numbers for network communication applications.
  • Page 75: Custom

    Icons and Descriptions. Figure: TCP services, e.g. AFP over TCP, FTP, FINGER, HTTP, HTTPS, IMAP, SMTP, POP3, ANY, AOL, BGP, GOPHER, InterLocator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real Media, RLOGIN, SSH, TCP ANY, TELNET, VDO Live, WAIS, WINFRAME, X-WINDOWS, MSN, etc.
  • Page 76 Multi-Homing Security Gateway User’s Manual Service port: The range of Service port in defined service. If the number of ports entered in the two fields of Service port is different, it means that the port numbers between these two numbers are opened. If the number of ports entered in the two fields of Service port is identical, it means that the entered port number is opened.
  • Page 77 Multi-Homing Security Gateway User’s Manual Modifying Custom Services Step 1. A table showing the current settings of the selected service appears on the screen Step 2. Enter the new values. Step 3. Click OK to accept editing; or click Cancel. Removing Custom Services Step 1.
  • Page 78: Group

    4.4.3 Group. Accessing the Group window. Step 1. Click Group under the Service menu. A window will appear with a table displaying the current service group settings set by the Administrator. Definitions: Group name: the name of the defined Service group. Service: the Service items of the Group.
  • Page 79 Multi-Homing Security Gateway User’s Manual Step 5. To remove services: Select services desired to be removed in the Available Services, and then click the <<Remove button to remove them from the group. Step 6. Click OK to add the new group. Modifying Service Groups Step 1.
  • Page 80 Multi-Homing Security Gateway User’s Manual Removing Service Groups In the Remove confirmation pop-up box, click OK to remove the selected service group or click Cancel to cancel removing. - 75 -...
  • Page 81: Schedule

    4.5 Schedule. MH2K/4K allows the Administrator to configure a schedule for policies to take effect. By creating a schedule, the Administrator restricts MH2K/4K policies to the designated times only. Activity outside the scheduled time slot will not follow those policies and will therefore most likely not be permitted to pass through MH2K/4K.
  • Page 82 Multi-Homing Security Gateway User’s Manual NOTE: In setting a Schedule, the value in Start time must be less than the value in Stop Time, or you cannot add or configure the setting. Modifying a Schedule Step 1. In the Schedule window, find the policy to be modified and click the corresponding Modify option in the Configure field.
  • Page 83 Multi-Homing Security Gateway User’s Manual Removing a Schedule Step 1. In the Schedule window, find the policy to be removed and click the corresponding Remove option in the Configure field. Step 2. A confirmation pop-up box will appear, click on OK to remove the schedule. - 78 -...
  • Page 84: Q O S

    4.6 QoS. By configuring QoS you can control outbound upstream/downstream bandwidth; the administrator configures it according to the WAN bandwidth. Downstream Bandwidth: configure the Guaranteed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: configure the Guaranteed Bandwidth and Maximum Bandwidth. QoS Priority: configure the priority for distributing upstream/downstream and unused bandwidth.
  • Page 85 Multi-Homing Security Gateway User’s Manual Definition Name: The name of the QoS you want to configure. Downstream Bandwidth: To configure the Guarateed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: To configure the Guarateed Bandwidth and Maximum Bandwidth. QoS Priority: To configure the priority of distrubuting Upstream/Downstream and unused bandwidth. Click the OK button to add new QoS.
  • Page 86: Authentication

    Click the Modify button to modify a QoS entry. Definition: Name: the name of the QoS entry you want to configure. Downstream Bandwidth: configure the Guaranteed Bandwidth and Maximum Bandwidth. Upstream Bandwidth: configure the Guaranteed Bandwidth and Maximum Bandwidth. QoS Priority: configure the priority for distributing upstream/downstream and unused bandwidth.
  • Page 87: Auth User

    Authentication Port: the port number used for the user login page. When a user wants to access the WAN network and authentication is enabled (Policy -> Outgoing), the user has to send an HTTP request to this port; the MH-2K/MH-4K then returns a User Login page for the user to enter a user name and password.
  • Page 88 Multi-Homing Security Gateway User’s Manual Definitions: Name The name of the Authentication you want to configure. Configure: modify settings or remove users. Adding a new Auth User In the Authentication window, click the New User button to create a new Auth User. Step 1.
  • Page 89 Multi-Homing Security Gateway User’s Manual NOTE: When the LAN user access to WAN network and do not use for a while, the connection will be time-out. User has to re-login again. The default time is 30 minutes and you can configure this time by “Authentication”->...
  • Page 90 Multi-Homing Security Gateway User’s Manual User Name: The name of the Authentication you want to configure. Password: The input carries on the authentication the password Modifying the Authentication User In the Authentication window, locate the Auth-User name you want to edit, and click on Modify Step 1.
  • Page 91: Auth User Group

    Removing an Authentication User. Step 1. In the Authentication table, locate the Auth-User name you want to remove and click the Remove option in the Configure field. Step 2. The Remove confirmation pop-up box will appear. Step 3.
  • Page 92 Adding Auth User Group Step 1. In the Auth User Group window, click the New Entry button. In the Auth User Group window, the following fields will appear: Name: Enter the new Auth User group name. Available auth user: List all the available Auth User.
  • Page 93 Name: Enter the new Auth User group name. Available auth user: List all the available Auth User. Selected auth user: List Auth User to be assigned to the new group. Step 3. To add new Auth User: Select the Auth User desired to be added in the Available auth user list, and then click the Add>>...
  • Page 94: Radius Server (Mh-4000 Only)

    RADIUS Server IP: Enter RADIUS Server IP address. ♦ RADIUS Server Port: Enter RADIUS Server Port. The default port is 1812. ♦ Shared Secret: The Password for MH-4000 to access RADIUS Server. ♦ Enable 802.1x RADIUS Server Authentication: Enable 802.1x RADIUS Server Authentication. 4.7.5 POP3 (MH-4000 only) Click Authentication on the left side menu bar, then click POP3 below it.
  • Page 95: Ldap (Mh-4000 Only)

    POP3 Server: Enter POP3 Server IP address or domain name. ♦ POP3 Server Port: Enter POP3 Server Port. The default port is 110. 4.7.6 LDAP (MH-4000 only) Click Authentication on the left side menu bar, then click LDAP below it. The following window is shown. Definition ♦...
  • Page 96 ♦ Search Distinguished Name: The Distinguished Name will be used to search by LDAP server. (ex: dc=mydomain,dc=com) ♦ LDAP Filter: Input the object located at the range of Distinguished Name. (ex: (objectClass=*)) ♦ User Distinguished Name: The user Distinguished Name of LDAP server. (ex: cn=users,dc=mydomain,dc=com) ♦...
  • Page 97: Content Filtering

    4.8 Content filtering Content Filtering includes “URL Blocking”, “Script Blocking”, “P2P Blocking”, “IM Blocking” and “Download Blocking”. URL Blocking: The administrator can use a complete domain name or keyword to make rules for specific websites.
  • Page 98 Step 3. Click OK to add the policy. Click Cancel to discard changes. Modifying a URL Blocking Policy Step 1. In the URL Blocking window, find the policy to be modified and click the corresponding Modify option in the Configure field.
  • Page 99: Script Blocking

    Note: After finishing the Content Filtering setting, you must enable it in the Outgoing Policy, or Content Filtering will not work. 4.8.2 Script Blocking To let Popup, ActiveX, Java, or Cookies in or keep them out. Step 1: Click Content Filtering in the menu.
  • Page 100: P2P Blocking

    Once the system detects the setting, MH-2K/4K will apply it automatically. Note: After finishing the Content Filtering setting, you must enable it in the Outgoing Policy, or Content Filtering will not work. 4.8.3 P2P Blocking Step 1: Click Content Filtering in the menu. Step 2: Select P2P Blocking and configure the setting.
  • Page 101: Im Blocking

    Note: After finishing the Content Filtering setting, you must enable it in the Outgoing Policy, or Content Filtering will not work. 4.8.4 IM Blocking Step 1: Click Content Filtering in the menu. Step 2: Select IM Blocking and configure the setting.
  • Page 102: Download Blocking

    Note: After finishing the Content Filtering setting, you must enable it in the Outgoing Policy, or Content Filtering will not work. 4.8.5 Download Blocking Step 1: Click Content Filtering in the menu. Step 2: Select Download Blocking and configure the setting.
  • Page 103 Note: After finishing the Content Filtering setting, you must enable it in the Outgoing Policy, or Content Filtering will not work.
  • Page 104: Virtual Server

    4.9 Virtual Server MH-2K/4K separates an enterprise’s Intranet and Internet into LAN networks and WAN networks respectively. Generally speaking, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address, and converts it into a real IP address through MH-2K/4K’s NAT (Network Address Translation) function.
  • Page 105: Mapped Ip

    4.9.1 Mapped IP Internal private IP addresses are translated through NAT (Network Address Translation). If a server is located in the LAN network, it has a private IP address, and outside users cannot connect directly to LAN servers’ private IP address.
  • Page 106 Modifying a Mapped IP Step 1. In the Mapped IP table, locate the Mapped IP you want to modify and click its corresponding Modify option in the Configure field. Step 2. Enter settings in the Modify Mapped IP window. Step 3.
  • Page 107: Virtual Server

    4.9.2 Virtual Server Virtual server is a one-to-many mapping technique, which maps a real IP address from the WAN interface to private IP addresses of the LAN network. This function provides services or applications defined in the Service menu to enter into the LAN network.
  • Page 108 hand side, click Virtual Server Real IP to add or change the virtual server IP address; click “Click here to configure” to add or change the virtual server service configuration. Adding a Virtual Server Step 1. Click an available virtual server from Virtual Server in the Virtual Server menu bar to enter the virtual server configuration window.
  • Page 109 Removing a Virtual Server Step 1. Click the virtual server to be removed in the corresponding Virtual Server option under the Virtual Server menu bar. A new window displaying the virtual server’s IP address and service appears on the screen.
  • Page 110 Adding New Virtual Server Service Configuration Step 1. Select Virtual Server in the menu bar on the left hand side, and then select Virtual Server 1/2/3/4 sub-selections. Step 2. In Virtual Server 1/2/3/4 Window, click “New Entry” button. Step 3.
  • Page 111 Remember to configure the service items of virtual server before you configure Policy, or the service names will not be shown in Policy. Modifying the Virtual Server configurations Step 1. In the Virtual Server window’s service table, locate the name of the service desired to be modified and click its corresponding Modify option in the Configure field.
  • Page 112 NOTE: If a virtual server is set as the destination network in a Policy, that virtual server cannot be changed or configured until you have removed that Policy configuration.
  • Page 113: Policy

    4.10 Policy This section provides the Administrator with facilities to set control policies for packets with different source IP addresses, source ports, destination IP addresses, and destination ports. Control policies decide whether packets from different network objects, network services, and applications are able to pass through MH-2K/4K.
  • Page 114 displaying currently defined Outgoing policies. The fields in the Outgoing window are: Source: source network addresses that are specified in the LAN section of Address menu, or all the LAN network addresses. Destination: destination network addresses that are specified in the WAN section of the Address menu, or all of the WAN network addresses.
  • Page 115 Authentication User: Select the item listed in the Authentication User to enable the policy to automatically execute the function in a certain time and range. (Only available with MH-4000) Schedule: Select the item listed in the schedule to enable the policy to automatically execute the function in a certain time and range.
  • Page 116 Step 3: Click OK to confirm the modification or click Cancel to cancel it. Pausing an Outgoing Policy: (Only available with MH-4000) Step 1. In the Outgoing window, locate the name of policy desired to be paused and click its corresponding [Pause] option in the Configure field.
  • Page 117 Removing the Outgoing Policy Step 1. In the Outgoing policy section, locate the name of the policy desired to be removed and click its corresponding Remove option in the Configure field. Step 2. In the Remove confirmation dialogue box, click OK to remove the policy or click Cancel to cancel.
  • Page 118 NOTE: System Administrator can back up and clear logs in this window. Check the chapter entitled “Log” to get details about the log and ways to back up and clear logs. Alarm: If Logging is enabled in the outgoing policy, MH-2K/4K will log the traffic alarms and event alarms passing through the Multi-Homing Security Gateway.
  • Page 119: Incoming

    NOTE: The Administrator can also get information on alarm logs from the Alarm window. Please refer to the section entitled “Alarm” for more information. Statistics: If statistics is enabled in the outgoing policy, MH-2K/4K will display the flow statistics passing through the Multi-Homing Security Gateway.
  • Page 120 Step 2: The fields of the Incoming window are: Source: source networks which are specified in the WAN section of the Address menu, or all the WAN network addresses. Destination: destination networks, which are IP Mapping addresses or Virtual server network addresses created in Virtual Server menu.
  • Page 121 QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range. (Only available with MH-4000) MAX. Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through MH-2K/4K.
  • Page 122 Step 3: Click OK to save modifications or click Cancel to cancel modifications. Pausing an Incoming Policy: (Only available with MH-4000) Step 1. In the Incoming window, locate the name of policy desired to be paused and click its corresponding [Pause] option in the Configure field.
  • Page 123: Wan To Dmz & Lan To Dmz

    Removing an Incoming Policy Step 1: In the Incoming window, locate the name of policy desired to be removed and click its corresponding [Remove] in the Configure field. Step 2: In the Remove confirmation window, click OK to remove the policy or click Cancel to cancel removing.
  • Page 124 The fields in WAN To DMZ window: Source: source networks, which are addresses specified in the WAN section of the Address menu, or all the WAN network addresses. Destination: destination networks, which are addresses specified in DMZ section of the Address menu and Mapped IP addresses of the Virtual Server menu.
  • Page 125 Step 2: Configure the parameters. Source Address: Select names of the WAN networks from the drop down list. The drop down list contains the names of all WAN networks defined in the WAN section of the Address menu. To create a new source address, please go to the LAN section under the Address menu.
  • Page 126 QoS: Select the item listed in the QoS to enable the policy to automatically execute the function in a certain time and range. (Only available with MH-4000) MAX. Concurrent Sessions: The maximum number of concurrent sessions allowed to pass through MH-2K/4K.
  • Page 127: Dmz To Wan & Dmz To Lan

    Step 1. In the WAN To DMZ window, locate the name of policy desired to be paused and click its corresponding [Pause] option in the Configure field. Step 2. In the Pause confirmation dialogue box, click OK.
  • Page 128 Please follow the same procedures for DMZ networks to LAN networks. Entering the DMZ To WAN window: Click DMZ To WAN under Policy menu and the DMZ To WAN table appears displaying currently defined DMZ To WAN policies. The fields in the DMZ To WAN window are: Source: source network addresses which are specified in the DMZ section of the Address window.
  • Page 129 Step 2: Configure the parameters. Source Address: Select the name of the DMZ network from the drop down list. The drop down list will contain names of DMZ networks defined in DMZ section of the Address menu. To add a new source address, please go to the DMZ section under the Address menu.
  • Page 130 Step 3: Click OK to save modifications or click Cancel to cancel modifications. Pausing a DMZ To WAN Policy: (Only available with MH-4000) Step 1. In the DMZ To WAN window, locate the name of policy desired to be paused and click its corresponding [Pause] option in the Configure field.
  • Page 131 Removing a DMZ To WAN Policy: Step 1. In the DMZ To WAN window, locate the name of policy desired to be removed and click its corresponding [Remove] option in the Configure field. Step 2. In the Remove confirmation dialogue box, click OK.
  • Page 132: Vpn

    4.11 VPN MH-2K/4K’s VPN (Virtual Private Network) is set by the System Administrator. The System Administrator can add, modify or remove VPN settings. What is VPN? To set up a Virtual Private Network (VPN), you don’t need to configure an Access Policy to enable encryption.
  • Page 133 creating the tunnel. Gateway IP: The IP address of the remote VPN device. Destination Subnet: Destination network subnet. Algorithm: Displays the algorithms in use for the tunnel. Status: Connect/Disconnect. Configure: Connect, Disconnect, Modify and Delete. Adding the Autokey IKE Step 1.
  • Page 134 (MH-4000 supports only) Authentication-User: Select the item listed in the Authentication-User to enable the policy to automatically execute the function in a certain time and range. (MH-4000 supports only) Show remote Network Neighborhood: Select the remote Network Neighborhood enable to show.
  • Page 135 There are 5 examples of VPN setting. Example 1. Create a VPN connection between two Multi-Homing Security Gateways. Example 2. Create a VPN connection between the Multi-Homing Security Gateway and Windows XP Professional VPN Client. Example 3.
  • Page 136 Step 4. In Authentication Method Table, choose Preshare and enter the Preshared Key. (The max length is 100 bytes.) Step 5. In Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm.
  • Page 137 Step 9. Click OK to finish the setting of Company A. The Gateway of Company B is 192.168.20.1. The settings of company B are as the following. Step 1. Enter the default IP of Company B’s Multi-Homing Security Gateway, 192.168.20.1. Click VPN in the menu bar on the left hand side, and then select the sub-select IPSec Autokey.
  • Page 138 Step 5. In Encapsulation or Authentication table, choose ISAKMP Algorithm. For communication via VPN, we choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. And select Group to connect. Step 6. In IPSec Algorithm Table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm.
  • Page 139 Example 2. Create a VPN connection between the Multi-Homing Security Gateway and Windows XP Professional VPN Client. Preparation Task: Company A External IP is 61.11.11.11, Internal IP is 192.168.10.X Remote User External IP is 211.22.22.22 Remote user with an external IP wants to create a VPN connection with company A and connect to 192.168.10.100 for downloading the sharing file.
  • Page 140 Step 6. In IPSec Algorithm Table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. Step 7. Choose Perfect Forward Secrecy, and enter 28800 seconds in IPSec Lifetime and Keep alive IP to keep connecting.
  • Page 141 Step 2. In the Execute window, enter the command, MMC in Open. Step 3. Enter the Console window, click Console(C) option and click Add/Remove Embedded Management Option.
  • Page 142 Step 4. Enter Add/Remove Embedded Management Option window and click Add. In Add/Remove Embedded Management Option window, click Add to add Create IP Security Policy. Step 5. Choose Local Machine (L) for finishing the setting of Add.
  • Page 143 Step 6. Finish the setting of Add. Step 7. Click the right button of mouse in IP Security Policies on Local Machine and choose Create IP Security Policy(C) option.
  • Page 144 Step 8. Click Next. Step 9. Enter the Name of this VPN and optionally give it a brief description.
  • Page 145 Step 10. Disable Activate the default response rule. And click Next. Step 11. Completing the IP Security Policy setting and click Finish. Enable Edit properties.
  • Page 146 Step 12. In VPN_B window, click Add and please don’t click Use Add Wizard.
  • Page 147 Step 13. In IP Filter List tab, click Add. Step 14. In IP Filter List window, please don’t choose Use Add Wizard and change Name to VPN_B WAN TO LAN. Click Add.
  • Page 148 Step 15. In Filter Properties window, in Source address, click down the arrow to select the specific IP Subnet and fill remote user’s IP Address, 211.22.22.22 and Subnet mask, 255.255.255.255. In Destination address, click down the arrow to select the specific IP Subnet and fill Company A’s IP Address, 192.168.10.0 and Subnet mask 255.255.255.0.
  • Page 149 Step 17. Click Filter Action tab and choose Require Security. Click Edit. Step 18. In Security Methods tab, choose accept unsecured communication, but always respond using IPSec.
  • Page 150 Step 19. Click Edit in Custom/ None/ 3DES/ MD5. Step 20. Click Custom (For professional user) and click Edit.
  • Page 151 Step 21. Click Data Integrity and Encapsulation and choose MD5 and 3DES. Click Generate a New key after every 28800 seconds. And click 3 times OK to return. Step 22. Click Connection Type tab and click all network connections.
  • Page 152 Step 23. Click Tunnel Setting tab, and click The tunnel endpoint is specified by the IP Address. Enter the WAN IP of Company A, 61.11.11.11. Step 24. Click Authentication Methods and click Edit.
  • Page 153 Step 25. Choose Use this string to protect the key exchange (Preshared Key). And enter the key, 123456789. Step 26. Finish the setting, and close the window.
  • Page 154 Step 27. Finish the Policy setting of VPN_B WAN TO LAN. Step 28. Enter VPN_B window again and click Add to add second IP Security Policy. Please don’t enable Use Add Wizard.
  • Page 155 Step 29. In New Rule Properties, click Add. Step 30. In IP Filter List window, please disable Use Add Wizard, and change Name to VPN_B LAN TO WAN. Click Add.
  • Page 156 Step 31. In Filter Properties window, in Source address, click down the arrow to select the specific IP Subnet and fill Company A’s IP Address, 192.168.10.0 and Subnet mask 255.255.255.0. In Destination address click down the arrow to select the specific IP Subnet and fill remote user’s IP Address, 211.22.22.22 and Subnet mask, 255.255.255.255. Please disable Mirrored.
  • Page 157 Step 33. Click Filter Action tab and choose Require Security. Click Edit. Step 34. In Security Methods tab, choose accept unsecured communication, but always respond using IPSec.
  • Page 158 Step 35. Click Edit in Custom/ None/ 3DES/ MD5. Step 36. Click Custom (For professional user) and click Edit.
  • Page 159 Step 37. Click Data Integrity and Encapsulation and choose MD5 and 3DES. Click Generate a New key after every 28800 seconds. And click 3 times OK to return. Step 38. Click Connection Type tab and click all network connections.
  • Page 160 Step 39. Click Tunnel Setting tab, and click The tunnel endpoint is specified by the IP Address. Enter the WAN IP of remote user, 211.22.22.22. Step 40. Click Authentication Methods and click Edit.
  • Page 161 Step 41. Choose Use this string to protect the key exchange (Preshared Key). And enter the key, 123456789. Step 42. Finish the setting, and close the window.
  • Page 162 Step 43. Finish the Policy setting of VPN_B LAN TO WAN. Step 44. In VPN_B window, click General tab. And click Advanced for Key Exchange using these settings.
  • Page 163 Step 45. Click Master key Perfect Forward Secrecy. Step 46. Move IKE/ 3DES/ MD5/ up to the highest order. Finish all settings.
  • Page 164 Step 47. Finish the settings of remote user’s Windows XP VPN. Step 48. Click the right button of mouse in VPN_B and enable Assign.
  • Page 165 Step 49. To restart IPSec by Start Settings Control Panel Step 50. Enter Control Panel and click Administrative Tools.
  • Page 166 Step 51. After entering Administrative Tools, click Services. Step 52. After entering Service, click IPSec Services, Restart the Service.
  • Page 167 Step 53. Finish all settings. Example 3. Create a VPN connection between two Multi-Homing Security Gateways using Aggressive mode Algorithm (3DES and MD5), and data encryption for IPSec Algorithm (3DES and MD5) Preparation Task: Company A External IP is 61.11.11.11 Internal IP is 192.168.10.X Company B External IP is 211.22.22.22...
  • Page 168 Step 2. Enter the VPN name, VPN_A in IPSec Autokey window, and choose From Source to be Internal. Fill the subnet IP, 192.168.10.0 and subnet mask, 255.255.255.0. Step 3. In To Destination table, choose Remote Gateway-Fixed IP, enter the IP desired to be connected, company B’s subnet IP and mask.
  • Page 169 keep connecting. Step 8. Click the down arrow to select the policy of schedule, which was pre-determined in Schedule. Refer to the corresponding section for details. Step 9. Click OK to finish the setting of Company A. The Gateway of Company B is 192.168.20.1.
  • Page 170 100 bytes.) Step 5. Enable Aggressive mode. For communication via VPN, the Multi-Homing Security Gateway will automatically choose 3DES for ENC Algorithm, MD5 for AUTH Algorithm and select Group 2 to connect. Local ID and Remote ID are optional parameters. If you choose to enter Local ID/Remote ID, they must not be the same.
  • Page 171 Example 4. Create a VPN connection between two Multi-Homing Security Gateways using ISAKMP Algorithm (3DES and MD5), data encryption for IPSec Algorithm (3DES and MD5) and GRE. Preparation Task: Company A External IP is 61.11.11.11 Internal IP is 192.168.10.X Company B External IP is 211.22.22.22 Internal IP is 192.168.20.X...
  • Page 172 Step 5. In Encapsulation / ISAKMP Algorithm, choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. And select Group 1 to connect. Step 6. Choose GRE/IPSec and enter GRE Source IP, 192.168.50.100 and GRE Remote IP, 192.168.50.200.
  • Page 173 The Gateway of Company B is 192.168.20.1. The settings of company B are as the following. Step 1. Enter the default IP of Company B’s Multi-Homing Security Gateway, 192.168.20.1. Click VPN in the menu bar on the left hand side, and then select the sub-select IPSec Autokey. Click Add. Step 2.
  • Page 174 Step 7. In IPSec Algorithm Table, choose Data Encryption + Authentication. We choose 3DES for ENC Algorithm and MD5 for AUTH Algorithm. Step 8. Choose Perfect Forward Secrecy, and enter 28800 seconds in IPSec Lifetime. Step 9.
  • Page 175 Step 1: Configure the Multi-Homing Security Gateway as the following: Step 2: Configure VRT-311 VPN policy as the following:
  • Page 177: Pptp Server

    4.11.2 PPTP Server This function allows the remote client dialup to your local network and access local resources by PPTP (Point to Point Tunnel Protocol) client software. Entering the PPTP Server window Step 1. Select VPN→PPTP Server. PPTP Server Click Modify to select Enable or Disable.
  • Page 178 IP or Domain Name: the RADIUS IP address or domain name RADIUS Server Port: the port number of the RADIUS, default port number is 1812. Shared Secret: the Password for MH-4000 to access RADIUS Server. Step 4. Click OK to save modifications or click Cancel to cancel modifications Adding PPTP Server Step 1.
  • Page 179 Multi-Machine: Check to connect with a device, such as MH-2K/4K, that works as the PPTP client. IP Address: Enter LAN IP subnet of the PPTP Client device. Netmask: Enter subnet mask of the PPTP Client. Client IP assigned by: 1.
  • Page 180 Step 4. Click OK to save modifications or click Cancel to cancel modifications Removing PPTP Server Step 1. Select VPN→PPTP Server. Step 2. In the PPTP Server window, find the PPTP server that you want to modify. Click Configure and click Remove.
  • Page 181: Pptp Client

    4.11.3 PPTP Client This function allows MH-2K/4K to dial-up the remote PPTP server and access the network resources on remote network. Entering the PPTP Client window Step 1. Select VPN→PPTP Client.
  • Page 182 User Name Displays the PPTP Client user’s name for authentication. Server Address Displays the PPTP Server IP addresses. Encryption Displays the PPTP Client Encryption ON or OFF Uptime Displays the current PPTP connection time. Status Displays the current PPTP connection status. Configure Click Modify to modify the PPTP Client settings or click Remove to remove the item.
  • Page 183 Auto-Connect when sending packet through the link: Check to enable the auto-connection whenever there’s a packet to transmit over the connection. The feature will be disabled automatically if always-connect is checked. Auto-Disconnect if idle [ ] minutes: Configure this device to disconnect from the PPTP Server when there is no activity for a predetermined period of time.
  • Page 185: Inbound Balance (Mh-4000 Only)

    4.12 Inbound Balance (MH-4000 only) MH-4000 provides the Inbound Load Balance function for the enterprise’s website. If one Internet line is disconnected while customers are visiting the website, customers can still reach the website via the other lines instead of missing a business opportunity.
  • Page 186 Yahoo, he reaches Yahoo by entering www.yahoo.com in the browser. As a matter of fact, the address of Yahoo is 66.218.71.84. MH-4000 provides the DNS Server to handle the mapping between the Domain Name (Yahoo) and the IP (66.218.71.84).
  • Page 187 Priority: Adjust the priority of each WAN IP address. Click OK to create the domain and click New Entry to add host DNS name. Add New Host DNS name On the domain configuration page, click New Entry to add host DNS name. The following page is shown. Select type: There are 3 selectable types as below.
  • Page 188 Round-Robin: Distributes the load from WAN to LAN according to the configured weight and priority. Backup: After selecting the backup mode, if the defined WAN port of MH-4000 is disconnected, the device will return this IP address for future DNS inquiries.
  • Page 189 IP Address 211.22.22.22 NOTE: The domain name which is registered with the local Network Information Center must map to a fixed IP. The System Administrator may configure the below data in the function of Inbound Balance of MH-4000: Name Type...
  • Page 190 Address Name: main.planet.com.tw Address: 211.22.22.22 ------------------> Test whether the backup function takes over automatically and smoothly. (Reverse) The System Administrator may configure the below data in the function of Inbound Balance of MH-4000: Name Type Address...
  • Page 191 The sixth user enters the server of 211.22.22.22 …… MH-4000 distributes the load to different WAN ports sequentially via round-robin and weight, repeatedly. That is the mechanism of Inbound Load Balance via round-robin and weight for overcoming the over-loading problem of the WAN link in most enterprises.
  • Page 192 Because priority number 1 is the highest priority, MH-4000 would use the server smtp1.planet.com.tw to send e-mail (via SMTP Protocol) by default. If the first server is not working properly, it will send the e-mail to the server with the second priority automatically.
  • Page 193 Example 1: Set up a WEB Server with Type Backup in Inbound Load Balance. Backup: For providing stable and reliable connection service quality, MH-4000 provides this mechanism in the setup of Inbound Load Balance. Below is the detailed setup description for this function: Step 1.
  • Page 194 Step 5. Add the second entry, and enter www in the Name field. After selecting WAN 2 from the drop down list on the right side of Address, click on Assist to select 211.22.22.22.
  • Page 195 Step 9. Add new policy of Incoming in Policy for Virtual Server 1. Step 10. Enter the setup window of Virtual Server 2. Step 11. Enter the window of Add Virtual Server IP and enter the virtual server IP WAN 2, 211.22.22.22.
  • Page 196 Round-Robin in Inbound Load Balance. Round-Robin: For providing stable and reliable connection service quality, MH-4000 provides this mechanism according to specific weight and priority in the setup of Inbound Load Balance. Below is the detailed setup description for this function: Step 1.
  • Page 197 Multi-Homing Security Gateway User’s Manual Step 4. Add the 1 entry, and enter the www in the field of Name . And after selecting WAN 1 from the drop down list in the right side of Address , click on the Assist to select 61.11.11.11.
  • Page 198 Multi-Homing Security Gateway User’s Manual Step 10. Set weight to be 2 (second priority), and the setup is completed below. Step 11. Enter the setup window of Virtual Server 2 . Step 12. Enter the window of Add Virtual Server IP and enter the virtual server IP WAN 2, 211.22.22.22 .
  • Page 199 Round-Robin in Inbound Load Balance. Round-Robin : For providing stable and reliable connection service quality, MH-4000 provides this mechanism according to specific weight and priority in setup of Inbound Load Balance. Below is the detail setup description for this function: Step 1.
  • Page 200 Multi-Homing Security Gateway User’s Manual Step 3. Enter the window of Inbound Balance Configuration and select A for the Select Type . Step 4. Add the 2 entry, and enter the www in the field of Name . Step 5. And after selecting WAN 1 from the drop down list in the right side of Address , click on the...
  • Page 201 Multi-Homing Security Gateway User’s Manual to select 211.22.22.22. And select Round-Robin in Balance Mode . After the setup is completed, please click on OK . Step 10. Set weight to be 2(second priority), and the setup is completed below. Step 11. Enter the window of Inbound Balance Configuration and select CNAME for the Select...
  • Page 202 Multi-Homing Security Gateway User’s Manual Step 14. Enter the setup window of Virtual Server 1 in the menu. Step 15. Enter the window of Add Virtual Server IP and enter the virtual server IP WAN 1, 61.11.11.11 . And click the button.
  • Page 203 Multi-Homing Security Gateway User’s Manual Name Type Address Weight Priority www.broadband.com.tw 61.11.11.11 www.broadband.com.tw 211.22.22.22 web.broadband.com.tw CNAME www.broadband.com.tw When users encounter web.broadband.com.tw (Alias Server), the connection service maps into www.broadband.com.tw (Real Server) and the sequence of entering the website is below. The first user enter the server of 61.11.11.11 The second user enter the server of 211.22.22.22 The third user enter the server of 211.22.22.22...
  • Page 204 Multi-Homing Security Gateway User’s Manual Step 3. Enter the window of Inbound Balance Configuration and select A for the Select Type . Step 4. Add the 1 entry, and enter the main in the field of Name . Selecting WAN 1 from the drop down list in the right side of Address , click on the...
  • Page 205 Multi-Homing Security Gateway User’s Manual Step 9. Enter the window of Inbound Balance Configuration and select MX for the Select Type . The Name is mail. the Real Name is main.broadband.com.tw Step 10. The setup is completed. Step 11. Enter the setup window of Virtual Server 1 in the menu.
  • Page 206 Multi-Homing Security Gateway User’s Manual Step 14. Add new policy of Incoming in Policy for Virtual Server 1. Step 15. Enter the setup window of Virtual Server 2 . Step 16. Enter the window of Add Virtual Server IP and enter the virtual server IP WAN 2, 211.22.22.22 .
  • Page 207 Multi-Homing Security Gateway User’s Manual Step 18. Add new policy of Incoming in Policy for Virtual Server 2. Step 19. The setup is completed. Name Type Address Weight Priority main.broadband.com.tw 61.11.11.11 main.broadband.com.tw 211.22.22.22 mail.broadband.com.tw. main.broadband.com.tw When users encounter mail.broadband.com.tw (Alias Server), the connection service maps into main.broadband.com.tw (Real Server) and the sequence of entering the website is below.
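  The three Inbound Load Balance behaviours described on pages 190 to 207 (weighted round-robin answers, where the first visitor to web.broadband.com.tw lands on 61.11.11.11 and the next two on 211.22.22.22; the Backup type, which only hands out the secondary address while the primary WAN link is down; and MX priority failover) can be modelled as a small DNS answer selector. The block below is an added illustration written for this page, not PLANET firmware or code from the manual. It assumes a WAN link-health probe (`link_up`, a stand-in), infers weights 1 and 2 from the answer order the manual states, and the priority values on the A records are constructed.

```python
"""Answer selection for an inbound (DNS-based) load balancer of the kind the
manual describes: weighted round-robin A records, CNAME aliases, a Backup
mode and MX priority failover.  Added illustration, not vendor code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    """One row of the Inbound Balance table (Name, Type, Address, Weight, Priority)."""
    name: str            # FQDN the resolver is asked for
    rtype: str           # "A", "CNAME" or "MX"
    target: str          # IP for A records; real server name for CNAME / MX
    weight: int = 1      # round-robin share: answered this many times per cycle
    priority: int = 1    # 1 = highest; used by Backup mode and MX failover


class InboundBalancer:
    def __init__(self, entries: List[Entry], mode: str = "round-robin",
                 link_up: Optional[Callable[[str], bool]] = None) -> None:
        self.entries = entries
        self.mode = mode                                 # "round-robin" or "backup"
        self.link_up = link_up or (lambda ip: True)      # assumed WAN health probe
        self._cursor: Dict[str, int] = {}                # ring position per real name

    def _records(self, name: str, rtype: str) -> List[Entry]:
        return [e for e in self.entries if e.name == name and e.rtype == rtype]

    def canonical(self, name: str) -> str:
        """Follow CNAME aliases (web -> www) to the real server name; loop-safe."""
        seen = set()
        while name not in seen:
            cname = self._records(name, "CNAME")
            if not cname:
                return name
            seen.add(name)
            name = cname[0].target
        return name

    def resolve_a(self, name: str) -> str:
        """Pick the WAN address handed out for one A-record query."""
        real = self.canonical(name)
        recs = sorted(self._records(real, "A"), key=lambda e: e.priority)
        if not recs:
            raise KeyError(f"no A record for {real}")
        if self.mode == "backup":
            # Backup: the highest-priority address whose link is up; the secondary
            # is only answered while the primary WAN link is down.
            for e in recs:
                if self.link_up(e.target):
                    return e.target
            return recs[0].target
        # Round-robin: each address appears `weight` times in the ring; dead links skipped.
        ring = [e.target for e in recs for _ in range(max(e.weight, 1))]
        live = [ip for ip in ring if self.link_up(ip)] or ring
        pos = self._cursor.get(real, 0) % len(live)
        self._cursor[real] = pos + 1
        return live[pos]

    def resolve_mx(self, name: str) -> Optional[str]:
        """MX: the lowest priority number wins; fall through while its server is unreachable."""
        mx = sorted(self._records(name, "MX"), key=lambda e: e.priority)
        for e in mx:
            real = self.canonical(e.target)
            if any(self.link_up(a.target) for a in self._records(real, "A")):
                return e.target
        return mx[0].target if mx else None


# Web table from the manual's round-robin example.  Weights are inferred from the
# stated answer order (61.11.11.11 once, 211.22.22.22 twice per cycle); the
# priority values are constructed for the Backup-mode demonstration.
WEB_TABLE = [
    Entry("www.broadband.com.tw", "A", "61.11.11.11", weight=1, priority=1),
    Entry("www.broadband.com.tw", "A", "211.22.22.22", weight=2, priority=2),
    Entry("web.broadband.com.tw", "CNAME", "www.broadband.com.tw"),
]
# Mail table from the manual's MX example: mail.* is an MX alias for main.*
MAIL_TABLE = [
    Entry("main.broadband.com.tw", "A", "61.11.11.11", weight=1, priority=1),
    Entry("main.broadband.com.tw", "A", "211.22.22.22", weight=2, priority=2),
    Entry("mail.broadband.com.tw", "MX", "main.broadband.com.tw", priority=1),
]


def web_answer_sequence(n: int) -> List[str]:
    """Addresses handed to the first n visitors of web.broadband.com.tw (round-robin)."""
    lb = InboundBalancer(WEB_TABLE)
    return [lb.resolve_a("web.broadband.com.tw") for _ in range(n)]


def backup_answer(down_links: set) -> str:
    """Backup mode: what www.broadband.com.tw resolves to, given the failed WAN IPs."""
    lb = InboundBalancer(WEB_TABLE, mode="backup", link_up=lambda ip: ip not in down_links)
    return lb.resolve_a("www.broadband.com.tw")


def mail_delivery_target(down_links: set) -> str:
    """A sending MTA's path: MX lookup for mail.*, then an A lookup of the real server."""
    lb = InboundBalancer(WEB_TABLE + MAIL_TABLE, link_up=lambda ip: ip not in down_links)
    mx_host = lb.resolve_mx("mail.broadband.com.tw")
    if mx_host is None:
        raise KeyError("no MX record for mail.broadband.com.tw")
    return lb.resolve_a(mx_host)


if __name__ == "__main__":
    for i, ip in enumerate(web_answer_sequence(6), 1):
        print(f"visitor {i}: web.broadband.com.tw -> {ip}")
    print("backup, all links up:", backup_answer(set()))
    print("backup, WAN 1 down:  ", backup_answer({"61.11.11.11"}))
    print("mail, WAN 1 down:    ", mail_delivery_target({"61.11.11.11"}))
```

  Running the block prints the 1:2 answer cycle the manual lists (61.11.11.11, then 211.22.22.22 twice), shows Backup mode switching to 211.22.22.22 only while the 61.11.11.11 link is marked down, and shows a mail sender being steered to the surviving WAN address once the MX alias is followed to main.broadband.com.tw. On a real gateway the health probe is the device's WAN link monitor, which this model replaces with a callback.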
  • Page 208: Log

    4.13 Log MH-2K/4K supports traffic logging and event logging to monitor and record services, connection times, and source and destination network addresses. The Administrator may also download the log files for backup purposes. The Administrator mainly uses the Log menu to monitor the traffic passing through MH-2K/4K. What is Log? Log records all connections that pass through MH-2K/4K’s control policies.
  • Page 209 Traffic Log Table The table in the Traffic Log window displays the current system status. Definitions: Time: the start time of the connection. Source: IP address of the source network of the specific connection. Destination: IP address of the destination network of the specific connection. Protocol: protocol type of the specific connection.
  • Page 210: Event Log

    4.13.2 Event Log When the MH-2K/4K WAN detects events, the Administrator can get the details, such as the time and description of the events, from the Event Log. Entering the Event Log window Step 1. Click the Event Log option under the Log menu and the Event Log window will appear.
  • Page 211 Step 2. The table in the Event Log window displays the time and description of the events. Time: time when the event occurred. Event: description of the event. Downloading the Event Logs Step 1. In the Event Log window, click the Download Logs button at the bottom of the screen. Step 2.
  • Page 212 Clearing the Event Logs The Administrator may clear the on-line event logs to keep only the most recent logs on the screen. Step 1. In the Event Log window, click the Clear Logs button at the bottom of the screen. Step 2.
  • Page 213: Connection Log

    4.13.3 Connection Log Click Log in the menu bar on the left-hand side, and then select the sub-selection Connection Log. Definitions: Time: the start and end time of the connection. Connection Log: event description during the connection. Download Logs Step 1.
  • Page 214 Clear Logs Step 1. Click Log in the menu bar on the left-hand side, and then select the sub-selection Connection Log. Step 2. In the Connection Log window, click the Clear Logs button. Step 3. In the Clear Logs window, click OK to clear the logs or click Cancel to discard changes.
  • Page 215: Log Backup

    4.13.4 Log Backup Click Log -> Log Backup.
  • Page 216 Log Mail Configuration: when the accumulated Log Mail files reach 300 KB, the router notifies the administrator by e-mail with the traffic log and event log. NOTE: Before enabling this function, you have to configure E-mail Settings in System -> Settings. Syslog Settings: if you enable this function, the system transmits the Traffic Log and the Event Log simultaneously to a server that supports syslog.
  • Page 217 Disable Log Mail Support & Syslog Message Step 1. Go to LOG -> Log Backup. Uncheck to disable Log Mail Support. Click OK. Step 2. Go to LOG -> Log Backup. Uncheck to disable Syslog Message. Click OK.
  • Page 218: Alarm

    4.14 Alarm How to apply the Alarm service The administrator can use Blaster Alarm to track virus-infected IPs; use Traffic Alarm to track the source address, destination address, network service and network status; and use Event Alarm to track attack events from hackers.
  • Page 219: Traffic Alarm

    The table in the Blaster Alarm window displays the current blaster alarm logs for connections. Interface: the interface that received the attack packets. Virus infected IP: the IP address of the host that is infected with the virus and is spreading the attack packets. MAC Address: the MAC address of the host that is infected with the virus and is spreading the attack packets.
  • Page 220: Event Alarm

    Step 3. The table in the Traffic Alarm window displays the current traffic alarm logs for connections. Time: the start and stop time of the specific connection. Source: name of the source network of the specific connection. Destination: name of the destination network of the specific connection.
  • Page 221 The table in the Event Alarm window displays the current event alarm logs for connections. Time: log time. Event: event description. Downloading the Event Alarm Logs The Administrator can back up the event alarm logs regularly by downloading them to a file on the computer. Step 3.
  • Page 222: Accounting Report (Mh-4000 Only)

    NOTE: This function is not supported on MH-2000. 4.15.1 Setting Select Setting to configure which type of Accounting Report is logged by MH-4000. Three types of report can be selected: User, Site and Service. Outbound Accounting Report: the downstream and upstream statistics for the LAN, WAN and all kinds of communication services.
  • Page 223 Click the Top Users icon on the page to show the source IP accounting report. If this option is already selected, clicking it does not change it. When LAN users connect to a WAN service server through MH-4000, the Downstream / Upstream / First Packet / Last Packet / Duration log of each source IP is recorded.
  • Page 224 TOP Users: select the data type you want to check; 10 results are presented per page. Source IP: the LAN user’s IP address that connects through MH-4000 to access the WAN service server. Downstream: the percentage of downstream traffic and the statistical value of the connection from the WAN server to the LAN user.
  • Page 225 When LAN users connect to a WAN service server through MH-4000, the Downstream / Upstream / First Packet / Last Packet / Duration log of each destination IP is recorded. Definitions: Top Sites: select the data type you want to check; 10 results are presented per page.
  • Page 226 When LAN users connect to a WAN service server through MH-4000, the Downstream / Upstream / First Packet / Last Packet / Duration log of each communication service is recorded.
  • Page 227: Inbound Accounting Report

    service server. NOTE: To correctly display the pie chart, please install the latest Java VM from http://www.java.com. 4.15.3 Inbound Accounting Report Click the Accounting Report function, and then select Inbound. There are three options for the Inbound accounting report: Top Users (source IP), Top Sites (destination IP) and Top Services (service).
  • Page 228 When WAN users connect to a LAN service server through MH-4000, the Downstream / Upstream / First Packet / Last Packet / Duration log of each source IP is recorded. Definitions: TOP Users: select the data type you want to check; 10 results are presented per page.
  • Page 229 Upstream: the percentage of upstream traffic and the statistical value of the connection from the LAN host to the WAN host via MH-4000. Total Traffic: MH-4000 records the sum of upstream/downstream packets between the WAN host and the LAN host. NOTE: To correctly display the pie chart, please install the latest Java VM from http://www.java.com.
  • Page 230 Upstream: the percentage of upstream traffic and the statistical value of the connection from the LAN host to the WAN host via MH-4000. Total Traffic: MH-4000 records the sum of upstream/downstream packets between the WAN host and the LAN host. NOTE: To correctly display the pie chart, please install the latest Java VM from http://www.java.com.
  • Page 231: Statistics

    4.16 Statistics In this chapter, the Administrator queries MH-2K/4K for statistics on the packets and data that pass across the Multi-Homing Security Gateway. The statistics provide the Administrator with information about network traffic and network load. What is Statistics? Statistics are the counts of packets that pass through MH-2K/4K under the control policies set up by the Administrator.
  • Page 232: Policy Statistics

    Step 2. The Interface Statistics will be displayed. It shows statistics of the WAN 1/2 network connections (downstream as well as upstream) as totals by Minute (60 minutes), Hour (24 hours), Day (30 days), Week (7 weeks), Month (12 months) and Year (10 years). Select the WAN port you want to show and select the time unit (minute, hour, day, week, month or year) of the graph.
  • Page 233 Source: the name of the source address. Destination: the name of the destination address. Service: the service requested. Action: permit or deny. Time: viewable by minutes, hours, days, weeks, months or years. NOTE: To use Statistics, the administrator needs to go to Policy and enable the Statistics function. Entering the Policy Statistics Step 1.
  • Page 235: Status

    Click on Status in the menu bar, then click Interface Status below it. A window will appear and provide information from the Configuration menu. Interface Status will list the settings for LAN Interface, WAN 1/2 Interface, and DMZ Interface. 4.17.2 System Info (MH-4000 only) NOTE: This function is not supported on MH-2000. Entering the System Info window Click on Status in the menu bar, then click System Info below it.
  • Page 236: Auth Status

    4.17.3 Auth Status Entering the Auth Status window Click on Status in the menu bar, then click Auth Status below it. A window will appear and provide information from the Auth User menu. Auth Status will list the Auth User login status.
  • Page 237: Arp Table

    IP Address: the IP address of the host computer. Auth-User Name: the Auth User name of that host computer. Login time: the time the Auth User logged in. 4.17.4 ARP Table Entering the ARP Table window Click on Status in the menu bar, then click ARP Table below it.
  • Page 238: Dhcp Clients

    IP Address: the IP address of the host computer. MAC Address: the MAC address of that host computer. Interface: the port that the host computer is connected to (LAN, WAN 1/2, DMZ). 4.17.5 DHCP Clients Entering the DHCP Clients window Click on Status in the menu bar, then click on DHCP Clients below it.
  • Page 239 IP Address: the IP address of the LAN host computer. MAC Address: the MAC address of the LAN host computer. Leased Time: the start and end time of the DHCP lease for the LAN host computer.

This manual is also suitable for:

MH-2000