Planet Networking & Communication CS-2001 User Manual

Summary of Contents for Planet Networking & Communication CS-2001

  • Page 1 CS-2001 UTM Content Security Gateway User’s Manual UTM Content Security Gateway CS-2001 User’s Manual...
  • Page 2: Federal Communication Commission Interference Statement

    Copyright Copyright© 2011 by PLANET Technology Corp. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise, without the prior written permission of PLANET.
  • Page 3: Customer Service

    interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.
  • Page 4 Any error messages that displayed when the problem occurred ♦ Any software running when the problem occurred ♦ Steps you took to resolve the problem on your own Revision User’s Manual for PLANET UTM Content Security Gateway Model: CS-2001 Rev: 1.0 (Dec, 2010) PartNo: EM-CS2001v1...
  • Page 5: Table Of Contents

    Table of Contents Quick Installation Guide ................8 Hardware Installation ..................9 Basic System Configuration ................12 S.1 Overview of Functions ..............20 System ...................... 27 Chapter 1 Administration ................28 1.1 Admin ..................... 30 1.2 Permitted IPs .................. 32 1.3 Logout ....................
  • Page 6 8.3 POP3 Authentication ..............193 8.4 LDAP Authentication ..............196 Chapter 9 Application Blocking ..............210 9.1 Example ..................213 Chapter 10 Virtual Server ................220 10.1 Example ..................222 Chapter 11 VPN ....................242 11.1 Example ..................255 Mail Security ..................413 Chapter 12 Configuration ................
  • Page 7 21.1 Example ..................634 Policy ...................... 649 Chapter 22 Policy .................... 650 22.1 Example ..................657 Anomaly Flow IP .................. 682 Chapter 23 Anomaly Flow IP ................. 683 23.1 Example ..................684 Advance ....................688 Chapter 24 Inbound Balancing ..............689 24.1 Example ..................
  • Page 8 32.1 Interface ..................817 32.2 System Info ................819 32.3 Authentication ................821 32.4 ARP Table .................. 822 32.5 Sessions Info ................825 32.6 DHCP Clients ................827...
  • Page 9: Quick Installation Guide

    Quick Installation Guide...
  • Page 10: Hardware Installation

    Hardware Installation Front panel: Power Indicator HDD Indicator Console Port Ethernet Port1/2/3/4 Figure. Front Panel of the CS-2001 Rear panel: Power Switch Power Socket  Power Indicator: Lights up when the power is on.  HDD Indicator: Flashes when the system is accessing data on the HDD.
  • Page 11 LED / Port Description LED1 Orange Steady on indicates the port is connected to another network device. Blinks to indicate there is traffic on the port LED2 Orange Steady on indicates the port is connected at 1000Mbps speed Green Steady on indicates the port is connected at 100Mbps speed LED off indicates the port is connected at 10Mbps speed...
  • Page 12 CS-2001 Topology: Figure2. Topology of the CS-2001...
  • Page 13: Basic System Configuration

    Basic System Configuration Step 1. Connect both the IT administrator’s PC and the device’s LAN port to the same hub / switch, and launch a browser (e.g., IE or Firefox) to access the management interface address which is set to http://192.168.1.1 by default.
  • Page 14  Configuration Panel: Displays the data or configurable settings of the corresponding item selected on the Menu Panel. Figure4. The CS-2001 User Interface Note: 1. For your reference, you may configure your management address based on the available subnet ranges below.
  • Page 15 Step 4. If it’s the first time you’ve logged into the management interface, an install wizard will appear to guide you through setting some of the basic settings required. System > Configuration > Installation Wizard Figure5. The Install Wizard Step 5. Select the language for the user interface and the default character encoding.
  • Page 16 Fill in the IP Address and Netmask fields. Figure7. Interface Settings Important : 1. Note: Once the LAN interface is changed, please enter the new LAN IP address in the browser the next time you log in to the CS-2001 Web UI.
  • Page 17 Step 7. Configure the WAN Interface (please refer to your ISP for the settings).  Setting: Select Port2(WAN1)  Interface: Select WAN  Connection Mode: Select the required mode  Configure the remaining settings. Figure8. The WAN Settings...
  • Page 18 Step 8. Tick the Synchronize to an NTP Server box to ensure the system is provided with the accurate time. Figure9. Time Settings Step 9. Enable Outgoing. Figure10. Enabling an Outgoing Policy...
  • Page 19 DHCP to enable LAN PCs to obtain IP addresses, users may have Internet access right after configuring DHCP. To configure any network policies, please go to Policy Object and Policy. Step 10. Provide the following CS-2001 interface information to LAN users. Figure12. Settings Confirmation...
  • Page 20 Step 11. Settings complete. Figure13. Installation Wizard Completed...
  • Page 21: Overview Of Functions

    S.1 Overview of Functions Category Configurable Settings Description Index System Administration Admin Creates, modifies or removes Chapter 1 administrator accounts. Permitted IPs Permits specific IP addresses to access the system. Software Update the system’s software Update version. Configuration Settings For importing or exporting the Chapter 2 system settings, resetting the system to factory default settings,...
  • Page 22 Wizard configuration. Language Available languages include Traditional Chinese, Simplified Chinese and English. Network Settings For DNS settings, link speed / Chapter 3 duplex settings, etc. Interface For configuring the interface type: LAN (IP address, netmask, MAC address, etc.), WAN (connection type, downstream / upstream bandwidth, etc.), DMZ (IP address, netmask, MAC address, etc.)
  • Page 23 controlling. Virtual Server Mapped IPs Maps an internal host to an Chapter 10 external IP address to provide a Port Mapping specific connection or service, Virtual IP such as PC-Anywhere, FTP, Group HTTP, etc. One-Step For establishing secure and Chapter 11 IPSec private connections, there are two connection methods, namely...
  • Page 24 Whitelist > Personal Rule, Global Rule > Whitelist > Blacklist > Blacklist Fingerprint > Bayesian Filtering Training > Spam Signature... Anti-Virus Settings Scans for virus-infected mail Chapter 14 using ClamAV and Sophos. Mail Reports Settings Provides a statistical mail report Chapter 15 in the form of bar charts and Statistics...
  • Page 25 For distributing inbound flows to Chapter 24 Balancing each port by its DNS controlling mechanism. The backup mode provides continuous access if one of the WAN links ceases to function. High Settings For installing two CS-2001 Chapter 25 Availability devices to ensure an uninterrupted...
  • Page 26 network connection. Co-Defense Core Switch Provides control over anomaly Chapter 26 System flows by working with the Edge Switch network's core switch. In MAC ADDR addition, the IP and MAC Table addresses over anything connected to each of the switch's ports can be obtained.
  • Page 27 System Info Displays CPU and hard disk utilization statistics. Authentication Displays the auth user list. ARP Table Displays a list of all current IP and MAC addresses that have accessed the network. Sessions Info Displays outbound sessions established from internal users. DHCP Clients Displays a list of all current users who have obtained their IP...
  • Page 28: System

    System...
  • Page 29: Chapter 1 Administration

    Chapter 1 Administration This chapter mainly explains the authorization settings for accessing the CS-2001. It covers the subjects of Admin, Permitted IPs, Software Update and Logout. The complete administrative authority lies in the hands of the IT administrator. Other than the IT administrator, any other administrator, also known as...
  • Page 30 Terms in Admin Admin Name  The authentication name to log in to the system.  The IT administrator’s name and password are assigned as admin, which cannot be deleted. Privilege  The main IT administrator has the privilege of reading, writing and viewing. That means the main IT administrator is able to view and change the system configuration, logs and accounts.
  • Page 31: Admin

    1.1 Admin 1.1.1 Adding a Sub-Administrator Step 1. Go to System > Administration > Admin, set as below: (Figure 1-1)  Click the New Sub-Admin button to create a new sub-administrator.  Enter the Sub-Admin Name and Password.  Enter the password again in the Confirm Password field. ...
  • Page 32: Modifying The Password

    1.1.2 Modifying the Password Step 1. Go to System > Administration > Admin and then set as below: (Figure 1-2)  Click the Modify button of the admin you want to modify.  Enter the original password in the Password field and then enter the new password in the New Password field.
  • Page 33: Permitted Ips

    1.2 Permitted IPs 1.2.1 Adding a Permitted IP Step 1. Under System > Administrator > Permitted IPs, click the New Entry button and then set as below: (Figure 1-3)  Enter the name in the Name field.  Select IPv4 for Protocol. ...
  • Page 34: Logout

    1.3 Logout 1.3.1 Logging out the System Step 1. Click Logout to protect the system from any unauthorized modification while being away. (Figure 1-4, 1-5) Figure 1-4 The Logout Screen Figure 1-5 Confirming to Log Out...
  • Page 35 Step 2. Click OK and then the logout message appears. (Figure 1-6) Figure 1-6 The Logout Message...
  • Page 36: Updating Software

    1.4 Updating Software Step 1. To run a software update, go to System > Administration > Software Update and follow the steps below:  Click Browse to locate the software and then open it.  Click OK to proceed to update the software. (Figure 1-7)...
  • Page 37: Chapter 2 Configuration

    Chapter 2 Configuration Configuration includes the following system settings: System Settings, Date / Time, Multiple Subnets, Route Table, DHCP, Dynamic DNS, Host Table, SNMP and Language.
  • Page 38 Terms in Setting System Settings  Allows the IT administrator to import / export system settings, perform a factory reset and format the built-in hard disk. Configuration File Backup and Restore Utility (Used: 40KB, Free: 9MB, Capacity: 10MB)  Saves a copy of the system settings file to the device’s internal storage. The IT administrator can restore the system’s settings based upon the file’s date.
  • Page 39 device can block their IP address for the specified amount of time. This helps to prevent any unauthorized tampering of the device.
  • Page 40 Proxy Settings (for signature updates)  Once the Proxy Server is deployed, the proxy settings must be configured for the CS-2001 to access the Internet. Max. Number of Items Shown per Page  Configures the maximum number of entries displayed per page.
  • Page 41  Denotes in which network, i.e. LAN or DMZ, the subnet resides. VLAN ID  Permits the interface on the CS-2001 to support VLAN tags belonging to the LAN or DMZ. Terms in Routing Table Dynamic Routing  Routers exchange routing information to reflect any changes in the topology of the network.
  • Page 42 Note: Dynamic Routing Protocols can be categorized into the following two categories:  Distance-Vector Routing Protocol: Uses the Bellman-Ford algorithm to calculate paths. Examples of distance-vector routing protocols include RIPv1/2 and IGRP (Cisco's proprietary protocol). Using RIP, the maximum hop count from the first router to the destination is 15. Any destination greater than 15 hops away is considered unreachable.
  • Page 43 private purposes.  In 2007 30-bit AS numbers were introduced. These numbers are written either as simple integers, or in the form x.y, where x and y are 16-bit numbers. Numbers of the form 0.y are exactly the old 16-bit AS numbers, 1.y numbers and 65535.65535 are reserved, and the remainder of the space is available for allocation.
  • Page 44 Terms in DHCP Subnet Name  The name of the LAN or DMZ. Assign Static IP Address  DHCP can allocate IP addresses based upon the MAC address of PCs in the LAN or DMZ. Terms in Dynamic DDNS Domain Name ...
  • Page 45  Level 3 provides not only authentication for SNMP data but also encryption and is referred to as AuthPriv. User Name  The NMS uses this user name to access information from the CS-2001. Auth Protocol  Supports the authentication protocols of HMAC_MD5_96 and HMAC_SHA_96.
  • Page 46 Auth Password  The NMS uses this password to access information from the CS-2001. Privacy Protocol  Supports the cipher Data Encryption Standard (DES), which is based on a 56-bit symmetric-key algorithm.
  • Page 47 Privacy Password  The NMS uses this password to access information from the CS-2001.
  • Page 48: Settings

    2.1 Settings 2.1.1 Exporting System Settings Step 1. Under System > Configuration > Settings, click next to Export System Settings under the System Settings section. Step 2. Click Save in the File Download window, and then assign a storage folder. After that, click Save in the Save As window to complete exporting the system settings.
  • Page 49 2.1.2 Importing System Settings Step 1. Under System > Configuration > Settings, click Browse… next to Import System Settings under the System Settings section. Next, in the Choose File window, select the configuration file and then click Open. (Figure 2-2) Step 2.
  • Page 50 2.1.3 Resetting the System to Factory Default Settings and Formatting the Hard Drive Step 1. Under System > Configuration > Settings, tick Reset to factory default settings and Format the inbuilt hard disk under the Hard Disk Formatting section. (Figure 2-4) Figure 2-4 Resetting the Device to Factory Default Step 2.
  • Page 51 2.1.4 Enabling Email Alert Notification Step 1. Go to System > Configuration > Settings. Under the Name Settings section, configure the following settings:  Type your company name in the Company Name field.  Type a name in the Device Name field. Step 2.
  • Page 52 2.1.5 Rebooting the CS-2001 Step 1. To reboot the CS-2001, go to System > Configuration > Settings. Under the Device Reboot section click Reboot next to To reboot the system, click. Step 2. A confirmation dialogue box will appear asking “Are you sure you want to reboot the system?” Step 3.
  • Page 53: Date / Time

    2.2 Date / Time 2.2.1 CS-2001 Time Settings Step 1. Go to System > Configuration > Date/Time and configure the following settings: (Figure 2-7)  Configure the GMT offset hours.  Tick Synchronize to an NTP server.  Type the IP address of Internet time server in the NTP Server IP / Hostname field.
  • Page 54: Multiple Subnet

    2.3 Multiple Subnet 2.3.1 Using NAT / Routing Mode For LAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure port 1 as LAN1 (192.168.1.1, NAT routing mode) and connect it to the LAN which is using the IP address range 192.168.1.x/24. Configure port 2 as WAN1 (10.10.10.1) and connect it to the ISP router (10.10.10.2);...
  • Page 55 Figure 2-8 Configuring Multiple Subnet Figure 2-9 Settings Completed Important: 1. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
  • Page 56 Step 2. Under Network > Interface, set as below: (Figure 2-10)  Click on Port 2’s Modify button.  For Interface Type select WAN, and enter all the relevant settings (provided by your ISP).  For WAN NAT Redirection, select A designated IP and then enter 162.172.50.1.
  • Page 57 Step 3. Under Policy Object > Address > LAN, set as below: (Figure 2-11) Figure 2-11 Address Settings for the LAN...
  • Page 58 Step 4. Go to Policy > Outgoing and configure the following settings:  Click on New Entry.  Source Address: Select the name of the LAN addresses. (LAN1_Subnet1)  Action: Tick Port 3 (WAN2).  Click on Advanced Settings. For Port3 (WAN2) select Automatic. ...
  • Page 59 Figure 2-13 The Second Outgoing Policy Settings...
  • Page 60 Figure 2-14 Policy Settings Completed...
  • Page 61 Step 5. The configuration of LAN1 to the Internet is now complete. (Figure 2-15) Figure 2-15 The LAN Configured Using Multiple Subnet Note: 1. The LAN subnet 192.168.1.x/24 is only able to gain access to the Internet via WAN2 (using NAT).
  • Page 62 2.3.2 Using Multiple Subnets to Establish a VLAN Gateway to Regulate VLAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24. VLAN ID 10 using 192.168.100.x/24.
  • Page 63 Figure 2-16 First Multiple Subnet Setting...
  • Page 64 Figure 2-17 Second Multiple Subnet Setting Figure 2-18 Multiple Subnet Settings Completed Note: 1. The device’s interface settings permit multiple VLAN gateways to control each VLAN’s access to the Internet or communication amongst the VLANs. 2. When the PCs’ subnets or IP addresses are not on the same interface, you may go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address) to enable the LAN to LAN connection.
  • Page 65 Step 2. Go to Policy Object > Address > LAN, and set as below: (Figure 2-19) Figure 2-19 Address Settings for the LAN...
  • Page 66 Step 3. Go to Policy Object > Address > LAN Group and then set as below: (Figure 2-20) Figure 2-20 LAN Group Settings Step 4. Go to Policy > Outgoing, set as below:  Click on New Entry.  Source Address: Select the name of the LAN addresses (VLAN_Group) ...
  • Page 67 Step 5. The internal network’s VLAN. (Figure 2-23) Figure 2-23 The Completed Multiple Subnet VLAN Settings...
  • Page 68: Route Table

    2.4 Route Table 2.4.1 Enabling Two Networks Connected by a Router to Access the Internet via the CS-2001 Prerequisite Setup (Note: IP addresses used as examples only) Company A: Port 1 is set as LAN 1 (192.168.1.1, NAT routing mode) which is connected to the LAN subnet 192.168.1.x/24.
  • Page 69 Step 1. Go to System > Configuration > Route Table and set as below:  Click on New Entry.  IP Version : Select IPv4.  IP Address: Type 192.168.10.0.  Netmask: 255.255.255.0.  Gateway : 192.168.1.252.  Interface : LAN1. ...
  • Page 70 Figure 2-26 Static Route Settings Figure 2-27 The Completed Static Route Settings Important: 1. To enable the LAN to LAN connection, go to Policy > LAN to LAN and create a policy (select Inside Any for both Source Address and Destination Address). To enable the DMZ to DMZ connection, go to Policy >...
  • Page 71 Step 2. The subnets 192.168.10.x/24,192.168.20.x/24 and 192.168.1.x/24 can now communicate with each other. In addition, these subnets may also access the Internet using real IP addresses assigned from the CS-2001 device’s NAT mechanism. (Figure 2-28) Figure 2-28 The Routing Table...
  • Page 72: Dhcp

    2.5 DHCP 2.5.1 Using an External DHCP Server to Allocate IP Addresses to Internal PCs Step 1. Go to System > Configuration > DHCP, and set as below: (Figure 2-29)  Tick Enable DHCP Relay.  From DHCP Relay Interface select the interface. ...
  • Page 73 Note: 1. When Enable DHCP Relay Support is enabled, internal PCs can obtain an IP address from the server through the specified interface (WAN1/2/3/4/5/6 or VPN-WAN1/2/3/4/5/6) of the CS-2001.
  • Page 74 2.5.2 Using the CS-2001 to Allocate IP Addresses to LAN PCs Step 1. Go to System > Configuration > DHCP and set as below: (Figure 2-30)  Select Enable DHCP.  Deselect Obtain DNS server address automatically.  DNS Server 1: Type an IP address as DNS Server 1.
  • Page 75 Figure 2-30 DHCP Settings...
  • Page 76 1. Enabling Obtain DNS server address automatically is intended for LAN users who access the Internet via the device’s authentication mechanism. LAN users need to configure their Preferred DNS server address to be the same as the LAN interface address of the CS-2001 in Internet Protocol (TCP/IP) Properties.
  • Page 77: Ddns

    2.6 DDNS Step 1. Go to System > Configuration > Dynamic DNS, and set as below: (Figure 2-31)  Click New Entry. Select a Service Provider from the drop-down list.  Tick Use the IP of on the right of WAN IP and then select a WAN port.
  • Page 78 3. You may configure the WAN IP by either ticking the Automatically checkbox or simply specifying it in the WAN IP field.
  • Page 79: Host Table

    2.7 Host Table Step 1. Go to System > Configuration > Host Table and set as below: ( Figure 2-33)  Configure the Host Name accordingly.  Select IPv4 for IP Version.  Type the virtual IP address that the host name corresponds to in the Virtual IP Address field.
  • Page 80: Snmp

    2.8 SNMP 2.8.1 SNMP Agent Settings Step 1. Go to System > Configuration > SNMP. Under the SNMP Agent Settings section configure the following: (Figure 2-34)  Tick the interfaces that are permitted to send SNMP agent messages.  Device Name: Name the device. By default, it is UTM. ...
  • Page 81 Port: Type the port number of SNMP Trap. (Default value: 162)  Click OK.  The IT administrator may now install an SNMP Trap client to receive alerts from the CS-2001. Figure 2-35 SNMP Trap Settings Note: 1. The IT administrator may test the SNMP trap by clicking on...
  • Page 82: Language

    2.9 Language 2.9.1 Changing the Language Step 1. Under System > Configuration > Language, you may change the language of the user interface. (Figure 2-36) Figure 2-36 The Language Settings...
  • Page 83: Interface

    Interface...
  • Page 84: Chapter 3 Interface

    Chapter 3 Interface The Interface configuration allows you to configure the connection parameters separately for LAN, WAN and DMZ interfaces as well as to assign multiple network interfaces to a group based on your topology plan. This chapter covers the functionality and application of Settings, Interface and Interface Group.
  • Page 85 By Source IP: For services that require using the same IP address throughout the process, such as online games and banking, the CS-2001 helps users retain the same WAN port (i.e. IP address) over which the session was created, to avoid disconnection caused by a change of the user’s IP address.
  • Page 86 Interface Designation  The system-assigned name based on the network interface type selected. Interface Type  The network interface is categorized into three types:  Local Area Network (LAN)  Wide Area Network (WAN)  Demilitarized Zone (DMZ) Connection Type (As Interface Type set to LAN) ...
  • Page 87  An IPv6 address is represented as a text string in one of the following three conventional forms:  Colon-hexadecimal form: This is the preferred form n:n:n:n:n:n:n:n. Each n represents the hexadecimal value of one of the eight 16-bit elements of the address. For example: 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A ...
  • Page 88  The IPv6 prefix is the part of the address that indicates the bits that have fixed values. If it happens not to be a multiple of four, such as 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A/59, then the third 16-bit block (i.e., 2F3B) has to be modified (to 2F20) to become a multiple of four. ...
  • Page 89  The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C. Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C. MAC Address  Configure the MAC address accordingly. Ping ...
  • Page 90 WAN NAT Redirection  Translates private IP addresses into public addresses.  Auto-configuration: The public address is automatically designated by the system.  A designated IP: The public address is manually designated by the IT administrator. Max. Downstream & Upstream Bandwidth ...
  • Page 91 Terms in Interface Group Interface Group  Allows you to group network interfaces, with each group isolated from the others. Note: This requires at least a WAN port with a static IP and a LAN or DMZ running Transparent Bridging mode. ...
  • Page 92: Example

    3.1.1 Modifying the LAN Interface (NAT / Routing) 3.1.2 Configuring the WAN Interface 3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) 3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet...
  • Page 93: Modifying The Lan Interface (Nat / Routing)

    3.1.1 Modifying the LAN Interface (NAT / Routing) Prerequisite Setup (Note: IP addresses used as examples only) Port1 is configured as LAN1 by default. (IP address: 192.168.1.1, NAT/ Routing) Step 1. Go to Network > Interface and then set as below: (Figure 3-1)...
  • Page 94: Configuring The Wan Interface

    3.1.2 Configuring the WAN Interface Step 1. Go to Network > Interface and then click Port2’s Modify button. Select WAN for Interface Type. Step 2. Configure the Service Detection (ICMP & DNS):  If ICMP is selected, enter the Alive Indicator Site IP. (Figure 3-2)...
  • Page 95 Step 3. Select WAN for Interface Type:  Static IP Address: (Figure 3-4)  Enter the IP Address, Netmask and Default Gateway.  Enter the Max. Downstream Bandwidth and the Max. Upstream Bandwidth.  Tick Ping, HTTP and HTTPS.  Click OK. (Figure 3-5)...
  • Page 96 Figure 3-4 Configuring the Static IP Address Figure 3-5 Setting Completed...
  • Page 97 Figure 3-6 Configuring the Dynamic IP Address Figure 3-7 Setting Completed...
  • Page 98 Figure 3-8 Configuring the PPPoE Figure 3-9 Setting Completed...
  • Page 99 1. The DNS Settings may be configured under Network > Settings. 2. When Ping, HTTP and HTTPS are enabled, users may access the CS-2001 Web UI from the external network. Access from the external network may weaken network security, so it is suggested to disable Ping, HTTP and HTTPS after the configuration.
  • Page 100 3.1.3 Using CS-2001 as a Gateway for Users on Two Subnets to Access the Internet (NAT/Routing) Prerequisite Setup (Note: IP Addresses used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
  • Page 101 Figure 3-10 Configuring the LAN Interface...
  • Page 102 Step 2. Go to Network > Interface and then set as below: (Figure 3-11)  Click Port3’s Modify button.  Select LAN for Interface Type.  Select NAT Routing for Connection Type.  Enter the IPv4 Address and the Netmask. ...
  • Page 103 Step 3. LAN1 and LAN2 users will connect to WAN1(61.11.11.11) and use WAN1’s IP address to access the Internet. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-12) Figure 3-12 The Deployment of LAN using NAT / Routing Mode...
  • Page 104 3.1.4 Using CS-2001 as a Gateway for the Internal Users to Access the Internet and Configure the DMZ for the External Users to Access the Network Resource Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as LAN1(192.168.1.1, NAT/Routing) and connect to the LAN. IP address range:192.168.1.x/24.
  • Page 105 Figure 3-13 Configuring the LAN Interface...
  • Page 106 Step 2. Go to Network > Interface and then set as below: (Figure 3-14)  Click Port3’s Modify button.  Select DMZ for Interface Type.  Select Transparent Routing for Connection Type.  Tick Ping, HTTP and HTTPS.  Click OK. Figure 3-14 DMZ Interface Settings Note:...
  • Page 107 Step 3. The external users may connect to the web server (61.11.11.12) to access the network resource. The LAN users may connect to WAN1 (61.11.11.11) and use WAN1’s IP address to access the Internet. (Figure 3-15) Figure 3-15 The Deployment of DMZ Using Transparent Routing Mode...
  • Page 108: Internet (Nat/Routing)

    3.1.5 Deploying the CS-2001 between the Gateway and LAN (configuring two subnets, one using Transparent Routing, the other one using NAT/Routing) for the LAN users to access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN IP addresses are 192.168.1.1 (192.168.1.x/24) and 192.168.2.1 (192.168.2.x/24).
  • Page 109 Step 1. Go to Network > Interface and then set as below: (Figure 3-16)  Click Port2’s Modify button.  Select LAN for Interface Type.  Select Transparent Routing for Connection Type.  Tick Ping, HTTP and HTTPS.  Click OK. Figure 3-16 Configuring the LAN Interface Step 2.
  • Page 110 Settings Step 3. LAN1 users (192.168.1.x/24) and LAN2 users (192.168.2.x/24) may use their original IP addresses to access the Internet via the CS-2001. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-18)...
  • Page 111 Figure 3-18 The deployment of LAN Using Transparent Routing and NAT/ Routing...
  • Page 112: Deploying The Cs-2001 Between The Gateway And The Lan

    3.1.6 Deploying the CS-2001 between the Gateway and the LAN (LAN1 and DMZ1), connecting LAN1 to the user’s PC (using NAT/Routing mode) and then connecting DMZ1 to user’s PC (using Transparent Bridging mode) Prerequisite Setup (Note: IP addresses used as examples only) Gateway’s LAN (172.16.1.1).
  • Page 113 Step 1. Go to Network > Interface and then set as below: (Figure 3-19)  Click Port1’s Modify button.  Select LAN for Interface Type.  Select NAT Routing for Connection Type.  Enter the IPv4 Address and the Netmask. ...
  • Page 114 Step 3. Go to Network > Interface Group and then set as below: (Figure 3-21)  Configure Port2(WAN1) and Port3(WAN2) as Group1.  Click OK. Figure 3-21 Configuring the Interface Group...
  • Page 115 Step 4. PCs (IP range: 172.16.x.x/16) on DMZ may use the original address to access the Internet through CS-2001. PCs on LAN will connect to WAN1 (172.16.1.12) and use WAN1’s IP address to access the Internet. (Figure 3-22) Figure 3-22 The Deployment of DMZ Using Transparent Bridging Mode...
  • Page 116  PCs in DMZ (172.16.x.x/16):  The LAN PCs (default gateway:172.16.1.1) will access the Internet through CS-2001’s WAN1.  Configure the default gateway as CS-2001’s WAN1 (172.16.1.12). Packets passing through the CS-2001 will use WAN1(172.16.1.12) or WAN2(211.22.22.22) to access the Internet. (Load Balancing) ...
  • Page 117 3. Configure a router to connect different subnets in the LAN for the PCs to access the Internet through the original firewall. PCs in DMZ may use the original IP address to access the Internet through CS-2001’s WAN1. (Figure 3-24) Figure 3-24 The Deployment of DMZ Using Transparent Bridging 03...
  • Page 118 4. Configure two firewalls to connect the Internet and the CS-2001 and then configure a router to connect the CS-2001 and DMZ (192.168.2.1/24 and 192.168.3.1/24). Connect the two subnets to WAN1’s firewall and WAN2’s firewall individually. Then, the packets from the two subnets (Figure 3-25)...
  • Page 119: Deploying Cs-2001 Between The Gateway And Lan (Lan1 And Dmz1)

    3.1.7 Deploying CS-2001 between the Gateway and LAN (LAN1 and DMZ1) for LAN Users and DMZ Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Gateway: LAN (192.168.1.1), IP range: 192.168.1.x/24; WAN (61.11.11.11) connects to the ADSL Termination Unit Remote to access the Internet.
  • Page 120 Step 1. Go to Network > Interface and then set as below: (Figure 3-26) - Click Port1’s Modify button. - Select WAN for Interface Type. - Select the Connection Type. - Configure the connection settings. - Tick Ping, HTTP and HTTPS. ...
  • Page 121 Step 2. Under Network > Interface, set as below: (Figure 3-27) - Click Port2’s Modify button. - Select LAN for Interface Type. - Select Transparent Bridging for Connection Type. - Tick Ping, HTTP and HTTPS. - Click OK. Figure 3-27 LAN Settings Using Transparent Bridging Mode...
  • Page 122 Step 3. Under Network > Interface, set as below: (Figure 3-28) - Click Port3’s Modify button. - Select WAN for Interface Type. - Select the Connection Type. - Configure the connection settings. - Tick Ping, HTTP and HTTPS. ...
  • Page 123 Figure 3-30 Interface Group Settings Important: 1. The CS-2001 may then operate as two individual switches: Port1(WAN1) and Port2(LAN1) connect to the LAN, while Port3(WAN2) and Port4(DMZ1) connect to the DMZ. The PCs under the two different switches cannot connect to each other.
  • Page 124 Step 6. Users connecting to Port2(LAN1) will use 192.168.1.x/24 to access the Internet. Users on Port4(DMZ1) will use the IP address distributed by the ISP to access the Internet. (Figure 3-31) Figure 3-31 Interface Group Deployment...
  • Page 125 3.1.8 Using the CS-2001 Device as the Gateway and Connecting it to the LAN (There Are Two LAN Interfaces, One Using NAT/Routing, the Other Using Transparent Bridging Mode) for the LAN Users to Access the Internet Prerequisite Setup (Note: IP addresses used as examples only) Configure Port1 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit...
  • Page 126 Step 1. Go to Network > Interface and set as below: (Figure 3-32) - Click Port1’s Modify button. - Select WAN for Interface Type. - Select the Connection Type. - Configure the connection settings. - Tick Ping, HTTP and HTTPS. ...
  • Page 127 Step 2. Go to Network > Interface and then set as below: (Figure 3-33) - Click Port2’s Modify button. - Select LAN for Interface Type. - Select NAT/Routing for Connection Type. - Enter the IPv4 Address and the Netmask. - Tick Ping, HTTP and HTTPS.
  • Page 128 Step 4. Go to Network > Interface Group and then set as below: (Figure 3-35) - Configure Port1(WAN1), Port2(LAN1) and Port3(LAN2) as Group. - Click OK. Figure 3-35 Interface Group Settings Note: 1. Users on the same subnet may then be divided into different interfaces according to their departments.
  • Page 129 Step 5. PCs under sales department (LAN1) and PCs under support department (LAN2) are on 192.168.1.x/24. They will connect to WAN1 and use WAN1’s IP address (61.11.11.11) to access the Internet. You may create the policy to establish the connection between LAN1 and LAN2. (Figure 3-36)...
  • Page 131: Policy Object

    Policy Object...
  • Page 132: Chapter 4 Address

    Chapter 4 Address In Address, the IT administrator may configure the network settings of LAN, WAN and DMZ, as well as designate specific addresses in a network as a group. An IP address might represent a host or a subnet; in either case, the IT administrator may give it an easily identifiable name for better management.
  • Page 133 Terms in Address Name - An easily identifiable name to represent the IP address or addresses. Address Type - Used to designate the IP range, IPv6 address / prefix length or IP / netmask. IP Version - IPv4 or IPv6 can be selected. IP Address - ...
  • Page 134 Note: 1. Under Policy Object > Address > WAN Group, the newly added *CHINA_TELECOM and *CNC selections represent two major ISPs in China. During an outward session, in order to take advantage of policy-based routing (PBR), the device will designate the most appropriate route based upon the destination address.
  • Page 135: Example

    4.1 Example (Settings / Scenario): 4.1.1 LAN - Using DHCP to Grant Only FTP Access to a LAN User with a Specific IP Address; 4.1.2 LAN/WAN Group - Creating a Policy for Certain Users to Connect to a Specific IP Address...
  • Page 136 4.1.1 Using DHCP to Assign an IP to a Specific User and Only Permitting FTP Access Step 1. Under Policy Object > Address > LAN, set as below: (Figure 4-1) - Click New Entry. Type the name of the user in the Name field (e.g., Alex).
  • Page 137 Note: 1. To save the configured data from Policy Object > Address > WAN / LAN / DMZ as a file for storage or modification, use Export data entries. If the list needs to be restored due to accidental modifications etc., use Import data entries. 2.
  • Page 138 Step 2. Go to Policy > Outgoing and configure as below: (Figure 4-3) - Source Address: Select the source address. - Service: Select FTP. - Click OK. (Figure 4-4) Figure 4-3 The Outgoing Policy Settings Figure 4-4 Policy Completed...
  • Page 139 4.1.2 Creating a Policy for Certain Users to Connect to a Specific IP Address Step 1. Create several addresses under Policy Object > Address > LAN. (Figure 4-5) Figure 4-5 The Creation of Several LAN Addresses...
  • Page 140 Step 2. Under Policy Object > Address > LAN Group, set as below: (Figure 4-6) - Click New Entry. - Name: Designate a name for the group. - Select group members from the Available address column on the left, and then click Add. ...
  • Page 141 Step 3. Go to Policy Object > Address > WAN and configure as below: (Figure 4-8) - Click New Entry. - Name: Designate a name for the group. - Address Type: Select IP / Netmask. - IP Version: Select IPv4. ...
  • Page 142 Step 4. Go to Policy > Outgoing and configure as below: (Figure 4-10) - Source Address: Select the LAN address group. - Destination Address: Select the WAN destination address. - Click OK. (Figure 4-11) Figure 4-10 The Policy Settings Figure 4-11 The Completed Policy Settings Note: 1.
  • Page 143: Chapter 5 Service

    TCP and UDP protocols provide different services. These services have an associated port number, for example Telnet = 23, FTP = 21, SMTP = 25, POP3 = 110, etc. The CS-2001 provides control over access to these services using Pre-defined and Custom settings.
  • Page 144 Client Port - The port number of the client user’s PC which is used for connecting to the CS-2001. It is recommended to use the default range (0 to 65535). Server Port - The port number for the customized service.
  • Page 145: Example Of Pre-Defined

    5.1 Example of Pre-defined 5.1.1 Creating a Policy to Permit WAN Users Using VoIP Technology to Communicate with LAN Users (Using VoIP Port Numbers of TCP 1720, TCP 15328-15333 and UDP 15328-15333) Step 1. Go to Policy Object > Address > LAN Group and configure the following settings.
  • Page 146 Step 2. Go to Policy Object > Service > Custom and then configure as below: (Figure 5-3) - Name: Type in a name for the service. - In row number 1 select TCP for the protocol. Leave the Client Port on the default setting.
  • Page 147 Step 3. Go to Policy Object > Virtual Server > Port Mapping and use the settings you created in Policy Object > Service > Custom. (Figure 5-5) Figure 5-5 Using the Pre-defined Service Settings Step 4. Go to Policy > Incoming and configure as below: (Figure 5-6)...
  • Page 148 Step 5. Go to Policy > Outgoing and configure as below: (Figure 5-8) - Source Address: Select the LAN group. - Service: Select the custom service. - Action: Select Port1 (WAN1). - Click OK. (Figure 5-9) Figure 5-8 The Outgoing Policy for VoIP Figure 5-9 The Completed Settings Note: 1.
  • Page 149: Example Of Service Group

    5.2 Example of Service Group 5.2.1 Creating a Policy with a Service Group to Limit Specific LAN Users to Access Only Certain Internet Services (HTTP, POP3, SMTP and DNS) Step 1. Go to Policy Object > Service > Group, and set as below: (Figure 5-10)...
  • Page 150 Figure 5-11 The Added Service Group...
  • Page 151 Step 2. Go to Policy Object > Address > LAN Group and create a LAN Group of specific LAN users that are only permitted to access certain services. (Figure 5-12) Figure 5-12 The Added LAN Group Step 3. Under Policy > Outgoing, set as below: (Figure 5-13)...
  • Page 152 Figure 5-14 The Completed Policy Settings...
  • Page 153: Chapter 6 Schedule

    Chapter 6 Schedule Schedule is used for regulating the activation time of policies. With its help, the IT administrator may determine a specific period of time for each policy to take effect, saving time on system administration.
  • Page 154 Terms in Schedule Name - Designates the name of the schedule. Type - Two modes are provided: - Recurring: Based upon a weekly schedule, with configurable start and end periods for each of the seven days in a week. - One-Time: Provides a start and stop time for a single specific date based upon the year, month, day, hour and minute.
  • Page 155: Example

    6.1 Example 6.1.1 Assigning Daily Internet Access Time Slots for LAN Users Step 1. Under Policy Object > Schedule > Settings, set as below: (Figure 6-1) - Type the name. - Mode: Select either Recurring or One-Time. - Use the drop-down menus to select the required start and end time for each day of the week.
  • Page 156 Step 2. Under Policy > Outgoing, set as below: (Figure 6-3) - Select the pre-defined schedule for Schedule. - Click OK. (Figure 6-4) Figure 6-3 Applying the Schedule to the Policy Figure 6-4 The Completed Policy Settings...
  • Page 157: Chapter 7 QoS

    Chapter 7 QoS QoS provides bandwidth management for LAN users accessing the Internet via the CS-2001. When applied with a Policy, it ensures users are allocated suitable amounts of bandwidth. (Figure 7-1, 7-2) Figure 7-1 The Network with no QoS Figure 7-2 Applying QoS to the Network (Max.
  • Page 158 Terms in Settings Name - The name of the QoS setting. Port - The WAN port to apply QoS. Downstream Bandwidth - Determines the guaranteed bandwidth and maximum bandwidth of the total downstream bandwidth. Upstream Bandwidth - Determines the guaranteed bandwidth and maximum bandwidth of the total upstream bandwidth.
  • Page 159: Example

    7.1 Example 7.1.1 Creating a Policy to Limit Upload and Download Bandwidth Step 1. Under Policy Object > QoS > Settings, set as below: (Figure 7-3) - Click New Entry. Type the Name accordingly. - Configure the bandwidth of Port 2 (WAN1) and Port 3 (WAN2). ...
  • Page 160 Figure 7-4 The Completed QoS Settings...
  • Page 161 Step 2. Under Policy > Outgoing, set as below: (Figure 7-5) - Select the pre-configured QoS setting. - Click OK. (Figure 7-6)...
  • Page 162 Figure 7-5 Applying QoS to a Policy...
  • Page 163 Figure 7-6 The Completed Policy Setting Note: 1. When configuring QoS, the available bandwidth range, such as guaranteed bandwidth and maximum bandwidth, is predefined under Interface > WAN. Thus, when configuring Maximum Downstream Bandwidth and Maximum Upstream Bandwidth under Interface >...
  • Page 164: Chapter 8 Authentication

    Chapter 8 Authentication Authentication regulates users’ access to the Internet. CS-2001 offers five authentication modes, namely User, Group, RADIUS, POP3 and LDAP, adding flexibility to your choice of authentication method.
  • Page 165 Terms in Authentication Authentication Management - Provides basic settings for managing authentication: - Authentication Port Number: The port number designated for authentication. By default, it is 82. - Authentication Idle Timeout: If an authenticated connection has been idle for a period of time, it will expire. The default is 30 minutes. ...
  • Page 166 Figure 8-1 Authentication Management Settings...
  • Page 167 - The authentication login screen appears after a user attempts to access a web site: (Figure 8-2) Figure 8-2 The Authentication Login Screen - An authenticated user will be redirected to the designated web site: (Figure 8-3) Figure 8-3 The User Being Redirected to a Website...
  • Page 168 Note: 1. The Allow password modification mechanism is only applicable to authenticated users. 2. The authentication login screen appears after either trying to access a web site or by typing the management address together with its authentication port number in the address field of a web browser.
  • Page 169: User / Group Authentication

    1. The IT administrator may export the Authentication user list for safe keeping, and restore the list if needed. 2. To use authentication, LAN users must configure their Preferred DNS server in Internet Protocol (TCP/IP) Properties to be the same as the LAN interface address of CS-2001.
  • Page 170 Step 2. Under Policy Object > Authentication > Group, set as below: (Figure 8-5) - Click New Entry. - Group Name: Type a name for the group. - Select group members from the Available Authentication User column on the left, and then click Add. ...
  • Page 171 Step 3. Go to Policy > Outgoing and configure as below: (Figure 8-6) - Authentication: Select the group name that was configured in the previous step. - Click OK. (Figure 8-7) Figure 8-6 Applying the Authentication to a Policy Figure 8-7 The Completed Policy Settings...
  • Page 172 Step 4. The authentication login screen is displayed in the web browser when a LAN user tries to access the Internet. Internet access will be available after entering a valid user name and password in the corresponding fields of the login screen. (Figure 8-8)...
  • Page 173: RADIUS Authentication

    8.2 RADIUS Authentication 8.2.1 Regulating Internet Access with a Policy – An Example using the RADIUS Server from Windows Server 2003 ※ The Configuration of Windows Server 2003 Built-in RADIUS Server Step 1. Go to Start > Settings > Control Panel > Add/Remove Programs, and then click Add/Remove Windows Components on the left.
  • Page 174 Step 3. Select Internet Authentication Service. (Figure 8-11) Figure 8-11 Selecting the Internet Authentication Service Step 4. Go to Start > Settings > Control Panel > Administrative Tools > Internet Authentication Service, and then click it. (Figure 8-12) Figure 8-12 The Path of Internet Authentication Service on the Start Menu...
  • Page 175 Step 5. Right-click RADIUS Clients and then click New RADIUS Client. (Figure 8-13) Figure 8-13 Adding a RADIUS Client Step 6. Type a name and the client address, namely the management address of CS-2001. (Figure 8-14)...
  • Page 176 Figure 8-14 Typing a Friendly Name and the Management Address...
  • Page 177 Step 7. Select RADIUS Standard from the Client-Vendor drop-down list, and then configure the Shared secret and Confirm shared secret to match the shared secret configured on the CS-2001 under Policy Object > Authentication > RADIUS. (Figure 8-15) Figure 8-15 Selecting the Client Vendor and Entering the Password Step 8.
  • Page 178 Figure 8-16 Adding a Remote Access Policy...
  • Page 179 Step 9. Select Use the wizard to set up a typical policy for a common scenario and then type a name in the Policy name field. (Figure 8-17) Figure 8-17 Configuring and Naming the Policy...
  • Page 180 Step 10. Select Ethernet. (Figure 8-18) Figure 8-18 Selecting the Access Method...
  • Page 181 Step 11. Select User. (Figure 8-19) Figure 8-19 Selecting User or Group Access Step 12. Select MD5-Challenge from the drop-down list. (Figure 8-20) Figure 8-20 Selecting an Authentication Method...
  • Page 182 Step 13. Right-click the newly added policy name and then click Properties. (Figure 8-21) Figure 8-21 Configuring the Properties of a Policy...
  • Page 183 Step 14. Select Grant remote access permission and then remove the existing settings. Next, click Add…. (Figure 8-22) Figure 8-22 Configuring the RADIUS Properties...
  • Page 184 Step 15. Select Service-Type to add. (Figure 8-23) Figure 8-23 Select the Attribute Type Step 16. Select Authenticate Only and Framed from the Available types and then click Add. (Figure 8-24) Figure 8-24 Adding the Service Type...
  • Page 185 Step 17. Click on the Edit Profile…, then click the IP tab and then tick Server settings determine IP address assignment. (Figure 8-25) Figure 8-25 Configuring the IP Setting...
  • Page 186 Step 18. Click on the Edit Profile… button, then click on the Authentication tab. Tick Microsoft Encrypted Authentication version 2 (MS-CHAP v2), Microsoft Encrypted Authentication (MS-CHAP), Encrypted authentication (CHAP) and Unencrypted authentication [PAP, SPAP]. (Figure 8-26) Figure 8-26 Configuring the Authentication Settings...
  • Page 187 Step 19. Click on the Edit Profile…, click the Advanced tab and then click Add…. (Figure 8-27) Figure 8-27 Configuring the Advanced Settings...
  • Page 188 Step 20. Select Framed-Protocol and click Add. (Figure 8-28) Figure 8-28 Adding the Attribute...
  • Page 189 Step 21. For Framed-Protocol, select PPP from the Attribute value drop-down list. (Figure 8-29) Figure 8-29 Attribute Setting 1 Step 22. For Service-Type, select Framed from the Attribute value drop-down list. (Figure 8-30) Figure 8-30 Attribute Setting 2...
  • Page 190 Step 23. Go to Start > Settings > Control Panel > Administrative Tools, then select Computer Management. (Figure 8-31) Figure 8-31 Selecting “Computer Management” on the Start Menu Step 24. In the left column, go to Computer Management (Local) > System Tools >...
  • Page 191 Figure 8-32 Adding a User...
  • Page 192 RADIUS server: (Figure 8-33) Figure 8-33 The RADIUS Server Settings Note: 1. You may click Test Connection to test the connection between CS-2001 and the RADIUS server. Step 27. Under Policy Object > Authentication > Group, select RADIUS Server from the Available Authentication User column and then click Add.
  • Page 193 Step 28. Under Policy > Outgoing, set as below: (Figure 8-35) - Select the defined user group for Authentication User. - Click OK. (Figure 8-36) Figure 8-35 Applying the Authentication to a Policy Figure 8-36 The Completed Policy Settings Step 29. The authentication login screen will appear in the web browser with which a LAN user tries to surf the Internet.
  • Page 194: POP3 Authentication

    Step 1. Under Policy Object > Authentication > POP3, set as below: (Figure 8-38) Figure 8-38 The POP3 Server Settings Note: 1. You may click Test Connection to test the connection between CS-2001 and the POP3 server. Step 2. From Policy Object > Authentication > Group, select POP3 User from the Available Addresses column and then click Add.
  • Page 195 Figure 8-39 Adding POP3 User to an Authenticated Group...
  • Page 196 Step 3. Under Policy > Outgoing, set as below: (Figure 8-40) - Authentication: Select the user group. - Click OK. (Figure 8-41) Figure 8-40 Using POP3 Authentication in a Policy Figure 8-41 A Policy with POP3 Authentication Step 4. The authentication login screen appears in the web browser when a LAN user tries to access the Internet.
  • Page 197: LDAP Authentication

    8.4 LDAP Authentication 8.4.1 Regulating Internet Access with a Policy - An Example of Windows Server 2003 Built-in LDAP Server ※ The Configuration of the LDAP Server from Windows Server 2003 Step 1. Go to Start > Settings > Control Panel > Administrative Tools > Manage Your Server.
  • Page 198 Step 3. In the Preliminary Steps window, click Next. (Figure 8-44) Figure 8-44 Preliminary Steps Step 4. In the Server Role window, select Domain Controller (Active Directory) and click Next. (Figure 8-45) Figure 8-45 Server Role...
  • Page 199 Step 5. In the Summary of Selections window, click Next. (Figure 8-46) Figure 8-46 Summary of Selections Step 6. In the Active Directory Installation Wizard window, click Next. (Figure 8-47) Figure 8-47 Active Directory Installation Wizard...
  • Page 200 Step 7. In the Operating System Compatibility window, click Next. (Figure 8-48) Figure 8-48 Operating System Compatibility Step 8. In the Domain Controller Type window, select Domain controller for a new domain, then click Next. (Figure 8-49) Figure 8-49 Domain Controller Type...
  • Page 201 Step 9. In the Create New Domain window, select Domain in a new forest and click Next. (Figure 8-50) Figure 8-50 Creating a New Domain Step 10. In the New Domain Name window, enter the Full DNS name for new domain and then click Next.
  • Page 202 Step 11. In the NetBIOS Domain Name window, type a Domain NetBIOS name and then click Next. (Figure 8-52) Figure 8-52 The NetBIOS Domain Name Step 12. In the Database and Log Folders window, specify the pathname of the Database folder and the Log folder and then click Next. (Figure 8-53)...
  • Page 203 Step 13. In the Shared System Volume window, specify the Folder location and then click Next. (Figure 8-54) Figure 8-54 The Shared System Volume Step 14. In the DNS Registration Diagnostics window, select I will correct the problem later by configuring DNS manually (Advanced) and then click Next.
  • Page 204 Step 15. In the Permissions window, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems and then click Next. (Figure 8-56) Figure 8-56 Permissions Step 16. In the Directory Services Restore Mode Administrator Password window, enter the Restore Mode Password and Confirm password, and then click Next.
  • Page 205 Step 17. In the Summary window, click Next. (Figure 8-58) Figure 8-58 The Summary Step 18. Settings completed. (Figure 8-59) Figure 8-59 Settings Completed...
  • Page 206 Step 19. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers. (Figure 8-60) Figure 8-60 Navigating to “Active Directory Users and Computers” on the Menu Step 20. In the Active Directory Users and Computers window, right-click Users, and then go to New >...
  • Page 207 Step 21. In the New Object–User window, apply your information to the fields, and then click Next. (Figure 8-62) Figure 8-62 New Object – User Settings Step 22. In the New Object – User window, enter the password, and then click Next.
  • Page 208 Step 24. Go to Policy Object > Authentication > LDAP, and then refer to the figure below to configure: (Figure 8-65) Figure 8-65 LDAP Server Settings Note: 1. You may click Test to test the connection between CS-2001 and the LDAP server.
  • Page 209 Step 25. Go to Policy Object > Authentication > Group, then add LDAP User. (Figure 8-66) Figure 8-66 Adding the LDAP User...
  • Page 210 Step 26. Under Policy > Outgoing, set as below: (Figure 8-67) - Select the defined user group for Authentication User. - Click OK. (Figure 8-68) Figure 8-67 Using LDAP Authentication in a Policy Figure 8-68 A Policy with LDAP Authentication Step 27.
  • Page 211: Chapter 9 Application Blocking

    Chapter 9 Application Blocking Application Blocking regulates the control of Instant Messenger Login, File Transfer over IM, Peer-to-Peer Sharing, Multimedia Streaming, Web-Based Mail, Online Gaming, VPN Tunneling, Remote Controlling and Other Applications.
  • Page 212 Note: 1. Once the Proxy Server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 to access the Internet. Instant Messenger Login - Regulates the use of MSN, Yahoo, ICQ/AIM, QQ, Skype, Google Talk, Gadu-Gadu, Rediff, WebIM and Alisoft.
  • Page 213 VPN Tunneling - Regulates the online usage of VNN Client, Ultra-Surf, Tor, Hamachi, HotSpot Shield and FreeGate. Remote Controlling - Regulates the online usage of TeamViewer, VNC and Remote Desktop.
  • Page 214: Example

    9.1 Example (Example / Scenario): 9.1.1 IM - Regulating the Use of IM Software - Messaging and File Transferring; 9.1.2 P2P - Regulating the Use of P2P Software - Downloading and Uploading...
  • Page 215 9.1.1 Regulating the Use of IM Software - Messaging and File Transferring Step 1. Go to Policy Object > Application Blocking > Settings and set as below: (Figure 9-1) - Click New Entry. - Type a name in the Name field. ...
  • Page 216 Figure 9-2 Settings Completed...
  • Page 217 Step 1. Under Policy > Outgoing, set as below: (Figure 9-3) - Application Blocking: Select the name of the Application Blocking setting. - Click OK. (Figure 9-4) Figure 9-3 Applying IM Blocking to a Policy Figure 9-4 A Policy with IM Blocking...
  • Page 218 9.1.2 Regulating the Use of P2P Software - Downloading and Uploading Step 1. Under Policy Object > Application Blocking > Settings, set as below: (Figure 9-5) - Click New Entry. - Type a name in the Name field. - Select Peer-to-Peer Sharing and tick Select All. ...
  • Page 219 Figure 9-6 Settings Completed...
  • Page 220 Step 2. Under Policy > Outgoing, set as below: (Figure 9-7) - Application Blocking: Select the name of the Application Blocking Setting. - Click OK. (Figure 9-8) Figure 9-7 Enabling the P2P Blocking in a Policy Figure 9-8 A Policy with P2P Blocking Note: 1.
  • Page 221: Chapter 10 Virtual Server

    Chapter 10 Virtual Server Virtual server provides services to external users by mapping a real IP address from a WAN port on the CS-2001 to a private IP address within the LAN. - Mapped IPs: Uses Network Address Translation (NAT) to map a real IP address to a private IP address (one-to-one mapping) to provide any service (ports 0-65535).
  • Page 222 Terms in Virtual Server WAN IP - The real IP address of the WAN. Map to Virtual IP - The private network address of a server in the LAN. Server Real IP - The real IP address used by the virtual server. Service - ...
  • Page 223: Example

    10.1 Example (Settings / Scenario): 10.1.1 Mapped IPs - Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy; 10.1.2 Port Mapping - Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy; 10.1.3 Port Mapping - A VoIP Session Between an External and Internal User...
  • Page 224 10.1.1 Using a Server to Provide FTP, Web and Mail Services through the Regulation of a Policy Step 1. Set up a server in the LAN which provides FTP, web and mail services; configure its IP address as 192.168.1.100 and its Preferred DNS server address as that of the external DNS server.
  • Page 225 Step 4. Go to Policy Object > Service > Group, and create a group called Main_Service containing all of the server’s services e.g. DNS, FTP, HTTP, POP3, SMTP, etc. Create another group called Mail_Service comprising the services for enabling the server to send emails. (Figure 10-3)...
  • Page 226 Step 6. Under Policy > Outgoing, set as below: (Figure 10-6) - Source Address: Select the LAN address. - Service: Select Mail_Service. - Click OK. (Figure 10-7) Figure 10-6 Configuring an Outgoing Policy Figure 10-7 The Completed Policy Settings Important: 1.
  • Page 227 Step 7. The completed settings. (Figure 10-8) Figure 10-8 The Server Providing Multiple Services Note: 1. It is strongly recommended not to select ANY for Service when configuring a policy, especially when using a Mapped IP. This is because of the possibility of hackers being able to use some of the exposed services as a means to break into the server.
  • Page 228 10.1.2 Using Multiple Virtual Servers to Host a Web Site through the Regulation of a Policy Step 1. Set up multiple web servers in the LAN using the IP addresses: 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104. Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-9)...
  • Page 229 Figure 10-9 Setting Virtual IP Figure 10-10 The Completed Virtual IP Settings...
  • Page 230 Step 3. Under Policy > Incoming, set as below: (Figure 10-11) - Destination IP: Select the Virtual IP setting. - Service: Select HTTP(8080). - Click OK. (Figure 10-12) Figure 10-11 Applying the Service to Policy Figure 10-12 The Completed Policy Setting Note:...
  • Page 231 Step 4. Settings completed. (Figure 10-13) Figure 10-13 Multiple Servers Hosting a Single Website...
  • Page 232 10.1.3 A VoIP Session Between an External and Internal User (VoIP Ports: TCP 1720, TCP 15321-15333 and UDP 15321-15333) Step 1. Configure internal VoIP user with the IP address: 192.168.1.100. Step 2. Under Policy Object > Address > LAN, set as below: (Figure 10-14)...
  • Page 233 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-16) - Name: Enter the name for the Virtual IP setting. - Server Real IP: Select Port 2 (WAN1) and type 61.11.11.12 in the field, or click Assist Me to select an IP address.
  • Page 234 Step 5. Under Policy > Incoming, set as below: (Figure 10-18) - Destination IP: Select the virtual server setting. - Service: Select the custom service setting. - Click OK. (Figure 10-19) Figure 10-18 Applying the Service to the Policy Figure 10-19 The Completed Policy Setting...
  • Page 235 Step 6. Under Policy > Outgoing, set as below: (Figure 10-20) - Source IP: Select the address setting. - Service: Select the service setting. - Action: Select Port2 (WAN1). - Click OK. (Figure 10-21) Figure 10-20 Setting an Outgoing Policy Figure 10-21 The Completed Settings Important:...
  • Page 236 Step 7. A VoIP session created between an internal and external user. (Figure 10-22) Figure 10-22 The Completed VoIP Setup...
  • Page 237 10.1.4 Using Multiple Virtual Servers to Provide HTTP, POP3, SMTP and DNS Services through the Regulation of a Policy Step 1. Set up multiple servers in the LAN with the IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104 respectively, and then configure their preferred DNS server address as that of the external DNS server.
  • Page 238 Figure 10-25 A Created Group Service...
  • Page 239 Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 10-26) - Name: Enter the name for the setting. - Server Real IP: Select Port3 (WAN2) and type “211.22.22.23” in the field, or click Assist Me to select an IP address. ...
  • Page 240 Step 5. Go to Policy > Incoming and then set as below: (Figure 10-28) - Select the virtual server setting for Destination IP. - Select Main_Service for Service. - Click OK. (Figure 10-29) Figure 10-28 Configuring an Incoming Policy Figure 10-29 Policy Completed...
  • Page 241 Step 6. Go to Policy > Outgoing and set as below: (Figure 10-30) - Select the defined rule from the Source Address drop-down list. - Select Mail_Service from the Service drop-down list. - Click OK. (Figure 10-31) Figure 10-30 Configuring an Outgoing Policy Figure 10-31 Policy Completed Important:...
  • Page 242 Step 7. Settings completed. (Figure 10-32) Figure 10-32 Settings Completed...
  • Page 243: Chapter 11 VPN

    Chapter 11 VPN To obtain a private and secure network link, the CS-2001 is capable of establishing VPN connections. When used in combination with remote client authentication, it links the business’ remote sites and users, conveniently providing the enterprise with an encrypted network communication method. By allowing the...
  • Page 244 Terms in VPN Diffie-Hellman - A cryptographic protocol that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure communications channel. RSA - A kind of asymmetric cryptography. It involves a public key and a private key.
  • Page 245 AH (Authentication Header) - The Authentication Header guarantees connectionless integrity and data origin authentication of IP datagrams. ESP (Encapsulating Security Payload) - The Encapsulating Security Payload provides confidentiality and integrity protection to IP datagrams.
  • Page 246 DES (Data Encryption Standard) - The Data Encryption Standard is a NIST standard encryption algorithm using a 56-bit key. 3DES (Triple-DES) - Triple DES is a block cipher formed from the Data Encryption Standard (DES) cipher by applying it three times. It uses a key of up to 168 bits. AES (Advanced Encryption Standard) - ...
  • Page 247 Terms in One-Step IPSec One-Step IPSec - One-Step IPSec completes the settings in a single step. - Go to Policy Object > VPN > One-Step IPSec, and then refer to the following to configure: - Type a name for the connection in the Name field. (Figure 11-1)...
  • Page 248 Figure 11-3 The Automatically Created IPSec Policy Figure 11-4 The Corresponding Outgoing Policy Figure 11-5 The Corresponding Incoming Policy Note: 1. One-Step IPSec uses default settings (listed below) on most configurations to simplify the procedure of creating a VPN connection with IPSec encryption: ...
  • Page 249 Terms in VPN Wizard: VPN Wizard - It simplifies the settings of a VPN connection. - Under Policy Object > VPN > VPN Wizard, set as below: - Select a connection method and then click Next. (Figure 11-6) - Create a policy for the VPN connection. Click Next when finished. (Figure 11-7)...
  • Page 250 Figure 11-9 Applying Available VPN Trunk to the Policy Figure 11-10 Setting Completed Figure 11-11 An Outgoing Policy Completed Figure 11-12 An Incoming policy Completed...
  • Page 251 Figure 11-13 IPSec Autokey Screen Note: 1. By default, CS-2001 will create an IPSec VPN connection using Dead Peer Detection. If Remote Gateway – Fixed IP or Domain Name has been specified, then the IT administrator may manually create an IPSec VPN connection.
  • Page 252 Click Modify to modify the settings, or click Remove to remove the settings. (Figure 11-14) Figure 11-14 PPTP Server Screen Note: 1. By default, CS-2001 will create a PPTP VPN connection using Echo-Request. If Manual Disconnect is ticked, then the IT administrator shall be able to disconnect the connection manually.
  • Page 253 Click Modify to modify the setting, or click Remove to remove the setting. (Figure 11-15) Figure 11-15 PPTP Client Screen Note: 1. By default, CS-2001 will create a PPTP VPN connection using Echo-Request. If Manual Connection is ticked, then the IT administrator shall be able to create a connection manually.
  • Page 254 Terms in Trunk • The symbols and their descriptions used in the VPN connection status. Symbol Description Disconnected Connecting Name • The description for the VPN trunk. Note: the name must be unique. Source Subnet • The IP address of the source subnet. Destination Subnet •...
  • Page 255 Terms in Trunk Name • The description for the VPN trunk. Note: the name must be unique. Group Member • The groups that are subject to the VPN Trunk rule. Configuration • Click Modify to change the configuration of the VPN trunk; click Remove to remove the setting.
  • Page 256: Example

    11.1 Example Settings Scenario Page 11.1.1 IPSec Autokey Using Two CS-2001 Devices to Mutually Access the Resources of Two Subnets via an IPSec VPN Connection 11.1.2 IPSec Autokey Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device 11.1.3 IPSec Autokey Creating an IPSec VPN Connection between Two...
  • Page 257 Configure Port2 as WAN1(211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. Multiple subnet: 192.168.85.1. IP address range: 192.168.85.x/24 This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company. For A Company, set as below: Step 1.
  • Page 258 Step 3. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of B Company. (Figure 11-20) Figure 11-20 Remote Settings...
  • Page 259 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-21) Figure 11-21 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 260 Step 8. Settings completed. (Figure 11-25) Figure 11-25 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-26) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 261 Figure 11-26 VPN Trunk Settings Figure 11-27 VPN Trunk Created Step 10. Under Policy > Outgoing, set as below: (Figure 11-28) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-29) Figure 11-28 Configuring a Policy with VPN Trunk Figure 11-29 Policy Created...
  • Page 262 Step 11. Under Policy > Incoming, set as below: (Figure 11-30) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-31) Figure 11-30 Creating an Incoming Policy with VPN Trunk Figure 11-31 An Incoming Policy with VPN Trunk Note:...
  • Page 263 For B Company, set as below: Step 1. Under System > Configuration > Multiple Subnets, set as below: (Figure 11-32) Figure 11-32 Multiple Subnet Settings Step 2. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-33)...
  • Page 264 Step 5. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. ( The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-36) Figure 11-36 Authentication Method Settings Step 6. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 265 Step 9. Settings completed. (Figure 11-40) Figure 11-40 IPSec Autokey Settings Completed Step 10. Under Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-41) • Name: Type a name. • Local Settings: Check “LAN”. Local IP / Netmask: Type “192.168.85.0”...
  • Page 266 Figure 11-41 VPN Trunk Settings Figure 11-42 VPN Trunk Created...
  • Page 267 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-43) • Select the defined Trunk for VPN Trunk. • Click OK. (Figure 11-44) Figure 11-43 Using VPN Trunk in an Outgoing Policy Figure 11-44 An Outgoing Policy with VPN Trunk...
  • Page 268 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-45) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-46) Figure 11-45 Creating an Incoming Policy with VPN Trunk Figure 11-46 An Incoming Policy with VPN Trunk...
  • Page 269 Step 13. Settings completed. (Figure 11-47) Figure 11-47 Deployment of IPSec VPN...
  • Page 270 11.1.2 Creating an IPSec VPN Connection under Windows 2000 by a CS-2001 Device Prerequisite Setup (Note: IP addresses used as examples only) A Company uses a CS-2001 device: Configure Port1 as LAN1(192.168.10.1). IP address range:192.168.10.x/24 Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 271 11-50) Figure 11-50 Remote Settings Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-51) Figure 11-51 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 272 Figure 11-54 Advanced Settings of IPSec Autokey Step 8. Settings completed. (Figure 11-55) Figure 11-55 IPSec Autokey Settings Completed Step 9. Under Policy Object > VPN > Trunk, set as below: (Figure 11-56) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 273 Figure 11-56 VPN Trunk Settings Figure 11-57 VPN Trunk Created...
  • Page 274 Step 10. Under Policy > Outgoing, set as below: (Figure 11-58) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-59) Figure 11-58 Creating an Outgoing Policy with VPN Trunk Figure 11-59 Policy Completed...
  • Page 275 Step 11. Under Policy > Incoming, set as below: (Figure 11-60) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-61) Figure 11-60 Creating an Incoming Policy with VPN Trunk Figure 11-61 Policy Completed...
  • Page 276 For B Company, set as below: Step 1. Select Start > Run on the Start menu in Windows 2000. (Figure 11-62) Figure 11-62 Selecting “Run…” on the Start Menu Step 2. In the Open field of the Run window, type “mmc”. (Figure 11-63)...
  • Page 277 Step 3. In the Console 1 window, click Console on the menu bar, and then click Add/Remove Snap-in. (Figure 11-64) Figure 11-64 Selecting “Add / Remove Snap-in” on the Console Menu Step 4. In the Add / Remove Snap-in window, click Add. Then, in the Add Standalone Snap-ins window, select IP Security Policy Management and add it.
  • Page 278 Step 5. Select Local Computer, and then click Finish. (Figure 11-66) Figure 11-66 Selecting Local Computer Step 6. Settings completed. (Figure 11-67) Figure 11-67 Settings Completed...
  • Page 279 Step 7. Right-click the IP Security Policies on Local Machine, and then click Create IP Security Policy. (Figure 11-68) Figure 11-68 Creating an IP Security Policy Step 8. Click Next. (Figure 11-69) Figure 11-69 Security Policy Wizard...
  • Page 280 Step 9. Type the Name and Description and then click Next. (Figure 11-70) Figure 11-70 Name and Description Settings Step 10. Disable Activate the default response rule and then click Next. (Figure 11-71) Figure 11-71 Disable the “Activate the Default Response Rule”...
  • Page 281 Step 11. In the IP Security Policy Wizard window, tick Edit properties and click Finish. (Figure 11-72) Figure 11-72 Settings Completed Step 12. In the VPN_B Properties window, disable Use Add Wizard and then click Add. (Figure 11-73)...
  • Page 282 Figure 11-73 VPN_B Properties...
  • Page 283 Step 13. In the New Rule Properties window, click Add. (Figure 11-74) Figure 11-74 New Rule Properties Step 14. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B WAN TO LAN” and then click Add. (Figure 11-75)...
  • Page 284 Figure 11-75 Adding an IP Filter...
  • Page 285 Step 15. In the Filter Properties window, select “A specific IP Address” for Source address, and then apply B Company’s WAN IP address “211.22.22.22” and subnet mask “255.255.255.255” to the fields. After that, select “A specific IP Subnet” for Destination address, and then type “192.168.10.0”...
  • Page 286 Figure 11-77 IP Filter Added...
  • Page 287 Step 17. In the New Rule Properties window, click Filter Action tab and then tick Require Security. Next, click Edit. (Figure 11-78) Figure 11-78 Selecting Filter Action Step 18. In the Require Security Properties window, tick “Session Key Perfect Forward Secrecy” on the bottom. (Figure 11-79)...
  • Page 288 Figure 11-79 Ticking the “Session Key Perfect Forward Secrecy”...
  • Page 289 Step 19. Select the security method (Custom / None / 3DES / MD5), and then click Edit. (Figure 11-80) Figure 11-80 Selecting a Security Method to Edit Step 20. Select Custom (for expert users), and then click Settings. (Figure 11-81)...
  • Page 290 Figure 11-81 Modifying Security Method...
  • Page 291 Step 21. Tick Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and enter “28800” in the seconds field, and then click OK to return to the New Rule Properties window. (Figure 11-82)...
  • Page 292 Figure 11-83 Selecting the Connection Type...
  • Page 293 Step 23. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then enter “61.11.11.11” as the WAN IP address of A Company. (Figure 11-84) Figure 11-84 Tunnel Setting Step 24.
  • Page 294 Figure 11-85 Authentication Methods Settings...
  • Page 295 Step 25. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-86) Figure 11-86 Preshared Key Settings...
  • Page 296 Step 26. Click Apply, and then click Close to close the window. (Figure 11-87) Figure 11-87 Authentication Methods Settings...
  • Page 297 Step 27. Settings completed. (Figure 11-88) Figure 11-88 Settings Completed...
  • Page 298 Step 28. In the VPN_B Properties window, disable Use Add Wizard; click Add to create the second IP security rule. (Figure 11-89) Figure 11-89 VPN_B Properties Settings...
  • Page 299 Step 29. In the New Rule Properties window, click Add. (Figure 11-90) Figure 11-90 Clicking “Add…” to Add an IP Filter...
  • Page 300 Step 30. In the IP Filter List window, disable Use Add Wizard. Change the Name into “VPN_B LAN TO WAN”, and then click Add. (Figure 11-91) Figure 11-91 Adding an IP Filter...
  • Page 301 Step 31. In the Filter Properties window, select “A specific IP Subnet” for Source address, and then type “192.168.10.0” as A Company‘s subnet address and “255.255.255.0” as subnet mask. After that, select “A specific IP Address” for Destination address, and then type “211.22.22.22” as B Company‘s WAN IP address and “255.255.255.255”...
  • Page 302 Step 32. Settings completed. (Figure 11-93) Figure 11-93 IP Filter Added...
  • Page 303 Step 33. In the New Rule Properties window, click the Filter Action tab; tick Require Security and then click Edit. (Figure 11-94) Figure 11-94 Filter Action Settings Step 34. In the Require Security Properties window, tick Session Key Perfect Forward Secrecy on the bottom. (Figure 11-95)...
  • Page 304 Figure 11-95 Ticking the “Session Key Perfect Forward Secrecy”...
  • Page 305 Step 35. Select the security method (Custom / None / 3DES / MD5), and then click Edit. (Figure 11-96) Figure 11-96 Security Methods Settings Step 36. Select “Custom (for expert users)”, and then click Settings. (Figure 11-97)...
  • Page 306 Figure 11-97 Modifying Security Method...
  • Page 307 Step 37. Check Data integrity and encryption, and select “MD5” for Integrity algorithm and “3DES” for Encryption algorithm. Tick Generate a new key every, and type “28800” in the seconds field, and then click OK to return to the New Rule Properties window (Figure 11-98)...
  • Page 308 Step 38. In the New Rule Properties window, click Connection Type tab and tick All network connections. (Figure 11-99) Figure 11-99 Selecting the Connection Type...
  • Page 309 Step 39. In the New Rule Properties window, click Tunnel Setting tab. After that, tick The tunnel endpoint is specified by this IP Address, and then type “211.22.22.22” as the WAN IP address of B Company. (Figure 11-100) Figure 11-100 Tunnel Settings...
  • Page 310 Step 40. In the New Rule Properties window, click Authentication Methods tab. Next, select the method “Kerberos” and then click Edit on the right. (Figure 11-101) Figure 11-101 Authentication Methods Settings...
  • Page 311 Step 41. Select Use this string to protect the key exchange (preshared key), and then enter the preshared key “123456789” in the field. (Figure 11-102) Figure 11-102 Preshared Key Settings...
  • Page 312 Step 42. Click Apply, and then click Close to close the window. (Figure 11-103) Figure 11-103 New Authentication Method Created...
  • Page 313 Step 43. Settings completed. (Figure 11-104) Figure 11-104 Settings Completed...
  • Page 314 Step 44. In the VPN_B Properties window, click General tab and then click Advanced. (Figure 11-105) Figure 11-105 General Settings of VPN_B Properties...
  • Page 315 Step 45. Tick Master Key Perfect Forward Secrecy and then click Methods. (Figure 11-106) Figure 11-106 Key Exchange Settings Step 46. Click Move up or Move down to arrange the order of selected item. Move the item “IKE / 3DES / MD5” to the top, and then click OK. (Figure 11-107)...
  • Page 316 Step 47. Settings completed. (Figure 11-108) Figure 11-108 IPSec VPN Settings Completed Step 48. Right-click VPN_B and move to Assign, and then click it. (Figure 11-109) Figure 11-109 Assigning a Security Rule to VPN_B...
  • Page 317 Step 49. Select Start > Settings > Control Panel on the Start menu, and then click it. (Figure 11-110) Figure 11-110 Selecting “Control Panel” on the Start Menu Step 50. In the Control Panel window, double-click Administrative Tools. (Figure 11-111) Figure 11-111 Double-Clicking “Administrative Tools”...
  • Page 318 Step 51. In the Administrative Tools window, double-click Services. (Figure 11-112) Figure 11-112 The Services Window Step 52. In the Services window, right-click IPSec Policy Agent and move to Restart, and then click it. (Figure 11-113) Figure 11-113 Restarting IPSec Policy Agent...
  • Page 319 Step 53. Settings completed. (Figure 11-114) Figure 11-114 Deployment of IPSec VPN Using CS-2001 and Windows 2000...
  • Page 320 Configure Port2 as WAN1(211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example uses two CS-2001 devices to establish a VPN connection (using aggressive mode) between A Company and B Company. For A Company, set as below: Step 1.
  • Page 321 and enter the management address of B Company. (Figure 11-117) Figure 11-117 Remote Settings...
  • Page 322 Step 4. Select “Pre-Shared Key” for Authentication Method, and enter a Pre-Shared Key String. (The maximum length of Pre-Shared Key String is 103 characters.) (Figure 11-118) Figure 11-118 Authentication Method Settings Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm;...
  • Page 323 Step 8. Select “Aggressive mode” for Mode. Enter 11.11.11.11 in the My ID field and then enter @abc123 in the Peer ID field. (Figure 11-122) Figure 11-122 Mode Settings Note: 1. My ID / Peer ID Settings: • The ID will be the same as the WAN IP if you leave the field blank. •...
  • Page 324 Step 10. Under Policy Object > VPN > Trunk, set as below: (Figure 11-124) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0” as A Company’s subnet address and “255.255.255.0” as Mask. • Remote Settings: Select Remote IP / Netmask.
  • Page 325 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-126) • Select the defined trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-127) Figure 11-126 Configuring an Outgoing Policy with VPN Trunk Figure 11-127 An Outgoing Policy with VPN Trunk...
  • Page 326 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-128) • Select the defined trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-129) Figure 11-128 Configuring an Incoming Policy with VPN Trunk Figure 11-129 An Incoming Policy with VPN Trunk...
  • Page 327 For B Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click New Entry and then set as below: (Figure 11-130) Figure 11-130 IPSec Autokey Screen Step 2. Enter ipsec2 in the Name field and then select Port2 (WAN1) for WAN Interface.
  • Page 328 Step 5. Below Encryption and Data Integrity Algorithms, select “3DES” for Encryption Algorithm; select “SHA1” for Authentication Algorithm; select “DH 2” for Key Group. (Figure 11-134) Figure 11-134 ISAKMP Algorithm Settings...
  • Page 329 Step 6. Configure the settings under IPSec Algorithm. Select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-135) Figure 11-135 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 330 Step 10. Select Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-139) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask.
  • Page 331 Figure 11-140 VPN Trunk Created...
  • Page 332 Step 11. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-141) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-142) Figure 11-141 Configuring an Outgoing Policy with VPN Trunk Figure 11-142 Policy Completed...
  • Page 333 Step 12. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-143) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-144) Figure 11-143 Configuring an Incoming Policy with VPN Trunk Figure 11-144 Policy Completed...
  • Page 334 Step 13. Settings completed. (Figure 11-145) Figure 11-145 Deployment of IPSec VPN Using Aggressive Mode...
  • Page 335 A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example uses two CS-2001 devices. Assume that A Company wants to create a VPN connection with B Company in order to access files. (GRE / IPSec package...
  • Page 336 For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-146) Figure 11-146 IPSec Autokey Screen Step 2. Enter VPN_01 in the Name field and then select Port2 (WAN1) for the WAN Interface.
  • Page 337 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If Use both algorithms is ticked, select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-151) Figure 11-151 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 338 Step 9. Setting completed. (Figure 11-154) Figure 11-154 IPSec Autokey Settings Completed Step 10. Select Policy Object > VPN > IPSec Autokey, and then click New Entry. Step 11. Type VPN_02 in the Name field and then select Port3(WAN2) for the WAN Interface.
  • Page 339 Step 14. Under the ISAKMP Algorithm section, select “3DES” for Encryption Algorithm; select “MD5” for Authentication Algorithm; select “DH 1” for Key Group. (Figure 11-159) Figure 11-159 ISAKMP Algorithm Settings Step 15. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only.
  • Page 340 Step 18. Settings completed. (Figure 11-163) Figure 11-163 IPSec Autokey Settings Completed Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-164) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.10.0”...
  • Page 341 Figure 11-164 VPN Trunk Settings Figure 11-165 VPN Trunk Created...
  • Page 342 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-166) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-167) Figure 11-166 Configuring an Outgoing Policy with VPN Trunk Figure 11-167 Policy Completed...
  • Page 343 Step 21. Under Policy > Incoming, click New Entry and then set as below: (Figure 11-168) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-169) Figure 11-168 Configuring an Incoming Policy with VPN Trunk Figure 11-169 An Incoming Policy with VPN Trunk Completed...
  • Page 344 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey, and then click New Entry. (Figure 11-170) Figure 11-170 IPSec Autokey Screen Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for WAN Interface.
  • Page 345 Figure 11-174 ISAKMP Algorithm Settings...
  • Page 346 Step 6. Select Use both algorithms below the IPSec Algorithm, or tick Use authentication algorithm only. If Use both algorithms is ticked, select “3DES” for Encryption Algorithm and “MD5” for Authentication Algorithm. (Figure 11-175) Figure 11-175 IPSec Algorithm Settings Step 7. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800”...
  • Page 347 Step 10. Under Policy Object > VPN > IPSec Autokey, click New Entry again. Step 11. Type VPN_02 in the Name field and then select Port3 (WAN2) for Interface. (Figure 11-180) Figure 11-180 Name and Interface Settings Step 12. Select Remote Gateway (Static IP or Hostname) for Remote Settings, and enter the management address of A Company (WAN port 2).
  • Page 348 Algorithm. (Figure 11-184) Figure 11-184 IPSec Algorithm Settings Step 16. Select “Group 1” for PFS Key Group. Enter “3600” in the ISAKMP SA Lifetime field and “28800” in the IPSec SA Lifetime field and then select “Main Mode” for Mode. (Figure 11-185)...
  • Page 349 Step 19. Under Policy Object > VPN > Trunk, set as below: (Figure 11-188) • Name: Type a name. • Local Settings: Select “LAN”. Local IP / Netmask: Type “192.168.20.0” as B Company’s subnet address and “255.255.255.0” as Mask. • Remote Settings: Select Remote IP / Netmask.
  • Page 350 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-190) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-191) Figure 11-190 Using VPN Trunk in an Outgoing Policy Figure 11-191 An Outgoing Policy with VPN Trunk...
  • Page 351 Step 21. Select Policy > Incoming, click New Entry and then set as below: (Figure 11-192) • Select the defined trunk for VPN Trunk. • Click OK. (Figure 11-193) Figure 11-192 Using VPN Trunk in an Incoming Policy Figure 11-193 An Incoming Policy with VPN Trunk...
  • Page 352 Step 22. Settings completed. (Figure 11-194) Figure 11-194 Deployment of IPSec VPN Using GRE/IPSec...
  • Page 353 C Company: Configure Port1 as LAN1(192.168.30.1). IP range:192.168.30.x/24. Configure Port2 as WAN1(121.33.33.33) and connect it to the ADSL Termination Unit Remote to access the Internet. This example uses three CS-2001 devices to establish VPN connections among A Company, B Company and C Company.
  • Page 354 For A Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click New Entry. (Figure 11-195) Figure 11-195 IPSec Autokey Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for Interface.
  • Page 355 Figure 11-199 Configuring the IPSec Algorithm Step 6. Under the IPSec Algorithm section, select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-200) Figure 11-200 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 356 Step 8. Policy Created. (Figure 11-202) Figure 11-202 Policy Created Step 9. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-203) • Type the name in the Name field. • Local Settings: select LAN. Enter the local subnet and the mask. •...
  • Page 357 Figure 11-204 First Trunk Completed Step 10. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button again. (Figure 11-205) Figure 11-205 The IPSec Autokey Page Step 11. Type VPN_02 in the Name field and then select Port2(WAN1) for the Interface.
  • Page 358 1 for Key Group. (Figure 11-209) Figure 11-209 Configuring ISAKMP Algorithm...
  • Page 359 Step 15. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and MD5 for Authentication Algorithm. (Figure 11-210) Figure 11-210 Configuring IPSec Algorithm Step 16. Under the Advanced Settings (Optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 360 Step 18. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-213) • Type the name in the Name field. • Local Settings: select LAN. Enter the IP address and the Mask in the Local IP / Netmask field.
  • Page 361 Step 19. Go to Policy Object > VPN > Trunk Group, click New Entry and then set as below: (Figure 11-215) • Type the name in the Name field. • Move the IPSec_VPN_Trunk_01(LAN) and IPSec_VPN_Trunk_02(LAN) from the Available Trunks column to the Selected Trunks column.
  • Page 362 Step 20. Under Policy > Outgoing, click New Entry and then set as below: (Figure 11-217) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-218) Figure 11-217 Configuring the Outgoing Policy with VPN Trunk Figure 11-218 Policy Created...
  • Page 363 Step 21. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-219) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-220) Figure 11-219 Configuring an Incoming Policy with VPN Trunk Figure 11-220 Policy Created...
  • Page 364 For B Company, set as below: Step 1. Go to Policy Object > VPN > IPSec Autokey and then click the New Entry button. (Figure 11-221) Figure 11-221 The IPSec Autokey Page Step 2. Type VPN_01 in the Name field and then select Port2(WAN1) for Interface.
  • Page 365 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-226) Figure 11-226 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 for PFS Key Group, enter 3600 in the ISAKMP SA Lifetime field, enter 28800 in the IPSec SA Lifetime field and then select Main mode for Mode.
  • Page 366 Step 9. Under Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-229) • Type the name in the Name field. • Local Settings: Select LAN. Local IP / Netmask: Enter the subnet and the mask.
  • Page 367 Step 10. Go to Policy > Outgoing, click the New Entry button and then set as below: (Figure 11-231) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-232) Figure 11-231 Configuring an Outgoing Policy with VPN Trunk Figure 11-232 A Policy with VPN Trunk Created...
  • Page 368 Step 11. Go to Policy > Incoming, click the New Entry button and then set as below: (Figure 11-233) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-234) Figure 11-233 Configuring an Incoming Policy with VPN Trunk Figure 11-234 A Policy with VPN Trunk Created...
  • Page 369 For C Company, set as below: Step 1. Under Policy Object > VPN > IPSec Autokey, click the New Entry button and then set as below: (Figure 11-235) Figure 11-235 The IPSec Autokey Page Step 2. Enter the name in the Name field and then select Port2(WAN1) for Interface.
  • Page 370 Step 6. Under the IPSec Algorithm section, select Use both algorithms. Select 3DES for Encryption Algorithm and then select MD5 for Authentication Algorithm. (Figure 11-240) Figure 11-240 Configuring the IPSec Algorithm Step 7. Under the Advanced Settings (optional) section, select GROUP 1 from the PFS Key Group drop-down list.
  • Page 371 Step 9. Go to Policy Object > VPN > Trunk, click the New Entry button and then set as below: (Figure 11-243) • Type the name in the Name field. • Local Settings: Select LAN. Enter C Company’s subnet / mask 192.168.30.3 / 255.255.255.0 in the field.
  • Page 372 Step 10. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-245) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-246) Figure 11-245 Configuring an Outgoing Policy Figure 11-246 Policy Completed...
  • Page 373 Step 11. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-247) • Select the defined Trunk from the VPN Trunk drop-down list. • Click OK. (Figure 11-248) Figure 11-247 Configuring an Incoming Policy Figure 11-248 Setting Completed...
  • Page 374 Step 12. Setting completed. (Figure 11-249) Figure 11-249 The Deployment of IPSec VPN...
  • Page 375 A Company’s WAN port 1 and B Company’s WAN port 1; A Company’s WAN port 2 and B Company’s WAN port 2. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company.
  • Page 376 1. The IT administrator may allow or deny external users access to the Internet via the CS-2001 device when they establish a VPN connection with it. 2. Auto-disconnect if idle for: if the VPN connection is idle for the defined time, it will be...
  • Page 377 3. To use a RADIUS server (refer to Chapter 8 for RADIUS authentication) to establish a PPTP VPN connection, go to Policy Object > VPN > PPTP Server and create a PPTP Server setting whose User Name is “*” and whose Password is “@radius” for RADIUS authentication. Step 2.
  • Page 378 Figure 11-253 Configuring the Second PPTP Server...
  • Page 379 Figure 11-254 Second PPTP Server Completed...
  • Page 380 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-255) • Type the name in the Name field. • Local Settings: Select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the field. •...
  • Page 381 Note: 1. When Remote IP / Netmask is selected for Remote Settings, you may select only one tunnel to establish the PPTP VPN connection. Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-257)...
  • Page 382 Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-259)  Select the defined VPN from the VPN Trunk drop-down list.  Click OK. (Figure 11-260) Figure 11-259 Configuring an Incoming Policy with VPN Trunk Figure 11-260 Settings Completed...
  • Page 383 For B Company, set as below: Step 1. Go to Policy Object > VPN > PPTP Client and then set as below:  Click New Entry. (Figure 11-261)  Type PPTP_01 in the Username field.  Enter 123456789 in the Password field. ...
  • Page 384 Figure 11-263 Second PPTP Client Setting Completed Figure 11-264 Second PPTP Client Setting Completed Note: 1. When a CS-2001 PPTP Client establishes a VPN connection with a Windows PPTP Server, NAT with PPTP Client must be selected for the PCs behind the CS-2001 to reach the Windows PPTP server.
  • Page 385 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-265)  Enter the name in the Name field.  Local Settings: select LAN. Enter B Company’s local subnet / mask 192.168.20.0/ 255.255.255.0 in the Local IP / Netmask field.
  • Page 386 Figure 11-266 Settings Completed Note: 1. When Remote IP / Netmask is selected for Remote Settings, configure as many PPTP Client tunnels as there are WAN ports.
  • Page 387 Step 3. Go to Policy > Outgoing and then set as below: (Figure 11-267)  Select the defined Trunk from the VPN Trunk drop-down list.  Click OK. (Figure 11-268) Figure 11-267 Configuring an Outgoing Policy Figure 11-268 Setting Completed...
  • Page 388 Step 4. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-269)  Select the defined Trunk from the VPN Trunk drop-down list.  Click OK. (Figure 11-270) Figure 11-269 Configuring an Incoming Policy Figure 11-270 Settings Completed...
  • Page 389 Step 5. Settings completed. (Figure 11-271) Figure 11-271 The Deployment of PPTP VPN...
  • Page 390 Configure Port 2 as WAN1 (211.22.22.22) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet. This example uses two CS-2001 devices to establish a VPN connection between A Company and B Company. For A Company, set as below:...
  • Page 391 Step 1. Go to Policy Object >VPN > PPTP Server and then set as below: (Figure 11-272)  Click Modify.  Click Enable PPTP.  Click Encryption.  Tick Allow Internet access via and then select the port.  Auto-disconnect if idle for: type 0. ...
  • Page 392 Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-273)  Type PPTP_Connection in the Username field.  Type 123456789 in the Password field.  Under Client IP(s) assigned from, click IP Range. ...
  • Page 393 Figure 11-275 Configuring PPTP Connection Figure 11-276 Setting Completed Note: 1. When a CS-2001 PPTP Client establishes a VPN connection with a CS-2001 PPTP Server, NAT with PPTP Client must be selected for the PPTP Client's users to access the Internet via the PPTP Server.
  • Page 394 Step 2. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-277)  Enter the name in the Name field.  Local Settings: select LAN. Type B Company’s subnet/ mask 192.168.20.0 / 255.255.255.0 in the Local IP / Netmask field. ...
  • Page 395 Step 3. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-279)  Select the defined Trunk from the VPN Trunk drop-down list.  Click OK. (Figure 11-280) Figure 11-279 Configuring an Outgoing Policy Figure 11-280 Setting Completed Note:...
  • Page 396 Step 4. Setting Completed. (Figure 11-281) Figure 11-281 Deployment of PPTP VPN Connection...
  • Page 397 Remote (ATUR) to access the Internet. B Company uses a PC running Windows 2000. IP address: 211.22.22.22 This example establishes a VPN connection between one CS-2001 device and one PC running Windows 2000. For A Company, set as below:...
  • Page 398 1. The IT administrator may allow or deny external users Internet access through the CS-2001 once they have established a VPN connection to the CS-2001 PPTP Server. 2. Auto-disconnect if idle for: if the VPN connection is idle for the specified number of minutes, it will be...
  • Page 399 The Client IP Allocation / IP Range must lie within LAN1 (192.168.10.x/24) and must not already be in use. In addition, the external user must establish the PPTP VPN connection to the CS-2001 via IPSec VPN. Step 2. Go to Policy Object > VPN > PPTP Server, click New Entry and then set as below: (Figure 11-283)...
  • Page 400 Step 3. Go to Policy Object > VPN > Trunk, click New Entry and then set as below: (Figure 11-285)  Type the name in the Name field.  Local Settings: select LAN. Type A Company’s subnet / mask 192.168.10.0 / 255.255.255.0 in the Local IP/ Netmask field. ...
  • Page 401 Note: 1. If the external users want to connect to the IPSec VPN subnet, the Local IP/ Netmask must be configured as the IPSec VPN subnet.
  • Page 402 Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 11-287)  Select the defined trunk from the VPN Trunk drop-down list.  Click OK. (Figure 11-288) Figure11-287 Configuring an Outgoing Policy Figure 11-288 Setting Completed...
  • Page 403 Step 5. Go to Policy > Incoming, click New Entry and then set as below: (Figure 11-289)  Select the defined Trunk from the VPN Trunk drop-down list.  Click OK. (Figure 11-290) Figure 11-289 Configuring an Incoming Policy with VPN Trunk Figure 11-290 Setting Completed...
  • Page 404 For B Company, set as below: Step 1. Right-click on My Network Places and then click Properties. (Figure 11-291) Figure 11-291 Selecting “Properties” on the Shortcut Menu of “My Network Places” Step 2. In the Network and Dial-up Connections window, double-click ”Make New Connection”.
  • Page 405 Figure 11-292 Double-Clicking on “Make New Connection”...
  • Page 406 Step 3. In the Location Information window, specify the country / region, area code and phone system accordingly, and then click OK. (Figure 11-293) Figure 11-293 Local Information Settings Step 4. In the Phone And Modem Options window, click OK. (Figure 11-294)...
  • Page 407 Figure 11-294 Phone and Modem Options...
  • Page 408 Step 5. In the Network Connection Wizard window, click Next. (Figure 11-295) Figure 11-295 Network Connection Wizard Step 6. In the Network Connection Type window, select Connect to a private network through the Internet and then click Next. (Figure 11-296) Figure 11-296 Select the “Connect to a private network through the Internet”...
  • Page 409 Step 7. In the Destination Address window, type the host name or IP address in the blank field and then click Next. (Figure 11-297) Figure 11-297 Destination Address Settings Step 8. In the Connection Availability window, select For all users and then click Next.
  • Page 410 Step 9. In the Completing the New Connection Wizard window, type a Connection Name and then click Finish. (Figure 11-299) Figure 11-299 New Connection Created...
  • Page 411 Step 10. In the Connect Virtual Private Connection window, set as below: (Figure 11-300)  User Name: Type “PPTP_Connection”.  Password: Enter 123456789.  Tick Save Password.  Click Connect.  The “Connecting Virtual Private Connection…” dialogue box appears. (Figure 11-301) ...
  • Page 412 Figure 11-302 PPTP VPN Connection Successfully Connected...
  • Page 413 Step 11. Settings completed. (Figure 11-303) Figure 11-303 Deployment of PPTP VPN...
  • Page 414: Mail Security

    Mail Security...
  • Page 415: Chapter 12 Configuration

    Chapter 12 Configuration Mail configuration is the basis on which the mail services operate. This chapter covers the functionality and application of Settings, Mail Domains, Account Manager, Mail Relay, Mail Notice, Queued Mail and Mail Signatures.
  • Page 416 Terms in Settings Log Storage Time  Quarantined spam / virus emails can be assigned a storage time and are deleted when it expires.  You may also decide whether a quarantined email can be retrieved repeatedly or only once. Personal Email Viewer / Email Notification Settings ...
  • Page 417  Tag virus-infected emails with: --Virus--.  Type the subject and the content of the mail notice.  Click OK. (Figure 12-1)...
  • Page 418 Figure 12-1 Configuring the Settings of Mail Security...
  • Page 419  A notice with customized subject and message. (Figure 12-2) Figure 12-2 A Notice Shows Customized Subject and Message  An unscanned email is highlighted with a warning message“---Unscanned---”. (Figure 12-3) Figure 12-3 An Unscanned Email Shows a Warning Message...
  • Page 420  The spam mail’s subject tagged with warning message. (Figure 12-4) Figure 12-4 The Spam Mail’s Subject Tagged with “Spam”  The virus mail’s subject tagged with warning message. (Figure 12-5) Figure 12-5 The Virus Mail’s Subject Tagged with “Virus”...
  • Page 421 Terms in Account Manager Account Learning Settings  The email account will be added in the local mail server automatically once it is proved valid by the mail server.  The accounts can be imported from LDAP server. Terms in Queued Mail Queued Mail ...
  • Page 422: Mail Domains

    12.1 Mail Domains 12.1.1 Using Mail Domains to Filter Emails Step 1. Apply to a local ISP for several domain names, “planet.com.tw”, “supportplanet.com.tw”, “testplanet.com.tw” and “virtualplanet.com.tw” for instance, to provide mail service. The mapped IP address is 172.19.100.164.
  • Page 423 Step 2. Under Mail Management > Configuration > Mail Domains, set as below:  Click the New Entry button to create the first entry.  Type planet.com.tw in the Domain Name field.  Enter the mapped IP address.  Click OK and then modify the domain. (Figure 12-6, 12-7)...
  • Page 424 Figure 12-8 Modifying the First Entry Figure 12-9 Typing the Domain Alias Figure 12-10 Settings Completed Figure 12-11 Creating the Second Entry...
  • Page 425 Figure 12-12 The Second Entry Completed Figure 12-13 Modifying the Second Entry Figure 12-14 Typing the Domain Alias Figure 12-15 Settings Completed...
  • Page 426 Note: 1. The CS-2001 filters emails according to the settings under Mail Security > Configuration > Mail Domains. If no Mail Domains entry exists, the filtered emails are recorded under Mail Security > Mail Reports > Logs > Outbound SMTP.
  • Page 427: Account Manager

     Select Accounts added automatically.  Click OK.  The CS-2001 filters any email passing through by verifying with the mail server that the recipient's account exists.  Select Import from LDAP server and configure the settings.  Click OK.
  • Page 428 Step3. Go to Mail Security > Configuration > Account Manager, import the accounts into the system:  Click the Browse... button. In the Choose file window, locate the file and then click the Open button. (Figure 12-16)  Click the Import button. In the Import Mail Account window, select the file type and then click the OK button.
  • Page 429 Step4. Go to Mail Security > Configuration > Account Manager, add or remove the accounts.  Click the Add button.  Enter the account information. (Figure 12-18)  Click the OK button. (Figure 12-19)  To remove the account, select the account and then click the Remove button.
  • Page 430 Figure 12-20 Removing the Account Note: 1. Once Accounts added automatically is selected, the CS-2001 verifies that the account exists on the mail server before relaying the mail. 2. When Imported from LDAP server is selected, the CS-2001 decides whether to relay the email by verifying the account against the imported LDAP account list.
  • Page 431 Step5. Users may be given permission to access Personal Email Viewer under Mail Security > Configuration > Account Manager.  To permit a user to access Personal Email Viewer, select the account(s) and then click Enable Personal Email Viewer.  Click OK in the confirmation window.
  • Page 432 12.2.2 Accessing Personal Email Viewer Step 1. Type the management address together with the HTTP port (8080) or HTTPS port (1443) in the address field of a Web browser; use the HTTPS port so that the account password is not sent in clear text. (Figure 12-23)  Type the account name and the password.  Select the mail domain from the drop-down list.
  • Page 433 Step 2. Users will be requested to configure user preferences during their first login.  Click Continue. (Figure 12-24)  Configure the User Preferences accordingly. (Figure 12-25)  Click Save.  Settings completed. (Figure 12-26)  Click Continue. Figure 12-24 The Greeting Message Shown upon First Login...
  • Page 434 Figure 12-25 The User Preferences Settings Figure 12-26 User Preferences Settings Completed...
  • Page 435 Step 3. Below shows the CS-2001’s user-friendly, web-based mailbox. (Figure 12-27) Figure 12-27 The Web Mail User Interface...
  • Page 436 12.2.3 Using Whitelist and Blacklist to Filter Emails Suppose the domain name “planet.com.tw” is registered to your organization and you are logged in to Personal Email Viewer as the account “joe”; then: Step 1. Click Preference in the Web Mail main screen and then a pop-up window appears.
  • Page 437 Figure 12-29 Creating the Second Entry of Whitelist Figure 12-30 Settings Completed...
  • Page 438 Step 2. Click Preference in the Personal Email Viewer main screen and then a pop-up window appears. Click the Blacklist button under the User Preference section.  Click the New button.  Type *yahoo* in the Email Address/ Domain Name field. ...
  • Page 439 Figure 12-32 Creating the Second Entry of Blacklist Figure 12-33 Blacklist Created...
  • Page 440 Step 3. When joe@planet.com.tw receives an email from a Yahoo account:  If the mail is from share2k01@yahoo.com.tw, then joe@planet.com.tw will receive it.  If the mail is from another Yahoo account, such as share2k003@yahoo.com.tw, then it will be classified as spam. Step 4.
  • Page 441: Mail Relay

    12.3 Mail Relay 12.3.1 Using CS-2001 as a Gateway (Set the Mail Server in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/Routing Mode) and connect it to the LAN which is using the IP range 192.168.1.X/24.
  • Page 442 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-35)  Select Sender’s IP Address.  Type the IP Address and the Netmask.  Click OK. Figure 12-35 Mail Relay Settings Note: 1.
  • Page 443 12.3.2 Deploying the CS-2001 Device between the Gateway and Mail Server (Mail Server is in DMZ under Transparent Mode) Prerequisite Setup LAN Segment: 172.16.x.x/16 Configure Port1 as WAN1(172.16.1.12) and connect it to the LAN. Configure Port2 as DMZ1 (Transparent Routing mode) and connect it to the mail server.
  • Page 444 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below:  Click New Entry. (Figure 12-37)  Select Sender’s IP Address.  Type the IP Address and the Netmask.  Click OK.  Click New Entry again. (Figure 12-38)...
  • Page 445 12.3.3 Using CS-2001 as Gateway to Enable Branch’s Employees to Send Emails via Headquarters’ Mail Server (Set the Mail Server under DMZ Transparent Routing Mode) Prerequisite Setup Configure Port1 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote (ATUR) to access the Internet.
  • Page 446 Step 2. Go to Mail Security > Configuration > Mail Relay and then set as below: (Figure 12-40)  Select Sender’s IP Address.  Enter the IP Address and the Netmask.  Click OK. Figure 12-40 Mail Relay Settings...
  • Page 447: Mail Notice

    12.4 Mail Notice 12.4.1 Retrieving Spam or Virus Emails from the Mail Notice (An Outlook Express Example) Step 1. All accounts are listed under Mail Security > Configuration > Mail Notice, but only accounts in the Selected Accounts column will be notified: (Figure 12-41)...
  • Page 448 Step 2. Go to Mail Security > Configuration > Mail Notice and then set as below:  Tick Notice for, then select “Both Spam and Viruses” from the drop-down list.  Tick Send Mail Notice on weekends.  Select “00 : 00” for 1st Time. ...
  • Page 449 Note: 1. Accounts in the Selected Accounts column will receive a mail notice based upon schedules when emails sent from or to them are classified as spam or virus emails. 2. Up to six email notifications can be sent based upon the time order, starting from the earliest time set.
  • Page 450: Queued Mail

    12.5 Queued Mail 12.5.1 Monitoring Email Delivery Status Step 1. Go to Mail Security > Configuration > Settings and then set as below:  Max. Lifetime of Queued Mail: 4 hours.  When delivery fails, the system keeps retrying delivery to the recipient periodically until the lifetime expires.
  • Page 451 Step 2. Go to Mail Security > Configuration > Queued Mail to obtain the delivery status.  A symbol, under the Reason column, indicates an email is being processed (delivered). (Figure 12-44 Figure 12-45)  Factors that caused failed deliveries are obtainable and the email can be resent by clicking Resend.
  • Page 452: Mail Signatures

    12.6 Mail Signatures Step 1. Go to Mail Security > Configuration > Mail Signatures and then set as below:  Tick Add signatures to all outgoing messages.  Type the message to be shown in the text field.  Click OK to complete the settings. (Figure 12-46)...
  • Page 453 Step 2. Any email sent from the CS-2001 will now have the signature message appended to the body of the email for the recipient to view. (Figure 12-47) Figure 12-47 Email with the Mail Signatures...
  • Page 454: Chapter 13 Anti-Spam

    Chapter 13 Anti-Spam Users will no longer be disturbed by large influxes of spam. The Anti-Spam mechanism prevents the users from wasting their time on searching for business emails amongst the spam. It also lowers the risk of accidentally deleting business emails when deleting spam.
  • Page 455 Settings must be configured for the CS-2001 to access the Internet. 2. The CS-2001 will apply its default spam filtering settings if no method has been selected. 3. Bayesian filtering is not effective unless at least 200 messages have been classified for spam (Figure 13-1)...
  • Page 456 Spam Actions (Sending)  Outbound spam mail can be deleted, delivered as normal or stored in the quarantine. Spam Actions (Receiving)  Inbound spam mail is delivered; in addition, you may also store a copy in the quarantine.
  • Page 457  The figure below shows that an email’s subject is tagged with the score (optional). (Figure 13-3) Figure 13-3 An Email’s Subject Tagged with the Score Terms in Personal Rule Search  Used for searching for individual emails.  Used for retrieving quarantined emails. Whitelist ...
  • Page 458 Comment  The description of the rule’s name. Classification  When Spam is selected, emails that meet the inspection criteria will be classified as spam.  When Ham (Non-Spam) is selected, emails that meet the inspection criteria will be classified as ham. Action ...
  • Page 459 With “joe” typed as a pattern, emails from any account whose address contains the word “joe” are classified as spam or ham, as the rule specifies.
  • Page 460 Spam Training Using Forwarded Mail  IT administrator may designate a separate email account for reporting spam emails. Through the help of users, spam emails can be reported to CS-2001 to raise filtering accuracy. Ham Training Using Forwarded Mail ...
  • Page 461 Training Schedule  A daily time can be scheduled for spam or ham training.  CS-2001 can also be set to train immediately. An Overview on Email Transmission A mail server acts as an intermediary among users during mail delivery and retrieval.
  • Page 462 The Three Key Elements of Email Transmission An email transmission is achieved by using an MUA, MTA and MDA.  MUA (Mail User Agent): whether sending or receiving email, the end user relies on an MUA, the email client program (one usually comes with the OS); without it, email cannot be accessed.
  • Page 463 How an Email is Processed Composing and sending an email:  Email delivery from an MUA to an MTA: Run a MUA client (email program) and follow the instructions below:  Apply the sender address and the domain name of outgoing mail server (sender MTA), to the corresponding fields.
  • Page 464  Email retrieval: the MUA uses POP (Post Office Protocol) to communicate with the MTA, through which users access their email. Currently, POP3 (Post Office Protocol version 3) is the most popular protocol for incoming email. By default, port 110 is assigned to POP3.
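The SMTP leg of the delivery described above is where the Mail Domains and Mail Relay settings of 12.3 take effect: a recipient in a hosted domain is accepted, a sender inside an allowed relay network is accepted for any domain, and everything else is refused so that the gateway cannot be used as an open relay. The following is an added example written for this page, not CS-2001 code or any documented internal of the device; the hostnames, the domain list, the 192.168.1.0/24 relay network and the client transcript are constructed.

```python
"""Added example, not CS-2001 code: a minimal receive-side SMTP state machine
that applies the two Mail Security decisions described above.
  * Mail Domains - recipient domains hosted behind the gateway (always accepted)
  * Mail Relay   - sender networks (IP address / netmask) allowed to relay
                   to any other domain
Everything else is refused at RCPT TO with a 554 reply, which is what keeps
the gateway from acting as an open relay. Hostnames, addresses, networks and
the client transcript are constructed for this example.
"""
import ipaddress
import re

# Constructed configuration, using the manual's sample domains and LAN range.
MAIL_DOMAINS = {"planet.com.tw", "supportplanet.com.tw"}
RELAY_NETWORKS = [ipaddress.ip_network("192.168.1.0/255.255.255.0")]

ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


def parse_path(arg: str) -> str:
    """Extract user@domain from the argument of MAIL FROM: / RCPT TO:."""
    m = ADDR_RE.fullmatch(arg.strip())
    if not m:
        raise ValueError(f"bad address syntax: {arg!r}")
    return m.group(1).lower()


def may_deliver(sender_ip: str, rcpt: str) -> bool:
    """Local domain -> accept; sender inside a Mail Relay network -> accept; else deny."""
    domain = rcpt.rsplit("@", 1)[1]
    if domain in MAIL_DOMAINS:
        return True
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in RELAY_NETWORKS)


def run_session(sender_ip: str, client_lines: list) -> list:
    """Feed client command lines to a tiny SMTP responder; return the server replies."""
    replies = ["220 cs2001.example ESMTP"]
    state = "connected"          # connected -> helo -> mail -> rcpt -> data
    for line in client_lines:
        if state == "data":      # message body; only the lone "." gets a reply
            if line == ".":
                replies.append("250 OK: queued")
                state = "helo"
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        try:
            if verb in ("HELO", "EHLO"):
                replies.append("250 cs2001.example")
                state = "helo"
            elif verb == "MAIL" and state == "helo":
                parse_path(arg.split(":", 1)[1])
                replies.append("250 OK")
                state = "mail"
            elif verb == "RCPT" and state in ("mail", "rcpt"):
                if may_deliver(sender_ip, parse_path(arg.split(":", 1)[1])):
                    replies.append("250 OK")
                    state = "rcpt"   # at least one accepted recipient
                else:
                    replies.append("554 5.7.1 Relay access denied")
            elif verb == "DATA" and state == "rcpt":
                replies.append("354 End data with <CR><LF>.<CR><LF>")
                state = "data"
            elif verb == "QUIT":
                replies.append("221 Bye")
                break
            else:
                replies.append("503 5.5.1 Bad sequence of commands")
        except (ValueError, IndexError):
            replies.append("501 5.1.3 Bad address syntax")
    return replies


if __name__ == "__main__":
    # Constructed transcript from an Internet host trying to relay through the gateway.
    outsider = ["HELO mx.example.net", "MAIL FROM:<x@example.net>",
                "RCPT TO:<friend@example.org>", "RCPT TO:<joe@planet.com.tw>",
                "DATA", "Subject: test", "", "hello", ".", "QUIT"]
    for reply in run_session("203.0.113.7", outsider):
        print(reply)
```

The outsider's first RCPT TO (a non-local domain from a non-relay address) gets the 554, while the second, addressed to a hosted domain, is accepted; a client on 192.168.1.0/24 would have both accepted.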
  • Page 465: Example

    Scenario Page 13.1.1 Detecting Whether Emails are Spam 13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) 13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering...
  • Page 466 13.1.1 Detecting Whether Emails are Spam Prerequisite Setup Configure Port1 as LAN1(192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range: 61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2(211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 467 Step 3. Under Policy Object > Address > DMZ, set as below: (Figure 13-4) Figure 13-4 Creating an Address Setting Corresponding to the Mail Server Step 4. Under Policy Object > Service > Group, set as below: (Figure 13-5) Figure 13-5 Creating Service Groups to Include the POP3, SMTP or DNS Services...
  • Page 468 Step 5. Go to Policy > Outgoing and then set as below: (Figure 13-6)  Select the defined group (Mail_Service_02) from the Service drop-down list.  Tick POP3 for Anti-Spam.  Click OK. (Figure 13-7)...
  • Page 469 Figure 13-6 Configuring an Outgoing Policy with Group Service and POP3 Anti-Spam...
  • Page 470 Figure 13-7 Policy Created...
  • Page 471 Step 6. Under Policy > WAN to DMZ, set as below: (Figure 13-8)  Select the defined rule from the Destination Address drop-down list.  Select the defined service group (Mail_Service_01) from the Service drop-down list.  Tick POP3 for Anti-Spam. ...
  • Page 472 Figure 13-9 Policy Created...
  • Page 473 Step 7. Go to Policy > DMZ to WAN and then set as below: (Figure 13-10)  Select the defined group from the Source Address drop-down list.  Select the defined service group (Mail_Service_02) from the Service drop-down list.  Tick POP3 for Anti-Spam.
  • Page 474 Figure 13-10 Creating a DMZ to WAN Policy with Group Service and POP3 Anti-Spam...
  • Page 475 Figure 13-11 Policy Created...
  • Page 476 Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-12) Figure 13-12 Anti-Spam Filter Settings and Action Settings...
  • Page 477  Global Rule, Whitelist or Blacklist can be used as criteria to filter spam.  The list of filtered spam cannot be obtained by means of Mail Notice. Step 9. When receiving an email from an external mail account js1720@ms21.pchome.com.tw, CS-2001 will filter the email for spam. Step 10.
  • Page 478 CS-2001 will filter the email for spam.
  • Page 479: Transparent Mode

    13.1.2 Using CS-2001 in Accordance with Whitelist and Blacklist to Filter Spam (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN which is using 192.168.1.x/24.
  • Page 480 Step 3. Go to Policy Object > Service > Group and then set as below: (Figure 13-15) Figure 13-15 Creating Service Groups to Include POP3, SMTP and DNS Service...
  • Page 481 Step 4. Go to Policy > WAN to DMZ and then set as below: (Figure 13-16)  Select the defined rule from the Destination Address drop-down list.  Select the defined rule (Mail_Service_01) from the Service drop-down list.  Select SMTP for Anti-Spam. ...
  • Page 482 Figure 13-17 Policy Created...
  • Page 483 Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-18)  Select the defined rule for Source Address.  Select the defined service (Mail_Service_02) for Service.  Select SMTP for Anti-Spam.  Click OK. (Figure 13-19)...
  • Page 484 Figure 13-18 Creating a DMZ to WAN Policy...
  • Page 485 Figure 13-19 Policy Created...
  • Page 486 Step 6. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 13-20) Figure 13-20 Mail Domain Settings Step 7. Go to Mail Security > Anti-Spam > Settings and then set as below: (Figure 13-21) Figure 13-21 Anti-Spam Settings Note: 1.
  • Page 487 Step 8. Go to Mail Security > Anti-Spam > Whitelist and then set as below:  Click New Entry.  Type share2k01@yahoo.com.tw in the Mail Account field.  Select From for Direction.  Click OK. (Figure 13-22)  Click New Entry again. ...
  • Page 488 Figure 13-25 Creating the Fourth Entry on Whitelist Figure 13-26 Whitelist Setting Completed Note: 1. The Whitelist can be exported to a file for archiving and editing, and imported again later to restore the list.
  • Page 489 Step 9. Go to Mail Security > Anti-Spam > Blacklist and then set as below:  Click New Entry.  Type *yahoo* in the Mail Account field.  Select From for Direction.  Click OK. (Figure 13-27)  Click New Entry again. ...
  • Page 490 3. Whitelist overrides Blacklist; thus, email inspection first consults the Whitelist and then the Blacklist. Step 10. Suppose joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account:  If the sender’s account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it.
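The whitelist-before-blacklist order, and the wildcard entries used both in the Personal Email Viewer example of 12.2.3 and in Steps 8 to 10 above, are easy to get wrong when reproducing the lists elsewhere. The following is an added example for this page, not CS-2001 code: the manual only shows two kinds of entry (an exact address on the Whitelist and *yahoo* on the Blacklist), so the pattern semantics in the code, the "From"/"To" direction handling and the constructed addresses are assumptions made for the example.

```python
"""Added example, not CS-2001 code: the whitelist-before-blacklist sender filter
used in 12.2.3 and in Steps 8-10 above, with the same entries
(share2k01@yahoo.com.tw on the Whitelist, *yahoo* on the Blacklist).
How the device interprets a pattern is not documented beyond those entries,
so these semantics are assumptions made for this example:
  * an entry containing * or ? is a shell-style wildcard (fnmatch)
  * a bare word without "@" matches any address containing it
  * any other entry must equal the whole address
Addresses and messages are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ListEntry:
    pattern: str
    direction: str = "From"   # "From" matches the sender, "To" the recipient


def matches(pattern: str, address: str) -> bool:
    """Case-insensitive match of one list entry against one address."""
    p, a = pattern.lower(), address.lower()
    if any(c in p for c in "*?["):
        return fnmatchcase(a, p)
    if "@" not in p:
        return p in a          # bare word: substring match (assumption)
    return p == a


def entry_hits(entry: ListEntry, sender: str, recipient: str) -> bool:
    target = sender if entry.direction == "From" else recipient
    return matches(entry.pattern, target)


def classify(sender: str, recipient: str, whitelist, blacklist) -> str:
    """Whitelist is consulted first and overrides Blacklist, as the manual's note says."""
    if any(entry_hits(e, sender, recipient) for e in whitelist):
        return "ham"
    if any(entry_hits(e, sender, recipient) for e in blacklist):
        return "spam"
    return "unlisted"   # left to the other methods (Global Rule, Bayesian filter)


# Constructed lists mirroring the manual's example.
WHITELIST = [ListEntry("share2k01@yahoo.com.tw", "From")]
BLACKLIST = [ListEntry("*yahoo*", "From")]

if __name__ == "__main__":
    for sender in ("share2k01@yahoo.com.tw", "share2k003@yahoo.com.tw", "bob@example.org"):
        print(sender, "->", classify(sender, "joe@supportplanet.com.tw", WHITELIST, BLACKLIST))
```

Because the Whitelist is checked first, the exact entry for share2k01@yahoo.com.tw wins over the broader *yahoo* Blacklist entry; reversing the order would make the Blacklist swallow every Yahoo sender, including the one you meant to allow.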
  • Page 491 13.1.3 Deploying CS-2001 in between Gateway and Mail Server and Filtering Spam with Global Rule (Mail Server Is Deployed in DMZ under Transparent Mode) Prerequisite Setup Gateway: 172.16.x.x/16 Configure Port1 as LAN1. Configure Port2 as WAN1 (172.16.1.12) and connect it to the gateway.
  • Page 492 Figure 13-31 Creating Service Groups...
  • Page 493 Step 4. Under Policy > WAN To DMZ, set as below: (Figure 13-32)  Select the defined DMZ for Destination Address.  Select the defined service (Mail_Service_01) for Service.  Select SMTP for Anti-Spam.  Click OK. (Figure 13-33) Figure 13-32 Creating a WAN to DMZ Policy with Service and SMTP Anti-Spam...
  • Page 494 Figure 13-33 Policy Completed...
  • Page 495 Step 5. Under Policy > DMZ To WAN, set as below: (Figure 13-34)  Select the defined DMZ for Source Address.  Select the defined service (Mail_Service_02) for Service.  Select SMTP for Anti-Spam.  Click OK. (Figure 13-35)...
  • Page 496 Figure 13-34 Creating a DMZ to WAN Policy with Service and SMTP Anti-Spam...
  • Page 497 Figure 13-35 Policy Created...
  • Page 498 Step 6. Under Mail Security > Configuration > Mail Domains, set as below: (Figure 13-36) Figure 13-36 Mail Domain Settings Step 7. Under Mail Security > Configuration > Mail Relay, set as below: (Figure 13-37) Figure 13-37 Mail Relay Settings Note: 1.
  • Page 499 Step 8. Under Mail Security > Anti-Spam > Settings, set as below: (Figure 13-38) Figure 13-38 Anti-Spam Settings Note: 1. An email that meets a Global Rule will be processed based on the corresponding Action setting of the Global Rule.
  • Page 500 Step 9. Go to Mail Security > Anti-Spam > Global Rule and then set as below:  Click New Entry.  Type HamMail in the Rule Name field.  Type Ham Mail in the Comment field.  Select Ham (Non-Spam) for Classification. ...
  • Page 501 Note: 1. The Action setting of a Global Rule is unavailable when Classification is Ham (Non-Spam), because normal emails need no additional processing before delivery to the recipient.
  • Page 502 Step 10. Go to Mail Security > Anti-Spam > Global Rule and then set as below:  Click New Entry.  Type SpamMail in the Rule Name field.  Type Spam Mail in the Comment field.  Select Spam for Classification. ...
  • Page 503 The email header can be used as a reference when configuring the Condition and Item of a Global Rule. Figure 13-43 shows the header of an email. To view a header, select any email in Outlook Express, right-click it and choose Properties on the shortcut menu. In the window that appears, click the Details tab for the header information. (Figure 13-43)...
  • Page 504 Step 11. Suppose joe@supportplanet.com.tw and steve@supportplanet.com.tw both receive an email from a Yahoo account:  If the sender’s account is share2k01@yahoo.com.tw, then both Joe and Steve will receive it.  But if the sender’s account is share2k003@yahoo.com.tw, only Joe will receive it. The email sent to Steve will be classified as spam and quarantined.
  • Page 505 13.1.4 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham-Filtering (An Outlook Express Example) To train spam filtering: Step 1. In Outlook Express, create a new folder named “Spam Mail”:  Right-click Local Folders, and then select New Folder. (Figure 13-44)...
  • Page 506 Figure 13-45 Naming the Folder as Spam Mail...
  • Page 507 Step 2. Click Inbox in Outlook Express, and then move the spam to the Spam Mail folder  In Inbox, select all the spam, right-click them, and then move to Move to Folder on shortcut menu. (Figure 13-46)  Select Spam Mail folder in the Move window, and then click OK. (Figure 13-47)...
  • Page 508 Figure 13-47 Selecting the “Spam Mail” Folder...
  • Page 509 Step 3. Compact the Spam Mail folder to make importing the spam messages onto the CS-2001 for spam filtering training easier:  Click the Spam Mail folder. (Figure 13-48)  In the upper left corner, click File, point to Folder, and then click Compact.
  • Page 510 Figure 13-49 Compacting the Spam Mail Folder...
  • Page 511 Step 4. Copy the pathname of the Spam Mail folder to CS-2001 device for training use:  Right-click Spam Mail folder, and then click Properties on shortcut menu. (Figure 13-50)  In the Spam Mail Properties window, copy the pathname.
  • Page 512 Figure 13-51 Copying the Pathname of the Spam Mail Folder...
  • Page 513 Step 5. Go to Mail Security > Anti-Spam > Training and then configure the settings under the Spam Training Using Importing section:  Paste the pathname of the Spam Mail folder in the Import Spam Mail from field.  Click the lower right OK to import the folder; the spam filtering will be trained on schedules.
  • Page 514 Step 6. Delete all spam emails in the Spam Mail folder; since they have been compressed and uploaded to CS-2001, they are of no use any longer:  In the Spam Mail folder, select all emails, right-click them, and then click Delete on shortcut menu.
  • Page 515 Figure 13-54 All Spam Emails Have Been Deleted To train ham filtering: Step 7. In Outlook Express, create a new folder called “Ham Mail”:  Right-click Local Folders, and then select New Folder. (Figure 13-55)  In the Create Folder window, type “Ham Mail” in the Folder name field, and then click OK.
  • Page 516 Figure 13-55 Creating a New Folder Figure 13-56 Naming the Folder as Ham Mail...
  • Page 517 Step 8. Click Inbox in Outlook Express, and then move normal emails to the Ham Mail folder:  In Inbox, select all the hams, right-click them, and then move to Move to Folder on shortcut menu. (Figure 13-57)  Select Ham Mail folder in the Move window, and then click OK. (Figure 13-58)...
  • Page 518 Figure 13-58 Selecting the Ham Mail Folder...
  • Page 519 Step 9. Compact the Ham Mail folder for ease of importing normal email messages onto the CS-2001 for ham filtering training:  Click the Ham Mail folder. (Figure 13-59)  In the upper left corner, click File, point to Folder, and then click Compact.
  • Page 520 Figure 13-60 Compacting the Ham Mail Folder...
  • Page 521 Step 10. Copy the pathname of the Ham Mail folder to CS-2001 device for training use:  Right-click the Ham Mail folder, and then click Properties on shortcut menu. (Figure 13-61)  In the Ham Mail Properties window, copy the pathname.
  • Page 522 Figure 13-62 Copying the Pathname of the Ham Mail Folder...
  • Page 523 Step 11. Go to Mail Security > Anti-Spam > Training and configure the settings under the Ham Training Using Importing section: - Paste the pathname of the Ham Mail folder into the Import ham mail from field. - Click the lower right OK to import the folder; the ham filtering will be trained on schedule.
  • Page 524 Step 12. Delete all emails in the Ham Mail folder; since they have been compressed and uploaded to CS-2001, they are of no further use: - In the Ham Mail folder, select all normal emails, right-click them, and then click Delete on the shortcut menu.
  • Page 525 Figure 13-65 All Normal Emails Have Been Deleted...
  • Page 526 13.1.5 Improving Bayesian Filtering Accuracy by Training Spam Filtering / Ham Filtering Step 1. On your mail server, create an email account, such as spam@supportplanet.com.tw, for gathering spam emails. Step 2. On your mail server, create an email account, such as ham@supportplanet.com.tw, for gathering normal emails.
  • Page 527 Step 4. In Mail Security > Anti-Spam > Training, configure the Ham Training Using Forwarded Mail setting according to the relevant information of ham@supportplanet.com.tw: - POP3 Server - Enter the user name and the password. - Click OK. (Figure 13-66) Figure 13-66 Email Accounts Used for Gathering Normal/ Spam Messages and Training...
  • Page 528 To train spam filtering: Step 5. In Outlook Express, forward all spam emails in the Inbox as attachments to spam@supportplanet.com.tw: - In Inbox, select all spam emails, right-click any of the selected emails, and then click Forward As Attachment on the shortcut menu. (Figure 13-67)...
  • Page 529 Figure 13-68 Forwarding the Selected Spam Emails as Attachment...
  • Page 530 To train ham filtering: Step 6. In Outlook Express, forward all normal emails in the Inbox as attachments to ham@supportplanet.com.tw: - In Inbox, select all normal emails, right-click any of the selected emails, and then click Forward As Attachment on the shortcut menu. (Figure 13-69)...
  • Page 531 Figure 13-70 Forwarding the Selected Normal Emails as Attachment...
  • Page 532 Step 7. CS-2001 will retrieve emails from spam@supportplanet.com.tw and ham@supportplanet.com.tw periodically and use them for training on schedule. (Figure 13-71) Figure 13-71 Training Schedule Settings...
  • Page 534: Chapter 14 Anti-Virus

    Chapter 14 Anti-Virus Due to its inbound and outbound email anti-virus scanning capabilities, CS-2001 guards against the extensive damage that virus infections can inflict on your business.
  • Page 535 - Sophos: the purchase of an end-user license is required for legal use. Note: 1. To ensure that the CS-2001 is updated successfully, click Test Connection to check whether the connection to the virus definition server works before running the update. 2. Once the Proxy Server is deployed, the proxy settings under System > Configuration >...
  • Page 536 Figure 14-1 Anti-Virus Settings Note: 1. Three virus-scanning modes available for users are ClamAV, Sophos and ClamAV+Sophos.
  • Page 537: Example

    14.1 Example Scenario: 14.1.1 Filtering Out the Virus Emails on Mail Server; 14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode)
  • Page 538 14.1.1 Filtering Out the Virus Emails on Mail Server Prerequisite Setup Configure Port1 as LAN1 (192.168.1.1, NAT/ Transparent Routing mode) and connect it to the LAN, which is using 192.168.1.x/24. Configure Port2 as WAN1 (61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 539 Step 4. Go to Policy Object > Service > Group, set as below: (Figure 14-3) Figure 14-3 Creating Service Groups to Include the POP3, SMTP and DNS Services...
  • Page 540 Step 5. Under Policy > Outgoing, set as below: (Figure 14-4) - Select the defined service (Mail_Service_02) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-5)...
  • Page 541 Figure 14-4 Creating an Outgoing Policy with Service and POP3 Anti-Virus Figure 14-5 Policy Created...
  • Page 542 Step 6. Under Policy > WAN To DMZ, set as below: (Figure 14-6) - Select the defined DMZ for Destination Address. - Select the defined service (Mail_Service_01) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-7) Figure 14-6 Creating a WAN to DMZ Policy with Service and POP3 Anti-Virus...
  • Page 543 Figure 14-7 Policy Created...
  • Page 544 Step 7. Under Policy > DMZ To WAN, set as below: (Figure 14-8) - Select the defined DMZ for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select POP3 for Anti-Virus. - Click OK. (Figure 14-9)...
  • Page 545 Figure 14-8 Creating a DMZ to WAN Policy with Service and POP3 Anti-Virus...
  • Page 546 Figure 14-9 Policy Created...
  • Page 547 Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-10) Figure 14-10 Anti-Virus Settings...
  • Page 548 Step 9. When receiving emails from an external mail account, such as js1720@ms21.pchome.com.tw, CS-2001 will scan the emails for viruses. Step 10. When an external user receives emails from an internal account, such as joe@supportplanet.com.tw, CS-2001 will scan the emails for viruses.
  • Page 549 14.1.2 Using CS-2001 as a Gateway to Filter Out Virus Emails (Mail Server Is Deployed in LAN under NAT Mode) Prerequisite Setup Configure Port1 as LAN1 (192.168.2.1, NAT/Routing mode) and connect it to the LAN, which is using 192.168.2.x/24. Mail Server: using LAN1 IP address (192.168.2.12) mapped to WAN1 IP address (61.11.11.12).
  • Page 550 Figure 14-13 Creating Service Groups to Include POP3, SMTP and DNS Service Step 4. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 14-14) Figure 14-14 Port Mapping Settings...
  • Page 551 Step 5. Under Policy > Incoming, set as below: (Figure 14-15) - Select the defined virtual server for Destination Address. - Select the defined service (Mail_Service_01) for Service. - Select SMTP for Anti-Virus. - Click OK. (Figure 14-16) Figure 14-15 Creating an Incoming Policy with Service and SMTP Anti-Virus...
  • Page 552 Figure 14-16 Policy Completed...
  • Page 553 Step 6. Under Policy > Outgoing, set as below: (Figure 14-17) - Select the defined LAN address for Source Address. - Select the defined service (Mail_Service_02) for Service. - Select SMTP for Anti-Virus. - Click OK. (Figure 14-18)...
  • Page 554 Figure 14-17 Creating an Outgoing Policy with Service and SMTP Anti-Virus...
  • Page 555 Figure 14-18 Settings Completed...
  • Page 556 Step 7. Go to Mail Security > Configuration > Mail Domains and then set as below: (Figure 14-19) Figure 14-19 Mail Domain Settings Step 8. Go to Mail Security > Anti-Virus > Settings and then set as below: (Figure 14-20) Figure 14-20 Anti-Virus Settings Note:...
  • Page 557 Step 9. When “Joe”, an internal user at supportplanet.com.tw, receives emails from external mail accounts at yahoo.com.tw: - The virus mail from share2k01@yahoo.com.tw will be stored in the quarantine. - The regular mail from share2k003@yahoo.com.tw will be sent to joe@supportplanet.com.tw. Step 10.
  • Page 558: Chapter 15 Mail Reports

    Chapter 15 Mail Reports CS-2001 provides you with email reports in the form of statistics and logs, presenting you with a thorough insight into the email activities of the business.
  • Page 559 Terms in Setting Periodic Report Scheduling Settings - Generates and sends out the periodic report to the designated recipient(s) on schedule. History Report Scheduling Settings - Generates and sends the history report to the designated recipient(s) on schedule.
  • Page 560 Figure 15-2 Periodical Report Sent as an Attachment...
  • Page 561 Terms in Logs Search - Available search criteria are: date, sender, sender IP, recipient, attachment, subject, attribute and process. - Go to Mail Security > Mail Reports > Logs, click the Search icon and then set as below: - Enable the search duration and then specify a period of time. ...
  • Page 562 Figure 15-3 Searching for a Specific Log Note: 1. How to open an “.mbx” file (exported from quarantined or archived emails) on your local computer: - Convert the “.mbx” file into an “.eml” file with an mbx2eml application (e.g., IMAPSize) and then run Outlook Express to open the “.eml”...
  • Page 563 - Run IMAPSize, go to Tools > mbox2eml on the menu bar, and then click it. (Figure 15-26) - In the mbox2eml window, click the Select mbox files to convert button, locate the “.mbx” file, click Open, and then click Convert to start converting the file into an “.eml”...
  • Page 564 Figure 15-26 Navigating to Tools > Mbox2eml on the Menu Bar Figure 15-27 Locating the “.mbx” File to be Converted...
  • Page 565 Figure 15-28 Converting the “.mbx” File into an “.eml” File Figure 15-29 File Conversion Completed...
  • Page 566 Figure 15-30 Clicking and Dragging the “.eml” File into Outlook Express to Open It...
  • Page 567: Statistics

    15.1 Statistics Step 1. Mail Security > Mail Reports > Statistics shows a comprehensive statistical report. Step 2. In the upper left corner, click Day for a daily statistics report; click Week for a weekly statistics report; click Month for a monthly statistics report; click Year for an annual statistics report.
  • Page 568: Logs

    15.2 Logs Step 1. Under Mail Security > Mail Reports > Logs, it shows how emails are processed.
  • Page 569 The symbols used in Logs (one symbol per entry): - Attribute: Regular, Spam, Virus, Unscanned. - Process: Deleted, Notified, Delivered, Stored, Retrieved. - Attachment:...
  • Page 570: Web Filter

    Web Filter...
  • Page 571: Chapter 16 Configuration

    Chapter 16 Configuration Regulating the websites that employees may access improves productivity and protects the network from the damage caused by malicious software or code. - Whitelist: To permit access to specific websites, the IT administrator may enter the complete URL, or a URL in combination with a wildcard (*). ...
  • Page 572 Terms in Setting URL Blocking License - To activate the Category feature for URL Blocking, the license key must be imported into the device here. - Each license key is unique to the device it was purchased for, thus the key is invalid if used on other devices.
  • Page 573 Figure 16-1 Web Filter Settings Note: 1. Before enabling syslog, please configure the syslog setting under System > Configuration > Settings.
  • Page 574 - The alert message is displayed when an internal user tries to access a blocked web page. (Figure 16-2) Figure 16-2 The Alert Message Terms in Whitelist Name - The name of the Whitelist. - Specifies permitted URLs. - The asterisk character (“*”) allows any website. Terms in Blacklist Name ...
  • Page 575 - Specifies any URLs required to be blocked. - The asterisk character (“*”) blocks any website. Terms in Category Name - The name for the Category. Member - Provides the following categories: Anti-Social and Illegal, Pornographic and Abusive, Gaming and Gambling, Society and Commerce, Communication and Technology, Leisure, Information and Education, and Other.
  • Page 576 Terms in MIME/Script Name - The name of the MIME/Script entry. Script - Window Popup: blocks popup windows. - Microsoft ActiveX: disallows the execution of ActiveX. - Java Applet: disallows the execution of Java applets. - Web Cookie: blocks web cookies. MIME Type - MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of e-mail.
  • Page 577 - video/mpeg - application/octet-stream - application/pdf - application/msword Important: 1. To apply the Whitelist, Blacklist, Category, File Extensions and MIME/Script to the Policy, those rules need to be added to a Group first.
  • Page 578: Example

    16.1 Example Settings and Scenario: 16.1.1 (Whitelist, Blacklist, Group) Regulating User’s Access to Specific Websites Using Blacklist and Whitelist; 16.1.2 (Category, File Extensions, MIME/Script, Group) Regulating User’s Access to Specific Websites, Downloading or Uploading Specific File Extensions via HTTP or FTP, or the Access to Specific MIME Types / Script Types...
  • Page 579: Blacklist And Whitelist

    16.1.1 Regulating User’s Access to Specific Websites Using Blacklist and Whitelist Step 1. Go to Web Filter > Configuration > Whitelist and then set as below: - Click New Entry. - Type the name in the Name field. - In the URL field, type the keyword of the URL, such as yahoo. ...
  • Page 580 Note: 1. The Whitelist can be exported as a file for storage, which can be used for restoring the list later. Step 2. Go to Web Filter > Configuration > Blacklist and then set as below: (Figure 16-6) - Type the name in the Name field. ...
  • Page 581 Step 3. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-8) - Type the name in the Name field. - Move the Whitelist from the Available Whitelists column to the Selected Whitelists column. ...
  • Page 582 Figure 16-8 Group Settings for URL Blocking...
  • Page 583 Figure 16-9 The Completed Group Settings...
  • Page 584 Step 4. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-10) - Select the defined group from the Web Filter drop-down list. - Click OK. (Figure 16-11) - By applying this policy, only websites containing “yahoo” or “google” in the domain name will be permitted.
  • Page 585 16.1.2 Regulating User’s Access to Specific Websites, Downloading or Uploading Specific File Extensions via HTTP or FTP, or the Access to Specific MIME Types / Script Types Step 1. Go to Web Filter > Configuration > Category, click New Entry and then set as below: (Figure 16-12)...
  • Page 586 Figure 16-13 The Completed Category Settings...
  • Page 587 Step 2. Go to Web Filter > Configuration > File Extensions, click New Entry and then set as below: (Figure 16-14) - Type the name in the Name field. - Select All types of file extensions. - Click OK. (Figure 16-15) Figure 16-14 Blocking the Specific File Extension Figure 16-15 Setting Completed Note:...
  • Page 588 Figure 16-16 Adding a New Extension Figure 16-17 Typing a New Extension Figure 16-18 File Extension Added...
  • Page 589 Step 3. Go to Web Filter > Configuration > MIME/Script, click New Entry and then set as below: (Figure 16-19) - Type the name in the Name field. - Under the Forbidden File Extensions section, tick Window Popup, Microsoft ActiveX, Java Applet and Web Cookie. ...
  • Page 590 - Click Modify and then click Add. (Figure 16-21) - Enter the MIME Types in the field. - Click OK. (Figure 16-22, 16-23) Figure 16-21 Configuring the MIME Type Figure 16-22 Adding the MIME Types Figure 16-23 MIME Type Added...
  • Page 591 Step 4. Go to Web Filter > Configuration > Group, click New Entry and then set as below: (Figure 16-24) - Type the name in the Name field. - Select the defined category from the Category drop-down list. - Select the defined rule from the Upload Blocking drop-down list and the Download Blocking drop-down list.
  • Page 592 Figure 16-24 Configuring the URL Group...
  • Page 593 Figure 16-25 Setting Completed...
  • Page 594 Step 5. Go to Policy > Outgoing, click New Entry and then set as below: (Figure 16-26) - Select the defined group from the Web Filter drop-down list. - Click OK. (Figure 16-27) Figure 16-26 Configuring the Policy Figure 16-27 Policy Completed...
  • Page 595: Chapter 17 Reports

    Chapter 17 Reports Reports provides the IT administrator with detailed statistics and logs regarding users’ access to websites.
  • Page 596 Terms in Setting Periodic Report Scheduling Settings - Generates and sends out a periodic report to the designated recipient(s) based on a schedule. History Report Retrieving Settings - Generates the report of a specific date and instantly sends it to the designated recipient(s).
  • Page 597 Figure 17-2 A Daily Report Sent through an Email Message...
  • Page 598 Terms in Logs Search - Category: Available search criteria are time, source IP address, website, classification and action. - Upload: Available search criteria are time, source IP address, website, file, rule and action. - Download: Available search criteria are time, source IP address, website, file, rule and action.
  • Page 599 Figure 17-13 Searching for the Specific Logs Note: 1. Under Web Filter > Reports > Logs, the Category reports can be sorted by the time, source IP, website, class or action. 2. Under Web Filter > Reports > Logs, the download and the upload report can be sorted by the time, source IP, website, class and action.
  • Page 600: Statistics

    17.1 Statistics Step 1. Under Web Filter > Reports > Statistics, bar charts show the URL blocking report. Step 2. In the upper left corner, click on a time reference from which to display the bar charts. Click on Day for bar charts derived from daily statistics; click on Week for bar charts derived from weekly statistics;...
  • Page 601 Step 4. Below it shows the statistics report. (Figure 17-15) - The Y-axis indicates the number of scanned URLs. - The X-axis indicates the time.
  • Page 603 Figure 17-15 Statistics Report...
  • Page 604: Logs

    17.2 Logs Step 1. Under Web Filter > Reports > Logs, it shows the URL blocking logs. (Figure 17-16) Figure 17-16 URL Blocking Logs...
  • Page 606: Chapter 18 Configuration

    Chapter 18 Configuration In order to protect your network from various security threats, the device produces timely alerts and blocking mechanisms based upon anomaly flows and the inspection of packet contents.
  • Page 607 1. To ensure signature definitions can be updated successfully, click on Test Connection to check the connection to the designated IDP definition server. 2. Once the Proxy Server is deployed, the proxy settings under System > Configuration > Settings must be configured for the CS-2001 to access the Internet. IDP Logging Setting -
  • Page 608 - Type 60 in the Storage Lifetime field. - Click OK. (Figure 18-1) Figure 18-1 IDP Settings Note: 1. To enable Syslog, the IT administrator must configure the Syslog Message Settings under System > Configuration > Settings first.
  • Page 609 - When attacks are detected, the IT administrator will receive both an email notification and a NetBIOS notification. Also, a corresponding log will be available under IDP > IDP Reports > Logs. (Figure 18-2, 18-3) Figure 18-2 An Email Notification Figure 18-3 A NetBIOS Notification...
  • Page 610 Note: 1. The IDP log is generated according to the “Log” setting under IDP > Signatures > Anomaly / Pre-defined / Custom.
  • Page 611: Chapter 19 Signatures

    Chapter 19 Signatures To protect your company's network from malicious intrusions and attacks, the CS-2001 provides alerts and blocking mechanisms based upon the inspection of packets and the detection of anomaly traffic flows. Regardless of whether the attack originated internally or externally, the device ensures that legitimate network traffic remains secure and undisturbed.
  • Page 612 Terms in Signatures Anomaly - Available signatures are syn flood, udp flood, icmp flood, portscan and http inspect. (Figure 19-1) - You may specify the action taken upon the detection of an anomaly flow. Available actions are Pass, Drop and Reject. Available alert options are Log and Alert. Figure 19-1 Anomaly Settings...
  • Page 613 Pre-defined - Available signatures are Attack Responses, Backdoor, Bad Traffic, Chat, DDoS, DNS, DoS, Exploit, Finger, FTP, ICMP, IMAP, Info, Misc, MySQL, NetBIOS, NNTP, Oracle, Policy, POP2, POP3, Porn, RPC, Rservices, Scan, Shellcode, SMTP, SNMP, Spyware, SQL, Telnet, TFTP, Web CGI, Web Client, Web Coldfusion, Web Frontpage, Web IIS, Web Misc, Web PHP, X11 and other.
  • Page 614 Figure 19-2 Pre-Defined Settings...
  • Page 615 Note: 1. All the signatures under the IDP > Signatures > Pre-defined are processed according to the Default Settings for Each Risk Level settings under IDP > Configuration > Settings. However, after the settings under IDP > Configuration > Settings, the user may go to IDP > Signatures >...
  • Page 616 Name - The name of the signature. Protocol - Determines which IP version (IPv4, IPv6) and communication protocol to detect and protect. Source IP / Netmask - The IP address / netmask where the attack is from. Source Port - The port number where the attack is from.
  • Page 617: Example

    19.1 Example 19.1.1 Adopting Packet Inspection along with Custom and Pre-Defined Signatures to Detect and Prevent Intrusions Step 1. Under IDP > Configuration > Settings, set as below: (Figure 19-3) Figure 19-3 IDP Settings...
  • Page 618 Step 2. Go to IDP > Signatures > Anomaly and then set as below: (Figure 19-4) - Enable the signatures and configure the settings. - Click OK. Figure 19-4 Anomaly Settings...
  • Page 619 Step 3. Under IDP > Signatures > Pre-defined, set as below: (Figure 19-5) - Select the signatures. - Click OK. Figure 19-5 Pre-Defined Settings...
  • Page 620 Step 4. Go to IDP > Signatures > Custom and set as below: (Figure 19-6) - Type the name in the Name field. - Select IPv4 for IP Version and TCP for Communication Protocol. - Type the Source Port No. ...
  • Page 621 Note: 1. You may type a word string in the Content Pattern field; or convert it to hexadecimal ASCII code and then paste it into the field. (E.g., the word “cracks” can also be converted to |63 72 61 63 6b 73|) Step 5.
  • Page 622 Figure 19-8 Applying the IDP to the Policy...
  • Page 623 Figure 19-9 Policy Created...
  • Page 624: Chapter 20 Idp Report

    Chapter 20 IDP Report CS-2001 provides you with a comprehensive IDP report in both statistics and logs. With these, you can get a clear view of the network security status.
  • Page 625 Terms in Settings Periodic Report Scheduling Settings - Generates and sends out the periodic report to the designated recipient(s) on schedule. History Report Scheduling Settings - Generates the report of a specific date and instantly sends it to the designated recipient(s).
  • Page 626 Figure 20-2 Periodic Report Received...
  • Page 627 Terms in Logs Search - Available search criteria are date, event, signature category, attacker IP, victim IP, interface and risk level. - Go to IDP > IDP Reports > Logs, click the Search icon and then set as below: - Enable the search duration and specify a period of time.
  • Page 628: Statistics

    20.1 Statistics Step 1. Go to IDP > IDP Reports > Statistics to view a full-scale IDP report in statistics. Step 2. In the upper left corner, click Day to see the daily statistics report, click Week to see the weekly statistics report, click Month to see the monthly statistics report, or click Year to see the yearly statistics report.
  • Page 629: Logs

    20.2 Logs Under IDP > IDP Reports > Logs, it shows the IDP status. Note: 1. The symbols used in Logs (one symbol per entry): - Process: Allow; Drop, Reject. - Risk Level: High Risk, Medium Risk, Low Risk...
  • Page 630: Web Vpn / Ssl Vpn

    Web VPN / SSL VPN...
  • Page 631: Chapter 21 Web Vpn / Ssl Vpn

    Chapter 21 Web VPN / SSL VPN Since the Internet is in widespread use these days, the demand for secure remote connections is increasing. To meet this demand, SSL VPN provides the best solution. By using SSL VPN from a standard browser, clients can transfer data securely through its SSL security protocol without the need to install any software or hardware.
  • Page 632 Terms in VPN - DES, an acronym for Data Encryption Standard, is a cipher that was selected by NIST (National Institute of Standards and Technology), using a 56-bit key for encryption. 3DES - 3DES, an acronym for Triple Data Encryption Standard, provides significantly enhanced security by executing the core DES algorithm three times in a row; it is more difficult to break than DES and uses a 168-bit key size.
  • Page 633 Hardware Auth. - The IT administrator may enable the PCs listed under Web VPN / SSL VPN > Hardware Auth by adding them to the Selected Hardware column under Web VPN / SSL VPN > Settings.
  • Page 634 1. Hardware authentication removes the need for users to enter a username and password every time they wish to establish an SSL VPN connection with the CS-2001. However, the first time a user tries to establish an SSL VPN connection, they will be requested to enter a username and password.
  • Page 635: Example

    21.1 Example 21.1.1 Configuring Web / SSL VPN Connection settings for External Clients Step 1. Go to Interface > WAN, activate the HTTPS function. (Figure 21-2) Figure 21-2 WAN Interface Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 21-3, 21-4)...
  • Page 636 Figure 21-4 User Group Entries...
  • Page 637 Step 3. Go to Web VPN / SSL VPN > Settings and then set as below: - Click Modify. (Figure 21-5) - Tick Enable Web VPN / SSL VPN. - Select the IP Version. - Enter the Client IP address / netmask. ...
  • Page 638 Figure 21-6 Web VPN / SSL VPN Setting Completed...
  • Page 639 Figure 21-7 Web VPN / SSL VPN Authentication Settings Figure 21-8 Web VPN / SSL VPN Authentication Completed...
  • Page 640 Step 4. Go to Policy > Incoming and then set as below: (Figure 21-9) - Select the defined Web VPN / SSL VPN from the VPN Trunk drop-down list. - Click OK. (Figure 21-10) Figure 21-9 Configuring an Incoming Policy with Web VPN / SSL VPN Figure 21-10 Policy Created...
  • Page 641 Step 5. Configure the setting from a browser: - In the URL field, type the CS-2001 interface address plus sslvpn or webvpn. For example, https://61.11.11.11/sslvpn or https://61.11.11.11/webvpn. - Click Yes in the Security Alert window. (Figure 21-11) - Click Yes in the Warning – Security window.
  • Page 642 Figure 21-12 Warning-Security Window...
  • Page 643 Figure 21-13 Warning-Security Window Figure 21-14 The Authentication Window Figure 21-15 Web VPN / SSL VPN Connection...
  • Page 644 Figure 21-16 Web VPN / SSL VPN Connection Established...
  • Page 645 (Figure 21-17) Figure 21-17 Web VPN / SSL VPN Connection Status Step 7. Under Web VPN / SSL VPN > Hardware Auth, it displays the connection status between the CS-2001 and the users. (Figure 21-18) Figure 21-18 The Authentication User List...
  • Page 646 Step 8. Go to Web VPN / SSL VPN > Settings and then set as below: (Figure 21-19) - Click Modify. - Move the hardware from the Available Hardware column to the Selected Hardware column. - Click OK. (Figure 21-20) Figure 21-19 Configuring Authentication User / Group...
  • Page 647 Figure 21-20 Setting Completed Step 9. When a user establishes an SSL VPN connection through the CS-2001, their hardware can be directly authenticated without the need for a username and password.
  • Page 648 Note: 1. When hardware authentication and user/group authentication are both enabled, the device will first try to authenticate by hardware authentication and will perform the following: - If the user’s PC hardware information is under Web VPN / SSL VPN > Settings, then the user is permitted to establish a Web VPN connection.
  • Page 649 Figure 21-22 Installing Java Runtime Environment Plug-in...
  • Page 650: Policy

    Policy...
  • Page 651: Chapter 22 Policy

    Chapter 22 Policy CS-2001 inspects each packet passing through the device to see if it meets the criteria of any policy. Every packet is processed according to the designated policy, consequently any packets that do not meet the criteria will not be permitted to pass.
  • Page 652 1. CS-2001 only processes packets accepted by a policy. Therefore, wherever the connection is made, regardless of the network type (LAN, WAN or DMZ), there must be policies configured for each of these networks. 2. CS-2001 uses the VPN trunk in a policy to manage the packet transmission and reception of VPN connections.
  • Page 653 Terms in Policy Source Address & Destination Address - The source address and destination address are defined using the device as the point of reference. The initiating point of a session is referred to as the source address. Service - The service to be regulated.
  • Page 654 VPN Trunk - This is where you apply the policy to regulate the session packets of IPSec or PPTP VPN.
  • Page 655 Action - Determines over which WAN interface(s) packets are permitted to pass (see the table below). Symbol / Meaning / Description: WAN access is granted to all interfaces: packets are granted to pass through all interfaces once approved by the configured policy. WAN1 granted: policy-approved packets may access WAN1.
  • Page 656 Anti-Spam - Filters emails transferred over POP3 and SMTP. Mail Archiving / Auditing - Determines whether to archive or audit the incoming or outgoing emails that pass through the policies. - The guaranteed and maximum bandwidth settings. (The bandwidth is distributed to users who meet the criteria of the policy.)
  • Page 657 Priority - When processing packets, CS-2001 inspects each packet to see whether it matches the criteria of existing policies. The packet-to-policy inspection is performed in the priority order of the policies. Therefore, to optimize the process, you may rearrange the priority of policies by changing the figure in the pull-down menu of each policy.
  • Page 658: Example

    22.1 Example No. / Settings / Scenario: 22.1.1 Outgoing, Creating a Policy to Monitor the Internet Access of LAN Users; 22.1.2 Outgoing, Creating a Policy to Restrict the Access to Specific Web Sites; 22.1.3 Outgoing, Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule; 22.1.4 Incoming...
  • Page 659 22.1.1 Creating a Policy to Monitor the Internet Access of LAN Users Step 1. Go to Policy > Outgoing and then set as below: (Figure 22-1) - Enable the Packet Logging. - Enable the Traffic Grapher. - Click OK. (Figure 22-2) Figure 22-1 Enabling Packet Logging and Traffic Grapher Figure 22-2 Setting Completed...
  • Page 660 Click any Source IP or Destination IP for the sessions accessed through the IP address that you click on. - For details of all sessions accessed through CS-2001, go to Monitoring > Logs > Traffic on the main menu. (Figure 22-4)...
  • Page 661 Figure 22-4 Traffic Shown in Log Screen...
  • Page 662 Step 3. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the traffic flow is displayed graphically, giving you an instant insight into the traffic status. (Figure 22-5)...
  • Page 664 Figure 22-5 Statistics Screen...
  • Page 665 22.1.2 Creating a Policy to Restrict the Access to Specific Web Sites Step 1. Go to Web Filter > Configuration > Whitelist/ Blacklist/ File Extensions/ MIME/ Script/ Group and then set as below: (Figure 22-6, 22-7, 22-8, 22-9, 22-10) Figure 22-6 Whitelist Settings Figure 22-7 Blacklist Settings Figure 22-8 File Extensions Settings...
  • Page 666 Figure 22-9 MIME / Script Settings Figure 22-10 Group Settings...
  • Page 667 Step 2. Go to Policy Object > Application Blocking > Settings and then set as below: (Figure 22-11, 22-12) Figure 22-11 Application Blocking Settings Figure 22-12 Setting Completed Note: 1. Script blocking is used for blocking certain functional features of a web site, such as Java, cookie, and so on.
  • Page 668 2. Application Blocking is used for blocking Instant Messenger, Peer-to-Peer Application, Video/ Audio Application, Webmail, Game Application, Tunnel Application, Remote Control Application and other applications.
  • Page 669 Step 3. Go to Policy Object > Address > WAN / WAN Group and then set as below: (Figure 22-13, 22-14) Figure 22-13 WAN Interface Setting Figure 22-14 WAN Group Setting...
  • Page 670 Step 4. Go to Policy > Outgoing and then set as below: (Figure 22-15) - Select the defined group from the Destination Address field. - Select Deny All for Action. - Click OK. Figure 22-15 Creating an Outgoing Policy to Deny Access...
  • Page 671 Step 5. Go to Policy > Outgoing and then set as below: (Figure 22-16) - Select the defined group from the Web Filter drop-down list. - Select the defined rule from the Application Blocking drop-down list. - Click OK. (Figure 22-17) Figure 22-16 Applying Application Blocking to the Policy Figure 22-17 Policy Created Note:...
  • Page 672 22.1.3 Creating a Policy to Grant Internet Access to Only Authenticated Users on Schedule Step 1. Go to Policy Object > Schedule > Settings and then set as below: (Figure 22-18) Figure 22-18 Schedule Settings Step 2. Go to Policy Object > Authentication > Account / Group and then set as below: (Figure 22-19)...
  • Page 673 Figure 22-20 Applying the Schedule and Authentication to the Policy Figure 22-21 Policy Completed...
  • Page 674 22.1.4 Creating a Policy to Enable a Remote User to Control a LAN PC with Remote Control Software (pcAnywhere) Step 1. Set up a computer to be remotely controlled; its IP address is 192.168.1.2. Step 2. Under Policy Object > Virtual Server > Port Mapping, set as below: (Figure 22-22)...
  • Page 675 Step 3. Under Policy > Incoming, set as below: (Figure 22-23) - Select the defined Virtual Server for Destination Address. - Select PC-Anywhere(5629-5632) for Service. - Click OK. (Figure 22-24) Figure 22-23 Creating an Incoming Policy to Enable LAN PC to be Remotely Controlled Figure 22-24 Policy Completed...
  • Page 676 22.1.5 Creating a Policy to Limit the Bandwidth, Daily Total Traffic Amount and Maximum Concurrent Sessions of an Incoming Session to an FTP Server (A NAT Mode Example) Step 1. Set up an FTP server in DMZ; the server IP address is 192.168.3.2. (The DMZ subnet addresses range from 192.168.3.1/24) Step 2.
  • Page 677 Step 4. Go to Policy > WAN to DMZ and then set as below (Figure 22-27) - Select the defined rule from the Destination Address drop-down list. - Select FTP(18-21) from the Service drop-down list. - Select the defined rule from the QoS drop-down list. ...
  • Page 678 Figure 22-28 A WAN-to-DMZ Policy Created...
  • Page 679 22.1.6 Creating a Policy to Enable LAN / WAN Users to Have Email Access (A Transparent Mode Example) Step 1. Set up a mail server in DMZ. Next, point it to the external DNS server and then set its IP address to 61.11.11.12. Step 2.
  • Page 680 Step 4. Under Policy > WAN To DMZ, set as below: (Figure 22-31) - Select the defined DMZ rule for Destination Address. - Select the defined service for Service. - Click OK. (Figure 22-32) Figure 22-31 A WAN-to-DMZ Policy for Granting Email Access to WAN Users Figure 22-32 A WAN-to-DMZ Policy for Granting Email Access to WAN Users Completed...
  • Page 681 Step 5. Under Policy > LAN To DMZ, set as below: (Figure 22-33) - Select the defined DMZ entry for Destination Address. - Select the defined service for Service. - Click OK. (Figure 22-34) Figure 22-33 A LAN-to-DMZ Policy for Granting Email Access to LAN User Figure 22-34 A LAN-to-DMZ Policy for Granting Email Access to LAN User Completed...
  • Page 682 Step 6. Under Policy > DMZ To WAN, set as below: (Figure 22-35) - Select the defined rule for Source Address. - Select the defined rule for Service. - Click OK. (Figure 22-36) Figure 22-35 A DMZ-to-WAN Policy for Granting Email Access to WAN User Figure 22-36 A DMZ-to-WAN Policy for Granting Email Access to WAN User Completed...
  • Page 683: Anomaly Flow Ip

    Anomaly Flow IP...
  • Page 684: Chapter 23 Anomaly Flow Ip

    Chapter 23 Anomaly Flow IP Once an anomaly traffic flow is detected, CS-2001 will take action to block the flow of packets. This protection ensures that the network remains operational, and consequently the business’s revenue generating opportunities are left undisturbed.
  • Page 685: Example

    23.1 Example 23.1.1 Configuration for Alerts and the Blocking of Internal DDoS Attacks Step 1. Go to System > Configuration > Settings and then configure the settings under the Email Notification Settings section. Step 2. Go to System > Configuration > SNMP and then configure the settings under the SNMP Trap Settings section.
  • Page 686 Step 3. Go to Anomaly Flow IP > Settings and then set as below: (Figure 23-2) - Enter the Traffic Threshold per IP. (The default value is 100) - Tick Enable Anomaly Flow IP Blocking and then type the Blocking Time.
  • Page 687 Step 4. When a DDoS attack occurs, CS-2001 generates a corresponding log under Anomaly Flow IP > Virus-infected IP, and if NetBIOS Notification is enabled, sends a NetBIOS broadcast to both the victim user and IT administrator to warn about the attack.
  • Page 688 Step 6. Internal users will see an alert message upon opening a web browser after being infected by a computer virus. CS-2001 limits virus-infected users’ bandwidth to a minimum in order to oblige users to take action to remove virus. Note: The alert message merely appears to virus-infected users at the very first time to open a web browser after the infection.
  • Page 689: Advance

    Advance...
  • Page 690: Chapter 24 Inbound Balancing

    Chapter 24 Inbound Balancing The CS-2001 provides enterprises with Inbound Load Balancing. It ensures uninterrupted access for external users to the company's servers. If one WAN link fails, incoming traffic will be redirected to another WAN link. In addition, inbound flows can be distributed to each port according to the regulated weighting and priority of each port, ensuring the quality of the connection.
  • Page 691 Terms in Inbound Balancing Domain Name - Refers to an address that is registered at an ISP. An IP address like 198.68.20.78 is not easy to memorize; therefore, domain names represent IP addresses with meaningful and more easily readable English hostnames, such as ccu.edu.tw, planet.com.tw.
  • Page 692 Domain Name Type IP Address host1.nu.net.tw 61.11.11.12 host2.nu.net.tw 61.11.11.13 host2.nu.net.tw 211.22.22.23 Table 24-1 Domain Name and IP Address Mapping Table - Domain names can be mapped to more than one IP address. The table above indicates that host2 is mapped to two IP addresses, so it lists two entries corresponding to host2.
  • Page 693 - Supposing a user wants to send an email to mary@mail.nu.net.tw. The user is using test.com.tw as its SMTP server. The DNS records will be queried on this server to determine where to send the email destined for mail.nu.net.tw. The following table shows the MX record resulting from the query: (Table 24-4)...
  • Page 694 pointer records of the reverse database, this IP address is stored as the domain name 12.11.11.61.in-addr.arpa pointing back to its designated hostname.
  • Page 695 - IPv6 uses PTR record as well. For example, host33.nu.net.tw points to FEC0::2AA:FF:FE3F:2A1C (FEC0:0000:0000:0000:02AA:00FF:FE3F:2A1C), in pointer records of the reverse database, this IP address is stored as the domain name C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.E.F.IP6.INT. pointing back to its designated hostname. - For example, using the nslookup command to verify whether DNS lookup functions normally.
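The two reverse-name constructions above (octets reversed under in-addr.arpa for IPv4, all 32 nibbles of the expanded address reversed under the IPv6 reverse zone) are mechanical, so here is an added Python example that builds them and recovers the address from a PTR owner name again. It is not code from the manual or from PLANET. The manual's IPv6 sample uses the legacy ip6.int suffix; ip6.arpa is the zone in current use, so the suffix is a parameter. The hostname-to-address map used by the consistency check is constructed for the example and stands in for real A/AAAA lookups.

```python
import ipaddress

# Added example (not from the PLANET manual): reverse-lookup owner names for
# PTR records. Manual samples: 61.11.11.12 -> 12.11.11.61.in-addr.arpa and
# FEC0::2AA:FF:FE3F:2A1C -> C.1.A.2.F.3.E.F.F.F.0.0.A.A.2.0...C.E.F.IP6.INT
# (ip6.int is the legacy suffix; ip6.arpa is the current reverse zone).

IPV4_SUFFIX = "in-addr.arpa"
IPV6_SUFFIX = "ip6.arpa"


def reverse_name(address: str, ipv6_suffix: str = IPV6_SUFFIX) -> str:
    """Return the PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed, joined by dots, under in-addr.arpa.
    IPv6: the 32 hex nibbles of the fully expanded address reversed, one
    label per nibble, under ip6.arpa (or ip6.int for legacy zones).
    Raises ValueError when the input is not a valid IP address.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(str(ip).split(".")[::-1]) + "." + IPV4_SUFFIX
    # exploded gives eight 4-digit groups; drop the colons to get 32 nibbles,
    # then reverse so the least significant nibble becomes the first label
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + ipv6_suffix


def address_from_reverse_name(name: str) -> str:
    """Inverse operation: recover the address encoded in a PTR owner name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) != 4:
            raise ValueError("IPv4 reverse name needs exactly four octets")
        return str(ipaddress.IPv4Address(".".join(octets)))
    if labels[-2:] in (["ip6", "arpa"], ["ip6", "int"]):
        nibbles = labels[:-2][::-1]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("IPv6 reverse name needs 32 single-nibble labels")
        hexstr = "".join(nibbles)
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-lookup name: " + name)


def forward_reverse_consistent(address: str, ptr_target: str, forward: dict) -> bool:
    """True when the hostname a PTR points at resolves back to `address`.

    `forward` is a hostname -> addresses map (constructed here) standing in
    for real A/AAAA lookups, so the check runs offline. Mail servers and
    access-control lists commonly reject hosts whose PTR and forward records
    disagree, which is why the manual stresses keeping both accurate.
    """
    ip = ipaddress.ip_address(address)
    return ip in {ipaddress.ip_address(a) for a in forward.get(ptr_target, ())}


if __name__ == "__main__":
    # constructed sample data mirroring Table 24-1 and the IPv6 sample above
    forward = {"host1.nu.net.tw": {"61.11.11.12"},
               "host33.nu.net.tw": {"FEC0::2AA:FF:FE3F:2A1C"}}
    for addr, host in (("61.11.11.12", "host1.nu.net.tw"),
                       ("FEC0::2AA:FF:FE3F:2A1C", "host33.nu.net.tw")):
        print(reverse_name(addr), "->", host,
              "consistent" if forward_reverse_consistent(addr, host, forward) else "MISMATCH")
```

A practical use of the round trip is auditing a reverse zone: for every PTR owner name, recover the address, look up the hostname the PTR names, and flag entries where the forward answer does not contain that address.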
  • Page 696 Further Description DNS pointers are used to indicate which DNS server holds all the associated DNS records for a domain. Any specific information can be obtained from the DNS server, such as the physical address of a website or mail server. Thus, the DNS server must be reliably connected to the internet and accurate DNS records must be maintained.
  • Page 697 Note: 1. The DNS must point to the fixed IPs.
  • Page 698 Under Advance > Inbound Balancing > Settings, configure DNS settings as listed below: (Table 24-6) Domain Name Type IP Address Reverse Weight Priority nu.net.tw 61.11.11.11 nu.net.tw 211.22.22.22 Table 24-6 Domain Name and IP Address Mapping Table The Secondary DNS server can act as a substitute if the primary DNS server develops a fault by allowing the domain name to remain functioning.
  • Page 699 Configure DNS settings as listed below: (Table 24-7) Domain Name Type IP Address Weighting Priority web.nu.net.tw 61.11.11.11 web.nu.net.tw 211.22.22.22 www.nu.net.tw CNAME web.nu.net.tw Table 24-7 CNAME Record of www.nu.net.tw According to table 24-7, use nslookup command to verify the result of forward DNS lookup and reverse DNS lookup: C:\>nslookup Default Server:dns.hinet.net...
  • Page 700 As seen from table 24-7, it can be inferred that when browsing www.nu.net.tw, visitors are directed to different servers according to their browsing sequence. The 1st user accesses the server via 61.11.11.11. The 2nd user accesses the server via 211.22.22.22. The 3rd user accesses the server via 211.22.22.22.
  • Page 701: Example

    24.1 Example Application Environment Page 24.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode 24.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode 24.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode 24.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode...
  • Page 702 24.1.1 Creating an A Record to Load Balance a Web Server Using the Backup Mode Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings: - Click New Entry. (Figure 24-2) - Type the domain name. ...
  • Page 703 Figure 24-3 The First Inbound Balance Configuration...
  • Page 704 Figure 24-4 The Second Inbound Balance Configuration Figure 24-5 The Completed Settings Note: 1. If @ is entered in the Hostname field, then it will be the defined domain name. In this example, it is supportplanet.com.tw. 2. ”.” indicates fully qualified domain name (FQDN). For example, if www is entered in the Hostname field, then it will be www.supportplanet.com.tw.
  • Page 705 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-6, 24-7) Figure 24-6 Server 1 Settings Figure 24-7 Server 2 Settings...
  • Page 706 Step 3. Go to Policy > Incoming and then set as below: - Click New Entry. (Figure 24-8) - For Destination Address select [Virtual Server IP] Web_Server(61.11.11.11). - For Service select HTTP(80). - Click OK. - Click New Entry. (Figure 24-9) ...
  • Page 707 Figure 24-9 Configuring the First Settings of an Incoming Policy Settings Figure 24-10 The Completed Policy Settings...
  • Page 708 Step 4. Settings complete. If WAN 1 goes down, WAN 2 ensures user’s access to the web server remains uninterrupted. (Figure 24-11) Figure 24-11 Web Server Backup Deployment...
  • Page 709 24.1.2 Creating an A Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and proceed with the following settings: - Click New Entry. (Figure 24-12) - In the Domain Name field, enter the domain that you obtained from your ISP.
  • Page 710 Figure 24-13 The First Inbound Balance Settings Figure 24-14 The Second Inbound Balance Configuration Figure 24-15 Setting Completed...
  • Page 711 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-16, 24-17) Figure 24-16 Server 1 Settings Figure 24-17 Server 2 Settings...
  • Page 712 Step 3. Go to Policy > Incoming and proceed with the following settings: - Click New Entry. (Figure 24-18) - Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address. - Select HTTP(80) for Service. - Click OK. - Click New Entry. (Figure 24-19)...
  • Page 713 Figure 24-19 Configuring the Second Policy Settings Figure 24-20 Policy Completed...
  • Page 714 Step 4. Setting completed. (Figure 24-21) Figure 24-21 The Round-Robin Deployment Note: 1. Inbound Balance Settings:(Table 24-9) Name Type Address Weight Priority www.supportplanet.com.tw 61.11.11.11 www.supportplanet.com.tw 211.22.22.22 Table 24-9 Web Server Weight and Priority Settings - The weight and priority values will distribute their access as below: ...
  • Page 715 cycle restarted) - The 5th user accesses the server via 211.22.22.22. - The 6th user accesses the server via 211.22.22.22.
  • Page 716 24.1.3 Creating a CNAME Record to Load Balance a Web Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and then set as below: - Click New Entry. (Figure 24-22) - In the Domain Name field, enter the domain name you applied for from your ISP.
  • Page 717 Figure 24-23 The First Inbound Balance Settings Figure 24-24 The Second Inbound Balance Settings Figure 24-25 CNAME(Alias) Settings...
  • Page 718 Figure 24-26 Completed CNAME(Alias) Settings...
  • Page 719 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-27, 24-28) Figure 24-27 Server 1 Settings Figure 24-28 Server 2 Settings...
  • Page 720 Step 3. Go to Policy > Incoming and then set as below: - Click New Entry. (Figure 24-29) - Select the defined rule ([Virtual IP]Web_Server(61.11.11.11)) for Destination Address. - Select HTTP(80) for Service. - Click OK. - Click New Entry. (Figure 24-30)...
  • Page 721 Figure 24-30 Configuring the Second Policy Settings Figure 24-31 Adding the Second Policy...
  • Page 722 Step 4. Setup completed. (Figure 24-32) Figure 24-32 Web Server Deployment Using CNAME Note: 1. The settings for Inbound Balancing:(Table 24-10) Name Type Address Weight Priority web.supportplanet.com.tw 61.11.11.11 web.supportplanet.com.tw 211.22.22.22 www.supportplanet.com.tw CNAME web.supportplanet.com.tw Table 24-10 The Web Servers Weight, Priority and CNAME Settings ...
  • Page 723 - The 4th user accesses the server via 61.11.11.11 (Round-Robin priority distribution cycle has restarted) - The 5th user accesses the server via 211.22.22.22. - The 6th user accesses the server via 211.22.22.22.
  • Page 724 24.1.4 Creating a MX Record to Load Balance a Mail Server Using the Round-Robin Mode Step 1. Go to Advance > Inbound Balancing > Settings and then set as below: - Click New Entry. (Figure 24-33) - Enter the Domain Name. ...
  • Page 725 Figure 24-34 The First Inbound Balance Settings Figure 24-35 The Second Inbound Balance Settings Figure 24-36 The MX(Mail eXchanger) Settings...
  • Page 726 Figure 24-37 MX(Mail eXchanger) Settings Completed...
  • Page 727 Step 2. Go to Policy Object > Virtual Server > Port Mapping and then set as below: (Figure 24-38, 24-39, 24-40, 24-41) Figure 24-38 The First Setting of Server Figure 24-39 The Second Setting of Server...
  • Page 728 Figure 24-40 The Third Setting of Server Figure 24-41 The Fourth Setting of Server...
  • Page 729 Step 3. Go to Policy > Incoming and then set as below: - Click New Entry. (Figure 24-42) - Select the defined rule ([Virtual IP]Mail_Server_POP3(61.11.11.11)) for Destination Address. - Select POP3(110) for Service. - Click OK. - Click New Entry. (Figure 24-43)...
  • Page 730 Figure 24-43 The Second Policy Settings Figure 24-44 The Third Policy Settings...
  • Page 731 Figure 24-45 The Fourth Policy Settings Figure 24-46 Policy Completed...
  • Page 732 Step 4. Setup Completed. (Figure 24-47) Figure 24-47 The Mail Server Deployment Note: (Table 24-11) 1. Settings for Inbound Balancing: Name Type Address Weight Priority main.supportplanet.com.tw 61.11.11.11 main.supportplanet.com.tw 211.22.22.22 mail.supportplanet.com.tw. main.supportplanet.com.tw Table 24-11 The MX Server’s Weight and Priority Settings ...
  • Page 733 - The 2nd user accesses the server via 211.22.22.22. - The 3rd user accesses the server via 211.22.22.22 (Round-Robin priority distribution cycle finished). - The 4th user accesses the server via 61.11.11.11 (Round-Robin priority distribution cycle has restarted). - The 5th user accesses the server via 211.22.22.22. ...
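The access sequences quoted for the A, CNAME and MX round-robin examples (1st user via 61.11.11.11, 2nd and 3rd via 211.22.22.22, then the cycle restarts) and the backup-mode example in 24.1.1 (WAN 2 answers only when WAN 1 is down) both follow from how Weight and Priority order the answers. The Python model below is an added example, not PLANET's code or the device's actual algorithm; the Weight values it uses (1 for 61.11.11.11, 2 for 211.22.22.22) are an assumption, since the tables on this page do not show them, and they are the smallest pair that reproduces the quoted sequence. Link state is a plain flag here in place of the device's WAN link check.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not from the PLANET manual): a model of the Weight/Priority
# ordering described for Inbound Balancing. Weights 1 and 2 are assumed; they
# reproduce the manual's sequence a, b, b, a, b, b for the round-robin tables.


@dataclass
class WanRecord:
    address: str
    weight: int = 1     # share of answers within one priority level
    priority: int = 1   # lower value preferred; higher used only on failure
    up: bool = True     # stands in for the device's WAN link check


@dataclass
class InboundBalancer:
    records: List[WanRecord]
    _pos: Dict[int, int] = field(default_factory=dict)  # cursor per priority

    def _active_set(self) -> List[WanRecord]:
        """Backup mode: only the best priority among records whose link is up."""
        live = [r for r in self.records if r.up and r.weight > 0]
        if not live:
            return []
        best = min(r.priority for r in live)
        return [r for r in live if r.priority == best]

    @staticmethod
    def _schedule(active: List[WanRecord]) -> List[str]:
        # weighted round-robin: an address appears `weight` times per cycle
        return [r.address for r in active for _ in range(r.weight)]

    def next_address(self) -> Optional[str]:
        """Address handed to the next resolver that asks for the name."""
        active = self._active_set()
        if not active:
            return None          # every WAN link down: nothing to answer
        sched = self._schedule(active)
        key = active[0].priority
        i = self._pos.get(key, 0) % len(sched)
        self._pos[key] = i + 1
        return sched[i]

    def answers(self, n: int) -> List[Optional[str]]:
        return [self.next_address() for _ in range(n)]

    def set_link(self, address: str, up: bool) -> None:
        for r in self.records:
            if r.address == address:
                r.up = up


if __name__ == "__main__":
    # Round-robin deployment (Tables 24-9 to 24-11, weights assumed)
    rr = InboundBalancer([WanRecord("61.11.11.11", weight=1),
                          WanRecord("211.22.22.22", weight=2)])
    print("round-robin:", rr.answers(6))
    # Backup deployment (24.1.1): WAN 2 answers only once WAN 1 fails
    bk = InboundBalancer([WanRecord("61.11.11.11", priority=1),
                          WanRecord("211.22.22.22", priority=2)])
    print("backup, WAN1 up:  ", bk.answers(3))
    bk.set_link("61.11.11.11", False)
    print("backup, WAN1 down:", bk.answers(3))
```

One caveat when checking this on a live deployment: the "1st user, 2nd user" ordering applies per querying resolver, not per browser, because a recursive resolver caches the answer for the record's TTL and serves it to every client behind it. The same caching delays the backup-mode switch to WAN 2, so keep the TTL of inbound-balanced records short and verify failover with nslookup against the CS-2001 itself rather than through an ISP resolver.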
  • Page 734: Chapter 25 High Availability

    Chapter 25 High Availability When two CS-2001 devices are deployed in the network, the two devices can operate in active / standby mode. The master device (active device) maintains a synchronization with the backup device (standby device). Once the master device fails, the backup device will seamlessly take over the operations.
  • Page 735 Terms in High Availability HA Mode - This mode is used to determine if the device will serve as the master or backup. Data Transmission Port / Management IP Address - Configures the IP address and port for executing the synchronization between the master device and the backup device.
  • Page 736: Example

    25.1 Example 25.1.1 High Availability Deployment Preparation Configure Port1 as LAN1 (192.168.1.1, NAT/ Routing mode) and connect it to the LAN using 192.168.1.x/24. Configure Port2 as WAN1(61.11.11.11) and connect it to the ADSL Termination Unit Remote to access the Internet. IP range:61.11.11.10 to 61.11.11.14. Configure Port3 as WAN2 (211.22.22.22) and connect it to the ADSL Termination Unit Remote to access the Internet.
  • Page 737 Step 1. Assign one CS-2001 device as the master and connect it to the same switch that the LAN is connected to. (Figure 25-1) Figure 25-1 The Deployment of the Master Device under High Availability Mode...
  • Page 738 Step 2. Using the master device, configure the following High Availability settings under Network > Interface. (Figure 25-2) Figure 25-2 The IP Address for the LAN Interface...
  • Page 739 Step 3. Using the master device, configure the following High Availability settings under Advance > High Availability > Settings: - Tick Enable High Availability(HA). - For HA Mode, select Active from the drop-down list. - For HA Port, select Port1 from the drop-down list. ...
  • Page 740 Step 4. To set up the backup device, be sure the backup device is turned off and then configure the interface. Backup device’s LAN port, WAN port and DMZ port must be different from Master device’s. After the configuration, turn on the device. (Figure 25-4)...
  • Page 741 1. When deploying a high availability between two devices, the Master device must be turned on to avoid synchronization errors. 2. The built-in disk of the CS-2001 device can be changed. The capacity of the new disk should be larger than or equal to the capacity of the original one to avoid synchronization errors. (To synchronize the data of Backup device and Master device.
  • Page 742 Figure 25-6 Backup Device Taking Over Operations When Master Device Fails 6. Note: - During backup, if the WAN port is using a dynamic IP address and it is in the process of being renewed, the session will disconnect. - IPSec VPN Connections: the IT administrator needs to set the Keepalive IP Address under Policy Object >...
  • Page 743: Chapter 26 Co-Defense System

    Chapter 26 Co-Defense System The CS-2001 can work in cooperation with the network’s switch, to provide instant monitoring of the internal network’s status. When the device detects an anomaly traffic flow, it will block the flow and provide information to help the IT...
  • Page 744 Terms in Core Switch Name - The name used to identify the switch. Switch Model - The switch model can be selected or it can be customized. IP Version - The Internet protocol that the system can use to telnet into the switch. There are IPv4 and IPv6.
  • Page 745 Remove Blocking Command - This command instructs the core switch to discontinue blocking an IP/MAC address. Show Blocking Commands - This command is used to view the IP/MAC addresses that the switch is blocking. Note: 1. When the system detects the internal anomaly flow, the switch will use the following variables to block IP/MAC address, unblock already blocked IP/MAC addresses and view IP/MAC addresses.
  • Page 746: Example

    26.1 Example 26.1.1 Quickly Isolating Any Anomaly Flow in the Internal Network by Utilizing the Core and Edge Switch Step 1. Go to Anomaly Flow IP > Settings and set as below: (Figure 26-2) Figure 26-2 Anomaly Flow IP Settings...
  • Page 747 Step 2. Under Advance > Co-Defense System > Core Switch, set as below: (Figure 26-3) - Enter the name to identify the switch. - Select the model of the switch from the Switch Model drop-down list. - Select IPv4 from the IP Version drop-down list. ...
  • Page 748 Figure 26-4 Core Switch Settings Completed...
  • Page 749 Step 3. Under Advance > Co-Defense System > Edge Switch, click New Entry and then set as below: (Figure 26-9) - Type the name in the Name field. - Select IPv4 from the IP Version drop-down list. - Fill the IP Address field and the Community String field. ...
  • Page 750 Step 4. Go to Advance > Co-Defense System > MAC ADDR Table. Using SNMP, the CS-2001 can obtain the MAC addresses of any packets that pass through the edge switch. Note: 1. Under Advance > Co-Defense System > Edge Switch, every port number from on the edge...
  • Page 751: Monitoring

    Monitoring...
  • Page 752: Chapter 27 Logs

    - Virus Logs show the detected viruses from your HTTP, Webmail and FTP packets processed through the CS-2001. - Application Blocking Logs provide details of all the applications that have been blocked by the CS-2001.
  • Page 753 Terms in Settings Logging Settings - Logs are sent to the designated recipient once the file size reaches 300 KB. - Logs can be backed up onto the remote device and SNMP Trap. - The log setting of traffic, events, connections, viruses, application blocking, concurrent sessions and quota: ...
  • Page 754 Figure 27-1 Searching for a Specific Log...
  • Page 755 Figure 27-2 Downloading the Search Results...
  • Page 756 Terms in Events Search - Available search criteria are date, admin name, IP address, event type and event log with detailed content. - Under Monitoring > Logs > Events, click Search and then set as below: - Enable the search duration and then specify a period of time to search within.
  • Page 757 Terms in Connection Search - PPPoE: Available search criteria are date and keyword. - Dynamic IP Address: Available search criteria are date and keyword. - DHCP: Available search criteria are date and keyword. - PPTP Server: Available search criteria are date and keyword. ...
  • Page 758 Figure 27-4 Searching for a Specific Log...
  • Page 759 Terms in Virus Search - Available search criteria are date, source IP, destination IP, application, infected file and virus name. - Under Monitoring > Logs > Viruses, click Search and then set as below: Terms in Application Blocking Search - Available search criteria are date, source IP and keyword.
  • Page 760: Traffic

    27.1 Traffic 27.1.1 Viewing the Protocols and Port Numbers Used during an Access to CS-2001 Step 1. Go to Policy > DMZ To WAN and set as below: (Figure 27-5) - Enable the Packet Logging. - Click OK. (Figure 27-6) Figure 27-5 A Policy with Traffic Log...
  • Page 761 Step 2. Under Monitoring > Logs > Traffic, it shows the traffic status of a policy. (Figure 27-7) Figure 27-7 Traffic Log Step 3. Click any Source IP or Destination IP to see which protocols and ports it used and its traffic. (Figure 27-8)...
  • Page 762 Figure 27-8 Monitoring the Traffic Flow of Each IP Address...
  • Page 763 Step 4. To clear the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-9) Figure 27-9 Deleting all the Traffic Log...
  • Page 764: Event

    27.2 Event 27.2.1 Viewing System History Access and the Status of WAN Step 1. Under Monitoring > Logs > Events, it shows the system history access and the status of WAN. (Figure 27-10) - Click the icon for details. (Figure 27-11)...
  • Page 765 Figure 27-11 Specific Details of a History Event...
  • Page 766: Connection

    27.3 Connection 27.3.1 Viewing the Connection Logs of WAN Interface Step 1. Under Monitoring > Logs > Connections, it shows the logs of PPPoE, Dynamic IP Address, DHCP, PPTP Server, PPTP Client, IPSec, Web VPN, SMTP Inbound, SMTP Outbound and POP3. (Figure 27-12)...
  • Page 767 Step 2. To delete the logs, click the Clear button and then click OK in the confirmation window. (Figure 27-13) Figure 27-13 Deleting all the Connection Logs...
  • Page 768: Viruses

    27.4 Viruses 27.4.1 Viewing the Detected Viruses from Internal Users Using HTTP / Web Mail / FTP Protocol to Transfer Files Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-14) - For Anti-Virus, tick HTTP/Webmail and FTP. ...
  • Page 769 Figure 27-14 A Policy with HTTP/ WebMail and FTP...
  • Page 770 Figure 27-15 Policy Completed...
  • Page 771 Step 2. Under Monitoring > Logs > Viruses, it shows the logs of detected virus from the Internal users using HTTP/ WebMail and FTP protocol to transfer files. Step 3. To delete the logs, click the Clear button and then click OK.
  • Page 772: Application Blocking

    27.5 Application Blocking 27.5.1 Viewing the Logs Step 1. Under Policy > Outgoing, set as below: (Figure 27-16) - Select the defined application blocking. - Click OK. (Figure 27-17) Figure 27-16 A Policy with Application Blocking Figure 27-17 Policy Completed...
  • Page 773 Step 2. Under Monitoring > Logs > Application Blocking, it shows the logs of applications that have been blocked. (Figure 27-18) Figure 27-18 Application Blocking Logs Step 3. To delete the logs, click the Clear button and then click OK from the confirmation window.
  • Page 774: Concurrent Sessions

    27.6 Concurrent Sessions 27.6.1 Viewing the Logs of Concurrent Sessions that Have Exceeded the Configured Value Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-20) - Enter a value in the Max. Concurrent Sessions per IP field ...
  • Page 775 Figure 27-20 A Policy with Limitation of Concurrent Sessions...
  • Page 776 Figure 27-21 Policy Completed Step 2. Under Monitoring > Logs > Concurrent Sessions, it shows the logs of the concurrent sessions that have exceeded the configured value. Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
  • Page 777: Quota

    27.7 Quota 27.7.1 Viewing the Logs of Quota that Has Been Reached Step 1. Go to Policy > Outgoing and then set as below: (Figure 27-22) - Type a value in the Quota per Source IP field. - Click OK. (Figure 27-23)...
  • Page 778 Figure 27-22 A Policy with Limitation of Quota per Source IP...
  • Page 779 Figure 27-23 Policy Completed Step 2. Under Monitoring > Logs > Quota, it shows the logs of the quota that have reached the configured value. Step 3. To delete the logs, click the Clear button and then click OK in the confirmation window.
  • Page 780: Log Backup

    27.8 Log Backup 27.8.1 Archiving or Retrieving Logs Generated by CS-2001 Step 1. Go to System > Configuration > Settings and then set as below: - Tick Enable email notifications and then configure the related settings. (Figure 27-24) - Tick Enable syslog messages and then configure the related settings.
  • Page 781 Step 3. Go to Monitor > Log > Settings and then set as below: (Figure 27-27) Figure 27-27 Monitoring Settings...
  • Page 782 Note: 1. Once Email Notification is enabled, the logs will be sent to the IT administrator when the file size reaches 300KB. 2. When syslog message is enabled, the logs will be delivered to the designated remote device. 3. When SNMP trap alerts is enabled, the logs can be delivered to a PC installed with SNMP Trap software. (Figure 27-29)...
  • Page 783: Chapter 28 Accounting Reports

    Chapter 28 Accounting Reports Accounting reports give the IT administrator an insight into the various sessions of users that pass through the device, providing detailed statistical reports and charts.
  • Page 784 Terms in Setting Accounting Report Settings - The configuration to enable or disable the recording of inbound and outbound data access and configure the storage period of the records. - Under Monitoring > Accounting Reports > Settings, set as below: ...
  • Page 785: Historical Top Chart

    Terms in Today Top-N Time Slider - Drag the two sliders to adjust the statistics’ time interval (represented by the red portion.) Source IP - Indicates certain period of traffic of the source IP in the day. - Source IP: indicates the source IP of the packets. ...
  • Page 786 Figure 28-2 Searching for the Specific Log...
  • Page 787 Figure 28-3 Downloading the Accounting Reports...
  • Page 788 Figure 28-4 Deleting the Accounting Reports...
  • Page 789: Flow Analysis

    28.1 Flow Analysis Step 1. Under Monitoring > Accounting Reports > Flow Analysis, it shows the traffic of source IP and service through CS-2001. (Figure 28-5) Figure 28-5 Flow Analysis...
  • Page 790: Today's Top Chart

    28.2 Today’s Top Chart Step 1. Under Monitoring > Accounting Reports > Today’s Top Chart, it shows the traffic from the source IP, destination IP and the traffic of service through CS-2001 in the day. (Figure 28-6)...
  • Page 791 Figure 28-6 Today Top-N...
  • Page 792 Step 2. You may drag the two sliders to adjust the statistics’ time interval. The left one is the start time slider, the right one is the end time slider. Once you adjust the time interval, the Service IP accounting report, the Destination IP accounting report and the Service accounting report will be refreshed according to the new time interval.
  • Page 793 Figure 28-7 Today Top-N Report according to the Time Interval...
  • Page 794 Step 3. By clicking any source IP, a pop-up window will show its destination IP and service. (Figure 28-8) Figure 28-8 The Destination IP and Service Step 4. By clicking any Destination IP, a pop-up window will show its source IP and service.
  • Page 795 Figure 28-9 The Source IP and Service...
  • Page 796 Step 5. By clicking any service, it will show its source IP and destination IP. (Figure 28-10) Figure 28-10 The Source IP and Destination IP...
  • Page 797: Historical Top Chart

    28.3 Historical Top Chart Step 1. Under Monitoring > Accounting Reports > Historical Top Chart, you may see the traffic of the source IP, destination IP and service of the certain duration by specifying the date. (Figure 28-11) Figure 28-11 History Top-N...
  • Page 798: Chapter 29 Traffic Grapher

    Chapter 29 Traffic Grapher Statistics delivers comprehensive information regarding network traffic, enabling the IT administrator to gain a thorough understanding of traffic flow across the WAN interfaces and packets managed by policies. - WAN Traffic provides upstream and downstream traffic flow statistics of all packets passing through the WAN interfaces based on their corresponding policies.
  • Page 799 Traffic Grapher Charts - Vertical axis indicates the network traffic. - Horizontal axis indicates time. Type/ Source/ Destination/ Service/ Action - The items infer what Policy is used. Time - The statistics are available in time units of per minute, hour, day, week, month and year.
  • Page 800: Wan Traffic

    29.1 WAN Traffic Step 1. In Monitoring > Traffic Grapher > WAN Traffic, it shows the statistics of upstream / downstream packets over the WAN interface. The statistic charts are available in the time unit of minute, hour, day, week, month and year. Click Minutes for statistic charts in the time unit of minute; click Hours for statistic charts in the time unit of hour; click Days for statistic charts in the time unit of day; click Weeks for statistic charts in the time unit of...
  • Page 801 Step 2. Statistic charts (Figure 29-2) - Vertical axis indicates network stream. - Horizontal axis indicates time.
  • Page 803 Figure 29-2 The Network Stream Chart Note: 1. You may configure the time duration to search for the statistics in a certain period of time.
  • Page 804: Policy-Based Traffic

    29.2 Policy-Based Traffic Step 1. When creating a new policy, if the Statistics is enabled, the Policy statistics charts in the path of Monitoring > Traffic Grapher > Policy-Based Traffic corresponding to the policy will start recording. Under Monitoring > Traffic Grapher > Policy-Based Traffic, the statistics charts corresponding to a policy are available in the time unit of minute, hour, day, week, month, and year.
  • Page 805 Step 2. Statistics charts. (Figure 29-4) - Vertical axis indicates network traffic. - Horizontal axis indicates time.
  • Page 807 Figure 29-4 Viewing the Policy Statistics Chart Note: 1. You may see the statistics of a certain time by using the time searching.
  • Page 808: Chapter 30 Diagnostic Tools

    Chapter 30 Diagnostic Tools The device provides ping and traceroute utilities to help diagnose network issues with particular external nodes.
  • Page 809: Ping

    30.1 Ping Step 1. To test whether a host is reachable across an IP network, go to Monitoring > Diagnostic Tools > Ping and then configure as below: (Figure 30-1) - Type the Destination IP or Domain name in the Destination IP / Domain name field.
  • Page 810 Figure 30-2 Ping Result Note: 1. If VPN is selected from the Interface drop-down list, the user must enter the local LAN IP address in the Interface field. Enter the IP address that is under the same subnet range in the Destination IP / Domain name field.
  • Page 811 Figure 30-3 Ping Results for a VPN Connection...
  • Page 812: Traceroute

    30.2 Traceroute Step 1. Under Monitoring > Diagnostic Tools > Traceroute, the Traceroute command can be used by the CS-2001 to send out packets to a specific address to diagnose the quality of the traversed network. (Figure 30-4) In Destination IP / Domain name, enter the destination address for the packets.
  • Page 813 Figure 30-5 Traceroute Results...
  • Page 814: Packet Capture

    30.3 Packet Capture Capture packets for debugging Step 1. Under Monitoring > Diagnostic Tools > Packet Capture, the packet capture can help to debug by capturing packet content for debugging. (Figure 30-6) ...
  • Page 815: Chapter 31 Wake-On-Lan

    Chapter 31 Wake-On-LAN Any wake-on-LAN supported PC can be remotely turned on by a “wake-up” packet sent from the CS-2001. By utilizing remote control software such as VNC, Terminal Service or PC Anywhere, a remote user may remotely wake up a computer...
  • Page 816: Example

    31.1 Example 31.1.1 Remote Controlling a PC Step 1. Supposing the MAC address of the PC that is desired to be remotely controlled is 00:0C:76:B7:96:3B. Step 2. Under Monitoring > Wake-On-LAN > Settings, click New Entry and then set as below: ...
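The "wake-up" packet the chapter above refers to is the standard Wake-on-LAN magic packet: six 0xFF bytes followed by the target MAC address repeated sixteen times, normally sent as a UDP broadcast on the local segment. The following is an added example written for this page, not code from the CS-2001 or from PLANET; it builds the magic packet for the MAC address used in the manual's example (00:0C:76:B7:96:3B), and adds a small detection helper a defender can run over captured UDP payloads to recognise a magic packet and recover which MAC it targets. The optional 6-byte SecureOn password suffix and the UDP port 9 default are the common conventions, not anything the manual documents.

```python
import re
import socket
from typing import Optional

# MAC address from the manual's Wake-on-LAN example (section 31.1.1).
EXAMPLE_MAC = "00:0C:76:B7:96:3B"

SYNC_STREAM = b"\xff" * 6          # magic-packet preamble
MAC_REPEATS = 16                   # the MAC is repeated 16 times after the preamble


def parse_mac(mac: str) -> bytes:
    """Accept 00:0C:76:B7:96:3B, 00-0c-76-b7-96-3b or 000C76B7963B and return 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str, secureon: Optional[bytes] = None) -> bytes:
    """Return the magic packet payload: 6 x 0xFF + 16 x MAC, plus an optional
    6-byte SecureOn password (a common vendor extension, assumed here)."""
    payload = SYNC_STREAM + parse_mac(mac) * MAC_REPEATS
    if secureon is not None:
        if len(secureon) != 6:
            raise ValueError("SecureOn password must be exactly 6 bytes")
        payload += secureon
    return payload


def find_magic_packet(payload: bytes) -> Optional[str]:
    """Detection helper: if `payload` contains a well-formed magic packet anywhere
    in it, return the targeted MAC as a colon-separated string; otherwise None.
    The sync stream may not sit at offset 0 (some senders add headers), so scan."""
    idx = payload.find(SYNC_STREAM)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 6 * MAC_REPEATS]
        if len(body) == 6 * MAC_REPEATS:
            mac = body[:6]
            if body == mac * MAC_REPEATS:
                return ":".join(f"{b:02X}" for b in mac)
        idx = payload.find(SYNC_STREAM, idx + 1)
    return None


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the magic packet as a UDP broadcast on the local LAN.
    Port 9 (discard) is the conventional choice; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    pkt = build_magic_packet(EXAMPLE_MAC)
    print(len(pkt), "bytes, first 12:", pkt[:12].hex())
    # Constructed sample: a magic packet embedded in unrelated bytes, as seen in a capture.
    print("targets:", find_magic_packet(b"junk" + pkt + b"trailer"))
```

Because the packet carries no authentication beyond the optional SecureOn suffix, anyone who can broadcast on the LAN can wake a host; monitoring for magic packets with `find_magic_packet` over captured UDP payloads shows which stations are being woken and from where.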
  • Page 817: Chapter 32 Status

    ARP Table: records all the ARP tables of host PCs that have connected to CS-2001. Sessions Info: records all the sessions sending or receiving packets over CS-2001. DHCP Clients: records the status of IP addresses distributed by the CS-2001 built-in DHCP server.
  • Page 818: Interface

    (Figure 32-2) Figure 32-2 Status Interface Note: 1. System Uptime: the operating uptime of the CS-2001. 2. Active Sessions Number: shows the current number of sessions connected to the device. 3. Forwarding Mode: displays the interface connection mode. 4. WAN Connection: shows the WAN interface connection status.
  • Page 819 8. PPPoE / Dynamic IP Uptime: when the interface is connected using PPPoE, it displays the connection uptime. 9. MAC Address: displays the MAC address of the interface. 10. IP Address / Netmask: the interface’s IP address and netmask. 11. Default Gateway: shows the WAN gateway address. 12.
  • Page 820: System Info

    32.2 System Info Step 1. Under Monitoring > Status > System Info, it shows the current system information, such as CPU utilization, hard disk utilization and memory utilization. (Figure 32-3)...
  • Page 821 Figure 32-3 System Information...
  • Page 822: Authentication

    32.3 Authentication Step 1. Under Monitoring > Status > Authentication, it shows the authentication status of the device. (Figure 32-4) Figure 32-4 The Authentication Status Note: IP Address: displays the authenticated user’s IP address. Authentication – User Name: the user’s authenticated login name. Login Time: the user’s login time (year/ month/ day/ hour/ minute/ second)
  • Page 823: Arp Table

    32.4 ARP Table Step 1. Under Monitoring > Status > ARP Table, it shows NetBIOS Name, IP Address, MAC Address and Interface of any computer that has connected to the device. (Figure 32-5) Figure 32-5 ARP Table Note: 1. NetBIOS Name: the computer’s network identification name. 2.
  • Page 824 Figure 32-6 Downloading the Anti-ARP Virus Software Figure 32-7 The Result of Executing the Anti-ARP Virus Software...
  • Page 825 Figure 32-8 The Anti-ARP Virus Software will Automatically Run at System Startup...
  • Page 826: Sessions Info

    32.5 Sessions Info Step 1. Under Monitoring > Status > Sessions Info, it provides a list of all the sessions that have connected to the device. (Figure 32-9) Figure 32-9 System Sessions...
  • Page 827 Step 2. By clicking on any source IP, it shows the port number and the traffic. (Figure 32-10) Figure 32-10 The System Info...
  • Page 828: Dhcp Clients

    32.6 DHCP Clients Step 1. Under Monitoring > Status > DHCP Clients, it shows the status of IP address distributed by the device’s DHCP server. (Figure 32-11) Figure 32-11 The DHCP Clients Note: 1. NetBIOS Name: the computer’s network identification name. 2.
