Succendo 502_2000 User Manual (OD2200UME01) EN 1.2
Contents
1. 14.2 IP Pools. IP pools are used by Succendo to assign IP addresses to NC users' virtual network cards. When a user successfully logs into Succendo and activates NC, Succendo will assign an IP address to the user from his assigned IP pool. This address will be the user's virtual NIC address. Note that each user can be assigned to only 1 IP pool. If the assigned IP address conflicts with the IP address of the user's physical network card, Succendo will re-assign an IP address to the user. Select the menu option IP Pool >> IP Pool List and the list of IP pools will be displayed. [Screenshot: IP Pool >> IP Pool List, with columns Name, IP Range, Remove, Edit, Duplicate] Click <All> to select all IP pools displayed on the current page. Clicking <Reverse> will select the unselected IP pools while un-selecting the selected ones. Click <Remove> to delete all selected IP pools. You can also click <Empty> to remove all IP pools currently displayed. Chapter 14, Network Connection. 14.2.1 Adding a new IP Pool. Click the <Add> button to open the Add New IP Pool interface and complete the fields described below. Name: Name of the IP Pool. Pool: Enter the Start IP address and End IP address of an IP range and click <Add> to add the
2. Chapter 3, System Configuration. 3.1 System >> Interface. Succendo has several Ethernet interfaces, which can be divided into two types: internal interfaces, which are connected to the internal application servers, and external interfaces, which are connected to external clients. You can configure the IP address, net mask, default gateway and static route of internal and external interfaces. [Screenshot: System >> Interface, with fields Interface, Type, IP method, IP Address, Subnet mask, Interface Default Gateway (For Multi ISP) and a static route table with columns Destination, Subnet mask, Gateway, Remove] Interface: Select the port, named eth0 to ethN. The number of ports available for selection depends on the Succendo model. For example, Succendo 502 has four ports; thus eth0 to eth3 are available for selection. Type: Select Internal or External. IP Method: Select Manual to specify the IP address, or DHCP to obtain the IP address from the DHCP server on an accessible network. IP Address: IP address of the port. Subnet mask: Subnet mask of the port. Interface Default Gateway: The IP address of the default gateway for this interface, for multiple ISPs. This field is only displayed if the Type i
3. Service status. Tool Bar buttons. Appendix A, End-user Remote Access. The Valid column indicates the status of the services. If the service is currently not in use, the value in the Valid column will be a no. If the services are currently being accessed, the user will see a yes in the Valid column, and the amount of data sent and received will be shown under the Sent and Received columns respectively, as shown in the example below. [Screenshot: service list with Valid, Sent and Received columns] If the IP address of the service becomes invalid due to a disconnection from the server or the server being down, a red E will appear under the Valid column. [Screenshot: service list with invalid services] On top of the service list is the tool bar with various commands. [Screenshot: tool bar with User, Language selector, Change Password, Logout] Change password: To change the password, the user can click the Change Password button
4. Example: ftp s, where s points to the IP address of the FTP server to connect to. Chapter 8, Service Management. 8.4 Service Type. Here you can configure the necessary service types used to categorize the services displayed on the client's interface. [Screenshot: Service >> Service Type list, with columns Name, Protocol, Remove, Edit, Duplicate] You can only select service types that were defined by administrators. System pre-defined types are not selectable. 8.4.1 Adding a new service type. To add a new service type, click Add. [Screenshot: Service >> Service Type, with fields Name, Protocol, Group and buttons Add, Remove, Save] Name: Service type name. Ports: Select the service port type from the drop-down menu and enter the corresponding port number. Click <Add> to add the port number to the list in the box below. Select a port and click <Remove> to delete it from the list. Group: Select the group this service type will belong to. 8.4.2 Editing, Deleting and Duplicating existing service types. To edit a service type, click the type (which is a hyperlink) or
5. To delete an existing IP pool, click the icon corresponding to the IP pool. To duplicate an IP Pool, click the icon under the Duplicate column corresponding to the name of the pool you want to duplicate. The duplicated item will be created with the original name prefixed with a "Copy of". Chapter 14, Network Connection. 14.2.3 Querying for specific IP Pools. You can also query for specific IP pools based on the name. Enter the full or partial name in the Name text box and click <Query> to generate the search list. 14.3 VPN Users. Set up the users that are able to activate NC access remotely through Succendo. Select User >> User Accounts from the menu and the list of currently existing users will be displayed. Either click <Add> to add a new NC user, or edit an existing user to enable NC access by assigning the users IP Pools. In the IP Pool field on the interface, select the appropriate IP Pool from the drop-down menu displaying the list of IP Pool names configured in Section 14.1. Please refer to Chapter 7, Section 7.2 for details on the adding/editing of user accounts. Note: The IP Pools must not contain any IP addresses currently existing in the network. Configure static routes on the application server gateways to ensure that application server data to addresses in these IP pools can be routed to Succendo.
6. [Screenshot: Log Type options] Remote ftp server configure. IP address: IP address of the remote FTP server to export the file to. User name: Login user name for the FTP server. Chapter 10, Log Management. Password: Corresponding login password. Path: Directory and/or filename to store the file to. Time Configure. Export Time: Specify the time and date to begin the automatic export by using the date picker icon. Interval: Specify the interval between each export (days). Query Condition. Operator: Specify the user whose log records are to be exported during this scheduled automatic export. Result: Specify whether to export log records of failed (Fail), successful (OK) activities or both. Level: Select the levels of the logs to be exported. Log Type: Select the type of logs to be exported. Click <Save> to save the configuration. 10.2 Query for logs. To search and view logs recorded, select Log >> Log Query at the Menu Bar. The Log Query interface will be displayed as shown below. [Screenshot: Log >> Log Query, with fields Level, Result, Show items, Operator, Log Type, Sub Type, From, To and buttons Query, Reset] There are 7 criteria you can set to narrow your log search. These are: Level: The level of severity of the logs you wan
7. Import configuration or restore the original factory settings. [Screenshot: Restore factory setting, with OK button] 3.6.1 Export system settings. Click the <Export> button to save the current system settings into the local memory. Then click <Download> when given the option. The system will then further prompt you to save the settings into a file named sysbackup.bin (you can also enter another filename). Click <Save> to save the file or <Cancel> to abort the operation. 3.6.2 Import system settings. To import previously saved settings, first select the configuration file from your local disk by clicking <Browse>, or enter the full path and filename directly into the text box, then click Import. After a confirmation prompt appears, click <OK> to continue to import or <Cancel> to abort importing. Note that all current configurations, including address, password and license information, will be overwritten by the imported settings. As different Succendo models may differ in their configuration settings, you cannot import a configuration backup file from a different model. Note also that the configuration backup file from one Succendo device cannot be imported into another device. Warning: Importing settings would restart the device automatically. 3.6.3 Restore original factory settings. To restore the original factory settings, click the <OK> button beside Restore Factory Setting. After a confirmation
8. & auto complete: this clears any user credentials from previous authentication and clears all cache in auto-complete features found in text boxes. Delete directory: deletes the data stored in the directory during the connection. Chapter 12, Client Policies. Check Item: Name of the specific item. This field is not available if Rule Type is Patch Level. Examples of check item values for rule type: Regfold: HKEY_LOCAL_MACHINE SOFTWARE INTEL; Regkey: HKEY_LOCAL_MACHINE SOFTWARE INTEL IG DIVinstall. Item Value: The value of the item to check against, based on Rule Type selected. Message URL: When a rule fails, the system will display an error message which is clickable and hyperlinked to this URL. Policy Information: Select the policies that will include this rule. Description: Brief description of the rule (max 128 characters). Click Save to save the information or Reset to undo the changes. 12.1.2 Query for specific rules. [Screenshot: Query, Name] You can also query for specific rules based on the rule name. Just enter the name or part of a name into the Name text box, as shown in the diagram, and click <Query> to generate a new list. Chapter 12, Client Policies. 12.2 Client Policy. Client policies are defined by their type and the rules they include. Each policy can be defined by mult
9. button to open the Add New rule interface and complete the fields described below. [Screenshot: Add New rule, with fields Name, OS Type, Check Type, Rule Type and the Rule Type drop-down list] Name: Rule name. Note that the rule name will be made known to the user when there is a violation. OS Type: Operating System; currently select from Windows 2000, Windows XP, Windows 2003 or Windows All. Check Type: Define the type of check to be made with this rule. Select Host Check, which checks various aspects of the user's workstation, or Cache Clean, which clears the local cache of the workstation. Rule Type: Depending on the Check Type selected, you can specify which aspect of check to perform or which part of the cache to clear. Regfold: Register folders. Regkey: Register Keys. File: Client-end file. Service: Client service. Driver: Client-end driver. Process: Client-end process. Module: Client-end module. Patch Level: Windows patch level. Port: Client-end port. File version: Version of software used to create/modify the file on the client end. Clean cookie: clear the cache cookies. Clean file: clear temporary internet files and web history files. Clean temp: clear temp files as defined in the environment variable temp. Clean user credentials
10. duplicate. A copy of the service will be inserted into the Service List with the name copy <> <service name> (first copy is copy 0), as shown in the example below. [Screenshot: Service List with duplicated HR Service entries] Chapter 8, Service Management. 8.2.4 Application Access Control Rule (AACR). The AACR (Application Access Control Rule) are rules applicable to service commands, determining whether they can be performed or not. For example, if the AACR for the FTP command DELE is Deny, then the user assigned with this AACR will not be allowed to delete any files while performing FTP. Note that the adding of AACR here can have an effect on the AACR Default Action configured in System >> Security (Chapter 3, Section 3.3). The AACR default action determines the nature of a service's commands in the event where AACR are defined for none or some of them. So if there is no AACR defined for a service at all, all its commands are defaulted to Permitted, regardless of what is defined in the AACR Default Action. But if some of the commands in a service are assigned AACR, then those without an AACR will follow what is set in AACR Default Action. To begin defining the Application Access Control Rule for a service, click the icon found under the AACR column and you will see the
11. on the tool bar. A Change Password interface will open. [Screenshot: Change Password, with fields Old Password, New Password, Confirm Password, Enable PIA (password input assistant), Domain, Name, Password, Confirm Password] Enter the current password (old password), the new password, and retype the password (Confirm Password) to confirm. Click <OK> to change the password. The user can also enable a single sign-on functionality by selecting Enable PIA (password input assistant). Specify his Domain (ip address), user name and password. Retype the password to confirm. Upon successful login, Succendo will automatically enter the user's information when accessing the authorized services. Appendix A, End-user Remote Access. A: AA Mode; AACR: Default Action, Defining; Access Control: role based model (See Role), See AACR; Access Restriction List: adding new ARL, configuring/editing, default action, definition, querying; Administration: Login, main screen, change password, language selector, logout, online help, menu bar options: system (See System function), administrator (See Administrator function), certificate (See Certificate), authentication (See Authentication Servers), user (See Users), service (See Service), role (See Role), log (See
12. to connect the network port of the computer directly to the control network port of the Succendo system. 3. This user manual. Step 3: Connect the Succendo system to the computer, power sources and LAN. This section explains the preparations you must complete before running the Succendo system, which include checking the power source and control cable connection. 1. Check and connect the power source. The Succendo system only supports AC input of wide voltage range with the specification of 115 230V 50 60Hz full range. 2. Connect the Succendo system to the computer using the serial cable. Connect the RS232 port of the Succendo system to the serial port of the computer using the serial cable in the accessories in order to control the Succendo system. Please fasten the fasteners of the serial port connector to avoid contact failure. 3. Connect the Succendo system to the computer using the network cable. In general, connect the ETH0 of Succendo to your control computer's Ethernet port. 4. Start up the system. After you have done the above steps, switch on the system. Chapter 1, Introduction. 1.5 Some default settings. Eth0 IP address: 192.168.1.100. Serial port setting: Baud rate 9600, Stop Bit 1, Parity None. Default administrator username: admin (for Web UI, SSH, Command Line). Default administrator password: admin (for Web UI, SSH, Command Line). Default SSL protocol: SSL3.0, TLS1.0. Ti
13. [Screenshot: Top N statistics table, with Deny and Error counts and buttons Query, Reset, Download, Print] For each individual area, you can specify the number of top entries you want to see in that area. For example, you can specify to see the top 10 entries in Services most requested, Top 5 users stayed online the longest, Top 7 users logging in and out frequently, and Top 3 heavy users of services. Just enter an integer into the respective text boxes and click the Query button. Deny, at the bottom of the screen, represents the number of times users have been denied from accessing a service. Error, at the bottom of the screen, represents the number of times erroneous user logins were carried out. Click Reset to reset the TopN data. Click Download to save the Top N statistics on the current page into a txt file in the local storage. Click <Print> to print the Top N statistics on the current page. Chapter: Client Policies. Client policies exist to ensure that the end user's workstation maintains a secured network environment and complies with corporate security policies, especially for mobile users and users who frequently perform remote access. Policies are made up of Rules, which can be defined by the administrators. Currently Succendo checks and maintains the end user's workstation based on two types of rules: Host Check and Cache Cle
14. 1 Introduction. 1.3.2 Succendo 2000. Front Panel. [Figure: Succendo 2000 front panel, with Power Status and Storage Status indicators] Interface / Description of Function. Console: A RS232 standard serial port that enables you to connect Succendo to a computer, from which you can then call up a console program such as Windows HyperTerminal to issue Command Line commands. Default settings: baud rate 9600 b/s, one stop bit, no parity bit. FE0-FE3: FE0-FE3 are the four 10/100M Ethernet ports. GE0-GE1: GE0-GE1 are the two 10/100/1000M Ethernet ports. The LCD displays current system status and information like IP address, system resource usage, number of users online, etc. See Appendix A for details. LCD Control Keys: Used for navigating the menu options in the LCD. Power status: Power indicator. Lighted LED indicates that the system is on. Storage Status: Read/Write indicator. Blinking LED indicates that the system is currently reading/writing data. Chapter 1, Introduction. Rear Panel. [Figure: rear panel, with cooling fan] Interface / Description of Function. AC Power Input Socket: Power socket for voltage of 110 230V. Cooling Fan: Cooling fans to help reduce the heat produced by the device. 1.4 Connecting Succendo to the LAN. Connecting the device into the existing netwo
15. All only if you are about to do a system upgrade or to do a re-installation. Erase would erase configuration settings and clear the logs, thus restoring to factory default. Regardless of whether you are using erase data or erase all, the user setting for SSL VPN will be discarded. This includes IP address, route settings, administrator settings, user and user group information, and role information. Ensure there is a backup for this information before using this command. exit. Command string: exit. Exit from monitor. Using the hotkey <CTRL C> has the same effect. interface. Command string: interface ethX ip A.B.C.D M.M.M.M. Setting ip address of an ethernet port. Monitor> interface eth0 ip 1.1.1.1 255.255.255.0. Chapter 15, Shell Commands. Command string: interface ethX up/down. Switch the ethernet port on or off. To switch off the ethernet port: Monitor> interface eth1 down. To switch on the ethernet port: Monitor> interface eth1 up. ip. Command string: ip route A.B.C.D M.M.M.M A.B.C.D. Establish static routes. Monitor> ip route 1.1.1.1 255.255.255.255 218.201.10.120. no. Command string: no ip route A.B.C.D M.M.M.M. Function: remove existing static routes. Example: Monitor> no ip route 1.1.1.1 255.255.255.255. ping. Command string: ping A.B.C.D. Function: Ping destination IP address. Monitor> ping 86.18.1.1 5 packets transmitted 5
16. [Screenshot: gateway certificate list, with columns Description, Update, View, Remove] Select the gateway certificate you want Succendo to use by toggling the certificate's Using column to Yes. Only one certificate's Using column can be toggled to Yes at any time; the rest must remain as No. Click the icon under the Update column to regenerate the self-signed certificate. Clicking the <All> button will select all the certificates in the current page of the list, if the list spans more than one page. Clicking Reverse will unselect the selected certificates while selecting the unselected. To delete a certificate, click the icon under the Remove column of the certificate. To delete multiple certificates, select the certificates to delete by clicking the check boxes next to the certificates and click the Delete button. Note that you can only remove certificates that are not in use, i.e. No in the Using column. 5.3.1 Viewing the certificate information. You can view the certificate information by clicking the icon under the View column of the certificate you want to view. The certificate information will be displayed. To see the Issuer's certificate information, click the Issuer Cert button at the left-hand corner and the relevant information will be shown. 5.3.2 Installing a new gateway certificate. There are 3 w
17. Memory usage: The percentage of Random Access Memory (RAM) currently used by the system. Disk usage: The percentage of hard disk space currently used by the system. Chapter 11, System Monitoring and Control. Model: Model number of the Succendo device. Version: Current build of Succendo. Client Version: Version of the client-end component and ActiveX. Max license: Maximum number of users as granted by the user's current license. System Date and Time: Current system date and time. Uptime: How long Succendo has been up. eth0, eth1 ... ethN: TX and RX packets speed of Ethernet ports. Session Number: Number of sessions spawned at the moment. User Number: Current number of end users online. 11.2 Monitor >> Online User. Select Monitor >> Online User to access this page, which displays the list of users currently online. This is also where you can choose to terminate any online connection between users and the System. [Screenshot: Monitor >> Online User, Online User List with columns Sel, Name, Authentication Server, Admin, Login Time, Login ip and buttons Refresh, Terminate] Name: User name. The current administrator will be displayed with a followed by the name. Authentication Server: Name of the authentication server used by this user. Admin: Whether user has administrative rights. Login Time: Date and time of user login. Login IP: IP address where us
18. click the icon corresponding to the type. You will open a screen identical to the Adding a new service type interface, except that the fields are populated. To delete an existing service type, click the icon corresponding to the type. You can also select multiple applications by selecting the check boxes beside the names and then click Remove to delete en masse. Note: Pre-defined service types in the system cannot be deleted. To duplicate an item, click the icon under the Duplicate column corresponding to the name of the service type you want to duplicate. The duplicated item will be created with the original name prefixed with a "Copy of". 8.4.3 Querying for specific service types. You can also query for specific service types based on the type name. Enter the full name in the Name text box and click Query to generate the search list. Note that this query will not return partial matches. Chapter 8, Service Management. 8.5 IP Host. In order to allow the convenient recognition of the various application servers, you can add the mapping between IP addresses and host names in this interface. From the bottom of the list, there are two ways to add new IP hosts, as detailed below. 1. Type in the IP address and hostname and click Add. 2. Create a txt file on the local machine with IP addresses and hostnames mapped accordingly in the file. Click Browse and select the file. Cli
19. correct. Description: Brief description of the server (max 128 characters). Click <Save> to add the server once all parameters are specified. 6.1.4 Configuring Local Server. [Screenshot: Local Authentication Server, with fields Password Minimum length (6-32), Password Maximum length (6-32), Default Credential and buttons Save, Reset] Password Minimum length: Minimum number of characters for the password. Password Maximum length: Maximum number of characters for the password. Default Credential: Select the default authentication method from the drop-down menu. Chapter 6, Authentication Servers. 6.2 Managing existing authentication server. 6.2.1 Editing the server's parameters. There are two ways to view and edit an existing server. Click the icon corresponding to the server name you want to edit; the icon is found under the Edit column of the server list. Or directly click the server name. Using either method brings up the server information configuration window. After editing the information, click Save to save the modification or Reset to undo the changes. Tips: You can also retrieve the user account information (without password information) from the authenticating server by clicking the Download user button. Note that this option is only available for LDAP and Windows AD server. 6.2.2 Downloading User Information. From the server edit
20. i. Select the item from the respective Unselected list box. You can select multiple items from the list box. ii. Click the button and the selected items will be placed in the corresponding Selected list box. Chapter 7, User Management. iii. To remove the items from the Selected list box, select the items to be removed and click the button. Alternatively, double-click an item to move it from one list to the other. Once you are satisfied with your options, click <Save> to save the group. 7.1.2 Edit existing user group. There are two ways to view and edit an existing user group. Click the icon corresponding to the group name you want to edit; the icon is found under the Edit column of the group list. Or directly click the user group name. Using either method will bring up the group information configuration window, identical to the Add New User Group interface except that the fields are populated. After editing the information, click Save to save the modification or Reset to undo the changes. 7.1.3 Delete existing user group. To delete an account, click the icon corresponding to the group name you want to delete. The icon is found under the Delete column of the group list. As usual, a confirmation dialog box will pop up to confirm your deletion. You can also select multiple groups by clicking the check box next to them and click
21. interface, click Download user to download user and user group information (not including user passwords) from the selected server. This function is only available for LDAP and AD servers. A tree structure user interface will be displayed. From the tree, select the users and user groups to download. Click Save to begin the download or Reset to undo the selections. In the LDAP/AD server user tree displayed, organization units, container and user groups that were downloaded previously will be shown as selected. When you re-select the users from the tree, the following will be performed: Users in previously selected organization units and containers that are not selected currently will be deleted. Previously selected groups that are not selected currently will be deleted. The selected nodes will be downloaded into Succendo. Chapter 6, Authentication Servers. All users in the selected organization units and containers will be added into Succendo, with organization units and containers added as user groups. The group name will be ou authentication server name ou container name. For example, if the authentication server is testserver and the ou name is testou, then the group name on Succendo will be ou testserver testou. If the organization unit contains other organization units, containers or groups, the users under these groups will also be added into Succendo accordin
22. is address not specify. Press key (ctrl shift 6) interrupt it. Sending 12, 78-byte ICMP Echos to 192.168.2.2, timeout is 3 seconds. Success rate is 100% (12/12). Round trip min/avg/max 0/0/1 ms. Chapter 15, Shell Commands. poweroff. Command string: poweroff. Power off the system if it supports APM (advanced power management). reload. Command string: reload. Reload system. restore. Command string: restore setting. Restore to factory setting; after restore you should reload system. After restoration, the IP address will be restored to factory default's 192.168.1.100, the administrator user name and password restored back to default admin and admin respectively, and all other settings are lost. Chapter 15, Shell Commands. show. Command string: show interface ethX <cr>. Show ethernet port's information. Function: Shows a specific port information: ssl_vpn show interface eth1. eth1: IP Type Manual, Flags 0x1043 UP, Internet address 211.23.16.15, Netmask 255.255.0.0, Ethernet address 00:30:18:a3:43:f3. Shows all ports information: ssl_vpn show interface eth0 IP Type Manual, Flags 0x1043 UP, Internet address 86.18.1.15, Netmask 255.255.0.0, Ethernet address 00:0e:2e:2d:cf:0b. IP Type Manual, Flags 0x1043 UP, Internet address 211.23.16.15, Netmask 255.255.0.0, E
23. [Screenshot: local CA form, with Key Length 1024 and Generate button] Chapter 5, Certificate Management. To generate a new local CA, complete the following fields in the bottom half of the screen. Note that only one local CA is saved in the system at any time. Country: Country where the Succendo server is situated. State: Name of the state. Location: Specific location name. Company: Organization name. Department: Certificate user department. Common Name: Publicly known name of this certificate. Key Length: Length of the security key (1024, 2048, 4096). Click <Generate> to generate the local CA. A display window appears when the local CA is successfully generated. Click <Return> to return to the local CA interface. Chapter 5, Certificate Management. 5.2 Trusted CA. Trusted CA represents the issuer CA of user certificates. You can set up whether or not to trust the possible issuer CAs using this function. Select Certificate >> Trusted CA to see a list of Trusted CA. You can toggle the Trust column between Yes and No to indicate if the certificate is to be trusted or not. You can toggle the CRL column between Yes and No to instruct Succendo to check or ignore the CRL of this CA. To delete a certificate, click the icon under the Remove column of the certificate. To delete multiple certificates, select the certificates by clicking the check boxes n
24. [Chart: time axis at 2-hour intervals] The top chart shows the daily eth port's TX package speed in bit/s, based on the speed versus time at 2-hour intervals. The bottom chart shows the daily eth port's RX package speed in bit/s, based on the speed versus time at 2-hour intervals. The statistics displayed in the 2 charts are the combined statistics collected from all ports in the system. To view the individual port's charts, click Detail above the TX chart. An example of the chart for Ethernet port 0 is shown below, with the TX statistics in yellow and the RX statistics in blue. Chapter 11, System Monitoring and Control. [Chart: Ethernet 0, TX and RX] 11.3.7 Query for charts from other date. [Screenshot: Query, with date picker] You can query for charts showing information from other dates and times. Just select a date from the date picker in the Date Picker interface (remember to set the time first before selecting the date) and click the Query button. You can also decide if the charts would display daily, weekly, monthly or yearly information. Select your option from the drop-down box. 11.3.8 Data collection interval. [Screenshot: Save, with 5 Minute drop-down] By default, Succendo collects the statistical data for the above charts in a 5-minute interval. To change this interval, select the time from the drop-down menu (between 1 to 5 minutes) and click Save. To not collect the data
25. <Reverse> will unselect the selected names while selecting the unselected. There are four types of users: local password users, local certificate users, local password certificate users, and authentication server users. To begin adding a new user, click the <Add> button to access the Add User page. You can add a local user, which can be a Password, a Certificate or a Password Certificate user, and a non-local user. Chapter 7 User Management. 7.2.1 Adding a local user. To add a local password user, select Local for the Authentication Server field (this is also the default value when you first access this page) and then select Password (again, this is the default value) for the Credential Type field. (Screenshot: User >> User Accounts add form with the fields Name, Upload Name File, Authentication Server, Credential Type, Password, Confirm Password, IP Pool, Time Out, Re-authentication valid time and Status) Name: user name. Upload Name File: click <Browse> and select the text file containing the list of user names to upload. If With Password is selected, the file should contain both user names and the cor
26. may cause Succendo to be inaccessible. Chapter 3 System Configuration. 3.4 System >> Update. You can update the system with new upgrade packages via FTP, via HTTP, or by uploading from the local hard drive. 3.4.1 Update via FTP. When updating via FTP, fill in the fields that apply to your choice of anonymous or non-anonymous login, as shown in the screenshots below, and click <Update>. (Screenshot: System >> Update with Anonymous login selected, showing the Host and Update File fields) (Screenshot: System >> Update with Anonymous login unselected, showing the Account, Password, Host and Update File fields) Anonymous: select whether to log in to the FTP server anonymously. Account: for non-anonymous login, enter the account name (user ID). Password: for non-anonymous login, enter the password corresponding to the account name above. Host: the IP address of the FTP server. Include the port number if necessary. Update File: the name of the file to download. Include the full path of the file. 3.4.2 Update via HTTP. For update via HTTP, complete the required fields and click <Update>. Host: the IP address of the HTTP server. Upda
27. prompt appears, click <OK> to continue to restore or <Cancel> to abort the action. Chapter 3 System Configuration. 3.7 System >> Tools. This menu item contains various tools to assist the Administrator. (Screenshot: System >> Tools with IP or Host, Ping Count, Ping, Restart device and PowerOff device) IP or Host: IP address or DNS name to ping. Ping Count: ping count. Ping: click this button to ping the IP address or DNS name specified above. Restart Device: restart Succendo. PowerOff Device: switch off the Succendo device. 3.8 System >> License. The page indicates the maximum number of authorized users for this license and the license ID, as shown in the example screenshot below. (Screenshot: Max license users, ID, Key and <Save>) To update the license, enter the new license Key obtained from the manufacturer and click <Save>. 3.9 System >> Custom. Here you can upload and customize the images displayed on the user interface. Screenshot (System >> Custom): Welcome Picture (557x79, GIF/JPEG), Client Banner Picture (351x58, GIF/JPEG), Admin Banner Picture (822x72, GIF/JPEG), Welcome Message, Background Color, Bulletin Message, Client Default Language, Admin Defa
28. range into the list box below. Select an IP range from the box and click <Remove> to remove the range from the list. As Succendo defaults all IP addresses assigned to end users to be of network length 32, it is not necessary to specify the network mask of the IP range. Note that the maximum number of IP ranges per IP pool is 6. User Information: select the users to be assigned to this IP Pool by selecting them from the Unselected box and click to move them into the Selected box. Note that each user can only be assigned to 1 IP pool, and the Unselected box will only display the users that are not yet assigned to any IP pool. Description: brief description of this IP Pool. Click <Save> to save the new IP pool. Note that if the administrator defines an IP Pool with the IP Pool name equal to that of an authentication server, users whose logins are authenticated by this server will be able to obtain an IP address from this authentication server's IP pool if the user was not assigned an IP Pool on Succendo. Administrators can also edit or remove the assigned IP pool from a user in the edit/add user interface, as will be demonstrated in Section 14.2. 14.2.2 Editing, Deleting and Duplicating Existing IP Pools. To edit an IP pool, click the hyperlinked name or the edit icon corresponding to the pool. You will open an interface identical to the one allowing you to add a new IP pool, except this time the fields are populated
29. specify the following parameters in the text boxes at the bottom of the list. Port: virtual port number of the service. Destination IP: actual IP address of the server providing this service. Destination Port: corresponding port number of the service. Use SSL: select whether to use SSL encryption. Click <Add> to add the new virtual service. To remove a virtual service, click the corresponding icon in the rightmost column of the list. Note: when defining ports for NAT or Virtual Service, the port number must not be the same as Succendo's reserved ports 1 22 or the SSL listening port (default 443). Chapter 4: Managing the Administrator Accounts. Here is where you can manage the administrator accounts: add, edit or delete them. Succendo is configured with a default administrative account. The default account name is admin and the default password is admin. Note that you will not be able to remove this root account. 4.1 Managing Accounts. You should create a few administrative accounts to suit your needs, giving each one admin capability limited according to its function and role. To manage these accounts, click the menu item Administrator on the menu bar and click the sub-menu items to access the function you need. The diagram below shows the Account management screen. (Screenshot: Administrator >> Account with <Add>, Query by Name, <All>, <Reverse> and <Remove>)
30. the above steps, Succendo is ready to provide remote access services for your company. Chapter 2: The Administration Interface. 2.1 Main Screen. After logging on to Succendo, you will be greeted with the welcome page. All options and menu items are accessible from the menu bar found on the left. (Screenshot: Succendo SSL VPN main screen at Monitor >> Monitoring, with callouts for the Language Selector, Menu Bar, Display Window, System Date and Time, Change Password, Online Help and Logout. Copyright 2006 O2Micro, All Rights Reserved.) If this is your first login to the system, the monitoring page will be displayed; otherwise it will be the last configuration page you accessed before your previous logout. Clicking any of the Language Selector buttons Eng
31. then select Certificate for the Credential Type field. An additional Certificate field will appear where you can browse for a certificate to upload. Select Zip packet next to the certificate field to upload multiple certificates within a Zip file. Complete the other fields as above. To add a local password certificate user, select Local for Authentication Server and Password certificate for Credential Type. Succendo will authenticate the user based on both the user password and the certificate. Note: the Credential Type field is related to role management. For example, if the credential type of roleA is certificate, then a password user cannot access the services in this role even if he was assigned roleA. Please refer to Chapter 9 on role management. Click <Save> to save the new user or <Reset> to clear the field text boxes. Chapter 7 User Management. 7.2.2 Adding a non-local user. To add a user that is verified by an external authentication server, select an authentication server for the Authentication Server field. The servers available for selection are the ones you have already defined. See Chapter 6 for details on how to set up authentication servers. Screenshot (User >> User Accounts): Name, Authentication Server, IP Pool, Time Out, Re-authentication valid time, Status ENABL
32. ttl 1 max ttl 30 1 86 18 1 1 6 561ms 2 270ms 1 474ms Command Update system HOST www ftp username string password FILE Update system using www or ftp Update via WWW update system 211 23 4 175 www d3p4 bin Update via anonymous FTP login update system 211 23 4 175 ftp d3p4 bin Update via FTP user login update system 211 23 4 175 ftp d3p4 bin warmghost 810427 who Command who string Show all login users on shell ssl_vpn who Line User Host Idle Total vtyO admin 211 23 4 9 00 00 00 00 27 29 Succendo 502 2000 User Manual 1 2 125 Chapter 15 Shell Commands 15 3 Configure mode Configure Mode is part of the Normal Mode To enter this mode type configure and press ENTER while you are in Normal Mode Under this mode you can configure the system s network related information such as IP address route etc 126 Command list end exit from configuration mode exit exit from current EXEC mode hostname configure host name of local machine interface interface configuration commands ip internet protocol configure command no negate a command or set its defaults ssl Configure ssl related parameters end exit Command end string exit Function Return to normal mode hostname Command Hostname NAME string Function Set hostname ssl_vpn config hostname Succendo3 Succendo3 config First character of the name must be an alphabet and the name must not be longer tha
33. users. Note that users locked by the system will be automatically unlocked when their locked period expires. The locked period for all users is set in the Security settings. See Chapter 3, Section 3.3 for details. 7.3.2 Querying for locked users. You can narrow down the locked user list to view users from specific groups, with specific user names, or those verified by specific authentication servers. This is done by entering the full or partial group name or user name into the text boxes and/or selecting the server name from the drop-down box, which is similar to how you would query for existing users. Click <Query> to generate the search results. Chapter 8: Service Management. Access to services in Succendo is entirely determined by roles. Users, or users in a user group, must have the correct role or roles assigned to them before they can access the services. You can set up the kind of service a specific role can access (see Chapter 9), or the kind of role or roles that can access the service, right here in Service Management. An illustration of the many-to-many relationship between roles, users and services can be found in Chapter 1, Section 1.2. 8.1 Adding a new service. Select Service >> Service List from the Menu Bar to access the Service List (refer to Section 8.2 for details), then click <Add> to add a new service. The Add new Service interface will be displayed. Complete t
34. Copy the request information in the text box for your third-party certificate server to request the required certificates. Step 3 (screenshot): Gateway Certificate and Issuer Certificate fields, each with a <Browse> button, and an <Import> button. When you receive the Gateway Certificate and the Issuer Certificate, import the files into the system in Step 3 to complete the request. If the import is successful, you will see a message indicating that the certificate is uploaded successfully. Chapter 5 Certificate Management. 5.5 Protection Key. Select Certificate >> Protection Key to set the private key protected password. Note that this private key is used for all Succendo gateway and local CA certificates. Complete the required fields: enter the New Protection Key and retype it in Confirm Protection Key. Click <Sa
35. Chapter 1: Introduction. Succendo SSL VPN is an SSL-based clientless secure remote access solution. Remote users using Succendo can access the company's internal network via the Internet securely. This is done by utilizing technology such as user verification and authentication via authentication servers, role-based access control and data encryption to protect the network and to provide protection while users access and use internal network services. With the SSL/TLS protocol, Succendo ensures that data is encrypted adequately to prevent eavesdropping. As an SSL-based VPN, Succendo supports a wide range of TCP/UDP-based application programs such as web applications, ftp, tftp, telnet, terminal server, VNC, file sharing, SSH, HTTPS, Oracle, Exchange, Outlook, Lotus Notes and MySQL. Succendo also supports a wide range of port-ranged application programs. Besides deploying an internal user verification database, Succendo utilizes authentication servers such as Windows AD, LDAP and Radius for an integrated user management system, thus simplifying system administration. User authentication methods include the use of username/password, one-use password, token authentication, certificates and image code
36. 14 175 ftp admin admin monitor v1 05d Update the system via WWW Monitor gt update system 211 23 14 175 www d3p4 bin Update the system via anonymous FTP login Monitor update system 211 23 14 175 ftp anonymous a d3p4 bin Update the system via FTP user login Monitor update system 211 23 14 175 ftp admin admin d3p4 bin Succendo 502 2000 User Manual 1 2 Chapter 15 Shell Commands 15 2 Normal mode If the system start up normally it will be in Normal Mode where all SSL VPN services are activated Under this mode you can configure basic system parameters Command list configure turn on configuration commands mode exit exit from current EXEC mode generate generate new local certificate ping send echo message poweroff switch off the system reload reload the system restore restore the system show show running system information traceroute send echo message update update software who show all login users 2 Command string Under any mode when a is typed after a command the monitor will display the parameters or sub commands available for this command Succendo show Commands interface Interface configuration commands ip Internet protocol configure command version software version Succendo 502 2000 User Manual 1 2 119 120 Chapter 15 Shell Commands lt tab gt Command lt Tab gt as in pressing the TAB key on the string keyboard Under any mode pressing the TAB key aft
39. (Screenshot: Succendo SSL VPN end-user service page with the Server List bar, tool buttons and the service list. Copyright 2006 O2Micro, All Rights Reserved.) On the right of the top banner area is an auto-scrolling bulletin board where messages from administrators are displayed. The page consists of a Server List bar on the left, tool buttons on the top and the service list below the tool buttons. The services are divided into groups for easy viewing and access. The various service groups available are: Proxy Services; Customized Services that are not otherwise categorized under the catego
40. Duplicate existing user. To duplicate a user, click the button corresponding to the user name you want to duplicate. The duplicated user will have the same name as the user being duplicated, but prefixed with the words "Copy of" together with the number of copies currently existing. For example, duplicating the user name Ricky once would yield a new user named Copy 0 of Ricky. Note that every duplicated user's status begins as Disabled; you will need to enable it manually if you want it to be active. The icon is found under the Duplicate column of the user list. 7.2.5 Delete existing user. To delete a user, click the icon corresponding to the user name you want to delete. The icon is found under the Delete column of the user list. As usual, a confirmation dialog box will pop up to confirm your deletion. You can also select multiple users by clicking the check box next to them and click <Remove> to delete them en masse. 7.2.6 Querying for existing users. You can narrow down the user list to view users from specific groups, with specific user names, or those verified by specific authentication servers. This is done by entering the full or partial group name or user name into the text boxes and/or selecting the server name from the drop-down box, as shown in the diagram below. (Screenshot: <Add> and Query with the Group, Name and Authentication fields) Any combination of criteria can be formed as long as you have a
41. Once you have selected an authentication server, simply fill in the various fields as shown in the diagram to the left. The configuration of each field is similar to Section 7.2.1 above. The rest of the fields to fill in after determining the type of user are as follows. Group Information: select which existing group the user will belong to. Role Information: select the existing roles created with the Role option (see Chapter 9) to be assigned to this user. Client Secure Policy Information: select the client secure policies created in the Client Policy option (see Chapter 12) for this user. All selected policies are related by an "or" relation by default. This means that as long as 1 policy is fulfilled, the user check is satisfied. You can add or remove "and" relations by clicking the add or del buttons respectively. Select the policy name from the list and click add to add an "and" relation below this policy. Click the relation line and del to remove the relation. All policies enclosed within the line are related by the default "or" relation. Example: McAfee 8.0.0, Norton Anti Virus, Windows auto update. This indicates that the user end must have Windows auto update and either McAfee 8.0.0 or Norton Anti Virus running on his computer to satisfy the policy check. Chapter 7 User Management. Access Select the ARL create with the ARL option Re
42. (Screenshot: Gateway Information form with Domain Or IP, Country, State, Location, Company, Department, Key Length, Validity and <Generate>) Domain or IP: the gateway's domain name or IP address. Country: country of origin. State: state of origin. Location: location of origin. Company: organization name. Department: certificate user company department. Key Length: length of the security key; select from 1024, 2048 or 4096. Validity: validity of the certificate (number of months). Click <Generate> to generate a new self-signed certificate or regenerate an old one. The third way to install a certificate is to perform a certificate request, which is described in the next section. Chapter 5 Certificate Management. 5.4 Certificate Request. There are 3 steps to request a certificate. Step 1 requires you to fill in the certificate request information, which is identical to the Gateway information fields in Section 5.3.2 above. After completing the fields, click the <Generate> button; the next screen shows Step 2 and Step 3.
44. O2Micro Breathing Life into Security Streaming Succendo. Succendo 502 2000 Series User Manual 1.2, OD2200UME01 1.2. IMPORTANT NOTICE. No portion of O2Micro specifications, documents or any of its subparts may be reproduced in any form or by any means without prior written permission from O2Micro. O2Micro and its subsidiaries reserve the right to make changes to their documents and/or products, or to discontinue any product or service without notice, and advise customers to obtain the latest version of relevant information to verify, before placing orders, that information being relied on is current and complete. All products are sold subject to the terms and conditions of sale supplied at the time of order acknowledgement, including those pertaining to warranty, patent infringement and limitation of liability. O2Micro warrants performance of its products to the specifications applicable at the time of sale in accordance with O2Micro's standard warranty. Testing and other quality control techniques are utilized to the extent O2Micro deems necessary to support this warranty. Specific testing of all parameters of each device is not necessarily performed, except those mandated by government requirements. Customer acknowledges that O2Micro products are not designed, manufactured or intended for incorporation into any systems or products intended for use in connection with life support or other hazardous activities or en
45. (Screenshot: list of administrator accounts with the columns Name, Description, Remove and Edit) The screen displays a list of accounts created, hyperlinked account names, and buttons for ease of performing various functions. This list shows the accounts created previously. Each page shows a maximum of 10 accounts, and you can navigate between pages by clicking on the page hyperlink at the bottom right corner of the screen. The list itself contains the account names, their corresponding descriptions, and the option to delete (the remove icon) and edit (the edit icon) the account. To add a new account, click <Add>. Clicking the <All> button will select all the accounts displayed on the current page if the list spans more than one page. Clicking <Reverse> will unselect selected accounts and select unselected accounts. Chapter 4 Managing the Administrator Accounts. 4.1.1 Add new account. Click <Add> to add a new administrator account. The add account screen will be displayed as shown below. Screenshot (Administrator >> Account): Name, Credential, Password, Confirm Password, Administrator Type, access method, Status, Time Out, Description, Access restriction lists Unsel
46. Remove to delete them en masse. Note: You will not be able to delete a user group if there are users assigned to the group. You will need to remove all the users from the group before deleting it. Chapter 7 User Management. 7.2 Managing Users. Select User >> User Accounts to view the User List shown below. (Screenshot: User >> User Accounts list with <Add>, Query by Group, Name and Authentication, and the columns Name, Group, Role, Auth, Status, Remove, Edit and Duplicate) A user can belong to multiple groups and have multiple roles assigned to it. Drop-down boxes are available in the user list to view the list of groups or roles for a user. The Auth column refers to the name of the authentication server used to authenticate the user. Clicking the <All> button will select all the names in the current page of the list if the list spans more than one page. Clicking
47. Chapter 1 Introduction. 1.1 Typical Deployment Models. There are typically three models for deploying Succendo. All data streamed from the Internet is required to go through Succendo's security process before accessing the enterprise's intranet. This prevents attacks such as eavesdropping, replay, illegal login, etc., while providing access authentication and control measures. 1.1.1 Typical Remote Access Model. Succendo provides a remote access solution to enterprises. Mobile users are able to access the Intranet via any connection to the Internet. Succendo's SSL tunnel secures all such transmissions. Furthermore, Succendo supports the use of various authentication servers such as Radius, Windows AD and LDAP, which makes it convenient to deploy Succendo with the enterprise's existing authentication system. The figure below demonstrates this model. (Figure: typical remote access model) 1.1.2 Remote Access via Multiple ISPs. Different users may connect to the Internet via different service providers (ISPs). In such an environment, accessing a single point on Succendo from different ISPs may result in instability of the network. Even though Succendo's intelligent client end system is able to sustain the ne
48. Target IP: target IP address to ping. Click Add to add multiple target ping IP addresses. Click Remove to remove an IP address from the target list. 3.5.1 HA Synchronization. When the two devices working in HA are first activated in AP, the slave device will perform an initial synchronization with the master device. In AA mode, the device that was activated later will perform the initial synchronization with the device activated earlier. The initial synchronization ensures that both devices have the same configuration state upon activation. After the initial synchronization, either device can perform synchronization with the other. Hence any changes on the slave device can also be synchronized to the master device and vice versa. The following settings will not be synchronized: system device name; software version; license; customized settings in System >> Custom; NAT information; HA parameters; log contents; interface settings and interface route information; monitoring contents other than Online User. All settings other than those listed above will be synchronized between the two devices. Chapter 3 System Configuration. 3.6 System >> Backup. (Screenshot: System >> Backup with Export Password, Do Export and Import Password) You can back up the current system configuration to your local disk, restore a previously saved
49. (Figure: High Availability deployment model) Under HA, the two Succendo devices can automatically synchronize with each other and swap and restore their status according to conditions such as the network's usability and the device's current status. Under the active-active mode, Succendo also provides a load balancing mechanism. Succendo's HA mode equips the enterprise's remote access solution with high availability, allowing mobile users to access the resources in the Intranet at all times. Please refer to Chapter 3, Section 3.5 for information on setting up the HA function. Chapter 1 Introduction. 1.2 Succendo's Access Control Model. Succendo SSL VPN uses a role-based model for access control, as illustrated in the diagram below. (Diagram: user groups (AD, LDAP, Radius and local user groups), users and services) In the diagram, the role connects the users to the services. After a user successfully logs in to the system, Succendo will, based on the user name, determine the user's role and determine the kind of resources available to the user according to his roles. Essentially, a role defines the user's or user group's accessibility to a particular service or application. We can summ
50. access of web-enabled applications to the end users. This model is sufficient in providing web-based applications to partners and most employees. However, other staff members such as IT personnel may require access to the entire IP network so as to be able to carry out their duties. Succendo can be configured to monitor and provide access to all internal network resources through the Network Connection (NC) access model. You can configure the NC settings to be deployed in the following ways:
1. Single direction access from the NC client to the application servers
2. Bidirectional access from the NC client to the application servers and vice versa
3. Proxy client to NC client, such as connecting IT administrators to the NC client to provide technical support when needed
4. Securing connections internally by transferring data between the internal application server and Succendo via the secured NC tunnel
5. Connection between 2 peer NC clients
14.1 Succendo NC Operation
To enforce the security of remote accesses to the Intranet, you can set up Succendo to allow or deny access to specific resources via NC. To set up Succendo to provide NC service to clients, complete the following steps:
1. Configure IP Pools
2. Add VPN Users
3. Configure the NC environment
4. Add NC accessible services
5. Manage the roles
The sections below detail each of the 5 steps above
51. ace except that the fields are populated. To delete an existing client application, click the delete icon. You can also select multiple applications by selecting the check boxes beside the names and then click Delete to delete en masse. To duplicate an item, click the icon under the Duplicate column corresponding to the name of the application you want to duplicate. The duplicated item will be created with the original name prefixed with "Copy of".
Chapter 8 Service Management
8.3.2 Query for specific applications
You can also query for specific client applications based on the application name. Just enter the name or part of a name into the Name text box, as shown in the diagram, and click <Query> to generate a new list.
8.3.3 Adding a new client application
To add a new client application, click <Add>. The interface for adding a new application will be displayed as shown below.
[Screenshot: Add client application form with fields Name, Client OS, Service Type, Application, Parameters]
Name: Application name
Client OS: The operating system where the application resides
Service Type: Select type of application (vnc, ftp, http, etc.)
Application: Enter the full path of the application executable. Example: C:\Program Files\ftp\ftp.exe
Parameters: Any parameter required by the application
52. an
12.1 Client Policy Rules
Select Client Policy >> Rule to view the list of rules, as shown below.
Name | Item | Item Value
McAfee 8.0.0 UpdateUI 2003 | UpdaterUI.exe | exist
McAfee 8.0.0 UpdateUI XP | UpdaterUI.exe | exist
McAfee 8.0.0 UpdateUI 2000 | UpdaterUI.exe | exist
McAfee 8.0.0 Shield 2003 | McShield | run
McAfee 8.0.0 Shield XP | McShield | run
McAfee 8.0.0 Shield 2000 | McShield | run
McAfee 8.0.0 Service 2003 | McAfeeFramework | run
McAfee 8.0.0 Service XP | McAfeeFramework | run
McAfee 8.0.0 Service 2000 | McAfeeFramework | run
Symantec Settings Manager 2003 | ccSetMgr | run
Click the <Policy> button to switch to the Policy List screen, which can also be accessed by selecting Client Policy >> Policy. By clicking the icon in the Duplicate column, you can duplicate a rule immediately and add it into the Rule list. The duplicated rule will be created with the original name prefixed with "Copy of". Or you can click the icon in the Remove column to delete a rule from the list. Editing an existing rule is done by clicking on the rule name hyperlink. The edit screen is identical to the Add New Rule interface, except that the fields are populated.
Chapter 12 Client Policies
12.1.1 Adding a new Rule
Click the <Add>
53. arize the m:m (many-to-many) relationship between roles, users and user groups, and services as follows:
1. Each role defines accessibility to one or more services.
2. Each user or user group can be assigned one or more roles.
3. Each service can be accessible to one or more roles.
For details on how to set up the users, services, roles and their relationship to each other, refer to Chapters 7, 8 and 9.
1.3 The Hardware
1.3.1 Succendo 502
Front Panel
Interface | Description of Function
Console | An RS232 standard serial port that enables you to connect Succendo to a computer, from which you can then call up a console program such as Windows HyperTerminal to issue command line commands. Default settings: baud rate 9600 b/s, one stop bit, no parity bit.
FE0-FE3 | FE0-FE3 are the four 10/100M Ethernet ports provided by Succendo 502.
Power status | Power indicator. Lighted LED indicates that the system is on.
Storage status | Read/Write indicator. Blinking LED indicates that the system is currently reading/writing data.
Back Panel
Interface | Description of Function
AC Power Input Socket | Power socket for voltage of 110 230V.
Cooling Fan | Cooling fans to help reduce the heat produced by the device.
54. atively just change the Status value when editing the user (see Section 4.1.2). Note that admin users locked by the system will be automatically unlocked when their locked period expires. The locked period for all users can be set in the Security settings. See Chapter 3, Section 3.3 for details.
Chapter: Certificate Management
Certificates for the SSL VPN gateway can be generated by Succendo or imported from a third party. Succendo also supports end user certificate verification via third party trusted certificate chain. There are several ways to get CRL based on the third party trusted certificate. We will first look at how to add a Local CA.
5.1 Local CA
Select Certificate >> Local CA. The details of the current local CA used by the system are displayed in the top half of the screen.
[Screenshot: Certificate >> Local CA page showing Local CA Information (Version, Serial Number, Subject, Issuer, Valid From, Valid To, SHA-1 and MD5 fingerprints) and Subject Information (Country, State, Location, Company, Department, Common Name)]
55. ays to install gateway certificates: you can import one from your local disk, generate one from the system, or request one from a third party (see Section 5.4).
Chapter 5 Certificate Management
1. Importing the certificate
Click the <Import> button from the certificate list to open the Import Certificate screen, as shown below.
[Screenshot: Import Certificate form with fields Gateway Certificate, Password, Issuer Certificate]
Select a Gateway Certificate and an Issuer Certificate from your local drive by using the <Browse> button. The Gateway certificate file in particular should have pfx as an extension and is protected by a password. Enter the password for the pfx file into the Password text box. The Issuer certificate file should be of extension cer or p7b. If the issuer certificate is a multi-level CA, the certificates for each of these CAs must be placed within the same p7b file to be uploaded. Click <Import> to begin the importing process. If the import is successful, you should see the success screen.
2. Generating a self-signed certificate
To generate a new self-signed certificate, or to regenerate an existing self-signed certificate (denoted by "self" in the From column) with a new set of data, click the <Generate self sign certificate> button.
[Screenshot: Certificate >> Gateway Certificate page, Gateway Certificate Information]
56. chart from other date
You can query for a service chart showing the service information from other dates and times. Just select a date from the date picker and click the <Query> button. You can also decide if the charts would display daily, weekly, monthly or yearly information. Select your option from the drop-down box.
Chapter 11 System Monitoring and Control
11.5 Monitor >> Top N
This page shows top ranking entities in 4 areas: services most requested, users stayed online the longest, users logging in and out frequently, and heavy users of services.
[Screenshot: Monitor >> Top N page with four Top 10 tables: services most requested (No., Name, Throughput), users stayed online the longest (No., Name, Time), users logging in and out frequently (No., Name, Times), heavy users of services (No., Name, Throughput)]
57. ck Import to import the file into the system.
8.5.1 Removing an IP Host
From the Remove column in the list, click the icon to remove the corresponding IP host mapping. You can also select multiple IP host mappings by selecting the check boxes beside IP Address and click Remove to delete en masse.
8.5.2 Querying for specific IP Hosts
You can also query for specific IP Hosts based on the host name. Enter the full name in the Name text box and click Query to generate the search list.
Chapter: Role Management
Succendo supports a role-based access control model for defining users' and user groups' rights in accessing the system's services. Each user or user group can have multiple roles assigned to it, while each role can also be assigned to multiple users or user groups. An illustration of the m:m relationship between roles, users and services can be found in Chapter 1, Section 1.2. Select Role >> Role List from the Menu Bar to view the list of existing Roles.
[Screenshot: Role >> Role List page with columns Name, Schedule, Description, Remove, Edit, Duplicate]
58. ck <Reset> to clear your selection anytime. Once you have decided on your criteria and entered the respective values, click <Query> to begin the search, and the log list will be displayed as shown in an example query below.
[Screenshot: log list with columns Level, Time, Log Type, Sub Type, Result, Message; the example rows are NC service entries for one user]
59. e for LDAP and AD servers. Synchronization of selected organization units, containers, groups and users between the two servers includes:
- Renaming of the authentication server configured in Succendo. Groups from the authentication server will also be renamed.
- Deletion, moving and renaming of containers and organization units.
- Deletion, moving and renaming of groups. DN value will also be modified.
- Creation, deletion, moving (if the user was added to or removed from a group) and renaming of users. DN value will also be modified.
Chapter 6 Authentication Servers
6.2.4 Deleting an existing server
To delete a server, click the icon corresponding to the server name you want to delete. The icon is found under the Delete column of the server list. A confirmation dialog box will pop up to confirm your deletion. You can also select multiple servers by clicking the check box next to them and click <Remove> to delete them en masse. Note: you must first remove the users and user groups assigned to the authentication server before you can delete the server.
Chapter: User Management
Management of the end users accessing the VPN through Succendo is achieved in two levels: managing them as a user group or as individual users. Succendo supports a role-based access control model for managing users' and user groups' rights to acce
60. e selected. Click the <Add> button. If a local server type is selected, the local server configuration screen will be displayed instead (see Section 6.1.4).
6.1.1 Adding Radius Server
Complete the fields for a Radius Server.
[Screenshot: Radius Authentication Server form with fields Name, Radius Server, Port (1812; 1-65535), Shared Secret, Time Out (10 minutes; 1-300), Retries (2; 1-5), Authentication method (PAP, CHAP), Description]
Name: Name of the Radius Server
Radius Server: The IP address of the Radius Server
Port: Port number
Shared Secret: Shared secret password defined by the Radius server, used to encapsulate or to unpack messages. The password should be at least 16 characters in length.
Time Out: The duration of time for the Radius server to respond to the authentication request, after which the request times out and Succendo resends the request.
Retries: The number of times the system resends authentication requests if the previous attempt fails.
Authentication: Select either PAP or CHAP method.
Description: Brief description of the server (max 128 characters).
6.1.2 Adding LDAP Server
Complete the fields for an LDAP Server.
[Screenshot: LDAP Authentication Server form with fields Name, LDAP Server, Port, Admin Username, Admin Password, Base DN, Time Out]
61. ected list box with the button. You can also just double-click the item to move it from one list box to the other.
AACR Information: Select the AACR accessible by this role by picking the items from the Unselected list box and putting them in the Selected list box with the button. You can also just double-click the item to move it from one list box to the other.
Group Information: Select the user groups that will be assigned this role.
User Information: Select the users that will be assigned this role.
Click <Save> to save the information or <Reset> to undo the changes.
Chapter: Log Management
All administrators' and users' activities can be logged for auditing purposes, as well as for monitoring system resources and troubleshooting abnormalities. The details of the log will be described in the section Querying for logs in this chapter. But first, there are some log options you will want to configure.
10.1 Configuring Log options
Select Log >> Configure at the Menu Bar to access the Log option screen shown below.
[Screenshot: Log >> Config form with Maximum log entries (5000; 5000-20000), End user access log, Log auto export config, Syslog server settings, and Save, Reset, Export, Clear buttons]
Maximum log entries: Maximum number of log entries you want to be recorded into the S
62. Chapter 4 Managing the Administrator Accounts
Name: Account name. Username for logging in.
Credential: Type of verification; default is PASSWD.
Password: Account password, if Credential is PASSWD.
Confirm Password: Retype account password to confirm, if Credential is PASSWD.
Certificate: Select the certificate file to use for this admin account, if Credential is CERTIFICATE.
Administrator Type: Determines the type of functions available for this admin account:
1. System: able to access all system functions
2. Config: able to access all configuration functions
3. Audit: able to access all the log functions
Here's a summary of admin rights of different administrator types:
[Table: admin rights (RW or R) by administrator type; cell values not recoverable]
Legend: Sys = System options; Log Config = Configuring Log Option; Admin = Admin accounts; Monitor = Monitors option; Cert = Certificate Management; Client Policy = Policy Management; Auth = Authentication; ARL = ARL Management; User = User Management; Role = Role Management; RW = Read/Write; R = Read only
Access Method: Determines the method of accessing Succendo that is available to this account:
1. https: via web-based interface
2. console: via the device console
3. ssh: via SSH connection
Status: Enable, disable or lock the account.
Timeout: Session
63. ed.
6.1.3 Adding AD Server
Complete the required fields for an AD Server.
Name: Name of the AD Server
Domain: Domain name of the server
Active Directory Server: The IP address of the server
Admin Username: Administrator username for logging onto the AD Server
Admin Password: The corresponding admin password
Base DN: The point where the search begins in the directory
Time Out: The duration of time for the AD server to respond to the authentication request, after which the request times out and Succendo resends the request.
Authentication Demon: Select from NTLM, NTLMv2 or LDAP. If LDAP is selected, the account and login account downloaded from the AD server is the AD user's display name; if NTLM or NTLMv2 is selected, then what is downloaded is the AD user's account.
Auto Synchronization: Check to enable automatic synchronization of selected group and user information from the remote AD server onto the Succendo server when the AD server is modified (once per hour).
Default Permit Access: Check to enable the authentication of user logins for users not yet added into the Succendo server. If checked, Succendo will send the login entries to the AD server for authentication. Upon successful authentication, the user will be automatically added into the Succendo server. If unchecked, the user's login will fail even if his username and password are
64. ed automatically after this period.
Global Check status: Determine if the system will activate the Host Check policy before login (see Chapter 12, Section 12.2.1).
Login validate code: Select whether to use additional image code at the Login screen, as shown in the example below.
[Screenshot: Code field on the Login screen]
Users logging in are required to enter the code displayed in the box into the Code field as part of their user verification. This prevents the middle man attacks where login requests are randomly and periodically issued. You can turn this feature off by de-selecting the Login validate code checkbox here. Select it to turn the feature on.
Prevent against syn flood attack: Select this option to specifically guard against SYN flood attacks.
ARL Default Action: The ARL default action determines a user's ability to access the VPN from certain IP addresses or ports in the event where ARL is defined for none or some of these IP addresses and ports. To see the ARL Default Action's impact on a user with ARL defined, and general information on ARL, please see Chapter 13.
AACR Default Action: The AACR default action determines the nature of a service's commands in the event where AACR is defined for none or some of them. For details on defining AACR for a service, refer to Chapter 8, Section 8.2.4. If no AACR defined
65. entication server they will be verified under. Select a server name from the drop-down box, as in the example below.
[Screenshot: User authentication drop-down box listing the configured authentication servers]
User Name: User name for Password users
Password: Password for Password users
This parameter will appear depending on whether you have included Additional Code verification in your configuration. Users will be required to enter the code shown in the code box. This image code will contain alphanumeric characters including 0-9, a-f and A-F.
Credential Type: Credential Type refers to the type of verification the users are subject to.
[Screenshot: Credential Type drop-down box with options Password and Certificate]
If the domain is selected as Certificate, the User Name and Password fields will be disabled, as the users need not enter them. Note that if the certificate user has been assigned a re-authentication password, the user can choose to log in via either password or certificates. The user can then click <Login> to log in, or click <Cancel> to close the browser instead.
Appendix A End-user Remote Access
Service Page
Once login is successful, which includes a successful host check, the user will see the service page. This page will show all the services available to the users as you have set them up. An example of the page is shown below.
66. er login from. You can click the Refresh button to refresh the list, or click the <Terminate> button to terminate the connection of selected users (select them by clicking the corresponding check boxes).
You can also further view the session information of a non-admin user by clicking the hyperlinked user name. Below is an example of the session information of an online user.
[Screenshot: Monitor >> Online User, Online User Session List with columns Sel, Session ID, Service Name, Local IP, Service IP, Login Time]
From here you can click <Refresh> to refresh the information, or click the <Terminate> button to terminate selected sessions (select them by clicking the corresponding check boxes). The column names are very much self-explanatory.
11.3 Monitor >> System Chart
This page shows a series of charts displaying in detail the various usage patterns of the CPU, RAM, disk space, etc. Note that each chart displays three values: the line in blue indicates the maximum value recorded at the corresponding time, the yellow line indicates the minimum value recorded at the corresponding time, and the colored areas in green indicate the average value of the collected data for the corresponding time interval.
11.3.1 CPU Usage
[Chart: CPU usage detail]
This chart shows the combined da
67. er typing a part of a command word would either list out a list of shell commands that is similar to the partial word, or complete the partial word if there is only one command word that resembles the partial word.
Succendo conf<TAB>
Succendo conf terminal
configure
Command string: configure terminal
Function: Enter configure mode
exit
Command string: exit
Function: Exit from shell
generate
Command string: generate local certificate
Function: Generates a new local certificate
Example: Succendo generate local certificate
Chapter 15 Shell Commands
ping
Command string: ping WORD <CR>
Function: Ping destination DNS name or IP address
Command string: ping <CR>
Function: Extended ping; you will be guided to set a few parameters before the system does the ping.
Normal ping command:
ss vpn ping FTPServer.806lab.com (DNS name or IP address)
Press key (ctrl + shift + 6) interrupt it
Sending 5, 76-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds
Success rate is 100% (5/5), Round-trip min/avg/max = 0/0/1 ms
Extended ping command:
ss vpn ping
Target IP address or hostname: 192.168.1.2 (must specify destination IP address)
Repeat count [5]: 12 (number of ping packets, default 5)
Datagram size [76]: 78 (ping size, default 76 characters)
Timeout in seconds [2]: 3 (timeout, default 2 seconds)
Source address [not specify]: 192.168.2.2 (specify source address. Default
68. [Screenshot: LDAP Authentication Server form, continued: Time Out (1-300), using LDAPS (Port 636), Auto Synchronization, Default Permit Access, Description, Save and Reset buttons]
Name: Name of the LDAP Server
LDAP Server: The IP address of the server
Port: Port number
Admin Username: Administrator's username used to log onto the LDAP Server
Admin Password: The corresponding admin password
Base DN: The point where the search begins in the directory
Time Out: The duration of time for the LDAP server to respond to the authentication request, after which the request times out and Succendo resends the request.
Using LDAPS: To enable LDAP over SSL
Auto Synchronization: Check to enable automatic synchronization of selected group and user information from the remote LDAP server onto the Succendo server when the LDAP server is modified (once per hour).
Default Permit Access: Check to enable the authentication of user logins for users not yet added into the Succendo server. If checked, Succendo will send the login entries to the LDAP server for authentication. Upon successful authentication, the user will be automatically added into the Succendo server. If unchecked, the user's login will fail even if his username and password are correct.
Description: Brief description of the server (max 128 characters).
Click <Save> to add the server once all parameters are specifi
69. ext to the certificates and click the Remove button.
5.2.1 Viewing the certificate information
You can view the certificate information by clicking the icon under the View column of the certificate you want to view. You can click the <CRL> button to see the CRL information, if any.
5.2.2 Configuring the CRL
To configure the CRL, click the icon under the CRL Config column corresponding to the certificate you want to configure. From the configuration page that appears, select the type of CRL and select whether the information will be retrieved automatically (periodically). Click Get to upload the information.
5.2.3 Adding a CA
To add a new certificate, click the New button and then follow the steps below:
1. Click the Browse button to select the certificate file from the local drive you want to import.
2. Select whether to include CRL by selecting the checkbox beside CRL.
3. Enter descriptions, if any.
4. Click the Import button to start the importing process. If the import is successful, you will see the import success page.
5.3 Gateway Certificates
To see the current list of gateway certificates installed, select Certificate >> Gateway Certificate. The list is as shown here.
[Screenshot: Certificate >> Gateway Certificate page, Gateway Certificate List with Import and Generate Self sign Certificate buttons and columns From, Using, Subject]
70. fined for the ARL, that is, to deny or permit the user to continue to log in. This way the administrator can define specifically where a user can log in to the system, for example denying the user from logging into the system from home while permitting them to log in from a specific workstation in a remote branch office. With this feature there is even greater flexibility in tailoring access and security levels for specific users.
Adding the ARL to a user can have an effect on the ARL Default Action configured in System >> Security (Chapter 3, Section 3.3). The ARL default action decides the action to be taken if the user is logging in from IP addresses and ports that are not defined in an ARL, if ARL was assigned to the user. If there is no ARL defined for a user at all, they can have access to the system from any IP addresses via any port, regardless of what is defined in the ARL Default Action. The following table best illustrates the concept.
Chapter 13 Access Restriction List
ARL Default Action: DENY
ARL Defined | Result
None | User can access the system from any IP addresses or ports.
ARL DENY defined for port eth0, IP address 220.11.6.5 | User cannot access the system from 220.11.6.5 at eth0; neither can he access from any other port or IP addresses, due to the ARL Default Action being DENY.
ARL PERMIT defined for port | User can access the system from 220.11.6.5 at eth0 but will be u
71. for a service at all, all its commands are defaulted to Permitted, regardless of what is defined here in the AACR Default Action. If AACR is defined for some of the commands in a service, then those without an AACR will follow what is set here in the AACR Default Action.
3.3.1 Crypto algorithms
Besides selecting the strength (low, medium or high) of the encryption, you can also select the algorithm for the particular strength. As shown in the following diagram, the algorithms currently active for the strength selected appear in the Selected Algorithm list box, and the inactive but available algorithms appear in the Unselected Algorithm list box.
[Screenshot: Crypto Algorithm Choice for the Medium strength set, with Unselected Algorithm and Selected Algorithm list boxes containing AES128-SHA, RC4-SHA, RC4-MD5, RC2-CBC-MD5, ADH-AES128-SHA, DHE-RSA-AES128-SHA and ADH-RC4-MD5]
Clicking and highlighting an item or items from the Unselected Algorithm list box, then clicking the button, will move the item(s) to the Selected Algorithm list box. Likewise, clicking and highlighting an item or items from the Selected Algorithm list box, then clicking the button, will move the item(s) to the Unselected Algorithm list box. Alternatively, simply double-click an item to move it from one list to the other. Click Save to save any modifications.
Warning: Wrong selection of algorithms
72. gly
- Selected groups will be added directly into Succendo along with all the user members in the group. If the group name is testgroup and the server name is testserver, then the group name added into Succendo will be testserver testgroup.
Note: When downloading containers that contain groups into Succendo, the relationship between the users and the groups may not be correctly added into Succendo. This is not a system error and simply involves the details of the AD container concept realization. Exporting the AD content's LDIF file will show the same result. This error is only present for the AD container.
Succendo supports the NTLM, NTLMv2 and LDAP protocols on AD servers. When using the LDAP protocol for the AD server, the downloaded account name is the user's display name on the AD server. When using the NTLM or NTLMv2 protocols, the downloaded account name is the user account name on the AD server.
LDAP users can use either their common name (CN) or UID when being authenticated by the system. Note that regardless of which attribute is used to log in to the system, the user is assigned the same authorizations. When the account is downloaded onto Succendo, the username is stored according to the user's CN.
6.2.3 Synchronizing User Accounts
From the server edit interface, click Sync Accounts to manually begin the synchronization of Succendo and the remote authentication server. Note: This function is only availabl
73. 10.1 Configuring Log Options
10.2 Querying for logs
11 System Monitoring and Control
11.1 Monitor >> [title illegible]
11.2 Monitor >> Online User
11.3 Monitor >> System Chart
11.4 Monitor >> Service Chart
11.5 Monitor >> Top N
12 Client Policies
12.1 Client Policy Rules
12.2 [title illegible]
13 Access Restriction List
13.1 Adding a new ARL
13.2 Querying for ARL
14 Network Connection
14.1 Succendo NC Operation
14.2 IP Pools
14.3 VPN Users
14.4 Configure NC Environment
14.5 NC Accessible Services
14.6 Roles
15 Shell Commands
74. hapter 12 Client Policies.

2.2.11 Access Rule List

- Config: Configure ARL settings.

Detailed descriptions can be found in Chapter 13, Access Restriction List.

2.2.12 IP Pool List

- IP Pool List: Add the IP Pools to be assigned to users for NC access.

Detailed descriptions can be found in Chapter 14, Network Connection.

Chapter 3 System Configuration

System options are necessary for configuring an environment and various parameters under which Succendo operates. The options here include setting the IP and DNS information, determining system upgrades, etc.

Succendo provides two forms of user interfaces for system configuration. One is a web based interface, which you can access using any web browser, and the other is via command line (CLI), supported on console through the serial port. There are several important commands in CLI, including restoring factory settings, specifying internal Ethernet interface IP information and setting the system's run mode. For more details on CLI, refer to Chapter 15, Shell Commands.

This chapter will describe the various system options accessible through the web based interface. These options are accessible by clicking the System menu item on the Menu Bar and then clicking the sub menu items.
75. he duration between each enforcement of policies.

Rule Information: Select the rules for this policy.
Description: Brief description of the policy.

Click <Save> to save the information or <Reset> to undo the changes.

12.2.2 Query for specific policies

You can also query for specific policies based on the policy name. Just enter the name or part of a name into the Name text box as shown in the diagram and click <Query> to generate a new list.

Chapter 13 Access Restriction List

Access restriction lists (ARL) are rules set up by the Administrator to narrow down and restrict the access privileges of specific users, both administrators and end users. In general, an ARL is a pair of IP address and port to which the system assigns a deny or permit action. The ARL can then be assigned to specific users or user groups.

Whenever the user attempts to log into the system, a check will be made to determine if the user is assigned any ARL after they have been successfully authenticated via username and password. If one or more ARL are assigned to the user, then the system will start to match the IP addresses and ports with the one the user is currently logging in from. If a match is found, the system will perform the action de
76. he fields as described below.

Name: Service name.
Application Server: The application server where the service is found. This is either an IP address, a name, name IP, IP1 IP2, IP netmask or any.
Access Method: Select whether the service is accessible via proxy or NC. Please refer to Chapter 14 for details on providing NC services.
Service Type: The service type, including vnc, ftp, Exchange, etc.
Group: Select the group the service type belongs to. The services displayed at the client end will be categorized according to this group.
Protocol: Select the type of protocol used to access the service. You will also need to enter the port number in the text box available. Click <Add> to add that port information to the service. You can then continue to add more ports into the service information, or remove them by clicking <Remove>. The various options in the drop down menu are:

- TCP: Service supports the TCP protocol. Enter the corresponding port number.
- UDP: Service supports the UDP protocol. Enter the corresponding port number.
- ICMP: Service supports the ICMP protocol. Enter the corresponding port number.
- Any: Service supports any protocol working on the IP layer or above. No port number is necessary for this option.
- Protocol: Enter the protocol number of the protocol working on the IP layer or above to be supported. So
77. he system after the user exceeded the maximum number of unsuccessful login attempts. Click Administrator >> Locked Admin to see a list of admin accounts that are currently locked.

[Screenshot: Administrator >> Locked Admin list with columns Sel/Unsel, Name, Lock Time and Lock Information, and the Refresh, Query, All, Reverse and Unlock buttons]

Name: shows the account name of the locked user.
Lock Time: shows the date and time of the user's last unsuccessful login attempt before being locked out, or the date and time the user was manually locked by another administrator.
Lock Information: shows the IP address from where the user was attempting to log in. If the user was locked manually by the administrator, then the column shows the user name of the administrator who locked the user.

Check the checkbox in the Sel/UnSel column corresponding to the locked user in the list, or click the <All> button to select all the users in the current page of the list (if the list spans more than one page). Clicking <Reverse> will unselect the selected users while selecting the unselected. The <Refresh> button updates the list, while the <Query> button allows you to search for locked admin users based on the account name. See Section 4.1.4 for details on querying for users.

4.2.1 Unlocking the users

To unlock the admin users, select the users by clicking in their corresponding check boxes and then click the <Unlock> button. Altern
78. ig ssl encrypt strength medium

Command: ssl port XXX
Function: Configure the ssl port number.
Example: Succendo config ssl port 443
Note: The default ssl port number is TCP443.

Command: ssl protocol accept sslv2
         no ssl protocol accept sslv2
Function: Configure the ssl version.
Example: Succendo config ssl protocol accept sslv2
If this command is used, Succendo will be able to support sslv2, sslv3 and tlsv1. Otherwise, Succendo will only support sslv3 and tlsv1.

Appendix A End User Remote Access

With a standard web browser, end users can log in to the network via Succendo from anywhere. The first step is to point the browser to the Succendo SSL VPN's URL, which was set up earlier. Note that the browser should be pointing to the URL using secured HTTP, i.e. HTTPS. For example, the user can point the browser to https://211.10.167.35

Login Page

Once the requested page is retrieved, the user will be greeted with the login page as shown below.

[Screenshot: login page with User Name, Password, Code and Credential Type fields and the Login and Close buttons]

The users should already been informed auth
79. ily CPU usage of all connected CPUs in the system, based on percentage use versus time at 2 hour intervals. To view the chart for individual CPUs, click <Detail> from the top of the chart.

11.3.2 Memory Usage

[Chart: Memory]

This chart shows the daily RAM usage, based on percentage use versus time at 2 hour intervals.

11.3.3 Disk Usage

[Chart: Disk]

This chart shows the daily Disk usage, based on percentage use versus time at 2 hour intervals.

11.3.4 Active session Usage

[Chart: Active session]

This chart shows the number of active sessions, based on the number of concurrent sessions versus time at 2 hour intervals.

11.3.5 Active users Usage

[Chart: Active user]

This chart shows the number of active users, based on the active users online versus time at 2 hour intervals.

11.3.6 eth port's TX package speed

[Charts: Eth Tx and Eth Rx, with a Detail button]
80. iple rules. To see the list of existing policies, select Client Policy >> Policy.

Position: Client Policy >> Policy

Name                        Type          Time
McAfee 8.0.0                after login   10
Norton Anti Virus           after login   10
Kaspersky Anti Virus 6.0    after login   10
McAfee 7.0.0                after login   10
windows Firewall            after login   10
windows auto update         after login   10

By clicking the duplicate icon, you can duplicate a policy immediately and add it into the Policy list. The duplicated policy will be created with the original name prefixed with "Copy of". Or you can click the remove icon to delete a policy from the list. Editing the existing policy is done by clicking on the policy name hyperlink. The edit screen is identical to the Add New Policy interface, except that the fields are populated.

12.2.1 Adding a new Policy

Click the <Add> button to open the Add New Policy interface and complete the fields described below.

Name: Policy name.
Policy Type: Select Before Login, where the policy is assigned to the user before login; the policy will be enforced during and after user login. This Policy Type will be active only when the Global Check Status is enabled (see Chapter 3, Section 3.3). Select After Login, where it is enforced after the user login.
Time: T
81. Querying for specific roles

You can also query for specific roles based on the role name. Enter the full name in the Name text box and click Query to generate the search list. Note that this query will not return partial matches.

9.1 Adding a new role

To add a new role, click the <Add> button and the Add New Role interface will be displayed. Complete the fields as described below.

Name: Role name.
Description: Brief description of the role, no more than 255 characters.
Credential Type: Select the credential type for the role. This will affect the service access authorization of users belonging to this role. For example, if the credential type of roleA is certificate, then password userB cannot access the services in this role even if userB belongs to roleA.
Block Internet: Check to prohibit the user's access to the Internet when connected to the Intranet over Succendo.
Schedule: Enable the role to utilize the schedule feature. Note that the schedule will be based on the server's time zone and time setting (see Chapter 3, Section 3.10 on how to set time zone and time). Therefore, changing the time zone and time setting will have an impact on the schedule defined here.
Service Information: Select the services accessible by this role by picking the items from the Unselected list box and put them in the Sel
82. le select the unselected. The following sections describe the various operations you can perform on the services.

8.2.1 Editing and deleting existing service

You can edit an existing service by clicking the Service name, which is a hyperlink, or by clicking the edit icon corresponding to the service name. The editing screen will be displayed, and it is identical to the Add new service screen except that the fields are populated.

To delete a service, click the icon found under the Remove column corresponding to the service you want to delete. As usual, a confirmation dialog box will pop up to confirm your deletion.

8.2.2 Testing Connectivity of a service

To test the connectivity of a service, click the icon found under the Connectivity Test column corresponding to the service you want to test. If the connectivity is successful, a success screen will be displayed; just click Return to return to the Service List. However, if the connectivity test fails, you will see the failure screen informing you that the test has failed and the reason why. Just click Return to return to the Service list.

Note: The connectivity test cannot be performed for UDP services, IP range services and port range services.

8.2.3 Duplicate a service

To duplicate a service, click the icon found under the Duplicate column corresponding to the service you want to
83. lish, simplified Chinese or traditional Chinese would instantly translate the interface and the text in the Display Window to the corresponding language. To change the account password, click the Change Password button. The Help Button provides context sensitive online help. Clicking the Logout button will log you out of the system.

2.2 The Menu Bar

The Menu Bar consists of all the menu options you can access.

2.2.1 System Option

- Interface: Set various IP information and interfaces to external system.
- Information: Set DNS information.
- Security: Set security information like crypto strengths, session timeout, etc.
- Update: Perform a system upgrade.
- HA: Configure settings for high availability.
- Backup: Backup or restore saved settings, or restore factory defaults.
- Tools: Other tools.
- License: Enter authorized 16 characters license code.
- Custom: Customize the interface display images.
- SetTime: Set system date and timezone.
- NC Configure: Setup the network environment for Network Connection access.
- NAT: Setup NAT.
- Virtual Service: Setup virtual services.

Detailed descriptions can be found in Chapter 3 System Configuratio
84. matically change to become the master server. Note: This value must be identical for both HA servers.

Check Points: System checks to be performed by the server to determine its status and inform the peer server accordingly. There are three checks available for selection: Process, Interface and Ping.

Process
- Interval: Time interval between each system process check (seconds).
- Number: Inform the peer server if the number of process checks that detected process failure reaches this number. If the peer server is the slave under AP mode, the peer server will automatically change to the master status.

Interface
- Interval: Time interval between checks on interface working status (seconds). Select the interfaces to check by moving the interfaces from the Unselected list to the Selected list and vice versa.
- Number: Inform the peer server if the number of interface checks that detected interface down status reaches this number. If the peer server is the slave under AP mode, the peer server will automatically change to the master status.

Ping
- Interval: Time interval between the sending of ping packets (seconds).
- Number: Inform the peer server when the number of times ping replies were not received equals this number. If the peer server is the slave under AP mode, the peer server will automatically change to the master status.
85. me examples are:

1   Internet Control Message Protocol (ICMP)
2   Internet Group Management Protocol (IGMP)
3   Gateway to Gateway Protocol (GGP)
4   IP in IP
6   Transmission Control Protocol (TCP)
8   Exterior Gateway Protocol (EGP)
17  User Datagram Protocol (UDP)
35  Inter Domain Policy Routing Protocol (IDPR)
45  Inter Domain Routing Protocol (IDRP)
46  Resource Reservation Protocol (RSVP)
47  Generic Routing Encapsulation (GRE)
54  NBMA Next Hop Resolution Protocol (NHRP)
88  Cisco Internet Gateway Routing Protocol (IGRP)
89  Open Shortest Path First (OSPF)

Display to end user: Decide whether the end user will see this service displayed in their page or not.
Client Application: Client Applications that the service will launch. Select one or more applications from the Unselected list box to the Selected list box. See later section for more details on adding new Client Applications.
Role Information: Select the existing roles created with the Role option (see Chapter 9) that can access this service.
Description: Brief description of the service (max 128 characters).

8.1.1 HTTP service type

If you select HTTP for service type, an additional parameter, Resource Path, will have to be defined.

[Screenshot: Service Type http, Group WEB, Protocol TCP with port 80 added, and the Resource path field]

Enter the full path of the application y
86. n

2.2.2 Administrator Option

- Account: Manage administrator accounts.
- Locked Admin: View and unlock locked accounts.

Detailed descriptions can be found in Chapter 4, Managing the Administrator Accounts.

2.2.3 Certificate Option

- Local CA: Local certificate.
- Trusted CA: Manage third party trusted certificate.
- Gateway Certificate: Manage gateway certificate.
- Certificate Request: Generate Gateway certificate request.
- Protection Key: This is the protection key password for the certificate.

Detailed descriptions can be found in Chapter 5, Certificate Management.

2.2.4 Authentication Option

- Server: Manage authentication server.

Detailed descriptions can be found in Chapter 6, Authentication Servers.

2.2.5 User Option

- Group: Manage user groups.
- User Accounts: Manage user accounts.
- Locked User: View and unlock locked users.

Detailed descriptions can be found in Chapter 7, User Management.

2.2.6 Service Option

- Service List: Manage services.
- Client Application: Manage clien
87. n 64 characters

interface

Command string: interface ethX ip A.B.C.D M.M.M.M
                interface ethX ip dhcp
Function: Setting ethernet port ip address manually or as DHCP client.
Example:
  Set port address manually:
    ssl vpn config interface eth0 ip 86.48.1.15 255.255.0.0
  Set port to retrieve address from DHCP:
    ssl vpn config interface eth0 ip dhcp

Command string: interface ethX up
                interface ethX down
Function: Switch the ethernet port on or off.
Example:
  To switch off the port:
    ssl vpn config interface eth0 down
  To switch on the port:
    ssl vpn config interface eth0 up

ip

Command string: ip route A.B.C.D M.M.M.M A.B.C.D
Function: Establish static routes.
Example:
    ssl vpn config ip route 20.0.0.0 255.255.255.0 211.23.0.120

Command string: no interface ethX ip
                no interface ethX ip dhcp
Function: Remove existing port address.
Example:
  Remove existing port address that has been set manually:
    ssl vpn config no interface eth0 ip
  Remove existing port address that has been set using DHCP:
    ssl vpn config no interface eth0 ip dhcp

Command string: no ip route A.B.C.D M.M.M.M
Function: Remove existing static routes.
Example:
    ssl vpn config no ip route 20.0.0.0 255.255.255.0 218.200.10.120

ssl

Command string: ssl encrypt strength high medium low
Function: Configure SSL encryption strength, either High, Medium or Low.
Example: succendo conf
89. nable to access from any other port or IP addresses due to the ARL Default Action being DENY (ARL defined for port eth0, IP address 220.11.6.5).

ARL Default Action: PERMITTED

- ARL: None. User can access the system from any IP addresses or ports.
- ARL: DENY, defined for port eth0, IP address 220.11.6.5. User cannot access the system from 220.11.6.5 at eth0, but will be able to access from any other port or IP addresses due to the ARL Default Action being PERMITTED.
- ARL: PERMIT, defined for port eth0, IP address 220.11.6.5. User can access the system from 220.11.6.5 at eth0, and will also be able to access from any other port or IP addresses due to the ARL Default Action being PERMITTED.

To see the current list of ARL, select ARL >> Configure at the Menu Bar.

Position: Access Rule List >> Config

Name   Entry Interface   Sourc IP        Sourc Mask        Action
ARL1   eth1              12.32.102.230   255.255.255.255   Deny

By clicking the duplicate icon, you can duplicate a rule immediately and add it into the ARL list. The duplicated rule will be created with the original name prefixed with "Copy of". Or you can click the remove icon to delete a rule from the list. Editing the existing ARL is done by clicking on the ARL name hyperlink or clicking the edit icon corresponding to the ARL name. The edit screen is identical to the Add New ARL interface shown in the diagram below, except that the fields are populated.
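The default-action cases listed above can be checked with a small evaluator. This is an added example, not code from the manual or the product: the names ArlEntry, evaluate_login and redundant_entries are hypothetical, and first-match ordering among several assigned ARLs is an assumption, since the manual does not state the order here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArlEntry:
    """One ARL row as shown in the list: name, entry interface, source IP/mask, action."""
    name: str
    interface: str      # entry interface, e.g. "eth0"
    source_ip: str      # "Sourc IP" field
    source_mask: str    # "Sourc Mask" field, dotted netmask
    action: str         # "deny" or "permit"

    def __post_init__(self):
        if self.action not in ("deny", "permit"):
            raise ValueError(f"unknown action: {self.action!r}")
        # Fail early on a malformed address or mask.
        self.network()

    def network(self):
        # strict=False lets an address with host bits set act as its network.
        return ipaddress.ip_network(f"{self.source_ip}/{self.source_mask}", strict=False)

    def matches(self, interface, client_ip):
        return (interface == self.interface
                and ipaddress.ip_address(client_ip) in self.network())


def evaluate_login(assigned, default_action, interface, client_ip):
    """Return "permit" or "deny" for an already authenticated user.

    assigned        -- ARL entries assigned to the user (may be empty)
    default_action  -- the ARL Default Action, "permit" or "deny"
    Assumption: the first matching entry decides; otherwise the default applies.
    """
    if default_action not in ("deny", "permit"):
        raise ValueError(f"unknown default action: {default_action!r}")
    for entry in assigned:
        if entry.matches(interface, client_ip):
            return entry.action
    return default_action


def redundant_entries(assigned, default_action):
    """Entries whose action equals the default action restrict nothing,
    as in the PERMIT-with-default-PERMITTED case above."""
    return [e for e in assigned if e.action == default_action]


if __name__ == "__main__":
    # Constructed sample data modelled on the cases in the manual.
    deny_rule = ArlEntry("ARL-deny", "eth0", "220.11.6.5", "255.255.255.255", "deny")
    permit_rule = ArlEntry("ARL-permit", "eth0", "220.11.6.5", "255.255.255.255", "permit")
    cases = [
        ([deny_rule], "permit", "eth0", "220.11.6.5"),
        ([deny_rule], "permit", "eth0", "220.11.6.9"),
        ([permit_rule], "deny", "eth0", "220.11.6.5"),
        ([permit_rule], "deny", "eth1", "220.11.6.5"),
    ]
    for rules, default, iface, ip in cases:
        print(rules[0].name, "default", default, iface, ip,
              "->", evaluate_login(rules, default, iface, ip))
    print("redundant:", [e.name for e in redundant_entries([permit_rule], "permit")])
```
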
90. ng the check box next to them and click Remove to delete them en masse.

4.1.4 Query for accounts

The default listing when you first access the account page lists all existing accounts in the database, divided into pages if there are more than 10 existing accounts. To narrow down the list to show specific accounts, you can use the <Query> button. Type the name of the account you want to view and click <Query>. The system will search through the database and list the accounts matching the name you typed. Using this feature, you can query for multiple accounts with similar names easily. The query system does not accept wild card character e g and. If the text box is blank when you click <Query>, the entire list of accounts in the database will be displayed.

[Screenshot: query for "tes" returning the accounts test3, test2 and test1]

Note that the system will also search for accounts whose user name contains the phrase you typed in the query box. For example, typing tes into the text box and clicking Query, the system will yield accounts such as test1, test2, test3, etc.

4.2 Locked Accounts

Admin accounts can be locked for two reasons: they are locked by administrators by manually changing the Status field of the account, or by t
92. nt

SubType (continued): System management, Client policy, ARL management.
Remarks (continued): selected and operated [...] them into the logs.

SubType: Login, Logout.
Remarks: These are activities related to miscellaneous functions initiated by the end users. Note that these activities will only be logged if the End user access log option is toggled (see Section 10.1).

System: System initiated or related activities.
Service: Service initiated or related activities.
HA: HA initiated or related activities.

Chapter 11 System Monitoring and Control

Succendo provides tools to help you monitor the system's resources and other aspects of system usage. This chapter will describe and explain the various charts and information.

11.1 Monitor >> Monitoring Item

This is a general information page: a quick summary of system usage, number of users, sessions, etc. Select Monitor >> Monitoring Item to view this information page.

[Screenshot: Monitor >> Monitoring Item summary showing CPU usage, Memory usage, Disk usage, Model, Version, Client Version, Max license users, System Date and Time, Uptime, TX and RX packets per eth port, Session Number and User Number]

CPU usage: The CPU's current activity and usage, represented by a percentage
93. 14.4 Configure NC Environment

Configure the NC environment that will be downloaded into the remote user's VNIC network tables when NC access is activated. These include the DNS server addresses, WINS server addresses and user reachable routes. Select System >> NC Config to view the configuration interface as shown below.

[Screenshot: System >> NC Config with the DNS Server, WINS Server and Route lists, their Add and Remove buttons, and the Save button]

DNS Server: DNS server addresses to be used by the clients.
WINS Server: WINS server addresses to be used by the clients.
Route: Reachable routes (IP and network mask) to be added to the client's route table. These domains ensure that users' accesses to the corresponding network area are sent to Succendo via the NC network card.

Enter the relevant information into the textboxes and click the corresponding <Add> button to add it into the list below. Select an item from the list and click <Remove> to remove it from the list. You can also change the priority of the server addresses and routes by clicking the respective up and down arrows to the right side of each list box. Click <Save> to save the NC environment.

14.5 NC Accessible Services

Add the NC services to be accessible remotely. Select Service >> Service List fr
94. 13.1 Adding a new ARL

Click <Add> to access the Add New ARL interface shown below.

[Screenshot: Access Rule List >> Config, Add New ARL form with the Name, Entry Interface, Sourc IP, Sourc Mask and Action (Deny or Permit) fields and the Save and Reset buttons]

Name: ARL name.
Entry Interface: The type of port through which a user can access the Succendo interface.
Sourc IP: IP address which the rule would deny or permit.
Sourc Mask: Subnet mask of the IP address.
Action: Select which action, deny or permit, the system will perform according to this rule.

Click <Save> to save the new Rules or <Reset> to undo the changes.

13.2 Querying for ARL

You can make use of the <Query> button at the ARL list screen to search for specific ARLs based on the ARL name. Simply type the name into the Name text box and click <Query>. The system will generate a list of ARLs with names that match or partially match the name field here. Querying with a blank name field will yield the entire list of ARLs. Note that any leading white spaces before a name will be automatically removed from the search phrase.

Chapter 14 Network Connection

Being a SSL VPN, Succendo primary offers the remote
95. om the menu and click <Add>. Select Access Method to be NC and configure the remaining fields accordingly. Refer to Chapter 8, Section 8.1 for details on adding services.

14.6 Roles

Succendo authorizes users' access to services via the management of roles. Hence it is necessary to add the roles needed for NC accesses. Select Role >> Role List from the menu and click <Add> to add a new role. Please refer to Chapter 9 for details on role management and configuration.

Chapter 15 Shell Commands

Shell commands can be entered when you connect Succendo via the serial port to a console (for example, the Hyper Terminal software in Windows). Once you enter the console screen, press CTRL C to enter Monitor Mode. You can start entering the commands at the Monitor> prompt.

There are 3 modes where you can run the shell commands: Monitor Mode, Normal Mode and Configure Mode. The same function or command may work differently and have different purposes and applications under different modes.

15.1 Monitor mode

The Monitor Mode is essentially a recovery mode while Succendo starts up. Under this mode, Succendo can only provide basic system protection functions; no SSL VPN functions are available. To enter Monitor Mode, press CTRL C when the screen displays the message "Press Ctrl C to enter monitor" during system start up. Once the system
96. ou want this service to specifically point to. For example: succendo

8.1.2 File Sharing service type

If you select FileSharing for service type, an additional parameter, Interface, will have to be defined.

[Screenshot: Service Type, Group, Protocol TCP with port 445 added, and the Interface field]

Select the interface for which this service is to be provided.

Once you are satisfied with your options, click Save to save the service. Your new service should appear in the Service List.

8.2 Service List

When you select Service >> Service List, the list of services will be displayed.

[Screenshot: Service >> Service List with columns Name, Service Type, Server, Description, Remove, Edit, Connectivity Test and Duplicate, and the Add, Query, All, Reverse and Remove buttons]

As usual, clicking the <All> button will select all the services in the current page of the list (if the list spans more than one page). Clicking <Reverse> will unselect the selected services whi
97. packets received

reload

Command string: reload
Function: Reload system. Reloading the SSL VPN would sever all services.

restore

Command string: restore admin setting
Function: Restore the administrator's (admin) default settings, excluding ARL and description setting, or restore factory default settings. When factory default settings are restored, all user defined settings will be lost. The restore admin command will restore all factory default settings for the system default administrator, other than settings for ARL and description.

show

Command string: show interface ethX
Function: Show information of an ethernet port.
Example:
    Monitor> show inter eth1
    ip 86.48.1.6 hw 00 0e 2e 24d 80 66 state up

Command string: show ip route
Function: Show IP routing table.
Example:
    Monitor> show ip route
    Network     Netmask       Route
    86.48.0.0   255.255.0.0   eth1
    0.0.0.0     0.0.0.0       86.48.1.1

update

Command string: update monitor system HOST www ftp username password FILE
Function: Update monitor or system file from HOST using www or ftp.
Example:
  Update the monitor via WWW:
    Monitor> update monitor 211.23.14.175 www monitor v1 05d bin
  Update the monitor via anonymous FTP login:
    Monitor> update monitor 211.23.14.175 ftp anonymous a monitor v1 05d
  Update the monitor via FTP user login:
    Monitor> update monitor 211 23
98. ps Be sure to change the administrator password once you login successfully.

1.6 Setting up Succendo for remote access
You can access the administration web interface via the Succendo service URL. For example, enter https://Succendo IP/admin and you will see the login page.
[Screenshot: login page with User Name, Password, Code and Credential Type fields]
Enter the default User Name and Password, and enter the Code you see in the Additional Image Code. The Credential Type field should remain as Password. Now click Login to enter the Administrator interface. After successful login, you can start administrating Succendo.
Before you begin to setup the system's users, services or corresponding access control policies, you should take note of the following:
1. Change your administrator password. See Chapter 4, Managing the Administrator Accounts.
2. Setup the network port IP address. See Chapter 3, System Configuration.
3. Setup the system's route. See Chapter 3, System Configuration.
4. Setup the system's DNS server. See Chapter 3, System Configuration.
5. Setup the system's security options, including the SSL protocol versions. See Chapter 3, System Configuration.
6. Setup Succendo's gateway certificate. See Chapter 5, Certificate Management.
Once you have done
99. [Screenshot: log query results with page navigation. Callouts: "Select the page number to go to from the drop down menu" and "Click to go to specific page"]
Using the default values of the criteria will yield the entire list of logs.
There are 8 types of log level:
EMERG: Emergency, system is unstable and requires immediate attention from the administrator.
ALERT: Requires immediate attention and action from the administrator.
CRIT: Critical conditions. Requires immediate attention and action from the administrator.
ERR: An erroneous event occurred.
WARNING: Usually refers to conditions that require attention before it deteriorates into critical.
NOTICE: Normal but significant conditions.
HA: Records HA activities such as automatic synchronization.
INFO: Informational messages.
DEBUG: Detailed debug information that is useful for the technical support to analyze the logs in the event of a system failure.

10.2.2 Log Type
The table below shows the Log types and their corresponding sub type, if any.
Log Type: Management (MGT)
Remarks: These are activities related to various management functions carried out by the Administrators. Every time such functions are
SubType: Administrator management, Certificate management, Role management, Log manageme
100. r groups. Clicking the <All> button will select all the names in the current page of the list if the list spans more than one page. Clicking <Reverse> will unselect the selected names while selecting the unselected.

7.1.1 Creating a new user group
Click <Add> to create a new user group and the New User Group page will appear. The Name field is mandatory while the rest are optional, with the exception of the Superior Group field, which will have a default value. The description of the fields is as follows:
Name: User Group name.
Superior Group: This is the parent group to which the user group belongs. The user group will inherit role information from the superior group.
User Information: Select the existing users created with the User Accounts option (see Section 7.2) to be placed in this group.
Role Information: Select the existing roles created with the Role option (see Chapter 9) to be assigned to this group.
Client Secure Policy Information: Select the client secure policies created in the Client Policy option (see Chapter 12) for this group.
Access Restriction List Information: Select the ARL created with the ARL option (see Chapter 13) for this group.
Description: Brief description of the group (max 128 characters).
The values for the fields User Information, Role Information, Client Secure Policy Information and Access Restriction List Information are selected by the following steps
101. responding password in the following format: Username password. If With Password is not selected, the file should only contain user names. The uploaded users will be assigned the password specified in the Password field below. Note that each entry in the file should begin on a new line. This option is only available for local password users.
Select Local for local users.
Select Password for password users.
User password.
Retype the user password for confirmation.
IP Pool from which the user is to be assigned an IP for NC access. Please refer to Chapter 14, Section 14.1 for information on adding IP Pools.
Timeout: The duration of inactivity before Succendo automatically disconnects the user.
Re-authentication: Check to enable and specify the time interval (minutes). When the user's log in time exceeds this specified interval, Succendo will require the user to be re-authenticated. Note: Succendo will prompt the user to re-authenticate themselves 3 minutes before the specified time. The user will be kicked out of the system if he fails to enter his password correctly for 3 consecutive times.
Valid Time: Time period after which this user account will be automatically disabled. Select the time period by using the date picker icon in the From and To boxes.
Status: Enabled, Disabled or Locked.
To add a local certificate user, select Local for the Authentication Server field and
102. ries below are listed here:
Database: Database related services.
Directory: Directory related services such as LDAP, AD, etc.
File: Files related services such as FTP, file sharing, etc.
Mail: Services that deal with mails such as HTTP mails, Exchange, etc.
Portrange: Services that belong to the particular port range.
Remote: Remote access services such as VNC, Telnet, etc.
Web: Web services.
Click on the group from the service list bar and the service list will automatically scroll to the corresponding group, which will be displayed with a bolded border, as the figure above shows.

Activating NC Access
If the user has been set up for NC access, he can view the NC user interface by clicking on the sub options in the NC menu.
[Screenshot: NC user interface showing NC Status, the "Click to download NC component" link and the NC Services list]
If this is his first time accessing NC, the user must first <Click to download NC component> and install the file onto the local computer. The first box, NC Status, will then display the current NC status, including the user's VNIC IP address assigned and its connection status, the status of the gateway and whether an
103. rk involves a few easy steps.

Step 1: Check for system requirements
To start configuring and running the Succendo system, you must have the following software and hardware ready. Please read the content below carefully to ensure a quick and accurate installation and configuration process.
Hardware and software requirements:
1. An IBM compatible PC, Pentium II 400MHz and above
- A CAT 5 UTP network cable, an installed network adaptor (either a fast Ethernet adaptor or a Gigabit Ethernet adaptor)
- Minimum 256M system RAM
- Minimum 40M hard disk space
- A mouse, an SVGA monitor
- Supports RS 232 serial port of 9600 Baud rate
- A crossover serial cable connecting the serial port of the Succendo system to that of the computer
2. Microsoft Windows 98/2000/NT/XP/2003
3. IE browser support
4. Hyper terminal program

Step 2: Check system parts
Please check the parts in the Succendo system package carefully once you receive it and make sure the following devices are included:
1. 1 chassis of the Succendo system
- 1 chassis with a pair of rack mounting bracket
2. 5 cables
- 1 AC power cable (Succendo supports a single point AC power source)
- 1 crossover serial cable to connect the serial port of the computer to the monitor port of Succendo
- 2 CAT 5 standard network cable to connect Succendo to your HUB or switch
- 1 CAT 6 crossover network cable
104. s External. Click Save to save the IP information.

3.1.1 Adding IP Pool
If you have selected Internal, you will notice an additional <Pool> button appear on the right of the interface. Clicking the <Pool> button will allow you to define the IP Pool for the interface.
[Screenshot: IP Pool form for interface eth1 with Start IP, End IP and Subnet mask fields and Add, Remove and Return buttons]
Enter the Start IP address, the End IP address and the subnet mask into the respective text boxes. Click Add to add this IP Pool, or Return to return to the previous screen without saving.
Note: IP addresses must belong to the same network segment as the port address or you will not be able to add the pool. Also, the port's IP address must not be within the range of addresses defined in an IP address object.

3.1.2 Adding more Static Routes
The list on the lower part of the main interface is a list of static routes added. You can add more routes by entering the Destination IP address, Subnet mask and Gateway address into the respective text boxes, then click Add to add the route.

3.2 System >> Information
The top part of this screen displays information about the system's interfaces, such as type and status. You can also decide whether users can or cannot access the SSH or the Gateway. This is done b
105. select 0 Minute from the drop down menu and click Save.

11.4 Monitor >> Service Chart
This page shows the amount of traffic flow each service used at intervals. Select Monitor >> Service Chart to view the Service List.
[Screenshot: Monitor >> Service Chart list with columns Name, Service Type, Server, Description]
To see the usage chart of the service, click the service name hyperlink. The chart will be displayed as shown in the example below.
[Screenshot: usage chart for service cc service]
The chart shows the amount of traffic generated by the service, in Megabytes, versus the time in 2 hour intervals. The name of the server from which the service originates is shown just above the chart.

11.4.1 Query for
106. service's AACR list, as shown in the example below.
[Screenshot: Service >> Service List >> Add Service, AACR list for service sc nis 01 nt fsrvr o2micro com, with columns Name, Description, Remove, Edit, Duplicate]
Clicking the <All> button will select all the names in the current page of the list if the list spans more than one page. Clicking <Reverse> will unselect the selected names while selecting the unselected.
To edit or delete an existing rule, click the Rule Name or the icon respectively. To duplicate a rule, click the icon. The duplicated rule will be created with the original name prefixed with "Copy of".
To add a new rule, click <Add>. After the interface for adding a new rule is displayed, complete the fields as described:
Name: AACR name.
Command: If the service type is HTTP, the commands you can select are either GET or POST. However, if the service type is FTP, then the available commands are CDUP, CWD, DELE, LIST, MKD, NLST, PASV, PORT, RETR, RMD, RNFR, RNTO, SMNT, STOR and STOU.
Parameter: The path of the object in the server that the command is applied to.
Action: Select Deny or Permit.
Role Information: Select the Roles that are affected by this rule.
Description: Brief description of the service (max 128 characters).
Once you are satisfied with your options, click Save to save the rule. Your new r
107. ss the system resources. Roles define the services which the users or user groups have access to. For details on how to add and manage roles, see Chapter 9. An illustration of the m:m (many-to-many) relationship between roles, users and services can be found in Chapter 1, Section 1.2. Each user group is made up of one or more users, and each user can belong to multiple user groups.

7.1 Managing User Groups
You can create User groups to group users with identical roles and functions together. This eliminates the need to manage users individually when it comes to assigning roles and rights, deleting users en masse, etc. Select User >> Group to view the User Group List shown below.
[Screenshot: User >> Group list with columns Name, Superior, Role, Policy, Description, Remove, Edit]
A user group can have multiple roles and policies assigned to it. Drop down boxes are available in the user group list to view the list of roles or policies for a user group.
You can make use of the <Query> button to search for a specific group or groups based on group name. Simply type the name into the Name text box and click <Query>. The system will list user groups with names that match or partially match the name field here. Querying with a blank name field will yield the entire list of use
108. st be different for the two Succendo servers working together in HA mode.
Port: The interface port number.
After selecting the HA working mode, configure the other settings as shown below.
[Screenshot: HA Setting form with Current status, Peer status, Secret Key, Interface, Local IP address, Peer IP address, Hello Interval, Hello Number and Check Points (Process, Interface, Ping: Interval, Number, Target IP)]
Current status: Current HA status of this server (active/inactive).
Peer status: HA status of the peer HA server (active/inactive).
Secret Key: Encryption key used to encrypt data transmitted by the HA server. Note: Both HA servers must have the same secret key.
Interface: Interface used to communicate with the peer HA server.
Local IP address: Local IP address of the HA interface.
Peer IP address: Peer server's interface IP address.
Hello Interval: Interval of time between sending Hello messages (seconds).
Hello Number: If the server does not receive Hello messages consecutively for this number of times, the server will deduce that the peer server is down and changes the peer status to inactive. If this is a slave server in AP mode, the server will auto
109. striction List Information: see Chapter 13, for this user.
Description: Brief description of the user (max 128 characters).
The values for the fields User Information, Role Information, Client Secure Policy Information and Access Restriction List Information are selected through the following steps:
i. Select the item from the respective Unselected list box. You can select multiple items from the list box.
ii. Click the button and the selected items will be placed in the corresponding Selected list box.
iii. To remove the items from the Selected list box, select the items to be deleted and click the button.
Alternatively, double click an item to move it from one list to the other. Once you are satisfied with your options, click Save to save the user.

7.2.3 Edit existing user
There are two ways to view and edit an existing user:
- Click the icon corresponding to the user name you want to edit. The icon is found under the Edit column of the user list.
- Directly click the user name.
Using either method will bring up the user information window, identical to the Add New User interface except that the fields are populated and the fields Authentication Server and Credential Type are disabled. After performing the necessary editing, click <Save> to save the modification or <Reset> to undo the changes.

7.2.4
110. successfully enters Monitor mode, you will see the Monitor> prompt cursor blinking on the display.
Command list (applicable for monitor v1.05):
- erase: delete data
- exit: exit
- interface: configure interface
- ip: IP information
- no: delete a configure
- ping: send echo message
- reload: reload system
- restore: restore system
- show: show system information
- update: update core or software

Command string:
Under any mode, when a is typed after a command, the monitor will display the parameters or sub commands available for this command.
Monitor> interface
Commands:
Eth0 Interface eth0
Interface eth1

Command string: Tab (as in pressing the TAB key on the keyboard)
Under any mode, pressing the TAB key after typing a part of a command word would either list the shell commands that are similar to the partial word, or complete the partial word if there is only one command word that resembles it.
Monitor> inte TAB
Monitor> interface

erase
Command string: erase all data
Function: Delete all data, or just delete configuration file and log.
Erase user data:
Monitor> erase data
Erase all data:
Monitor> erase all
Erase All will erase Succendo's program data. The system will not be able to start unless a system upgrade is done. Use Erase
111. t least one query criteria. Click <Query> to generate the search results.

7.3 Managing Locked Users
Users can be locked for two reasons: by administrators, by manually changing the Status field of the user, or by the system, after the user exceeds the maximum number of unsuccessful login attempts or violates certain security policies. To view the locked users, select Users >> Locked User and the list will be displayed as follows.
[Screenshot: User >> Locked User list with Refresh and Query controls and columns Name, Authentication Server, Lock Time, Lock Information]
Name: shows the locked user's account name.
Authentication Server: shows the name of the authentication server that authenticates the user.
Lock Time: shows the date and time of the user's last unsuccessful login attempt before being locked out, or the date and time the administrator changed the user's status to LOCKED.
Lock Information: shows the IP address where the user was attempting to login from. If the user was locked manually by the administrator, then the column shows the name of the administrator who locked the user.

7.3.1 Unlocking the users
To unlock one or more users, first select them by clicking the check box beside the user name and then click the <Unlock> button. The list will be refreshed and will display the remaining locked
112. t ranging from Warning to Critical. See the section Log Levels below for more details.
Result: To include logs that indicate a successful operation (OK), a failed operation (Fail) or both.
Show: Select the number of log items to display (10-200).
Operator: Username of the user whose recorded activities you would like to search. Select precision to avoid returning partial name matches in the query results.
Time Range (From and To): The range of the Date and Time of logs you want to include in your query. You can either type the information into the text boxes provided in YYYY MM DD HH MM SS format, or use the Date Picker button to select a date and enter the time as shown below.
[Screenshot: Date Picker. Callouts: "Click the arrows to select the previous or next month", "Click hyperlink to select the exact date", "Enter the time in hh mm ss format"]
Log Type: The type of logs you want to include in your query. This can be one of the four types available. See the following section, Log Types, for details.
Sub Type: Depending on the Log type selected, this field will be populated accordingly. See the following section, Log Types, for details on sub type.
Note: You must enter the time before setting the date in the Date Picker.

10.2.1 Log Levels
You can cli
113. t applications
- Service Type: Specify the various service and application types for the client end.
- IP Host: Set up the mapping between the Intranet host names with the corresponding IP addresses.
Detailed descriptions can be found in Chapter 8, Service Management.

2.2.7 Role Option
- Role List: Manage Roles.
Detailed descriptions can be found in Chapter 9, Role Management.

2.2.8 Log Option
- Config: Configure Log settings and parameters.
- Log Query: Search and view logs.
Detailed descriptions can be found in Chapter 10, Log management.

2.2.9 Monitoring Option
- Monitoring Item: Display various status and parameters of the running system.
- Online User: View and terminate current online users.
- System Chart: Display various system charts (memory usage, CPU usage, etc).
- Service Chart: Display current services.
- Top N: Display Top N information.
Detailed descriptions can be found in Chapter 11, System Monitoring and Control.

2.2.10 Client Policy Option
- Rule: Rules that decide whether the system should perform a host check or cache clear.
- Policy: Policies are made up of Rules.
Detailed descriptions can be found in C
114. te File: The name of the file to download. Include the full URL path of the file.

3.4.3 Update via Upload
[Screenshot: System >> Update form with FTP, HTTP and upload options and a Browse button]
You can type in the filename with its full path into the text box directly, or click <Browse> to select the file from a Choose File dialog box. Then click Update to update with the file.

3.5 System >> HA
Succendo comes with a High Availability (HA) feature using either dual standby or dual load mechanisms.
[Screenshot: System >> HA form with Work Mode (None, AP), Current status, Peer status, Secret Key, Interface, Local IP address, Peer IP address, Hello Interval, Hello Number and Check Points (Process, Interface, Ping)]
First select the HA work mode. Note: If HA is activated, both Succendo devices must be working in the same HA mode. There are 3 modes you can select from:
1. None: Do not activate HA.
2. AP: Activate dual standby mode. One server will become the master while the other is the slave. When AP is the selected HA work mode, you must configure the Float IP. Remote clients will use this IP address to access services on the master server. In AP mode, the Float IP must be the same for both the master and the slave servers so that client connec
115. thernet address 00 30 18 a3 43 f3

Command string: show ip route
Function: Show IP routing table.
ss vpn show ip route
Destination Netmask Gateway
86.48.0.0 255.255.0.0 211.23.0.120
211.23.0.0 255.255.0.0 eth1
86.18.0.0 255.255.0.0 eth0
0.0.0.0 0.0.0.0 211.23.254.254

Command string: show license
Function: Show the device's license information.
Succendo show license
System license information
ID e21d25beb490d844
Key
License users 25

Command string: Show running
Function: Prints the system operation configuration information.
Succendo show running
System version information
System Succendo 3 2 Build test 20061114120636
Client build20061114120745
hostname Succendo
interface eth0 ip 86.18.33.10 255.255.0.0
interface eth1 ip 86.48.33.10 255.255.0.0
interface eth2 ip 0.0.0.0 0.0.0.0
interface eth3 ip 86.88.33.10 255.255.255.255
ss encrypt strength medium
ss port 443

Command string: Show version
Function: Show software version.
ss vpn show version
System version information
System Succendo3 0 0 Build 9 20051216142037
Client build20051216142051

traceroute
Command string: Traceroute HOST
Function: Trace the hops on route to the destination host.
Succendo traceroute 86.18.1.1
Press key ctrl shift 6 interrupt it
Tracing the route to 86.18.1.1 min
116. timeout for this account.
Description: Brief description of the account (a max of 128 characters).
Access Restriction List: These are ARL that were created earlier (see Chapter 13 on details of ARL). Select the ARL from the Unselected ARL list into the Selected ARL.
Once you are done, click <Save> to create and save the new password account. To create a Certificate account, select CERTIFICATE from the Credential field and upload the Certificate via the <Browse> button.

4.1.2 Edit existing account
There are two ways to view and edit an existing account:
- Click the icon corresponding to the account name you want to edit. The icon is found under the Edit column in the account list.
- Directly click the hyperlinked account name.
Using either method will bring up the account configuration window. After editing the information, click <Save> to save the modification or <Reset> to undo the changes.
Note: The Credential field will not be editable when editing existing accounts.

4.1.3 Delete existing account
To delete an account, click the icon corresponding to the account name you want to delete. The icon is found under the Delete column in the account list. A confirmation dialog box will pop up to confirm your deletion. You can also select multiple accounts by clicki
117. tion
IP Pool: See Network Connection Access Model
Load Balancing: See AA Mode
Logs: automatic export; levels; log options, configuring; querying; type
Multiple ISP: deployment; setting up multiple interfaces
Network Connection Access Model: accessible services; configuring NC environment; deployment (single direction access, bidirectional access, proxy client to NC client, secured NC tunnel, peer to peer); IP Pools (list of; adding; editing, deleting, duplicating; query); setting up VPN users; roles; virtual network cards
Recovery: See Shell commands, monitor mode
Role: access control model; adding, editing; in user groups; in local, non local user; in NC; in service; role list; querying
Service: AACR; adding; client applications (adding; editing, deleting, duplicating; querying); duplicating; editing, deleting; IP Host (adding; removing, querying); list of; testing connectivity; type (http; file sharing; adding; editing, deleting, duplicating; querying)
Shell commands: monitor mode (erase, exit, interface, ip, no, ping, reload, restore, show, update); normal mode (configure, exit, generate, ping, poweroff, reload, restore
118. tions will not be disrupted when the slave takes over as the master in the event of a failure. Configure the Float IP by filling up the fields:
Interface: The interface through which services are remotely accessed.
IP Address: IP address for the interface. Note: This address must be identical for both Succendo servers working together in HA mode.
Subnet mask: IP address's subnet mask.
3. AA: Activate dual load mode. In this mode, both servers are providing services to clients. When a client attempts to access a service, it compares the network load of both servers and the status of the connection between the client machine and the servers. The client then determines which server has a better availability status to access the service from. The client initially connects only to 1 server and obtains the address of the other server from this initial server. Hence, the IP address and the port number of each server must be configured on the other. This is configured as the Map IP. When both servers are behind a firewall, the Map IP is the translated external address of the server. In the absence of a firewall, the Map IP is the direct external IP address of the server. Configure the Float IP by filling up the fields:
Interface: The interface through which services are remotely accessed.
IP Address: IP address for the interface. Note: This address mu
119. twork link quality over slow and unstable links, this function does not activate for applications that have strict requirements on the network environment. To resolve this issue, administrators can configure multiple interfaces on Succendo, each interface connecting to a different ISP. Coupled with Succendo's intelligent client end function, this ensures that clients connecting via the different ISPs enjoy a good network application experience. Please refer to Chapter 3, Section 3.1 for information on setting up interfaces.
[Diagram: multiple ISP deployment, with remote users, SOHO and partner sites reaching Succendo through ISP1 and ISP2, and Exchange, Radius, LDAP, File Server, Database, Windows AD and Web servers behind it]

1.1.3 High Availability Model
The aim of a remote access solution is to provide remote users with access to the Intranet at any time. This requires Succendo to provide for redundancy and sufficient fault tolerant mechanisms for possible breakdowns in the physical network environment. Succendo's high availability (HA) function satisfies this requirement. The two Succendo devices can be working in active active mode or active passive mode. The diagram below represents a HA deployment of Succendo.
[Diagram: HA deployment with remote users, authentication server, E mail and File server]
120. uccendo flash disk, you can define an integer from 5000 to 20000.
End user access log: Select to record information on users' access to services.
Log auto export config: Select to enable the auto export of log files. Click <Detail> to configure the various associated parameters. Please refer to Section 10.1.1 below for details.
Syslog server: IP address of the first Syslog server where the logs will be kept.
Syslog server2: IP address of the second Syslog server.
Click Save to save the current settings, or Reset to reset the parameters to the system default values (no Syslog server, maximum log entries set at 5000). You can also export the current logs into a locally stored file by clicking Export. To clear the current logs, click Clear.

10.1.1 Automatic Export of Logs
Click <Detail> on the interface to configure the various parameters, such as the location to export the logs to, the type of logs to export and auto export schedule. The interface is shown below.
[Screenshot: auto export configuration with Remote ftp server configure (IP address, User name, Password, Path), Time configure (Export time, Interval 1-365) and Query condition (Operator, Result, level, log type)]
121. ule should appear in the AACR List.
Note: Commands that are not assigned with an AACR will follow what is set in the AACR Default Action in the Security Settings (refer to Chapter 3, section 3.3).

8.3 Client Applications
When defining a service, there is an option to add client applications to it, so that when the user accesses the service they effectively launch the application. An example would be a file exchange service where a FTP client software is launched when the user selects the service. To create a pool of client applications, you need to first access the Client Application List. Select Service >> Client Application to view the list.
[Screenshot: Service >> Client Application list with columns Name, service, os, app, parameter, Remove, Edit, Duplicate]

8.3.1 Editing, Deleting and Duplicating existing applications
To edit an application, click the application, which is a hyperlink, or click the icon corresponding to the application name. You will open a screen identical to the Adding a new application interf
122. Click <Browse> and select the image files to upload for the various display areas, including Welcome picture (at the login page), Client banner picture (what users would see in their client end home page) and Admin banner picture (what admin users would see in their admin home page). The remaining customizable features include:
Welcome Message: Message to be displayed on the login screen.
Background Color: Enter the color code or click the palette button to select the color. This corresponds to the background color of the end user interface.
Bulletin Message: Bulletin message shown on the top right area of the end user interface.
Client Default Language: Default language for the end user interface.
Admin Default Language: Default language for the administrative interface.
3.10 System >> SetTime
From this interface window you can configure the system's date and time settings.
1. Set the system date and time using the Date Picker.
2. Then select the Time Zone (Continent/City) from the drop-down box.
Note: In the Date Picker interface, you must set the time first before selecting the date.
3.11 System >> NAT
Select System >> NAT to view the list of source NAT (SNAT) and destination NAT (DNAT) mappings currently defined in the system.
3.11.1 Source NAT
The top half of the screen displa
123. ve> to save the new key.
Chapter 6 Authentication Servers
Succendo supports 4 types of authentication servers, namely local (default), Radius, Windows Active Directory (AD) and LDAP. Select Authentication >> Server from the menu bar to see the existing server list.
[Screenshot: authentication server list with the columns Authentication Server, Type, Description, Default, Remove, Edit]
The default list will show all existing authentication servers regardless of the type. However, you can narrow down the list to display a specific type of server by selecting the server type from the drop-down box. Click on the drop-down box to select the type of authentication server you want to see. Once a type is selected, the server list will be refreshed and a list of servers of that specific type will be displayed.
You can add a new server, and delete and edit existing ones. To set an authentication server as the default server for authentication, click the corresponding radio button found under the Default column.
6.1 Adding new authentication server
To add a new server, first select a server type from the drop-down box. The current page will be refreshed automatically, displaying the list of servers matching the typ
124. vironments in which the failure of the O2Micro products could lead to death, bodily injury, or property or environmental damage ("High Risk Activities"). O2Micro hereby disclaims all warranties, and O2Micro will have no liability to Customer or any third party, relating to the use of O2Micro products in connection with any High Risk Activities. Any support, assistance, recommendation or information (collectively, "Support") that O2Micro may provide to you, including without limitation regarding the design, development or debugging of your circuit board or other application, is provided "AS IS". O2Micro does not make, and hereby disclaims, any warranties regarding any such Support, including without limitation any warranties of merchantability or fitness for a particular purpose, and any warranty that such Support will be accurate or error free or that your circuit board or other application will be operational or functional. O2Micro will have no liability to you under any legal theory in connection with your use of or reliance on such Support.
COPYRIGHT 2006 O2Micro International Limited
Table of Content
1.1 Typical Deployment Models
1.2 Succendo's Access Control Model
1.4 Connecting Succendo to the LAN
125. y DNS or WINS server addresses have been downloaded from Succendo. The area below displays the NC services that are authorized for the user's access. As with proxy services, you can click the relevant option from the NC menu in the bar on the left to auto-scroll the page to the corresponding area. Note that if a particular service can be accessed both in proxy and NC mode, then the system automatically executes the service at the client end in proxy mode. To use NC instead, click the <Stop Proxy> button from the top of the proxy service list.
Appendix A End user Remote Access
Setting up associated applications
The service names are all hyperlinked. The user can click the name to access the service via an associated application. If an associated application for the service is not defined, an error message will be displayed. If this is the case, the user has to click the icon beside the service name to set up the associated application.
[Screenshot: associated application dialog for the tftp service type, with Application and Parameter fields and the hint "Please substitute the domain name or IP using %S in the parameter, the system will automatically translate it to actual address or domain name"]
Once the associated application is set up, the user can click the service name to access the service via the application.
126. y toggling start or stop. The option which is not hyperlinked represents the current status for the respective access means. If services use the domain name of the application server, you can tell Succendo the location of the DNS servers so that the domain name can be resolved. Once the configuration page appears, type in the Hostname, Domain, Primary DNS IP address and Secondary DNS IP address accordingly. Click <Save> to save the settings.
3.3 System >> Security
This is where you set the various security features such as the crypto strength, various timeouts, lock period, etc. On the configuration page, select "Accept SSL V2 and V3 and TLS" to accept SSL protocol versions V2, V3 and TLS. If this field is unselected, then the system will only accept SSL V3 and TLS. Complete the rest of the fields:
Crypto Strength: Select from the strength of Low, Medium or High. See Section 3.3.1 for details.
Listen Port: Listening port number.
Session Timeout: Specify duration of inactivity after which the session times out.
User timeout: Specify duration of inactivity after which the user times out and is automatically logged out of the system.
Session Number per user: Maximum number of concurrent sessions each user can activate.
Login try times: Maximum number of unsuccessful attempts allowed for user to login.
Lock period: Lockout duration of deactivated or locked users, in minutes. Users will be unlock
127. ys the SNAT list. To add a new SNAT, configure the following parameters:
Source Address: Source IP address of the packet.
Netmask: Corresponding network mask for the source IP.
Destination IP: Destination IP address to translate to.
Interface: SNAT will be performed for matching packets arriving at this interface.
To remove a SNAT, click the corresponding icon from the rightmost column of the list.
3.11.2 Destination NAT
The bottom half of the screen displays the DNAT list. You can add a new DNAT by specifying the following parameters in the textboxes at the bottom of the list:
Protocol: The protocol (TCP or UDP) of the packet to perform the translation on.
Source IP: Source IP address.
Source Port: Corresponding source port number.
Destination IP: Destination IP address of the packet to perform the translation on.
Destination Port: Corresponding destination port number.
Click <Add> to add the new DNAT mapping. To remove a DNAT, click the corresponding icon from the rightmost column of the list.
3.12 System >> Virtual Service
To protect the Intranet's server information for servers providing services that can be remotely accessed, you can set up a virtual service on Succendo. This function is similar to destination network address translation, with the added functionality of being able to perform SSL encryption. To add a new virtual service