
Sinfor Web Access Gateway Manual


Contents

1. SSL Management
   [screenshot: SSL Control options - Enable SSL Control; Deny certificates issued by the following organizations; Only allow certificates issued by the following organizations; Deny expired certificate; Enable SSL certificate chain control (check whether the root certificate is trusted; if not, access will be denied).]
   Enable SSL Control: Check this item to enable the SSL black list / white list control function. Type the black list and the white list into the corresponding text boxes and configure whether expired certificates are allowed.
   Deny certificates issued by the following organizations: Defines the certificate issuers of the websites that are denied access. This is what is called the Black List.
   Only allow certificates issued by the following organizations: Defines the certificate issuers of the websites that are allowed access. This is what is called the White List.
   Deny expired certificate: Check this item and the device will verify whether the certificate has expired. If it has expired, the LAN user cannot access this website.
   Enable SSL certificate chain control: Used for verifying the certificate chain against the trusted root certificates listed on the Object > SSL Certificate page. If the sub CA is not consistent with the root CA, or the certificate has been altered during the issuing process, the LAN computer will be denied access.
2. Update server version is 0x400.
   View Gateway History: View the update log of the IAM gateway device.
   View Local Records: View the update log of the local Gateway Client Updater.
   Delete Local Records: Clear the update logs of the local Gateway Client Updater.
   Detailed Update Procedures:
   a. Download the update package to the local device.
   b. Start the Gateway Client Updater and then load the downloaded update package through ManagePackage > Load Package.
   c. Log in to the IAM gateway device through System > Connect.
   d. Click Update > Update Firmware; the dlanupdater will prompt that the update succeeded, and then the IAM gateway device will reboot. (page 315, SANGFOR IAM v2.1 User Manual)
   e. If the default configurations need to be restored, log in to the device and click Update > Restore Default Config.
   To update the firmware kernel of the SANGFOR gateway device, please DO follow the instructions given by SANGFOR technicians.
   Appendix B Acronyms And Abbreviations: URL - Uniform Resource Locator; VID - VLAN ID; VLAN - Virtual Local Area Network.
3. Filter URLs of the HTTP GET type, controlling access to common webpages. If you find any URLs that cannot be filtered, please contact us (Submit uncategorized website).
   [screenshot: URL filter rule list - Select All / Inverse / Move Up / Move Down; Action and Schedule drop-downs; Display All / Hide DISABLE; example categories: Job hunting & employment (job hunting / employment information websites, All day), Sex (sexual information websites, All day); Default Action: Allow / Deny; option "If several policies are associated, adopt the default action of the next policy and continue matching downwards".]
   Action: Select Disable, Deny or Allow to define the status of the selected URL(s).
   Schedule: Select All day, On duty, Off duty or Internet access total time to define the valid time of the selected URL(s). For detailed configuration of Schedule, please refer to Section 4.5 Schedule.
   <Select All> / <Inverse>: Click this button to quickly select the needed URLs.
   <Move Up> / <Move Down>: Click the button to move the selected URL(s) up or down.
   <Display All>: Click this button to display all the URLs, including the valid URLs and the invalid URLs.
   <Hide DISABLE>: Click this button to list all the valid URLs and hide all the invalid URLs.
   Default Action: Select Allow or Deny.
4. [screenshot: File Type Filter list - example entry "Application: Executable file, script", Disable, All day; buttons Select All / Inverse / Move Up / Move Down / Deny / Disable / Add File Type Group.]
   File Type Filter configures the filtering function for upload and download.
   The following restrictions will also be applied to FTP upload/download: Check this item and the filtering rules configured below will also apply to FTP upload/download.
   Upload: Configures the file type filtering function to control the upload of certain types of file, based on the file's extension name. For example, if LAN users upload attachment(s) through WebMail or through a BBS, the access control policy will filter the restricted file type(s). Check the Upload item to enable filtering of the file types to be uploaded. Besides checking the Upload item, you have to add the keyword(s) to the File Type Group list configured on the Object > File Type Group page (please refer to Section 4.9 File Type Group).
   White List Group: You can configure the white list group here, which is only valid for HTTP upload/download. For detailed configuring procedures please refer to Section 4.7 White List Group.
   <Add File Type Group>: Click this button to configure/activate the file type groups which have been configured on the Object > File Type Group page. To activate the file type(s), select the co
5. [screenshot: Edit User dialog - Login Name, Description and Display Name (cannot contain the special characters); Current Group; Source: Created by administrator; Advanced Settings; Binding: Bind IP / Bind MAC / Bind both IP and MAC / No binding; Group Password / DKey / None / Only allow SSO; Custom password; Authentication Method: RADIUS authentication / POP3 authentication; Public Account: Allow multiple users to sign onto the same account (multi-user login); Expiry Date: Never / Expired on; Enable This User: Enable / Disable.]
   7.4.5.1 Binding: IP/MAC Binding configures the IP/MAC to be bound; only with that IP/MAC can the user get authenticated through the IAM gateway device. Options are Bind IP, Bind MAC, Bind both IP and MAC and No binding. If No binding is selected, you have to configure an authentication method: Password, DKey or Only allow SSO. You can click <Format Instruction> to view the notes on filling in IP or MAC address(es) and their format.
   7.4.5.1.1 Bind IP: Select Bind IP and configure the IP to be bound, as shown below.
   [screenshot: Edit User > Basic Settings - Login Name, Description (cannot contain the special characters).]
6. Differences between Multi Interface and Multi Bridge: Multi Interface means one bridge has several interfaces and the IAM gateway device maintains only one MAC address table, while Multi Bridge treats the inside of the IAM gateway device as two independent bridges, each bridge maintaining its own MAC address table, and data cannot be forwarded between the two bridges.
   3.4.2.2 Bridge Mode (Multi Bridge). Environment for Bridge mode, Multi bridge: In order to enhance the stability of the network and reduce single-node failure, both the core switch and the router of the local area network are deployed redundantly. R1 and R2 both use the VRRP protocol; when the master is down, the alternate device enables the virtual IP and takes over the network. Then we deploy the IAM device in Multi Bridge mode; the data transmission directions are A to C and B to D, corresponding to those in the Bridge list. Detailed deployment is as shown in the following figure. The configuration page is as shown below.
   [screenshot: Gateway Mode page - Bridge Mode: Multi Interface / Multi Bridge; Link Sync: Disable / Enable; Network Interface.]
   Link Sync means that when one interface of the bridge switches from the
7. [screenshot: Access Control Policy template list - _Template Anti-fishing (enable URL filter, relative domain name, certificate); _Template Open all Internet access privilege and record/audit all actions; _Template Open all Internet access privilege, not record/audit any actions; _Template prevent file leakage (alarm upon outgoing file such as compression package, office software and program code); _Template prevent Trojan (identify risky Internet activity, alarm on information disclosure, deny malicious software); _Template white...; each Never expire, Enable, with View Associated User / Rename links; paging: First / Prev / 1 / Next / Last, Go to Page, Records/page 50.]
   7.1 Access Control Policy: Access Control Policy mainly configures the policy controlling LAN users' access to the Internet. It involves the configuration of Access Control, Web Filter, Email Filter, SSL Management, Application Audit, Flow/Time Statistics, Ingress System, Risk Iden
8. 5.1.3 WAN<->LAN: The WAN<->LAN page configures the rules for communication between the LAN interface and the WAN interface. By default, Internet access through the LAN interface has no limitation, while LAN access through the WAN interface is not allowed. To enable the external network to access the local area network, you have to configure a filtering rule which allows the Internet IP to access the LAN IP address. As shown in the figure below, the port configured for the Internet IP to access the local area network is 80, which indicates the port for communication from WAN > LAN is 80.
   [screenshot: Firewall > Firewall Rules > WAN<->LAN rule list - 1 Allow To Ping (Allow, WAN->LAN, Ping, Enable); 2 Pass UDP (Allow, WAN->LAN, All_UDP_Service, ALL, ALL, Enable); 3 Pass TCP (Allow, WAN->LAN, All_TCP_Service, ALL, ALL, Enable); Edit / Up / Down; other rule sets: LAN<->DMZ, DMZ<->DMZ, NAT Rules, Anti-DoS, ARP Protection.]
   In the Firewall Rule List, the Service, Source IP Group and Destination IP Group can be configured on the corresponding Object page, or you can click the <Add> button that follows to create a new one. For detailed configuration of each object please refer to the corresponding section in Chapter 4 Object.
   WAN<->LAN is the most common firewall rule. The IAM gateway device ha
9. Configures the auditor's email address if there is any email that needs auditing. The audit information will be automatically delivered to this email address if there is email that needs auditing. Check and configure this item to avoid delaying the delivery of some important emails. This function must be used together with the configuration on the Advanced > Alarm page. For details please refer to Section 12.1 Alarm.
   Note: Email Filter is only valid for the SMTP and POP3 protocols and invalid for WEBMAIL. The SMTP server address used for authentication must not be shorter than 3 characters, otherwise the emails will fail to be audited.
   7.1.2.4 SSL Management: SSL Management controls LAN users' visits to certain websites with the help of the black list and white list and the setting of whether to allow expired certificates. This function can further enhance the security level of SSL access, for it can apply the black list and white list, deny expired certificates and verify the certificate chain. SSL Management covers the configuration of SSL Control and SSL Content Ident.
   7.1.2.4.1 SSL Control: Check this item to activate the function. The configuration page is as shown below.
   [screenshot: Edit Access Control Policy - Single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable.]
10. [figure: LAN 10.251.251.251; WAN 200.200.20.156; Domain Server 10.251.251.10.]
   The domain controller is located in the local area network, that is to say PC1 and PC2 can log in to the domain controller before authentication. The domain controller and the IAM gateway device can communicate with each other, so the domain controller can send the successfully authenticated user information to the IAM gateway device. The primary DNS of the LAN user PC should be the same as the IP address of the domain controller.
   Check Enable Active Directory SSO to activate this SSO function. Click <Help of SSO Usage> to view guide information on how to configure the component mode of SSO. Active Directory SSO falls into three types: the first is to install an SSO script on the domain controller to intercept the logon logs; the second is to distribute the SSO script by the domain controller; the third is to distribute the SSO script by the domain controller and to send logon/logoff information to the IAM gateway device. The last type needs a listening port to intercept the Active Directory SSO information in the data sent from the mirror port of the switch or from the HUB.
   7.2.2.1.1 Install Component Mode: Enter the shared key in the text box that follows "User component mode, please enter shared key", ensuring that the key is the same as that configured in the SSO component of the domain controller. At the end of installing the
11. Firewall rules are matched from top to bottom. If a rule is matched, the rules below it will not be matched; therefore please arrange the rules in the needed order. The order of the firewall rules can be arranged not only through the Firewall Rule List but also by the Sequence Number in the above figure. The Firewall defaults to denying data packets if none of the firewall rules matches, that is to say the data packets will be dropped.
   5.1.2 DMZ<->WAN: DMZ<->WAN configures the rules for access between the WAN interface and the DMZ interface. The service can be all the services of a certain protocol or a user-defined service(s). For detailed configuration please refer to Section 5.1.1 LAN<->DMZ. The default configuration page is as shown below.
   [screenshot: Firewall > Firewall Rules > DMZ<->WAN rule list - 1 Pass TCP (Allow, DMZ->WAN, All_TCP_Service, Disable); 2 Pass UDP (Allow, DMZ->WAN, All_UDP_Service, ALL, ALL, Disable); 3 Allow To Ping (Allow, DMZ->WAN, Ping, ALL, ALL, Disable); Edit / Up / Down; Select All / Add; other rule sets: LAN<->DMZ, VPN<->WAN, VPN<->LAN, LAN<->LAN, DMZ<->DMZ, NAT Rules.]
12. If the DKey driver has not yet been installed, it will prompt you to download the DKey driver. Click the <Download DKey driver> link to download and install the driver. Before generating the DKey, please DO install the DKey driver, otherwise the computer cannot recognize the DKey hardware. While installing the DKey driver, please DO close third-party anti-virus software and firewalls, otherwise conflicts between the programs will appear and the DKey driver will fail to be installed.
   <Delete>: Click this button to delete the selected user(s).
   <Import Text User> / <Import Domain User>: Click this button to import the TXT or CSV file that contains the user information.
   <Export User>: Click this button to export and save the user information of this IAM gateway device to the local computer. You can decide whether to export it as Plaintext or as Cipher text. The dialog is as shown below.
   [screenshot: Export User dialog.]
   Click the <New Group> button to add a new user group. Type a name and description for this user group, define the group attributes (Encryption algorithm) and check the Enable My Network Places option. The dialog is as shown below.
   [screenshot: Add Group dialog - Group Name, Encryption algorithm, Enable My Network Places, LAN Privilege.]
   Click <Add User> to add a new user. C
13. On duty, Off duty or Internet access total time to define the valid time of the selected URL(s). For the configuration of Schedule please refer to Section 4.5 Schedule.
   <Select All> / <Inverse>: Click this button to quickly select the needed URLs.
   <Move Up> / <Move Down>: Click the button to move the selected URL(s) up or down.
   <Display All>: Click this button to display all the URLs, including the valid URLs and the invalid URLs.
   <Hide DISABLE>: Click this button to list all the valid URLs and hide all the invalid URLs.
   <Copy HTTP URL Filter>: Click this button and the HTTPS URL Filter page will copy the configuration of the HTTP URL Filter > Basic Filter page, so as to create the same rules without configuring them one by one again.
   Default Action: Select Allow or Deny to configure the default action of the current access control policy for HTTPS URLs that match none of the filter rules in the above list. This item functions in association with the valid URL(s) configured above.
   If several policies are associated, adopt the default action of the next policy and continue matching downwards: If multiple access control policies are associated with a user or user group, uncheck this item and the access control policy will apply the Default Action, or check this item and the data packets will continue to match the URL filtering rules of the access control p
14. Organization Structure configures the structure of the LAN users and user groups as well as the association between policies and user groups. The default Organization Structure configuration page is as shown below.
   [screenshot: Organization Structure page - Group Path; Access Control Policy; Source: Created by administrator; Group Information: Subgroups 1, direct users 5, total users including subgroups 5; buttons Add Subgroup / Add User / Select All / Inverse / Multi Edit / Delete Selected / Delete Current Group / Enable / Disable / Move Group/User; paging First / Prev / 1 / Next / Last, Go to Page, Records/page 50; entries such as subgroup "2222" (Use its own policy, Subgroup Count 0, User Count 0) and user "testuser" (Use parent group policy; Authentication Method: Password, customized password; Binding Information).]
15. The default password is dlanrecover. The login page is as shown below.
   [screenshot: Connect Gateway - IP 10.252.252.252; Password; Cancel.]
   After logging in successfully, it shows "login success" as shown in the figure below.
   [screenshot: DLAN Gateway Client dlanupdater 4.0 - menus System (S), Update (U), Backup (B), ManagePackage (M), Tools (T), UpdateHistory (R), Help (H); Update Firmware, Restore Default Config (D), Restore Default Network; output: MAC 005009008C73, DATE 20100526, login success, gateway firmware version is SANGFOR IAM 1 BUILD 100226 173247 cluster 1 23 disk, Update server version is 0x400.]
   Search: It automatically searches for the SANGFOR gateway devices in the local area network, as long as there are no routing devices between the local computer and the IAM gateway device and a layer 2 broadcast can reach it. Even if the IAM gateway device is located in a different network segment it can be found, as long as there is no router or layer 3 switch between the local computer and the IAM gateway device. The search results are as shown in the following figure.
   [screenshot: DLAN Gateway Client dlanupdater 4.0 - "begin to search DLAN gateway, please wait"; Gateway 1 IP 10.252.252.252; "search finished, found 1 gateways".]
   Change password: Modifies the login password of the gateway cli
16. [screenshot: Windows Server "Manage Your Server" window - "Your server has been configured with the following roles": Application Server (provides the core technologies required to build, deploy and operate XML Web Services, Web applications and distributed applications; includes ASP.NET, COM+ and Internet Information Services (IIS); links: Open the Web Interface for Remote Administration of Web servers, Review the next steps for this role); Mail Server (POP3, SMTP; mail servers use the POP3 service to provide e-mail delivery and tools for creating and managing e-mail accounts; links: Manage this mail server, Review the next steps for this role); Domain Controller (Active Directory; domain controllers use Active Directory to manage network resources such as users, computers and applications; links: Manage users and computers in Active Directory, Manage domain...); side links: Read about server roles, Read about remote administration, Windows Update, Computer and Domain Name Information, Internet Explorer Enhanced Security Configuration, Help and Support, Microsoft TechNet, Deployment and Resource Kits, List of Common Administrative Tasks, Windows Server Communities, What's New, Strategic Technology Protection Program.]
17. there is a Default Action and an option "If several policies are associated, adopt the default action of the next policy and continue matching downwards". If you DO NOT check the latter, the access control policy will apply the Default Action of the current control policy instead of having the data packets continue to match the rules of the access control policies that follow. In the other rule modules, the first matched rule is taken as final when matching the access control policy. These rule modules include Access Control > Proxy Control, SSL Management, Email Filter, Application Audit, Flow/Time Statistics and Risk Ident.
   Generally speaking, the rules of a policy are matched from top to bottom. A rule takes effect once it is matched, and the next rule of the same type will not be matched again. For this reason it is recommended that the more detailed rules are placed at the top while the general rules are at the bottom of the rule list. If the detailed rules are placed below the general rules that cover them, a rule-matching logic error will occur. Please DO arrange the rules in the right order.
   7.2 Authentication Options: Authentication Options mainly configures the IAM gateway device and user authentication related options. The configuration page is as shown below.
   [screenshot: Authentication Options page.]
   Enable p
18. [screenshot: Edit User dialog - Display Name (cannot contain the special characters); Current Group; Source: Created by administrator; Advanced Settings; User Attribute; Access Control Policy; Binding: Bind IP / Bind MAC / Bind both IP and MAC / No binding, Format Instruction; Add IP / Get from IP group / Clear List; Group; Password / DKey / None / Only allow SSO; Custom password; Authentication Method: LDAP authentication / RADIUS authentication / POP3 authentication; Public Account: Allow multiple users to sign onto the same account (multi-user login); Expiry Date: Never / Expired on; Enable This User: Enable / Disable.]
   Click <Add IP> and configure Add Object (Single IP, IP range or Subnet) and enter an IP address or IP range respectively.
   <Get from IP group>: Click it to select an already defined IP group; for the configuration of IP groups please refer to the relevant part in Section 4.5 Schedule.
   <Clear List>: Click it to clear all the IP address(es) in this list.
   7.4.5.1.2 Bind MAC: Bind MAC configures the MAC address to be bound, as shown below.
   [screenshot: Edit User dialog - Login Name, Description, Display Name (cannot contain the special characters); Current Gro
19. third party. If you want to have a third party fulfill the RADIUS authentication, correctly configure the RADIUS Server information, including RADIUS Server IP, RADIUS Server Port, Authentication Shared Key and RADIUS Authentication Protocol. The configuration page is as shown below.
   [screenshot: Advanced > RADIUS Server page - RADIUS Server IP (value not legible in the capture); RADIUS Server Port 1812; Authentication Shared Key; RADIUS Authentication Protocol; Enable RADIUS Authentication; left menu: Security, Gateway Antivirus, IPS, VPN Settings, VPN Status, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy, Local Subnet List, Tunnel Route, IPSec Connection, Common Settings, Advanced, LAN Service, LAN Interface, LDAP Server, RADIUS Server.]
   13.3.13 Generate Certificate: The HARDCA is one of SANGFOR's patents. A device that applies this technology can use its certificate to get its identity authenticated among different VPN nodes. The certificate of a device is generated from some of the features of this device and is then encrypted. Due to the uniqueness of the device hardware, the corresponding certificate is also unique and cannot be counterfeited. In this way, by requiring authentication with the features of the hardware, the IAM gateway device
20. [screenshot: Authentication Options page - New User Authentication; SSO Settings; Page Display After Authentication; Authentication Conflict Settings (for an account that disallows multi-user login, if it is logged in on another IP address during authentication: Logout the previous login and authenticate the account on the current IP address / Prompt about the login on another IP address but do not log it out); SNMP Option (enable it when the device requires crossing the layer 3 switch and binding MAC address); Other Authentication Options.]
   7.2.5 SNMP Option: SNMP Option helps to achieve Internet access through binding MAC, or binding both IP and MAC address, when a layer 3 switch exists in the networking environment. The configuration page is as shown below.
   [screenshot: Authentication Options > SNMP Option - Enable / Disable; SNMP Server Access Timeout (seconds; value range is 1-5); SNMP Server Access Interval (seconds; value range is 5-300); SNMP Server List (if the MAC address cannot be obtained through SNMP, most layer 3 switch users will access the Internet as temporary users; one server per row; supports at most 64 servers; format: IP, OID, Community; example value not legible in the capture).]
21. Common Settings covers the configuration of the Schedule and Algorithm modules.
   13.3.11.1 Schedule: Schedule defines commonly used time periods, mainly used as valid time or expiry time. A schedule can be referenced by the User Management and LAN Privilege configurations. The time is the same as the system time of the IAM gateway device. The Schedule default configuration page is as shown below.
   [screenshot: Advanced > Schedule page - entry "All day" (All day) with View link; left menu: Security, IPS, VPN Settings, VPN Status, Basic Settings, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy, Local Subnet List, Tunnel Route, IPSec Connection, Device List, Security Option, Outbound Policy, Inbound Policy, Common Settings.]
   Click the <New> button and the Schedule configuration dialog appears as shown below.
   [screenshot: Schedule dialog - Name: Office hours; Description: Office hours; hour grid 00 to 23; From Mon To Mon; From 0:00 To 0:30.]
   In this example, Office hours is the enabled time period, which means a rule that references this schedule will take effect during this period. Having completed configuring this schedule, you have to click the <OK> button to save the settings.
22. [screenshot: Outgoing File Alarm policy - Description: AAA; Expiry Date: Never expire / Expired on; Status: Enable / Disable.]
   After identifying the features of the outgoing files, the system will send an alarm email reporting the potential information disclosure. To audit the outgoing files transferred by FTP, HTTP and email, please enable the relevant options under Application Content Audit in the Audit Option tab.
   Enable Outgoing File Alarm. Note: If the FTP upload audit is not enabled, the file types uploaded by FTP will not be audited. If the Web upload audit is not enabled, the file types uploaded by webpage will not be audited. If the outgoing email audit is not enabled, the file types sent by email will not be audited.
   Add the file types to be alarmed and audited.
   [screenshot: file type list - Select All / Inverse / Alarm All / Alarm Encrypted / Enable / Disable / Add / Edit / Delete; Classification and Alarm Option: Office software (Feature ident), Text file (Feature ident), Video & image (Feature ident).]
   [screenshot: In Adding Status - Use internal classifications (feature ident); Classification: Video & image; File Type: All / customize file types (extension ident), e.g. bcf, p2p, fgk (comma separated); Enable alarm on multi-layer nested compression (more than 2 layers); Enable alarm-free extension (enter file type, comma separated); Set administrator email address for this policy: xujc@sangfor.com.cn; this is effective only w
23. [screenshot: IPS Options - Enable IPS: Enable / Disable; IPS rule defense level: High / Medium / Low; Defense Time After Intrusion Detected (seconds); Log Type of Intrusion Event: Simple / Detailed; IPS Direction: WAN<->LAN, WAN<->DMZ, LAN<->DMZ; Advanced Settings.]
   After enabling the IPS function, check the Advanced Settings option and configure the detailed parameters as shown below.
   [screenshot: IPS Options, Advanced Settings - IPS conditions: IPS will be enabled only when the conditions configured on the right are satisfied. All IP addresses / Specified IP address (IPS will be enabled only when the IP address belongs to the following range; format: one IP range per row, use a hyphen to separate start IP and end IP, e.g. 1.1.0.1-1.1.0.2; Clear List). All TCP ports / Specify TCP port (IPS will be enabled only when the TCP port belongs to the following range; format: one port range per row, use a hyphen to separate start port and end port, e.g. 1-65535; Clear List). All UDP ports / Specified UDP port (IPS will be enabled only when the UDP port belongs to the following range; format: one port range per row, use a hyphen to separate start po
24. LDAP Synchronization Policy configuration page.
   <Delete>: Click it to delete the selected LDAP synchronization policy or policies.
   <View Sync Report>: Click it to view the LDAP synchronization report.
   <Refresh>: Click it to refresh manually and view the synchronization status.
   7.6.1 Sync by LDAP Organization Structure: The Sync by LDAP organization structure mode imports the users and user groups according to the organizational unit (OU) structure of the Active Directory. Select Sync by LDAP organization structure and click the <Add> button, and the LDAP Synchronization Policy configuration page appears as shown below.
   [screenshot: LDAP Synchronization Policy - Policy Name: LDAP; Description; Auto Synchronize: Enable / Disable; LDAP Server; Import OU; Keep the relations; Import Remote Target: Enter DN of LDAP; Filter; Import From (disabled for security group OU); Import Depth (users under the depth will be synchronized to the same group while its subgroups will be ignored): specified OU / Sub OU of the specified OU; OK / Cancel.]
   Policy Name: Type a unique name for this synchronization policy.
   Description: Type a brief introduction for this synchronization policy.
   Auto Synchronize: Configures whether to automatically synchronize the information or not. Select Enable and the device w
25. POP3 SSO.

7.2.2.2.1 POP3 Authentication. POP3 authentication is generally applicable to an internal mail system in which every user has already been allocated an email account. It adapts to the client's existing email environment, widens the range of available authentication methods and makes authentication more convenient. To use POP3 authentication, the user must be an existing user of the POP3 server. When the user enters a username and password, the authentication system attempts to log in to the assigned POP3 server with them: if the login succeeds, the password is thereby proved correct and the user is authenticated; if the login fails, the user is not authenticated. Check the Enable POP3 SSO option and the authentication system will automatically pick up the authentication information when the user logs in to the POP3 server through a mail client such as Outlook or Foxmail, and will allow the authenticated user to access the Internet directly without typing the username and password again. Note that a plain POP3 login sends USER and PASS in clear text; the gateway can only read them, whether in-line or from a mirror port, when the session is not protected by TLS (POP3S or STLS), and so can anyone else with access to the same traffic.

7.2.2.2.2 Network Environment. The typical topology of POP3 authentication is as shown in the following figure. If both the POP3 server and the PC are in the local area network, the authentication data is not forwarded through the IAM gateway device; automatic authentication is then realized through a mirror port. If there is no m
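The passive observation that POP3 SSO relies on can be shown with a few lines of Python. The block below is an added example, not code from the SANGFOR manual: it reads a constructed transcript of one POP3 session (C: client to server, S: server to client), reports the username and whether the server accepted the password, and returns nothing useful once the client issues STLS, because everything after that is ciphertext. Assumed names: the transcripts, the function observe_pop3_login, the alice/bob accounts.

```python
"""Observe a POP3 login from the wire only, as a mirror-port SSO listener must.

Added example, not the gateway's code. The transcripts are constructed; 'C:'
marks client-to-server lines, 'S:' server-to-client lines (RFC 1939 USER/PASS,
RFC 2595 STLS).
"""
import re
from typing import Optional, Tuple

# One clear-text login: the username and whether it succeeded are both visible.
CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS s3cret
S: +OK Logged in.
C: STAT
S: +OK 2 3340
C: QUIT
S: +OK Bye
"""

# The same client upgrading to TLS first: nothing after the STLS reply is readable.
STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
<encrypted application data>
"""


def observe_pop3_login(transcript: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (username, authenticated).

    authenticated is True when the server answered +OK to PASS, False when it
    answered -ERR, and None when no clear-text USER/PASS exchange was seen
    (for instance because the session switched to TLS).
    """
    username = None
    awaiting_pass_reply = False
    for line in transcript.splitlines():
        m = re.match(r"^(C|S): (.*)$", line)
        if not m:
            continue                        # ciphertext or noise: nothing to learn
        who, text = m.groups()
        if who == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                username, awaiting_pass_reply = arg.strip(), False
            elif verb == "PASS":
                awaiting_pass_reply = username is not None
            elif verb == "STLS":
                return None, None           # credentials are protected from here on
        elif awaiting_pass_reply:
            # The first server line after PASS is the verdict on the password.
            return username, text.startswith("+OK")
    return username, None
```

The listener never takes part in the session, which is exactly why SSO works without a second prompt and also why the password is exposed to anything else that can see the mirror port.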
26. Troubleshooting > Drop List. Controls: Set Conditions; Enable Drop List; Enable Drop List and Bypass; Close Drop List. Status line: Drop list enable: No; Bypass: No. Columns of the list: Time, Source, Action, Proto, IP, Dev, Len, Line, dropflag, appname, apprule. Check Set Conditions to view the condition items and configure the filtering conditions, such as IP Address List, Excluded IP List, Protocol and Port, as shown below. The conditions are: IP Address List (IP address / IP range / Subnet; Clear List), Excluded IP List (IP address / IP range / Subnet; Clear List), Protocol (All / Specified: select the protocol type) and Port (All / Specified). IP Address List: configures the IP addresses to which this rule is applied; it defaults to all segments (0.0.0.0-255.255.255.255). Excluded IP List: configures the IP addresses whose data p
27. System > High Availability. The page shows: Device Name (<Modify>); Active/Standby Status: Primary (<Switch to Standby>); Last Switch Time: 2010-06-20 09:08:33; Update Mode: Disable; Last Sync Time; Sync configuration; Current Status: communication with the peer failed, heartbeat timed out; Timeout Settings; Interface Detection.

High Availability: displays the status of this function, enabled or disabled. Device Name: displays the name of the local device; click <Modify> to edit the device name. Active/Standby Status: displays the active or standby status of the local device; click <Switch to Active> or <Switch to Standby> to switch the standby node to Active or the active node to Standby. Update Mode: click this button to update the primary node and lock the Active/Standby status. Once Enable is clicked, the Active/Standby status cannot be altered even if the primary node goes down, so think carefully before enabling it. It is recommended to enable Update Mode only while you are updating the primary and standby devices, and to disable it as soon as the update is complete. Click <Enable> and the following dialog pops up: Update Mo
28. Object > White List Group. Name: names the new white list group. Description: type a brief description for this white list group. URL List: configures the composition of the white list group, one domain name or IP address per row. Having completed the configuration, click the <OK> button to save the settings.

4.8 Keyword Group. Keyword Group is used for configuring and classifying keywords. The keyword groups can be referenced from IAM > Access Control Policy > Edit Access Control Policy > Web Filter > Keyword Filter to control searching for and uploading information that contains the keywords in the group. The default Keyword Group page lists, for example: 1 Pornography (pornography keywords); 2 MSN (MSN keywords through the HTTP protocol login); 3 Entertainment (various entertainment information keywords), each with an Edit link and a Select All control. Under the Keyword Group default configuration page, click the <Add> button to enter the Edit Key
29. User management group list. Buttons: Select All, Inverse, Delete Selected, Delete Current Group, Enable, Disable, Move Group/User; paging: First, Prev, Next, Last, Go to Page, Records/page 15. The list shows, for example, group 2222 (Use its own policy; Subgroup Count 0; User Count 0) followed by its users, each listed with Use parent group policy, Authentication Method: Password (Customized password) and Binding Information. Newly created subgroups are displayed both in the left tree and in the member list. To add a subgroup of a certain group, first enter the configuration page of that group, then click the <Add Subgroup> button and follow the instructions. For instance, to add a subgroup under 2222, click 2222 in the left tree and then click <Add Subgroup>. The hierarchic structure of the SANGFOR gateway supports a maximum of 16 levels, root group included.

7.4.3 Edit Subgroup. Under the
30. You can specify a port to transmit broadcast packets so as to avoid a broadcast storm at both ends of a VPN.

13.3.3 User Management. User Management is used for managing the connecting-in VPN accounts. The configuration covers the user account and password of the connecting-in VPN, the authentication method of the account, the expiry date of the account, the LAN privilege group of the user and the public attributes of the group's users. It also configures whether to enable hardware authentication (DKey) and a virtual IP. The default configuration page is as shown below (VPN Settings > User Management): Download DKey driver; Username search; <Check DKey>; Total Groups: 0; Total Users: 2; Current Group User Count: 0; Current Page 1/1; list columns Group Member, Encryption Algorithm, Network, Virtual IP, Description, Operation (Default group). Click the <Check DKey> button to inspect whether the DKey has been inserted into the USB port of the computer from which you have logged in to the IAM gateway console.
31. abc.com and abc.com.cn: if abc.com is entered here, emails addressed to abc.com or abc.com.cn are not audited. Conditions on the policy page: Mail size > [ ] and attachment number > [ ]; Email contains the following keywords in title or content (Note: regular expressions are supported; for example, key d will match keyd and keyword); Set administrator email address for this policy. Audit Address / Audit-free Address List: define respectively the email addresses to be audited or not audited. For instance, if you do not want to audit the emails received by the enterprise's own email addresses, type the domain name of the enterprise mail server in the Audit-free Address List text box, such as vpn.com.cn; this frees from delay and audit every email address whose suffix is vpn.com.cn. Note that, as the abc.com example shows, this is a loose match rather than an exact domain comparison, so an entry may free more addresses than intended. Besides the above settings, you can also define the Mail size and Attachment number of the emails that should be audited. Email contains the following keywords in title or content: configures the keywords that may be contained in the email title or content. Emails whose title or content contains any of the keywords configured in the list are delayed and audited. For instance, type the keyword source code in the text box and an email is held back from being sent if its title or content contains this keyword. Set administrator email address for this policy:
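The conditions above (audit-free address suffix, mail size, attachment count, keyword regular expressions on title and content) combine into a small decision function. The Python below is an added example, not the gateway's own implementation: it parses a message with the standard email package and returns whether it should be held for audit and why. The audit-free domain vpn.com.cn and the keyword "source code" follow the manual's examples; the size unit (bytes of the raw message), the sample messages and the names AuditPolicy, should_delay and build_sample are assumptions made here. Deliberately, the suffix match is stricter than the page's loose one: abc.com frees abc.com and mail.abc.com but not abc.com.cn.

```python
"""Decide whether an outgoing email must be held for audit, following the
conditions the Delayed Email Audit policy page exposes.

Added example, not the gateway's code. Thresholds, the audit-free domain and
the keyword follow the manual's examples; the unit of the size threshold and
the sample messages are assumptions.
"""
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses
from typing import List, Tuple


@dataclass
class AuditPolicy:
    audit_free_suffixes: List[str] = field(default_factory=lambda: ["vpn.com.cn"])
    max_size_bytes: int = 8 * 1024 * 1024          # "Mail size > 8" (MB assumed)
    max_attachments: int = 0                        # "attachment number > 0"
    keyword_patterns: List[str] = field(default_factory=lambda: [r"source\s+code"])


def _audit_free(addr: str, suffixes: List[str]) -> bool:
    """Whole-label suffix match on the address domain (stricter than the page's example)."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def should_delay(raw: bytes, pol: AuditPolicy) -> Tuple[bool, List[str]]:
    """Return (delay_for_audit, reasons). Any single condition is enough to delay."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rcpts = [a for _, a in getaddresses([str(msg.get(h, "")) for h in ("To", "Cc", "Bcc")]) if a]
    if rcpts and all(_audit_free(a, pol.audit_free_suffixes) for a in rcpts):
        return False, ["every recipient is on the audit-free list"]

    reasons = []
    if len(raw) > pol.max_size_bytes:
        reasons.append(f"mail size {len(raw)} > {pol.max_size_bytes}")
    n_attach = sum(1 for _ in msg.iter_attachments())
    if n_attach > pol.max_attachments:
        reasons.append(f"{n_attach} attachment(s) > {pol.max_attachments}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    for pat in pol.keyword_patterns:
        if re.search(pat, text, re.IGNORECASE):
            reasons.append(f"keyword /{pat}/ found in title or content")
    return bool(reasons), reasons


def build_sample(to: str, subject: str, body: str, with_attachment: bool) -> bytes:
    """Constructed test message, not captured traffic."""
    msg = EmailMessage()
    msg["From"] = "alice@vpn.com.cn"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if with_attachment:
        msg.add_attachment(b"PK\x03\x04constructed", maintype="application",
                           subtype="zip", filename="build.zip")
    return msg.as_bytes()
```

Keyword matching is done on the decoded subject and the preferred text body only; base64 attachments are counted but not searched, which mirrors the page's separation of "attachment number" from "keywords in title or content".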
32. ...and will apply to all the SANGFOR hardware gateways deployed in the local area network (LAN). The Restore Default Network operation may have hazardous outcomes; do not perform it without a second thought. The IAM hardware gateway can only be updated from a lower version to a higher version; skipping a version or downgrading is not allowed. An update is itself a risk: if the update operation is not appropriate, the device may be damaged. Do not update the system on your own initiative; if necessary, contact SANGFOR technicians for instructions. The brief update procedure is: Step 1, upload the corresponding update package to the Gateway Client Updater; Step 2, log in to the Gateway Client Updater and perform the update operations. The Backup submenus are Backup Configuration and Restore Backup; refer to the page below (DLAN Gateway Client, dlanupdater 4.0; menus System, Update, Backup, ManagePackage, Tools, UpdateHistory, Help; Backup > Backup Config / Restore Backup). The client log shows: connecting gateway 192.200.200.12, MAC 005009008C73, DATE 20100526, login success, gateway firmware version is SANGFOR IAM 2.1 BUILD 100226 173247 cluster 1 23 disk, Update server version is 0x400. Backup Config: back up all the configuration information of the IAM hardware gateway device. Restore Backup: restore all the backed-up configuration inf
33. Access Control Policy list. Example entries: _Template Open all Internet access privilege and not audit (open all Internet access privilege, do not record any actions; Never expire; Enable; View Associated User; Rename); _Template prevent file leakage (alarm upon outgoing files such as compression packages, office documents and program code; Never expire; Enable; View Associated User; Rename); _Template prevent Trojan (identify risky Internet activity, alarm on information disclosure, deny malicious software; Never expire; Enable; View Associated User; Rename); white (Never expire; Enable; View Associated User; Rename). Paging: First, Prev, Next, Last, Go to Page, Records/page 50.

Access Control Policy List: displays the already configured policies, including Policy Name, Description, Expiry Date, Status and Operation. <Select All> / <Inverse>: click to quickly select the needed policies. <Add>: create a new access control policy. <Delete>: delete the selected policy or policies. <Enable>: enable the selected policy or policies. <Disable>: disable the selected policy or policies. <Export>: export the selected policy or policies and save them to the local computer. Import Policy: clic
34. ...baidu.com covers www.baidu.com, tieba.baidu.com, music.baidu.com and so on. There is a file type filter named All, which stands for all file types; select it with caution, because it will cut off Internet access if the Action of the rule is Deny.

7.1.2.2.5 ActiveX Filter. ActiveX controls installed by some web pages can interfere with the browser or even monitor your browsing and disclose personal information, and some are installed automatically by the browser, which spreads malicious plug-ins. The SANGFOR gateway device mitigates this with the ActiveX Filter rule: every ActiveX control must carry a digital signature, and untrusted plug-ins cannot be installed on the LAN computers, which improves the security of the local area network. Keep in mind that a valid signature only identifies the publisher; it does not make the control benign, so the allow list of specific controls is the stronger of the two settings. Enable ActiveX Filter: check this item to activate the ActiveX control filtering function; the settings on the Verify digital signature of ActiveX and Only allow the following ActiveX Controls pages then take effect. The Edit Access Control Policy page shows: Policy _Template Basic Internet Access Audit; Description: Allow DNS, HTTP, HTTPS, FTP, Mail, MSN, enable relative audit; Expiry Date: Never expire / Expired on; Status: Enable / Disable; ActiveX Filter U
35. System log entries, for example: Access Log, System, Information, 16:09:10, aclog.cpp:515, Receive action watch cmd; Generate Intermediate Report, Information, 16:07:24, Make mid table thread is working; WAN Optimization Alarm, wlowork_server.cpp:754, System pressure going down, notify the driver to continue forwarding; WAN Optimization Alarm, 15:40:12, wlowork_server.cpp:733, System pressure is too heavy, notify the driver to bypass; NTLM Authentication Alarm, 15:38:29, sedinthn.cpp:165, Failed to connect domain controller 200.200.0.1; Socks Proxy Information, 15:38:29, socks_main.cpp:545; NTLM Authentication Information, 16:38:20, ntlm.cpp:426, Start ntlm authentication service. Click the <Options> button at the top right of the interface to open the Log Options dialog and define how the system logs are displayed, as shown below. Log Options: Display Options (Info log, Alarm log, Error log, Debug log; Records Per Page); Filter Options (PD, DNS, Firewall, Intelligent report, LineDetect, VPN, Email Audit, Web Tracking, IM, Access Log, System, Flow Statistics, Virus Library Update, Anti-DoS, Web Authentication). Having defined the Display Options and Filter Options, click <OK> and then <Refresh> to apply the new configuration, as shown below.
36. ...selected URL(s). Schedule: select All day, On duty, Off duty or Internet access total time to define the valid time of the selected URL(s); for the detailed configuration of schedules refer to Section 4.5 Schedule. <Select All> / <Inverse>: quickly select the needed URLs. <Move Up> / <Move Down>: move the selected URL(s) up or down. <Display All>: display all URLs, valid and invalid. <Hide DISABLE>: list only the valid URLs and hide the invalid ones. Default Action: select Allow or Deny as the action of the current access control policy for HTTP URL filter rules that are not in the rule list above; it works together with the valid URLs configured above. Only allow login POST: with this selected, only logging in to webmail and BBS (viewing emails and reading posts) is allowed; sending email and posting are not. If several policies are associated, adopt the default action of the next policy and continue matching downwards: when multiple access control policies are associated with a user or user group, leave this unchecked and the policy applies its own Default Action, or check it and the data packets continue to match the URL filtering rules of the access control
37. ...to set the action of the current access control policy for HTTP URL filter rules that are not in the rule list above; it works together with the valid URLs configured above. If several policies are associated, adopt the default action of the next policy and continue matching downwards: when multiple access control policies are associated with a user or user group, leave this unchecked and the Default Action of the current policy is applied once the data packets have been matched against its rules, or check it and the data packets continue to match the URL filtering rules of the following access control policies. The Edit Access Control Policy page shows: Expiry Date (Never expire / Expired on); Status (Enable / Disable); the note "Filter URLs of the HTTP GET type, controlling access to common web pages. If you find any URLs that cannot be filtered, please contact us. Submit uncategorized website"; a rule list with columns Categories, Description, Action, Schedule and buttons Select All, Inverse, Move Up, Move Down, Action, Schedule, Display All, Hide DISABLE; Default Action: Allow / Deny; If several policies are associated, adopt the default action of the next policy and continue matching downwards. Action: select Deny or Allow to define the status of the corresponding URL
38. ...1.3 Bind Both IP and MAC. Bind both IP and MAC configures the IP/MAC pair to be bound, as shown below. The Add Object page (Single user / Multiple users) contains: Login Name, Description and Display Name (none of them may contain the listed special characters); Current Group: 2222; Binding: Bind IP / Bind MAC / Bind both IP and MAC / No binding, with the format instruction 192.168.1.12 00:95:00:03:06:48, the <Scan MAC address> button and Clear List; Scan object: Single IP / IP range / Subnet, IP address 192.168.1.12 (enter the binding IP address); Group: 2222; Authentication Method: Password / DKey / None / Only allow SSO / Custom password (Password, Confirm password) / LDAP authentication / RADIUS authentication / POP3 authentication; Public Account: allow multiple users to sign on to the same account (multi-user login); Expiry Date: Never / Expired on; Enable This User: Enable / Disable. To add an IP/MAC address, either enter the IP and MAC address directly in the Binding text box or click <Scan MAC address>. <Scan MAC address>: click it, select the scan object (Single IP, IP range or Subnet) and enter the range to be scanned; the device scans and obtains the MAC addresses of these IP addresses. Since both values are chosen by the client host and a MAC address is easily changed, treat the binding as a low-assurance check that complements, rather than replaces, user authentication. 1
39. Edit Access Control Policy (Ingress Rule): Single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable. Note: when the Ingress System is enabled, LAN users must install the ingress client before they can connect to the Internet. Buttons above and below the rule list: Select All, Inverse, Add, Delete. <Add>: click this button and the options pop up as shown below: Type (for example IM Monitor), Schedule (for example All day), Add. Select a Type and a Schedule, then click <Add> to add the new ingress rule to the list. For the configuration of a new schedule (here it defines the valid time), refer to Section 4.5 Schedule. <Select All> / <Inverse>: click above or below the list to select the needed ingress rule(s). <Delete>: delete the selected ingress rule(s). Having completed this page, click the <OK> button to save the settings.

7.1.2.8 Risk Ident. Risk Ident is used for identifying and controlling
40. Advanced > Alarm. Event Alarm: Enable / Disable. Disk Space Alarm: send an alarm email when the remaining disk space is lower than [ ]% (0 indicates no alarm). Bandwidth Alarm: send an alarm email when the total bandwidth of the device reaches [ ] Kbps within [ ] minutes (0 indicates no alarm). Alarm Events: Attack Alarm (Anti-DoS attack, ARP protection, etc.); Antivirus Alarm (all kinds of antivirus methods); Disclosure Alarm (Keyword Filter and File Type Filter under Web Filter); Email Audit Alarm (Delayed Email Audit); Risk Behavior Alarm (risk behaviour identification). Email settings: Email Title; Sending Interval [ ] minutes; Sender usertest@sangfor.com; Receiver usertest@sangfor.com; SMTP Server Address 200.200.0.250; Require Authentication; Send Testing Email. Event Alarm: select Enable to turn on the event alarm function. This is the overall switch for alarms; the email alarm function takes effect only when it is enabled. Alarm Events: includes Disk Space Alarm, Bandwidth Alarm, Attack Alarm, Antivirus Alarm, Disclosure Alarm, Email Audit Alarm and Risk Behavior
41. (Table of contents excerpt)
... 104
... 105
Chapter 7 IAM 107
7.1 Access Control Policy 107
7.1.1 Add Access Control Policy 109
7.1.2 Edit Access Control Policy 111
... 112
7.1.2.1.1 Application Control 113
7.1.2.1.2 Service Control 114
... 116
... 117
7.1.2.2.1 HTTP URL Filter 117
7.1.2.2.2 HTTPS URL Filter 120
7.1.2.2.3 Keyword Filter 122
7.1.2.2.4 File Type Filter 123
7.1.2.2.5 ActiveX Filter 126
7.1.2.2.6 ... 130
... 131
7.1.2.3.1 Send/Receive Mail 131
7.1.2.3.2 Webmail 132
... 134
... 134
... 135
... 137
... 137
... 140
7.1.2.6 Flow/Time Statistics 144
7.1.2.6.1 ... 144
7.1.2.6.2 Online Duration Control 145
7.1.2.6.3 ... 145
7.1.2.7 ... 146
7.1.2.8 Risk Ident 147
7.1.2.9 Reminder 149
7.1.2.9.1 ... 1
42. Alarm. You can check one or more options according to your needs. Email Title: defines the title of the alarm emails. Sender: configures the email address from which alarm emails are sent. Receiver: configures the email address that receives the alarm event information and the emails held for audit. SMTP Server Address: configures the IP address or domain name of the SMTP server used for delivering alarm emails. Username / Password: type the username and password if the SMTP server requires authentication. Having completed this page, click <Send Testing Email> to check whether the email can be delivered successfully.

12.2 Proxy Server. In some cases users of the IAM gateway access the Internet through a proxy. Such users escape the rules configured on the firewall module, because the firewall module allows or denies a data packet only according to its destination address and port, which for proxied traffic are those of the proxy. For the firewall module to work, the IAM gateway device must first extract the real IP address and port to which the proxy forwards the data packets and then hand that information to the firewall. This only works for proxy traffic the gateway can parse; a connection that is encrypted end to end with the proxy hides the real destination from it. The network should be designed as in the following figure: PC -> IAM -> Proxy. The data packets must be guaranteed to pass through the IAM gateway
43. Multi-Node Synchronization: Disable; Communication Interface: WAN; <Synchronize Configuration to Other Node>; <View Synchronization Report>; status "Saving configuration successfully". Multi-Node Synchronization: enable it and the user authentication information, the user list and the data of the internal identification libraries are synchronized in real time. Communication Interface: configures the network interface used for synchronization between the IAM gateway devices; it can be any interface over which multicast packets can reach the other device. It is recommended to use an idle network interface and connect the devices directly, not least because the synchronized data includes user authentication information and any host on a shared segment can join a multicast group. Multicast IP Address: configures the multicast address used for synchronization between the IAM gateway devices; any address in the multicast IP range may be used, but the address configured on the devices to be synchronized must be identical. Online List: displays the IP addresses of the devices taking part in synchronization. Having completed the page, click <Synchronize Configuration to Other Node> to send synchronization signals to the other node, or click <View Synchronization Report> to view the synchronization information.

3.7 Date/Time. Date/Time configures the system date and time of the SANGFOR IAM hardware gateway device. In addition
44. External Data Center: open http://IP:PORT (the IP address and port vary with the deployment) to reach the login interface of the internal Data Center, as shown below: DATA CENTRE, Sangfor IAM 2.1, Username, Password; "To enable DKey search please download the ActiveX control. If you have installed software with a popup filter function, please remove such function first." Having completed the page, click <OK> to save all the settings.

10.4 Enter Data Center. Enter Data Center lets you log in to the internal Data Center of the IAM gateway device as the current user to search the logs and compile statistics in real time. The page (Internet Access Audit > Enter Data Center) shows Welcome to Data Center, Data Center Settings and Enter Internal Data Center. Click the <Internal Data Center> button to log in to the Data Center as shown below: Login / Logout; User admin; Language English (ENG); Current Gateway; Quick Link: Search Behavior Logs, FTP Flow Search, HTTP Flow Search, User Flow Ranking, Website Class, Websi
45. Edit Rule fields: Service, Source IP Group, Destination IP Group, Schedule, Enable Rule, Enable Log; example values: VPN<->LAN, Allow / Deny, All_TCP_Service (Add Service), Add IP Group, All day (Add Schedule), Enable / Disable. For other kinds of data packets from the VPN headquarters or a branch VPN, you can likewise configure filtering rule(s) for the data transmission between other interfaces.

5.1.6 LAN<->LAN. LAN<->LAN configures the data transmission between the LAN1 interface (the LAN interface on the IAM gateway device) and the LAN2 interface (the idle WAN2 interface on the IAM gateway device), or the communication among the IP addresses of different segments bound to the LAN interface. The service can be all services of a certain protocol or a user-defined service; for detailed configuration refer to Section 5.1.1 LAN<->DMZ. The default configuration page (Firewall > Firewall Rules > LAN<->LAN) is as shown below: 1 Allow To Ping, Allow, LAN1 -> LAN1, Disable, Edit, Up, Down; 2 Pass UDP, Allow, LAN1 -> LAN1, All_UDP_Service, ALL, ALL, Disable, Edit, Up, Down; 3 Pass TCP, Allow, LAN1 -> LAN1, All_TCP_Service, ALL, ALL, Disable, Edit, Up, Down.
46. Having completed this page, click <OK> to save the settings. Advanced Filter: Advanced Filter is specifically for URL filtering of HTTP POST, controlling logging in or posting to BBS, webmail and the like. Advanced Filter: check this item to activate the configured rules and enable advanced filtering. The Edit Access Control Policy page shows: Policy _Template prevent Trojan; Description: identify risky Internet activity, alarm on information disclosure, deny malicious software; Expiry Date: Never expire / Expired on; Status: Enable / Disable; the note "Filter URLs of the HTTP POST type, controlling login or posting to BBS, webmail, etc. If you find any URLs that cannot be filtered, please contact us. Submit uncategorized website"; a rule list with columns Description, Action, Schedule, for example Gambling: Only allow login POST, All day; forum/blog website: Deny, All day; buttons Select All, Inverse, Move Up, Move Down, Action, Schedule, Display All, Hide DISABLE; Default Action: Allow / Deny / Only allow login POST; If several policies are associated, adopt the default action of the next policy and continue matching downwards. Action: select Disable, Deny, Allow or Only allow login POST to define the status of the
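The URL filter semantics described on the HTTP GET filter page and on this Advanced (POST) filter page, in particular the Default Action, the "Only allow login POST" action and the "adopt the default action of the next policy and continue matching downwards" option, can be captured as one small evaluation routine. The Python below is an added example, not the gateway's implementation. The category table, the two policies (modelled on the templates shown on these pages), the assumption that a login form submission can be told apart from other POSTs (a flag on the request), and the behaviour when every policy in the chain defers and none is left (the last policy's default is applied; the manual does not cover that case) are all constructions for illustration.

```python
"""Evaluate a chain of access control policies against one HTTP request:
ordered rules with Allow / Deny / Only allow login POST, a per-policy Default
Action, and the fall-through option between associated policies.

Added example, not the gateway's code. Categories, policies and the
is_login_post flag are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Action(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    LOGIN_POST_ONLY = "Only allow login POST"


@dataclass
class Request:
    host: str
    method: str                  # "GET" or "POST"
    is_login_post: bool = False  # assumed: the filter recognises a login submission


@dataclass
class Rule:
    category: str
    action: Action
    enabled: bool = True
    in_schedule: Callable[[], bool] = lambda: True   # "All day"


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_action: Action
    continue_to_next: bool = False   # "If several policies are associated, adopt the
                                     # default action of the next policy and continue"


# Constructed stand-in for the gateway's URL category library.
CATEGORY_OF = {
    "bet.example": "Gambling",
    "forum.example": "forum/blog website",
    "mail.example": "Webmail",
    "news.example": "News",
}


def apply_action(action: Action, req: Request) -> bool:
    """True = pass the request, False = block it."""
    if action is Action.ALLOW:
        return True
    if action is Action.DENY:
        return False
    # Only allow login POST: reading (GET) passes; a POST passes only if it is the
    # login itself, so sending mail or posting is blocked while signing in works.
    return req.method != "POST" or req.is_login_post


def evaluate(policies: List[Policy], req: Request) -> Tuple[bool, str]:
    """First matching enabled, in-schedule rule wins; otherwise the policy's
    default applies unless it defers to the next policy in the chain."""
    category = CATEGORY_OF.get(req.host, "Uncategorized")
    for pol in policies:
        for rule in pol.rules:
            if rule.enabled and rule.category == category and rule.in_schedule():
                return apply_action(rule.action, req), f"{pol.name}: rule '{rule.category}'"
        if not pol.continue_to_next:
            return apply_action(pol.default_action, req), f"{pol.name}: default action"
    last = policies[-1]
    return apply_action(last.default_action, req), f"{last.name}: default action (end of chain)"


# Two policies modelled on the templates shown in the manual, evaluated in order.
PREVENT_TROJAN = Policy(
    "_Template prevent Trojan",
    [Rule("Gambling", Action.LOGIN_POST_ONLY), Rule("forum/blog website", Action.DENY)],
    default_action=Action.ALLOW,
    continue_to_next=True,
)
BASIC_AUDIT = Policy(
    "_Template Basic Internet Access Audit",
    [Rule("Webmail", Action.LOGIN_POST_ONLY)],
    default_action=Action.ALLOW,
)
CHAIN = [PREVENT_TROJAN, BASIC_AUDIT]
```

The point worth checking in a real deployment is the fall-through flag: with it unchecked on the first policy, a webmail POST would be allowed by that policy's Default Action and the second policy's "Only allow login POST" rule would never be consulted.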
47. ...the IP address and the port configured as the proxy port on the WAN Optimization > Proxy Options > WAN Optimization page.

3.5 Network Interface. Under Route mode you configure the network interfaces on this Network Interface page. In Bridge mode (Multi-bridge) you can also configure the bridge here. For other gateway modes, the network interfaces are configured under System > Gateway Mode. The Network Interface default configuration page is as shown below. LAN Interface: Interface Type LAN1; Running Status; Security Status; Work Mode: Ethernet; IP address / netmask; MAC address 00:00:48:0E:09:03; MTU 1500; Speed 100Mb/s Full; Link status: Enable; VLAN Status: Disable (view VLAN list; display format: VLAN ID / IP address / subnet mask); <Configure>. DMZ Interface; WAN Interface. LAN Interface: displays the information of the LAN interface; click the <Configure> button to enter the corresponding configu
48. Virtual Line Rule List columns: LAN Interface, WAN Interface, LAN IP, WAN IP, Protocol, LAN Port, WAN Port, Line, Operation. Example rows: rule 1 -> Line1 (Edit, Up, Down); rule 2: All, All, All, All, All -> Line2 (Edit, Up, Down); Default: All, All, All, All, All, All, All -> Line1. Move Selected Rule To: First row / Last row / No. [ ]. The SANGFOR IAM gateway device lets you create a Virtual Line Rule List. It applies when several external lines connect to the Internet device in front of the IAM gateway, or several Internet devices connect in front of the IAM gateway, and the gateway mode is Bridge mode (Multi-Bridge). Configure the virtual line rule(s) according to your policy, specifying external and internal IP address, port, protocol and so on, so that specific traffic is forwarded to the assigned bridge and the bandwidth is controlled and used more efficiently. The Virtual Line Rule List is as shown below (System > Settings > Virtual Line). Import/Export: Import Configuration (Browse, Import; select the file to import; the imported configuration does not affect or overwrite the existing one); Export Configuration (export the configuration file of the virtual line rules); Import Rule (import virtual line rules). Virtual Line Rule List: Select All, Inverse, Add, Delete; First, Prev, Next, Last, Go to Page 1, Records/page 500; columns LAN Interface, WAN Interface, LAN IP, WAN IP, Protocol, LAN
49. involved hosts of the domain will not be monitored or controlled (but still restricted by IM monitoring). For example, if you specify baidu.com here, all the involved hosts, such as www.baidu.com and zhidao.baidu.com, will not be monitored or controlled. Format: one IP address, IP range, subnet or domain name per row. Use a slash to separate subnet and mask, e.g. 10.10.0.0/255.255.0.0. Use a hyphen to separate start IP and end IP, e.g. 192.168.0.1-192.168.0.20, or baidu.com. The wildcard is not supported.

[Screenshot: Advanced > Excluded IP/Domain page, with the entry types IP address, IP range, Subnet and Domain name, a Clear List button, and a pre-populated list of excluded domains.]

Excluded IP/Domain: If the IP address/domain name of a LAN user or the destination IP address of a server is any of the IP addresses/domain names configured here, the Internet access of the LAN user or the visits to the destination server will not be monitored. The data packets will get passed directly. If the firewall has configured a rule on any of the IP addresses that are involved in t
50. Mask: Configures the mask of the source subnet. In this example it is 255.255.255.0. Destination Subnet: Configures the network ID of the destination subnet. In this example it is 172.16.1.0. Destination Mask: Configures the mask of the destination subnet. In this example it is 255.255.255.0. Destination Route User: Configures the VPN device to which this tunnel route directs, indicating the corresponding username selected in the VPN Settings > Connection Management > Edit Connection configuration dialog. In this example it is test (Guangzhou).

The tunnel route is also used for forwarding all the Internet access requests of a branch user to its VPN headquarters, enabling the branch VPN user to get access to the Internet through the WAN interface of the VPN headquarters. The configuration is as shown below.

[Screenshot: Edit Tunnel Route dialog with Source Subnet, Source Mask, Destination Subnet 0.0.0.0, Destination Mask 0.0.0.0, Destination Route User Guest, and "Enable: Access Internet via destination route user" checked; OK and Cancel buttons.]

Source Subnet: Configures the network ID of the source subnet which needs to connect to the Internet through the VPN headquarters. In this example it is 172.16.1.0 (Shanghai branch). Source Mask: Configures the mask of the source subnet. In this example it is 255.255.255.0. Destination Route User: Configures the VPN device to which thi
51. [Screenshot: File Type Group list with entries such as Picture (Picture format file), Text (Source file), Compressed file and Application (Executable file/script), each with an Edit link, and a Select All control.] Under the default configuration page, click the <Add> button to enter the Edit File Type Group default configuration page as shown below.

[Screenshot: Edit File Type Group page with Name, Description (e.g. Movie format file) and File Type fields; format hint: one file type per row, e.g. mp3; an Add filetype button and OK.]

Name: Names the new file type group. Description: Type in a brief description for this file type group. File Type: Configures the extension of the file type, one entry per row. Having completed configuring, you have to click the <OK> button to save the settings. The extension name of a file type cannot be entered twice or more.

4.10 Ingress Rule

Ingress Rule configures the rules to be applied when users get access to the Internet. The ingress rules are to ban the use of proxy soft
52. Port: Type a port through which the peer VPN Branch1 is to visit the services provided by the local terminal. In this example it is 1-65535 (all the ports).

Under the Edit Multiline Routing Policy page, select Bandwidth stacking and click the <Advanced> button to enter the Advanced Settings page as shown below.

[Screenshot: Advanced Settings dialog with Number of Peer Lines and an Available Line List pairing each local line (Line1 to Line4) with a peer line, each with Up/Down controls, and OK/Cancel buttons.]

Select the needed line for data transmission. In this example it is from local line Line1 to peer line Line1. After that, click the <OK> button to save the settings. In the above example, the branch has only one line connecting to its VPN headquarters. If the branch has several lines connecting to the headquarters, you can select Number of Peer Lines and select the needed lines in the list. The Advanced Settings is only available for the Bandwidth stacking, Active-standby and Average distribution routing policy options. If the routing policy selected is Dynamic detection, the system will choose an optimal line for the fastest connection. If the policy-selected line is in fault, the system will automatically switch to an available line to ensu
53. Return to Packet Capture page. [Screenshot: Packet Capture page listing captured packets with columns No., Packet Header and Loaded Data; each row is a TCP packet from 192.168.233.215:1787 to 192.168.233.1:22345 with an application layer length of 36, a Detail link, and a hex dump of the payload.] Click <Details> to view the detailed data loaded by the data packets as shown below.

[Screenshot: Capture File Details page with Capture File Information, the links "Return to current data packet" and "Return to Packet Capture page", and the selected packet's header and loaded data shown as a hex dump.]
54. Router List, so that the MAC address of this interface is excluded from the anti-DoS rule and from being blocked. Generally, if the WAN interface of the IAM gateway device connects to any firewall or router, the interface IP address of this routing device should be added into the LAN Router List.

By default, the Max New TCP Connections Per IP (in one minute) of the anti-DoS module of an IAM gateway device is 1024 and the Max Attack Packets Per IP is 300. If the local area network is virus-infected and sending enormous numbers of packets, resulting in disconnection of the network, it is recommended to modify Max New TCP Connections Per IP to 512 and Max Attack Packets Per IP to a smaller value, and then the defense against the virus-infected LAN computers can be more efficient.

As the download software Thunder allows massive connections, it behaves like a DoS attack. Because of this feature, the IAM gateway device may block the LAN PC that is running the Thunder software. To solve this problem, you can set an appropriate value to lower the possibility of the computer being blocked by the IAM gateway device: configure Max New TCP Connections Per IP as 1024 connections/minute and Max Attack Packets Per IP as 512 packets/second.

5.4 ARP Protection

ARP spoofing is a common LAN virus. The infected computer keeps sending fake or spoofed broadcast packets to the local area network (LAN) and thus interrupts and stops the normal communi
55. SSO component of the domain controller, it requires typing the IP address of the IAM gateway device and the shared key. The shared key must be the same as that configured on the IAM gateway device; otherwise the Active Directory SSO function will not work properly.

7.2.2.1.2 AD Group Policy Mode

This mode can realize SSO with the help of the group policy of the Active Directory. Configured correctly, it will enable the user to automatically get WEB authentication fulfilled by the IAM gateway device when the user logs in to the Active Directory, and will enable the user to log off from the IAM gateway device when it is logging off.

7.2.2.1.3 Configure Logon Script Program

Logging in to the domain controller, click Start > Program > Administrator Tool > Manage Your Server as shown below.

[Screenshot: Windows Start menu with Administrative Tools and Manage Your Server highlighted.]

Select Manage users and computers in Active Directory as shown below.
56. [Screenshot: Session Control settings with Enable Session Control (Enable / Disable) and Max Concurrent Sessions Per IP; value range is 1-65535.]

Enable Session Control: Enable it to limit the maximum concurrent sessions (connections) for a single IP address (user). This function can prevent the users from creating a large number of sessions caused by a scanning tool or by using several download tools at the same time, such as P2P. It helps to lower the possibility that viruses spread widely by scanning and connecting to other devices. Max Concurrent Sessions Per IP: Configures the maximum concurrent sessions for a single IP address. If the number of concurrent connections of a single IP address reaches the threshold configured here, the session connection request will be denied. Having completed configuring this page, you have to click the <OK> button to save the settings.

7.1.2.7 Ingress System

Ingress System is used for banning the use of proxy software, inspecting the status of binding IP/MAC over the layer 3 switch, monitoring encrypted IM messages, etc. If the access control policy has applied the ingress rule(s), the user computer has to satisfy the corresponding rules configured on the IAM gateway device to get access to the Internet. As to the configuration of ingress rules, please refer to Section 4.10 Ingress Rule. Ingress System: Check this item to activate the ingress rule. The configuration page is as shown below.
57. Having completed configuring this page, you have to click the <OK> button to save the settings.

10.3 Data Center Settings

Data Center Settings configures the server that synchronizes the logs, including the IP address, account, password and WEB port of the external Data Center. The configuration page is as shown below.

[Screenshot: Data Center Settings page with Data Center Primary Address, Data Center Secondary Address, IAM Communication Port (TCP), Data Sync Account, Data Sync Password, Data Center Web Port, Enter External Data Center (http://127.0.0.1:80) and a Test button.]

Data Center Primary Address / Data Center Secondary Address: Configures the server IP address of the Data Center of the SANGFOR IAM gateway device. The address can be an IP address or the corresponding domain name (ensure that the IAM gateway device can parse the domain name; the IAM gateway should be able to access the Internet). Data Sync Account / Data Sync Password: Enter the account name and password respectively. Click th
58. Shanghai. Source Subnet and Destination Subnet define respectively the source IP address and destination IP address of the data to be transmitted. If the data packet satisfies these two conditions, this route will take effect and the data will then be transmitted to the corresponding VPN device. Destination Route User determines the VPN device to which the data packets are forwarded by this tunnel route, indicating the corresponding username selected in the VPN Settings > Connection Management > Edit Connection configuration dialog. In this example, the branch Shanghai has established a VPN connection with its headquarters using the name Guest in the Connection Management configuration page. Therefore we choose the Destination Route User Guest as the route to forward the data to its headquarters VPN device.

Step 2: Configure Tunnel Route on the Guangzhou branch IAM gateway device. Check Enable Tunnel Route and click the <New> button to add a route directing to the Shanghai branch as shown below.

[Screenshot: Edit Tunnel Route dialog with Source Subnet 10.1.1.0, Source Mask, Destination Subnet, Destination Mask 255.255.255.0, Destination Route User test, and "Enable: Access Internet via destination route user" checked.]

Source Subnet: Configures the network ID of the source subnet. In this example it is 10.1.1.0. Source
59. The configuration page is as shown below.

[Screenshot: Auto Update page. Library Update Settings table with columns Enable Auto Update, Current Version, Latest Version, Expiry Date and Operation, listing Virus Library, URL Library, Gateway Firmware (never expires) and Application Ident, each with Update Now and Rollback; Latest Version shows "Failed to get information". Server Settings: Update Through Proxy Server (HTTP proxy IP address and port, Require Authentication with Username and Password) and Select an Update Server (China Telecom).]

Enable Auto Update: Check the corresponding item to automatically update the internal library. <Update Now>: Click this button to immediately update the corresponding library that has not expired. <Rollback>: Click this button to cancel the previous update of the corresponding library, and the rules library will recover to the pr
60. User: Under the Member List page, click the <Add User> button to add user(s). The configuration page is as shown below.

[Screenshot: Edit User page with Add Object (Single user / Multiple users), Login Name, Description and Display Name (none may contain the special characters), Current Group, Source, the User Attribute and Access Control Policy tabs, Binding (Bind IP / Bind MAC / Bind both IP and MAC / No binding), Password (Group Password / DKey / None / Only allow SSO / Custom password; LDAP, RADIUS or POP3 authentication), Public Account (allow multiple users to sign onto the same account, multi-user login), Expiry Date (Never / Expired on) and Enable This User (Enable / Disable).]

Add Object: Configures Single user or Multiple users to add one user or multiple users at one time respectively. Group Path: Configures the path of the parent group of the user to be created. The path is indicated by a backslash. Description: Type a brief introduction for this newly created user. If Multiple users is selected, you cannot configure the Display Name, bind an IP or MAC address, or create a DKEY authentication user.
61. [Screenshot: System Logs page listing alarm entries with module, time and message, for example WAN Optimization Alarm "System pressure is too heavy, notify the driver to bypass" and "System pressure going down, notify the driver to continue forwarding", NTLM Authentication Alarm "Failed to connect domain controller 200.200.0.1", and HA Alarm "Local device is primary device. Failed to detect secondary device".]

11.2 Policy Troubleshooting

Policy Troubleshooting enables you to view which module has denied the data packet and for what reason, so as to locate the configuration mistakes made on a certain module or test whether some rule is taking effect or not. The page is as shown below.

[Screenshot: Policy Troubleshooting page with Drop List: Click here to view the packet drop list.]
62. [Screenshot: Advanced dialog of the Virtual IP Pool with Primary DNS, Secondary DNS, Primary WINS, Secondary WINS and Mask of virtual IP.] After configuring the Advanced options of the Virtual IP Pool, the virtual network adapter of the mobile VPN user's computer must be configured as "Obtain an IP address automatically" and "Use the following DNS server addresses"; otherwise the addresses configured in Advanced will not be allocated to the virtual network adapter of the mobile VPN user's computer.

13.3.6 Multiline Settings

When there are multiple external lines, the Multiline Settings must be configured. You can add or delete a line here or modify the line selection policy. The Multiline Settings default configuration page is as shown below.

[Screenshot: Multiline Settings page with Enable Multiline and a line table with columns Line Status, Line Name, Line Alias, Connection Mode, Uplink Bandwidth (kbit/s), Downlink Bandwidth (kbit/s) and Operation.]

If your networking has multiple lines connecting to the external network, check Enable Multiline and then add the line. Click the l
63. [Screenshot: Access Control Policy list with columns Policy, Description, Expiry Date, Status and Operation (View Associated User, Rename). The templates include: open all Internet access privilege and audit (open all Internet access privilege and record all actions); open all Internet access privilege and not audit (open all Internet access privilege, not record any actions); _Template prevent file leakage (alarm upon outgoing files such as compression packages, office software files and program code); _Template prevent Trojan (identify risky Internet activity, alarm on information disclosure, deny malicious software); plus several user-created policies. All are set to Never expire and Enabled. Below the list: "Add new policy using ... as template" and Export.]

7.1.2 Edit Access Control Policy

Under the default configuration page of Access Control Policy, click the name of a policy to enter the Edit Access Control Policy page as shown below.

[Screenshot: Edit Access Control Policy page. Policy: _Template prevent Trojan. Description: Identify risky Internet activity, alarm on information disclosure, deny malicious software. Expiry Date: Never expire / Expired on. Status: Enable / Disable.]

Controls are based on specific content of data packe
64. applied. Next, configure the filtering rules in Firewall > Firewall Rules referring to the services defined previously, or configure access control in the IAM > Access Control Policy page > Access Control > Service Control according to the services defined previously. The configuration is as shown below.

[Screenshot: Service list, each entry with an Edit link: 1 SMTP, TCP 25; 2 POP3, TCP 110; 3 HTTP, TCP 80 90; 4 FTP, TCP 20 21; 5 All TCP Service, TCP 0-65535; 6 Remote Desktop, TCP 3389; 7 netmeeting, TCP 1503 1720; 8 ssl email, TCP 465 995; 9 telnet, TCP 23; 10 SSL, TCP 443; 11 SSH, TCP 22; 12 All UDP Service, UDP 0-65535; 13 DNS, UDP 53; 14 Ping, ICMP type 8 code 0; with a Select All control.]

Click the <Add> button and the Edit Service page pops up as shown below.

[Screenshot: Edit Service page with Service Name and Service Settings.]
65. can ensure that only certain specified hardware devices can get connected to a network and therefore eliminate the potential security hazards. Click the <Generate> button and select a path to save the generated hardware certificate to the local computer. Send this certificate to the administrator of the headquarters. Then the administrator can check the Enable Hardware Authentication option, upload this hardware certificate and bind the user with this certificate while creating an account for this user.

Chapter 14 DHCP

14.1 DHCP Status

DHCP Status displays the running status of the DHCP and the IP addresses allocated to the LAN computers. The details displayed are the current status of the DHCP service, Allocated IP Addresses, Host Name and MAC Address.

[Screenshot: DHCP Status page showing Current Status: Disabled and Allocated IP Addresses: 0.]

Click the <Refresh> button to refresh the status.

14.2 DHCP Settings

DHCP settings are the detailed parameters of the DHCP service, including DHCP Service Interface, Gateway IP of the allocated IP address, Lease Term, DNS, WINS, DHCP IP Range and DHCP Reserved IP Settings. The configuratio
66. control policy. Taking the IP address as the user name or taking the host name as the user name requires the IAM gateway device to bind at least one IP address or MAC address of the user. If the IAM gateway device fails to resolve the host name because of the existence of a firewall on the client side, this host will not be added to the user list, but it will be entitled to all the privileges of its root group, or of the assigned user group if it had been successfully added to a certain user group.

7.2.2 SSO Settings

Single Sign-On (SSO) will not require the user for username and password once again after its first logon, but have the user automatically get passed when it logs in to the third-party authentication server. The user needs to type the login password only once to log in to the third-party authentication server, automatically passing the authentication instead of typing the password once again next time; therefore it can lower the risk of the password being disclosed. SSO Settings covers the options for single sign-on, including POP3 SSO, Web SSO and Proxy SSO, as well as the configuration of a listening port to listen to the login data of the network. The configuration page is as shown below.

[Screenshot: Authentication Options > SSO Settings page with Enable Active Directory SSO, Help of SSO Usage, "Use component mode (please enter shared key)" and "Use monitoring mode".]
67. default configuration page of Member List, click the name of a subgroup to get into the configuration page of this subgroup. The configuration page is as shown below.

[Screenshot: Organization Structure page for a subgroup, showing Settings (Group Path, Description, Source: Created by administrator), Group Information (subgroups, direct users, total users including subgroups), Advanced Settings, and the Member List / Access Control Policy tabs with the buttons Add Subgroup, Add User, Select All, Delete Selected, Delete Current Group, Move Group/User, Return to Upper Level Group, Generate Policy Report, Import Organization Structure and Search; the member list shows groups using the parent group policy with their Subgroup Count and User Count.]

Search: The function and configuration are the same as those in the above section, Add Subgroup. Be noted that here you can only search the members in the group 2222; it is the same with other subgroups, searching for the members of the current subgroup. <Add Subgroup>: Click this button to add subgroup(s) for the current group. For detailed configuration, please refer to the above section. <Add User>: Click this button to add user(s) for the current group. For detailed configuration, please refer to the next section. <
68. deployment supposes that there is a HUB or a switch with a mirror port. If the switch has no mirror port, please connect a HUB to the front end of the switch. Under Bypass mode, <View Flow Ranking> and <View Connection Ranking> are unavailable. Under Bypass mode, TCP control is fulfilled by sending reset packets through the DMZ interface. Therefore, to achieve TCP control, it must be ensured that all the reset packets sent through the DMZ interface are received by the PC and the server on the public network. Many functions are not available in bypass mode, such as VPN, DHCP and Ingress rule, etc. In Bypass mode the IAM gateway mainly plays a monitoring role; the control functions are not as complete as those of Route mode or Bridge mode, for it can only restrict some TCP connections, such as URL filtering, keyword filtering, email filtering, etc. No UDP connection control can be done, such as P2P software, QQ login, etc.

3.4.4 Single Arm Mode

Single arm mode deployment takes the IAM gateway device as a proxy. The IAM gateway device can fulfill monitoring and controlling and can avoid disconnection of the users from the Internet. The IAM gateway device is connected to the HUB or the mirror port of the switch, monitoring the overall local area network. Single arm mode requires no change to the user's networking and has no influence on the network environment. If the device is down, you need
69. email will contain the information of the first event that needs an alarm. One log only records the detailed information of at most one file and the general alarm information of the other file(s). If the outgoing file is delivered through email, its eml-format attachment will be audited and the email alarm will be delivered to the administrator's email address.

7.1.2.6 Flow Time Statistics

Flow Time Statistics covers the configuration of Flow Time Statistics, Online Duration Control and Session Control. Flow Time Statistics: Check this option to activate this function and the configurations under it.

7.1.2.6.1 Flow Time Statistics

Flow Time Statistics mainly makes statistics of the bandwidth flow of the various applications that are used by the user group, and the online time statistics of the users on these applications. The configuration page is as shown below.

[Screenshot: Edit Access Control Policy page (Single policy / Multiple policies, Expiry Date, Status) with the Flow Time Statistics, Ingress System and Risk Reminders sections; the Flow Time Statistics options are "Make statistics of flow of various applications" and "Make statistics of online duration of various applications".]

7.1.2.6.2 Online Duration Control

Online Duration Control configuration can control the online duration of the users. The configuration page is as sh
70. [Screenshot: Import dialog with the option "If the group does not exist, create group automatically", the operations Import Above User, Scan LAN Computer, Import LDAP User and Clear List, and "Select LDAP Server to import" (LDAP0, 200.200.0.1).]

Import Format: The first row contains the column headings, which include the fields Username, Group, IP Address, MAC Address, Auth Method, Description and Password. One record per row. Fields are separated by vertical bars. If a field has multiple values, use commas to separate them. Binding multiple IP addresses or ranges is supported; when multiple IP addresses are bound, MAC binding is not supported and the MAC address will be ignored even if it is entered. The format of an IP range is start IP-end IP. The format of a MAC address is ee ee ee ee ee ee. The values of the Auth Method field include noauth (authentication not required), acpass (authentication with a customized password), ldap (LDAP authentication), pop3 (POP3 authentication) and radius (RADIUS authentication). Description cannot contain certain special characters (listed in the dialog). Group name should contain the full path, with the separator at the beginning and the end; there should be no space before or after the separator (e.g. the full path of R&D under Head Office).

Operation Instructions: The LDAP server configured in Authentication Server will be displayed here. Click the <Import> button and the list of all the users appears.

7.6 LDAP Sync

LDAP Sync is used for synchronizing the users and organization structure of the d
71. > button to save the settings.

HTTP Upload: Configures the filtering function for the keywords that may be uploaded through HTTP POST. For instance, if the LAN users are posting on the BBS of a forum or sending email with a WEB mail server, the keyword(s) configured here will be filtered. The operating procedures are the same as those of the Search Engine. For details, please refer to the related sections above. Keyword Filter is specific to the HTTP protocol.

7.1.2.2.4 File Type Filter

File Type Filter: Check this item to activate the file type filtering rule(s) of the access control policy. The configuration page is as shown below.

[Screenshot: Edit Access Control Policy page. Policy: _Template Anti-fishing webpage. Description: Prevent deceiving from illegal SSL protocol certificate, enable URL filter relative domain name. Expiry Date, Status and White List fields. Note: only applied to HTTP upload/download; for FTP please go to Advanced > Excluded IP/Domain to configure it. File Type Group table (Select All, Inverse, Move Up, Move Down) with columns File Type Group, Description, action (Deny / Disable) and Schedule, e.g. Movie (Movie format file) Deny, All day; Music (Music format file) Disable, All day; Picture (Picture format file) Disable, All day; Text (Source file) Deny, All day; Compressed file Disable, All day.]
72. have a third party to fulfill LDAP authentication, configure the LDAP Server (including the configuration of LDAP Server IP, LDAP Server Port and Administrator Name) by following the introduction and instructions below. The LDAP Server configuration page is as shown below.

[Screenshot: VPN Settings > Advanced > LDAP Server page with LDAP Server IP (10.254.254.5), LDAP Server Port, Administrator Name, Administrator Password, Confirm Password, Enable LDAP Authentication and a Test button.]

Having completed configuring the LDAP server (domain server), you can click the <Advanced> button to open the Advanced Settings dialog. The configuration dialog is as shown below.

[Screenshot: Advanced Settings dialog with Config Template, User Filter, Login Name Attribute, User Root Dir (Search Directory) and Search Timeout (s).]

Configure these settings according to your case.

13.3.12.4 Radius Server

The VPN service of the SANGFOR IAM gateway device supports RADIUS authentication through a
73. have to first select the needed bandwidth channels and then select a template. Click the <Edit> button and the configuration page pops up as shown below.

[Figure: Edit Bandwidth Channel page. Channel Name (format: one channel name per row; names cannot be repeated). Service/Application: All / Custom. User/Group: All / Custom. Channel Type: Guaranteed channel / Limited channel. Priority (the high priority channel has the first opportunity to use the idle bandwidth of other channels). Guaranteed Uplink Bandwidth and Guaranteed Downlink Bandwidth (e.g. 200 KB/s), each with "Allow its idle guaranteed bandwidth to be borrowed". Max Uplink Bandwidth and Max Downlink Bandwidth (e.g. 200 KB/s), each with "The extra bandwidth will be borrowed from other channels". Bandwidth Allocation Policy: Allocate evenly (note: data transmitted by different users will queue up and take turns for processing). Max Bandwidth Per IP: enable, uplink KB/s, downlink KB/s. Schedule (e.g. On duty). Destination (e.g. ALL). Enable This Channel: Enable / Disable.]

The Service/Application, User/Group, Channel Type, Max Bandwidth Per IP, Schedule, Valid Line, Destination and Enable This Channel configurations are the same as those introduced above.

Note: Bandwidth Type and Valid Line must be che
74. is 0-1440; 0 indicates an immediate reminder. The online duration is counted from the time when one of the reminder objects is detected.
Reminder Interval: in minutes; the value range is 0-1440. After a reminder interval the system will remind again if the user is still online; 0 indicates reminding only once. You can customize the Reminder page on the Advanced > Page Customization page.
Online Duration Reminder: enable it to have the IAM gateway device record the online duration of the users and activate the prompt settings.
Schedule: select the time period that defines the valid time of the Time Reminder function. For the configuration of a schedule, please refer to Section 4.5 Schedule.
Reminder Object: configures the application types whose online time statistics are to be made. Only the online duration of the selected application types will be recorded. Detailed steps: select an application type from the Type pull-down list and a specific application from the Application pull-down list, and then click the <Add> button to add the application to the list; to remove a selected application from the list, click the application and then click the <Delete> button.
Reminder Time: configures the allowed online duration. If a user uses up the allowed online duration, the IAM gateway device will remind the user that it has used up the allocated online duration. Type a value rang
75. [Figure: Member List rows showing, for each user, Authentication Method (Password; customized password) and Binding Information; buttons Return to Upper Level Group, Generate Policy Report and Import Organization Structure.]

As shown above, there is a built-in root group in the Member List. The root group cannot be deleted and its name cannot be modified. User-defined groups are subgroups of the root group. You can configure the relationship between the groups (inheriting the properties of a group, or belonging to a group), which helps you distinguish parent groups from subgroups and parent groups from users. The structure and relations listed are similar to the structure and relations in an enterprise.
Member List: displays the subgroups and users of the current root group or subgroup.
Access Control Policy: displays the access control policy or policies associated with the current root group, subgroup or user.
No.: sequence number of this member in the current group.
Type: type of the member (group, subgroup or user).
Name: name of each member.
Group: the path of the group the member is located in.
Access Control Policy: lists the type of access control policy or policies associated with the member, Use parent group policy or Use its own policy. Use parent group policy indicates that the associated acco
76. mobile VPN user(s) to use DKey authentication.
Note: before enabling the DKey, first insert the DKey into the USB interface of the computer and then generate the DKey.
Enable Virtual IP: mainly used for the connection of mobile VPN users. If there are mobile VPN users, you have to check the Enable Virtual IP option and configure a virtual IP address (a LAN IP address) in the virtual IP pool. Once a mobile VPN user connects to the VPN, it takes this allocated IP address as its virtual LAN IP. The IP address 0.0.0.0 indicates that the system will automatically allocate a virtual LAN IP address from the virtual IP pool for this user.
Schedule / Enable Expiry Time: configure respectively the valid time and the expiry time of the VPN user account.
Enable My Network Places: check this option if the user of this VPN needs to use My Network Places.
Enable compression: check this option and the IAM gateway device will compress the data transmitted between the IAM gateway device and the user according to the selected algorithm.
Note: this is a unique technology of SANGFOR VPN. It takes the best advantage of the bandwidth, particularly in networking environments with limited bandwidth resources, and accelerates data transmission. However, this function is not suitable for all cases; check or uncheck this option according to your case.
Deny Internet acce
77. only disable the proxy service on the user's PC to have it back to normal. The typical topology of the single arm mode is as shown below.

[Figure: single arm topology. The IAM gateway device hangs off one port of a Layer 2/3 switch, which connects upstream to a router or firewall; annotation: a failure of the device will not disconnect the network.]

Under the Gateway Mode default configuration page, click <Configure> to enter the Select Gateway Mode page. Select Single Arm Mode and click the <Next> button; the following page appears.

[Figure: Gateway Mode > Single Arm Mode, LAN Interface Settings: IP Address, Subnet Mask, Default Gateway, Primary DNS, Secondary DNS; Next.]

IP Address: configures the IP address of the LAN interface.
Default Gateway: configures the gateway of the local area network, the same as the gateway of the LAN computers.
Click the <Next> button to get into the next configuration page, as shown below.

Notes:
1. Under single arm mode, the gateway configured in the local area network needs no change; it keeps pointing to its original gateway.
2. To have the IAM gateway device work in single arm mode, you have to configure WAN Optimization > Proxy Options.
3. VPN is not available in single arm mode.

Single arm mode mainly functions as a proxy. If a LAN user needs access to the Internet, it need only have its computer's proxy server point to the IAM gateway device (the proxy server address being set to the LAN interface
78. policies followed. Having completed configuring this page, you have to click the <OK> button to save the settings.

7.1.2.2.2 HTTPS URL Filter
HTTPS URL Filter configures the filtering rules for the cases in which LAN users access websites through the HTTPS protocol. Because the request line of an HTTPS request is encrypted, this filter matches on the site (domain name) rather than on the full path.
HTTPS URL Filter: check this item to activate the configured rules and enable the filtering of HTTPS URLs.

[Figure: Edit Access Control Policy, HTTPS URL Filter tab. Policy template: Anti-phishing webpage (description: prevent deceiving from an illegal SSL protocol certificate; enable URL filter by relative domain name). Expiry Date: Never expire / Expired on. Status: Enable / Disable. Note on the page: "If you find any URLs that cannot be filtered, please contact us", with a Submit uncategorized website link. Controls: Select All, Inverse, Move Up, Move Down; Action (please select); Schedule (please select); Display All / Hide DISABLE. Category list:
Category          Description
Web mail          Webmail service website
Sex               Sexual information website
Online Payment    Online payment website
Buttons: Copy HTTP URL Filter. Default Action: Allow / Deny; option "If several policies are associated, adopt the default action of the next policy and continue matching downwards".]

Action: select Disable, Deny or Allow to define the status of the selected URL categories.
Schedule: select All day
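What a gateway can actually match for HTTPS without decrypting the session is the server name the client sends in the TLS ClientHello (Server Name Indication), or the certificate subject. The following added example, not Sangfor's code, pulls the SNI out of a TLS record, maps the host to a category by checking the host and each parent domain, and applies the category's action, falling back to the policy's default action when no SNI is present. The category and action tables and the ClientHello builder are constructed for the example; clients that use Encrypted Client Hello hide the name entirely, so the default-action path matters.

```python
"""Deciding an HTTPS category action from the TLS ClientHello server name.

Added example, not Sangfor's code. The ClientHello builder, the category
table and the action table are constructed so the parser can run offline.
"""
import struct
from typing import Optional, Tuple


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS record carrying a ClientHello with SNI."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0
    other_ext = struct.pack("!HH", 0x0017, 0)                         # an unrelated, empty extension
    exts = sni_ext + other_ext
    body = (b"\x03\x03" + bytes(32)                                   # client_version, random
            + b"\x00"                                                 # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # msg_type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:                          # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                                  # not a ClientHello
        return None
    pos = 4 + 2 + 32                                                  # header, version, random
    pos += 1 + hs[pos]                                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]                # cipher_suites
    pos += 1 + hs[pos]                                                # compression_methods
    if pos + 2 > len(hs):
        return None                                                   # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        lpos = 2                                                      # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0:
                return edata[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
    return None


# Constructed category and action tables; the category names are the manual's.
CATEGORIES = {"webmail.example": "Web mail", "pay.example": "Online Payment"}
ACTIONS = {"Web mail": "Deny", "Online Payment": "Allow"}


def categorize(host: str) -> Optional[str]:
    """Match the host itself or any parent domain against the category table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def decide(record: bytes, default: str = "Allow") -> Tuple[Optional[str], str]:
    """Return (host, action); without an SNI only the default action can apply."""
    host = extract_sni(record)
    if host is None:
        return None, default
    return host, ACTIONS.get(categorize(host), default)
```

The parent-domain walk is what makes a category entry for `webmail.example` also cover `mail.webmail.example`; an exact-match table would be bypassed by any subdomain.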
79. risky behaviors of the users, so as to prevent information from being disclosed.
Options Settings: configures the options to identify and control the traffic caused by HTTP Trojans, SMTP Trojans, port scanning, non-standard protocol transmission on common well-known ports, and suspicious HTTP applications.
Risk Ident: check this item and the options pop up as shown below.

[Figure: Edit Access Control Policy, Risk Ident tab. Single policy / Multiple policies. Expiry Date: Never expire / Expired on. Status: Enable / Disable. Risk Ident: this function identifies and controls risky network behaviors, preventing information disclosure; Enable / Disable. Options Settings: Identification Sensitivity (Medium; see the instructions below for the different levels), Alarm Level (Medium; the alarm level cannot be higher than the identification sensitivity level), Intercept Level (Low; the intercept level cannot be higher than the identification sensitivity level).]

Instructions: Identification Sensitivity indicates the ability to identify risky behavior. The risk behaviors detected at each level are as follows:
Low: detect suspected HTTP Trojan flow.
Medium: detect suspected HTTP and SMTP Trojan flow.
High: detect suspected HTTP/SMTP Trojan flow, port scanning, and HTTP flow anomalies commonly ca
80. seconds. The value range is 1-120.
Enable DNS Detection: check Enable DNS Detection to have the device detect the status of the multiple lines by DNS queries.
DNS Detection Time: configures the time interval of the DNS detection. Only when the Enable DNS Detection option is checked will the settings take effect.

13.3.7 Multiline Routing Policy
The SANGFOR IAM gateway device offers a powerful multiline routing policy for VPN. You can configure the multiline policy to achieve intercommunication among different VPNs according to the protocol applied, source IP, destination IP, source port, destination port, etc.

[Figure: Security > VPN Settings > Multiline Routing Policy page. Columns: Routing Mode, Description; one entry, Dynamic adaptation mode, Default strategy, with an Edit button.]

For example, the Branch (172.16.1.0/24) needs to visit the FTP server (IP 192.168.1.20) of its headquarters. We are to configure a multiline routing policy so as to have the data packets from the Branch transmitted to the FTP server through Line 1. Under the Multil
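The example above is the kind of policy that is easy to write too narrowly. The following added example, not Sangfor's code, models the multiline routing policy as a first-match table keyed on protocol, source, destination and destination port, with dynamic adaptation as the fallback; the policy fields and the two sample policies are assumptions built around the Branch to FTP server case. It shows why a policy pinned to TCP port 21 only routes the FTP control channel: passive-mode data connections go to ephemeral ports and fall through to the default, so the policy should match the server host instead.

```python
"""First-match selection of a VPN line for a packet, by 5-tuple.

Added example, not Sangfor's code. The policy fields and the sample
policies are assumptions built around the manual's Branch -> FTP example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RoutingPolicy:
    protocol: str            # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR, or "any"
    dst: str                 # CIDR, or "any"
    dst_port: Optional[int]  # None means any port
    line: str


def _in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def select_line(protocol: str, src_ip: str, dst_ip: str, dst_port: Optional[int],
                policies: List[RoutingPolicy], default: str = "dynamic adaptation") -> str:
    """Return the line of the first policy whose every field matches the packet."""
    for p in policies:
        if p.protocol != "any" and p.protocol != protocol.lower():
            continue
        if p.dst_port is not None and p.dst_port != dst_port:
            continue
        if not (_in_net(src_ip, p.src) and _in_net(dst_ip, p.dst)):
            continue
        return p.line
    return default


# Constructed policies for the manual's example: Branch 172.16.1.0/24 reaching
# the headquarters FTP server 192.168.1.20 over Line 1.
PORT_ONLY = [RoutingPolicy("tcp", "172.16.1.0/24", "192.168.1.20/32", 21, "Line 1")]
HOST_WIDE = [RoutingPolicy("any", "172.16.1.0/24", "192.168.1.20/32", None, "Line 1")]
```

With `PORT_ONLY`, a passive FTP data connection to port 50123 is routed by dynamic adaptation and may leave on a different line from its control channel; `HOST_WIDE` keeps both on Line 1.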
81. status from Disable to Enable, or from Enable to Disable, the other interface automatically switches to the corresponding status, realizing status synchronization.

[Figure: System > Network Interface > Bridge List page. Select LAN Zone Interface (LAN / DMZ), Select WAN Zone Interface (WAN / DMZ), Bridge List; Next. The left tree lists Running Status, Security Status, License, Gateway Mode, Network Interface, Multi Node Sync, Date/Time, Administrators, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update, Route, Generate Certificate, High Availability, Object, Firewall, WAN Optimization.]

Select LAN Zone Interface: select a LAN interface.
Select WAN Zone Interface: select a WAN interface.
Bridge List: defines the direction in which the data are forwarded.
Click the <Next> button to get into the next page to configure the bridge, as shown below.

[Figure: Bridge configuration page. Bridging Direction: LAN -> WAN. Bridge IP List (format: one IP address per row; use a slash to separate IP address and subnet mask, e.g. 200.200.20.172/255.255.255.0), with IP address and Subnet mask fields and Add / Clear List buttons. Default Gateway (e.g. 200.200.70.254). Primary DNS (0.0.0.0). Secondary DNS (0.0.0.0). OK / Cancel.]
82. that a LAN IP address has established with the external networks.
Behavior Monitoring: displays the Internet behavior of a certain LAN IP address, including the application type, the application and detailed information.

[Figure: Internet Access Audit > Realtime Logs > Flow Ranking page. Search Conditions: Search by User, Search by Group. Block User: block the selected user for N minutes. Display Option, Refresh Interval, Save Preferences. Note on the page: when CPU usage is high and the page cannot be switched, please click Stop Refresh to stop the automatic refresh. Realtime Logs submenus: Flow Ranking, Connection Ranking, Flow Speed Ranking, Connection Monitoring, Uplink Flow Speed Ranking, Behavior Monitoring; further items: Audit Log Maintenance, Data Center Settings, Enter Data Center.]

10.1.1 Flow Ranking
Flow Ranking displays the real-time flow information caused by LAN users accessing the Internet. You can obtain the host name of an IP address and block the selected users from accessing the Internet. The page is as shown below.

[Figure: Flow Ranking page with Search Conditions and Block User (block the selected user for N minutes).]
83. the current version of the virus library.
Auto Update Time: displays the exact time each day at which the IAM gateway device shuts down to auto-update the virus library.
HTTP Antivirus / FTP Antivirus / POP3 Antivirus / SMTP Antivirus: select Enable to enable the antivirus function for each of the four protocols respectively.
Antivirus Free Website List (only applicable to HTTP antivirus): configures the websites that are exempt from antivirus detection. Enter the domain name, one entry per row; wildcards are not supported.
Antivirus File Type (applicable to HTTP and FTP antivirus): configures the file extensions of the files that are to be scanned by the antivirus engine.
Notes:
1. Once the antivirus license expires, the virus library can be updated neither automatically nor manually, though the antivirus function still works.
2. POP3 antivirus and SMTP antivirus are realized by the proxy function of the IAM gateway device. For this reason the IAM gateway device must be able to access the Internet.
3. Trusted websites can be added to the Antivirus Free Website List (only applicable to HTTP antivirus). What is more, if a LAN computer needs to visit the website of an antivirus software provider to update its antivirus software, this provider should be added to this list, because during the update process the downloaded virus library will appear to be a virus and the IAM gateway de
84. the depth will be synchronized to the same group, while its subgroups will be ignored.
The above configurations are nearly the same as those of Sync by LDAP organization structure, with the only difference that the selected and imported Import Remote Targets are the security groups of the domain server.

7.6.3 View Sync Report
Each synchronization option of Active Directory produces its own synchronization report, which covers information on groups, user names, etc. Click <View Sync Report> to view all the reports. The page is as shown below.

[Figure: Synchronization Report page for the LDAP Synchronization Policy. Columns: Sync Report Name (files named by timestamp, date and policy, ending in _report.html), Sync Mode, Sync Time, Result. Sample rows:
Sync Now    Thu Sep 9 14:42:22 2010    Failed
Sync Now    Thu Sep 9 14:41:52 2010    (result not legible)
Sync Now    Thu Sep 9 05:27:07 2010    Failed
Sync Now    Wed Sep 8 02:54:03 2010    Failed
Sync Now    Wed Sep 8 02:54:02 2010    Failed
Sync Now    Tue Sep 7 09:32:12 2010    Failed
Sync Now    Tue Sep 7 09:31:54 2010    Failed
Sync Now    Tue Sep 7 02:57:11 2010    Failed
(further rows truncated)]
85. the recently requested webpage; Go to the Logout page; Go to a customized page; Go to the user ranking page.
Authentication Conflict Settings: for an account that disallows multi-user login, if it is already logged in on another IP address during authentication, either Logout the previous login and authenticate the account on the current IP address, or Prompt that the account is logged in on another IP address but do not log it out.
SNMP Option: enable it when the device has to work across a layer 3 switch and bind MAC addresses. Enable / Disable.
Other Authentication Options: Logout the user automatically if there is no traffic in N minutes; Submit user name and password by POST; Allow users to access the DNS service before authentication; Open basic services to users who fail authentication (default root group privileges, but HTTP is excepted).
<Select All> / <Inverse>: click to select the needed new user policies.
<Move Up> / <Move Down>: click to move the selected new user policy up or down.
<Add>: click this button to add a new user policy.

[Figure: Add New User Policy page. IP Address List (format: one IP address, IP range or subnet per row; the maximum number of entries allowed is 32; for example 192.168.1.27, 192.168.1.1-192.168.1.99 or 192.168.1.0/255.255.255.0; the screenshot shows the entry 192.168.2.0/255.255.255.0). Processing Method: Take IP address as new user. The fi
86. the user-defined application identification rules and the internal rules. The type of rules that has the higher priority to be matched is displayed in red.
Note: since BT and IM software differ from each other and keep updating, some application identification rules may become invalid for some versions of the software. SANGFOR periodically updates the application identification rules; please make sure your IAM gateway device can access the Internet. For the internal rules you can only alter the classification, not edit the policy or export the rule.

4.2 Intelligent Ident Rule
Intelligent Ident Rule mainly identifies plain-text or cipher-text P2P applications, identifies encrypted Skype data according to Skype actions, and identifies SSL certificates, SANGFOR VPN data, data from proxy tools, and VoIP and IM video and voice data. The configuration page is as shown below.

[Figure: Intelligent Ident Rule list.
1. P2P: identifies P2P media according to P2P activity; Enable; Edit.
2. Skype: identifies Skype according to Skype activity; Enable; Edit.
3. SSL: SSL protocol identification; to enable SSL control, please first enable this rule.
4. Sangfor VPN: Sangfor VPN data identification; Enable; Edit.
5. ProxyTool (FreeGate): FreeGate proxy; Enable; Edit.
6. Proxy (further rows truncated)]
87. the version information, click the link <View Version>.

2.2 IAM Gateway Configuration
After logging in successfully you will see the following function modules in the left tree: System, Object, Firewall, IAM, Bandwidth Management, Delayed Email Audit, Internet Access Audit, Logs Troubleshooting, Security, DHCP, Wizard, etc.
Notes:
1. If there is an <OK> or <Finish> button on a configuration page, click it after altering or configuring the parameters to save or apply the settings. This will not be repeated in the subsequent parts of this user manual.
2. If you switch a network interface (LAN interface or WAN type interface) on the Network Interface page, the network connection will be interrupted and the system requires rebooting the IAM system and logging in again.
3. All configuration pages have a <Help> link at the upper right corner. If help is wanted, click it to view a brief description of the item.

Chapter 3 System Status
System covers the running status of the IAM gateway device. The detailed sections are Running Status, Security Status, License, Gateway Mode, Network Interface, Date/Time, Administrators, WEB UI, Backup/Restore, Reboot, Auto Update, Route, Generate Certificate, etc.

3.1 Running Status
Running Status provides the real-time status of the IAM gateway device, including CPU usage, disk usage, sessions, WAN
88. these two addresses are the network address and the broadcast address of the network segment. For example, for the 10.251.251.0 segment the entered IP range can be 10.251.251.1-10.251.251.254.

Chapter 15 Wizard
The Configuration Wizard introduces the flow and steps of the basic configurations, with links to the configuration of each specific module. Just click an item in blue to get directly into the corresponding configuration page. The page is as shown below.

[Figure: Wizard > Configuration Wizard page.]
Step 1: Configure License >>
Step 2: Configure Firewall Rule >>
Step 3: Configure Gateway Mode >>
Step 4 varies with the selected gateway mode:
Route mode: Step 4 Configure Static Routing >> Step 5 Configure SNAT >> Step 6 Configure Access Control Policy >> Step 7 Configure User Group >>
Bridge mode: Step 4 Configure Access Control Policy >> Step 5 Configure User Group >>
Bypass mode: Step 4 Configure Access Control Policy >> Step 5 Configure User Group
Note: for multiline settings please go to the Network Interface page to configure them.
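Two passages in this manual rely on the same address-list handling: the IP Address List of a new user policy (one IP, one start-end range, or one address/mask subnet per row, at most 32 rows) and the rule above that a pool range must leave out the network and broadcast addresses of its segment. The following added example, not Sangfor's code, implements both: a parser for the row formats the manual gives, a membership check, and a validator for a pool range against the usable hosts of its segment. The sample list is constructed from the manual's own example rows.

```python
"""Parsing the IP list format the manual uses and validating an IP pool range.

Added example, not Sangfor's code. Covers the Add New User Policy row
formats (single IP, start-end range, address/mask subnet; at most 32 rows)
and the rule that a pool range must exclude the segment's network and
broadcast addresses. SAMPLE_LIST is constructed from the manual's examples.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_entry(entry: str) -> List[IPv4Net]:
    """Turn one row into the CIDR blocks it covers."""
    entry = entry.strip()
    if "-" in entry:                                   # range: start-end
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    if "/" in entry:                                   # subnet: address/mask (dotted or prefix)
        return [IPv4Net(entry, strict=False)]
    return [IPv4Net(entry + "/32")]                    # single address


def parse_ip_list(text: str, max_entries: int = 32) -> List[IPv4Net]:
    """Parse the whole text box and enforce the page's row limit."""
    rows = [row.strip() for row in text.splitlines() if row.strip()]
    if len(rows) > max_entries:
        raise ValueError(f"{len(rows)} entries exceed the limit of {max_entries}")
    nets: List[IPv4Net] = []
    for row in rows:
        nets.extend(parse_entry(row))
    return nets


def matches(ip: str, nets: List[IPv4Net]) -> bool:
    """Does the address fall inside any parsed entry?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def usable_host_range(segment: str) -> Tuple[str, str]:
    """First and last usable host of a segment, excluding network and broadcast."""
    net = IPv4Net(segment, strict=False)
    if net.prefixlen >= 31:                            # /31 and /32 reserve no such addresses
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


def pool_range_is_valid(segment: str, start: str, end: str) -> bool:
    """Check that a pool range stays inside the usable hosts of its segment."""
    first, last = (ipaddress.IPv4Address(a) for a in usable_host_range(segment))
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return first <= s <= e <= last


# Constructed sample, built from the rows the manual gives as examples.
SAMPLE_LIST = """192.168.1.27
192.168.1.1-192.168.1.99
192.168.1.0/255.255.255.0
192.168.2.0/255.255.255.0
"""
```

A range row is expanded into the minimal set of CIDR blocks so that later membership checks are plain network containment; the dotted mask form the page shows is accepted by `IPv4Network` directly.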
89. to be displayed. Options are All and Running channels.
History Info: configures the time period over which the flow and speed statistics are made and displayed in the list.
<Save Preference>: click it to save the Display Option and History Info configured, so that your preferred statistics are displayed by default next time.

3.1.1 Bandwidth Channel
Bandwidth Channel displays the running status of each bandwidth channel. The page is as shown below.

[Figure: Bandwidth Status page. Basic Information: Bandwidth Management running status; per line, WAN Speed (Realtime Speed, Bandwidth Usage, History Speed, History Flow) and Line Bandwidth (e.g. 64 KB/s uplink, 200 KB/s downlink). Advanced Information: Exclusion Policy; Unfold All / Fold All; per-channel columns Name, Bandwidth Usage, Guaranteed Bandwidth, Realtime Speed, History Speed, History Flow, Total Users, Max Bandwidth, Priority, Status (e.g. Default Channel: priority High, Running; two other channels Disabled). Controls: Display History Info (Last 5 minutes), Save Preferences, Stop Refresh, paging (First, Prev, Next, Last, Go to page).]
90. to search for all members under the current group.

[Figure: Member List with Search and Advanced Search. Rows: a group "2222" (Use its own policy; subgroup count 0, user count 0) and several users with Authentication Method Password (customized password), Use parent group policy, and Binding Information.]

Search By: configures the condition for searching. Options are Name, IP address and MAC address, of which IP address and MAC address are used for finding users.
Records/page: configures the number of members searched and displayed per page in the list.
Advanced Search: check this option and the advanced search conditions appear, which help you set more specific conditions to find the needed group or user. The advanced search conditions are Authentication Method, Other Option and Sort By.

[Figure: Organization Structure page. Group Settings: Group Path; Source: created by administrator. Group Information: subgroups 1, direct users 5, total users including subgroups 5. Tabs: Advanced, Access Control Policy. Buttons: Add Subgroup, Select All, Delete Selected, Delete Current Group, Move Group/User (further buttons truncated).]
91. to the Internet.

7.1.2.4.2 SSL Content Ident
SSL Content Ident can identify SSL-encrypted webmail, web BBS, POP3 and SMTP contents; financial services such as online banking and online payment are excluded.
SSL Content Ident: check this item to activate the SSL content identification function. The configuration page is as shown below.

[Figure: Edit Access Control Policy, SSL Content Ident tab (tabs shown: Access Control, Web Filter, Email Filter, SSL Management, Application Audit, Flow/Time Statistics, Risk Ident, Reminder, SSL Control, SSL Content Ident). Single policy / Multiple policies; Expiry Date; Status. Enable SSL content identification: identify SSL-encrypted contents such as webmail, web BBS, POP3 and SMTP; online banking, online payment and other financial information are excepted. Options: Control SSL transferred content (please go to the Access Control and Web Filter tabs to configure the contents to be controlled); Audit SSL transferred content (please go to the Application Audit tab to configure the contents to be audited). Audit/Control Website List: only audit and control the following websites (format: one domain name per row; wildcard is supported); Add domain, Clear List; HTTPS Website Examples; link "Click to download SSL ident root certificate".]

Note: to identify SSL content the gateway terminates the client's SSL session and re-issues the server certificate under its own root, which is why the SSL ident root certificate offered on this page must be installed as trusted on the LAN computers. Browsers without that root will show certificate warnings for every listed site, and applications that pin their server certificate will fail to connect; keep the Audit/Control Website List limited to the domains you actually need to inspect.

Enable SSL content identification: check thi
92. webpages and block these scripts before they are downloaded to the browser, so that LAN users are kept away from script viruses.
Script Filter: check this item to activate the script filtering function, and the built-in internal rules will take effect to control illegal scripts. The SANGFOR IAM gateway device can filter JavaScript and VBScript.

[Figure: Edit Access Control Policy, Script Filter tab. Policy template: Basic Internet Access Audit (description: allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable the relevant audit). Expiry Date: Never expire / Expired on. Status: Enable / Disable. Enable Script Filter (including JavaScript and VBScript). Script Filter Options: Filter registry altering; Filter file altering; Filter transformed script (prevents malicious scripts from evading the security check, but misjudgement exists); Filter risk object and invoking (updated with the rule library). Not filter the scripts of the following websites (defined in Object > White List Group; you can modify it when necessary): please select; Remove.]

Script Filter Options: includes the configurations Filter registry altering, Filter file altering, Filter transformed script and Filter risk object and invoking.
Filter registry altering: check this item and a script will be filtered directly if it alters the registry.
Filter file altering: check this item and the s
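To make concrete what each Script Filter option has to look for in page content, the following is an added example, not Sangfor's code and not its rule library. It runs static checks over script text: registry altering (WScript.Shell RegWrite/RegDelete, the WMI StdRegProv provider), file altering (FileSystemObject methods, ADODB.Stream), risk object creation (ActiveXObject/CreateObject of shell objects) and "transformed" scripts, where two or more decode-then-execute indicators together flag obfuscation, which is also where the misjudgement the page warns about comes from. The per-site exemption is applied first, as the option describes. Patterns, thresholds and the sample scripts are constructed.

```python
"""Static checks behind the Script Filter options, run over script text.

Added example, not Sangfor's code and not its rule library. Patterns,
the transformed-script threshold and the sample scripts are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicator patterns per option (constructed; matched case-insensitively).
RULES: Dict[str, List[str]] = {
    "registry altering": [r"\bRegWrite\b", r"\bRegDelete\b", r"\bStdRegProv\b"],
    "file altering": [r"Scripting\.FileSystemObject", r"\bCreateTextFile\b",
                      r"\bDeleteFile\b", r"\bCopyFile\b", r"\bADODB\.Stream\b"],
    "risk object and invoking": [r"\bWScript\.Shell\b", r"\bShell\.Application\b",
                                 r"\bActiveXObject\s*\(", r"\bCreateObject\s*\(",
                                 r"\bShellExecute\b"],
}


def is_transformed(script: str) -> bool:
    """Two or more decode/execute indicators together count as a transformed script."""
    indicators = 0
    if re.search(r"\beval\s*\(|\bExecute(Global)?\b", script, re.I):
        indicators += 1                                          # executes generated code
    if re.search(r"\bunescape\s*\(|String\.fromCharCode|\bChr\s*\(", script, re.I):
        indicators += 1                                          # decodes text at runtime
    if re.search(r"(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}", script):
        indicators += 1                                          # long encoded runs
    return indicators >= 2


def classify_script(script: str, options: Set[str]) -> List[str]:
    """Return the enabled options whose indicators the script triggers."""
    hits = [name for name, patterns in RULES.items()
            if name in options and any(re.search(p, script, re.I) for p in patterns)]
    if "transformed script" in options and is_transformed(script):
        hits.append("transformed script")
    return hits


def should_block(script: str, options: Set[str], host: str,
                 whitelist: Set[str]) -> Tuple[bool, List[str]]:
    """Apply the per-site exemption first, then the enabled options."""
    if host.lower() in whitelist:
        return False, []
    hits = classify_script(script, options)
    return bool(hits), hits


ALL_OPTIONS = {"registry altering", "file altering", "transformed script",
               "risk object and invoking"}

# Constructed sample scripts.
REG_JS = ('var sh = new ActiveXObject("WScript.Shell");'
          'sh.RegWrite("HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\u", "C:\\\\u.exe");')
FILE_VBS = ('Set fso = CreateObject("Scripting.FileSystemObject")\n'
            'fso.DeleteFile "C:\\boot.ini"')
OBF_JS = 'eval(unescape("%76%61%72%20%61%3d%31%3b%61%6c%65%72%74%28%61%29"));'
BENIGN_JS = 'document.getElementById("greeting").textContent = "hello";'
```

The obfuscation check deliberately needs two indicators: `eval` alone is common in legitimate pages, and it is the combination with runtime decoding or long encoded runs that is characteristic of scripts rewritten to evade signature matching.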
93. webpage exists; otherwise it indicates that the webpage does not exist. If the Webagent is a static IP address, the test reports success whenever the IP:PORT format is correct. In a word, a successful test result does not indicate that the VPN connection will succeed.
Transfer Type: configures the transmission type of the VPN data packets. Options are TCP and UDP; UDP by default.
Data Encryption Key / Username and password: fill in the corresponding account information provided by the VPN headquarters.
Cross ISP: if the VPN headquarters and the branch VPN use different Internet service providers (ISPs) and the different links cause frequent packet loss, it is recommended to check this option. You can also configure the networking environment according to your case: Low packet loss, High packet loss, or Set manually.
Note: to enable this function you have to activate the cross ISP license. Activate the cross ISP license and check the Cross ISP option, and then all branch VPN users and mobile VPN users gain the benefits of the cross ISP option when connecting to the VPN headquarters.
<LAN Privilege>: click this button to enter the Privilege Settings configuration page and configure the privileges of the peer terminal, that is, to specify which services provided by the local device will be available to the peer VPN connection.
94. [Figure: trusted root certificate list, continued. Columns: No., Name, Valid From, Valid To.
118   (name cut off)                                                     ... 00:00:00 2005 GMT    Jan 18 23:59:59 2015 GMT
119   SecureNet CA SGC Root                                              Aug 20 00:43:29 1999 GMT   Oct 16 07:00:00 2009 GMT
120   UTN-DATACorp SGC                                                   Aug 20 00:57:10 1999 GMT   Jun 24 07:00:00 2019 GMT
121   VeriSign Class 1 CA Individual Subscriber - Persona Not Validated  May 12 00:00:00 1998 GMT   May 12 23:59:59 2008 GMT
122   www.verisign.com                                                   Apr 17 00:00:00 1997 GMT   Oct 24 23:59:59 2011 GMT]

Import Trusted Root Certificate: imports a certificate from the local PC; only .crt or .cer format certificates are supported. Certificates are distinguished by the MD5 value of the certificate: if the MD5 value of a certificate differs from the others, it is regarded as another certificate. A certificate cannot be imported twice.
Note: the MD5 value is only used to detect duplicate imports; it does not validate the certificate. Every root in this list anchors the certificate chain control described under SSL Management, so review the list and remove roots you do not need, in particular built-in roots whose validity period has already ended.
Note: generally the name of the certificate main body is the CN name of the certificate subject as shown in IE. If the certificate subject contains no CN name, the last field of the subject is taken as the main body of the certificate (the field order may differ from that of IE).

Chapter 5 Firewall
Firewall covers the configurations of Firewall Rules, NAT Rules, Anti-DoS and ARP Protection, as shown below.

[Figure: Firewall > Firewall Rules page (LAN <-> DMZ). Firewall Rule List with an example rule: All_TCP_Service, LAN <-> DMZ, Pass, TCP, Allow, LAN -> DMZ, Disable; Edit / Up / Down buttons.]
95. [Console output of the DLAN Gateway Client updater, continued: connecting gateway 192.200.200.12; Arp table; MAC 005009008C73; DATE 20100526; Network config; login success; View mode; gateway firmware version is SANGFOR IAM 2.1 BUILD 100226 173247 cluster 1.23 disk; Set net mode; Exchange net interface; Update server version is 0x400.]

Ping: log in to the IAM gateway device and ping an external network from the device to check whether the IAM is connected to the external networks.
Route Table: view the route table of the IAM gateway device.
ARP Table: view the ARP table of the IAM gateway device.
Network Config: view the network configuration of the IAM gateway device, including interface and IP information.
View Mode: view the mode the current network interface card (NIC) is working in.
Set Net Mode: manually configure the working mode of the NIC of the IAM gateway device if the setting is not consistent with the actual network interface card mode.
Update History: the submenus are View Gateway History, View Local Records and Delete Local Records, as shown in the following figure.

[Figure: DLAN Gateway Client (dlanupdater 4.0). Menu bar: System (S), Update (U), Backup (B), ManagePackage (M), Tools (T), UpdateHistory (R), Help (H). UpdateHistory submenu: View Gateway History (G), View Local Records (L), Delete Local Records (D). Console: connecting gateway 192.200.200.12; MAC 005009008C73; DATE 20100526; login success; gateway firmware version is SANGFOR IAM 2.1 BUILD 100226 173247 cluster 1.23 disk.]
96. [Figure: System > Route > Static Routing page. Columns: No., Subnet Segment, Subnet Mask, Gateway Address, Operation; Select and Add controls.]

Click the <Add> button and the Edit Static Routing configuration page appears.

[Figure: Edit Static Routing page with the fields Subnet Segment, Subnet Mask and Gateway Address. The left tree lists Running Status, Security Status, License, Gateway Mode, Network Interface, Multi Node Sync, Date/Time, Administrators, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update, Route (Policy Routing, Static Routing), Generate Certificate.]

Static Routing can add the return route needed by the SNAT function for multiple segments. If several LAN segments access the Internet through the SANGFOR gateway device, you need to add a Static Routing entry so that the IAM gateway device can return the data packets of the LAN users of the different segments to the LAN switch or routing device properly.

Configuration Ex
98. (Screenshot: Internet Access Audit > Realtime Logs > Connection Ranking, listing the top connections by IP address, e.g. 192.168.0.197, with the menu entries Flow Ranking, Connection Ranking, Connection Monitoring, Behavior Monitoring, Audit Log Maintenance, Data Center Settings and Enter Data Center.)
A maximum of the top 20 connection rankings is displayed.
10.1.3 Connection Monitoring
Connection Monitoring displays all the connections that a LAN IP address has established with the external networks. It only displays the top 200 connection rankings (IP addresses). On the Connection Monitoring page, enter an IP address and click the <Search> button to refresh the displayed connections of this IP address. The page is as shown below.
(Screenshot: Sangfor IAM 2.1 > Connection Monitoring: Search Connections, with Search by IP or Search by user and an "Enter IP address or user name" text box.)
10.1.4 Behavior Monitoring
Behavior Monitoring displays the Internet behavior of a certain LAN IP address, including the application type, the application and detailed information. Specify the search condition and click the <Search> button
99. (Screenshot: WAN Optimization > Optimization Status. Statistics Time: Last 24 hours, Last 7 days, Last 30 days; Statistics Object: Flow, Flow speed; Flow Optimization Over Last 30 Days: Flow Reduction 2.3MB, WAN Flow 3.77MB.)
6.1 Optimization Status
Optimization Status displays the cache and optimization acceleration information, including the System Status and Optimization Status modules, as shown below.
(Screenshot: Sangfor IAM 2.1 > Optimization Status. System Status: Disk Usage 0 GB / 0 GB, Sessions 0, Memory Usage 0 MB / 0 MB, Cached Objects: Memory objects 0, Disk objects 0; Proxy Options; Statistics Time: Last 24 hours, Last 7 days, Last 30 days; Statistics Object: Flow, Flow speed; Save Preferences; Flow Optimization Over Last 24 Hours: none, 100B.)
6.1.1 System Status
System Status displays the disk usage, sessions, memory usage and cached objects information, as shown below.
(Screenshot: System Status: Disk Usage 0 GB / 4.75 GB, Sessions 0.)
100. 13.3.11.2 Algorithm List
Algorithm List enables you to view and add the authentication algorithms and encryption algorithms supported by the SANGFOR IAM gateway device. These encryption algorithms encrypt all the data transmitted over the established VPN network, guaranteeing the security of these data. The algorithm list is as shown below.
(Screenshot: Sangfor IAM 2.1 > Advanced > Security > VPN Settings > Common Settings > Algorithm List. The VPN Settings menu lists Basic Settings, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy, Local Subnet List, Tunnel Route, IPSec Connection (Device List, Security Option, Outbound Policy, Inbound Policy) and Common Settings (Schedule, Algorithm List). The list shows each algorithm's type, author and description:)
DES: Encryption Algorithm; Walter Tuchman and Carl Meyer; Data Encryption Standard for encrypting data
3DES: Encryption Algorithm; Walter Tuchman and Carl Meyer; Triple DES Standard for encrypting data
MD5: Authentication Algorithm; Ronald L. Rivest of RSA; Message Digest Algorithm for authentication
AES: Encryption Algorithm; Joan Daemen and Vincent Rijmen; Advanced Encryption Standard for encrypting data
SHA-1: Authentication Algorithm; US National Security Agency (NSA); Secure Hash Algorithm 1 for authentication
SANGFOR_DES: Encryption Algorithm; Sangfor VPN group; Data Encryption Standard for encrypting data
Note that single DES and MD5 are no longer considered secure; where the peer supports it, prefer AES for encryption and an authentication algorithm stronger than MD5.
The SANGFOR IAM gateway device is inte
101. 4 and Guangzhou 10.1.1.x/24; however, there is no VPN tunnel between the Shanghai branch and the Guangzhou branch. To interconnect the two, we configure a tunnel route. The detailed configuration is as shown below.
Step 1: Configure Tunnel Route on the Shanghai branch's IAM gateway device. Check Enable Tunnel Route and click the <New> button to add a route directing to the Guangzhou branch, as shown below.
(Screenshot: Edit Tunnel Route dialog with the fields Source Subnet, Source Mask, Destination Subnet 10.1.1.0, Destination Mask 255.255.255.0, Destination Route User: Guest, and the check box Enable Access Internet via destination route user.)
Source Subnet: Configures the network ID of the source subnet. In this example it is 172.16.1.0.
Source Mask: Configures the mask of the source subnet. In this example it is 255.255.255.0.
Destination Subnet: Configures the network ID of the destination subnet. In this example it is 10.1.1.0.
Destination Mask: Configures the mask of the destination subnet. In this example it is 255.255.255.0.
Destination Route User: The user that is used to establish the VPN connection with the headquarters, that is, the user selected in the VPN Settings > Connection Management > Edit Connection configuration dialog. It determines the VPN device to which the packets are forwarded. In this example it is Guest.
103. (Screenshot: Object > SSL Certificate, the trusted root certificate list; the excerpt shows entries 6 to 118 with each certificate's name, validity start and expiry.)
6. HKT SecureNet CA Root, Jun 30 00:00:00 1999 to Oct 15 23:59:00 2010
7. HKT SecureNet CA Class B, Jun 30 00:00:00 1999 to Oct 15 23:59:00 2009
8. HKT SecureNet CA Class 4, Jun 30 00:00:00 1999 to Oct 15 23:59:00 2009
9. Belgacom E-Trust Primary CA, Nov 4 13:04:39 1998 GMT to Jan 21 13:04:39 2010 GMT
10. Baltimore EZ by DST, Jul 6 20:56:53 1999 GMT to Jul 3 19:56:53 2009 GMT
11. Autoridad Certificadora del Colegio Nacional de Correduria Publica Mexicana, A.C., Jun 29 18:59:00 1999 GMT to Jun 29 18:59:00 2009 GMT
12. Autoridad Certificadora de la Asociacion Nacional del Notariado Mexicano, A.C., Jun 28 18:53:00 1999 GMT to Jun 28 18:53:00 2009 GMT
13. VeriSign Individual Software Publishers CA, Apr 9 09:37:49 1996 GMT to Dec 31 09:37:48 1999 GMT
14. ABA.ECOM Root CA, Jul 12 17:33:53 1999 GMT to Jul 9 17:33:53 2009 GMT
15. VeriSign Commercial Software Publishers CA, Apr 9 00:00:00 1996 GMT to Jan 7 23:59:59 2004 GMT
112. Government Root Certification Authority, Dec 5 13:23:33 2002 GMT to Dec 5 13:23:33 2032 GMT
113. LiteSSL CA, Jul 14 00:00:00 2005 GMT to Jul 9 18:19:22 2019 GMT
114. Microsoft Internet Authority, Apr 19 14:35:00 2006 GMT to Apr 19 23:59:00 2009 GMT
115. MSN Content Authentication CA, Feb 24 16:03:13 2005 GMT to Feb 24 16:13:13 2010 GMT
116. MSN Content PCA, Feb 24 17:48:04 2005 GMT to Feb 9 17:58:04 2017 GMT
117. Microsoft Secure Server Authority, Apr 21 19:11:04 2006 GMT to Apr 19 23:59:00 2009 GMT
118. VeriSign Class 3 Secure Server CA, Jan 19 0
104. <Clear List>: Click it to clear all the IP and MAC addresses in the list.
7.4.5.1.4 No Binding
No Binding indicates not binding with any IP address or MAC address. If this item is selected, you then have to configure at least one Authentication Method. The Authentication Method configuration options are as shown below.
(Screenshot: Add Object dialog. Single user / Multiple users; Login Name, Description and Display Name (none may contain the special characters listed); Current Group; Source; Advanced Settings; Access Control Policy; Binding: Bind IP, Bind MAC, Bind both IP and MAC, No binding; Password: DKey, None, Only allow SSO, Custom password (Password, Confirm password); LDAP authentication; RADIUS authentication; POP3 authentication; Public Account: Allow multiple users to sign onto the same account (multi-user login); Expiry Date: Never, Expired on; Enable This User: Enable, Disable.)
7.4.5.2 Group
Group configures the group to which the new user belongs, as shown
105. Application Audit
Application Audit helps monitor the Internet access information and records of the LAN users, including the configuration of Audit Option and Outgoing File Alarm.
7.1.2.5.1 Audit Option
Audit Option: Check this option to activate the configurations under it. The configuration page is as shown below.
(Screenshot: Edit Access Control Policy (Single policy / Multiple policies; Description; Expiry Date: Never expire / Expired on; Status: Enable / Disable) with the audit options:
Audit all identifiable application behaviors (all the options under Application Content Audit below are not included here);
Audit all unidentifiable application behaviors, for example access to a certain port (a large number of logs will be generated);
Audit text contents uploaded through webpage (a large number of logs will be generated; it is recommended to enable only the following first two audit options): Audit contents posted to Web BBS; Audit contents of the outgoing WebMail; Audit attachments uploaded through webpage;
The following two options will generate a large number of logs; to filter some websites or file types, go to the Web Tracking page to set the filter conditions: Audit visited websites (URLs); Audit filenames of the files downloaded through webpage;
Audit outgoing emails (SMTP); Audit incoming emails (POP3);
To audit the chat contents of more IM tools such as G TM, enable the Ingress
106. (Screenshot: Enable ActiveX Filter to filter browser ActiveX. Verify digital signature of ActiveX: Block ActiveX without signature; Block altered ActiveX; Block ActiveX that uses expired certificate; Verify digital signature of ActiveX and block ActiveX if it fails the verification (you can manage trusted root certificates in Object > SSL Certificate). Denial ActiveX Control List (format: one ActiveX control name or issuer per row, e.g. Beijing Jiangmin New Sci & Tec Co Ltd). Only allow the following ActiveX Controls. Not filter ActiveX controls downloaded from the following websites (defined in Object > White List Group; you can modify it when necessary).)
ActiveX Filter includes Verify digital signature of ActiveX, Only allow the following ActiveX Controls and Not filter ActiveX controls downloaded from the following websites. As to the former two, only one of them can be selected.
Verify Legality of the Signature
Verify digital signature of ActiveX: Select this item and you can configure the conditions used to verify the legality of the certificate signature. The configuration page is as shown below.
(Screenshot: Edit Access Control Policy, Policy Template: Basic Internet Access Audit; Description; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Enable ActiveX Filter to filter browser ActiveX.)
107. (Screenshot: Outgoing File Alarm list with the columns Classification, File Type, Ident Method and Alarm Option, e.g. Office software / Feature ident / Email Alarm, Text file / Feature ident, Video & image / Feature ident, and the buttons Select All, Inverse, Alarm All, Alarm Encrypted, Enable, Disable, Add, Edit, Delete. In Adding Status: Use internal classifications (feature ident): Classification, File Type; Customize file types (extension ident): comma separated; Enable alarm on multi-layer nested compression (more than 2 layers); Enable alarm-free extension: Enter file type (comma separated); Set administrator email address for this policy (effective only when Disclosure Alarm is enabled on the Advanced > Alarm page).)
In Adding Status: Configures the options under it. You can configure the new file type here.
Use internal classifications (feature ident): Select a file type from the existing internal library and then click <OK>. The access control policy will identify the application according to the features of this specific file type.
Customize file types (extension ident): Type the file type name in the text box and click <OK>. The access control policy will identify the application according to the suffix of the file. You can enter several suffixes, separated from each other with an English comma.
(Screenshot: Edit Access Control Policy, Single policy / Multiple policies.)
108. (Screenshot: Security > VPN Settings > IPSec Connection > Inbound Policy. The Security menu lists Gateway Antivirus and IPS; VPN Settings lists VPN Status, Basic Settings, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy, Local Subnet List, Tunnel Route and IPSec Connection (Device List, Security Option, Outbound Policy, Inbound Policy). The Policy Settings dialog has the fields Policy Name, Description, Source IP Type (Single IP), Source IP Address, Peer Device, Service (All Services), Schedule (All day), Allow in the above schedule / Deny in the above schedule, Enable Expiry Time, Expiry Time and Enable This Policy.)
Both the Service and the Schedule of Outbound Policy/Inbound Policy are extra rules provided by the SANGFOR IAM gateway device and only take effect on the local device, which means these rules are not negotiation topics while negotiating with the third party and establishing the VPN connection. The eventual source address(es) applicable to the Outbound Policy and Inbound Policy, that is, the source IP addresses allowed by the local VPN device to connect in or out, are those included in both the Source IP configured in the inbound/outbound policy and the Source IP Range referenced by the selected LAN service.
13.3.11
109. The SANGFOR IAM series device uses 110-230V alternating current (AC) as its power supply. Make sure it is well grounded before power is supplied.
1.3 Product Appearance
(Figure: SANGFOR IAM hardware gateway device.)
Above is a SANGFOR IAM hardware gateway device. The interfaces and indicators on the front panel, from left to right, are described as follows:
CONSOLE Interface: Interface used for the high availability function (redundant system).
USB Interface: Standard USB port connecting to a peripheral device.
LAN Interface: Network interface to be defined as the LAN interface.
DMZ Interface: Network interface to be defined as the DMZ interface.
WAN Interface: Network interface to be defined as the WAN1, LAN or DMZ interface.
WAN Interface: Network interface to be defined as the WAN2, LAN or DMZ interface.
POWER: Power indicator of the IAM gateway device.
ALARM: Alarm indicator of the IAM gateway device; it stays on for one minute while the device is starting up. Normally the ALARM indicator lights red while the device is starting and goes out in about one or two minutes, indicating successful startup of the device. After startup the ALARM indicator may flash, which means the device is writing logs; however, if the ALARM indicator stays lit for a long time and does not go out, please shut down the device and restart it about 5 minutes later. If this si
110. Enable/Disable: Select it to enable or disable the SNMP Option function.
SNMP Server Access Timeout, SNMP Server Access Interval: Configure the timeout and the interval at which the layer-3 switch is accessed. The default values are recommended.
SNMP Server List: Type the IP address, MAC address, SNMP OID and community of the layer-3 switch in the text box. The elements are separated from each other with a back slash, for instance 192.168.30.245\00:0f:e2:59:0c:1f\1.3.6.1.2.1.3.1.1.2\public.
Having completed configuring the page, you have to click the <OK> button to save the settings. If you enable and configure SNMP Option, the layer-3 switch must support SNMP services, and the community of the layer-3 switch and the SNMP version must be configured correctly.
7.2.6 Other Authentication Options
Other Authentication Options configures the other authentication-related options, including the automatic logout time and DNS service availability for users who fail to get authenticated. The configuration page is as shown below.
(Screenshot: Authentication Options with the sections New User Authentication, SSO Settings, Page Display After Authentication, Authentication Conflict Settings, SNMP Option (enable it when the device has to cross the layer-3 switch and bind MAC addresses) and Other Authentication Options: "Logout the user automatically if there is no traffic in __ minutes", Submit, User)
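An added example (not Sangfor's code) that validates SNMP Server List entries in the format just described before they are pasted into the device. It assumes one entry per line with the four fields joined by a back slash, the usual dotted IP, colon-separated MAC and dotted OID notation (the manual's sample lost its punctuation in scanning), and adds two checks of the editor's own: a warning for the default community name and a warning when the OID is not the RFC 1213 atPhysAddress column.

```python
"""Check entries of the SNMP Server List (IP\\MAC\\OID\\community) before saving them.

Added example, not Sangfor's code. Assumptions: one entry per line, the four
fields joined by the back slash the manual mentions, and the usual dotted IP,
colon-separated MAC and dotted OID notation (the manual's sample lost its
punctuation in scanning). The default-community warning and the atPhysAddress
check are the editor's own sanity checks, not documented device behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# Default community strings; any scanner tries these first, so flag them.
WEAK_COMMUNITIES = {"public", "private"}
# RFC 1213 atPhysAddress, the ARP-table column a device polls to map IP to MAC.
AT_PHYS_ADDRESS = "1.3.6.1.2.1.3.1.1.2"


@dataclass
class SnmpServerEntry:
    ip: str
    mac: str
    oid: str
    community: str


def parse_entry(line: str) -> SnmpServerEntry:
    """Split one list line into its four fields; raise ValueError if malformed."""
    parts = [p.strip() for p in line.strip().split("\\")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 back-slash separated fields, got {len(parts)}")
    ip, mac, oid, community = parts
    ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on a bad address
    mac = mac.lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    if not OID_RE.match(oid):
        raise ValueError(f"bad OID {oid!r}")
    if not community:
        raise ValueError("empty community string")
    return SnmpServerEntry(ip, mac, oid, community)


def check_entries(text: str) -> Dict[str, List]:
    """Parse a whole list; return the valid entries, parse errors and reviewer warnings."""
    entries: List[SnmpServerEntry] = []
    errors: List[str] = []
    warnings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        entries.append(entry)
        if entry.community.lower() in WEAK_COMMUNITIES:
            warnings.append(f"line {lineno}: default community {entry.community!r} on {entry.ip}")
        if entry.oid != AT_PHYS_ADDRESS:
            warnings.append(f"line {lineno}: OID {entry.oid} is not atPhysAddress")
    return {"entries": entries, "errors": errors, "warnings": warnings}


# Constructed sample list: the manual's example entry, one with a non-default
# community and a dashed MAC, and one with a truncated MAC.
SAMPLE_LIST = (
    "192.168.30.245\\00:0f:e2:59:0c:1f\\1.3.6.1.2.1.3.1.1.2\\public\n"
    "192.168.31.1\\00-0F-E2-59-0C-20\\1.3.6.1.2.1.3.1.1.2\\ro-iam-7Gq2\n"
    "192.168.32.1\\00:0f:e2\\1.3.6.1.2.1.3.1.1.2\\public\n"
)

if __name__ == "__main__":
    for key, value in check_entries(SAMPLE_LIST).items():
        print(key, value)
```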
111. Appendix A Gateway Client Updater
The gateway update and restoration system can be used to update the kernel version of the SANGFOR IAM gateway device and to back up its configuration. When vital errors occur in the system, the IAM gateway device can be restored to the factory default configuration via the gateway restoration system. In addition, the gateway restoration system can be used to inspect the running state of the network interfaces and the routing configuration, as well as to modify the working mode and MTU value of the network interfaces. For the IAM gateway, clients have to use dlanupdater 4.0 (DLAN Gateway Client). The configuration page is as shown below.
(Screenshot: DLAN Gateway Client dlanupdater 4.0 with the menu bar System (S), Update (U), Backup (B), ManagePackage (M), Tools (T), UpdateHistory (R), Help (H), and the About dialog: dlanupdater 4.0, copyright (C) 2001-2009 Sinfor CO.)
Menus included are System, Update, Backup, ManagePackage, Tools, UpdateHistory and Help.
System: Submenus are Connect, Search, Change password, Disconnect and Quit.
(Screenshot: the System menu of dlanupdater 4.0: Connect (C), Search (F), Change Password (P), Disconnect (D), Quit (Q).)
Connect: Directly enter the IP address of the IAM hardware gateway device and then type in the password to log in.
112. IP and Flow Status, as well as View Connection Ranking, View Flow Ranking, View Connection Monitoring and View Online Users.
(Screenshot: System > Running Status. System Information: CPU Usage 1, Disk Usage 1, Sessions 87; WAN1 IP 200.200.76.205, WAN2 IP, WAN3 IP, WAN4 IP; Flow Status: Sent 3KB/s, Received 2KB/s, Flow Unit: Bytes / bits, with a 240-second sent/received graph; the links View Connection Ranking, View Flow Ranking, View Connection Monitoring and View Online Users; Bandwidth Usage Ranking (Current / Last 24 hours / Last 7 days): Top applications with the columns Ranking, Application, Percent, Upload Speed and Download Speed.)
Note: Displays various alarm prompts and other information.
Flow Status: Displays the data received and sent through the selected network interface card (NIC) interface.
<View Connection Ranking>: Click this link to view the ranking of the active connections of the IAM gateway device and the detailed connection information of an IP address. For a detailed introduction, please refer to Section 10.1.2 Connection Ranking.
<View Flow Ranking>: Click this link to view the uplink and downlink flow information of the top 10 rankings, the IP group to which the IP address belongs, the traffic amount of the uplink and downlink, and that of specific applications. Click <Obtain> below the hostname and you can get the device n
113. URL: Type a domain name (URL) into the Add URL text box and click the <Add> button to add this domain name to the list, one entry (URL) per row.
Domain Name Keyword: The URL group is matched automatically if the URL contains the configured domain name keyword.
Having completed configuring this page, you have to click the <OK> button to save the settings.
4.7 White List Group
White List Group defines the domain name white list, which can be referenced by Access Control Policy > Edit Access Control Policy > Web Filter > File Type Filter, ActiveX Filter and Script Filter.
(Screenshot: Sangfor IAM 2.1 > White List Group. The Object menu lists Application Ident Rule, Intelligent Ident Rule, Service, IP Group, Schedule, URL Group, Keyword Group, File Type Group, Ingress Rule and SSL Certificate.)
Under the default configuration page above, click the <Add> button to enter the Edit White List page, as shown below.
(Screenshot: Sangfor IAM 2.1 > Edit White List. Format: one domain per row; the maximum number of entries allowed is 512; the format is similar to http://www.baidu.com, http://10.10.10.10 or 10.10.10.10:8080.)
115. (Screenshot: System > Gateway Mode, Bridge Mode. Bridge Mode Settings: Bridge Name, Bridge IP List, Default Gateway, Primary DNS, Secondary DNS, MANAGE Interface Setting, DMZ Interfaces, VLAN Settings, Bridging Direction; Bridge 1: 200.200.20.172/255.255.252.0, default gateway 200.200.70.254, DNS 0.0.0.0 and 0.0.0.0, VLAN disabled; VLAN list display format: VLAN ID/IP address/subnet mask. The System menu lists Running Status, Security Status, License, Gateway Mode, Network Interface, Multi-Node Sync, Date/Time, Administrators, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update, Route, Generate Certificate and High Availability.)
3.4.2.1 Bridge Mode (Multiple Interface)
By bridging the interfaces of the IAM gateway device, we can establish multiple interfaces for a bridge so as to create an environment supporting dual routes or dual lines of the network.
Environment examples for Bridge mode deployment:
Environment 1: S1 connects to two external lines, R1 and R2; an IAM gateway device in bridge mode is then deployed to bridge R1 and R2 with S1.
(Figure: the IAM device's WAN1 and WAN2 interfaces face R1 and R2; its LAN interface faces S1.)
Environment 2: In order to enhance the stability of the network and reduce single-node failure, both the kernel (core) switch and the router of the local area network are redundant. Then we deploy two IAM gateway d
116. (Screenshot: Security > ARP Protection: Static ARP List with IP address and MAC address fields and the <Add> and <Clear List> buttons; Broadcast Gateway MAC Address with a broadcast interval in seconds and the <Broadcast> button.)
Enable ARP Protection: Select Enable to enable the ARP spoofing protection function.
Static ARP List: If the gateway of the LAN PC is not an interface IP address of the IAM gateway device, the Static ARP List should be configured. If the gateway mode of the IAM gateway device is Bridge mode, the gateway address of the LAN PC is the interface IP address of its front-end router or firewall; in this case we have to add the IP/MAC address of the front-end router to the Static ARP List. If the LAN PC has installed the Ingress Client, it can obtain the correct IP/MAC address of the gateway and bind to it, which ensures that the IP/MAC address the PC holds for the gateway is correct.
Broadcast Gateway MAC Address: The interval, in seconds, at which the MAC address of the gateway (the LAN interface of the IAM gateway device) is broadcast.
<Broadcast>: Click this button to broadcast the MAC address of the device's LAN interface manually and immediately. Once the ARP spoofing has been eliminated, clicking this button restores the ARP table of the LAN PCs swiftly.
Having completed configuring this page, you have to click the <OK> button to save the settings.
Chapter 6 WAN Op
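An added example (not Sangfor's code) showing why the Static ARP List matters: it simulates what a LAN PC's ARP cache holds after a run of ARP replies, once without and once with the gateway statically bound, and lists the replies that contradict the binding. The static list, the observed replies and their tuple format are constructed for illustration, and the cache model (latest reply wins unless the entry is bound) is the editor's simplification.

```python
"""Simulate a LAN PC's ARP cache with and without a static binding for the
gateway, and list ARP replies that contradict the Static ARP List.

Added example, not Sangfor's code. The static list, the observed ARP replies and
the tuple format are constructed; the cache model (latest reply wins unless the
entry is statically bound) is the editor's simplification of the behaviour the
ARP Protection page relies on.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (timestamp, sender IP, sender MAC) of ARP replies seen on the LAN segment.
ArpReply = Tuple[str, str, str]

# Constructed Static ARP List: the front-end router that LAN PCs use as gateway
# when the IAM device runs in Bridge mode (addresses are made up).
STATIC_ARP: Dict[str, str] = {"192.168.1.254": "00:0f:e2:59:0c:1f"}

# Constructed ARP replies: the real gateway answers, then a second host claims
# the gateway IP with its own MAC (the pattern ARP spoofing produces).
OBSERVED: List[ArpReply] = [
    ("10:00:01", "192.168.1.254", "00:0f:e2:59:0c:1f"),
    ("10:00:05", "192.168.1.254", "00:11:22:33:44:55"),
    ("10:00:06", "192.168.1.10", "00:1c:42:ab:cd:ef"),
    ("10:00:09", "192.168.1.254", "00:11:22:33:44:55"),
]


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 00-0F-E2-... and 00:0f:e2:... compare equal."""
    return mac.lower().replace("-", ":")


def cache_after(replies: List[ArpReply],
                static_arp: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """ARP cache of a LAN PC after seeing `replies`.

    Dynamic entries are overwritten by the most recent reply; entries bound by the
    Static ARP List (or the Ingress Client binding) are never replaced.
    """
    static_arp = static_arp or {}
    cache = {ip: normalize_mac(mac) for ip, mac in static_arp.items()}
    for _ts, ip, mac in replies:
        if ip in static_arp:
            continue  # bound entry: the reply cannot overwrite it
        cache[ip] = normalize_mac(mac)
    return cache


def find_conflicts(replies: List[ArpReply],
                   static_arp: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Map (bound IP, offending MAC) to the timestamps of replies that claimed that
    IP with a MAC other than the bound one. An empty result means no conflict seen."""
    conflicts: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for ts, ip, mac in replies:
        bound = static_arp.get(ip)
        if bound is not None and normalize_mac(mac) != normalize_mac(bound):
            conflicts[(ip, normalize_mac(mac))].append(ts)
    return dict(conflicts)


if __name__ == "__main__":
    print("unprotected cache:", cache_after(OBSERVED))
    print("with static binding:", cache_after(OBSERVED, STATIC_ARP))
    print("conflicting replies:", find_conflicts(OBSERVED, STATIC_ARP))
```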
117. <Multi Edit>: Click this button to edit the items that all of the selected members have and share.
<Delete Selected>: Click this button to delete the selected subgroup(s) or user(s).
<Enable>/<Disable>: Click it to enable or disable the selected user(s).
<Move Group/User>: Click this button to move the selected group(s) or user(s) to another group. The subgroups, users and access control policies included in the selected member will also be moved. The configuration page is as shown below.
(Screenshot: Organization Structure page: Group Path; Source: Created by administrator; Group Information: Subgroups 2, direct users 0, total users including subgroups 1; Advanced Settings; the buttons Search, Add Subgroup, Select All, Inverse, Multi Edit, Delete Selected, Delete Current Group, Enable, Disable and Move Group/User; paging controls (First, Prev, Next, Last, Go to Page, Records/page 15); and the Move Group/User dialog "Move All Selected Groups/Users To: select group", listing groups with their policy, Subgroup Count and User Count, with OK and Cancel.)
118. (Screenshot: Only allow the following ActiveX Controls. Internal ActiveX Control List: Online Anti-virus Plug-in (such as the online Rising anti-virus plug-in); Player Plug-in (such as the flash player plug-in); Entertainment plug-in (such as the NetEase plug-in). Not filter ActiveX controls downloaded from the following websites (defined in Object > White List Group; you can modify it when necessary), with Add and Remove buttons.)
Internal ActiveX Control List configures three types of plug-in, namely Online Anti-virus Plug-in, Player Plug-in and Entertainment Plug-in.
Online Anti-virus Plug-in: Check this item and the plug-in will be allowed to install if it is a kind of online anti-virus plug-in.
Player Plug-in: Check this item and the plug-in will be allowed to install if it is a kind of player plug-in.
Entertainment Plug-in: Check this item and the plug-in will be allowed to install if it is a kind of entertainment plug-in.
Custom ActiveX Control List: Configures the keywords that may be contained in the ActiveX control to be installed, one ActiveX control or issuer per row. If the keyword is detected in the plug-in, the plug-in is treated as secure and installed. Note that the keywords configured here do not support wildcard characters; each keyword is limited to 64 bytes and the total number of keywords to 32.
Not Filter ActiveX Controls Down
119. (Residue of a captured-packet view: DST 192.165.253.1:22545, application layer length 56, followed by a hex dump.)
Advanced TCPDUMP: Select this item and configure conditions such as the network interface and the TCPDUMP filter expression, which helps to capture data packets, as shown below.
(Screenshot: Packet Capture. Captured Packets: 1000; Simple capture (unknown flow) / Advanced TCPDUMP; Network Interface: eth2; TCPDUMP Filter Expression, with the hint "for example host 200.200.20.1 and port 53" and a sample expression that excludes ports 505, 630 and 1360; Current Status: Packet capturing is stopped; captured files 2010-09-02 115155.pcap and 2010-09-09 162734.pcap, each with Delete, Download and View links; Select All.)
Click the <Delete> button to delete a selected captured file, or click <Download> to save the file to a specified path on the local computer. The captured file can be opened with software such as Sniffer, Ethereal, etc.
Chapter 12 Advanced
Advanced covers the configurations of Alarm, Proxy Server, Web Tracking, Excluded IP/Domain and Page Customization.
12.1 Alarm
Alarm is used for sending alarm emails to the administrator if the IAM gateway device detects an attack, a virus, a file disclosure to be audited, an email or a risky behavior.
120. (Screenshot: Virtual Line rule list with columns including LAN Port, WAN Port, Line and Operation; rule 2 and the default rule 5 match All in every field and use Line1, with Edit, Up and Down operations; Move Selected Rule To: First row, Last row, No.)
<Up>/<Down>: Click the button to adjust the priority of each virtual line rule. You can also select a rule and then select First row or Last row to move the selected rule to the top or bottom, or select No. to move the selected virtual line rule to a specified row. Among rules of the same type, the upper one has higher priority to be matched.
Click the <Add> button to enter the Edit Virtual Line Rule configuration page, as shown below.
(Screenshot: Edit Virtual Line Rule: LAN IP Address (All / Specified), WAN IP Address (All / Specified), Protocol (All / specify the protocol type), Bridge List (All).)
LAN IP Address, WAN IP Address: Configure respectively the LAN IP and WAN IP of the data packets to be matched by the virtual line rule. The IP can be All the IP addresses or the Specified IP addresses.
Protocol: Select the protocol for packet transmission; the options are All, TCP, UDP, ICMP and Others. If you select TCP or UDP, you then have to configure LAN Port and WAN Port; if you select Others, you have to configure Protocol Number.
LAN Port, WAN Port: Configure respectively the LAN port and WAN port through which the da
121. Provided that the LAN IP address range is 192.168.1.0/255.255.255.0, to create an SNAT (source network address translation) rule that proxies all LAN users' access to the Internet, configure the following. Under the default SNAT Rules page, click the <Add> button to enter the Edit SNAT Rule page, as shown below. [Edit SNAT Rule: Rule Name; Egress Interface (All WAN interfaces / Specified); Source Address (All / Specified: the SNAT rule is applied only when the source address belongs to the following network segment; subnet segment 110.251.251.0, subnet mask 255.255.255.0); Destination Address (All / Specified: the SNAT rule is applied only when the destination address belongs to the following network segment; subnet segment 0.0.0.0, subnet mask 255.255.255.0); Protocol (All / Specified: source port, destination port; 0 indicates all ports); Translate Source IP To (WAN interface address / Specified: Start IP, End IP); Enable This SNAT Rule (Enable / Disable); Advanced Settings.] Type a Rule Name to name this rule. Select an Egress Interface, either a specified network interface or All WAN interfaces, to which the data packets are forwarded. Select the Source Address: All IP addresses, or a Specified subnet that may access the Internet through the IAM gateway. In this example the configured source address is the s
122. Proxy Control / Access Control: you have to check this item to activate the configuration under it. The configuration page is shown below. [Edit Access Control Policy: Policy Template (for example "prevent Trojan"); Description (for example "Identify risky Internet activity, alarm on information disclosure, deny malicious software"); Expiry Date (Never expire / Expired on); Status (Enable / Disable); note: controls are based on the specific content of data packets, so if you find an application that cannot be blocked please contact us; rule list operations Select All, Inverse, Allow, Deny, Move Up, Move Down, Add, Delete; Default Action (Allow / Deny): if several policies are associated, adopt the default action of the next policy and continue matching downwards.] 7.1.2.1.1 Application Control. Application Control configures the items against which the content of data packets is inspected, and thereby achieves control over certain applications. You have to check Application Control to activate the rules configured under it, as shown below. [The same Edit Access Control Policy page, with the Application Control section enabled.]
123. [Privilege Settings dialog: Select LAN Service; Available Service and Service Name (All ICMP Services, All Services, All TCP Services, All UDP Services), each with Allow / Deny, Schedule and Operation; Default Action (Allow / Deny); OK / Cancel.] Having completed this page, check Enable to activate this connection and click the <OK> button to save all the settings. 13.3.5 Virtual IP Pool. The Virtual IP Pool contains the idle LAN IP addresses or ranges specified on the local SANGFOR IAM gateway device. These addresses are used as the virtual IP addresses assigned to mobile VPN users when they connect to the VPN of the gateway device. When a mobile VPN user connects, the IAM gateway device allocates a virtual IP address to that user. All operations performed by the mobile VPN user in the VPN headquarters use the allocated virtual IP address as the source IP, exactly as if they were performed by a LAN user of the VPN headquarters. For instance, a mobile VPN user can visit any LAN computer of the VPN headquarters even though the user's computer does not use the IAM gateway device of the headquarters as its gateway. Besides, you can configure attributes such as DNS for the mobile VPN user. The general procedure for configuring a virtual IP address is introduced below. a. Create a virtual IP pool. The IP address ranges in thi
124. SANGFOR IAM v2.1 User Manual. IAM 2.1 User Manual, September 2010. Table of Contents (legible entries only): Preface 9; About This Manual 9; Document Conventions 10; Graphic Interface Conventions 10; Symbol Conventions 11; Technical Support 11; Chapter 1 12; Chapter 2 Console 17; Chapter 3 System Status 19; 3.2 Security Status 20; 3.4 Gateway Mode 22; 3.4.1 Route Mode 22; 3.4.2 Bridge Mode 24; 3.4.2.1 Bridge Mode (Multiple Interface); 3.4.2.2 Bridge Mode (Multi-Bridge) 28; Network Interface 37; Multi-Node Sync 38; Date/Time 40; Web UI 43; Backup/Restore 44; Reboot 45; Maintenance
125. Note: if the authentication does not involve the IAM gateway device, SSO is available only when a listening port is configured first. For the configuration of a listening port, refer to Section 7.2.2.5. 7.2.2.5 Listening Mirror Port. The listening mirror port is used when the authentication traffic does not pass through the IAM gateway device. The mirror port of the switch copies the authentication traffic seen on the network to the listening port of the device, which makes single sign-on possible. Check "If login data does not go through the device, please set listening mirror port (which should be idle)" and select an idle network interface to act as the listening port. Note: the listening port must be a port that is not otherwise used by the IAM gateway device, and the mirror port of the switch must mirror at least the switch interface of the authentication server. 7.2.2.6 Only Allow SSO. "Users belonging to the following network segment must use SSO, but users that require DKey or no authentication are excepted" configures the IP ranges of the LAN users who may only log in with SSO. The configuration page is shown below. [Authentication Options > User Authentication > SSO Settings: Enable Active Directory SSO (with Help on SSO usage); Enable POP3 SSO; Enable Web SSO; Enable Proxy SSO; If login data does ...]
126. [... IP]Sec connection and some other common and advanced settings. The function, use and configuration of the DHCP service. Where the configuration starts and how to configure the IAM gateway step by step. Document Conventions. Graphic Interface Conventions: this manual uses the following typographical conventions for special terms and instructions. Convention | Meaning | Example. boldface | keywords, highlighted items | The user name and password are Admin by default. italics | directories, URLs | Enter the following address in the IE address bar: http://10.254.254.254:1000. < > | names of buttons, or a key press | Click <Update> to save the settings. " " | page titles, names of parameters, menus and submenus, links on the web interface | Select System > Web UI to open the "Web UI" page, then configure the Timeout. > | multilevel menus and submenus | Go to System > Network Interface to configure the network interfaces. Prompts that pop up | The browser may pop up the prompt "Install ActiveX control". Symbol Conventions: this manual also adopts the following symbols to indicate the parts that need special attention during operation. Convention | Meaning. Caution | indicates actions that could cause setting errors, loss of data or damage to the device. Warning | indicates actions t
127. [...] System and set the relevant parameters. To audit only the account information of encrypted IM such as QQ, check just the "Audit recognizable application behavior" option above. [Audit options: Audit MSN chat content and behavior; Audit Yahoo Messenger chat content and behavior; Audit Gtalk chat content and behavior; Audit Fetion chat content and behavior; Audit files uploaded by FTP; Audit filenames of files downloaded by FTP; Audit commands executed through Telnet; Enable / Disable; Audit titles and contents of all visited webpages; Audit titles of all visited webpages; Audit webpages containing the keywords whose action is Record or Record and Deny in the following list; Deny access to the webpages containing the keywords whose action is Deny or Record and Deny in the following list; keyword list operations Select All, Inverse, Record, Deny, Record and Deny, Disable, Add; columns Keyword Group, Description, Schedule.] Audit Option covers the following aspects. Application Behavior Audit records all the Internet behaviors of the LAN users. Application Content Audit audits the contents of the specific applications used by the LAN users. Web Upload Audit audits the text contents, BBS posts, WebMail contents and the contents of attachments that the LAN users upload. Web Download Audit aud
128. [Access control policy list residue: FTP, Mail, MSN, enable relevant ...; Internet Access Audit; Template "Block All P2P download tools", Enable.] The configuration of the access control policy here is the same as in Section 7.4.3 Edit Subgroup, with the only difference that here you can configure Inherit Parent Group Policy, because a user is an independent member and cannot have its own subgroup. For the introduction, refer to the relevant part of Section 7.4.3 Edit Subgroup. Note: one user or user group can be associated with a maximum of 10 access control policies. When multiple access control policies are associated, the matching order is as introduced in Section 7.1 Access Control Policy. 7.5 User Import. User Import can import users in batches. The configuration page is shown below. [User Import page: column headings System, User Name, IP Address, MAC Address, Auth Method, Description, Password; operations Import Above Users, Scan LAN Computers, Import LDAP Users, Clear List, Authentication Server; Format Options: when a user already exists, update its attributes automatically; when the group corresponding to a user does not exist, c
129. [F]TP service using the TCP protocol. Step 2: click the <New> button to configure the IP ranges. The configuration dialog is shown below. [IP Range Settings: Source IP Start IP 172.16.1.200, End IP 172.16.1.200; Source Port Start Port 1, End Port 65535; Destination IP Start IP 192.168.1.20, End IP 192.168.1.20; Destination Port Start Port, End Port.] Source IP: fill in the source IP; in this example it is the LAN IP address of the peer VPN, 172.16.1.200. Source Port: 1 to 65535. Destination IP: fill in the destination IP addresses; in this example it is the FTP server IP of the headquarters, 192.168.1.20. Destination Port: the ports of the FTP service are 20 and 21. Note: the default configuration places no limitation on the access privileges of VPN users; here you are only defining the LAN services. After these configurations, go to Security > VPN Settings > User Management to create a new user account and then configure its LAN Privilege to complete the configuration of the LAN service. The LAN Service can also be referenced by the IPSec Connection > Outbound Policy and Inbound Policy configuration; for details refer to Section 13.4.10 IPSec Connection. Step 3: under the User Management page, select the user Branch and edit this user as shown below. [Add User dialog: Auth
130. The configuration page is shown below. [Add Object: Single user / Multiple users (format: one user name per row); Username; Description (cannot contain the characters listed); Advanced Settings; Access Control Policy; Password: None / Only allow SSO / Custom password (Password, Confirm password); Authentication Method: LDAP authentication, RADIUS authentication, POP3 authentication; Public Account: allow multiple users to sign on to the same account (multi-user login); Expiry Date: Never / Expired on; Enable This User: Enable / Disable.] Having completed this page, click the <OK> button to save the settings and add the new user, as shown below. [Organization Structure page: Group Path; Source: created by administrator; Group Information: 1 subgroup, 9 direct users, 10 total users including subgroups; Operation Result: "Add user successfully"; operations Add Subgroup, Add User, Select All, Inverse, Delete Selected, Delete Current Group, Enable, Disable; paging controls; group and user rows showing Policy (Use its own policy / Use parent policy), Subgroup Count, User Count, Authentication Method and Password (Customized password).]
131. [Application identification rule list, columns No. | Category | Application | Rule | Description | Status | Operation: Tool | Ultrasurf | Browser Ultrasurf | Ultrasurf browser | Enable | Edit; VoIP | Real-time voice | Real-time voice | RTP voice data | Enable | Edit; VoIP | Real-time video | Real-time video | RTP video data | Enable | Edit; VoIP | Real-time voice/video | Real-time voice/video | RTP video or voice data | Enable | Edit; 10 | IM | Video/voice | Video/voice 1 | Video/voice 1; 11 | IM | Video/voice | Video/voice 2 | Video/voice 2; 12 | IM | Video/voice | Video/voice 3 | Video/voice 3; 13 | IM | Video/voice | Video/voice 4 | Video/voice 4; 14 | IM | Video/voice | Video/voice 5 | Video/voice 5; 15 | IM | Video/voice | Video/voice 6 | Yahoo Messenger; 16 | IM | Video/voice | Video/voice 7 | Yahoo Messenger; 17 | IM | Video/voice | UUCall | UUCall net phone; 18 | IM | Video/voice | Video/voice 8 | Gtalk video; 19 | IM | Video/voice | Video/voice 9 | Gtalk voice; 20 | IM | Video/voice | Video/voice 10 | Skype voice data of one party; 21 | IM | Video/voice | Video/voice 11 | Video/voice 11; 22 | IM | Video/voice | Video/voice 12 | Gtalk video, special port 443; 23 | IM | Video/voice | Video/voice 13 | MSN voice; 24 | IM | Video/voice | Video/voice 14 | MSN one-way video; 25 | IM | Video/voice | Video/voice 15 | MSN one-way video; 26 | IM | Video/voice | Video/voice 16 | MSN one-way video (50); 27 | IM | Video/voice | Video/voice 17 | MSN one-way video (50); 28 | IM | Video/voice | Vid...; rows 10 to 28 all Enable | Edit.]
132. Verify digital signature of ActiveX: Block ActiveX without signature; Block altered ActiveX; Block ActiveX that uses expired certificate; Verify digital signature of ActiveX and block ActiveX if it fails the verification. You can manage the trusted root certificates in Object > SSL Certificate. Denial ActiveX Control List (format: one ActiveX control name or issuer per row, e.g. "Beijing Jiangmin New Sci & Tec Co Ltd"). Only allow the following ActiveX controls. Do not filter ActiveX controls downloaded from the following websites (defined in Object > White List Group; you can modify it when necessary; select a group and use > or Remove). Block ActiveX without signature: check this item and the access control policy will require a signature from the ActiveX control; an ActiveX control that has no signature is filtered. Block altered ActiveX: check this item and the access control policy will inspect whether the ActiveX control has been altered after signing, that is, whether the signature still matches the control; if it does not, the control is filtered. Block ActiveX that uses expired certificate: check this item and the access control policy will inspect whether the certificate that signed the ActiveX control has expired; if it has, the control is filtered. Verify digital signature of ActiveX and block the ActiveX control if it fails the verification: Check
133. [Enable / Disable.] A DoS (Denial of Service) attack is generally carried out by forcing the server to reset, or by saturating the server with external communication requests that consume its resources, so that it can no longer provide its intended service or respond to legitimate computers. The SANGFOR IAM gateway device can defend the local area network against DoS attacks from external networks and take measures to prevent an infected machine or attack tool from initiating DoS attacks. It can locate the attack source using IP and MAC information. The configuration page is shown below. [Anti-DoS page: Enable Anti-DoS (Enable / Disable). LAN Address List: the IAM gateway will discard packets sent by IP addresses that are not listed below; blank means no limit. Format: one network segment per row, using a slash to separate the network segment and the subnet mask, e.g. 10.10.0.0/255.255.0.0; Subnet segment, Subnet mask, Add, Clear List. Router list: the routers listed below connect directly to the IAM device and access the Internet through it; format: one MAC or IP address per row, e.g. 000c76dfd80c or 00:0c:76:df:d8:0c.]
134. [SSO Settings page, continued: Enable POP3 SSO, login server format IP1:port1; IP2:port2. Enable Web SSO: Web authentication server (format: IP, IP:port, or server domain name / URL); Redirect to this page before authentication; User Table Name (name of the table that corresponds to the username on the Web Authentication page); Keyword indicating success / Keyword indicating failure (keywords identifying authentication success or failure). Enable Proxy SSO, login server format IP1:port1; IP2:port2. If login data does not go through the device, set a listening mirror port, which should be idle: LAN / DMZ / WAN / WAN2 / WAN3. Users belonging to the following network segments must use SSO, but users that require DKey or no authentication are excepted; format: one IP range or subnet per row; IP range as start IP-end IP, e.g. 192.168.0.1-192.168.0.6; subnet as IP/mask, e.g. 192.168.0.1/255.255.255.0. Page Display After Authentication; Authentication Conflict Settings; SNMP Option (enable it when the device must work across a layer 3 switch and bind MAC addresses); Other Authentication Options.] 7.2.2.1 Active Directory SSO. When a user's host logs in to the Active Directory server (not for the first time), it automatically passes the web authentication without the user typing the username and password again. The typical topology of Active Directory SSO is shown below. [Figure: MS100 AC ...]
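Two pages above take address lists in the appliance's row formats: the Anti-DoS LAN Address List ("segment/mask", plus a router list of MAC or IP addresses in either bare-hex or colon-separated form) and the Only Allow SSO list ("start IP-end IP" ranges or "IP/mask" subnets). The following is an added example, not code from the manual or from Sangfor: a parser for those formats that rejects malformed rows before they reach the device, with the two membership checks the pages describe built on top of it. The sample lists are constructed, and the router-list semantics (a packet from a listed router is accepted even though its source address is not a LAN address) are an assumption of the example, not a statement from the manual.

```python
# Added example (not the appliance's code): parse the Anti-DoS LAN Address
# List / router list and the Only Allow SSO list in the row formats shown on
# the pages above, and evaluate the two checks those lists drive. Sample lists
# are constructed; the router-list semantics are an assumption of the example.
import re
from ipaddress import ip_address, ip_network


class AddressList:
    """Rows are networks ("10.10.0.0/255.255.0.0", "192.168.0.1/24") or ranges ("a-b")."""

    def __init__(self, text):
        self.networks, self.ranges = [], []
        for raw in text.splitlines():
            row = raw.strip()
            if not row:
                continue
            if "-" in row:
                lo, hi = (ip_address(p.strip()) for p in row.split("-", 1))
                if lo > hi:
                    raise ValueError(f"range start after end: {row}")
                self.ranges.append((lo, hi))
            else:
                # strict=False tolerates host bits set, e.g. 192.168.0.1/255.255.255.0
                self.networks.append(ip_network(row, strict=False))

    def __contains__(self, ip):
        ip = ip_address(ip)
        return (any(ip in net for net in self.networks)
                or any(lo <= ip <= hi for lo, hi in self.ranges))

    def __len__(self):
        return len(self.networks) + len(self.ranges)


_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept colon-, dash-, dot-separated or bare hex; return lower-case bare hex."""
    bare = re.sub(r"[:\-. ]", "", mac.strip().lower())
    if not _MAC_RE.match(bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare


class RouterList:
    """Anti-DoS list of directly connected routers: one MAC or IP address per row."""

    def __init__(self, text):
        self.macs, self.ips = set(), set()
        for row in filter(None, (r.strip() for r in text.splitlines())):
            try:
                self.ips.add(ip_address(row))
            except ValueError:
                self.macs.add(normalize_mac(row))

    def contains(self, ip=None, mac=None):
        return ((ip is not None and ip_address(ip) in self.ips)
                or (mac is not None and normalize_mac(mac) in self.macs))


def anti_dos_accepts(src_ip, src_mac, lan_list, routers):
    """Blank LAN list means no limit; otherwise the source must be a LAN address
    or (assumed) a listed router."""
    if len(lan_list) == 0:
        return True
    return src_ip in lan_list or routers.contains(ip=src_ip, mac=src_mac)


def must_use_sso(ip, sso_list):
    return ip in sso_list


# Constructed sample configuration in the formats shown on the pages above.
LAN_LIST = AddressList("10.10.0.0/255.255.0.0\n192.168.1.0/255.255.255.0\n")
ROUTERS = RouterList("000c76dfd80c\n172.16.0.1\n")
SSO_LIST = AddressList("192.168.0.1-192.168.0.6\n192.168.30.0/255.255.255.0\n")
```

Feeding a malformed row (a range written backwards, a MAC with eleven hex digits) raises ValueError at parse time, which is where you want to find out, rather than after the list has been pushed to a device that is discarding traffic.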
135. [...] above/below the file type list to select the needed file type(s). <Alarm All> / <Alarm Encrypted>: click it above/below the file type list to configure the Alarm Option of the selected file type(s). <Enable> / <Disable>: click it above/below the file type list to configure whether an email alarm is sent to notify the administrator when the configured file type(s) is detected. <Add>: click it above/below the file type list and configure a new file type to add it to the list, as shown below. [Edit Access Control Policy: Single policy / Multiple policies; Expiry Date (Never expire / Expired on); Status (Enable / Disable). After identifying the features of outgoing files, the system sends an alarm email reporting the potential information disclosure. To audit the outgoing files transferred by FTP, HTTP and email, enable the relevant options under Application Content Audit in the Audit Option tab. Enable Outgoing File Alarm. Note: if FTP upload audit is not enabled, file types uploaded by FTP are not audited; if Web upload audit is not enabled, file types uploaded by webpage are not audited; if outgoing email audit is not enabled, file types sent by email are not audited. Add the file types to be alarmed on and audited: Select All, Inverse, Alarm All, Alarm Encrypted, Enable, Disable, Add, Edit.]
136. [... the p]acket will be let pass, but the denied information will be recorded. Protocol/Port: configures the protocol condition; only when the protocol and port of the transmitted packet are the configured ones is the denied information recorded. Click <Enable Drop List> to enable the drop list: all the access control policies configured on the IAM gateway device remain in effect, packets that match a policy to be denied are denied, and the related information is output to a web page. Click <Click here to view packet drop list> to open that page and view the details of the denied packets. Click the <Enable Drop List and Bypass> button to enable the drop list together with the bypass function: all the access control policies configured on the IAM gateway device become inactive, packets that match a policy to be denied are let pass, and the related information is output to a web page. Click the <Click here to view packet drop list> button to open that page and view the details of the packets that would have been denied. This function helps with troubleshooting: it quickly locates configuration mistakes in a function module of the IAM gateway device that cause faults such as network disconnection, and therefore helps the network administrator correct the configuration quickly.
137. [WAN interface settings residue: IP address, subnet mask, primary DNS, secondary DNS, default gateway 200.200.79.254; an SNAT rule "Proxy LAN interface Internet access" with Egress Interface WAN, Proxy Network Segment 100.100.100.0/255.255.252.0 and Translate Source IP To: use interface address.] The current gateway mode and interface information are displayed, below which is a <Configure> button. Click the <Configure> button to go to the next page and select the gateway mode to switch to. Click the <Next> button and complete the remaining required configuration options. 3.4.1 Route Mode. Route Mode makes the IAM gateway device act as a routing device. The IAM gateway device is generally located at the exit of the LAN, proxying the LAN users' access to the Internet, or it is located behind the router, which then proxies the LAN users' access to the Internet. The deployment is shown in the following figure. [Figure: MODEM, IAM, Switch, Switch.] Under Route mode, the default gateway of all the LAN servers points to the LAN interface of the IAM gateway device. [Front-end device: Static IP / Dynamic dial-u
138. [Web UI settings: Webpage Timeout, Operation Timeout, Issue Console SSL Certificate To, Download Console Root Certificate.] The configuration page is shown below. [Web UI page: Default Encoding BIG5 (in case the encoding is unrecognizable, the default encoding is adopted); HTTPS Login Port; Webpage Timeout 1440 minutes; Operation Timeout (seconds); Issue Console SSL Certificate To: Gateway IP 100.100.100.100 / Custom (at most 60 bytes); current certificate is issued to 100.100.100.100; Download Console Root Certificate: click here to download the root certificate.] Default Encoding: select an option, and unrecognizable characters in the monitored data are decoded using this encoding. HTTPS Login Port: configures the HTTPS port for logging in to the Web UI; it is 443 by default. Webpage Timeout: if there is no operation on the console during this interval, the console user is automatically logged out. Operation Timeout: if a page fails to open within this interval, the system considers it timed out and does not try to open the page again. Issue Console SSL Certificate To: configures the IP or domain name to which the SSL certifica
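The "Issue Console SSL Certificate To" setting only helps if the name in the certificate is the one administrators actually type into the browser; a certificate issued to 100.100.100.100 still produces warnings when the console is reached by another address or by a hostname, and a self-issued console certificate is only trusted after the downloaded root certificate has been installed. The following is an added example, not code from the manual or from Sangfor: a check of the name and validity of the certificate presented on the HTTPS login port, written against the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns so it can be run offline. The certificate dictionary, issuer name and timestamps below are constructed sample values.

```python
# Added example (not the appliance's code): check that the console certificate
# is issued to the address being connected to and is within its validity
# period, on the dict shape ssl.SSLSocket.getpeercert() returns. The
# certificate below is a constructed stand-in; its issuer name is assumed.
import ssl
from ipaddress import ip_address

CONSOLE_CERT = {
    "subject": ((("commonName", "100.100.100.100"),),),
    "issuer": ((("commonName", "Sangfor IAM Console Root CA"),),),   # assumed issuer
    "subjectAltName": (("IP Address", "100.100.100.100"),),
    "notBefore": "Aug 20 00:00:00 2010 GMT",
    "notAfter": "Aug 20 00:00:00 2011 GMT",
}

NOW_EPOCH = ssl.cert_time_to_seconds("Sep 02 12:00:00 2010 GMT")    # inside validity
LATER_EPOCH = ssl.cert_time_to_seconds("Sep 02 12:00:00 2011 GMT")  # after expiry


def cert_names(cert):
    """Names the certificate is issued to: SAN entries first, then the subject CN."""
    names = [(kind, value) for kind, value in cert.get("subjectAltName", ())]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(("commonName", value))
    return names


def cert_matches_target(cert, target):
    """True if target (IP or hostname) is covered by a SAN entry, or by the CN
    when the certificate carries no SAN at all."""
    sans = [(k, v) for k, v in cert_names(cert) if k != "commonName"]
    try:
        target_ip = ip_address(target)
    except ValueError:
        target_ip = None
    if sans:
        for kind, value in sans:
            if kind == "IP Address" and target_ip is not None and ip_address(value) == target_ip:
                return True
            if kind == "DNS" and target_ip is None and value.lower() == target.lower():
                return True
        return False
    # Legacy certificate without SAN: compare the CN literally
    return any(v == target for k, v in cert_names(cert) if k == "commonName")


def cert_valid_at(cert, now_epoch):
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_epoch <= not_after


def check_console_cert(cert, target, now_epoch):
    """Return a list of findings; an empty list means the certificate fits this target."""
    findings = []
    if not cert_matches_target(cert, target):
        findings.append(f"certificate is not issued to {target}; issued to {cert_names(cert)}")
    if not cert_valid_at(cert, now_epoch):
        findings.append("certificate is outside its validity period")
    return findings


if __name__ == "__main__":
    print(check_console_cert(CONSOLE_CERT, "100.100.100.100", NOW_EPOCH))
    print(check_console_cert(CONSOLE_CERT, "10.254.254.254", NOW_EPOCH))
```

To run the same check against a live console, load the downloaded root certificate into an ssl.SSLContext with load_verify_locations(), wrap a socket to the HTTPS login port with server_hostname set to the address you use, and pass getpeercert() to check_console_cert(); with verification disabled (CERT_NONE) getpeercert() returns an empty dictionary, so the check must be done with verification on.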
139. [... p]age of Access Control Policy, click the <Add> button to enter the Edit Access Control Policy page, as shown below. [Edit Access Control Policy: Single policy / Multiple policies; Name; Description; Expiry Date (Never expire / Expired on); Status (Enable / Disable); note: controls are based on the specific content of data packets, so if you find an application that cannot be blocked please contact us; rule list operations Select All, Inverse, Allow, Deny, Move Up, Move Down, Add, Delete; Default Action (Allow / Deny): if several policies are associated, adopt the default action of the next policy and continue matching downwards.] Single policy / Multiple policies: select either option and then type the name in the text box (preferably one that is easy to remember, to distinguish it from others). Description: enter a brief description of this access control policy. Expiry Date: select Never expire, or select Expired on and configure the date. Status: configures the status of the policy itself; select Enable to enable this access control policy. Select Single Policy or Multiple Policies to add one policy or several policies respectively. Multiple Policies lets you add several policies with the same properties at once, as shown below. [Edit Access Control Policy with Multiple policies selected: format, one policy name per row; Description; Expiry D
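The Default Action note above, together with the limit of 10 associated policies per user or group stated in the user section, defines how a chain of policies is evaluated: rules inside a policy are matched top to bottom, and a policy's default action is only final when it is the last policy in the chain, otherwise evaluation continues with the next policy. The following is an added example, not code from the manual or from Sangfor, that implements that evaluation order so the effect of reordering policies can be seen; the policies, application names and dates are constructed, and treating a user with no policy in force as "allow" is an assumption of the example.

```python
# Added example (not the appliance's code): evaluate the access control
# policies associated with a user in the order the manual gives. Rules in a
# policy are matched top to bottom; a policy's Default Action applies only
# when it is the last associated policy, otherwise matching continues with the
# next policy. The 10-policies-per-object limit is enforced too. Policies,
# applications and dates are constructed; "allow" with no policy in force is
# an assumption of the example.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_POLICIES_PER_OBJECT = 10
TODAY = date(2010, 9, 1)


@dataclass
class Rule:
    application: str        # identified application, e.g. "P2P download"
    action: str             # "allow" or "deny"


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    default_action: str = "allow"
    enabled: bool = True
    expires_on: Optional[date] = None   # None = never expire

    def in_force(self, today):
        return self.enabled and (self.expires_on is None or today <= self.expires_on)


def can_associate(policies):
    """The console allows at most 10 access control policies per user or group."""
    return len(policies) <= MAX_POLICIES_PER_OBJECT


def associate(policies):
    if not can_associate(policies):
        raise ValueError(f"at most {MAX_POLICIES_PER_OBJECT} policies per user or group")
    return list(policies)


def decide(application, policies, today=TODAY):
    """Return (action, policy name, reason) for a detected application."""
    active = [p for p in policies if p.in_force(today)]
    if not active:
        return "allow", None, "no policy in force"        # assumed behaviour
    last = len(active) - 1
    for idx, policy in enumerate(active):
        for rule in policy.rules:                         # top to bottom
            if rule.application == application:
                return rule.action, policy.name, f"rule '{rule.application}'"
        if idx == last:
            return policy.default_action, policy.name, "default action of last policy"
        # Not the last policy: its default is replaced by the next policy's,
        # so keep matching downwards.
    raise AssertionError("unreachable")


# Constructed sample: a template policy followed by a user-level policy.
POLICIES = associate([
    Policy("prevent Trojan", [Rule("Trojan traffic", "deny")], default_action="deny"),
    Policy("Block all P2P download tools", [Rule("P2P download", "deny")], default_action="allow"),
])
EXPIRED_POLICY = Policy("old rule", [Rule("HTTP", "deny")], expires_on=date(2010, 1, 1))

if __name__ == "__main__":
    for app in ("Trojan traffic", "P2P download", "HTTP"):
        print(app, decide(app, POLICIES))
```

Note the consequence for unmatched traffic: with the two policies in this order, HTTP is allowed because the "deny" default of "prevent Trojan" is not final; swap the two policies and the same HTTP traffic is denied. When a deny-by-default policy is meant to be the backstop, it must be the last policy associated with the user.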
140. 7.2.2.4 Proxy SSO. 7.2.2.4.1 Proxy Authentication. Proxy authentication is generally applicable to environments where the users access the Internet through a proxy and each user has been allocated a proxy account; it adapts to the client's proxy environment. With Proxy authentication, the user must be an existing user of the proxy server. A user who wants to access the Internet through the proxy server must enter the correct username and password to be authenticated; if the proxy's verification fails, the IAM authentication fails as well. The IAM gateway device then associates the IP address with the user according to the intercepted proxy authentication information. 7.2.2.4.2 Network Environment. The typical topology of Proxy authentication is shown in the following figure. If the IAM gateway device is deployed in Bypass mode, the authentication data is not forwarded to the IAM gateway device, and automatic authentication is then realized through the mirror port. If there is no mirror port, the user has to be authenticated manually, that is, the user has to type the username and password when browsing a webpage. 7.2.2.4.3 Configuration. Check Enable Proxy SSO and type the IP address and port in the Login server text box; this enables the IAM gateway device to listen for the authentication information exchanged when the client host is authenticated by the proxy server.
141. [... When a loc]al area network server needs to provide services to the Internet, the DNAT function of the IAM gateway device has to be configured. The default DNAT rule page is shown below. [DNAT list: Name httpd; Protocol; Source Port; Destination Port 80; Ingress Interface WAN1; Translate Destination IP To 10.251.251.61; Status Disable; Operation Edit.] Provided that a LAN PC with IP address 10.251.251.61 wants to provide web services at port 80 to the external network, follow the procedure below to configure a DNAT rule. Under the DNAT configuration page, click the <Add> button to enter the Edit DNAT Rule page, as shown below. [Edit DNAT Rule: Ingress Interface (the DNAT rule is applied only when data is received through this interface); Source Address: All / Specified (the DNAT rule is applied only when the source address belongs to the following network segment; subnet segment 0.0.0.0, subnet mask 0.0.0.0); Destination Address: All / Specified network segment (the DNAT rule is applied only when the destination address belongs to the following network segment; subnet segment 0.0.0.0, subnet mask 0.0.0.0) / Specified interface address (the DNAT rule is applied only when the destination address is the inter
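The SNAT rule of the earlier SNAT section (proxy a LAN segment to the WAN interface address) and the DNAT rule "httpd" of this section (publish 10.251.251.61 on port 80) are both first-match rule tables keyed on interface, addresses, protocol and port. The following is an added example, not code from the manual or from Sangfor, that models both rule types and shows how a packet is rewritten, including the "Specified interface address" destination condition of the DNAT page. The WAN interface address, rule evaluation details and sample packets are assumed values for the example.

```python
# Added example (not the appliance's code): first-match evaluation of an SNAT
# rule (source rewritten to the egress interface address) and a DNAT rule
# (destination rewritten to a LAN server), modelled on the two rule pages.
# Interface addresses and packets are assumed sample values.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed interface addressing for the example.
IFACE_ADDR = {"WAN1": ip_address("200.200.79.210"), "LAN": ip_address("10.251.251.251")}
WAN_IFACES = {"WAN1"}


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


def mk(src, dst, proto, sport, dport):
    return Packet(ip_address(src), ip_address(dst), proto, sport, dport)


@dataclass
class SnatRule:
    name: str
    egress: Optional[str]                 # None = all WAN interfaces
    src: Optional[IPv4Network]            # None = all source addresses
    dst: Optional[IPv4Network]            # None = all destination addresses
    proto: Optional[str]                  # None = all protocols
    translate_to: Optional[IPv4Address]   # None = use the egress interface address
    enabled: bool = True

    def matches(self, pkt, egress):
        iface_ok = (self.egress is None and egress in WAN_IFACES) or self.egress == egress
        return (self.enabled and iface_ok
                and (self.src is None or pkt.src in self.src)
                and (self.dst is None or pkt.dst in self.dst)
                and (self.proto is None or self.proto == pkt.proto))


@dataclass
class DnatRule:
    name: str
    ingress: str
    proto: str
    dport: int                            # 0 = all ports, as on the rule page
    target: IPv4Address
    target_port: int
    enabled: bool = True

    def matches(self, pkt, ingress):
        return (self.enabled and ingress == self.ingress
                and pkt.dst == IFACE_ADDR[ingress]      # "Specified interface address"
                and pkt.proto == self.proto
                and (self.dport == 0 or pkt.dport == self.dport))


def apply_snat(pkt, egress, rules):
    """Rules are evaluated top to bottom; the first match rewrites the source."""
    for rule in rules:
        if rule.matches(pkt, egress):
            new_src = rule.translate_to or IFACE_ADDR[egress]
            return Packet(new_src, pkt.dst, pkt.proto, pkt.sport, pkt.dport), rule.name
    return pkt, None


def apply_dnat(pkt, ingress, rules):
    """First matching rule rewrites destination address and port."""
    for rule in rules:
        if rule.matches(pkt, ingress):
            return Packet(pkt.src, rule.target, pkt.proto, pkt.sport, rule.target_port), rule.name
    return pkt, None


SNAT_RULES = [
    # The SNAT section's example: proxy the LAN segment to the WAN interface address.
    SnatRule("Proxy LAN", None, ip_network("192.168.1.0/24"), None, None, None),
]
DNAT_RULES = [
    # This section's example: publish the LAN web server 10.251.251.61 on port 80.
    DnatRule("httpd", "WAN1", "tcp", 80, ip_address("10.251.251.61"), 80),
]

if __name__ == "__main__":
    print(apply_snat(mk("192.168.1.5", "8.8.8.8", "udp", 40000, 53), "WAN1", SNAT_RULES))
    print(apply_dnat(mk("198.51.100.7", "200.200.79.210", "tcp", 51000, 80), "WAN1", DNAT_RULES))
```

The DNAT rule only fires when the packet arrives on WAN1 addressed to that interface's own address and TCP port 80; a connection to another port, or the same packet seen on the LAN interface, is left untouched, which is the behaviour to confirm before enabling a rule that exposes an internal host.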
142. [... n]ame corresponding to this IP address. For details, refer to Section 10.1.1 Flow Ranking. View Connection Monitoring: click this link to view the connection information; enter an IP address and click the <Search> button to get the current connections of that IP address. For details, refer to Section 10.1.3 Connection Monitoring. View Online User: click this button to view the online users verified by the IAM gateway device, with the login time and online duration of each user. Online users can be forced to <Log Out> or <Block For> some time. For details, refer to Section 7.7 Online User. 3.2 Security Status. Security Status displays the network security information and statistics of the IAM gateway device, including Statistics Time, Virus Emails, Virus Files, Alarms (including DoS and ARP attacks), Port Scanning Times, Outgoing Email Anomalies, Flow Anomalies at standard ports and Protocol Anomalies. The page is shown below. [Security Status page: Statistics Time 2010-08-20 09:39:29; Virus Emails; Virus Files; Alarms (including DoS, ARP attacks); Port Scanning Times; Outgoing Email Anomalies; Flow Anomalies at sta
143. [Ex]ample of Static Routing. Suppose there are two LAN segments, 10.251.251.x and 192.168.2.x, connected to each other through a layer 3 switch. The LAN PCs of both segments point to the corresponding gateway configured on the layer 3 switch. The LAN interface IP of the IAM gateway device is 10.251.251.251, in the 10.251.251.x segment, and the WAN interface connects to the public network. Requirement: users of both the 10.251.251.x and 192.168.2.x segments access the Internet through the IAM gateway device, which acts as the egress. Since 192.168.2.x and the LAN interface 10.251.251.251 of the IAM gateway device are in different segments, the IAM gateway device has to add a static route so that data packets destined for 192.168.2.x are forwarded to the LAN layer 3 switch 10.251.251.253, which delivers them to the PCs of the 192.168.2.x segment. The specific steps and configuration are shown below. [Edit Static Routing: Subnet Segment 192.168.2.0; Subnet Mask 255.255.255.0; Gateway Address 10.251.251.253.] Add the SNAT segments, namely 10.251.251.0/24 and 192.168.2.0/24. For detailed steps, please refer
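The reason the static route is required is visible in a routing lookup: without it, the only route that covers 192.168.2.x is the default route, so return traffic for the second segment would leave through the WAN interface instead of going back to the layer 3 switch. The following is an added example, not code from the manual or from Sangfor, of a longest-prefix-match lookup over the routes of this example, run both with and without the static route. The WAN default gateway address is an assumed value.

```python
# Added example (not the appliance's code): longest-prefix-match route lookup
# for the static-routing example, with and without the static route. The WAN
# default gateway address is an assumed value.
from ipaddress import ip_address, ip_network


def route_lookup(dst, routes):
    """routes: (network, next_hop or None when directly connected, interface).
    Returns the most specific matching route."""
    dst = ip_address(dst)
    best = None
    for net, via, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return best


def next_hop(dst, routes):
    net, via, iface = route_lookup(dst, routes)
    return (str(via) if via is not None else "connected", iface)


CONNECTED = [(ip_network("10.251.251.0/24"), None, "LAN")]                       # LAN interface segment
DEFAULT = [(ip_network("0.0.0.0/0"), ip_address("200.200.79.254"), "WAN")]       # assumed WAN gateway
STATIC = [(ip_network("192.168.2.0/24"), ip_address("10.251.251.253"), "LAN")]   # this page's static route

WITHOUT_STATIC = CONNECTED + DEFAULT
WITH_STATIC = CONNECTED + DEFAULT + STATIC

if __name__ == "__main__":
    for table_name, table in (("without static route", WITHOUT_STATIC), ("with static route", WITH_STATIC)):
        print(table_name, "192.168.2.15 ->", next_hop("192.168.2.15", table))
```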
144. Table of Contents (continued; legible entries only): Generate Certificate 53; Chapter 4 Object 56; 4.1 Application Identification 56; Keyword Group 69; IP Group 70; Chapter 5 Firewall 82; SNAT 89; DNAT 90; Anti-DoS 92; ARP Protection 95; Chapter 6 WAN Optimization 97; 6.1 Optimization Status 97; 6.2 Optimization Settings 98; 6.2.2 Proxy Options 101
145. Bridge Direction: indicates the direction of data transmission. Bridge IP List: based on the Bridge Direction, configures the IP address of the bridge on the LAN interface; for different bridge directions the Bridge IPs may be in the same network segment. Default Gateway: the next hop interface IP in the bridge direction; it configures the default route of each bridge, that is, the front end device the bridge forwards to. Under Multi Bridge mode you have to configure a Default Gateway for each bridge. Under Bridge mode the gateway of the LAN PCs needs no change; it remains the original gateway, in other words the LAN PCs point to the LAN interface IP address of the front end device. Under Bridge mode make sure that all Internet traffic passes through the IAM gateway device: a LAN user must not be able to bypass the IAM gateway device and reach the Internet over the original physical path to the gateway, because traffic that takes that path is neither monitored nor controlled. For data traversal, ensure the WAN zone connects to the front end routing device and the LAN zone connects to the LAN switch; these two connections must not be swapped. Internet traffic transmitted from the LAN zone to the WAN zone can be monitored and controlled. The transparency of Bridge mode is achieved at the data link layer (layer 2 of the OSI model): the interfaces of t
146. Bandwidth channel list (columns: Name, User/Group, Service/Application, Destination, Schedule, Line, Guaranteed Bandwidth, Max Bandwidth, Max Bandwidth Per IP, Priority, Status):
  1  [name illegible]   All  All  ALL  On duty  Line1  up 64KB / down 200KB  up 64KB / down 200KB  No limit  High  Disable
  2  [name illegible]   All  All  ALL  On duty  Line1  up 64KB / down 200KB  up 64KB / down 200KB  No limit  High  Disable
  3  Default Channel    All  All  ALL  All day  All    up 64KB / down 200KB  up 64KB / down 200KB  No limit  High  Enable
The bandwidth channel policies are matched from top to bottom.
8.2.1.1 Add Bandwidth Channel
Click the <Add Parent Channel> button and the Edit Bandwidth Channel configuration page appears. Its fields are: Channel Name (format: one channel name per row; names cannot be repeated); Service/Application (All or Custom); User/Group (All or Custom); Channel Type (Guaranteed channel or Limited channel); Priority (High: the high priority channel has the first opportunity to use the idle bandwidth of other channels); Guaranteed Uplink Bandwidth and Guaranteed Downlink Bandwidth, each with the option Allow its idle guaranteed bandwidth to be borrowed; Max Uplink Bandwidth and Max Downlink Bandwidth, where the extra bandwidth above the guaranteed value is borrowed from other channels; Bandwidth Allocation Policy; Max Bandwidth Per IP; Schedule; Line; Destination; Enable This Channel.
147. Please set the Operation Timeout to a higher value in System > Web UI. Released At: indicates the time at which the current version of the URL library was released. Update URL Library: if the URL library cannot update automatically because the device is disconnected from the Internet, you can update it manually: click the <Browse> button, select the URL library file on the local PC, then click the <Upload> button. URL Search: enter a domain name into URL Search and click the <Search> button to check whether this domain name exists in the URL library and which URL group contains it. For instance, type www.sina.com and click <Search>; the result reports that the URL type is Portal Sites. The URL Library page also shows Update Service Expired On 2011-07-15, URL Library Released At (Inner 2010-07-09 08:43:28; the other library 2010-08-21), Update Internal URL Library (Browse / Upload; when the uploaded file is very large, set the Operation Timeout to a higher value in System > Web UI), URL Search (enter domain name), the Operation Result, and the URL group list beginning with 1 Job hunting/employment (job hunting and employment information websites), 2 Web mail (webmail service websites), 3 Sex (sexual info
148. Expiry: Never expire / Expired on. Status: Enable / Disable. Controls are based on the specific content of data packets; if you find an application that cannot be blocked, please contact us. Rule list buttons: Select All, Inverse, Allow, Deny, Move Up, Move Down, Add, Delete. Default Action: Allow / Deny; the default action applies only when none of the rules in the policy matches, and if several policies are associated with the user, the default action of the next policy is adopted and matching continues downwards through that policy. Click <OK>. Having completed configuring the page, you have to click the <OK> button to add one or more policies to the Access Control Policy list. The list page offers Import Policy (Browse: select and import a policy file; Download Policy Template) and the Access Control Policy List, whose template entries (each with Never expire, Enable, View Associated User and Rename) are: _Template Basic Internet Access: allow DNS, HTTP, HTTPS, FTP, Mail and MSN and enable the related audit; _Template Block All P2P: block all P2P download tools; _Template Monitor IM chat content: QQ, MSN, ICQ, Skype, Yahoo Messenger, UC, POPO, GTalk, Fetion, Ali; _Template Anti-phishing webpage: prevent deception by illegal SSL certificates and enable URL filtering of the related domain names; _Template Open all Internet access: Open all Internet
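An added example (not the manual's code) of how a chain of associated access control policies is evaluated under the rules stated above: rules inside a policy are matched top to bottom; when no rule in a policy matches and another policy is associated, matching falls through to the next policy, and the default action finally applied is that of the last associated policy. Policy and rule names are constructed and the application names are only labels; the fall-through reading of the text is this example's interpretation.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    app: str              # application/service name; "*" matches any
    action: str           # "allow" or "deny"
    enabled: bool = True

@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)   # matched top to bottom
    default_action: str = "allow"               # applied only if no rule matches
    enabled: bool = True

def evaluate(policies, app):
    """Decide allow/deny for traffic of application `app` for a user whose
    associated policies are `policies`, in the order they are listed.

    Returns (action, policy name, reason). No rule match in one policy means
    fall through to the next associated policy; the default action that is
    finally applied is the one of the last associated policy."""
    active = [p for p in policies if p.enabled]
    if not active:
        return "allow", None, "no policy associated"
    for p in active:
        for r in p.rules:
            if r.enabled and r.app in ("*", app):
                return r.action, p.name, f"rule {r.app}"
    last = active[-1]
    return last.default_action, last.name, "default action"

if __name__ == "__main__":
    block_p2p = Policy("Block All P2P",
                       [Rule("bittorrent", "deny"), Rule("emule", "deny")])
    basic = Policy("Basic Internet Access",
                   [Rule("dns", "allow"), Rule("http", "allow"),
                    Rule("https", "allow"), Rule("telnet", "allow", enabled=False)],
                   default_action="deny")
    for app in ("bittorrent", "http", "ssh", "telnet"):
        print(app, "->", evaluate([block_p2p, basic], app))
```

Note what the ordering buys you: with the P2P block placed first its deny rules win even though the second policy's own rules would never mention them, and a disabled rule (telnet) behaves exactly as if it were absent, so the traffic drops through to the last policy's default action.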
149. ...gateway device must be in different subnet segments, across a layer 3 switch, and the MAC address has changed. In addition to the settings configured here, IP/MAC binding must be configured in IAM > Organization Structure > Edit User > Advanced Settings > User Attribute. For details please refer to Section 7.4.5.1 Edit User.
4.11 SSL Certificate
The Trusted Root Certificate List works together with IAM > Access Control Policy > Edit Access Control Policy > SSL Management > SSL Control: if SSL Control is enabled, the root certificates in this library are trusted, and a server certificate whose chain ends at one of them passes the chain check. You can import a trusted root certificate into the list or delete one from it. Import Trusted Root Certificate: click <Browse>, select the certificate file and import it. The list shows each root's name and validity period:
  1  Xcert EZ by DST                              Jul 14 16:14:18 1999 GMT  to  Jul 11 16:14:16 2009 GMT
  2  VeriSign Individual Software Publishers CA   Apr  9 00:00:00 1996 GMT  to  Jan  7 23:59:59 2004 GMT
  3  Certiposte Classe 4 Personne                 Jun 24 08:00:00 1998 GMT  to  Jun 24 08:00:00 2018 GMT
  4  CA 1                                         Mar 11 11:16:46 1999 GMT  to  Mar 11 11:48:48 2019 GMT
  5  CRA HKT SecureNet CA SGC Root                Jun 30 00:00:00 199
Note that several of the preinstalled roots listed here had already expired when this manual was written; since any server certificate chaining to a listed root is accepted by the chain check, review the list and delete roots you do not need rather than leaving the factory set untouched.
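An added example (not the manual's code) of what SSL certificate chain control has to decide given such a list: walk the chain from the server certificate up through issuer/subject links, require the topmost issuer to be in the trusted root list, and reject any certificate outside its validity period. Signature verification is assumed to have been done already and is not modelled. The root names and dates are those in the list above; the server and intermediate certificates are constructed, and rejecting a chain anchored at an expired root is this example's own addition, not something the page states the device does.

```python
from datetime import datetime, timezone

def gmt(s):
    """Parse a 'Mon D HH:MM:SS YYYY' GMT timestamp as shown in the root list."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

# root name -> (not_before, not_after); values copied from the list above
TRUSTED_ROOTS = {
    "Xcert EZ by DST": (gmt("Jul 14 16:14:18 1999"), gmt("Jul 11 16:14:16 2009")),
    "VeriSign Individual Software Publishers CA":
        (gmt("Apr 9 00:00:00 1996"), gmt("Jan 7 23:59:59 2004")),
    "Certiposte Classe 4 Personne": (gmt("Jun 24 08:00:00 1998"), gmt("Jun 24 08:00:00 2018")),
    "CA 1": (gmt("Mar 11 11:16:46 1999"), gmt("Mar 11 11:48:48 2019")),
}

def cert(subject, issuer, not_before, not_after):
    """Constructed stand-in for a parsed X.509 certificate (no signature)."""
    return {"subject": subject, "issuer": issuer,
            "not_before": gmt(not_before), "not_after": gmt(not_after)}

def valid_at(c, now):
    return c["not_before"] <= now <= c["not_after"]

def check_chain(chain, now, trusted_roots=TRUSTED_ROOTS, deny_expired=True):
    """chain: certificates leaf first, as sent by the server.
    Returns (accepted, reason)."""
    if not chain:
        return False, "empty chain"
    if deny_expired and not valid_at(chain[0], now):
        return False, "server certificate expired or not yet valid"
    for lower, upper in zip(chain, chain[1:]):
        if lower["issuer"] != upper["subject"]:
            return False, f"chain broken: {lower['subject']} was not issued by {upper['subject']}"
        if not valid_at(upper, now):
            return False, f"{upper['subject']} expired"
    anchor = chain[-1]["issuer"]
    if anchor not in trusted_roots:
        return False, f"{anchor} is not in the trusted root list"
    not_before, not_after = trusted_roots[anchor]
    if not not_before <= now <= not_after:
        return False, f"trusted root {anchor} is expired"   # this example's own check
    return True, f"chain anchored at {anchor}"

if __name__ == "__main__":
    now = gmt("Aug 21 00:00:00 2010")
    chain = [cert("www.example.test", "Example Intermediate CA",
                  "Jan 1 00:00:00 2010", "Jan 1 00:00:00 2012"),
             cert("Example Intermediate CA", "Certiposte Classe 4 Personne",
                  "Jan 1 00:00:00 2005", "Jan 1 00:00:00 2015")]
    print(check_chain(chain, now))
    print(check_chain([cert("www.example.test", "Xcert EZ by DST",
                            "Jan 1 00:00:00 2010", "Jan 1 00:00:00 2012")], now))
```

With the clock set to the library date seen elsewhere on the page (August 2010), a chain ending at Certiposte is accepted while one ending at Xcert EZ by DST is refused because that root expired in 2009; without the extra root-expiry check the second chain would have been accepted simply because the root is still in the list.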
150. Bandwidth Status covers the running status of bandwidth management and the flow information of the external lines and bandwidth channels. Basic Information shows the running status of Bandwidth Management and, for each line, WAN Speed, Realtime Speed, Bandwidth Usage, History Speed and History Flow (the page shown has one line of up 64KB/s, down 200KB/s carrying no traffic). Advanced Information lists, for the exclusion policy and for each channel, Name, Realtime Speed, History Speed, History Flow, Total Users, Guaranteed Bandwidth, Max Bandwidth, Priority and Status; in the page shown the two user-defined channels are Disabled and the Default Channel is Running. Basic Information: displays the running status and flow information of the external lines. <Unfold All> / <Fold All>: unfold or fold the flow information of all channels. <Stop Refresh>: stop refreshing the flow information in real time (the view defaults to the last 5 minutes). Display Option: configures which bandwidth channels are
151. Status: Enable / Disable. (The remaining tabs of the policy are Email Filter, SSL Management, Application Audit, Flow/Time Statistics, Ingress and Risk Ident.) Search Engine keyword group list (Keyword Group, Categories, Description, Action, Schedule):
  Pornography keyword                          All day
  MSN keywords through http protocol login     All day
  Various entertainment information keyword    All day
Buttons: Select All, Inverse, Move Up, Move Down, Deny, Disable, Add Keyword Group.
Search Engine configures specific keywords that LAN users may search for, and thus limits some of the users' behaviours. For the detailed procedure of configuring keywords please refer to Section 4.8 Keyword Group. Search Engine: check this item to enable the rules configured under it. <Add Keyword Group>: click this button to list the keyword groups that are not yet active; to activate a keyword group, select it and set its Action to Deny. <Select All> / <Inverse>: select the needed keyword group(s). <Move Up> / <Move Down>: move the selected keyword group(s) up or down. <Deny>: set the Action of all selected keyword groups to Deny. <Disable>: undo the Deny selection. Having completed configuring this page, you have to click the <OK
152. The default Connection Management page is shown in the manual (menu: Security > VPN Settings > VPN Status, Basic Settings, User Management, Connection Management, Virtual IP Pool). <New>: click this button to add a new connection to the VPN headquarters. The Edit Connection dialog has the fields Connection Name, Description, Primary Webagent, Secondary Webagent, Data Encryption Key and Confirm Key, Transfer Type, Username, Password and Confirm Password, Cross ISP, and Enable LAN Privilege. Connection Name / Description: type the name and description of this new connection. Primary Webagent / Secondary Webagent: type the primary and secondary Webagent of the VPN headquarters to be connected. Click the <Test> button next to them to check the availability of the Webagent; the result reports on the master and slave WEBAGENT. This test request is initiated by the local computer running the browser, not by the IAM gateway device, so a successful test proves that the administrator's PC can reach the Webagent, not that the gateway can. If the Webagent is a domain name, the testing results show success and the
153. ...authentication server, which requires a user name and password. If the user name authenticated by the third party server is not one of the users in the user list, this user is automatically added to the assigned organization structure if the option Automatically add authenticated new users to the above group is checked; otherwise the user exists as a casual user. The SANGFOR IAM gateway device supports the following third party servers: LDAP server, RADIUS server and POP3 server. Choose the one that fits your case; for the configuration of the third party authentication server please refer to Section 7.3 Authentication Server. Add to Organization Structure: check the option Automatically add authenticated new users to the above group, and applicable new users are added to the assigned structure group and granted all the privileges of that group. In addition, you can have a successfully authenticated new user's IP address, MAC address, or both automatically bound, or neither of them. Enabling policy authentication for new users lets IP addresses in different segments be authenticated differently, adding each user to the corresponding user group and applying its individual access
154. ...have to click the <OK> button to save all the settings. The Edit IP Group page has the fields Name, Description and IP Address (format: one IP address or IP range per row; IP range format: start IP-end IP, e.g. 192.168.0.1-192.168.0.5), the buttons Add, Auto Resolve and Clear, and an Auto Resolve box (Resolve times, Domain name, Resolve). Note: the local PC performs the Auto Resolve of the domain name, provided it can reach the Internet; the addresses obtained are therefore those seen by the administrator's PC and its DNS server, which need not be the ones LAN users will be given.
4.5 Schedule
Schedule defines the commonly used time periods, mainly used as valid time or expiry time. A defined schedule can be referenced by Firewall > Firewall Rules, IAM > Access Control Policy > Access Control, and Bandwidth Management > Bandwidth Settings. The Schedule list (No., Name, Description, Operation):
  1  All day                      All day
  2  On duty                      8 AM to 12 AM, 2 PM to 6 PM    Edit
  3  Off duty                     Off duty                       Edit
  4  Internet Access Total Time   Null
Click the <Add> button to enter the Schedule c
155. (Ingress Rule List, continued; columns: No., Name, Classification, Description, Process, Operation)
  4   Disable proxy software 5    Process   Disable proxy software 5    SuperProxy          Edit
  5   Disable proxy software 6    Process   Disable proxy software 6    AngelGate           Edit
  6   Disable proxy software 7    Process   Disable proxy software 7    YiTe Proxy Server   Edit
  7   Disable proxy software 8    Process   Disable proxy software 8    QingSong Proxy      Edit
  8   Disable proxy software 9    Process   Disable proxy software 9    YiMail Proxy        Edit
  9   Disable proxy software 10   Process   Disable proxy software 10   SuperGate           Edit
  10  Disable proxy software 11   Process   Disable proxy software 11   GJProxy             Edit
Update Internal Rule: click the <Browse> button to upload the internal ingress rule file and update the current internal rules; you can obtain this file from SANGFOR Customer Service. Import Rule corresponds to the <Export> button below the Ingress Rule List: <Export> exports the selected ingress rule(s) as a .conf file, while <Import> imports an uploaded .conf rule file into the system. <Combine Selected Rules>: select two or more ingress rules and click this button to combine them. The Ingress Rule Update page shows Internal Rule List Released On 2010-05-26, Update Internal Rule (Browse / Upload: select and upload the internal rule file) and Import Rule (Browse: select and import i
156. (Menu: Local Subnet List, Tunnel Route, Common Settings, Advanced.) Select an Outlet Line and click the <New> button; the Edit Device List configuration page pops up with the fields Device Name, Description, Address Type (Static IP), Authentication Method, Enable this device and Auto connect. Click the <Advanced> button to view the advanced settings: ISAKMP Lifetime, Retry Times (5), Mode (Main mode), D-H Group (MODP 1024 group), and the ISAKMP Algorithm List with Authentication Algorithm MD5 and Encryption Algorithm 3DES.
13.3.10.2 Security Option
Security Option configures the parameters used for establishing a standard IPSec connection; this is the second phase of IPSec negotiation. The default security option shown is ESP with MD5 and 3DES. Note that the defaults shown for both phases (MD5, 3DES and the 1024-bit MODP group) are weak by current standards; where the peer supports it, choose SHA-2, AES and a larger D-H group, and keep the proposals identical at both ends, since a mismatch in either phase makes the negotiation fail.
157. Local Subnet List is a kind of declaration: the subnets defined here are regarded as VPN segments by the VPN device and by the client software, and all data going through the VPN device or software towards them is encapsulated and transmitted through the VPN tunnels. Therefore, in addition to adding the related subnets to the Local Subnet List, you need to configure a Static Route for them so that these subnets can communicate with each other.
13.3.9 Tunnel Route
The SANGFOR IAM gateway device offers a powerful VPN tunnel route configuration function. You can configure routes for the VPN tunnels to achieve interconnection among different VPNs (software or hardware) and build a true mesh VPN network. The Tunnel Route page has the option Enable Tunnel Route and a table with the columns Status, Source Subnet, Source Mask, Destination Subnet, Destination Mask and Destination Route User. For example, the Shenzhen headquarters 192.168.1.x/24 needs to establish VPN connections with its branches Shanghai 172.16.1.x/2
158. ...the system automatically adjusts this value; it is not recommended to alter it manually. Not cache object greater than _ KB: check this item and configure the size limit of a single file to be cached; a very large file would occupy much of the IAM gateway device's disk space. Excluded Website List: configures the websites whose data are not to be cached; websites whose content changes in real time need not be cached. <Restore Default>: click this button to restore the factory default settings. Having completed configuring this page, click the <OK> button to save the settings or the <Cancel> button to discard them.
6.2.1.2 Advanced Settings
Advanced Settings configures the valid time of cached data, how requests are revalidated, and the websites to be cached with higher priority. The fields on the Proxy Options > Advanced Settings page are: Default Valid Period (minutes, default 100): this value is adopted for a web page whose expiry date is not specified; Check for Updates Upon Every Request: ensures the requested web page is the newest version, but decreases the cache hit rate; Cache Website List: when the
159. ...indicates the data cached in the IAM gateway device that were matched by subsequent visits to the extranet server, that is, the volume of requests answered directly by the IAM gateway device. This traffic volume is the external bandwidth saved by the IAM gateway device. Flow Speed displays the flow speed of the data passing through the IAM WAN optimization module on a chart with time on the X axis and flow speed on the Y axis. Flow speed is split into LAN Flow Speed and WAN Flow Speed. LAN Flow Speed is the speed at which the IAM gateway device responded directly to the LAN users' website access requests; this data never reaches the public network and so consumes no public bandwidth. WAN Flow Speed is the speed of the data the IAM gateway device forwarded to the extranet server, plus that of the extranet's responses to the LAN users' requests. The Optimization Status page shows System Status (Disk Usage 0 GB / 4.75 GB; Sessions 0; Memory Usage 0.06 MB / 100.01 MB; Cached Objects: Memory objects 12, Disk objects 2) and the Optimization Status statistics, selectable for the last 24 hours, last 7 days or last 30 days (Save Preferences; Statistics Objec
160. ...communication among the LAN devices, or even stops all traffic on the local area network. Defence against ARP spoofing is provided by the ARP protection function of the IAM gateway device together with the Ingress Client installed on the LAN PCs. After installation, the Ingress Client communicates with the IAM gateway device to obtain the correct IP/MAC information of the gateway device and binds to it. The IAM gateway device refuses ARP requests or responses that look like attacks, protecting its own ARP cache and making it immune to ARP spoofing. However, if a user subject to an access control policy is bound to IP/MAC address(es), the IAM gateway device takes the addresses bound in Organization Structure > Edit User > Advanced Settings > User Attribute as the final IP/MAC address(es). Only PCs running the Ingress Client receive the static gateway entry; hosts without it remain exposed to a spoofed gateway. The configuration page (Firewall > ARP Protection) has: Enable ARP Protection: Enable / Disable. Set client side static ARP table item (the IAM gateway IP is not required): format: IP address and MAC address, one entry per row, e.g. 200.200.20.1 00:32:83:ef:a9:88. Static ARP List.
161. When websites in the list are accessed, their data are not cached and they do not benefit from WAN Optimization. Note: the Excluded Website List here takes priority over the Cache Website List on the Advanced Settings tab; if a website exists in both lists, it is excluded. Format: one domain, IP address or IP range per row; second level domains are supported, for example 192.168.0.1-192.168.0.20 or google.com (entry types: Domain name, IP address, IP range; Clear List). Note: to disable the WAN Optimization function for some groups, configure it on the Access Control Policy > Access Control > Proxy Control page.
6.2.1.1 Basic Settings
Basic Settings includes Cache Time Settings and Other Settings (Proxy Options, tabs Proxy and Advanced Settings). Cache Time Settings: Shortest Update Interval, in minutes (default 30): a cache object whose valid period is smaller than this value is not updated even if it has expired; Continue caching _ days after expiration (default 12): an expired cache object is updated after this time period. Other Settings: Limit memory cache size to smaller than _ MB: the system selects the memory cache size automatically according to the idle memory; leaving it blank is recommended. Not cache object greater than 2046 KB (default 2046; value range 8 to 102407). Excluded Website: when
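An added example (not the manual's code) covering the list format used by the IP Group page earlier and by the proxy lists here (one IP, IP range or domain per row, ranges written start-end, second level domains matching their subdomains) together with the caching decision stated in the note above: the Excluded Website List wins over the Cache Website List. The sample lists are constructed; the three outcomes "exclude", "priority" and "normal" are this example's own labels.

```python
import ipaddress

def parse_entry(line):
    """One row of the list: 'a.b.c.d', 'start-end' or a domain name."""
    line = line.strip()
    if "-" in line and line[0].isdigit():
        lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if hi < lo:
            raise ValueError(f"reversed range {line}")
        return ("range", lo, hi)
    try:
        return ("ip", ipaddress.ip_address(line), None)
    except ValueError:
        return ("domain", line.lower().strip("."), None)

def parse_list(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def matches(entries, host):
    """host is a domain name or an IP literal; a domain entry matches itself
    and any subdomain (second level domain support), never a mere suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    name = host.lower().strip(".")
    for kind, a, b in entries:
        if kind == "ip" and ip is not None and ip == a:
            return True
        if (kind == "range" and ip is not None and ip.version == a.version
                and a <= ip <= b):
            return True
        if kind == "domain" and ip is None and (name == a or name.endswith("." + a)):
            return True
    return False

def cache_decision(host, excluded, cache_list):
    """'exclude' if the host is on the Excluded Website List (which wins over
    the Cache Website List), 'priority' if only on the Cache Website List,
    otherwise 'normal' (cached under the default rules)."""
    if matches(excluded, host):
        return "exclude"
    if matches(cache_list, host):
        return "priority"
    return "normal"

if __name__ == "__main__":
    # constructed sample lists in the page's row format
    excluded = parse_list("192.168.0.1-192.168.0.20\ngoogle.com\n")
    cache = parse_list("google.com\n10.0.0.5\nnews.example.org\n")
    for host in ("www.google.com", "192.168.0.7", "10.0.0.5", "notgoogle.com"):
        print(host, "->", cache_decision(host, excluded, cache))
```

The suffix test is deliberately anchored on a dot: "google.com" must cover "www.google.com" but not "notgoogle.com", otherwise an exclusion (or a cache priority) would silently spill onto unrelated sites.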
162. ...checked or unchecked at the same time.
8.2.2 Exclusion Policy
Exclusion Policy is used when the local area network has a proxy deployed on the WAN interface side of the SANGFOR IAM gateway device. The exclusion policy frees the matching traffic from limits such as guaranteed bandwidth and maximum bandwidth. The Bandwidth Settings page shows System Settings (Bandwidth Management: Enable / Disable, currently Enable; Filter Line: All; Advanced Settings) and the exclusion policy list with the columns Rule Name, Application and Destination IP Group. Click the <Add> button to enter the Exclusion Policy configuration page and add a new exclusion policy; its fields are Name, Application Type and Destination IP Group (ALL). Name: type a name for this exclusion policy. Application Type: select the application type that will not be limited by guaranteed uplink/downlink bandwidth or maximum uplink/downlink bandwidth. Destination IP Group: select the IP address(es) of the server to be accessed. Please think it over before adding an exclusion policy, because the exclusion policy ignores the bandwidth settings: all matching traffic is free from the control of the bandwidth management module, that is to say the physical bandw
163. ...contain the following file: enter the file path or click <Browse> to upload the file; check the File MD5 and File Size options and they are calculated for you; Update Date is _ days later; Select an Operation. Update Date is _ days later: indicates whether the antivirus software on the LAN computer is up to date and by how many days its update lags; if the lag exceeds the number of days configured here, the IAM gateway device takes the corresponding operation. Having completed configuring this page, click the <OK> button to save the settings and add this rule to the Ingress Rule List. A File Path can contain macro directories: for instance SystemRoot indicates the Windows system directory, generally C:\WINDOWS or C:\WINNT when the C: disk is the system disk. Since software is installed in different subdirectories on different computers, macro directory translation makes a rule portable. When adding a File ingress rule you can use the macro directory translation provided by the IAM gateway device to type the File Path. The macro directories (case insensitive) are defined as follows, assuming the C: disk is the system disk:
  SystemDrive   C:\
  SystemRoot    C:\WINNT
  System        C:\WINNT\system32
  Windir        C:\WINNT
  UserProfile   C:\Documents and Settings\SINFOR
  Temp          C:\Do
164. ...the script is filtered directly if it has altered the file. Filter transformed script: check this item to disallow scripts that have been obfuscated to evade inspection; this may cause misjudgement. Filter risk object and invoking: check this item and a script is filtered directly if it contains risky objects or invocations. Not filter the script of the following websites: you can add websites from the white list groups whose scripts will not be filtered. Click the pull down menu, select the needed white list and click the <Add> button to add it to the box; to remove a white list from the box, select it and click the <Remove> button. For the configuration of white list groups please refer to Section 4.7 White List Group. Having completed configuring this page, you have to click the <OK> button to save the settings.
7.1.2.3 Email Filter
7.1.2.3.1 Send/Receive Mail
Email Filter is mainly used for limiting, monitoring and filtering the emails sent or received, or delaying them for audit, while LAN users send or receive email with an email client over POP3/SMTP. Email Filter covers the configuration of Send/Receive Mail and Delayed Email Audit. Send/Receive Mail is mainly used for controlling and delaying the delivery of emails and sending the delayed email
165. ...activate the prompt settings. Schedule: select the time period during which the Flow Reminder function is valid; for the configuration of a schedule please refer to Section 4.5 Schedule. Reminder Object: configures the application types whose online flow statistics are to be made; only the online flow of the selected application types is recorded. Select an application type from the Type pull down list and a specific application from the Application pull down list, then click the <Add> button to add the application to the list; to remove an application from the list, click it and then click the <Delete> button. Statistics Period: configures the period over which the user's online flow is averaged. If the averaged flow speed exceeds the configured Kbps, the IAM gateway device reminds the user. Type a value from 0 to 60 in the Statistics Period text box; 0 means the user is not reminded even if the averaged flow is not 0. The flow can be defined as Uplink flow, Downlink flow or Total flow. The averaged flow speed threshold ranges from 0 to 1 Gbps; 0 means the IAM gateway device reminds the user as soon as any flow from the selected applications is detected. Reminder Interval: configures the interval between reminders of the flow limit. If the user has already been reminded once but the averaged flow speed still
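An added example (not the manual's code) of the flow reminder logic just described: traffic for the selected applications is averaged over the Statistics Period, a reminder fires when the average exceeds the threshold, a period of 0 disables reminding, a threshold of 0 reminds on any flow at all, and no second reminder is sent until the Reminder Interval has elapsed. Time units are seconds and the per-second traffic samples are constructed; the class and parameter names are this example's own.

```python
from collections import deque

class FlowReminder:
    """Per-user flow reminder.

    period_s        Statistics Period in seconds; 0 disables reminding
    threshold_kbps  averaged flow speed that triggers a reminder; 0 means
                    remind as soon as any flow is seen
    interval_s      Reminder Interval: minimum seconds between reminders
    direction       'up', 'down' or 'total' (which flow is averaged)
    """
    def __init__(self, period_s, threshold_kbps, interval_s, direction="total"):
        self.period = period_s
        self.threshold = threshold_kbps
        self.interval = interval_s
        self.pick = {"up": lambda u, d: u, "down": lambda u, d: d,
                     "total": lambda u, d: u + d}[direction]
        self.samples = deque()       # (t, bytes) one-second buckets
        self.last_reminded = None

    def observe(self, t, up_bytes, down_bytes):
        """Record the bytes seen in second t; return True if a reminder fires."""
        if self.period == 0:
            return False             # statistics period 0: never remind
        self.samples.append((t, self.pick(up_bytes, down_bytes)))
        while self.samples[0][0] <= t - self.period:   # keep (t-period, t]
            self.samples.popleft()
        total = sum(b for _, b in self.samples)
        avg_kbps = total * 8 / 1000 / self.period
        exceeded = total > 0 if self.threshold == 0 else avg_kbps > self.threshold
        if not exceeded:
            return False
        if self.last_reminded is not None and t - self.last_reminded < self.interval:
            return False             # already reminded within the interval
        self.last_reminded = t
        return True

if __name__ == "__main__":
    # constructed traffic: a user pulling 20000 bytes every second
    r = FlowReminder(period_s=10, threshold_kbps=100, interval_s=30)
    fired = [t for t in range(40) if r.observe(t, 20000, 0)]
    print("reminders at seconds:", fired)
```

With a 10 second period and a 100 Kbps threshold the constant 20000 B/s stream first exceeds the average at second 6 (seven samples, 112 Kbps); the next reminder waits for the 30 second interval, at second 36, even though the average stays above the threshold the whole time.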
166. ...calculated and allocated for the sub channel (child channel) are based on its parent channel; the total bandwidth never exceeds that of its parent channel. The BM module of the IAM gateway device supports at most three hierarchy levels. Each parent channel has an internal default channel which cannot be deleted; this default channel carries the traffic to which none of the other bandwidth channel policies applies. The configuration of a child channel is nearly the same as that of its parent channel; for a detailed introduction please refer to Section 8.2.1.1 Add Bandwidth Channel above.
8.2.1.3 Select and Edit Bandwidth Channel
On the Bandwidth Settings configuration page, click <Select All> to select all existing bandwidth channels, or click <Inverse> to select only the currently unselected ones. The page shows System Settings (Bandwidth Management: Enable / Disable, currently Enable; Filter Line: All; Advanced Settings), the buttons Fold All, Unfold All, Move Up, Move Down and Move To Line, and the channel list (three channels, each All / All / ALL, schedule On duty, Line1, guaranteed up 64KB / down 200KB, max up 64KB / down 200KB, No limit, High, Disable, followed by the De
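An added example (not the manual's code) that models the bandwidth channel tree as described above and in the channel list of Section 8.2.1.1: channels are matched from top to bottom, the first matching channel is entered and its children are matched the same way, traffic that no child matches lands in that parent's built-in default channel, a child never gets more than its parent, and the tree is at most three levels deep. Channel names, users and applications are constructed; the KB/s figures follow the 64KB/200KB pattern of the list.

```python
from dataclasses import dataclass, field

@dataclass
class Channel:
    name: str
    users: frozenset          # user/group names; "*" means all
    apps: frozenset           # application names; "*" means all
    max_up_kb: int            # KB/s
    max_down_kb: int
    children: list = field(default_factory=list)   # ordered, top to bottom
    enabled: bool = True

DEFAULT = "Default Channel"   # the built-in channel every parent has

def validate(channels, parent=None, depth=1):
    """Enforce the rules the text states: at most three levels, and a child
    never gets more than its parent. Returns the number of channels seen."""
    if channels and depth > 3:
        raise ValueError(f"{channels[0].name}: more than three hierarchy levels")
    n = 0
    for ch in channels:
        if parent and (ch.max_up_kb > parent.max_up_kb
                       or ch.max_down_kb > parent.max_down_kb):
            raise ValueError(f"{ch.name}: exceeds parent {parent.name}")
        n += 1 + validate(ch.children, ch, depth + 1)
    return n

def hit(ch, user, app):
    return (ch.enabled and ("*" in ch.users or user in ch.users)
            and ("*" in ch.apps or app in ch.apps))

def match(channels, user, app, path=()):
    """Walk the channels top to bottom and descend into the first match;
    traffic no child matches lands in that parent's default channel."""
    for ch in channels:
        if hit(ch, user, app):
            if ch.children:
                return match(ch.children, user, app, path + (ch.name,))
            return path + (ch.name,)
    return path + (DEFAULT,)

if __name__ == "__main__":
    top = [Channel("VoIP", frozenset({"*"}), frozenset({"sip"}), 64, 200),
           Channel("Office", frozenset({"staff"}), frozenset({"*"}), 64, 200,
                   children=[Channel("Office-Web", frozenset({"*"}),
                                     frozenset({"http"}), 32, 100)])]
    print("channels:", validate(top))
    for user, app in (("staff", "http"), ("staff", "ftp"), ("guest", "http")):
        print(user, app, "->", " / ".join(match(top, user, app)))
```

Because matching stops at the first hit, a broad channel placed above a narrow one swallows the narrow one's traffic; the ordering buttons on the settings page are what decide this, so check the match path after every reorder.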
167. ...cuments and Settings\SINFOR\Local Settings\Temp
  Program       C:\Program Files
A Registry ingress rule checks the Registry of the operating system of the LAN computer that accesses the Internet through the IAM gateway device; in this way it can find the software installed on the operating system, and security problems with that software. The Edit Ingress Rule page for a Registry rule has: Classification (Operating System, Process, File, Registry, Task Plan, Others); Rule Type; Rule Name (1 to 95 bytes, and it cannot contain the characters shown on the page); Registry must contain the following item / Registry must not contain the following item; Registry Settings (Item, Operation, e.g. Deny Internet access). A Task Plan ingress rule configures a script or program that the client terminal runs; the script or program is user defined, and the IAM gateway device then controls Internet access according to its return value. The Task Plan ingress rule page has: Classification; Rule Type; Rule Name (1 to 95 bytes, cannot contain the listed characters); Set Task Execution Time: Execute once when ingress is started, or Execute periodically, every _ h
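An added example (not the manual's code) of evaluating a File ingress rule of the kind introduced with the macro directory table above: expand a macro directory in the rule's File Path case-insensitively, then check that the file exists with the expected MD5 and size (a "must contain" rule) or is absent (a "must not contain" rule). The macro table is the one shown above for a C: system disk; the %Name% token syntax is this example's assumption, and the sample file is created in a temporary directory so the example runs on any system.

```python
import hashlib, os, re, tempfile

# macro name (lower-case) -> directory, as in the table above for a C: system disk
MACROS = {
    "systemdrive": "C:\\",
    "systemroot": "C:\\WINNT",
    "system": "C:\\WINNT\\system32",
    "windir": "C:\\WINNT",
    "userprofile": "C:\\Documents and Settings\\SINFOR",
    "temp": "C:\\Documents and Settings\\SINFOR\\Local Settings\\Temp",
    "program": "C:\\Program Files",
}
MACRO = re.compile(r"%([A-Za-z]+)%")   # %Name% token syntax: assumed

def expand_path(path, macros=MACROS):
    """Replace %Macro% tokens case-insensitively; an unknown macro is an error."""
    def repl(m):
        key = m.group(1).lower()
        if key not in macros:
            raise ValueError(f"unknown macro %{m.group(1)}%")
        return macros[key]
    return MACRO.sub(repl, path)

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_present(rule, macros=MACROS):
    """True if the rule's file exists and, where given, its size and MD5 match;
    a file with the wrong hash counts as not being the required file."""
    path = expand_path(rule["path"], macros)
    if not os.path.isfile(path):
        return False
    if rule.get("size") is not None and os.path.getsize(path) != rule["size"]:
        return False
    if rule.get("md5") and file_md5(path).lower() != rule["md5"].lower():
        return False
    return True

def check_file_rule(rule, macros=MACROS):
    """rule['must_contain'] True requires the file, False forbids it.
    Returns (passes, reason)."""
    present = file_present(rule, macros)
    if rule["must_contain"]:
        return present, ("required file present" if present
                         else "required file missing or altered")
    return (not present), ("forbidden file absent" if not present
                           else "forbidden file present")

def demo():
    """Create a constructed sample file, point %Temp% at its directory and
    evaluate three rules against it. Returns their pass/fail results."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "agent.bin")
    with open(p, "wb") as f:
        f.write(b"constructed sample content\n")
    macros = dict(MACROS, temp=d)
    good = {"path": "%Temp%" + os.sep + "agent.bin", "md5": file_md5(p),
            "size": os.path.getsize(p), "must_contain": True}
    tampered = dict(good, md5="0" * 32)                       # same path, wrong hash
    forbidden = {"path": "%Temp%" + os.sep + "proxy.exe", "must_contain": False}
    return (check_file_rule(good, macros)[0],
            check_file_rule(tampered, macros)[0],
            check_file_rule(forbidden, macros)[0])

if __name__ == "__main__":
    print(expand_path("%SystemRoot%\\notepad.exe"))
    print(demo())
```

The hash check is what makes the rule meaningful as a security control: an existence check alone is satisfied by any file dropped at that path, while comparing MD5 and size ties the rule to the specific binary the administrator uploaded.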
168. (LAN Router List; menu: Security, DHCP, Wizard.) Excluded IP List: attacks from the IP addresses listed here will not be defended against. Format: one IP address, IP range or subnet per row; use a slash to separate the subnet and mask, e.g. 10.10.0.0/255.255.0.0; use a hyphen to separate the start IP and end IP, e.g. 192.168.0.1-192.168.0.20 (entry types: IP address, IP range, Subnet; Clear List). Max New TCP Connections Per IP: 1024 connections/minute. Max Attack Packets Per IP: TCP/UDP small packets ... is Detected. Enable Anti-DoS: select Enable to enable the anti-DoS function. LAN Address List: configures the LAN IP range that accesses the Internet through the SANGFOR IAM gateway device. Data packets from IP addresses outside the LAN Address List are dropped by the IAM gateway device, which means those addresses can neither connect to the Internet through the IAM gateway device nor connect to the IAM gateway device through the LAN and DMZ interfaces. A mistake on this list can lock you out of the console through the LAN interface; in that case, log in through the WAN interface. The LAN Address List can be left blank, but configuring it lets the SANGFOR IAM gateway device defend against DoS attacks such as those using masqueraded (spoofed) source IP addresses. LAN Router List: configures routers that do not have the NAT function enabled
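An added example (not the manual's code) applying the anti-DoS decisions described above to a constructed stream of new TCP connections: sources outside the LAN Address List are dropped outright, sources on the Excluded IP List are never rate-limited, and any other source that opens more than the configured number of new connections within a minute is flagged. The list parser accepts the slash and hyphen formats the page specifies; the connection stream, the addresses and the "attack" label are constructed, and the page default of 1024 connections/minute is the limit.

```python
import ipaddress
from collections import defaultdict, deque

def parse_ip_list(text):
    """Rows in the page's formats: '10.10.0.0/255.255.0.0',
    '192.168.0.1-192.168.0.20' or a single IP. Returns ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

class AntiDos:
    """Anti-DoS decisions for new TCP connections (SYNs) from LAN sources.

    lan_nets       LAN Address List (networks); empty means no restriction
    excluded_nets  Excluded IP List (networks): hosts never rate-limited
    limit          Max New TCP Connections Per IP per minute (page default 1024)
    """
    def __init__(self, lan_nets, excluded_nets, limit=1024):
        self.lan = list(lan_nets)
        self.excluded = list(excluded_nets)
        self.limit = limit
        self.recent = defaultdict(deque)   # src -> timestamps in the last minute

    @staticmethod
    def contains(nets, ip):
        return any(ip in n for n in nets)

    def new_connection(self, t, src):
        """Classify a new connection from src at time t (seconds):
        'drop'   source outside the LAN Address List (packet dropped)
        'allow'  within limits, or source on the Excluded IP List
        'attack' more than `limit` new connections in the last 60 seconds"""
        ip = ipaddress.ip_address(src)
        if self.lan and not self.contains(self.lan, ip):
            return "drop"
        if self.contains(self.excluded, ip):
            return "allow"
        q = self.recent[ip]
        q.append(t)
        while q[0] <= t - 60:          # sliding one-minute window
            q.popleft()
        return "attack" if len(q) > self.limit else "allow"

if __name__ == "__main__":
    lan = parse_ip_list("192.168.0.0/255.255.0.0\n10.10.0.1-10.10.0.20")
    ad = AntiDos(lan, parse_ip_list("192.168.0.10"), limit=5)
    print(ad.new_connection(0, "172.16.0.1"))                    # drop
    print([ad.new_connection(t, "192.168.1.5") for t in range(7)])
```

The Excluded IP List is checked after the LAN Address List on purpose: an address that is not a LAN address is dropped whether or not it is excluded, which matches the page's statement that packets from outside the LAN list are dropped unconditionally.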
...ddress, enter a Webagent website (generally the website ends with .php). You can click the <Test> button that follows to check its connectivity. If the VPN headquarters uses a static IP address, the format is IP address:port, e.g. 202.96.134.133:4009. Click the <Change PWD> button that follows and configure/modify the Webagent password, so as to prevent an illegal user from using the Webagent to masquerade the IP address. Click <Shared Key> to configure the shared key and prevent illegal devices from connecting in. If it has multiple lines and the IP addresses are static, the format of the Webagent can be IP1:IP2:port.

If the Webagent password gets lost, there is no way to get back the lost password. The only solution is to contact the Customer Service of SANGFOR to generate a new file without the Webagent password and replace the original one. If the Shared Key is configured, all the branch VPNs have to configure the same shared key to interconnect and communicate with each other.

MTU: Configures the MTU (Maximum Transmission Unit) of the data transmitted among the VPNs. It is 1500 by default.

Min Compression Value: Configures the minimum size of a VPN data packet that is to be compressed. It is 100 by default.

VPN Listening Port: Configures the listening port for the VPN service. It is 4009 by default. You can change the port according...
[Figure: Update Mode dialog. Update Mode is used to update the active and standby nodes. Procedures (suppose device A is the active one and device B is the standby one): Step 1: Enable Update Mode > Update active node (device A) > Update HA update packet again > Check whether the update is completed. Step 2: Switch active/standby > Update active node (device B) > Update HA update packet again > Check whether the update is completed. Step 3: Disable Update Mode. Note: When update mode is enabled, the active/standby switch will not happen even if a failure occurs, and the configuration of the active node will not be synchronized to the standby node. Please operate under our technical engineer's instructions to ensure a successful update. "Enable Update Mode now", OK / Cancel]

Current Status: Displays the communication status between the primary and standby device, and the timeout information as well. The timeout can be user defined.

<Timeout Settings>: Click this button to enter the Timeout Settings page and define the communication detection timeout, as shown in the following figure.

[Figure: Timeout Settings dialog, Timeout (seconds) 3 20]

Configuration Example of High Availability: The timeout of the primary node is 10 seconds, so the primary node will send a message to the standby node every 10 seconds. If the standby node does not receive the message from the pri...
...ded to the domain. If a user has logged in to the Active Directory successfully but the primary DNS or IP address is modified later, single sign-on (SSO) will become invalid, though it seems that the user can still use the correct password to log in successfully. In fact it only indicates that the user is getting into Windows instead of the domain, for the user will still be asked for a password to log in to the domain. This is because Windows can remember the previous correct login password and allows the user to enter Windows, but actually it is not a successful logon to the domain controller.

The domain server IP address, the LAN IP address of the IAM gateway device and the user's computer should be able to communicate with each other. This SSO functions only when LDAP authentication is enabled and the user logs in to the domain controller through their computer.

To use monitoring mode, check "Use monitoring mode" and type the IP address and port of the domain controller in the Login server text box. This configuration can help to listen to the information that the client gets authenticated to the domain controller. If the authentication does not have the IAM gateway device involved (listening mode), SSO is available only when the listening port is configured. As to the detailed configuration of a listening port, please refer to Section 7.2.2.5 SNMP Option.

It is better to enable several SSO modes at the same time.

7.2.2.2
...device before being forwarded to the proxy; that is to say, the proxy should be at the WAN interface end of the IAM gateway device. The configuration page is as shown below.

[Figure: Advanced > Proxy Server page, with Proxy Server List (format: one IP address or IP range per row; use a hyphen to separate start IP and end IP, e.g. 192.168.0.1-192.168.0.6; Single IP / IP range; Add, Clear List) and Excluded IP/Domain]

Proxy Server List: Enter the IP address or IP ranges of the proxy in this text box. That means the data forwarded to these proxies (IP addresses) will be detected, and thus the administrator can control the Internet access of the LAN users. If the list is blank, all the data forwarded to any proxy will be detected; however, that will surely slow down the processing speed of the IAM gateway device. It is recommended to fill in the IP addresses of the relevant proxies.

To ensure the data go through the IAM gateway device first and then through the proxy, make sure that the proxy is located at the WAN interface end of the IAM gateway device. This function does not support the proxies that require passwo...
...e: Displays the name of the channel(s).

Realtime Speed: Displays the uplink/downlink bandwidth of the channel in real time.

Bandwidth Usage: Displays the percentage of the occupied bandwidth in the total bandwidth.

History Speed: Displays the speed calculated according to the history statistics and time.

History Flow: Displays the flow calculated according to the history statistics and time.

Total Users: Displays the number of users that generate flow in this channel.

Guaranteed Bandwidth: Displays the guaranteed bandwidth that the IAM gateway allocates for the channel.

Max Bandwidth: Displays the maximum bandwidth configured on the IAM gateway device.

Priority: Displays the priority of this channel. The higher priority a channel has, the more extra bandwidth this channel can get.

Status: Displays the status of this channel: running, enabled or disabled. If the status of a bandwidth channel is disabled, the bandwidth channel policy may be invalid at that time; check the Schedule of this policy.

8.1.2 Exclusion Policy

Exclusion Policy displays the realtime speed, history speed and history flow of the applications that are not involved in the bandwidth channel policies. The page is as shown below.

[Figure: Bandwidth Management > Bandwidth Status > Exclusion Policy page, Basic Information]
...e <Test> button to check the connectivity with the server of the SANGFOR IAM gateway Data Center.

[Figure: Data Center Settings page, with Data Center Primary Address, Data Center Secondary Address, Communication Port (TCP), Data Sync Account, Data Sync Password, Data Center Web Port; Operation Result: "Testing primary address failed", "Testing secondary address failed"; Test]

Click the <Sync Now> button and the IAM gateway will send the synchronization command to the server of the Data Center to synchronize the system logs.

[Figure: Data Center Settings page, with Data Center Primary Address 127.0.0.1, Data Center Secondary Address, Communication Port (TCP) 510, Data Sync Account, Data Sync Password, Data Center Web Port, Enter External Data Center http://127.0.0.1:80; Operation Result: "Connecting to primary address and secondary address failed", "Synchronizing failed"; Test]

Data Center Web Port: Configures the port through which the external Data Center provides WEB services.

[Figure: Data Center Settings page, same fields as above, with Communication Port (TCP) 510 and Enter External Data Center http://127.0.0.1:80]

Click the Enter...
[Figure: Virtual Line page, with Line 1 Uplink 512 / Downlink (Kbps), Line 2 Uplink / Downlink (Mbps), Add, Delete; Virtual Line Import/Export: Import Configuration (Browse; "Select file to import; imported configuration will not impact or overwrite the original one"), Export Configuration ("Export configuration file of virtual line rules"), Import Rule ("Import virtual line rules"); Virtual Line Rule List with Select All / Inverse / Delete, paging (Records/page 500), columns LAN Interface, WAN Interface, Line, Edit, Up, Down; rule 2 on Line2 and the Default rule on Line1; Move Selected Rule To: First row / Last row]

Click <Delete> and then click the <Save> button to delete the line, as shown below.

[Figure: Virtual Line page after deletion, with the same Import/Export options and the Virtual Line Rule List]
[Figure: IAM > Online User List page, with Search By: Group / User / IP range ("Search for users in a specific group"), Records/page, Prompt: "The number of users matching the search conditions is 0. Dkey users, temporary users and the users that require no authentication cannot be logged out", paging, Select All, Inverse, Logout, Block For ... minute(s)]

Online User List: Displays the information of the online users that are accessing the Internet through the IAM gateway device, including No., Login/Display Name, Authentication Method, Group, IP Address, Online Duration and Login Time.

<Select All> / <Inverse>: Click it to select the needed user(s).

<Logout>: Click it to force the selected online user(s) to log out.

<Block For>: Click it and configure the time. You can block the selected online user from getting online for some time.

Search Conditions: Configures the filtering conditions for searching for user(s).

Search By: Select an option according to which the user(s) is searched for. Options are Group, User and IP range.

Records/page: Configures the number of users displayed per page. It is reco...
[Figure: Access Control Policy list on the Edit Group page, with policy templates (prevent leakage, Block All P2P download tools, prevent Trojan), Enable/Edit, Select Policy Template: Basic Internet Access Audit, Add]

Select a needed policy and click <Add> to add the selected access control policy into the policy list. As to the configuration of the access control policy, please refer to Section 7.1 Access Control Policy.

<Move Up> / <Move Down>: Click it to move up or move down the selected access control policy and adjust the priority of the policies to be matched.

<Delete>: Click this button to delete the selected access control policy/policies.

Inherit: Check it and this access control policy will be inherited by all of its subgroups and the users in the subgroups. The user(s) of this group are also forced to inherit this policy; however, different from the subgroup(s) of the group, the access control policy of the user(s) can be moved and deleted, while the access control policy of its subgroup cannot be moved or deleted. Among all the policies of a subgroup, the inherited policies have higher priority than the others.

One user or group can associate with a maximum of 10 access control policies. If there are multiple policies in the list, please adjust the order of the policies carefully. As to the detailed introductions and notes, please refer to Section 7.1 Access Control Policy.

7.4.4 Edit...
...e for data transmission between the VPN interface and the DMZ interface. By default, TCP, UDP and ICMP data transmission in both directions between the interfaces is allowed. The configuration page is as shown below.

[Figure: Firewall > Firewall Rules page, VPN<->LAN, listing six default rules (Allow_To_Ping, Pass_TCP and Pass_UDP for each direction between VPN and LAN, with services Ping, All_TCP_Service and All_UDP_Service, source/destination ALL, all Enabled, each with Edit / Up / Down), and the other directions LAN<->DMZ, DMZ<->WAN, WAN<->LAN, LAN<->LAN, DMZ<->DMZ, plus NAT Rules and Anti-DoS entries]

For instance, to allow the IP addresses 172.16.1.100-172.16.1.200 of a Branch VPN (172.16.0.0/24) to get access to the WEB server 192.168.1.20 of the headquarters and ban them from accessing the SQL SERVER, you need first to create a filtering rule on the WEB server. The detailed configuration is shown in the following figure.

[Figure: Edit Firewall Rule (VPN<->LAN) page, with Rule Name, Description, Sequence Number, Direction, Action, Service, Source IP...]
[Figure: Authentication Options > SSO Settings page (continued), with User Table Name ("Name of the table that corresponds to the username on the Web Authentication page"), Keyword indicating success / Keyword indicating failure ("Keyword identifying authentication success or failure"), Enable Proxy SSO ("If login data does not go through the device, please set a listening/mirror port"), "Users belonging to the following network segment must use SSO, but users that require Dkey or no authentication are excepted", Page Display After Authentication, Authentication Conflict Settings, SNMP Option ("Enable it when the device requires crossing the layer 3 switch and binding MAC address"), Other Authentication Options]

Web authentication server (format: IP, or IP:port, or server domain name/URL): Type the server in the text box for Web SSO, as shown below.

[Figure: Authentication Options > SSO Settings page, with Enable Active Directory SSO, Enable POP3 SSO, Enable Web SSO (Web authentication server 200.200.200.1, "Redirect to this page before authentication"), User Table Name, Keyword indicating success / Keyword indicating failure, Enable Proxy SSO, and the network segment that must use SSO...]
...ecurity of the local area network and reduce the possibility of misjudgment. In almost all cases, the local area network is under the protection of the firewall of the IAM gateway device and does not need the protection of IPS. In fact, the IPS is used for protecting the port with which the LAN server provides services to the external networks; in other words, it only maps the port to the local area network. This design can efficiently protect the local area network and ensure the work efficiency of the IAM gateway device.

13.2.2 IPS Rules

IPS Rules enables you to view and configure the priority and auto update options of the IPS rules. IPS rules can be arranged and viewed according to service and priority. The priority of an IPS rule may be High, Medium or Low.

Auto Update: Select Enable to allow the rules to be updated automatically.

Rule Search: To search for the existing rule(s), you can use Classified search or Exact search.

<Detail>: Click it to view the detailed description of the corresponding IPS rule.

If it happens that some legal and common applications are misjudged by the intrusion protection system, select a lower defense level. Procedures: select a rule and click the <Edit> button to enter the Edit IPS Rule configuration page, as shown below.

[Figure: Security > IPS Rules page]
...ed. Options are Deny Internet access and Submit report only.

Rule Type: Defines the type of this combined rule.

Having completed configuring the above, you have to click the <Add> button to add this combined rule to the Combined Ingress Rule List.

To create a new ingress rule, click the <Add> button below the Ingress Rule List to enter the Edit Ingress Rule configuration page, as shown below.

[Figure: Object > Ingress Rule > Edit Ingress Rule page, Classification: Operating System (other options: Process, File, Registry, Task Plan, Others), Rule Name windowsxp, "Users can only use the enabled Operating System(s) in the following table": Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, each with Version, Patch Version and Status (Disable)]

Classification: Defines the classification of this ingress rule; options a...
[Figure: Group Policy tab of the domain properties dialog (yuanbo.163.com), with New, Add, Edit, Options, Delete, Properties, Up, Down, Block Policy inheritance]

Then click User Configuration > Windows Settings > Scripts (Logon/Logoff) in the pop-up Group Policy Object Editor, as shown below.

[Figure: Group Policy Object Editor, Default Domain Policy, with Computer Configuration (Software Settings, Windows Settings, Administrative Templates) and User Configuration > Windows Settings > Scripts (Logon/Logoff), showing the Logon ("Contains user logon scripts") and Logoff items]

Double-click the Logon item and the Logon Properties dialog appears, as shown below.

[Figure: Logon Properties dialog opened from Scripts (Logon/Logoff)]

Click the <Show Files> button and a directory is opened. Save the logon.exe script file into this directory and close the window.

[Figure: the opened directory under \\yuanbo.163.com\sysvol\yuanbo.163.com\Policies\...\User\Scr...]
...efined identification rules, URL group, IP group, service, time schedule, white list group, keyword group, file type group, ingress rule and SSL certificate.

How to configure the firewall rules of the IAM gateway, as well as the SNAT (source network address translation) rule and DNAT (destination network address translation) rule.

How to configure the WAN optimization module to achieve WAN optimization/acceleration.

How to configure the access control policies, authentication method, organization structure, etc. of the IAM gateway.

How to view the bandwidth related information and configure the bandwidth channel policy as well as the bandwidth rules for line and virtual line.

How to configure the email audit policy for some specified emails.

The internet access audit information, including viewing the internet access statistics in real time, log maintenance and Data Center settings, etc.

Chapter 11 Logs/Troubleshooting: The function and use of the system logs, policy troubleshooting and packet capture module.

Chapter 12 Advanced: How to configure the system related settings such as alarm, proxy server, web tracking and page customization.

Chapter 13 Security: How to configure some extension functions and security related modules provided by the SANGFOR IAM gateway, such as gateway antivirus, intrusion prevention system (IPS), VPN settings, IP...

Chapter 14 DHCP

Chapter 15 Wizard
...elect Enable and click the <OK> button to activate the bandwidth management function.

Filter Line: Select an option to have the corresponding bandwidth channel(s) displayed in the bandwidth channel list.

8.2.1 Bandwidth Channel

The SANGFOR IAM bandwidth management (BM) module offers a bandwidth allocation function to configure assured bandwidth and bandwidth limitation. You can define a bandwidth channel according to the service and application, object, schedule, external line and destination IP group to achieve both assuring bandwidth and limiting bandwidth, and you can build a sub-channel for a certain bandwidth channel to define the parent channel in detail. The page is as shown below.

[Figure: Bandwidth Management > Bandwidth Settings page, with Bandwidth Management Enable / Disable ("Bandwidth Management is currently Enable"), Filter Line: All, and the channel list with Add, Edit ("Add or edit multiple channels using ... as template"), Fold All, Unfold All, Move Up, Move Down, Move To, and columns Line, Destination IP Group, Valid Line, Guaranteed...]
...ent updater.

Disconnect: Cuts the connection to the SANGFOR hardware gateway. If there is no operation for a certain time, the client terminal will be disconnected automatically.

Update: The submenus are Update Firmware, Restore Default Configuration and Restore Default Network. Please see the figure below.

[Figure: Gateway Client Updater window, with menus System (S), Update (U), Backup (B), ManagePackage (M), Tools (T), UpdateHistory (R), Help (H); the Update menu shows Update Firmware (W), Restore Default Config (D), Restore Default Network; the log pane shows the connection (MAC 005009008C73, DATE 20100526), "login success", and "gateway firmware version is SANGFOR IAM 2.1 BUILD 100226 173247 cluster 1 23_disk"]

Update Firmware and Restore Default Configuration: Both are only available after the user has logged in to the IAM hardware gateway. The former (Update Firmware) is used for updating the kernel/firmware of IAM, and the latter (Restore Default Configuration) for restoration of the default configuration. These operations will update the key document of the device or will change the serial number. Please DO NOT perform this operation at will. If an update is needed, please contact the technicians of SANGFOR and follow their instructions.

Restore Default Network: This function is only available when the system is disconnected from the SANGFOR IAM hardware gateway. Perform this function and the network configuration of the device will be restored to the defaults. This operation is realized with the command sent by the broadcast package.
[Figure: Edit User dialog of the VPN user settings, with Authentication Method (Local), Username, Password / Confirm Password, Algorithm (AES), Description, User Group, Use Group Attribute, Enable Hardware Authentication (Hardware Certificate), Enable Dkey, Enable virtual IP (Virtual IP), Schedule (Every day), Enable Expiry Date (Expiry Date), Enable the user, Enable My Network Places, Enable compression, Deny Internet access after user connects to VPN, Enable multi-user login, Deny password change online, LAN Privilege]

Step 4: Click the <LAN Privilege> button and the Privilege Settings configuration dialog pops up, as shown below.

[Figure: Privilege Settings dialog, Select LAN Service, Available Service: All TCP Services, All UDP Services, All ICMP Services, All Services; Operation; Default Action; OK / Cancel]

Step 5: Move the needed services to the service list (move from left to right) and check Allow. Select Deny as the Default Action. Having completed configuring the above, you have to click the <OK> button to save the settings.

At this point the configuration of the LAN Service is finished: the branch1 user 172.16.1.200 can only access the FTP server 192.168.1.20, and the requests initiated by other IP addresses of that local area network will be denied. These configurations also block the access requests initiated by the other computers of the headquarters to access the B...
[Figure: Intelligent Ident Rule list (continued), with video/voice 15, MSN video 50, Enable, Edit, Select All / Inverse]

Identify P2P software and P2P streaming: The Application Ident Rule detects the P2P application as well, but is limited to plaintext P2P data. If you disable the P2P Action in the Intelligent Ident Rule List on the Intelligent Ident Rule page, it can still successfully identify the plaintext P2P data but fails to identify the ciphertext P2P data.

Skype data are encrypted. To control and record the Skype data, you have to configure it on the Edit Intelligent Ident Rule page of P2P Action; put another way, you have to first enable P2P Action in the Intelligent Ident Rule List on the Intelligent Ident Rule page, and then select the Skype application and enable the rule on the Edit Intelligent Ident Rule page of P2P Action.

As to the control and recording of video/voice applications such as IM, VOIP, etc., you have to configure and enable the VOIP rule in Intelligent Ident Rule > IM (Edit Intelligent Ident Rule) and Intelligent Ident Rule > VOIP (Edit Intelligent Ident Rule).

4.3 Service

Service is generally in association with the rules configured on the Firewall > Firewall Rules page and the rules configured on the IAM > Access Control Policy page > Access Control > Service Control. First you need to define the various services of the firewall in Object > Service, including the port and protocol...
...er (objectclass=group). Generally you need only configure IP address, Authentication port, Server User, Password and Types; the other settings are recommended to be left at the defaults. If necessary, please turn to the system administrator of the LDAP server for a detailed configuration guide to this page.

The Server Name can only contain English characters. Otherwise you may fail to import the AD users and fail to read the AD structure. Generally the Server User is the admin account, in the format of Administrator@domain.com.

7.3.2 RADIUS

The RADIUS server configuration page is as shown below.

[Figure: Edit Authentication Server page, Server Type: RADIUS, Server Name radius, IP address 102.100.100.1, Authentication port 1812, Basic Settings: Shared Key, Timeout (seconds), Protocol PAP]

Generally you need only configure IP address, Authentication port, Shared key, Timeout and Protocol. If necessary, please turn to the system administrator of the RADIUS server for a detailed configuration guide to this page.

7.3.3 POP3

The POP3 server configuration page is as shown below.

[Figure: Edit Authentication Server page, Server Type: POP3 (other options LDAP, RADIUS), Server Name, IP address 200.200.200.4, Basic Settings: Authentication port 110]

You can configure the IP address, Authentication port and Timeout for the POP3 server.

7.4 Organization Structure
[Figure: Edit User page, Access Control Policy and IP/MAC binding section, with Bind IP / Bind MAC / Bind both IP and MAC / No binding, Format Instruction (e.g. 00:95:00:03:06:48 192.168.1.2 and 00:0c:29:a?:b8:20 192.168.1.99), Binding, Scan MAC address, Clear List, Group, Authentication Method: Dkey / None (only allow SSO) / Password (Custom password, Password, Confirm password, LDAP authentication, RADIUS authentication, POP3 authentication)]

Password: Indicates that the new user is verified according to the WEB username and password.

Custom password: Configures the original password for the IAM gateway authenticated user (username).

LDAP, RADIUS and POP3: Check the server type of the third party(s) that is used for authentication of this user. You can apply multiple Password authentication methods to verify a user. Matching one of the authentication methods will have the user (username) get authenticated.

DKEY: Indicates that the user's identity is verified according to a USB key. You can check "Enable monitor-free Dkey" (not monitoring the users who use this authentication method). DKEY authentication falls into two types: one is for authentication and the other is to prevent monitoring. These two DKEY authentication types cannot be mixed up.

Generate Dkey: Click this button to generate the DKEY.

[Figure: Edit User page, Basic Settings...]
...escription and Password.

Content: Defines the records, one entry per row. Different fields are separated from each other by a vertical bar, including the case that the field is blank. If one field has several values (such as several IP addresses), they are separated from each other by a comma.

Option: Check "When a user already exists, update its attribute automatically" to automatically update the attribute information of the user who already exists in the user list, or check "When the group corresponding to a user does not exist, create group automatically" and this new group will be added to the member list (user list).

Operation: Click the <Import Above User> button to import the user and attributes in the Content. Or click the <Scan LAN Computer> button to view the Scan Object, as shown below.

[Figure: User Import page, with Column Heading (IP Address, MAC Address, Auth Method), Content, Options ("When a user already exists, update its attribute automatically"; "When the group corresponding to a user does not exist, create group automatically"), Operation (Import Above User, Scan LAN Computer, Import LDAP User, Clear List), Scan Object (Single IP / IP range / Subnet), IP address ("Enter IP address for scanning"), Format: "First row are the column headings, including 7 fields: Username, Group, IP Address, MAC Address, Auth Method, Description and Password. One record pe..."]
...eted configuring this page, you have to click the <OK> button to save all the settings.

The application audit records are stored in the Data Center. You can search the records in Internet Access Audit > Enter Data Center.

The emails delivered through WebMail and the BBS posts can only be displayed under certain decoding. Checking Web Content Audit will lead to massive logs. If you do not want some websites or file types to be audited, please configure the options in Advanced > Web Tracking. The names of the attachments sent or received through MSN or Yahoo Messenger can be recorded. If you want to only audit the encrypted IM accounts, such as QQ, check Application Audit > Audit all identifiable application behaviors. All the options under Application Content Audit below are not included here. If you want to record the chat content details through the encrypted IM software, you have to configure a corresponding ingress rule. As to the detailed introduction to ingress rules, please refer to Section 7.1.2.7 Ingress System.

7.1.2.5.2 Outgoing File Alarm

Outgoing File Alarm configurations help to identify the features of the outgoing files and give an audit alarm, so as to prevent information disclosure. Check Application Audit and then check Outgoing File Alarm; the pop-up configuration page appears as shown below.
...evenly. Note: Data transmitted by different users will queue up and take turns for processing.

[Figure: bandwidth channel row, with Enable, Uplink 0 KB/s, Downlink 0 KB/s, ALL, Enable / Disable]

Channel Name: Type one or more names for the bandwidth channel(s). One name per row; the length of each name is within 96 characters.

Service/Application: Configures the specific service(s) applied to this bandwidth channel. If Custom is selected, you can define and add services. Click <Add> and the corresponding options appear, as shown below.

[Figure: Edit Bandwidth Channel page, with Channel Name (format: one channel name per row; the name cannot be repeated), Service/Application: All / Custom (Select All, Inverse, Add, Delete; Adding Application dialog with Service, Application, Website, File, OK / Cancel), User/Group: All / Custom, Channel Type: Guaranteed channel / Limited channel, Priority ("The high priority channel has the first opportunity to use the idle bandwidth of other channels"), Guaranteed Uplink Bandwidth and Guaranteed Downlink Bandwidth ("Allow its idle guaranteed bandwidth to be borrowed"), Max Uplink Bandwidth and Max Downlink Bandwidth ("The extra bandwidth will be borrowed from other channels"), Bandwidth Allocation Policy: Allocate evenly ("Note: Data transmitted b...")]
193. devices into the network, as shown in the following figure. The configuration page of Bridge Mode (Bridge Mode Settings) is as shown below.

[Figure: System > Gateway Mode > Bridge Mode page, with Gateway Mode (Multi Interface / Multi Bridge), Select Interface, LAN Zone Interface List, WAN Zone Interface List, Idle Interface List (LAN, DMZ, WAN), Bridging Direction (the direction that allows data transfer and the direction that disallows data transfer) and a <Next> button]

Gateway Mode: Options are Multi Interface and Multi Bridge.
Select Interface: Only available for Multi Interface.
LAN Zone Interface List: The selected interface will connect to the local area network.
WAN Zone Interface List: The selected interface will connect to the outgoing device(s).
Bridge Direction: Defines the direction the data is forwarded from and forwarded to. In association with the settings of the firewall rules, this item can allow or deny data transmission in a certain direction.
194. previous version of the library. To update the library, the IAM gateway device must be able to connect to the Internet. If the IAM gateway device cannot access the Internet directly, configure the HTTP Proxy options in Server Settings (provided there is an HTTP proxy) so that the IAM gateway device can reach the Internet and update the corresponding rules. HTTP Proxy requires the server IP address and port; Require Authentication requires a username and password. To ensure update speed, select an update server. Generally the update goes faster if the ISP of the update server is the same as the ISP used by the IAM gateway device.

3.14 Route

Route covers Policy Routing and Static Routing and mainly configures the routes related to the IAM gateway device.

3.14.1 Policy Routing

The SANGFOR IAM gateway device allows you to configure Policy Routing. Policy routing is mainly used when the IAM gateway connects to multiple external lines. By configuring source IP, destination IP, source port, destination port, protocol, etc., a policy-based route is created; which external line is used as the outgoing line to the external network is then selected according to the manually created policy. The Policy Routing configuration page is as shown below.

[Figure: System > Route > Policy Routing page]
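The selection logic described above, as an added example that is not Sangfor code: a policy-routing table keyed on source IP, destination IP, protocol and ports, evaluated top to bottom, with the first matching entry choosing the outgoing line. The line names "line1"/"line2", the CIDR fields and the sample packets are assumptions made for illustration; the manual does not give a table format.

```python
# Added example (not Sangfor code): a policy-routing table evaluated top to
# bottom. Line identifiers, field names and sample packets are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # (0, 0) means "all ports"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    """One policy-routing entry. A None field means "any"."""
    line: str                      # outgoing external line to use
    src_net: Optional[str] = None  # CIDR, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: PortRange = (0, 0)
    dport: PortRange = (0, 0)

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net, strict=False):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net, strict=False):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        return _port_ok(self.sport, pkt.sport) and _port_ok(self.dport, pkt.dport)


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng == (0, 0) or rng[0] <= port <= rng[1]


def select_line(table: List[PolicyRoute], pkt: Packet, default_line: str) -> str:
    """First matching entry wins; a packet matching no entry takes the default line."""
    for entry in table:
        if entry.matches(pkt):
            return entry.line
    return default_line


# Constructed sample table: keep traffic for the 10.0.0.0/8 partner network on
# line1, send LAN web browsing out via line2, everything else via the default.
SAMPLE_TABLE = [
    PolicyRoute(line="line1", dst_net="10.0.0.0/8"),
    PolicyRoute(line="line2", src_net="192.168.1.0/24", proto="tcp", dport=(80, 80)),
]


def demo() -> List[str]:
    pkts = [
        Packet("192.168.1.5", "8.8.8.8", "tcp", 40000, 80),    # web browsing: line2
        Packet("192.168.1.5", "10.1.1.1", "tcp", 40001, 80),   # also web, but the 10/8 entry is first: line1
        Packet("192.168.2.7", "8.8.8.8", "udp", 40002, 53),    # no entry matches: default line
    ]
    return [select_line(SAMPLE_TABLE, p, "line1") for p in pkts]


if __name__ == "__main__":
    print(demo())
```

The second packet shows why entry order matters: it satisfies both entries, and the one listed first decides, so a more specific entry placed below a broader one never takes effect.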
195. exceeds a certain Kbps, the IAM gateway device will remind the user once again, or more times, some time later, up to the configured Reminder Interval. Type a value ranging 0-1440; 0 indicates that the user will be reminded only once.

7.1.2.9.3 Bulletin Page

Bulletin Page defines the pop-up prompt page shown when the user visits an HTTP webpage for the first time.

Enable Bulletin Page: Check this option and the bulletin page will automatically pop up when the user visits an HTTP webpage for the first time, provided that the user has passed the authentication.

[Figure: Edit Access Control Policy page. Single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable. Reminder: If Bulletin page is enabled, the bulletin page will pop up periodically when users access websites. Bulletin Page Settings: Enable Bulletin Page; Display Interval in minutes (value range 1-65535); Custom Bulletin Page URL (format similar to http://www.baidu.com). If you disable this option, you can also customize the default bulletin page on the Advanced > Page Customization page.]

Having completed configuring this page, you have to click the <OK> button to save the settings.

The related reminder pages can be defined and modified on the Advanced > Page Customization page. In some rule modules, such as Access Control, Web Filter, etc.
196. of the IAM device in the IE browser, https://10.251.251.251, and the following pop-up warning dialog appears:

Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust (view the certificate to determine whether you want to trust the certifying authority). The security certificate date is valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?

The warning is expected here: the console is served over HTTPS with the device's own certificate, which is not issued by a certificate authority the browser trusts and is not issued for the address you typed. Click the <Yes> button and the following login interface appears.

Login: Before login you may be required to install the pop-up ActiveX control. Click "This site might require the following ActiveX control: sangfor dcweb from Sangfor Technology Co., Ltd. Click here to install" > Install ActiveX Control, and then follow the instructions to finish the installation. If there is no prompt to install the ActiveX control, click the <Download ActiveX> link to download the ActiveX control manually and follow the instructions to finish the installation.

Enter the user name and password, then click the <Login> button or press the <Enter> key to log in to the console of the IAM gateway device. The user name and password are both Admin by default. Change the default password after the first login; until you do, anyone who can reach the console address can log in with it. If you want to view
197. [Figure: Edit DNAT Rule page. Rule Name; Ingress Interface (LAN shown); Protocol (Specified: TCP); Source port; Destination port From / To (0 indicates all ports); Translate Destination IP To (Interface address LAN1, or Specified 10.251.251.61); Map To Port From / To; Enable This DNAT Rule (Enable / Disable); Advanced Settings: Source Address, Destination Address (Specified interface address / Specified network segment)]

Type a Rule Name to name this DNAT rule. Select an Ingress Interface. Select a Protocol: all the protocols or the specified protocol, TCP. Enter the Source port (0 indicates all the ports). Destination port: 80 to 80. Enter the Translate Destination IP To: 10.251.251.61. Enter the Map To Port: 80 to 80.

If Advanced Settings is checked, more settings are seen. Detailed introductions are as follows.

Source Address: Options are All and Specified. All means all the source IP addresses, while Specified indicates that only the specified source addresses match.
Destination Address: Generally Specified interface address is selected. If the WAN interface has several IP addresses, you can select Specified network segment to specify the WAN interface IP address or IP range, which is then translated to the IP address of the local area network.

Destination Address and Source Address can be configured at the same time. If both of them are configured, only when both of the conditions are satisfied will the SNAT r
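How such a DNAT rule is matched and applied, including the Advanced Source Address and Destination Address conditions that must both hold when both are configured, as an added example that is not Sangfor code. The rule mirrors the manual's values (TCP, destination port 80, translated to 10.251.251.61:80); the interface names "WAN1"/"LAN1", the public addresses, the CIDR notation for the Specified options and the sample packets are assumptions.

```python
# Added example (not Sangfor code): matching and applying a DNAT rule like the
# one configured above. Interface names, public addresses, CIDR notation and
# the sample packets are assumptions.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]   # (0, 0) means "all ports"


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "tcp" / "udp" / "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    ingress_iface: str
    proto: Optional[str]            # None = all protocols
    sport: PortRange
    dport: PortRange
    translate_to: str               # "Translate Destination IP To"
    map_to: PortRange               # "Map To Port"
    enabled: bool = True
    src_addr: Optional[str] = None  # Advanced: None = All, else CIDR (assumed notation)
    dst_addr: Optional[str] = None  # Advanced: None = any interface address, else CIDR/IP


def _in_range(rng: PortRange, port: int) -> bool:
    return rng == (0, 0) or rng[0] <= port <= rng[1]


def _in_net(addr: str, spec: Optional[str]) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Optional[Packet]:
    """Return the translated packet for the first matching rule, or None if none matches."""
    for r in rules:
        if not r.enabled or pkt.iface != r.ingress_iface:
            continue
        if r.proto is not None and pkt.proto != r.proto:
            continue
        if not (_in_range(r.sport, pkt.sport) and _in_range(r.dport, pkt.dport)):
            continue
        # Both Advanced conditions must be satisfied when both are configured.
        if not (_in_net(pkt.src, r.src_addr) and _in_net(pkt.dst, r.dst_addr)):
            continue
        if r.map_to == (0, 0):
            new_port = pkt.dport                                # keep the original port
        elif r.dport == (0, 0):
            new_port = r.map_to[0]                              # any port -> first mapped port
        else:
            new_port = r.map_to[0] + (pkt.dport - r.dport[0])   # map range by offset
        return replace(pkt, dst=r.translate_to, dport=new_port)
    return None


# Constructed rules mirroring the manual's example: TCP/80 arriving on WAN1
# is translated to the LAN web server 10.251.251.61:80.
WEB_RULE = DnatRule("web", "WAN1", "tcp", (0, 0), (80, 80), "10.251.251.61", (80, 80))
STRICT_RULE = replace(WEB_RULE, name="web-strict",
                      src_addr="203.0.113.0/24", dst_addr="198.51.100.1/32")


def demo() -> List[Optional[Tuple[str, int]]]:
    pkts = [
        Packet("WAN1", "203.0.113.9", "198.51.100.1", "tcp", 51000, 80),   # matches
        Packet("WAN1", "203.0.113.9", "198.51.100.1", "tcp", 51001, 443),  # wrong destination port
        Packet("LAN1", "192.168.1.4", "198.51.100.1", "tcp", 51002, 80),   # wrong ingress interface
    ]
    out = [apply_dnat([WEB_RULE], p) for p in pkts]
    # With both Advanced conditions set, a source outside 203.0.113.0/24 does not match.
    out.append(apply_dnat([STRICT_RULE],
                          Packet("WAN1", "198.18.0.1", "198.51.100.1", "tcp", 51003, 80)))
    return [(p.dst, p.dport) if p else None for p in out]


if __name__ == "__main__":
    print(demo())
```

The strict rule is the practical reason for the Advanced settings: without a Source Address restriction, the rule exposes the LAN server to every source on the ingress interface, so narrow it whenever the legitimate clients are known.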
198. [Figure: Bandwidth Channel list. Each row shows the channel name, service/application, user, destination, schedule (On duty / All day), valid line (Line1 / All), guaranteed and maximum uplink/downlink bandwidth (for example 64KB / 200KB), per-IP limit (No limit), priority (Low / High) and status (Enable / Disable). The Default Channel applies All day on All lines and is enabled. Below the list: an option to add or edit multiple channels using an existing channel as template, and an Operation Result reporting that the channel was added successfully.]

Name: Click the name of a bandwidth channel to get into the Edit Bandwidth Channel page and edit this bandwidth channel policy.
<Enable> <Disable> <Delete>: Select one or more bandwidth channels and then click the <Enable>, <Disable> or <Delete> button to enable, disable or delete the bandwidth channel policy respectively.
<Unfold All> <Fold All>: Click to unfold or fold the information of all the bandwidth channels.
<Move Up> <Move Down> <Move To>: Click <Move Up> or <Move Down> to move the selected bandwidth channel up or down respectively, or click <Move To> and type a line number to move the selected bandwidth channel to a specified row.

The Default Channel in the Bandwidth Channel list is the system default channel and cannot be deleted. The bandwidth channels are matched against the features of the flow from top to bottom, so the order of the list decides which channel a flow lands in. To edit multiple bandwidth channels at the same time, you
199. Servers providing services to the wide area network (WAN) are placed in the DMZ zone. The IAM device provides secure protection for these servers.

The multi-line function of the IAM gateway device allows multiple Internet lines to be connected. You can connect the second Internet access device to the WAN2 interface.

When the IAM gateway device runs normally, the POWER indicator (green) stays on and the WAN LINK and LAN LINK indicators (orange) stay on. The ACT indicators (green) flicker when there is data flow. The ALARM indicator lights for only about one minute, due to system loading while the device is starting, and then goes out, indicating successful startup of the device. If the ALARM indicator stays lit during startup, switch off the power and restart the device. If it still stays lit and does not go out, please contact us.

Use a straight-through cable to connect a WAN interface with the modem, and a crossover cable to connect a WAN interface with the router. Use a straight-through cable to connect the LAN interface with the switch, and a crossover cable to connect the LAN interface on the device with the network interface on the computer. If connections cannot be established while the corresponding indicator functions normally, check whether the correct cables are used for the connections. The difference between a straight-through cable and a crossover cable is that the wire sequences at bot
200. page is as shown below.

[Figure: Organization Structure > Group Settings page, with Group Name List, Group Path, Description, Source, Group Information, Advanced Settings (Use Parent Group Policy) and a Policy list. The policies shown include "Allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable relative audit", "Block All P2P download tools", "Prevent deceiving from illegal SSL protocol certificate; enable URL filter" and "Anti-phishing webpage", each with an Enable option, and an <Add Policy> button.]

Group Name / Group Name List: Configures the name or name list of the subgroup(s).
Group Path: Configures the path of the parent group of the subgroup to be created. In this example the created subgroup belongs to the root group; the path is indicated by a backslash.
Description: Type a brief introduction for this newly created subgroup.

Then click the <Submit> button and the subgroup(s) will be added to the member list as shown below.

[Figure: Organization Structure page after the edit, showing Group Path, Description, the group zhy_123 with Source "Created by administrator", Group Information (Subgroups: 1; direct users: 5; total users including subgroups: 5), Operation Result "Edit group successfully", Advanced Settings, Access Control Policy, and the buttons Add Subgroup and Add User]
201. integrated with encryption algorithms and authentication algorithms such as MD5, SHA-1, DES, 3DES, AES and SANGFOR_DES. You can also add other authentication or encryption algorithms; if necessary, please contact SANGFOR. Note that MD5, SHA-1 and single DES are no longer regarded as secure; where the peer supports it, prefer AES over DES and 3DES and do not rely on MD5 for authentication.

13.3.12 Advanced

Advanced covers the configuration of LAN Service, VPN Interface, LDAP Server and Radius Server.

13.3.12.1 LAN Service

The SANGFOR IAM gateway device enables you to specify the access privileges of the VPN users, or even to specify that a branch VPN user or mobile VPN user IP address may access certain service(s) provided by a LAN computer; besides, it configures the service parameters of the inbound policy used for connecting to a third-party device. For example, to achieve the two requirements (a) only allow a user to access the WEB service provided by the headquarters WEB server, with other services unavailable to this user, and (b) allow one IP address of a branch VPN (branch1) to access the SQL server of the headquarters, with the other IP addresses of this branch unable to access this server, you have to configure the privilege of the relevant VPN user to the relevant service, so as to ensure the security of the VPN channels and achieve secure management.

[Figure: VPN Settings > LAN Service page listing All TCP Services and All UDP Services, each with Edit and Delete]
202. group policy.

[Figure: Member List, rows 3 to 10. Each user row shows Use parent group policy, Binding Information and Authentication Method: Password (customized password); user names visible include testuser and zhy. Buttons: Return to Upper Level Group, Generate Policy Report, Import Organization Structure.]

Till then the user is added successfully and the new user is listed in the Member List.

7.4.5 Edit User

Under the default configuration page of the Member List, click the name of a user to get into the configuration page of this user. The configuration page is as shown below.

[Figure: Edit User page, beginning with Login Name]
203. > Bridge IP List

Under Bridge mode the IAM gateway device supports VLAN TRUNK traversal. A bridge IP can be an IP address in an 802.1Q VLAN, which means the IAM gateway device can be transparently connected to the trunk link of a VLAN TRUNK. To configure the Bridge mode deployment to support VLAN TRUNK, go to the Gateway Mode > Bridge Mode > Bridge mode VLAN Settings page, as shown below.

[Figure: Gateway Mode > Bridging Direction > 802.1Q VLAN page. Enable / Disable. Format: one IP address per row; use slashes (/) to separate VLAN ID (2-4094), IP address and subnet mask, e.g. 20/10.0.1.55/255.0.0.0. VLAN Address List with columns VID, IP address and Subnet mask; buttons <Add>, <Clear List>, <Next>.]

Enter the VID, the VLAN IP address and the subnet mask, then click <Add>. If you have enabled functions that need traffic redirected to the IAM gateway device, such as the anti-virus function, email filter, ingress rule, WEB authentication, etc., you have to configure this IP address; otherwise you can leave the VLAN address list blank.

3.4.3 Bypass Mode

Without altering the network, an IAM gateway device in bypass mode can fulfil monitoring and controlling and avoids disconnecting the users. The IAM gateway device is connected to a mirror port or a hub, monitoring the overall local area network. Bypass mode has no influence on the network environment, and a device failure will not disconnect the network. Typical topology
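A validator for the VLAN address list format described above, as an added example that is not Sangfor code. It reads the format as the page states it (one "VID/IP address/subnet mask" row per line, VID in 2-4094) and rejects rows the device would have to reject: malformed rows, a VID outside the range, a non-contiguous mask, a host mask written in place of a subnet mask, and a duplicate VID. The sample rows are constructed; whether the device itself rejects duplicate VIDs is an assumption.

```python
# Added example (not Sangfor code): validating the "VID/IP/mask" rows of the
# VLAN address list before submitting them. Sample rows are constructed; the
# duplicate-VID check is an assumption about what the device enforces.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class VlanAddress:
    vid: int
    ip: str
    netmask: str


def parse_vlan_address_list(text: str) -> Tuple[List[VlanAddress], List[str]]:
    """Parse the list; return (valid entries, error messages with line numbers)."""
    entries: List[VlanAddress] = []
    errors: List[str] = []
    seen_vids = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("/")
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected VID/IP/mask, got {line!r}")
            continue
        vid_s, ip_s, mask_s = (p.strip() for p in parts)
        try:
            vid = int(vid_s)
        except ValueError:
            errors.append(f"line {lineno}: VLAN ID {vid_s!r} is not an integer")
            continue
        if not 2 <= vid <= 4094:
            errors.append(f"line {lineno}: VLAN ID {vid} outside 2-4094")
            continue
        try:
            addr = ip_address(ip_s)
            net = ip_network(f"{ip_s}/{mask_s}", strict=False)   # rejects non-contiguous masks
        except ValueError as exc:
            errors.append(f"line {lineno}: bad address or mask ({exc})")
            continue
        # ip_network also accepts a host mask such as 0.0.0.255; insist on a real IPv4 netmask.
        if not isinstance(addr, IPv4Address) or str(net.netmask) != mask_s:
            errors.append(f"line {lineno}: {mask_s!r} is not a valid IPv4 subnet mask")
            continue
        if vid in seen_vids:
            errors.append(f"line {lineno}: duplicate VLAN ID {vid}")
            continue
        seen_vids.add(vid)
        entries.append(VlanAddress(vid, str(addr), mask_s))
    return entries, errors


# Constructed input: one good row, one VID out of range, one non-contiguous
# mask, and one host mask written where a subnet mask belongs.
SAMPLE = """20/10.0.1.55/255.0.0.0
1/10.0.2.1/255.255.255.0
30/10.0.3.1/255.255.0.255
40/10.0.4.1/0.0.0.255
"""

if __name__ == "__main__":
    ok, bad = parse_vlan_address_list(SAMPLE)
    print(ok)
    print("\n".join(bad))
```

Only the first row survives; the other three are reported with their line number so the offending row can be corrected before the list is submitted.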
204. <Inverse>: Click the button to quickly select the needed services.
Allow / Deny / Delete: Click the button to allow, deny or delete the selected service(s).
<Move Up> <Move Down>: Click the button to move the selected service(s) up or down respectively.
Default Action: Select Allow or Deny to configure the default action of the current access control policy for the services that are not in the rule list above. This item functions together with the service(s) configured above.
If several policies are associated, adopt the default action of the next policy and continue matching downwards: If multiple access control policies are associated with a user or user group, uncheck this item and the Default Action of the current policy is adopted once the data packets have been matched against its rules; or check this item and the data packets continue to be matched against the service rules of the access control policies that follow.

Having completed configuring this page, you have to click the <OK> button to save the settings.

7.1.2.1.3 Proxy Control

Proxy Control: Check this item to activate the rules configured under it. The configuration page is as shown below.

[Figure: Edit Access Control Policy page for the policy template "prevent Trojan"; Description: identify risky Internet activity, alarm on information disclosure, deny malicious ...]
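How the Default Action and the "continue matching downwards" checkbox interact when several access control policies are associated with one user, as an added example that is not Sangfor code. The chain order, the policy names "office" and "mail" and the service rules are constructed for illustration.

```python
# Added example (not Sangfor code): evaluating a chain of access control
# policies with per-policy Default Action and the "continue to next policy"
# option described above. Policy and service names are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ServiceRule:
    service: str      # e.g. "HTTP", "FTP"
    action: str       # "allow" or "deny"


@dataclass
class AccessPolicy:
    name: str
    rules: List[ServiceRule] = field(default_factory=list)
    default_action: str = "deny"
    continue_to_next: bool = False   # the checkbox described above


def decide(policies: List[AccessPolicy], service: str) -> Tuple[str, str]:
    """Return (action, name of the policy that decided) for one service request."""
    if not policies:
        raise ValueError("no policy associated with this user")
    for pol in policies:
        for rule in pol.rules:                 # rules are matched top to bottom
            if rule.service == service:
                return rule.action, pol.name
        if not pol.continue_to_next:           # unchecked: this policy's default applies
            return pol.default_action, pol.name
    # Every policy continued past its own rules; the last policy's default decides.
    last = policies[-1]
    return last.default_action, last.name


def demo(continue_first: bool) -> List[Tuple[str, str]]:
    office = AccessPolicy("office",
                          [ServiceRule("HTTP", "allow"), ServiceRule("FTP", "deny")],
                          default_action="deny", continue_to_next=continue_first)
    mail = AccessPolicy("mail", [ServiceRule("SMTP", "allow")], default_action="deny")
    chain = [office, mail]
    return [decide(chain, s) for s in ("HTTP", "FTP", "SMTP", "SSH")]


if __name__ == "__main__":
    print(demo(continue_first=True))    # SMTP reaches the "mail" policy and is allowed
    print(demo(continue_first=False))   # SMTP is denied by the "office" default action
```

The SMTP case is the one to check when a user unexpectedly loses a service: with the box unchecked on the first policy, the second policy's rules are never consulted, so its allow rule has no effect.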
205. h characters. Having configured the above, you can <Preview> the page, <Save> the currently defined page, <Restore Previous Page> or <Restore Default Page>.

Chapter 13 Security

13.1 Gateway Antivirus

Gateway Antivirus is used for detecting and removing viruses contained in the data packets going through the IAM gateway device, and thus to assure the security of the LAN computers. The antivirus system of the IAM gateway applies to four common protocols, namely HTTP, FTP, POP3 and SMTP. The IAM gateway is built with a well-known antivirus engine from the Icelandic provider F-PROT, which has a high detection rate and effectiveness. The internal virus library of the IAM gateway device is updated together with the virus library of F-PROT, generally every 1 to 2 days. On the Gateway Antivirus configuration page you can view the expiry date of the update service and the release date of the current version, in addition to configuring the auto update time, importing the virus library, enabling the antivirus function for the four protocols, and configuring the antivirus-free website list and the antivirus file types. The displayed Virus Library Released On, Update Service Expired On and Auto Update Time are as shown below.

[Figure: Gateway Antivirus page showing Update Service Expired On 2011-05-17 and Virus Library Released On 2006-07-05]

A virus library release date that lags far behind the current date, as in this screenshot, means the library is not being refreshed and the engine is detecting only old samples; check the update server and proxy settings before relying on it.
206. h ends are different, as shown in the next figure.

[Figure: (1) wire sequence of a straight-through cable and (2) wire sequence of a crossover cable, pin by pin, on RJ-45 crystal heads. A straight-through cable uses the same sequence at both ends; a crossover cable swaps the orange and green pairs at one end.]

1.6 Wiring Method of Redundant System

If two SANGFOR IAM gateway devices are deployed to work in high availability (HA) mode, the wiring to the external network and the internal network should be as shown in the following figure.

External Lines: Use a standard RJ-45 Ethernet cable to connect the WAN1 interfaces of the two IAM gateway devices to the same switch (if the multi-line function is applied, the wiring is the same, but the WAN interfaces of the two gateway devices must be connected to the same external line), then use a standard RJ-45 Ethernet cable to connect the IAM gateway device to the other networking device, such as a router, fiber-optic transceiver or ADSL modem. Use the C
207. that could cause injury to the human body.
Note: Indicates a helpful suggestion or supplementary information.

Technical Support

For technical support, use the following methods:
Go to our official website: http://www.sangfor.com
Go to our technical support forum: http://www.sangfor.com.cn/forum
Call 800-830-6430 (fixed-line phone) or 400-830-6430 (mobile or fixed-line phone)
Email us at support@sangfor.com.cn

Acknowledgements

Thanks for using our product and user manual. If you have any suggestion about our product or user manual, please provide feedback to us by phone or email. Your suggestion will be much appreciated.

Chapter 1 IAM Installation

This chapter mainly describes the appearance of the SANGFOR IAM series hardware gateway device and its installation. After correct installation, you can configure and debug the system.

1.1 Environment Requirement

The SANGFOR IAM device requires the following working environment:
Input voltage: 110V-230V
Temperature: 10-50 C
Humidity: 5-90%

To ensure long-term and stable running of the system, the power supply should be properly grounded, dust-proofing measures taken, the working environment well ventilated and the indoor temperature kept stable. This product conforms to the requirements on environmental protection, and the placement, usage and disposal of the product should comply with the relevant national laws and regulations.

1.2 Power

The SANG
208. the exclusion rule, the firewall rule has the higher priority. As the IP address of an IM (instant message) server may vary from time to time, it is impossible to completely free IM traffic from monitoring with the exclusion policy configured here.

12.5 Page Customization

Page Customization enables you to design the pages that output prompts, such as authentication result, access denied, virus detected, Internet access timeout, network ingress client, modify user password, bulletin, file, etc.

[Figure: Advanced > Page Customization page. Custom Object: select object (Authentication result). Enable This Page: Enable / Disable (if Disable is selected, this page and the corresponding information will not appear). Edit the page in the following text box; it is recommended to edit the images and text description only (for any question, refer to Help). Further items: Excluded IP/Domain, Edit Page.]

The beginning of the default page source visible in the editor, reconstructed from the screenshot:

<html>
<head>
<meta http-equiv="expires" content="0">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<script language="JavaScript" type="text/JavaScript">
<!--
function onload1() {
    window.location = "http://www.baidu.com";
}
-->
</script>
209. the IP will be blocked for a certain time (Host Blocking Time After Attack is Detected).

Max Attack Packets Per IP: Configures the maximum number of packets (including SYN packets, ICMP packets and small TCP/UDP attack packets) from each IP or MAC address that the IAM gateway device allows in one second. If the number exceeds the limit configured here, the IP or MAC address will be blocked for a certain time (Host Blocking Time After Attack is Detected).

Host Blocking Time After Attack is Detected: Configures how long, in minutes, a host is blocked once the IAM gateway device detects that this host is initiating attacks.

It is strongly recommended to enable the anti-DoS function, which enables the IAM gateway device to efficiently defend against attacks initiated from external networks and to prevent the traffic congestion caused by the enormous and continuous packets sent by virus-infected LAN PCs.

LAN Address List is also recommended to be configured. This configuration helps defend against attacks initiated from masqueraded (spoofed) IP addresses. It is better to add all the LAN segments to the list, because data packets sent from IP addresses outside the list will be forwarded to the IAM gateway device and then dropped. If there is a LAN router or layer 3 switch, please DO add the routing device's interface IP that directly connects to the IAM gateway device to the LAN
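The per-IP packet-rate limit, the blocking time and the LAN Address List check described above, run over a constructed sequence of packet events, as an added example that is not Sangfor code. The threshold (5 packets per second), the blocking time (1 minute), the LAN segments and the source addresses are assumptions; the event list is constructed to show one host being blocked and released and one LAN-side packet with a non-LAN source being dropped as spoofed.

```python
# Added example (not Sangfor code): per-IP packet-rate limiting with a
# blocking time, plus the LAN Address List spoofing check, over constructed
# (timestamp, source IP, arrived-on-LAN-interface) events. Thresholds and
# addresses are assumptions.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[float, str, bool]   # (seconds, source IP, arrived on LAN interface)


class AntiDos:
    def __init__(self, max_packets_per_ip: int, block_minutes: int, lan_segments: Iterable[str]):
        self.max_pps = max_packets_per_ip
        self.block_seconds = block_minutes * 60
        self.lan_nets = [ip_network(n, strict=False) for n in lan_segments]
        self._window: Dict[str, Deque[float]] = defaultdict(deque)   # last 1 s of timestamps per IP
        self._blocked_until: Dict[str, float] = {}

    def _is_lan_address(self, ip: str) -> bool:
        a = ip_address(ip)
        return any(a in n for n in self.lan_nets)

    def handle(self, ts: float, src: str, on_lan_iface: bool) -> str:
        """Return 'forward', 'drop:blocked', 'drop:spoofed' or 'drop:attack'."""
        until = self._blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "drop:blocked"
            del self._blocked_until[src]             # blocking time has expired
        # LAN Address List: a LAN-side packet whose source is outside the list is spoofed.
        if on_lan_iface and not self._is_lan_address(src):
            return "drop:spoofed"
        q = self._window[src]
        q.append(ts)
        while q and ts - q[0] >= 1.0:                # keep only the last second
            q.popleft()
        if len(q) > self.max_pps:                    # over the per-second limit
            self._blocked_until[src] = ts + self.block_seconds
            q.clear()
            return "drop:attack"
        return "forward"


def run(events: Iterable[Event], max_pps: int = 5, block_minutes: int = 1) -> List[str]:
    guard = AntiDos(max_pps, block_minutes, ["192.168.1.0/24", "10.10.0.0/16"])
    return [guard.handle(ts, src, lan) for ts, src, lan in events]


# Constructed events: one host floods within a second, is blocked, and is
# released after the blocking time; another packet spoofs a non-LAN source.
SAMPLE_EVENTS: List[Event] = [
    (0.00, "192.168.1.10", True), (0.10, "192.168.1.10", True), (0.20, "192.168.1.10", True),
    (0.30, "192.168.1.10", True), (0.40, "192.168.1.10", True), (0.50, "192.168.1.10", True),
    (0.60, "203.0.113.7", True),      # LAN interface but a non-LAN source address
    (0.70, "203.0.113.7", False),     # the same source from the WAN side is ordinary traffic
    (5.00, "192.168.1.10", True),     # still inside the 60 s block
    (61.0, "192.168.1.10", True),     # block expired
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(ev, verdict)
```

The spoofing check is why the manual insists on listing every LAN segment, including the interface address of any inner router: a segment missing from the list is indistinguishable from a spoofed source and all of its traffic is dropped.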
210. the destination IP group on the IAM > Access Control Policy page > Access Control > Service Control.

[Figure: Object > IP Group page, listing the IP group ALL with description "All IP addresses"]

Click the <Add> button and the following Edit IP Group page pops up, as shown below.

[Figure: Edit IP Group page with Name, Description and IP Address (one IP address or IP range per row; IP range format: start IP-end IP, e.g. 192.168.0.1-192.168.0.3); <Add> / Auto Resolve; <Clear>]

Name: Names the newly created IP group.
Description: Type in a brief description for this IP group.
IP Address: Defines the IP addresses contained in the IP group. Select Add, type in the Start IP and End IP and click <Add> to add the IP address into the list, or select Auto Resolve, type in the domain name and click <Resolve> to have the resolved IP addresses listed. The resolved addresses are added to the list as they are at that moment, so a domain whose addresses change later needs to be resolved again.

Finally you h
211. the device are being bridged, the data of layer 2 and the layers above can traverse it. This feature of the IAM gateway device lets the DHCP service and the IP/MAC binding of the original gateway keep working. The NAT function is unavailable in Bridge mode. Under Bridge mode the VPN module on the local IAM gateway device is unavailable.

If you want to enable the anti-virus function, email filter, etc., or if you want the URL library, application identification library and virus library to be updated automatically, you need to configure the Bridge IP List, Default Gateway and DNS and make sure the IAM gateway device itself can access the external network; you can use ping to check the availability of the external network.

If you want to enable WEB authentication, ingress rules or other functions that need traffic redirected to the IAM gateway device, and there are several LAN segments, you must add a corresponding route for those segments pointing to the routing device.

If the computers behind a layer 2 switch are in multiple network segments instead of VLANs, the gateway should also have IP addresses in the multiple segments. In that case, if you want to enable functions that need traffic redirected to the IAM gateway device, such as the anti-virus function, email filter, ingress rule, WEB authentication, etc., the IP addresses of these network segments should also be configured on the Bridge Mode > Bridge Settings page.
212. the website.
40 Web Proxy: Web proxy websites.
41 Stock Quotes: Including equities, the fund's website message.
42 Compromised and Links to Malware: Sites that have been compromised by someone other than the site owner.
43 Spyware and Malicious Sites: Sites or software that installs on a user's computer to collect information without authorization.
44 Download Sites: Shareware, freeware and other legal software downloads.
45 Translator: Translate sites from one language to another.
46 Alcohol: Web pages that promote, advocate or sell alcohol, including beer, wine and hard liquor.
47 Pharmaceuticals: Prescribed medications and information about legal drugs, drug studies, etc.
48 Tobacco: Sites that promote or sell tobacco products such as cigarettes, cigars and chew.
49 Personal Webpages: Sites about or hosted by private individuals.
50 Humor: Comedians, comic strips, jokes and other humorous content or diversions.
51 Portal Sites: General sites with customizable personal home pages, parked domains and sites that co
52 Business Services: Any business offers or service.
53 Spam URLs: Web site links found inside spammed e-mails are automatically added to this list.
54 Miscellaneous: Websites that do not have any content, contain blank or missing pages, or that just do not

Each category has an Edit link. Below the list: Enter domain name; Browse; Upload. When the uploaded file is very large, ple
213. when Disclosure Alarm is enabled on the Advanced > Alarm page.
Enable alarm on multi-layer nested compression (more than 2 layers): Check this option and an alarm is given when a nested compressed file is detected.
Enable alarm-free extension: Check this option and enter the file type(s) exempt from the alarm. You can type several suffixes in the text box, separated from each other by an English comma.
Set administrator email address for this policy: Check this option and type the receiver of the alarm emails. To successfully send the alarm emails to the administrator email address and notify the administrator of the alarm information, you have to configure the options under Advanced > Alarm. For a detailed introduction to the configuration, refer to Section 12.1 Alarm.

Outgoing File Alarm is unavailable by default. If you want to activate this function, you have to activate the corresponding license. For the detailed operation, refer to Section 3.3 License.

To have the Outgoing File Alarm function work, you have to enable Audit files uploaded by FTP, Web Upload Audit and Audit outgoing emails; refer to Section 7.1.2.5 Application Audit.

When scanning a large compressed file package, it only scans 100 of the files in it and checks whether there are potential files that need an alarm; files beyond those 100 are not inspected. If an alarm email is to be sent, this alarm
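The nested-compression check and the alarm-free extension list described above, applied to ZIP archives built in memory, as an added example that is not Sangfor code. The depth limit (more than 2 layers), the comma-separated extension list and the 100-entry scan limit are taken from the text; ZIP as the archive format, the sample files and the per-member size cap (an added safeguard against decompression bombs) are assumptions.

```python
# Added example (not Sangfor code): nested-compression depth check, alarm-free
# extension list and the 100-entry scan limit, on ZIP archives built in
# memory. The size cap on expanded members is an added safeguard, not a
# documented device setting.
import io
import zipfile
from typing import Dict, Set

MAX_LAYERS = 2                # "more than 2 layers" raises the alarm
SCAN_LIMIT = 100              # only 100 entries of a package are inspected
MAX_MEMBER_BYTES = 1 << 20    # do not expand members larger than 1 MiB (assumption)


def parse_alarm_free(text: str) -> Set[str]:
    """Parse the comma-separated extension list, e.g. 'jpg, png,GIF'."""
    return {e.strip().lower().lstrip(".") for e in text.split(",") if e.strip()}


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nesting_depth(data: bytes, depth: int = 0) -> int:
    """0 for a plain file, 1 for a ZIP, 2 for a ZIP inside a ZIP, and so on."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return depth
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:SCAN_LIMIT]:          # entries past the limit are not inspected
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            deepest = max(deepest, nesting_depth(zf.read(info), depth + 1))
    return deepest


def should_alarm(filename: str, data: bytes, alarm_free: Set[str]) -> bool:
    """Alarm unless the extension is exempt or the archive has at most MAX_LAYERS layers."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in alarm_free:
        return False
    return nesting_depth(data) > MAX_LAYERS


# Constructed samples: one, two and three layers of compression.
ONE_LAYER = make_zip({"report.txt": b"quarterly numbers"})
TWO_LAYERS = make_zip({"inner.zip": ONE_LAYER})
THREE_LAYERS = make_zip({"middle.zip": TWO_LAYERS, "readme.txt": b"nothing to see"})


if __name__ == "__main__":
    free = parse_alarm_free("jpg, png")
    for name, blob in (("a.zip", ONE_LAYER), ("b.zip", TWO_LAYERS), ("c.zip", THREE_LAYERS)):
        print(name, nesting_depth(blob), should_alarm(name, blob, free))
```

Note the two ways the check can be sidestepped that follow directly from the rules as stated: an exempt extension is never inspected regardless of content, and entries beyond the scan limit are never opened, so keep the alarm-free list short and treat the 100-entry limit as a coverage boundary rather than a gu arantee.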
214. other channels.

Bandwidth Allocation Policy: Allocate evenly. Note: Data transmitted by different users will queue up and take turns for processing.
Max Bandwidth Per IP: Enable; Uplink 0 KB/s; Downlink 0 KB/s.
Schedule: On duty.
Valid Line: Line1.
Destination: ALL.
Enable This Channel: Enable / Disable.

Bandwidth Allocation Policy: Configures how the bandwidth is shared among the users and the specific service/application that this bandwidth channel policy applies to. Allocate evenly means that if there are 20 online users and the Guaranteed uplink bandwidth is 40 KB/s, each user is ensured at least 2 KB/s of uplink bandwidth.

Max Bandwidth Per IP: Click Enable and configure Uplink and Downlink to limit the maximum uplink/downlink bandwidth of a single user IP address respectively.

Max Bandwidth Per IP is configured as an absolute bandwidth value and is not affected by the other bandwidth settings, whereas Guaranteed Uplink/Downlink Bandwidth and Max Uplink/Downlink Bandwidth are configured as a rate, so the actual bandwidth they yield varies with the total bandwidth settings this channel is based on.

Advanced: Check this option to open the Advanced Option page. If you check the advanced option, the external IP address node will be taken as one member of the LAN user nodes; that is to say, the Allocation Policy and Max Bandwidth Per IP wil
215. this button to open the Search User dialog, type the user name and click the <OK> button to quickly search for the connection information of this user. The Search User dialog is as shown below.

[Figure: Search User web page dialog with OK and Cancel]

<Stop Service>: Click this button to stop the VPN service temporarily.

13.3.2 Basic Settings

Basic Settings covers the VPN connection related configurations, such as WebAgent information, MTU, minimum compression value, VPN listening port, VPN connection mode, broadcast and performance settings.

WebAgent: The WebAgent is the address on the WEB server where the dynamic IP addressing file is located. The configuration page is as shown below.

[Figure: VPN Settings > Basic Settings page. Primary WebAgent (shown as 10.254.254.254:4009); Secondary WebAgent; Change PWD; Shared Key; MTU; Min Compression Value; VPN Listening Port (default 4009); Change MSS only for UDP transmission; Directly connect / Indirectly connect; Performance and Broadcast; Test. Value-range hints are shown beside the numeric fields.]

Primary WebAgent / Secondary WebAgent: If the VPN headquarters uses a dynamic IP a
216. that require no authentication cannot be logged out.

[Figure: Online Users page with First / Prev / Next / Last / Go to Page paging, an <Unblock> button and an auto-update interval in minutes]

To unblock a user, just select the user and then click the <Unblock> button.

[Figure: Online Users page. Search Conditions: User Status (Online / Blocked); Search By (Group / User / IP range); Group Name (search for users in a specific group); Records per page. Prompt: "The number of users matching the search conditions is 0". Blocked User List: "Dkey users, temporary users and the users that require no authentication cannot be logged out"; First / Prev / 1 / Next / Last / Go to Page; Select All; Unblock.]

Click the <Auto Update> button and you will see that there is flow from the unblocked user, since the user IP address can access the Internet again.

10.1.2 Connection Ranking

Connection Ranking displays the number of active connections opened by the LAN users. It only displays the top 20 IP addresses by connection count. Click the <Refresh> button to view the latest data on the active connections opened by the LAN users, as shown below.

[Figure: Connection Ranking page with columns Host IP and Total Connections, e.g. 192.168.3.196 with 2 connections and 200.200.78.187 with 1 connection]
217. identity will be authenticated from top to bottom. For instance, if the four authentication methods are checked, the user has to pass the Custom password authentication, then the LDAP authentication, then the RADIUS authentication and finally the POP3 authentication; having gone through the four authentications, the user need not go through any other authentication.

Before generating a DKEY, please DO download and install the DKEY driver. After inserting the DKEY, you can click the <Generate DKEY> button. DKEY falls into two types: one is for authentication and the other is to prevent monitoring. These two DKEY types cannot be mixed up. If the DKEY is for authentication, you must NOT check Enable monitor-free Dkey when generating it; if the DKEY is to prevent monitoring, you must check Enable monitor-free Dkey when generating it.

Enter the IP address of the IAM gateway device in the IE browser and press the <Enter> key, and the Identity Authentication System page appears, as shown below.

(Screenshot: Identity Authentication System page: "Please login first"; links Homepage, Login, Logout, Modify password, DKEY client, Ingress client)

Click the <DKEY client> link to download and install the DKEY client, insert the DKEY and open the DKEY client. The system requires the DKEY password; enter the password to get authenticated. If it is a monitor-free DKEY, it al
218. idth may be used up, which may result in congestion of the lines.

9.3 Line Bandwidth

Line Bandwidth configures the actual uplink and downlink bandwidth of the external line(s). It is the basis of the Guaranteed Bandwidth and Limited Bandwidth configuration. The configuration page is as shown below.

(Screenshot: Line Bandwidth page: Line 2 Uplink / Downlink, in Kbps or Mbps. Operation Result: "Line 2 is not available because it is not defined as WAN interface")

Notes:

1. Bandwidth configuration can be in units of Kbps and Mbps.

2. Under the Bridge mode, the virtual line will be automatically enabled. A maximum of 4 virtual lines can be configured on each IAM gateway device.

Inappropriate line bandwidth settings will lead to waste of bandwidth (the value is lower than needed) or to congestion (the value is higher than needed).

9.4 Virtual Line

Virtual Line configures multiple virtual lines for a physical line. It is only available for Bridge mode deployment.

System Settings: Configures the uplink/downlink bandwidth of the virtual lines. Idle bandwidth of a virtual line cannot be bor
219. ill synchronize the domain users/user groups at a certain time between 0:00 and 5:00 o'clock; select Disable and the device will not synchronize the users/user groups.

LDAP Server: Configures the domain server that is to be synchronized. As to the configuration of the domain server, please refer to Section 7.3.1 LDAP.

Import OU: Configures the user group path in the IAM gateway device into which the synchronized users and organization structure are imported. Click the <Select> button to view the organization structure of the IAM gateway device, select a group/subgroup and then click the <OK> button.

Keep the relations: Check this option and the DC of the domain server will be imported together with the users and user groups.

Import Remote Target: Configures the organization unit (OU) of the domain server. Click the <Select> button to view the organization structure (in units of OU) of the domain server and select the needed OU.

Filter: Configures the filtering condition for synchronization according to the domain parameters. It is blank (no condition) by default.

Import From: Configures the OU starting from which the users and user groups are imported. Options are Specified OU and Sub OU of the specified OU. Specified OU indicates that it imports the users/user groups starting from the configured OU, while Sub OU of the specified OU indicates that it imports the users/user groups starting from the
220. ine Routing Policy default configuration page, click the <New> button to enter the Edit Multiline Routing Policy page, as shown below.

(Screenshot: Edit Multiline Routing Policy dialog: Description; Conditions: Source IP Range, Source Port Range, Destination IP Range, Destination Port Range, Protocol, Operation (Add); "When the above conditions are satisfied, the following routing policy will be adopted": Bandwidth stacking / Active/standby / Dynamic detection / Average distribution)

Click the <Add> button to enter the IP Range Settings configuration dialog, configure the IP addresses and ports and select a protocol, as shown below.

(Screenshot: IP Range Settings dialog: Protocol; Source IP: Start IP 192.168.1.20, End IP 192.168.1.20; Source Port: Start Port, End Port; Destination IP: Start IP 172.16.1.1, End IP 172.16.1.254; Destination Port: Start Port, End Port 65535)

Protocol: Select a protocol for data transmission. In this example it is TCP.

Source IP: Type a LAN IP address of the local terminal segment. In this example it is 192.168.1.20.

Source Port: Type a service port of the local terminal segment. In this example it is 20-21.

Destination IP: Type an IP address of the peer VPN segment. In this example it is the LAN IP range of Branch1, 172.16.1.1-172.16.1.254.

Destination
221. ing 0-1440 minutes. 0 indicates that the IAM gateway device will remind the user the moment it accesses the Internet.

Reminder Interval: Configures the interval at which the user is reminded. If the user has been reminded once but is still surfing on the Internet, the IAM gateway device will remind the user once again or more some time later, according to the configured Reminder Interval. Type a value ranging 0-1440; 0 indicates that the user will be reminded only once.

7.1.2.9.2 Flow Reminder

(Screenshot: Edit Access Control Policy > Flow Reminder: Single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Flow Reminder: Enable / Disable; Schedule: All day; Reminder Object; Statistics Period in minutes (value range 0-60); "Remind user when the average of Uplink flow exceeds ... Kbps over the statistics period specified above" (value range 0-1048576 Kbps; 0 indicates immediate reminder); Reminder Interval in minutes (value range 0-60; for a reminded user the system will check whether it is necessary to remind again after a reminder interval; 0 indicates reminding only once); "You can customize the Reminder page on the Advanced > Page Customization page")

Flow Reminder: Enable it to have the IAM gateway device record the online flow caused by the users and a
222. inieaci on

(Screenshot: System Status panel: Memory Usage 0.04 MB / 100.01 MB; Cached Objects: Memory objects 11, Disk objects 2; Optimization Status; Proxy Options)

Disk Usage: Displays the disk space utilized by, and the disk space available for, optimization.

Sessions: Refreshes and displays the total current sessions every five minutes.

Memory Usage: Displays the memory utilized by, and the maximum memory space available for, optimization.

Cached Objects: Displays the total cached objects in the memory and the total objects on the disk.

6.1.2 Optimization Status

Optimization Status displays the Optimization and Cache Hit information, as shown below.

(Screenshot: Optimization Status page. System Status: Disk Usage 0 GB / 4.75 GB; Sessions 0; Memory Usage 0.04 MB / 100.01 MB; Cached Objects: Memory objects 11, Disk objects 2. Optimization Status: Statistics Time (Last 24 hours / Last 7 days / Last 30 days), Save Preferences; Statistics Object (Flow / Flow speed); Flow Optimization Over Last 30 Days: Flow Reduction 2.3MB, WAN Flow 3.77MB)

Optimization displays two kinds of statistics objects: one is Flow and the other is Flow Speed, over a time unit of Last 24 hours, Last 7 days or Last 30 days.

Flow: Makes statistics of the traffic volume passing through, and the traffic volume saved by, the WAN optimization module. The saved traffic volume indi
223. irror port, the user has to get authenticated manually; that is to say, the user has to type the username and password when browsing a webpage.

7.2.2.2.3 Configuration

Check Enable POP3 SSO and type the IP address and port in the Login server text box, which will enable the IAM gateway device to listen to the authentication information when the client host gets authenticated through the POP3 server. If the authentication does not involve the IAM gateway device, SSO is available only when a listening port is configured first. As to the configuration of a listening port, please refer to Section 7.2.2.5 SNMP Option.

If the POP3 server is in the external network, to achieve SSO you have to check the option Allow users to access DNS service before authentication (on the IAM > Authentication Options page > Other Authentication Options) and grant the user's root group the privilege to access the POP3 server.

7.2.2.3 WEB SSO

Enable Web SSO: Check this option to enable the Web single sign-on function.

(Screenshot: Authentication Options > New User Authentication > SSO Settings: Enable Active Directory SSO; Help of SSO Usage; Enable POP3 SSO; Enable Web SSO; Web authentication server (format: IP, IP:port or server domain name/URL, e.g. http://www.sangfor.com.cn); Redirect to this page before authentication; User Table Name: name of the table that corresponds to the usernam
224. irst Prev 1 Next Last Goto Page; Records/page

(Screenshot: Specified Search: Search By (name / IP address / MAC address); Name: search for groups or users containing the name, leave it blank to search for all members under the current group; Authentication Method (Password / Dkey / None / Only allow SSO / All); Public user / Enabled user; Sort By Group)

<Search>: Click this button to have the matching subgroup(s) or user(s) displayed in the list that follows.

7.4.2 Add Subgroup

Under the Member List page, click the <Add Subgroup> button to add a subgroup. The configuration page is as shown below.

(Screenshot: Organization Structure > Add Subgroup: Add Object (Single subgroup / Multiple subgroups); Group Path; Source; Group Information; Advanced Settings: Use Parent Group Policy; policy list with descriptions, e.g. "Allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable relative audit", "_Template Block All P2P: Block all P2P download tools", "_Template Anti-fishing webpage: Enable prevent deceiving from illegal SSL protocol certificate, enable URL filter"; Add Policy)

Add an object: Single subgroup or Multiple subgroups, to add one subgroup or multiple subgroups at one time respectively. If Multiple subgroups is selected, you can add a number of subgroups at a time that share the same properties. The configuration pa
225. is the corresponding DHCP Service Interface IP of the device; DNS is the DNS server IP provided by the local ISP (a maximum of two DNS servers are supported; if neither DNS is configured, no DNS will be allocated to the client-end computer); WINS is up to your specific application, either filled in or left blank.

DHCP IP Ranges: Type the start IP and end IP respectively in the Start IP and End IP text boxes and then click <Add> to add the IP range into the list.

DHCP Reserved IP: Configures the reserved IP address; this reserved IP address will be allocated to the corresponding computer according to the MAC address or hostname. Click <Add Reserved IP> and enter the Username, IP Address, MAC Address and Hostname, among which Username is a user-defined name and IP Address is a private network IP address that is to be reserved for this user. The IP address reserved by the DHCP for this user can be bound according to the MAC Address or Hostname. Select a user, type the MAC Address and Hostname and click <Obtain by IP> to get the corresponding parameter. Finally, click the <OK> button to save the above settings.

Be noted that the DHCP IP ranges configured here must not conflict with the static IP addresses of other working LAN computers. Generally, the IP addresses in the DHCP IP range list must not be IP addresses whose last octet is 0 or 255, for
226. isplays the information of the WAN interface. It can be defined as the third external line as well as a LAN interface or DMZ interface.

Multiline Settings: Displays the line selection policy selected. Click the <Configure> button to get into the configuration page and alter the line selection policy. Four policy options are available, with explanations above them. Multiline Settings is suitable for networking that consists of multiple external lines.

3.6 Multi-Node Sync

Environment for multi-node synchronization: Two IAM gateway devices, A and B, are located in the local area network. Both of them work in Bridge mode. Internet access requests of the LAN users pass through device A or B; user information and access control policy are configured on IAM gateway device A.

Requirement: IAM gateway device A synchronizes IAM gateway B with the user information in real time. The deployment of the multi-node system is as shown below.

(Figure: multi-node deployment)

The Multi-Node Synchronization configuration page is as shown below.

(Screenshot: System > Multi-Node Synchronization page: Communication Interface; Multicast IP Address; Online List; Operation information; Enable
227. its the website of the webpage that the LAN users are going to visit and the file name downloaded from the webpage.

Email Audit: Audits all the email information received or sent through SMTP or POP3.

IM Chat Content Audit: Audits the chat contents and behaviors through IM software such as MSN, Yahoo Messenger, GTALK and Fetion, etc.

FTP Audit: Audits the file names of the files uploaded or downloaded through FTP.

Telnet Audit: Audits the commands executed by the LAN users through Telnet.

Web Content Audit: Audits the title and content body of the webpage. It is only applicable to webpages containing the configured keyword(s).

Enable/Disable: Select it to enable or disable the audit function over web content. The audited items fall into: Audit titles and contents of all visited webpages; Audit titles of all visited webpages; and Audit webpages containing the keywords whose action is Record or Record and Deny.

Deny access to the webpages containing the keywords whose action is Deny or Record and Deny: Check this option to deny the webpage access if the webpage contains keywords whose action is Deny or Record and Deny.

Select the needed item, add the keyword group and select the corresponding Action and Schedule. As to the configuration of keywords, please refer to Section 7.1.2.2.3 under the IAM > Access Control Policy > Edit Access Control Policy page > Web Filter. Having compl
228. ity to define the audited and selected emails.

Chapter 10 Internet Access Audit

Internet Access Audit covers Realtime Logs, Audit Log Maintenance, Data Center Settings and Enter Data Center. The default configuration page of Internet Access Audit is as shown below.

(Screenshot: Internet Access Audit > Realtime Logs page: Block User (Block selected user for ... minutes); Search by User; Display Option: Top 10; Refresh Interval: 5 seconds; Note: "When CPU usage is high and the page cannot be switched, please click Stop Refresh to stop automatic refresh"; Downlink Flow Speed Ranking; Uplink Flow Speed Ranking)

10.1 Realtime Logs

Realtime Logs includes the information of Flow Ranking, Connection Ranking, Connection Monitoring and Behavior Monitoring.

Flow Ranking: Displays the real-time flow information caused by the LAN users getting access to the Internet.

Connection Ranking: Displays the number of active connections caused by the LAN users.

Connection Monitoring: Displays all the connections
229. ization

(Screenshot: Page Customization page. The Edit Page text box holds the page's HTML source, ending with the body and html closing tags. Upload Image (format: jpg or gif; the image file name should contain English characters only). Note: "To display an image, type images/[image file name].[extension] behind the tag src in the above text box. The supported image formats are gif and jpg, and the file name is case-sensitive." Buttons: Preview, Save, Restore Default Page, Restore Previous Page)

Custom Object: Select a needed object page. Options are Authentication Results, Access Denied, Virus Detected, Internet Access Timeout, Network Ingress Client, Modify User Password, Bulletin File, Web Authentication, Online Duration Reminder, Internet Flow Reminder, PC Proxy Prompt and Anti-proxy Reminder.

Enable This Page: You are recommended to check Enable. If Disable is checked, the corresponding prompt page will not pop up.

Edit Page: The IAM gateway device provides the code of some pages. You can modify the code to define the prompt page. You are recommended to modify only the words and pictures displayed on the page; modification of other parts may result in failure of the links.

Upload Image: To insert a picture into the page, click the <Browse> button to upload the picture (only jpg and gif formats are supported). The picture name consists of only Englis
230. k the <Browse> button to upload an access control policy and then click the <Import> button to import the policy into the IAM gateway device.

<Download Policy Template>: Click this link to download the internal policy templates of the IAM gateway device.

<View Associated User>: Click this operation link in the access control policy list to view which group or user has referenced this policy, as shown below.

(Screenshot: Associated User/Group page: "Policy _Template prevent file leakage is associated with the following user or group"; pager First / Prev / 1 / Next / Last, Go to Page, Records/page 50)

<Rename>: Click this operation link in the access control policy list to rename the policy, as shown below.

(Screenshot: Access Control Policy page with the rename text box)

Type the new name in the text box and then click the <OK> button to save the settings.

7.1.1 Add Access Control Policy

Under the default configuration p
231. ks or registered trademarks of SANGFOR Technology Co., Ltd. All other trademarks used or mentioned herein belong to their respective owners. This manual shall only be used as a usage guide, and no statement, information or suggestion in it shall be considered as an implied or express warranty of any kind unless otherwise stated. This manual is subject to change without notice. To obtain the latest version of this manual, please contact the Customer Service of SANGFOR Technology Co., Ltd.

SANGFOR IAM v2.1 User Manual

Preface

About This Manual

The IAM 2.1 User Manual includes the following chapters:

Chapter 1 IAM Installation: The product appearance, function features and performance parameters of the IAM gateway device, and wiring and cautions before installation.

Chapter 2 Console: How to use the console and the general operations on the console.

Chapter 3 System Status: How to configure the device related options, including status displays, license, gateway mode, network interface, multi-node synchronization, WEBUI, system date and time, backup/restore, reboot, maintenance and update.

Chapter 4 Object: Some related objects of the IAM gateway and the configuration of each of them, including the internal application intelligent identification rules, user d

Chapter 5 Firewall

Chapter 6 WAN Optimization

Chapter 7 IAM

Chapter 8 Bandwidth Management

Chapter 9 Delayed Email Audit

Chapter 10 Internet Access Audit
232. l this item and the access control policy will check whether the certificate signature of the ActiveX control exists in the Trusted Root Certificate List. If the certificate does not exist in the list, the ActiveX control will be filtered. As to the management of certificates, please refer to Section 4.11 SSL Certificate.

Denial ActiveX Control List: Configures the keywords that may be contained in the ActiveX control, one ActiveX control or issuer per row. If the keyword is detected in the plug-in, it will be filtered. It should be noted that the keyword configured here does not support wildcard characters; the length of each keyword is within 64 bytes and the total number of keywords is within 32.

Only Allow the Following ActiveX Controls: Check this item and you can configure the conditions for installing ActiveX controls. The to-be-installed ActiveX control will be marked as secure if it matches any of those in the Internal ActiveX Controls List. In this way, the LAN users can be protected from potentially malicious plug-ins from external networks.

(Screenshot: Edit Access Control Policy: Policy: _Template Basic Internet Access Audit; Description: Allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable relative audit; Expiry Date: Never expire / Expired on; Status: Enable / Disable; ActiveX Filter: Enable ActiveX Filter to filter browser ActiveX; Verify digital signature of ActiveX
233. l Group; Generate Policy Report; Import Organization Structure

Enter the 2222 configuration page and click the <Import Organization Structure> button to import the 2222 hh. The imported results are displayed as shown below.

(Screenshot: Organization Structure > Group Settings: Group Name 2222; Group Path; Description 2222; Source: Created by administrator; Group Information: Subgroups 2, direct users 0, total users including subgroups 1; Operation Result: "Import failed. File is invalid or group/user is null"; Advanced Settings; subgroup list: 1. gw 1 (/2222, Use parent group policy, Subgroup Count 0, User Count 1); 2. hor (/2222, Use parent group policy, Subgroup Count 0, User Count 0); Return to Upper Level Group; Generate Policy Report; Import Organization Structure)

The export and import functions are only available for the subgroup members. User members cannot be exported or imported in that way, for different users on the SANGFOR gateway cannot have the same name, while groups can share a name as long as the groups are on different paths.

Access Control Policy: configures and manages the access control policy/policies of the current group. The configuration page is as shown below.

(Screenshot: Organization Structure page: Group Path; Source: Created by administrator; Group Information: Subg
234. l also be applied to the external IP address(es), which will lower the performance of the IAM gateway if there are many external nodes. The configurations are as shown below (in red).

(Screenshot: Edit Bandwidth Channel: Channel Name (format: one channel name per row; the name cannot be repeated); Service/Application: Custom; User/Group: Custom; Channel Type: Guaranteed channel / Limited channel; Priority: Low (the high priority channel has the first opportunity to use the idle bandwidth of other channels); Max Uplink Bandwidth and Max Downlink Bandwidth (will borrow idle bandwidth from other channels); Bandwidth Allocation Policy: Allocate evenly (Note: data transmitted by different users will queue up and take turns for processing); Max Bandwidth Per IP: enable, Uplink KB/s, Downlink KB/s; Advanced Option: Take WAN IP address as user within the channel (the Bandwidth Allocation Policy "allocate evenly" and Max Bandwidth Per IP will also apply to the WAN IP address; typically selected for servers providing services to the WAN; please select with caution); Valid Line; Destination: ALL; Enable This Channel: Enable / Disable)

Schedule: Configures the time period during which this bandwidth channel policy is valid.

Valid Line: Configures the external line to which this bandwidth channel policy applies.

Destination: Configures the destinatio
235. l

(Screenshot: System > Route > Policy Routing page, with Target Line set to Line 1; side menu also lists Network Interface, Multi-Node Sync, Date/Time, Administrators, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update and Static Routing)

Policy Name: Type in a unique name for this policy-based routing to distinguish it from others.

Source IP / Destination IP: Configures the source IP / destination IP of the data packet to which this policy routing applies. Four options are available, namely All, Single IP, IP range and Subnet.

Protocol: Select a protocol for data packet transmission: All protocol, TCP, UDP, ICMP or Others. For the TCP and UDP protocols, you have to configure Source Port and Destination Port; for the Others option, you have to enter the Protocol Number.

Source Port / Destination Port: Configures the source port and destination port of the data packet to which this policy-based routing is applied.

Target Line: This target line is the outgoing line of the data packet if all the conditions configured above are matched.

Configuration Example of Policy Routing: Suppose the IAM gateway device has two external lines: Line 1 is of CHINA NETCOM, Line 2 is of CHINA TELECOM, and the IP range of CHINA TELECOM is 221.199.32.0/20. We design a routing based on Destination IP 221.199.32.0/20 and Destination Port 80; all data packets matching it pass through the Target Line, Line 2. To achieve traffic control of Internet access
236. le

(Screenshot: Firewall Rules LAN<->DMZ list. Rule 2 "Pass UDP": service LAN_UDP_Service, action Allow, LAN<->DMZ, source ALL, destination ALL, Disable; rule 3 "Allow To Ping": service Ping, action Allow, LAN<->DMZ, source ALL, destination ALL, Disable. Operations: Select All, Add, Edit, Up, Down. Side menu: DMZ<->WAN, WAN<->LAN, VPN<->WAN, VPN<->LAN, LAN<->LAN, DMZ<->DMZ, NAT Rules, Anti-DoS, ARP Protection)

Under the above configuration page, click the <Edit> button and the Edit Firewall Rule (LAN<->DMZ) configuration page appears. Click the <Enable> button to enable this rule, or click the <Add> button and the Edit Firewall Rule (LAN<->DMZ) configuration page pops up, as shown in the following figure.

(Screenshot: Edit Firewall Rule (LAN<->DMZ): Rule Name; Description; Sequence Number; Direction: LAN->DMZ / LAN<-DMZ; Action: Allow / Deny; Service: All_TCP_Service (Add Service); Source IP Group: ALL (Add IP Group); Destination IP Group; Schedule: All day (Add Schedule); Enable Rule: Enable / Disable; Enable Log: Enable
237. le

(Screenshot: Windows Server "Manage Your Server" window. Domain Controller role: "For administering and publishing information in the directory", Manage users and computers, Review the next steps for this role. DNS Server role: "Domain Name System (DNS) servers translate domain and computer DNS names to IP addresses", Manage this DNS server, Review the next steps for this role. "Don't display this page at logon")

Right-click the to-be-monitored directory in the pop-up window and click Properties, as shown below.

(Screenshot: Active Directory Users and Computers context menu: Delegate Control, Connect to Domain, Connect to Domain Controller, Raise Domain Functional Level, Operations Masters, New, All Tasks, View, New Window from Here, Refresh, Properties ("Opens property sheet for the current selection"))

Select Group Policy and then Default Domain Policy, as shown below.

(Screenshot: yuanbo.163.com Properties dialog, Group Policy tab: "Current Group Policy Object Links for yuanbo"; Group Policy Object Links: Default Domain Policy, with No Override and Disabled columns; "Group Policy Objects higher in the list have the highest priority. This list obtained from
238. le Type, Rule Name, Description, Process Settings (including Process Name, Window Name, Application Path, Application MD5, File Size, etc.) and Operation (Deny Internet access, Stop Process or Submit report only). Having completed configuring this page, click the <OK> button to save the settings and add this ingress rule to the Ingress Rule List.

The File ingress rule controls the files on the LAN computers that get access to the Internet through the IAM gateway device. If you enable this type of ingress rule, the IAM gateway will detect whether a certain file (for instance a dll file) is present and thereby check whether the LAN computer has installed the specific software. The configuration page of the File ingress rule is as shown below.

(Screenshot: Edit Ingress Rule: Classification: Operating System / Process / File / Registry / Task Plan / Others; Rule Type (contains 1-95 bytes and cannot contain the listed special characters); Rule Name; Description; User's computer must contain the following file / User's computer must not contain the following file; File Path; File Attributes: File MD5, File Size, Update Date (... days later); Operation: Deny Internet access)

Configure Rule Type, Rule Name and Description. File Attributes: Options are User's computer must contain the following file and User's computer must not
239. le program, Jscript and VBscript.

Task Path: Type in the detailed path where the task script is saved on the local client-end PC.

The Others ingress rule can fulfill IP/MAC binding over the layer 3 switch and ban the client end from logging into a LAN PC as administrator to access the Internet, which can avoid virus infection. The Others ingress rule configuration page is as shown below.

(Screenshot: Edit Ingress Rule: Classification: Others; Rule Type (contains 1-95 bytes and cannot contain the listed special characters); Options: "To prevent virus, system file altering and registry altering, deny Internet access for Admin"; "Authenticate IP/MAC at the client side (only applied to the users that bind IP address and MAC address)")

Configure Rule Type, Rule Name, Description, etc.

Options: Check Authenticate IP/MAC at the client side to realize IP/MAC binding over the layer 3 switch; check To prevent virus, system file altering and registry altering, deny Internet access for Admin to ban the client end from logging in to a LAN PC as administrator to get access to the Internet.

Having completed configuring this page, you have to click the <OK> button to save the settings and add the ingress rule to the Ingress Rule List.

The condition for applying an ingress rule to bind IP/MAC is that the PC and the IAM g
240. le this module respectively.

Cache Usage: Displays the utilized maximum memory space and disk space. Click the <Clear Cache> button and it prompts whether to continue the operation, as shown below.

(Dialog: Microsoft Internet Explorer: "Clearing cache will reduce the cache hit rate. Are you sure to continue?")

If you confirm to clear the cache, just click the <OK> button.

Parameter Settings covers Basic Settings and Advanced Settings, as shown below.

(Screenshot: WAN Optimization > Proxy Options page. Cache Time Settings: Shortest Update Interval in minutes (default 30; the cache object whose valid period is smaller than this value will not be updated even if it is expired); Continue caching ... days after expiration (default 12; the expired cache object will be updated after this time period). Other Settings: Limit memory cache size to smaller than ... MB (the system will automatically select the memory cache size according to the idle memory; recommend leaving it blank); Do not cache objects greater than 2048 KB (default 2048; value range 8-10240); Excluded Website: When the websites specified in the following list are ac
241. le users to sign on to the same account (multi-user login). Check this option and this account (username and password) can be used by multiple users to log on. 7.4.5.4 Expiry Date. Expiry Date: two options are available. One is Never getting expired and the other is Expired on some day. If Expired on is selected, the username will get expired after the configured date. Date format is yyyy-mm-dd, for instance 2009-06-12. The configuration page is as shown below. [Screenshot: Edit User page. Basic Settings: Login Name, Description, Display Name (cannot contain the special characters), Current Group, Source (Created by administrator). Advanced Settings: Access Control Policy; Bind IP / Bind MAC / Bind both IP and MAC / No binding, with Format Instruction, Binding, Scan MAC address, Clear List, Group, Select; Enable This User: Enable / Disable.] 7.4.5.5 Enable This User. Enable This User configures whether to enable or disable this user. If Disable is selected, this user will get invalid. If more than one Password authentication methods (Custom password, LDAP authentication, RADIUS authentication and POP3 authentication) are checked
242. lect All [Navigation menu: VPN<>WAN, VPN<>LAN, DMZ<>DMZ, NAT Rules, Anti-DoS.] 5.1.7 DMZ<>DMZ. DMZ<>DMZ configures the data transmission between the DMZ1 interface (DMZ interface on the IAM gateway device) and the DMZ2 interface (the WAN2 interface on the IAM gateway device), or configures the communication among the IP addresses of different segments that are bound with the DMZ interface. The service can be all the services of a certain protocol or a user-defined service. For detailed configurations please refer to Section 5.1.1 LAN<>DMZ. The default configuration page is as shown below. [Screenshot: Firewall Rules > DMZ<>DMZ page.] 5.2 NAT Rules. NAT Rules covers SNAT and DNAT configurations. The default configuration page is as shown below. [Screenshot: NAT Rules page with an example rule (interface LAN, direction In, Enable, WAN, 192.168.76.0 / 255.255.255.0, Internet access) and buttons Select All, Inverse, Add, Delete, Enable, Disable, Move Up, Move Down; submenu SNAT, DNAT, Anti-DoS, ARP Protection.] 5.2.1 SNAT
243. lications only based on HTTP protocol, you need to set the Action to Allow for all the HTTP application types and the DNS application type. <Select All> <Inverse>: click the button to quickly select the needed applications. <Allow> <Deny> <Delete>: click the button to allow, deny or delete the selected application(s). <Move Up> <Move Down>: click the button to move up or move down the corresponding selected application(s). Default Action: select Allow or Deny to configure the default action of the current access control policy for the application rules that are not in the above rule list. This item functions in association with the applications configured above. If several policies are associated, adopt the default action of the next policy and continue matching downwards: if multiple access control policies are associated with a user or user group, uncheck this item and the Default Action of the current policy will be adopted after the data packets complete matching its rules, or check this item and the data packets will continue to match the application rules of the access control policies that follow. Having completed the configuration on this page, you have to click the <OK> button to save the settings. 7.1.2.1.2 Service Control. Service Control configures the destination IP address, port and time schedule of the data packets, based on which certain application will be ins
244. licy Name, Source IP, Peer Device, Security Option, Service, Description, Operation. [Screenshot: Policy Settings dialog. Policy Name; Source IP Type: Single IP; IP Address; Peer Device; Security Option: Default Security; SA Lifetime: 25500 seconds; Service: All Services; Schedule: All day; Allow in the above schedule / Deny in the above schedule; Enable Expiry Time, Expiry Time; Enable This Policy; Perfect Forward Secrecy.] 13.3.10.4 Inbound Policy. Inbound Policy configures the rule used for data transmission from the peer device to the local device. Click the <New> button and the corresponding Policy Settings appears, as shown below. [Screenshot: Inbound Policy page with columns Policy Name, Source IP, Peer Device, Inbound Service
245. loaded From the Following Websites (Not filter ActiveX controls downloaded from the following websites): you can add the websites among those in the white list group which will not be filtered; the access control policy will not filter the plug-ins of the websites in this list. As to the configuration of a white list group, please refer to Section 4.7 White List Group. Click the pull-down menu and select a needed white list, then click the <Add> button to add the white list to the box. To remove a white list from the box, just select the white list and click the <Remove> button. Having configured all the filtering conditions, you have to click the <OK> button to save all the settings. Note: ActiveX Filter is only applicable to the ActiveX controls. Some ActiveX controls are not downloaded from the currently visited page but from the link of another website. To get to know the source of the plug-in, the LAN user can enter the Data Center and view the Website Access (website browse) statistics. If this plug-in is filtered, detailed information of this plug-in will be recorded in the Data Center. 7.1.2.2.6 Script Filter. Internet security increasingly becomes a severe problem: visiting a bad website will infect the device with a Trojan or other kinds of viruses, which are caused by running risky scripts. The SANGFOR IAM gateway device can identify the features of the scripts of the browsed
246. mail address of the administrator to which the alarm emails are delivered when risky behavior is detected. To have the administrator receive the email notice that risky behavior is detected, you have to configure the corresponding options in the Advanced > Alarm page. For detailed configuration please refer to Section 12.1 Alarm. Notes: the Risk Ident function is disabled by default; if you want to activate this function you have to activate the corresponding license (as to the detailed operation please refer to Section 3.3 License). Alarm Level and Intercept Level must not be higher than Identification Sensitivity. To have the Outgoing Email Identification function work, you have to enable Email Audit and configure the corresponding options; for details please refer to Section 7.1.2.5 Application Audit. 7.1.2.9 Reminder. Reminder can warn the users of their behaviors, online time, flow and bulletin, etc. It covers the configurations of Time Reminder, Flow Reminder and Bulletin Page. 7.1.2.9.1 Time Reminder. [Screenshot: Edit Access Control Policy page. Single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Online Duration Reminder: Enable / Disable; Schedule: All day; Reminder Object Type; Reminder Time: Remind User When Online Duration Exceeds _ minutes; Value range
247. mary node in 10 seconds, the standby node will think the primary node got down and switch from Standby status to Active status automatically. Click the <Interface Detection> button to enter the Network Interface Detection dialog and select the network interface(s) of the host to be detected. If any of the selected network interfaces is down, the standby node switches to Active status. The interface can be any of the device interfaces that connect to the public network. The configuration page is as shown below. [Screenshot: Network Interface Detection dialog; Interface Detection: Select VLAN, DMZ Interface, Line 1, Line 2, Line 3, Line 4.] Chapter 4 Object. Object covers configuration of Application Ident Rule, Intelligent Ident Rule, Server IP Group, Schedule, URL Group, White List Group, Keyword Group, File Type Group, Ingress Rule and SSL Certificate. 4.1 Application Ident Rule. Download software such as BT, eMule, etc. consumes lots of bandwidth resource; IM software such as QQ, MSN and stock trading software, etc. definitely occupies the office hours and lowers working efficiency. Though most of the enterprises issue regulations to ban their staff from using these software tools, they can do nothing to prevent their staff from using them, for nearly all of these software tools are designed to be able to shy away from the general fire
248. men [Screenshot: Bandwidth Status page. Running Status: WAN Speed (Realtime Speed, Bandwidth Usage, History Speed, History Flow per line, Line Bandwidth, Total Speed); Advanced Information (Realtime Speed, History Speed, History Flow, Total Speed); Display History, Save, Stop, Refresh, Option Info (Last 5 minutes), Preferences.] 8.2 Bandwidth Settings. Bandwidth Settings configures the bandwidth allocation for each line. The configuration page is as shown below. [Screenshot: Bandwidth Settings page. Bandwidth Management: Enable / Disable (Bandwidth Management is currently Enabled); Line: All; Advanced Settings; Bandwidth Status; Fold All, Unfold All, Move Up, Move Down, Move To. Channel list columns: No., Name, Service, Application, Object, Destination IP Group, Schedule, Valid Line, Guaranteed Bandwidth, Max Bandwidth, Max Bandwidth Per IP, Priority, Status; example rows on Line 1 (On duty, 64KB/200KB guaranteed and max bandwidth, no per-IP limit, High priority, Disabled) and a Default Channel (All, All day, All lines, 64KB/200KB, High priority, Enabled). Add or edit multiple channels using _ as template.] Bandwidth Management S
249. ment must use SSO, but users that require DKEY or no authentication are excepted. [Screenshot tabs: Page Display After Authentication, Authentication Conflict Settings, SNMP Option (Enable it when the device requires crossing the layer 3 switch and binding MAC address): Enable / Disable.] Redirect to this page before authentication: check this option and the webpage being browsed will be redirected to the configured page for Web SSO if the user has not been authenticated yet. User Table Name: configures the name of the user table to be handed in to the server when the user is getting Web authentication. Keyword indicating success / Keyword indicating failure: configures the keyword according to which the Web SSO authentication of the user is identified as a success or a failure. If you have checked Keyword indicating success and the keyword is contained in the return results of the POST, the authentication would be regarded as a success. If you have checked Keyword indicating failure and the keyword is contained in the return results of the POST, the authentication would be regarded as a failure. The length of the keyword and table for Web authentication must be less than 96 bytes and cannot be 0. If the authentication does not have the IAM gateway device get involved, SSO is available only when a listening port is configured first. As to the configuration of a listening port, please refer to Section 7.2.2.5.
250. mmended that the displayed records per page be no more than 200. User Status: configures the status of the user(s) searched for, Online or Blocked. If the selected User Status is Blocked, the blocked users will be displayed in the Blocked User List, as shown below. [Screenshot: Online Users page. Search Conditions: User Status (Online / Blocked), Search By (Group / User / IP range), Group Name (search for users in a specific group), Records/page; prompt: the number of users matching the search conditions is 0. Blocked User List (DKEY users, temporary users and the users that require no authentication cannot be logged out); paging: First, Prev, Next, Last, Go to Page.] Blocked User List: displays the information of the blocked user(s), including No., Login, Display Name, Authentication Method, Group, IP Address, Blocking Form and Left Blocking Time. <Unblock>: click this button to unblock the selected blocked user(s). Having been unblocked, the user can then get access to the Internet through the IAM gateway device. Chapter 8 Bandwidth Management. The SANGFOR IAM bandwidth management (BM) module enables you to configure assured bandwidth and bandwidth limitation for the external lines and bandwidth channels. It can guarantee the bandwidth for accessing some im
251. mory 3194665943 [Screenshot: System Logs page; sample entries as captured: Access Log, System, Information, 16:09:10, aclog cpp 134 Shared memory ok mem file Amp 3194685943; Access Log, System, Information, 16:09:10, aclog cpp 315 Receive action watch cmd; Generate Intermediate Report, Information, 16:07:24, Make mid table thread is working; WAN Optimization, Alarm, 15:40:22, work_server cpp 754 System pressure going down notify the driver to continue forwa; WAN Optimization, Alarm, 15:40:12, work_server cpp 733 System pressure is too heavy notify the driver to bypass; NTLM Authentication, Alarm, 15:38:29, ntlm cpp 185 Failed to connect domain controller 200.200.0.1; Socks5 Proxy, Information, 15:38:29, socks_main cpp 545; NTLM Authentication, Information, 15:38:20, ntlm cpp 426 Start ntlm authentication service.] 11.1 System Logs. System Logs displays the running information of each function module of the IAM gateway device. With the help of these logs you can tell whether each module is working normally. The page is as shown below. [Screenshot: System Logs page; entries as captured: Access Log, System, Information, 16:17:06, aclog cpp 151 delete file Amp3194655945; Access Log, System, Information, 16:11:06, aclog cpp 145 Release action watch shared memory 5194655943; Access Log, System, Information, 16:09:10, aclog cpp 134 Shared memory ok
252. n IP address to which this bandwidth channel policy applies. Enable This Channel: select Enable or Disable to have this bandwidth policy get valid or invalid respectively. 8.2.1.2 Add Child Bandwidth Channel. The SANGFOR IAM gateway allows you to further define an existing bandwidth channel and to divide its bandwidth more finely. Under the Bandwidth Settings configuration page, select an existing bandwidth channel and then click the <Add Child Channel> button to enter the Edit Bandwidth Channel page to add a sub-channel. [Screenshot: Bandwidth Settings page. Bandwidth Management: Enable / Disable (Bandwidth Management is currently Enabled); Filter Line: All; Advanced Settings; Exclusion Policy; Fold All, Unfold All, Move Up, Move Down, Move To. Channel list columns: No., Name, Service, Application, Object, Destination IP Group, Schedule, Valid Line, Guaranteed Bandwidth, Max Bandwidth, Max Bandwidth Per IP, Priority, Status, Select; example rows on Line 1 (On duty, 64KB/200KB, no per-IP limit, High priority, Disabled) and a Default Channel (All, All day, All lines, 64KB/200KB, High priority, Enabled). Add or edit multiple channels using _ as template.] The rate configured and bandwidth cal
253. n click the link <Modify Password> to enter the Modify Password page to replace the old password with a new one, as shown below. [Screenshot: Identity Authentication System page ("Please login first") with links Homepage, Login, Logout, Modify password, DKEY client, Ingress client; Modify Password page.] If DKEY is the Authentication Method, the user has to click the <DKEY Client> link to download the DKEY Client, as shown in the two figures above. Also, if the Ingress Client fails to be installed automatically, the user can click the link <Ingress Client> to download and manually install the Ingress Client. 7.3 Authentication Server. Authentication Server configures the third-party authentication server. The SANGFOR IAM gateway device supports three authentication servers in the external networks, namely LDAP, RADIUS and POP3. The default configuration page of Authentication Server is as shown below. [Screenshot: Authentication Server page listing an LDAP server (LDAP0, 200.200.0.1, Enable) with Operation column; IAM submenu: Access Control Policy, Authentication Options, Authentication Server, Organization Structure, User Import, LDAP Sync, Online Users.] Logs Trouble
254. n page is as shown below. [Screenshot: DHCP Settings page. DHCP Service Interface: LAN1; Enable DHCP Service: Enable / Disable; Lease Term (minutes); DHCP Network Settings: Gateway IP, DNS1, DNS2, WINS1, WINS2 (0.0.0.0); DHCP IP Range: Start IP, End IP, Add, Clear List (Format: one IP range per row, use a hyphen to separate start IP and end IP, e.g. 192.168.0.55-192.168.0.66; IP ranges cannot overlap); DHCP Reserved IP Settings: User, IP Address, Binding MAC, Binding Hostname, Operation, Select; Add Reserved IP, Select All, Inverse, Delete (a MAC address and host name can be bound with only one IP address; the reserved IP must be one of the IP addresses specified above).] DHCP Service Interface: select an interface for the DHCP service. You can use multiple network interfaces to fulfill DHCP services. Enable DHCP Service: select Enable to enable the DHCP service module. Lease Term: configures the expiry time of the IP address allocated by the DHCP. DHCP Network Settings: configures the Gateway IP, DNS and WINS obtained by the DHCP client end. Generally the Gateway IP
255. n the websites specified in the following list are accessed, they will not be cached and cannot enjoy the WAN Optimization. [Screenshot text: Note: The Excluded Website List here takes higher priority over the Cache Website List in the Advanced Settings tab. If a website exists in both lists, it will be excluded first. Format: one domain, IP address or IP range per row; second-level domain is supported, for example 192.168.0.1-192.168.0.20 or google.com. Domain name / IP address / IP range; Clear List. Note: To disable the WAN Optimization function for some groups, please configure it on the Access Control Policy > Access Control > Proxy Control page.] Shortest Update Interval: check this option and configure the minimum interval at which the cache is updated by the IAM gateway device. The IAM gateway device will not update the cached objects within this time interval even though they have been updated by the server; only after this time interval will the IAM gateway device update the cached objects if there are new requests for them. Continue caching: check this item and configure the longest time the cached data will be cached. If it exceeds the time configured here, the corresponding cached data will be deleted to release disk space and memory space. Limit memory cache size to smaller than: check this item and configure the maximum value the memory can cache. The system will automati
256. n to view the latest Internet behavior of this user/IP address. The page is as shown below. [Screenshot: Behavior Monitoring page. Search by IP / Search by user (click Select to select group), Manual Refresh. Operation Result: the following displays the information of the group that you have privilege to view. Submenu: Internet Access Audit > Realtime Logs (Flow Ranking, Connection Ranking, Connection Monitoring, Behavior Monitoring), Audit Log Maintenance, Data Center Settings.] 10.2 Audit Log Maintenance. Audit Log Maintenance configures whether to have the system automatically delete the audit logs. Options are: Delete the audit logs that were generated _ days ago automatically; When the size of logs exceeds _ of the partition, delete the logs of the first day automatically; and Disable. The page is as shown below. [Screenshot: Audit Log Maintenance page with the three Auto Delete options; submenu Internet Access Audit > Realtime Logs, Audit Log Maintenance, Data Center
257. nal URL Library; URL Search. URL Group List: 1 Job hunting/employment (job hunting, employment information website); 2 Web mail (webmail service website); 3 Sex (sexual information website); 4 Adult (adult website); 5 Counteraction/superstition (anti-Party, anti-government, anti-social website, superstition website); 6 Gambling (gambling); 7 Online Payment (online payment website); 21 Education (university website, education website); 22 Government organization (government organization); 23 Realty/decoration (realty, decoration website); 24 Life correlation (health, shopping online, car, tourism); 25 Military (military relative information website); 26 Literature (literature website); 27 Religion (religion information website); 28 Pyramid selling/advertisement (network pyramid selling, advertisement website); 29 Virus/fishing (virus, network fishing website); 30 Youth/children (youth, children website); 31 Poison (poison, criminous website); 32 Violence & Immorality (violence & immorality website); 33 Nonprofit Organization (nonprofit organization website); 34 Criminal skill (educate criminal skill); 35 Law correlation (law information website); 36 Network Harddisk (network hard disk); 37 Movie/music (movie, music website); 38 Online video (online video website); 39 Welfare Lottery (the provision of welfare lottery information, on-line purchase of t
258. name and password by POST; Allow users to access DNS service before authentication; Open basic services to users who fail the authentication (default root group privileges, but HTTP is excepted). Logout the user automatically if there is no traffic in _ minutes: if there is no traffic caused by this user in a certain time (it is 120 minutes by default), this user will automatically log out. Submit user name and password by POST: check this option and the user will get authenticated through Web with the correct username and password. Allow users to access DNS service before authentication: check this option and the user is allowed to access DNS before successful authentication. Open basic services to users who fail the authentication (default root group privileges, but HTTP is excepted): check this option and the privileges of the root group on various services and applications (HTTP service excluded) are also available for the users who have not yet gotten authenticated. Note: with Password as the Authentication Method, the user can modify its own password without the help of the administrator. However, if an incorrect password is entered more than three times in consecutive inputs, this user will be blocked for one minute. To modify the password, the procedures are: type http://0.0.0.0 (the IP address of the IAM gateway device) to open the Identity Authentication System page and the
259. nation IP and port, and packet type. It will capture the matching data packets of the unknown applications. Click the <Start capturing> button to have it start capturing the data packets, as shown below. [Screenshot: Packet Capture page. Captured Packets: 1000; Simple capture (unknown flow) / Advanced (TCPDUMP); LAN Address: IP address / IP range / All, Single port / Port range / All; WAN Address: IP address / IP range / All, Single port / Port range / All; Packet Type: TCP / UDP / All; Current Status: Packet capture is running; Capture File List entry 2010 09 02 115155 pcap with Delete, Download, View.] Click the <Stop capturing> button to have it stop capturing the data packets, and then you will see a captured file with the file extension .pcap in the Capture File List, as shown below. [Screenshot: the same Packet Capture page with Current Status: Packet capturing is stopped, and the capture file listed with Delete, Download, View.] Click <View> to open the Capture File Details page, as shown below. [Screenshot: Capture File Details page; Capture File Information; Page
260. nd Search [Screenshot: IPS page. Auto Update: Enable / Disable; Rule Search: Classified search / Exact search; Search Condition: Service (All), Priority; Search Result: Total 3871 objects; Records Per Page (display _ records per page), Submit; IPS Rule List with paging First, Prev, 1/78, Next, Last, Go to Page; IPS Options; Edit IPS Rule: Sequence Number 2320, Priority High / Medium / Low (alter the priority by selecting a lower level).] 13.3 VPN Settings. 13.3.1 VPN Status. Click VPN Settings or VPN Status to view the VPN connection and traffic information. The page is as shown below. [Screenshot: VPN Status page. VPN Status: Running; Total Connections: 0; WAN Flow: Received 17,252 Byte/s, Sent 11,707 Byte/s; VPN Flow: Received 0 Byte/s, Sent 0 Byte/s; Records Per Page; Realtime Flow (recv/send), Internet IP, LAN IP; submenu VPN Settings > Basic Settings.] <Search>: click t
261. ndard port; Maintenance; Protocol Anomalies; Auto Update; Route; Generate Certificate. 3.3 License. License includes Gateway Antivirus license, Application Ident/URL Library License and Multi-Function authentication, etc. It limits the number of connections from external networks of Branch VPN and Mobile VPN. A different license supports a certain number of lines and VPN licenses. Cross ISP License, Gateway Antivirus License, Application Ident/URL Library License and Multi-function are optional. [Screenshot: License page. Number of Lines: 2; Number of Branch VPNs: 0; Number of Mobile VPNs: 100; Gateway ID; License; Cross ISP License; Gateway Antivirus License; Application Ident/URL Library License (not active); Multi-Function: Activate; each with a Modify link. Enabled Functions: Multi-Function, Spam Filter, IPS, VPN Settings, Application Audit, Outgoing File Alarm, Risk Behavior Ident, WAN Optimization, Keyword Filter, Email Filter, Application Content Audit, Ingress System, High Availability.] Cross ISP License: you can activate it so as to be able t
262. ngress rule file. [Screenshot: Ingress Rule List (Display Internal Rule) with columns No., Rule Name, Type, Description, Operation, Select; internal rules: 1 Disable proxy software2 (Process, SyGate); 2 Disable proxy software3 (Process, Proxy Fox); 3 Disable proxy software4 (Process, SecretAgent); 4 Disable proxy software5 (Process, SuperProxy); 5 Disable proxy software6 (Process, AngelGate); 6 Disable proxy software7 (Process, YiTe Proxy Server); 7 Disable proxy software8 (Process, QingSong Proxy); 8 Disable proxy software9 (Process, YiMail Proxy); 9 Disable proxy software10 (Process, SuperGate); 10 Disable proxy software11 (Process, GJProxy). Matching Condition: One of the rules must be satisfied / All of the rules must be satisfied; Action: Deny Internet access; Combined Ingress Rule List; Select All.] Rule Name: names the combined ingress rule. Matching Condition: select the matching condition for the combined rule, One of the rules must be satisfied or All of the rules must be satisfied; it defines the relation between the combined rules. Action: select the action if the Matching Condition is satisfi
263. not go through the device, please set a listening (mirror) port, which should be idle. Users belonging to the following network segment must use SSO, but users that require DKEY or no authentication are excepted. Format: one IP range or subnet per row; IP range: start IP-end IP, e.g. 192.166.0.1-192.166.0.6; subnet: IP/mask, e.g. 192.168.0.1/255.255.255.0. [Screenshot tabs: Page Display After Authentication, Authentication Conflict Settings, SNMP Option (Enable it when the device requires crossing the layer 3 switch and binding MAC address).] Type single IP address(es) or IP range(s) in the text box. The IP address(es) contained in this list have to get SSO authentication through the IAM gateway device; otherwise they cannot access the Internet. It is an exception if some users have bound any of the IP addresses in this list but have checked None for Authentication Method (please refer to IAM > Organization Structure > Edit User page > Advanced Settings > User Attribute, or Section 7.4.5 Edit User), or some users have enabled DKEY for Authentication Method; that is to say, these users need not use SSO to access the Internet. 7.2.3 Page Display After Authentication. Page Display After Authentication configures the page redirected to after the user passes the Web authentication. The configuration page is as shown below. [Screenshot: Authentication Options > New User Authen
264. nternet Access Audit [Screenshot: Proxy Options page. WAN Optimization: Enable / Disable (the system is currently Enabled). Cache Usage: Memory 0 MB / _ MB, Disk 0 GB / _ GB, Clear Cache. Enable Proxy Port: the proxy options must be configured before the browser and application software can connect to the Internet; the HTTP proxy is supported; if this function is not enabled, only the transparent proxy is supported; for deployment of single-arm mode this option is typically checked; enter 5 ports at most and use commas to separate them. Parameter Settings: Cache Time Settings: Shortest Update Interval _ minutes (default 30; the cache object whose valid period is smaller than this value will not be updated even if it is expired); Continue caching _ days after expiration (default 12; the expired cache object will be updated after this time period). Other Settings: Limit memory cache size to smaller than _ MB (the system will automatically select the memory cache size according to the idle memory; recommend leaving it blank); Not cache object greater than 2048 KB (default 2048; value range is 8-10240). Excluded Website List: when the websites specified in the following list are accessed they will not be cached and cannot enjoy the WAN Optimization. Note: The Excluded Website List here takes higher priority over the Cache Website List in Ad
265. ntrol policy (policies) is exactly the same as that of its parent group (inheriting from its parent group), and it cannot add, delete or edit policies itself. Use its own policy: indicates that the member can have its own access control policy instead of inheriting only from its parent group. Summary: Displays the brief information of each member. Description: Displays the description of each member. <Select All> <Inverse>: Click it to select the needed member(s) quickly. Note: A group is of hierarchic structure, supporting a maximum of 16 hierarchies. 7.4.1 Search: Click this button and set the specific conditions to search for user(s) or user group(s) among the existing subgroups and users, as shown below; in this example it searches for all the subgroups and users of the root group. [Screenshot: Group Settings: Group Path; Source: Created by administrator; Group Information: Subgroups 1, direct users 5, total users (including subgroups) 5; Advanced Settings; Access Control Policy; toolbar: Search, Add Subgroup, Add User, Select All, Inverse, Multi-Edit, Delete Selected, Delete Current Group, Enable, Disable, Move Group/User; paging: First, Previous, 1, Next, Last, Go to Page, Records/page 15; Specified Search: Search by name / IP address / MAC address; Name: search for groups or users containing the name; leave it blank
266. o be borrowed. [Screenshot: Guaranteed channel settings: Max Uplink Bandwidth 64 KB/s (the extra bandwidth will be borrowed from other channels); Max Downlink Bandwidth 200 KB/s (the extra bandwidth will be borrowed from other channels); Bandwidth Allocation Policy: Allocate evenly (Note: data transmitted by different users will queue up and take turns for processing); Max Bandwidth Per IP: enable, Uplink 0 KB/s, Downlink 0 KB/s; Schedule: On duty; Valid Line: Line; Destination: ALL; Enable This Channel: Enable / Disable] Priority: Options are High, Medium and Low. The bandwidth channel with the higher priority is preferred when idle bandwidth from other bandwidth channels is assigned. Guaranteed Uplink/Downlink Bandwidth: Configures the bandwidth, or the percentage of the total allocated bandwidth, that is guaranteed for uplink/downlink. Max Uplink Bandwidth / Max Downlink Bandwidth: Configures the upper limit of the uplink/downlink bandwidth (width or rate) of this bandwidth channel. Or select Limited channel, and the following items appear as shown below. [Screenshot: Channel Type: Guaranteed channel / Limited channel; Priority: Low (the high priority channel has the first opportunity to use the idle bandwidth of other channels); Max Uplink Bandwidth [ ] KB/s (it will borrow idle bandwidth from other channels); Max Downlink Bandwidth 200 KB/s (it will borrow idle bandwidth from ot
267. o establish VPN crossing ISPs. Gateway Antivirus License: You can activate it to update the virus library of the antivirus module. Application Ident/URL Library License: You can activate it to update the expiry time of the application identification library and URL identification library. Multi-Function: Click the <Activate Multi-Function> button, then enter the serial number and click the <OK> button to activate this function. Multi-function includes the following functions: Spam Filter, IPS (Intrusion Prevention System), VPN Settings, Application Audit, Data Center, DKEY, Search, Outgoing File Alarm, Risk Behavior Identification and SSL Identification. Enabled Functions: indicates that this device has activated the listed functions. 3.4 Gateway Mode: Gateway Mode configures the working mode of the IAM gateway device. Four working modes are selectable, namely Route Mode, Bridge Mode, Bypass Mode and Single-arm Mode. The default configuration page of Gateway Mode is as shown below. [Screenshot: Sangfor IAM 2.1 >> Gateway Mode: Route Mode Settings: Gateway Mode: Route mode; LAN Interface Settings: IP Address 100.100.100.100, Subnet Mask, Line Type: Ethernet, DHCP, IP
268. of bypass mode deployment is as shown below. [Figure: bypass mode deployment topology with the router or firewall] Under the Gateway Mode default configuration page, click <Configure> to enter the Select Gateway Mode page. Select Bypass Mode and click the <Next> button; then the following page appears. [Screenshot: Gateway Mode > Bypass Mode: MANAGE Interface/DMZ Interface Settings: IP Address, Subnet mask, Add, Clear List; Default Gateway; Primary DNS; Secondary DNS; Next] IP Address: Configures the IP address of the MANAGE interface/DMZ interface. Click the <Next> button to get into the next configuration page, as shown below. [Screenshot: Monitored Network Segment List: Subnet segment, Subnet mask, Add, Clear List; Monitored Server List: IP address, Add, Clear List; format: one single IP or IP range per row, e.g. 200.200.20.58 or 200.200.20.14-200.200.20.146; Next] Monitored Network Segment List: Configures the network segments to be monitored. In order to have the IAM gateway device connect to the console or the client updater, the IP Address and Default Gateway must be configured and the network cable should be connected to the DMZ interface. Since the bypass mode IAM gateway needs only one network cable to c
269. off Properties dialog, click the <Show Files> button to open a directory and save the logoff script (that is, the logoff.exe file) there, and then close the directory. [Screenshot: Windows Explorer window showing the Logoff scripts folder under the sysvol Policies directory of the yuanbo.163.com domain] Click the <Add> button in the pop-up Logoff Properties dialog, and the Add a Script dialog appears, as shown below. Click the <Browse> button to upload the logoff script file (that is, the logoff.exe file) and enter the Script Parameters: the IP address 10.251.251.251. Then close the related configuration dialog pages one by one. [Screenshot: Add a Script dialog: Script Name (Browse); Script Parameters: 10.251.251.251; OK] Having completed configuring the logoff script, you have to click Start > Run, type gpupdate and then click the <OK> button to have the group policy take effect. At this point the logoff script program is configured successfully. When the directory user logs off, this logoff script program will run. The primary DNS of the user host must be the IP address of the domain controller; otherwise the domain controller will not be found when the user is ad
270. [Screenshot: Flow Ranking page: Search by User; Search by Group; Display Option: Top 10, Refresh Interval 5 seconds, Save Preferences; Note: when CPU usage is high and the page cannot be switched, please click Stop Refresh to stop automatic refresh; Flow Speed ranking table with columns Select, Ranking, Username, Group, IP Address, Total, Application Type, Downlink Application, Downlink, Hostname] Search by User: Specifies a user to view their flow ranking information. Search by Group: Specifies a group to view the flow ranking information. Click the <Select> button, select a user group, and then click <OK>. Display Option: Specifies the number of items to be displayed (the top flow rankings) and the time interval at which the data is refreshed automatically. You can click <Save Preference> to save the settings, so that your preferred statistics are displayed by default next time. <Stop Refresh>: Click this button to stop the auto-refresh function. <Obtain>: Click this button to obtain the host name of the device with the corresponding IP address, as shown below. [Screenshot: Microsoft Internet Explorer dialog: 192.168.1.101 Hostname: Server01] If you want to block a user, select the user and then configure the time duration for which the selected user(s) will be blocked. Click the <OK> button, as shown below. [Screenshot: >> Flow Ranking > Search Conditions > Block User: Block
271. olicies followed. [Screenshot: Edit Access Control Policy: Policy Template: Anti-fishing webpage; Description: Prevent deceiving from illegal SSL protocol certificate, enable URL filter relative domain name; Expiry Date: Never expire / Expired on; Status: Enable / Disable; "If you find any URLs that cannot be filtered please contact us"; Submit uncategorized website; toolbar: Select All, Inverse, MoveUp, MoveDown, Action (Please select), Schedule, Display All / Hide DISABLE; category table (Categories, Description, Action, Schedule): Webmail (webmail service website) Allow, All day; sexual information website, Allow, All day; Online Payment (online payment website) Deny, All day; Copy HTTP URL Filter; Default Action: Allow / Deny; if several policies are associated, adopt the default action of the next policy and continue matching downwards] Having completed configuring this page, you have to click the <OK> button to save the settings. 7.1.2.2.3 Keyword Filter: Keyword Filter configures the filtering function for Search Engine and HTTP Upload. Keyword Filter: Check this item to activate the keyword filtering rules configured under it. The configuration page is as shown below. [Screenshot: Edit Access Control Policy: Policy Template: Anti-fishing webpage; Description; Expiry Date: never expire / expired on; St
272. olicy authentication for new users who are not in the organization structure; Take computer name as new user. [Screenshot: left navigation menu: Firewall, IAM (Access Control Policy, Authentication Options, Authentication Server, Organization Structure, User Import, LDAP Sync, Online Users), Bandwidth Management, Delayed Email Audit, Internet Access Audit, Logs/Troubleshooting, Advanced, Security, DHCP, Wizard] 7.2.1 New User Authentication: New User Authentication configures the default policy that applies to users not included in the member list. It can automatically add the new users to the member list and to a certain group, and bind the IP/MAC address of the user(s). The configuration page is as shown below. [Screenshot: Authentication Options > New User Authentication: Enable policy authentication for new users who are not in the organization structure; Take computer name as new user; Default policy; Bind IP; SSO Settings: Enable Active Directory SSO, Help of SSO Usage, Enable POP3 SSO, Enable Web SSO, Enable Proxy SSO; If login data does not go through the device please set a listening mirror port (which should be idle); Users belonging to the following network segments must use SSO, but users that require DKey or no authentication are excepted; Page Display After Authentication: Go to
273. omain server to the IAM gateway device, and for realizing the automatic synchronization of the users and organization structure of the domain server. Presently this function only supports MS Active Directory. It falls into two synchronization modes, namely Sync by LDAP organization structure and Sync by LDAP security group. [Screenshot: Sangfor IAM 2.1 >> LDAP Sync: Synchronization Mode: Sync by LDAP organization structure / Sync by LDAP security group; LDAP Synchronization Policy table with columns Policy Name, Description, Included Group/User, Operation, Last Sync Status; sample row: Last Sync Time Thu Sep 1 2010, Sync Now: Yes, Filter Condition, Synchronizing failed] Synchronization Mode: Configures the mode of LDAP synchronization. These two modes cannot work at the same time; you can select either of them. Having selected one of the modes, you have to click the <Save> button to save the settings. <Select All> <Inverse>: Click it to select the needed policy or policies. <Add>: Click it to enter the
274. on or layer 3 switch that connects to the LAN interface or DMZ interface of the IAM gateway device. If a PC is not in the same segment as the LAN interface or DMZ interface of the IAM gateway device, the MAC address of this PC will be replaced by the MAC address of the routing device. If the number of connections from this routing device is more than expected, the routing device's interface in the same segment as the IAM gateway device will be blocked by the IAM gateway device. The LAN Router List prevents the MAC addresses of the LAN routers in the list from being blocked by the IAM gateway device. You can enter the interface IP address or MAC address of the router or layer 3 switch that directly connects to the LAN interface of the IAM gateway device; the IAM gateway device will automatically resolve the MAC address of the corresponding IP address. Excluded IP List: Configures the IP address(es) that will not be defended against in any case, regardless of the number of connections and the frequency of sending packets. Generally the connections and packet-sending frequency of an IP address are limited; if either threshold is reached, it will be regarded as a DoS attack. Max New TCP Connections Per IP: Configures the maximum number of new TCP connections per IP allowed by the IAM gateway device in one minute. If the number of new TCP connections of an IP address exceeds the limit configured herein, t
275. onfiguration page as shown below. [Screenshot: Sangfor IAM 2.1 >> Edit Schedule, with the Object menu (Application Ident Rule, Intelligent Ident Rule, Schedule, Service, IP Group, URL Group, White List Group, Keyword Group, File Type Group, Ingress Rule, SSL Certificate); time grid with From/To columns and Enable and Return buttons] Name: Names the newly created schedule. Description: Type in a brief description for this schedule. Click, or click and drag, the needed time periods in the table and click the <Enable> button to enable the selected time periods; then click the <OK> button to save the settings on this page. 4.6 URL Group: A URL Group is created according to the URL library and can be referenced by the URL Filter configuration in IAM > Access Control Policy > Web Filter > HTTP URL Filter and HTTPS URL Filter, and by the Bandwidth Channel configuration in the Bandwidth Management > Bandwidth Settings page, to achieve URL access filtering and bandwidth control. [Screenshot: URL Group page: Update, Search; Update Service Expired On 2011-07-15; URL Library Released At: Inner 2010-07-09 08:43:28, esoft 2010-08-21; Update Inter
276. onfigure the username, password, description, algorithm, etc. The configuration dialog is as shown below. [Screenshot: Add User dialog: Authentication Method; Username; Local Password; Algorithm: AES; Confirm Password; Description; User Group; Use Group Attribute; Enable Hardware Authentication (Hardware Certificate); Enable DKey; Enable virtual IP (Virtual IP); Schedule: All day; Enable Expiry Date (Expiry Date); Enable the user; Enable My Network Places; Enable compression; Deny Internet access after user connects to VPN; Enable multi-user login; Deny password change online; LAN Privilege] Authentication Method: Configures the authentication method: Local, hardware authentication, LDAP or RADIUS. Use Group Attribute: Classifies the user into a certain group and configures whether to have the user apply the group attributes. User Group is only available when a user group exists, so please create a user group first. If Use Group Attribute is checked, the Algorithm, Enable My Network Places and LAN Privilege options are unavailable. Enable Hardware Authentication: Check this option to configure the hardware-featured certificate for authentication. Click the <Browse> button to select and upload the certificate file in id format. Enable DKey: Check this option to enable the
277. onnect the LAN interface or WAN interface of the IAM device to the HUB or the mirror port of the switch. The IAM gateway device has no knowledge of which addresses are LAN addresses and which are WAN addresses, but regards the addresses in the Monitored Network Segment List as LAN addresses. Access data sent to the Internet from these monitored addresses will be recorded or controlled. However, by default the IAM gateway device does not record the access between two LAN PCs, which means communication between any two addresses in the Monitored Network Segment List will not be monitored. Also, access data sent to the Internet through the server(s) of the Monitored Server List will be recorded or controlled. Different from the Monitored Network Segment List, the access data sent by the network segment(s) and passing through the LAN servers will be recorded. Data irrelevant to the addresses or servers in the above two lists will not be monitored. Click the <Next> button to continue with the next step, configuring the Excluded IP List, as shown below. [Screenshot: Gateway Mode > Bypass Mode > Excluded IP List Settings: format: IP range, e.g. 200.200.20.14-200.200.20.148, or single IP, e.g. 200.200.20.58; Excluded IP list: IP address, Add, Clear List; Next] Excluded IP List: Access data requested by these excluded IP addresses will not be recorded. Bypass mode
278. onsole cable among the accessories to connect the serial ports of the two IAM gateway devices through the CONSOLE interface. Use an RJ-45 Ethernet cable to connect the LAN interfaces of the two IAM gateway devices to the same switch, and then connect that switch to the local area network (LAN) switch with a standard RJ-45 cable. Having completed the wiring, switch on the power of the two IAM gateway devices and then configure them. Device configuration of the HA system is the same as that of a single IAM gateway device: you need only configure one of the IAM gateway devices, and the other IAM gateway device will synchronize and copy the settings automatically. Chapter 2 Console. 2.1 Web UI Login: IAM series gateway devices support secure HTTPS login on the standard HTTPS port. The login URL is https://10.251.251.251. Note: By logging in to the WEB user interface (WEB UI) through HTTPS to manage the IAM gateway device, the potential risks caused by interception during transmission can be avoided. Having connected all the wires, you can go on to configure the SANGFOR IAM gateway device through the WEB UI. Detailed procedures are described in the following chapters. Configure a valid IP address for the IAM gateway device. The IP address is in the 10.251.251.X network segment, such as 10.251.251.100. Then type the default login IP address and port o
279. onsumes some system resources; what is more, if the bypass function is not disabled, all the policies configured are invalid. 11.3 Packet Capture: Packet Capture is used for capturing the data packets that go through the IAM gateway device. This function helps to quickly locate configuration mistakes and is a supplementary troubleshooting tool to policy troubleshooting. The configuration page is as shown below. [Screenshot: Sangfor IAM 2.1 >> Packet Capture: Captured Packets (1-10000); Packet Capture Settings: Simple capture (unknown flow) / Advanced (TCPDUMP); LAN Address: IP address / IP range / all, Single port / Port range / all; WAN Address: IP address / IP range / all, Single port / Port range / all; Packet Type; Current Status: Packet capturing is stopped; Start capturing; Capture File List: 2010-09-02 115155.pcap (778248), Delete, Download, View, Select all, Inverse, Delete] Capture Packets: Configures the total number of packets to be captured. Simple capture (unknown flow): Select this item and configure the conditions, such as the source LAN IP address and port, the WAN desti
280. ormation to the IAM hardware gateway devices. Devices of different models and versions are inapplicable; both operations apply only to the same model and the same version. ManagePackage: Submenus are Check Current, Load Package and Download, as shown in the following figure. [Screenshot: DLAN Gateway Client dlanupdater4.0: menu bar System(S), Update(U), Backup(B), ManagePackage(M), Tools(T), UpdateHistory(R), Help(H); ManagePackage submenu: Check Current(W), Load Package, Download(D); console output: connecting gateway ... login success; gateway firmware version is SANGFOR IAM 2.1 BUILD 100226-173247 cluster 1.23 disk; Update server version is 0x400] Check Current: View the information of the currently loaded update package. Load Package: Load the downloaded update package (upload the update package). Only after the aforementioned procedures have been carried out can Update > Update Firmware be clicked. Download: Please visit the SANGFOR official website (www.sangfor.com) to download the corresponding update package. Tools: Submenus are Ping, Route Table, ARP Table, Network Config, View Mode, Set Net Mode and Exchange Net Interface, as shown in the following figure. [Screenshot: DLAN Gateway Client dlanupdater4.0: Tools submenu: Ping(P), Route table(R), ...; console output: connecting gateway 192.2
281. ou can type in a single IP address or an IP range, one entry per line; a maximum of 32 entries are allowed. The privilege configuration of a Common Administrator is as shown below. [Screenshot: Sangfor IAM 2.1 administrator privilege page: System (Running Status, Security Status, License, Gateway Mode, Network Interface, Multi-Node Sync, Date/Time, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update, Route, Generate Certificate, High Availability), Object, Firewall, WAN Optimization, IAM, Bandwidth Management, Delayed Email Audit] Privileges of a common admin are divided according to function module; there are privileges on Device Management, System, Object, Firewall, IAM, Bandwidth Management, Delayed Email Audit, Internet Access Audit, Logs/Troubleshooting, Advanced, Security and DHCP. Device Management: Configures the privileges the administrator has for managing the selected user groups. Click the <Select> button to browse the organization structure of the IAM gateway, and click a user group or sub-group to add it to the list. The Device Management privileges are View, Member Management, Policy Management, Delayed Email Audit and Data Center Audit. View: Indicates this admin can only view the selected user or sub-group user information, viewing the policy applied to i
282. [Screenshot: Task Plan ingress rule (continued): running period in hours/minutes/seconds (the minimum running period is 40 seconds); Check return result / Not check return result; Return Result Timeout in hours/minutes/seconds (0 indicates no timeout, not recommended; the timeout value should be smaller than the running period); Task Attributes: If task return result is 1 then: Only record; If task return result is 2 then: Only record; Executable program / Jscript / VBscript; Task Path] Rule Type: Configures the type of the ingress rule. Rule Name/Description: Configures the name and a brief description for the ingress rule. Task Attributes: Configures the task execution time: Execute once when ingress is started, or Execute periodically. If Execute periodically is selected, you can configure the interval for periodic execution, as shown in the figure above. Check return result / Not check return result: Configures whether to check the execution result of the task script. Return Result Timeout: Configures the timeout for obtaining the return result. If task return result is 1 then / If task return result is 2 then: Configures the operation taken when the result obtained from the task script matches the given return value. It may be Only record, Prompt user, Deny Internet Access, or Deny Internet access and prompt user. Presently only some kinds of scripts are supported, namely Executab
283. ow. [Screenshot: LDAP Sync: Synchronization Mode: Sync by LDAP organization structure / Sync by LDAP security group; LDAP Synchronization Policy table with columns Policy Name, Description, Included Group/User; two rows with Last Sync Time (Thu Sep 2010), Sync Now: Yes, Filter Condition, Synchronizing failed] Last Sync Time: Displays the time of the latest synchronization and whether it synchronized successfully. Once the organization structure and the users have been imported successfully into the IAM gateway device, the group will be seen in the member list. 7.6.2 Sync by LDAP Security Group: The Sync by LDAP security group synchronization mode imports users and user groups according to the security group. Select Sync by LDAP security group and click the <Add> button, and the LDAP Synchronization Policy configuration page appears as shown below. [Screenshot: LDAP Synchronization Policy: Policy Name: test1; Auto Synchronize: Enable / Disable; LDAP Server: LDAP0; Import: Keep the relations; Import Remote Target: Enter DN of LDAP; Filter: Import from specified OU / Sub-OU of the specified OU; OU Import Depth; Users under
284. own below. [Screenshot: Edit Access Control Policy (Help): single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Enable Online Duration Control: Enable / Disable; Schedule: All day; Max Online Duration Per Day: [ ] minutes (value range is 1-1440); Excluded Port: these ports are free of the online duration control; enter at most 20 ports and use spaces to separate them] Enable Online Duration Control: Select Enable or Disable to enable or disable this control function respectively. Schedule: Select a time schedule during which the users can get access to the Internet through the IAM gateway device. For the configuration of a schedule, please refer to Section 4.5 Schedule. Max Online Duration Per Day: Configures the online duration in minutes. Excluded Port: Configures the ports that are free from online duration control; the port entered here should be the destination port. Having completed configuring this page, you have to click the <OK> button to save the settings. 7.1.2.6.3 Session Control: Session Control configures the maximum number of sessions allowed for each IP address. The configuration page is as shown below. [Screenshot: Edit Access Control Policy (Help): single policy / Multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Session Control settings
285. ows Vista: Disable. Step 1: <Add> a new ingress rule. Select Classification or any other existing rule type. Step 2: Enter Rule Type. Click the pull-down menu and select a rule type or enter a new one. The length of the rule type must be within 95 bytes. Step 3: Enter Rule Name. The length of a rule name must be within 95 bytes. Step 4: Select Operating System Version. If no operating system version is selected, this ingress rule will ban the user from accessing the Internet. First select the operating system version(s) and then click <Enable> to enable the OS version(s). Step 5: Select Action: Deny Internet access or Submit report only. Step 6: Click the <OK> button to enable this ingress rule. Process: A Process ingress rule controls the processes on the LAN computers that are getting access to the Internet. Click the <Add> button and create a new ingress rule of type Process; the page is as shown below. [Screenshot: >> Edit Ingress Rule: Classification: Operating System / Process / File / Registry / Task Plan / Others; Rule Type (contains 1-95 bytes and cannot contain certain characters); Rule Name; User's PC must run the following process / User's PC must not run the following process; Process Name; Process Settings: Window Name, File size, Files; Operation: Deny Internet access; Configure Ru
286. p [Figure: PC, IAM gateway device and switch topology] IP of the IAM gateway device, or to the layer 3 switch, which then directs traffic to the IAM gateway device. The requests for Internet access are forwarded through the NAT function or the routing function of the IAM gateway device. The LAN interface and WAN interface should each be configured with an IP address, and these must be in different network segments. If the WAN2 interface on the front panel of the IAM gateway device is not used, you can define the WAN2 interface as LAN2 or DMZ2. If the LAN interface of the IAM gateway device is configured with an 802.1Q VLAN address, the LAN can connect to the TRUNK interface of a layer 2 switch that supports VLAN, and the IAM gateway device can forward data between different VLANs with a single-armed route; besides, you can configure LAN<->LAN firewall rules. In other words, access among different VLAN IDs (VIDs) can also be controlled if the LAN interface is configured with an 802.1Q VLAN address. The Route Mode Settings are as shown in the figure below. [Screenshot: Sangfor IAM 2.1 >> Gateway Mode: Route Mode Settings: Gateway Mode: Route mode; LAN Interface Settings: IP Address 100.100.100.100, Subnet Mask 255.255.252.0, Line Type: Ethernet, DHCP, IP add
287. pected and controlled. Service Control: You have to check it to activate the rules configured under it, as shown below. [Screenshot: Edit Access Control Policy: Expiry Date: Never expire / Expired on; Status: Enable / Disable; Schedule; toolbar: Select All, Inverse, Allow, Deny, MoveUp, MoveDown, Add, Delete; Default Action: Allow / Deny; if several policies are associated, adopt the default action of the next policy and continue matching downwards] Click the <Add> button to configure the service(s) to be controlled. [Screenshot: Edit Access Control Policy: Policy Template: prevent Trojan; Expiry Date: Never expire / Expired on; Status: Enable / Disable; service rule rows with Schedule and All_TCP_Service; toolbar: Select All, Inverse, Allow, Deny, MoveUp, MoveDown, Add, Delete; Default Action: Allow / Deny; OK, Cancel] Just select Destination IP, Service, Action and Schedule, and then you have finished configuring the Service Control rule. For instance, if you do not want the LAN users to browse web pages during office hours, you need to configure a service rule to deny the HTTP service. For detailed introductions to configuring the Destination IP Group, Service and Schedule, please refer to the corresponding sections in Chapter 4 Object. <Select All
288. port.html [Screenshot: synchronization report list: rows of report name (..._report.html), Sync Mode: Sync Now, Sync Time Sat Sep 4 04:04:01 2010, Failed; Fri Sep 3 02:49:02 2010, Failed; Thu Sep 2 03:33:02 2010, Failed; Wed Sep 1 01:11:01 2010, Failed] Sync Report Name: Displays the name of the report. Click the report name and you will see the detailed contents of this report. Sync Mode: Displays how the synchronization policy was synchronized: Sync Now or Auto Sync. Sync Time: Displays the time when the synchronization report was generated. Sync Status: Displays whether the synchronization was successful. <Clear>: Click this button to clear all the recorded reports. Note: Each synchronization mode supports a maximum of 10 synchronization policies. A maximum of 20 synchronization reports will be saved; if more reports are generated, the same number of the earliest reports will be deleted. Clicking the <Clear> button manually deletes all the reports. 7.7 Online User: Online User enables you to view, search for and manage the online users of the IAM gateway device. The configuration page is as shown below. [Screenshot: Sangfor IAM 2.1 >> Online Users: Search Conditions: User Status: Online / Blocked
289. ...portant applications and limit the uplink and downlink bandwidth as well. Besides, you can create a specific policy according to the service, the user, the guaranteed bandwidth and the maximum bandwidth. A sub-channel can also be built under a bandwidth channel to divide the parent channel more finely. The configuration page is as shown below.

[Screenshot: Bandwidth Management > Bandwidth Status page. Tabs: Line Bandwidth, Bandwidth Usage (Realtime Speed, History Speed, History Flow), Bandwidth Channel, Exclusion Policy, Advanced Information. Channel table columns: Bandwidth Channel, Realtime Speed, History Speed, History Flow, Total Users, Max Bandwidth, Guaranteed Bandwidth, Priority, Status. The line total is 64 KB/s uplink and 200 KB/s downlink; the Default Channel has High priority and status Running. Buttons: Display History, Save, Stop, Refresh, and page navigation.]

9.1 Bandwidth St...
290. ...pplication that cannot be blocked, please contact us.

[Screenshot: Application Control rule table with the columns Application (e.g. HTTP Application > HTTP_GET), Action and Schedule (All day); the buttons <Select All>, <Inverse>, <Allow>, <Deny>, <Move Up>, <Move Down>, <Add>, <Delete>; Default Action: Allow / Deny. Note on the page: "If several policies are associated, adopt the default action of the next policy and continue matching downwards."]

Click the <Add> button to configure the application(s) to be controlled.

[Screenshot: Edit Access Control Policy. Description: "Identify risky Internet activity, alarm on information disclosure, deny malicious software". Expiry Date: Never expire / Expired on. Status: Enable / Disable. Note on the page: "Controls are based on the specific content of data packets; if you find any application that cannot be blocked, please contact us." Application tree with categories such as HTTP Application (HTTP_GET), Stock Exchange and P2P; <OK> / <Cancel>.]

Just select the application Type, Application, Action and Schedule, and the Application Control rule is configured. Because identification is based on packet content, traffic that the application library does not recognize is not matched by these rules; only the Default Action, or a Service Control rule, applies to it. For instance, if you want LAN users to run app...
291. ...r rove

[The User Import page repeats the import format notes: fields are separated by vertical bars (|); if a field has multiple values, use commas (,) to separate them; binding multiple IP addresses or ranges is supported, and when multiple IP addresses are bound MAC binding is not supported, so the MAC address is ignored even if it is entered; the format of an IP range is start IP-end IP; the format of a MAC address is six two-digit hexadecimal groups; the values of the Auth Method field are noauth (authentication not required), acpass (authentication with a customized password), ldap (LDAP authentication), pop3 (POP3 authentication) and radius (RADIUS authentication); Description cannot contain the special characters listed on the page; the group name should contain the full path with the separator at the beginning and the end and no space before or after the separator, e.g. /Head Office/R&D/.]

As shown in the above figure, you can import users by Single IP, IP range or Subnet. Fill in the corresponding information and click the <Scan> button; the host names, IP addresses and MAC addresses found are displayed in the Content table (in the figure, 192.168.1.10 with MAC 90:F0:CF:85:9E:76).

Or click the <Import LDAP User> button and the Select LDAP Server dialog appears, as shown below.

[Screenshot: IAM > User Import page. Options: "When a user already exists, update its attributes automatically"; "When the group corresponding to a user does not...]
292. ...ranch1, because the LAN Service configuration denies the response packets sent from the other computers of the headquarters: only the FTP server 192.168.1.20 is a permitted destination, so replies from any other address are dropped.

13.3.12.2 VPN Interface

VPN Interface configures the IP address of the virtual network adapter used by the VPN service. The configuration page is as shown below.

[Screenshot: VPN > Advanced > VPN Interface page. VPN LAN Settings: LAN interface and subnet mask, DMZ interface and subnet mask. VPN Interface Settings: "Obtain IP address automatically" (selected), IP Address, Subnet Mask 255.255.255.0, "Customize VPN interface IP".]

By default, the Obtain IP address automatically option is checked. If an IP address conflict appears, you can define the IP address manually instead. The VPN interface is a virtual interface of the IAM gateway device; no physical interface corresponds to it.

13.3.12.3 LDAP Server

The VPN service of the SANGFOR IAM gateway supports LDAP authentication through a third-party server. If you need to...
293. ...ranteed Uplink Bandwidth.

[Screenshot: Edit Bandwidth Channel page. Guaranteed Uplink Bandwidth and Guaranteed Downlink Bandwidth (KB/s), each with "Allow its idle guaranteed bandwidth to be borrowed". Max Uplink Bandwidth 64 KB/s and Max Downlink Bandwidth 200 KB/s, each with "The extra bandwidth will be borrowed from other channels". Bandwidth Allocation Policy: Allocate evenly (note: data transmitted by different users will queue up and take turns for processing). Max Bandwidth Per IP: Enable, Uplink / Downlink (KB/s). Valid Line, Destination: ALL. Enable This Channel: Enable / Disable.]

Channel Type: defines the type of the bandwidth channel, Guaranteed channel or Limited channel. If Guaranteed channel is selected, this policy guarantees its users a minimum bandwidth; if Limited channel is selected, this policy caps the bandwidth available to the selected services. Select Guaranteed channel and the following items appear, as shown below.

(SANGFOR IAM v2.1 User Manual, p. 220)

[Screenshot: Channel Type: Guaranteed channel / Limited channel. Priority: High ("The high priority channel has the first opportunity to use the idle bandwidth of other channels"). Guaranteed Uplink Bandwidth (KB/s) with "Allow its idle guaranteed bandwidth to be borrowed". Guaranteed Downlink Bandwidth (KB/s) with "Allow its idle guaranteed bandwidth t...]
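The allocation rules the page describes (a guaranteed channel first receives up to its guaranteed bandwidth, idle bandwidth is lent to other channels in priority order unless borrowing is disabled, and no channel exceeds its maximum) can be checked with a small model. The following is an added example, not code from the page or from SANGFOR; channel names, demands and the line capacity of 200 KB/s are constructed, and the Channel fields are assumptions that stand in for the options on the Edit Bandwidth Channel page.

```python
from dataclasses import dataclass

PRIORITY = {"High": 0, "Medium": 1, "Low": 2}   # High is served first from idle bandwidth


@dataclass
class Channel:
    name: str
    kind: str                  # "guaranteed" or "limited", the page's two channel types
    max_kbps: int              # Max Uplink/Downlink Bandwidth
    guaranteed_kbps: int = 0   # only meaningful for a guaranteed channel
    priority: str = "Medium"
    lendable: bool = True      # "Allow its idle guaranteed bandwidth to be borrowed"


def allocate(line_kbps, channels, demand):
    """Return {channel name: KB/s granted} for one direction of one line.

    demand maps channel name -> KB/s the channel's users currently want.
    """
    total_guaranteed = sum(c.guaranteed_kbps for c in channels if c.kind == "guaranteed")
    if total_guaranteed > line_kbps:
        raise ValueError("guaranteed bandwidth exceeds the line bandwidth")

    grant, reserved = {}, 0
    # Pass 1: every guaranteed channel gets what it needs up to its guarantee.
    for c in channels:
        g = c.guaranteed_kbps if c.kind == "guaranteed" else 0
        grant[c.name] = min(demand.get(c.name, 0), g)
        if not c.lendable:
            reserved += g - grant[c.name]     # idle guarantee that may not be borrowed

    # Pass 2: hand the idle bandwidth to channels that still want more, by priority.
    pool = line_kbps - sum(grant.values()) - reserved
    for c in sorted(channels, key=lambda ch: PRIORITY[ch.priority]):
        want = demand.get(c.name, 0) - grant[c.name]
        room = c.max_kbps - grant[c.name]     # never exceed the channel's maximum
        extra = max(0, min(want, room, pool))
        grant[c.name] += extra
        pool -= extra
    return grant


# Constructed channels and demand (downlink, 200 KB/s line as in the screenshot).
CHANNELS = [
    Channel("VoIP", "guaranteed", max_kbps=200, guaranteed_kbps=50, priority="High"),
    Channel("Web", "guaranteed", max_kbps=200, guaranteed_kbps=80, priority="Medium"),
    Channel("P2P", "limited", max_kbps=40, priority="Low"),
]
# Same channels, but VoIP keeps its idle guarantee to itself.
STRICT_CHANNELS = [
    Channel("VoIP", "guaranteed", max_kbps=200, guaranteed_kbps=50, priority="High", lendable=False),
    CHANNELS[1],
    CHANNELS[2],
]
DEMAND = {"VoIP": 20, "Web": 150, "P2P": 100}


def demo():
    return allocate(200, CHANNELS, DEMAND), allocate(200, STRICT_CHANNELS, DEMAND)


if __name__ == "__main__":
    print(demo())
```

With borrowing allowed, VoIP uses only 20 of its 50 KB/s, Web is topped up to its full demand and P2P receives the remaining 30 KB/s, capped by its 40 KB/s limit. With borrowing disabled on VoIP, the 30 KB/s it does not use stays reserved and P2P gets nothing. The oversubscription check at the top mirrors the constraint the page states for virtual lines: guarantees that add up to more than the line can carry cannot all be honoured.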
294. ...ration page. If you are to configure multiple IP addresses, add the IP addresses to be bound and click the <Next> button to get to the next page.

VLAN: enable or disable VLAN.
VLAN Address List: if the switch interface connected to the IAM gateway device is configured as a trunk, configure the IP address and VID (VLAN ID) for each VLAN on the LAN interface. The VLAN function supports the 802.1Q VLAN networking environment. If the LAN interface of the IAM gateway device is configured with 802.1Q VLAN addresses, it can connect to the trunk port of a layer-2 switch that supports VLANs, and data of different VIDs can be forwarded to each other (one-armed routing). Because the one-armed route forwards traffic between the VIDs, configure LAN<->LAN firewall rules if access between the VLANs is to be restricted.
DMZ Interface: displays the information of the DMZ interface. Click the <Configure> button to enter the corresponding configuration page and configure the IP address and subnet mask.
WAN Interface: displays the information of the WAN interface. Click the <Configure> button to enter the corresponding configuration page and configure the Internet access mode. If there is a second external line, define WAN2.
WAN2 Interface: displays the information of the WAN2 interface. It can be defined as the second external line, or as a LAN interface or DMZ interface.
WAN3 Interface: D...
295. ...rd HTTP and SSL protocol ports can keep blocking the illegal data. The condition for selecting Disallow users to use external HTTP proxy or Disallow users to use external Socks4 and Socks5 proxies is that the proxy is on the WAN side of the SANGFOR IAM gateway device. If the proxy is on the LAN side, this option must be combined with an ingress rule. For a detailed introduction to ingress rules, refer to Section 4.10, Ingress Rule.

7.1.2.2 Web Filter

Web Filter covers the configuration of HTTP URL Filter, HTTPS URL Filter, Keyword Filter, File Type Filter, ActiveX Filter and Script Filter.
Web Filter: check this item to activate the rules configured under it and enable webpage filtering.

7.1.2.2.1 HTTP URL Filter

HTTP URL Filter includes the configuration of Basic Filter and Advanced Filter.
HTTP URL Filter: check this item to activate the configured rules to filter HTTP URLs.
Basic Filter: Basic Filter performs URL filtering of HTTP GET requests only, mainly controlling access to common web pages; HTTPS traffic is handled by the separate HTTPS URL Filter. Click Basic Filter and the configuration page pops up, as follows.

[Screenshot: Edit Access Control Policy. Policy _Template "prevent Trojan". Description: "Identify risky Internet activity, alarm on information disclosure, deny malicious software". Expiry Date: Never expire / Expired on. Status: Enable / Disable.]
296. ...rd authentication.

12.3 Web Tracking

Web Tracking options define how detailed the access logs audited by the IAM gateway device are.

[Screenshot: Advanced > Web Tracking page.]
Optimize access logs: only record recognized text web pages; a page is recorded only once if the same domain is visited again within a short period; only visited text/html web pages are recorded.
Only record root domain name of visited webpages: enable it to record only the root domain name, such as www.sohu.com or news.sohu.com; URLs such as www.sohu.com/xxxx/xxxx.shtml or news.sohu.com/xxxx/xxx are not recorded.
Record all visited webpages: not recommended, because it generates an access log entry for each element of the requested page, such as images and scripts, producing a mass of logs.
Do not record the following file types downloaded by HTTP (use commas to separate file types, e.g. jpg, gif, swf). The list shown on the page is: gif, jpg, swf, htm, html, css, js, shtml, png, cgi, xml, asp, php, jsp.
Do not record URLs with the following prefixes (one prefix per row).
Do not record URLs with the following suffixes (one suffi...

Whatever is excluded here is not available later in the Data Center for investigation, so compare the exclusion lists against your audit requirements before narrowing the log.
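The reduction rules above (skip excluded file types, prefixes and suffixes, collapse a URL to its host when only the root domain is recorded, and record a host only once within a short period) can be expressed as a filter over the raw request stream. The following is an added example, not code from the page or from SANGFOR. The constructed log entries, the 60-second de-duplication window, the smaller file-type list and the rule that a prefix is compared against the URL with its scheme removed are all assumptions; the page does not say how long "a short period" is or whether prefixes include the scheme.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class TrackingOptions:
    root_domain_only: bool = True   # "Only record root domain name of visited webpages"
    skip_types: frozenset = frozenset()
    skip_prefixes: tuple = ()
    skip_suffixes: tuple = ()
    dedup_seconds: int = 60         # assumed length of the page's "short period"


def file_extension(path):
    """Extension of the last path element, lower-cased, or '' if none."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def reduce_url(url, opts):
    """Return the value to log for this URL, or None if it must not be recorded."""
    parts = urlsplit(url)
    bare = url.split("://", 1)[-1]          # host + path, scheme removed (assumption)
    if file_extension(parts.path) in opts.skip_types:
        return None
    if any(bare.startswith(p) for p in opts.skip_prefixes):
        return None
    if any(bare.endswith(s) for s in opts.skip_suffixes):
        return None
    return parts.hostname if opts.root_domain_only else bare


class AccessLogReducer:
    def __init__(self, opts):
        self.opts = opts
        self.last_seen = {}    # logged key -> timestamp of the last record
        self.records = []

    def offer(self, ts, url):
        """Feed one request; returns True if it produced a log record."""
        key = reduce_url(url, self.opts)
        if key is None:
            return False
        last = self.last_seen.get(key)
        if last is not None and ts - last < self.opts.dedup_seconds:
            return False           # same domain again within the window
        self.last_seen[key] = ts
        self.records.append((ts, key))
        return True


def reduce_log(entries, opts):
    reducer = AccessLogReducer(opts)
    for ts, url in entries:
        reducer.offer(ts, url)
    return reducer.records


# Constructed request stream: (seconds since start, URL).
SAMPLE_LOG = [
    (0, "http://www.sohu.com/"),
    (1, "http://www.sohu.com/style/main.css"),
    (2, "http://www.sohu.com/img/logo.png"),
    (5, "http://news.sohu.com/20100903/n1234.shtml"),
    (30, "http://www.sohu.com/sports/index.html"),
    (100, "http://www.sohu.com/finance/"),
    (101, "http://update.example.com/patch.bin"),
]
OPTS = TrackingOptions(skip_types=frozenset({"gif", "jpg", "png", "css", "js", "swf"}),
                       skip_prefixes=("update.",))
FULL_URL_OPTS = TrackingOptions(root_domain_only=False, skip_types=OPTS.skip_types,
                                skip_prefixes=OPTS.skip_prefixes)

if __name__ == "__main__":
    for rec in reduce_log(SAMPLE_LOG, OPTS):
        print(rec)
```

Seven requests collapse to three records with root-domain logging: the page elements are dropped by type, the second visit to www.sohu.com at 30 s is suppressed by the window, and the visit at 100 s is recorded again because the window has expired. Switching root_domain_only off keeps one record per distinct page, which is the trade-off between log volume and forensic detail the page describes.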
297. ...re: Operating System, Process, File, Registry, Task Plan and Others.
Rule Type: select the type for this ingress rule, or type a new user-defined rule type name directly into the text box that follows.

An Operating System ingress rule specifies the operating system a LAN computer must be running in order to access the Internet through the IAM gateway device. For instance, if the LAN computers of an enterprise run Microsoft Windows XP and the LAN users who have not installed the SP2 patch are to be kept from infecting the network with viruses, the following measure is taken: the IAM gateway device monitors all the Internet access packets from the LAN PCs; the PCs that have installed the SP2 patch can access the Internet, while the PCs that have not cannot. The detailed configuration procedure is as shown below.

[Screenshot: Edit Ingress Rule page. Classification: Operating System / Process / File / Registry / Task Plan / Others. Rule Type "windowsxp" (1 to 95 bytes; certain characters are not allowed). Rule Name. "Users can only use the enabled operating systems in the following table." Table columns: Operating System, Version, Patch Version, Status; rows Windows 95 Disable, Windows 98 Disable, Windows ME Disable, Windows NT Disable, Windows 2000 Disable, Windows XP Disable, Windows 2003 Disable, Wind...]
298. ...re the smooth transmission of the data.

13.3.8 Local Subnet List

Local Subnet List is used when there are multiple subnets in the local area network of the IAM gateway device and the branch VPN users also need to reach the other subnets of this network (the VPN headquarters). For example, there are two subnets, 192.200.100.x and 192.200.200.x. We configure the Local Subnet List so that the branch VPN, the mobile VPN and the VPN headquarters can interconnect with each other. The detailed steps are as follows.

Step 1: Configure the related subnets in the Local Subnet List. The configuration page is as shown below.

[Screenshot: VPN > Local Subnet List page with the columns Subnet Segment and Subnet Mask and an <Add> button.]

Subnet Segment / Subnet Mask: configures the network ID of the other LAN and its subnet mask.

Step 2: Configure the route for the related subnets in the Static Routing page. For the detailed configuration page, refer to Section 3.14.2, Static Routing.

The Lo...
299. ...reate group automatically.

[Screenshot: IAM > User Import page, with the organization structure (e.g. hw, 2222) on the left and the import format notes on the right.]

Import file format:
First row: the column headings, 7 fields: Username, Group, IP Address, MAC Address, Auth Method, Description and Password. One record per row.
Fields are separated by vertical bars (|). If a field has multiple values, use commas (,) to separate them.
Binding multiple IP addresses or ranges is supported. When multiple IP addresses are bound, MAC binding is not supported; the MAC address is ignored even if it is entered.
The format of an IP range is start IP-end IP. The format of a MAC address is six two-digit hexadecimal groups (ee ee ee ee ee ee).
The values of the Auth Method field are noauth (authentication not required), acpass (authentication with a customized password), ldap (LDAP authentication), pop3 (POP3 authentication) and radius (RADIUS authentication).
Description cannot contain the special characters listed on the page.
Group name should contain the full path with the separator at the beginning and the end, and no space before or after the separator, e.g. /Head Office/R&D/.

Column Headings: defines the columns of the user table. It supports importing User Name, Group, IP Address, MAC Address, Auth Method (authentication method), D...
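A validator for the import format above catches malformed files before they create users with the wrong bindings. This is an added example, not code from the page or from SANGFOR, and it serves both copies of the format notes in this section. Its assumptions: "/" is the group path separator (the character did not survive extraction), a MAC address may be written with ":" or "-" between the six groups, a record with Auth Method acpass must carry a Password, and the sample file is constructed.

```python
import ipaddress
import re

COLUMNS = ["Username", "Group", "IP Address", "MAC Address",
           "Auth Method", "Description", "Password"]
AUTH_METHODS = {"noauth", "acpass", "ldap", "pop3", "radius"}
SEP = "/"   # assumption: group path separator
# assumption: six two-digit hex groups joined by ":" or "-"
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.IGNORECASE)


def parse_ip_field(field):
    """'a.b.c.d' or 'start-end' entries, comma separated -> [(start, end), ...]."""
    ranges = []
    for item in filter(None, (s.strip() for s in field.split(","))):
        start, _, end = item.partition("-")
        a = ipaddress.IPv4Address(start.strip())
        b = ipaddress.IPv4Address(end.strip()) if end else a
        if b < a:
            raise ValueError(f"IP range end before start: {item}")
        ranges.append((str(a), str(b)))
    return ranges


def validate_group_path(path):
    """Full path, separator at both ends, no empty names, no space next to a separator."""
    if not (path.startswith(SEP) and path.endswith(SEP)):
        raise ValueError(f"group path must start and end with {SEP!r}: {path!r}")
    for part in path[1:-1].split(SEP):
        if part == "" or part != part.strip():
            raise ValueError(f"empty group name or space next to a separator: {path!r}")
    return path


def parse_import(text):
    """Return (records, warnings); raises ValueError on the first hard error."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    if header != COLUMNS:
        raise ValueError("header must be " + "|".join(COLUMNS))
    records, warnings = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} fields, got {len(fields)}")
        user, group, ip_field, mac, auth, desc, password = fields
        if not user:
            raise ValueError(f"line {lineno}: empty Username")
        validate_group_path(group)
        ranges = parse_ip_field(ip_field)
        # The page: with several IPs bound, MAC binding is not supported and is ignored.
        if mac and (len(ranges) > 1 or any(a != b for a, b in ranges)):
            warnings.append(f"line {lineno}: MAC ignored because several IP addresses are bound")
            mac = ""
        if mac and not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if auth not in AUTH_METHODS:
            raise ValueError(f"line {lineno}: unknown Auth Method {auth!r}")
        if auth == "acpass" and not password:      # assumption, see lead-in
            raise ValueError(f"line {lineno}: acpass requires a Password")
        records.append({"user": user, "group": group, "ips": ranges, "mac": mac.lower(),
                        "auth": auth, "description": desc, "password": password})
    return records, warnings


# Constructed sample file.
SAMPLE = """\
Username|Group|IP Address|MAC Address|Auth Method|Description|Password
alice|/Head Office/R&D/|192.168.1.10|90:F0:CF:85:9E:76|noauth|R&D lead|
bob|/Head Office/Sales/|192.168.2.10-192.168.2.20,192.168.3.5|00:11:22:33:44:55|ldap|sales pool|
carol|/Head Office/R&D/|192.168.1.11||acpass|contractor|S3cret!
"""

if __name__ == "__main__":
    recs, warns = parse_import(SAMPLE)
    print(len(recs), "records;", warns)
```

The second record shows the silent behaviour worth surfacing as a warning: bob's MAC is discarded because his IP field binds a range plus a single address, so the account ends up bound to IP only. A validator that reports this before the import is the check a practitioner wants, since an IP-only binding is the weaker identity.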
300.

[Screenshot: System > Maintenance > Advanced page with Enable / Disable for each of the three options.]
Auto Upload Unknown URL: enabled by default. When enabled, the URLs not recognized by the internal URL library are reported automatically. The function will not disclose your company's information.
Auto Report System Error: enabled by default. When enabled, system error messages are reported automatically. The function will not disclose your company's information.
Auto Report Unknown Application: enabled by default. When enabled, unrecognized applications are reported automatically. The function will not disclose your company's information.

Auto Upload Unknown URL: select Enable, and the unknown URLs found while using the IAM gateway device are uploaded automatically.
Auto Report System Error: select Enable, and the anomaly information found while using the IAM gateway device is uploaded automatically.
Auto Report Unknown Application: select Enable, and the unknown application information found while using the IAM gateway device is uploaded.
Because the items reported are the unrecognized URLs and applications themselves, review these three options against your organization's data-handling policy before leaving them enabled.

3.13 Auto Update

Auto Update: configure the update options of the internal Virus Library, URL Library, Gateway Firmware, Application Ident Rule, Ingress Rule...
301. ...resent one.

3.11 Reboot

You can Reboot Gateway or Restart Service on this page, as shown below.

[Screenshot: System > Reboot page with the buttons <Reboot Gateway> and <Restart Service>.]

3.12 Maintenance

Maintenance defines whether to allow remote login through the external network interface, whether to Auto Upload Unknown URL, whether to Auto Report System Error and whether to Auto Report Unknown Application. Allowing remote login on the external interface exposes the management interface to the Internet; keep it disabled unless it is required.

[Screenshot: System > Maintenance page with Remote Login: Enable / Disable.]

Under the default configuration page, click the <Advanced> button to enter the System > Maintenance > Advanced page and configure Auto Upload Unknown URL, Auto Report System Error and Auto Report Unknown Application, as shown below.

[Screenshot: System > Maintenance > Advanced page.]
302. ...ress 200.200.76.210.

[Screenshot: Route mode network settings. WAN Interface Settings: IP address 200.200.76.210, subnet mask, secondary DNS 202.96.134.133, default gateway 200.200.78.254. Proxy settings: LAN interface Internet access; Egress Interface: WAN; Proxy Network Segment (network and mask); Translate Source IP To: use interface address.]

3.4.2 Bridge Mode

In bridge mode the IAM gateway device acts as a network cable with a filtering function. This mode is usually applied where the original network topology is inconvenient to alter. The IAM gateway device sits between the original gateway and the LAN users; nothing is changed on the original gateway or on the LAN users, and neither the original gateway nor the LAN hosts notice the existence of the IAM device. This is why it is called transparent deployment for the original gateway and the LAN users. Bridge mode passes data-link-layer traffic through and is completely transparent to users. Generally, if the IAM gateway is deployed as shown in the following figure, bridge mode is recommended.

(SANGFOR IAM v2.1 User Manual, p. 24)

[Figure: bridge-mode deployment topology.]

The configuration page is as shown below.

[Screenshot: bridge mode configuration page.]
303. ...rmation websites | <Edit>
4 | Adult | adult websites | <Edit>
5 | Counteraction | superstition, anti-Party, anti-government and anti-social websites | <Edit>
6 | Gambling | gambling websites | <Edit>

The IAM gateway device is delivered with a large number of built-in URL groups. You can add new URLs to the URL library if necessary, in addition to using the existing built-in URLs.

[Screenshot: Object > URL Group > Edit URL Group page. Name: Job Search. Description: "Includes various job searching websites". URL list (format: one URL per row) with <Add URL> and <Clear> buttons. Domain Name Keyword list (format: one keyword per row). Note on the page: "If a visited domain contains the following keywords it will be identified as the current URL group. Domain Name Keyword has lower priority than the internal URL library and the customized URL library."]

Name: name the new URL group.
Description: type a brief description of this new URL group.
URL: type the domain name (URL) into the text box. The URL group consists of the URLs in this list. The wildcard character is supported. Add UR...
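The lookup order the page states (internal URL library first, then customized URL groups, then domain name keywords) decides which group a visited domain lands in when several sources could claim it. The following is an added example, not code from the page or from SANGFOR. The three tables are constructed stand-ins for the real library and groups, "*" is assumed to be the supported wildcard, and a keyword is assumed to match anywhere in the host name, as the page's "contains" suggests.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed stand-ins, in the page's priority order: internal > customized > keyword.
INTERNAL_LIBRARY = {"news.example.net": "News", "mail.example.net": "Webmail"}
CUSTOM_GROUPS = {
    "Job Search": ["*.jobs-example.com", "careers.example.org"],
    "Gambling": ["lucky-jobs.example"],
}
DOMAIN_KEYWORDS = {
    "Job Search": ["job", "career"],
    "Gambling": ["casino", "bet"],
}


def host_of(url):
    """Host part of a URL or bare domain, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def classify(url):
    """Return (group name, source) or (None, None) when no source claims the host."""
    host = host_of(url)
    if host in INTERNAL_LIBRARY:
        return INTERNAL_LIBRARY[host], "internal"
    for group, patterns in CUSTOM_GROUPS.items():
        if any(fnmatchcase(host, pattern.lower()) for pattern in patterns):
            return group, "custom"
    for group, words in DOMAIN_KEYWORDS.items():
        if any(word in host for word in words):
            return group, "keyword"
    return None, None


if __name__ == "__main__":
    for u in ["http://news.example.net/a.html", "www.jobs-example.com",
              "jobs-example.com", "lucky-jobs.example", "alphabet.example"]:
        print(u, "->", classify(u))
```

Two results are worth noting when building groups. A wildcard entry "*.jobs-example.com" does not cover the bare domain "jobs-example.com", which then falls through to the keyword tier; add the bare domain explicitly if it must be in the customized group. And a short keyword such as "bet" matches "alphabet.example", so keyword entries should be reviewed for substrings of unrelated names, which is why the page ranks them below the explicit URL lists.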
304. ...roup policy | Subgroup Count: 0 | User Count: 0

Check the needed subgroup(s) or user(s) to be moved and click the <Select> button; choose a target group in the organization structure and click <OK>. The selected member(s) are then moved to the target group.
<Return to Upper Level Group>: click this button to go back to the configuration page of the upper-level group.
<Export>: click it to export the structure or the members of the current group in order to save them. The exported information includes the properties.
<Import Organization Structure>: click it to import an exported structure or its members into the current group in order to copy them to another structure. The imported information includes the properties. For instance, to copy the members of hw to 2222, the configuration is as shown below.

[Screenshot: IAM > Organization Structure > Group Settings. Group Path; Source: Created by administrator; Group Information: Subgroups 2, direct users 0, total users including subgroups 1; Operation Result: "hw: Move successfully"; Advanced Settings. Group list: 2222 (Use parent group policy, Subgroup Count 0, User Count 1) and hw (Use parent group policy, Subgroup Count 0, User Count 0).]

<Return to Upper Leve...
305. ...roups: 2, direct users: 0, total users including subgroups: 1.

[Screenshot: Advanced Settings > Access Control Policy list. "Use Parent Group Policy" checkbox. Policies: _Template Basic Internet Access ("Allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable relative audit", Enabled) and _Template Block All P2P ("Block all P2P download tools", Enabled). <Add Policy> button.]

(SANGFOR IAM v2.1 User Manual, p. 188)

Use Parent Group Policy: check this option and the policies are inherited from, and exactly the same as, those of the parent group; you cannot perform any operation on them, such as adding, moving up or down, or deleting a policy. Uncheck this option and the group can be associated with access control policies of its own.
<Select All> / <Inverse>: click to select the needed policies.
<Add Policy>: click this button and select a policy to add it to the policy list. The configuration page is as shown below.

[Screenshot: IAM > Organization Structure > Group Settings > Access Control Policy picker. Group Information as above; Member List; "Use Parent Group Policy"; available policies: _Template Block All P2P, _Template Monitor IM chat content, _Template Anti-phishing webpage, _Template Open all Internet access privilege and audit ("Allow DNS, HTTP, HTTPS, FTP, Mail, MSN; enable relative audit", Enabled), _Template Open all Internet access privileg...]
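How a request is finally decided depends on three things this section describes in separate places: which policy list a group uses (its own, or its parent's when Use Parent Group Policy is set), the top-to-bottom rule order inside each policy with its service and schedule objects, and the note on the Service Control and Application Control pages that with several policies associated, the default action of the next policy is adopted and matching continues downwards. The following is an added example that models all three, not code from the page or from SANGFOR. The service and schedule objects, the group tree and the policies are constructed; reading the note as "only the last associated policy's Default Action applies" is an interpretation; and a group with no policy at all is treated as deny here because the page does not say what the gateway does in that case.

```python
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

# Constructed Object > Service entries: protocol and destination port range.
SERVICES = {
    "HTTP": ("tcp", 80, 80),
    "HTTPS": ("tcp", 443, 443),
    "DNS": ("udp", 53, 53),
    "SMTP": ("tcp", 25, 25),
    "All_TCP_Service": ("tcp", 1, 65535),
}
# Constructed Object > Schedule entries.
SCHEDULES = {
    "All day": lambda t: True,
    "Office hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 18,
}


@dataclass
class Rule:
    service: str
    action: str                  # "allow" or "deny"
    schedule: str = "All day"
    dest: str = "0.0.0.0/0"      # Destination IP group, simplified to one CIDR


@dataclass
class Policy:
    name: str
    rules: list
    default_action: str = "allow"


@dataclass
class Group:
    name: str
    parent: "Group | None" = None
    use_parent_policy: bool = True
    policies: list = field(default_factory=list)


def effective_policies(group):
    """With Use Parent Group Policy set, the list is exactly the parent's (recursively)."""
    g = group
    while g.use_parent_policy and g.parent is not None:
        g = g.parent
    return g.policies


def rule_matches(rule, proto, dst_ip, dst_port, when):
    p, lo, hi = SERVICES[rule.service]
    return (p == proto and lo <= dst_port <= hi
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dest)
            and SCHEDULES[rule.schedule](when))


def decide(group, proto, dst_ip, dst_port, when):
    """First matching rule across the associated policies wins; otherwise the last policy's default."""
    policies = effective_policies(group)
    for pol in policies:
        for rule in pol.rules:
            if rule_matches(rule, proto, dst_ip, dst_port, when):
                return rule.action, f"{pol.name}/{rule.service}"
    if not policies:
        return "deny", "no policy associated"     # assumption: fail closed
    last = policies[-1]
    return last.default_action, f"{last.name}/default"


# Constructed organization structure.
ROOT = Group("/", use_parent_policy=False, policies=[
    Policy("Deny web in office hours",
           [Rule("HTTP", "deny", "Office hours"), Rule("HTTPS", "deny", "Office hours")]),
    Policy("Basic Internet Access",
           [Rule("DNS", "allow"), Rule("HTTP", "allow"), Rule("HTTPS", "allow")],
           default_action="deny"),
])
RND = Group("R&D", parent=ROOT)                         # inherits ROOT's two policies
SALES = Group("Sales", parent=ROOT, use_parent_policy=False, policies=[
    Policy("Open all Internet access", [Rule("All_TCP_Service", "allow")]),
])
MONDAY_10 = datetime(2010, 9, 6, 10, 0)
SATURDAY_10 = datetime(2010, 9, 4, 10, 0)

if __name__ == "__main__":
    print(decide(RND, "tcp", "203.0.113.10", 80, MONDAY_10))
    print(decide(RND, "tcp", "203.0.113.10", 25, MONDAY_10))
```

For R&D, web traffic on a Monday morning hits the deny rule in the first policy; the same request on Saturday falls through the first policy (its schedule does not match) and is allowed by the second; SMTP matches no rule anywhere and takes the last policy's deny default. Sales, with inheritance switched off, is decided by its own single policy. The practical point is the order of the associated policies: moving "Basic Internet Access" above the office-hours policy would allow HTTP before the deny rule is ever reached.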
306. ...rowed by another virtual line, and the total bandwidth of all the virtual lines must NOT exceed the total bandwidth of the physical line. One IAM gateway device supports a maximum of 4 virtual lines. The configuration page is as shown below.

[Screenshot: Bandwidth Management > Bandwidth Settings > Virtual Line page. Line 1: uplink 512 kbps, downlink (kbps); Line 2: uplink 800 kbps, downlink (kbps); <Add>, <Delete>. Import Configuration (the imported configuration will not impact or overwrite the original one); Export Configuration (export the configuration file of virtual line rules); Import Rule (import virtual line rules). Virtual Line Rule List with the columns LAN Interface, WAN Interface, LAN IP, WAN IP, Protocol, LAN Port, WAN Port, Line, Operation (<Edit>, <Up>, <Down>): one rule matching all traffic to Line2, and the Default rule (all) to Line1. "Move Selected Rule To: First row / Last row / No."]

Click <Add> to create a new line, configure this line and then click the <Save> button, as shown below.

[Screenshot: Virtual Line > System Settings > Lin...]
307. ...rresponding keyword(s) and configure the Action as Deny.
<Select All> / <Inverse>: click the corresponding button to select the needed file type(s).
<Move Up> / <Move Down>: click the corresponding button to move the selected file type(s) up or down.
<Deny>: click this button to set the Action of the selected file type(s) to Deny.
<Disable>: click this button to undo the Deny selection.
Having completed configuring this page, you have to click the <OK> button to save the settings.

Download: configures the file type filtering function to control the download of certain types of file, based on the file's extension. For example, if a LAN user is downloading an MP3 or movie file, the access control policy will filter these files. The operating procedure is similar to that of Upload; for details, refer to the related sections above. Because the decision is made on the extension alone, a file renamed to a permitted extension is not caught by this filter.

Note: The rules configured under the Upload and Download pages are specific to HTTP and FTP; the IAM gateway device only inspects and analyzes the extension names of files transmitted through the web and FTP communication ports. White List Group is only valid for HTTP upload and download. You can add a maximum of 16 white list groups, and each white list group supports a maximum of 512 URL entries. The domain name in a white list group can be partially matched. For instance, for the domain name...
308. ...rst three methods require automatic binding but need no password.

[Screenshot: New User Policy. Processing Method: Take IP address as new user / Take MAC address as new user / Take host name as new user / Get authenticated on server (password required). Add to Organization Structure: select a group in the organization structure for authenticated new users; "Automatically add authenticated new users to the above group (new users using SSO will be added by default)". Binding Option: No binding / Bind IP address / Bind MAC address / Bind IP address and MAC address. Note on the page: when Processing Method is taking the IP address, MAC address or host name as new user, you cannot select No binding, otherwise the policy will be invalid.]

Name: type a name for this new user policy.
IP Address List: configures the IP address(es) to which this new user policy applies. Only a user whose IP address is in the list is matched by this policy.
Handling methods for a new user are:
Take IP address as new user: automatically add the new user to the user list, taking the IP address of this user as its user name.
Take MAC address as new user: automatically add the new user to the user list, taking the MAC address of this user as its user name.
Take host name as new user: automatically add the new user to the user list, taking the host name of this user as its user name.
Get authenticated on server (password required): authentication is made through the third-party...

These first three methods identify the host without any credential, so the resulting user identity is only as trustworthy as the IP address, MAC address or host name it is bound to; use server authentication where user-level accountability matters.
309. ...rt and end port, e.g. 1-65535.

[Screenshot: Start port / End port, <Add>, <Clear List>. "Include data of ICMP protocol"; "Include data of other protocols". Advanced Settings.]

Defense Level: three levels of defense rules are provided by the SANGFOR IAM gateway device: High, Medium and Low. Select a level according to the actual security needs of your network.

(SANGFOR IAM v2.1 User Manual, p. 263)

All matching and suspicious attacks are recorded by the IAM gateway device and handled according to the action configured for the selected defense level. The detailed logs can be viewed in the Data Center of the IAM gateway.
Defense Time After Intrusion Is Detected: once an attack attempt is detected, the IAM gateway device defends against the attacker by denying all packets sent from that address for the next 180 seconds (default value). You can alter this value according to your case. Because the block is keyed on the source address, a spoofed source can cause a legitimate address to be blocked for the defense period; keep the value moderate and check the intrusion logs if a host loses connectivity unexpectedly.
Log Type of Intrusion Event: the options are Simple (record only the general information of the intrusion) and Detailed (record the data packets of the intrusion, which requires more storage capacity).
IPS Conditions: you can configure the options to defend data transmission among the WAN, LAN and DMZ zones against attacks according to your case. They are all enabled by default.
The defense ability of High, Medium and Low is in descending order. In general it is recommended to check High, which can ensure the s...
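The response described above (detect, then deny every packet from the source for the defense time, then lift the block) is a stateful block list with expiry, and the defense level and log type only change what is detected and how much is stored. The following is an added example that models that behaviour over a constructed packet stream; it is not code from the page or from SANGFOR. The three signatures, their byte patterns and the rule that a signature is enabled from a given defense level upwards are assumptions used to give the levels something to distinguish.

```python
LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Constructed signatures: (name, byte pattern, least aggressive level that enables it).
SIGNATURES = [
    ("path-traversal", b"../", "Low"),
    ("shell-metachar-in-query", b";cat ", "Medium"),
    ("scanner-user-agent", b"User-Agent: masscan", "High"),
]


def match_signature(payload, level):
    """Name of the first enabled signature found in the payload, or None."""
    for name, pattern, min_level in SIGNATURES:
        if LEVELS[level] >= LEVELS[min_level] and pattern in payload:
            return name
    return None


class IntrusionBlocker:
    def __init__(self, level="High", defense_seconds=180, log_type="Simple"):
        self.level = level
        self.defense = defense_seconds      # "Defense Time After Intrusion Is Detected"
        self.log_type = log_type            # "Simple" or "Detailed"
        self.blocked_until = {}             # source IP -> time the block expires
        self.events = []                    # intrusion log

    def is_blocked(self, now, src):
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                    # defense time elapsed: lift the block
            del self.blocked_until[src]
            return False
        return True

    def inspect(self, now, src, payload):
        """Verdict for one packet: 'pass', 'drop (blocked)' or 'drop (<signature>)'."""
        if self.is_blocked(now, src):
            return "drop (blocked)"
        sig = match_signature(payload, self.level)
        if sig is None:
            return "pass"
        self.blocked_until[src] = now + self.defense
        self.events.append({
            "time": now, "src": src, "signature": sig,
            # Detailed logging keeps the packet; Simple keeps the summary only.
            "packet": payload if self.log_type == "Detailed" else None,
        })
        return f"drop ({sig})"


def run(packets, **options):
    """Feed packets in time order; return (verdicts, intrusion events)."""
    ips = IntrusionBlocker(**options)
    verdicts = [ips.inspect(t, src, payload) for t, src, payload in sorted(packets)]
    return verdicts, ips.events


# Constructed packet stream: (seconds, source IP, payload).
PACKETS = [
    (0, "203.0.113.5", b"GET /index.html HTTP/1.1"),
    (1, "203.0.113.5", b"GET /../../etc/passwd HTTP/1.1"),
    (2, "203.0.113.5", b"GET /index.html HTTP/1.1"),
    (100, "203.0.113.5", b"GET /about HTTP/1.1"),
    (181, "203.0.113.5", b"GET /about HTTP/1.1"),
    (3, "198.51.100.9", b"GET / HTTP/1.1\r\nUser-Agent: masscan/1.0"),
    (4, "198.51.100.9", b"GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for verdict in run(PACKETS)[0]:
        print(verdict)
```

At the High level the traversal attempt at 1 s blocks 203.0.113.5 until 181 s, so its harmless requests at 2 s and 100 s are dropped and the one at 181 s passes again; the scanner signature only exists at High, so at Low the second host is never blocked. The events list is what the Data Center would show, and the Detailed log type is the only one that retains the offending packet for later analysis.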
310. ...rvices | <Edit> | <Delete>
All ICMP Services | All ICMP Services | <Edit> | <Delete>
All Services | All Services | <View>

[Screenshot: VPN > Advanced > LAN Service page, with the VPN menu (Basic Settings, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy, Local Subnet List, Tunnel Route, IPSec Connection, Common Settings, Advanced: VPN Interface, LAN Service).]

Generally speaking, there are two steps to configuring a user's privilege to access a LAN service: (a) create the LAN service; (b) configure the privileges of the corresponding user. Take the following case as an example: allow the IP address 172.16.1.200 of branch1 to access the FTP server 192.168.1.20 of the headquarters; requests for other services, or requests initiated by other IP addresses, are denied. The detailed configuration steps are as follows.

Under the default configuration page LAN Service, click the <New> button to open the Edit LAN Service configuration dialog, as shown below.

(SANGFOR IAM v2.1 User Manual, p. 299)

[Screenshot: Edit LAN Service dialog. Service Name: "only provide 172.16.1.200 with services". Description. Protocol: TCP (checked), UDP, ICMP. TCP List: Source IP Range 172.16.1.200-172.16.1.200, Source Port Range 1-65535, Destination IP Range 192.168.1.20-192.168.1.20, Destination Port Range 1-65535; <Edit>, <Delete>, <OK>, <Cancel>.]

Note that the Destination Port Range in this example is 1-65535, which permits every TCP service on 192.168.1.20, not only FTP. If only FTP is to be reachable, narrow the Destination Port Range to the FTP control port (21) and the passive data port range the server uses.

Step 1: Type a name in the Service Name text box and check the protocol; in this example it is F...
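The LAN service above is a five-tuple access list, and the earlier remark that replies from other headquarters computers are denied follows directly from it: only a flow whose far end is 192.168.1.20 matches. The following is an added example that evaluates such entries, not code from the page or from SANGFOR; the entry and service classes are stand-ins for the Edit LAN Service dialog, the narrowed FTP-only variant and its passive port range 50000-50100 are assumptions, and treating a packet as an allowed reply when it is the exact reverse of a permitted entry is a stateless approximation of what a VPN gateway would track per connection.

```python
import ipaddress
from dataclasses import dataclass


def ip_range(text):
    """'a.b.c.d' or 'start-end' -> (IPv4Address low, IPv4Address high)."""
    start, _, end = text.partition("-")
    lo = ipaddress.IPv4Address(start.strip())
    hi = ipaddress.IPv4Address(end.strip()) if end else lo
    return lo, hi


def port_range(text):
    """'21' or '1-65535' -> (low, high)."""
    start, _, end = text.partition("-")
    lo = int(start)
    return lo, int(end) if end else lo


@dataclass
class Entry:
    src: str
    sport: str
    dst: str
    dport: str

    def matches(self, src, sport, dst, dport):
        s_lo, s_hi = ip_range(self.src)
        d_lo, d_hi = ip_range(self.dst)
        sp_lo, sp_hi = port_range(self.sport)
        dp_lo, dp_hi = port_range(self.dport)
        return (s_lo <= ipaddress.IPv4Address(src) <= s_hi and sp_lo <= sport <= sp_hi
                and d_lo <= ipaddress.IPv4Address(dst) <= d_hi and dp_lo <= dport <= dp_hi)


@dataclass
class LanService:
    name: str
    entries: dict    # protocol -> [Entry, ...]; a protocol with no entries is denied

    def permits(self, proto, src, sport, dst, dport):
        """Forward direction: does any entry for this protocol match the packet?"""
        return any(e.matches(src, sport, dst, dport) for e in self.entries.get(proto, []))

    def flow_allowed(self, proto, src, sport, dst, dport):
        """Allow a packet that matches an entry, or that is the exact reverse of one (a reply)."""
        return (self.permits(proto, src, sport, dst, dport)
                or self.permits(proto, dst, dport, src, sport))


# The service as configured in the manual's example.
MANUAL_EXAMPLE = LanService("only provide 172.16.1.200 with services", {
    "tcp": [Entry("172.16.1.200-172.16.1.200", "1-65535",
                  "192.168.1.20-192.168.1.20", "1-65535")],
})
# Narrowed to FTP: control port plus an assumed passive data port range.
FTP_ONLY = LanService("ftp only", {
    "tcp": [Entry("172.16.1.200", "1-65535", "192.168.1.20", "21"),
            Entry("172.16.1.200", "1-65535", "192.168.1.20", "50000-50100")],
})

if __name__ == "__main__":
    print(MANUAL_EXAMPLE.permits("tcp", "172.16.1.200", 4000, "192.168.1.20", 21))
    print(MANUAL_EXAMPLE.permits("tcp", "172.16.1.200", 4000, "192.168.1.20", 3389))
    print(FTP_ONLY.permits("tcp", "172.16.1.200", 4000, "192.168.1.20", 3389))
```

The checks show both halves of the manual's statement: the FTP request from 172.16.1.200 is permitted and its reply from 192.168.1.20 passes as the reverse flow, while a packet from any other headquarters host, or from any other branch address, is dropped. They also show the caveat above: with 1-65535 as the destination port range, port 3389 on the FTP server is reachable too, and only the narrowed service stops that.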
311. ...s. All the already audited emails, or the emails waiting to be sent, are listed here, as shown in the above figure. The audited emails can be searched for in the Data Center of the IAM gateway device: click Internet Access Audit > Enter Data Center to get into the internal Data Center.

9.3 Unaudited Email

[Screenshot: Delayed Email Audit > Unaudited Email page. Search Unaudited Email: Search By Group / User / IP address; Group: search emails of a specific group; Records Per Page. Unaudited Email List with page navigation. <Select Priority>: High.]

Search By: select an object, Group, User or IP address, then click the <Search> button to list the matching unaudited emails. Click <Download> to view the contents of the corresponding email.
<Select All> / <Inverse>: click to select the needed email(s). Having audited a selected email, click the <Approve> button to let the selected email pass, or click the <Delete> button to delete the selected email(s).
<Select Priority>: select a prior...
312. ...s.
<Close Drop List>: click this button to close the Drop list and disable the bypass function. The Drop List is as shown below.

[Drop list output. Header: "Drop list enable: Yes, bypass: Yes". Columns: Time, Source, Action, Proto, IP, Dev, Len, Line, dropflag. The visible entries are all timestamped 11:11:19 and attributed to the firewall; they are 40-byte TCP packets between 192.168.1.106:2390 on eth1 and 124.115.5.231:443 on eth2, flagged httporssl.]

Set Conditions is recommended to be configured. With these conditions you can filter out irrelevant information and make troubleshooting more accurate and simpler. After policy troubleshooting, DO remember to close the Drop list, because this function c...
313. s (Figure: System menu: License, Gateway Mode, Network Interface, Multi-Node Sync, Date/Time, Administrators, Web UI, Backup/Restore, Reboot, Maintenance, Auto Update, Route (Policy Routing, Static Routing); Policy Routing page with Import and Export and the Policy Routing List, whose columns are Route Name, Source IP, Destination IP, Protocol, Source Port, Destination Port, Line and Operation, plus the Move Selected Policy To: First row / Last row / No. control.) Import Policy Routing: Browse, select and import a file. Export Policy Routing: Export the configuration file of policy routing. Policy Routing List: Displays the existing policy-based routings. If there are multiple applicable policy routings, the upper policy routing has higher priority to be matched. Click <Up> or <Down> to move the routing up or down respectively, or select an existing policy routing and then select First row, Last row or No. to move this rule to the top, to the bottom or to a specified row. Click the <Add> button to enter the Edit Policy Routing page, as shown below. 48 SANGFOR IAM v2.1 User Manual (Figure: Edit Policy Routing page: Source IP: All / Single IP / IP range / Subnet; Destination IP: All / Single IP / IP range / Subnet; Protocol: Select protocol type.) 4
314. s (Figure: Optimization Status page: Cached Objects: Memory objects 12, Disk Objects 2; Statistics Time: Last 24 hours / Last 7 days / Last 30 days; Save Preferences; Statistics Graph: Bar graph / Pie graph, Object hit; Note: Instant Request means it is not hit by cache; Cache Hit Over Last 24 Hours: Disk Hit 2, Memory Hit 5, Instant Request 388.) Memory Hit: Indicates the cached data in the memory of the IAM gateway device being hit by the data requested by the LAN user and being accelerated. Disk Hit: Indicates the cached data in the disk of the IAM gateway device being hit by the data requested by the LAN user and being accelerated. Instant Request: Indicates the data requested by the LAN user for the first time, or the requested data that are not hit by the cached data. No Cache: Indicates the requested data that the extranet server declares not allowed to be cached, or that the browser of the LAN user declares not allowed to be cached, and also indicates the object that is larger than the object size limit configured in the WAN Optimization > Proxy Options page (WAN Optimization > Basic Settings > Other Settings). 6.2 Proxy Options. Proxy Options covers System Settings and Parameter Settings, as shown below. (Figure: WAN Optimization > Proxy Options page.) I
315. s (Table of contents, partly illegible: Tunnel Route 285; IPSec Connection 289; Device List 289; 13.3.10.2 Security Option 291; 13.3.10.3 Outbound Policy 293; 13.3.10.4 Inbound Policy 294; further entries at pages 296, 296, 298, 298, 298, 302 and 303; Radius Server 304; Generate Certificate 305; Chapter 14 DHCP 306; 14.1 DHCP Status 306; 14.2 DHCP Settings 306; a further entry at page 309; Appendix A Gateway Client Updater 310; Appendix B Acronyms And Abbreviations 317.) Announcement: Copyright © 2010 SANGFOR Technology Co., Ltd. All rights reserved. No part of the contents of this document shall be extracted, reproduced or transmitted in any form or by any means without prior written permission of SANGFOR. SANGFOR, SANGFOR Technology and the SANGFOR logo are the trademar
316. s for audit, in association with the configurations of source address, email title, email contents and attachment file type. For a detailed configuration guide please follow the notes on the interface. The configuration page is as shown below. (Figure: Edit Access Control Policy > Email Filter: single policy / multiple policies; Expiry Date: Never expire / Expired on; Status: Enable / Disable; Enable Email Filter (Send, Receive Mail, Delayed Email Audit); Deny emails sent from the addresses with the following suffixes (Note: abc.com includes abc.com and abc.com.cn); Only allow emails sent from the addresses with the following suffixes (same note); Deny emails containing the following keywords in title or content (Note: Regular expression is supported; for example key d will match keyd and keyword); Deny emails containing the attachments of the following types (Note: Format is zip, .zip or *.zip; one file extension per row); Enable Spam Filter (only applied to incoming emails).) Email Filter. Enable Email Filter: Check the two items to activate the email filtering function. For instance, if you want the LAN users to use only the email address provided by the enterprise itself, select Only allow emails sent from the addresses with the following suffixes and then type vpn.com.cn in the text box. This configuration
317. s item to enable the identification function, and the SSL-encrypted WEBMAIL, WEB BBS, POP3 and SMTP contents will be identified, excluding financial services such as online banking, online payment, etc. Audit/Control Website List (only audit and control the following websites): This function is only available when Enable SSL content identification is checked. You have to add the domain name of the website whose SSL-encrypted contents are to be audited or controlled, one entry (domain name) per row. If it is left blank, no SSL application will be identified. Control SSL transferred content: Check this option and the SSL objects will be controlled. As to the detailed items to be controlled, please configure them in the Access Control Policy > Edit Access Control Policy page > Access Control and Web Filter. Audit SSL transferred content: Check this option and the identified SSL objects will be audited. As to the detailed items to be audited, please configure them in the Access Control Policy > Edit Access Control Policy page > Application Audit. <Click to download SSL ident root certificate>: Click this link to download the legal SSL certificates, so as to eliminate the security alarm caused by enabling the SSL content identification function. The SSL content identification function is invalid for financial services such as online banking, online payment, etc. 7.1.2.5
318. s some built-in and frequently used firewall rules, which by default let pass all the data packets from the external networks. 5.1.4 VPN<->WAN. VPN<->WAN configures the firewall filtering rule for data transmission between the VPN interface and the WAN interface. If the VPN client connects to the headquarters VPN device and gets access to the Internet through it, you can then configure the filtering rule of VPN<->WAN on the headquarters VPN device to control the Internet access requests sent from the client terminal (branch VPN user or mobile VPN user). The configuration page is as shown below. (Figure: Firewall > Firewall Rules > VPN<->WAN rule list: Allow_To_Ping (Allow, VPN<->WAN, Ping), Pass_TCP (Allow, VPN<->WAN, All_TCP_Service), Pass_UDP (Allow, VPN<->WAN, All_UDP_Service), each listed twice with Source ALL, Destination ALL, Status Enable and Edit / Up / Down operations; the menu also shows LAN<->DMZ, DMZ<->WAN, WAN<->LAN, NAT Rules, Anti-DoS, ARP Protection and WAN Optimization.) 5.1.5 VPN<->LAN. VPN<->LAN configures the rul
319. s tunnel route directs, indicating the corresponding username selected in the VPN Settings > Connection Management > Edit Connection configuration dialog. In this example it is Guest Shanghai. Finally, check the Access Internet via Destination Route User option and click the <OK> button to activate the above settings. If the VPN headquarters device is configured as and deployed in Route mode, you have to configure a corresponding SNAT rule for the VPN segment in the Firewall > NAT Rules > SNAT configuration page. For a detailed configuration guide please refer to Section 5.2.1 SNAT. 13.3.10 IPSec Connection. The SANGFOR IAM gateway can connect with a third-party VPN device to establish a standard IPSec VPN connection. 13.3.10.1 Device List. Device List enables the SANGFOR IAM gateway device to connect with a peer VPN to establish a standard IPSec connection. It is the first phase of negotiation of the standard VPN protocol. The default configuration page of Device List is as shown below. (Figure: VPN Settings > IPSec Connection > Device List page; the VPN Settings menu shows VPN Status, Basic Settings, User Management, Connection Management, Virtual IP Pool, Multiline Settings, Multiline Routing Policy; the Security Option list shows the default security option ESP, MD5, 3DES with an Edit button.) Local Su
320. s virtual IP pool should be idle ones of the local area network where the local SANGFOR IAM gateway device is located. b. Allocate a virtual IP to a mobile VPN user. If the virtual IP is 0.0.0.0, the gateway device will automatically allocate a virtual IP address to this user. When the mobile VPN user connects in, the user will use the virtual IP address allocated (or automatically allocated) by the VPN headquarters SANGFOR IAM gateway. (Figure: VPN Settings > Virtual IP Pool page, listing IP Range and Operation, with <New> and <Advanced> buttons.) Click the <New> button to open the Virtual IP Settings configuration dialog and type the start IP and end IP. The dialog is as shown below. (Figure: Virtual IP Settings dialog.) Click the <Advanced> button to open the Advanced Settings configuration dialog and enter the DNS and WINS server addresses and the mask of the virtual IP that is to be allocated to the virtual network adapter of the mobile VPN user. The configuration dialog is as shown below. (Figure: Advanced Settings dialog.)
321. sed At (Figure: Object > Application Ident Rule page: Import Rule: Browse, select and import application ident rule file (2010-05-16 10:40:51); Priority Rules: Internal rules; Note: In the following list, rules in blue are internal rules, rules in red are customized and rules in grey are disabled; Application Ident Rule List, 672 items, grouped by category, including Stream and Net Protocol (12 items).) The key to identifying the application is to analyze the features of these data packets. SANGFOR will periodically provide the feature value definitions of software such as P2P, IM, etc. You can contact SANGFOR and apply for application identification rule packages to import the rules manually, or you can analyze data packets by yourself and define your own application identification rule by clicking the <Add> button. The pop-up Edit Application Ident Rule configuration page is as shown below. (Figure: Edit Application Ident Rule page: Basic Settings: Rule Name, Description, Classifica
322. selected user for minutes. (Figure: Flow Speed Ranking page: Search by User: zhy; Display Option: Top 10; Refresh Interval (seconds); Save Preferences; Note: When CPU usage is high and the page cannot be switched, please click Stop Refresh to stop automatic refresh; Downlink Flow Speed Ranking: Username, Group, IP Address, Application Type, Downlink, Application, Downlink, Hostname; Uplink Flow Speed Ranking: Username, IP Address, Application Type, Uplink, Application, Uplink.) The system will prompt that the command for blocking the user is sent successfully. Click the <Auto Update> button and you will see there is no flow caused by the blocked user, for the user's IP address is blocked from accessing the Internet. You can search for the blocked user(s) in IAM > Online Users: just select Blocked and then click the <Search> button. (Figure: IAM > Online Users page: Search Conditions: User Status: Online / Blocked; Search By: Group / User / IP range; Group: search for users in a specific group; Records/page; Prompt: The number of users matching the search conditions is 0; Online User List.) Key users, temporary users and the users that require no authent
323. ser Manual. Under the Logon Properties dialog, click the <Add> button to enter the Add a Script dialog. Click <Browse> to upload the logon.exe script file and enter the Script Parameters: the IP address (IP address of the IAM gateway device), the port number (1773) and the shared key, which must be the same as that configured on the IAM gateway device. Parameters are separated from each other by a blank space. Then click the <Apply> and <OK> buttons and close the Group Policy Object Editor, etc. (Figure: Add a Script dialog: Script Name: logon.exe; Script Parameters: the gateway IP address, the port 1773 and the shared key.) Having completed configuring the logon script, you have to click Start > Run, type gpupdate and click the <OK> button to have the group policy configurations take effect. Till then the logon script program is added successfully. When the directory user logs in, this logon script program will run. 7.2.2.1.4 Configure Logoff Script Program. Follow the same steps as in Configure Logon Script Program: please refer to the above section, enter the Group Policy Object Editor page, click User Configuration > Windows Settings > Scripts (Logon/Logoff) and then double-click the Logoff item, as shown below. (Figure: Group Policy Object Editor, Logoff Properties: Contains user logoff scripts.) Under the pop-up Log
324. shooting, Advanced, Security, DHCP, Wizard.) Click the <Add> button and the Edit Authentication Server page appears, as shown below. (Figure: IAM > Authentication Server > Edit Authentication Server page: Server Type: LDAP / Radius / POP3; Server Name; Basic Settings: IP address, Authentication port, Shared Key, Timeout (seconds), Protocol; OK.) Server Type: Select the needed server to open the corresponding settings. 7.3.1 LDAP. The LDAP server supports Microsoft Active Directory, SUN LDAP and OpenLDAP servers. You can select the needed one according to your case. The configuration page of LDAP is as shown below. (Figure: Edit Authentication Server page for LDAP: Server Type, Server Name, Basic Settings, Advanced Settings, Authentication port; Note: The following settings are required only when domain users are imported manually, otherwise they can be ignored; if OpenLDAP does not support anonymous search, the server user DN and password are required; Type, User group attribute, User group filt
325. so clews that it is monitor-free. (Figure: Sinfor IAM DKEY Authentication Client: Status: Un-Login; Gateway IP: 100.100.100.250; DKEY Password; Save Password; Login / Logout.) If the Authentication Method is None, either the IP address or the MAC address of the user must be bound. MAC addresses are scanned by the local device, which applies the NETBIOS protocol. If it fails to scan the MAC address, please check whether the NETBIOS protocol of the local device is available, whether there is a firewall blocking it, whether the firewall of the local device is enabled, and whether the local device is configured with multiple IP addresses. 7.4.5.6 Access Control Policy. The SANGFOR IAM gateway device can configure an access control policy for an individual user. Under the Edit User default configuration page, click Access Control Policy and the corresponding options appear, as shown below. (Figure: Edit User page: Basic Settings: Login Name, Description and Display Name (each cannot contain the special characters), Current Group, Source: Created by administrator; Advanced Settings: User Attribute, Access Control Policy: Inherit Parent Group Policy, and the policy list starting with _Template Basic Internet: Allow DNS, HTTP, HTTPS, F
326. ss after user connects to VPN: This function is only available for the mobile VPN users. Check this option and the mobile VPN users can only visit the VPN device (headquarters) but cannot access the Internet. Enable multi-user login: Check this option and this user account can be used by multiple users for logon. Deny password change online: Check this option and the mobile VPN user cannot modify the login password after it connects to the VPN; uncheck this option and the user can modify the login password online. LAN Privilege: Configures the privileges of this user after it connects to the VPN, such as the privileges of accessing some services. By default there is no privilege limitation. Before configuring LAN Privilege, add the needed services in the VPN Settings > Advanced > LAN Service page. 13.3.4 Connection Management. To enable interconnection among multiple nodes and form a web-like network, the IAM gateway device offers the connection management function and configuration options to manage these nodes. These configurations are available in the Connection Management page. The Connection Management function is only necessary when the local device needs to connect to other VPN devices as a Branch VPN. In other cases, where the local device is not a branch VPN of its peer, this function need not be enabled. The Connection Management def
327. (Figure: Edit User page: Login Name, Description and Display Name (each cannot contain the special characters), Current Group, Source: Created by administrator; Advanced Settings: Access Control Policy, Group; Authentication Method: Password / DKey / None / Only allow SSO; Generate DKey; Enable monitor-free DKey; Expiry Date: Never / Expired on; Enable This User: Enable / Disable.) Enable monitor-free DKey: Check this item and this user's behavior on the Internet will not be recorded or monitored. DKey initial password: Enter the initial password of the DKEY. Confirm password: Enter the above initial password once again to check its correctness. <Download DKey Driver>: Click it to download the DKEY driver. Only when the driver is downloaded and installed will the DKEY be identified and generated. <Start to Write DKey>: Click this button to generate the DKEY. None: Indicates that the user need not enter the WEB username and password to get authenticated. If this option is selected, at least one of the binding methods (Bind IP or Bind MAC) should be configured. Only allow SSO: Indicates that the WAN users have to get authenticated through the IAM gateway device by means of SSO. Allow multip
328. sub-OU of the configured OU, its upper hierarchy OU and its users not being imported. OU Import Depth: Configures the depth (maximum hierarchies) of OU being imported; the maximum value is 15. In this example only the ou1 and its sub-OU are imported; the OU below its sub-OU will not be imported, however the user(s) below the OU will be imported and synchronized to the corresponding user group. Having completed configuring this synchronization policy, you have to click the <OK> button to save all the settings. Having saved the settings, you will return to the default configuration page. The newly created synchronization policy is listed as shown below. (Figure: IAM > LDAP Sync page: Synchronization Mode: Sync by LDAP organization structure / Sync by LDAP security group; LDAP Synchronization Policy list with Policy Name, Description, Included Group/User, Operation (Sync Now), Last Sync Time, Filter Condition and status (here: Synchronizing failed); Operation Result: Add sync policy LDAP successfully.) Click <Sync Now> to have the users and user groups synchronized immediately according to the configured synchronization policy. Click the <Refresh> button to refresh and view the synchronization status; the Last Sync Status is displayed in the list, as shown bel
329. t Flow / Flow speed. (Figure: Flow Speed Optimization Over Last 24 Hours: y-axis from 0.0 bps to 146.5 Kbps in 24.4 Kbps steps, x-axis hours 12 through 12; series: LAN Flow Speed, WAN Flow Speed.) 6.1.3 Cache Hit. Cache Hit makes statistics of the percentage and the number of times the cached data are matched (hit) by the requested data. The information is displayed in a Bar graph and a Pie graph. Hits may be counted by object or by byte. Byte hit indicates the cache hit percentage or traffic volume by flow. The Pie graph on Byte hit is as shown below. (Figure: Optimization Status page: System Status: Disk Usage 0 GB / 4.75 GB, Sessions 0, Memory Usage 0.06 MB / 100.01 MB; Cached Objects: Memory objects 12, Disk Objects 2; Statistics Time: Last 24 hours / Last 7 days / Last 30 days; Statistics Graph: Bar graph / Pie graph, Byte hit; Note: Instant Request means it is not hit by cache; Save Preferences; Cache Hit Over Last 24 Hours: Memory Hit 2.51 KB, Disk Hit 2.3 MB, No Cache 1.21 MB, Instant Request 3.72 MB.) The Pie graph on Object hit is as shown below. (Figure: Optimization Status page: Disk Usage 0 GB / 4.75 GB, Sessions 0, Memory Usage 0.06 MB / 100.01 MB; Cached Objects: Memory object
330. t>WAN (Figure: Firewall Rules list, continued: Pass_UDP (Allow, LAN<->DMZ, All_UDP_Service, ALL, ALL, Disable, Edit / Up / Down); Allow_To_Ping (Allow, LAN<->DMZ, Ping, ALL, ALL, Disable, Edit / Up / Down); menu: VPN<->WAN, VPN<->LAN, LAN<->LAN, NAT Rules, Anti-DoS, ARP Protection.) 5.1 Firewall Rule. Firewall Rule configures the specific settings of data packet access. The IAM gateway device allows you to configure the filtering rules for data transmission between LAN<->DMZ, DMZ<->WAN, WAN<->LAN, LAN<->LAN, DMZ<->DMZ, VPN<->WAN and VPN<->LAN. 5.1.1 LAN<->DMZ. LAN<->DMZ configures the rule for data transmission between the LAN interface and the DMZ interface. The service can be all the services of a certain protocol or a user-defined service. For example, to have the communication between the LAN interface and the DMZ interface available, you have to enable all the TCP, UDP and ICMP services and have them available for both directions, LAN->DMZ and DMZ->LAN. By default all the TCP, UDP and ICMP services are accessible for LAN->DMZ; however, if the rule is not enabled, the Status displayed in the Firewall Rule List is Disable, as shown below. (Figure: Firewall > Firewall Rules > LAN<->DMZ: Pass_TCP (Allow, LAN->DMZ, All_TCP_Service, Disab
331. t, URL Group, White List Group, Keyword Group, File Type Group, Ingress Rule, SSL Certificate; Firewall; WAN Optimization.) Service Name: Type in a unique name for this new service; the characters had better be easy to remember, to distinguish it from others. Click TCP, UDP, ICMP or Others to define the protocol to be applied, check Add Port and type in a single port or a port range, as shown below. (Figure: Object > Edit Service page: Service Settings: Add port: Single port / Port range; Port number; <Add>; Clear; the Object menu shows Application Ident Rule, Intelligent Ident Rule, IP Group, Schedule, URL Group, White List Group, Keyword Group, File Type Group, Ingress Rule, SSL Certificate.) If it is Other protocol, Protocol number 0 indicates all the protocols. 4.4 IP Group. An IP Group consists of some IP addresses, which may be a LAN IP range, a WAN IP range or all the IP addresses. An IP Group is generally used in association with the rule configured in Firewall > Firewall Rules. It configures the source IP address or destination IP addresses, or defines the LAN users in association with the IAM > Organization Structure page > Edit User > User Attribute > Binding > Bind IP > Get from IP group, or defines t
332. t and Reminder. The policies configured herein can be referenced by multiple users or user groups, so as to implement Internet access control and monitoring. The default Access Control Policy configuration page is as shown below. (Figure: IAM > Access Control Policy list: _Template Basic Internet: Allow DNS, HTTP, HTTPS, FTP, Mail, MSN, enable relative audit; _Template Block All P2P: Block All P2P download tools; _Template Monitor IM chat content: Monitor IM chat content (QQ, MSN, ICQ, Skype, Yahoo Messenger, UC, POPO, GTalk, Fetion, Ali); _Template Anti-fishing webpage: Prevent deceiving from illegal SSL protocol certificate, enable URL filter relative domain name; _Template Open all Internet access privilege and record all actions: Open all Internet access privilege and audit all actions; each entry is Never expire, Enable, with View Associated User and Rename operations.)
333. t button to save the settings, or click the <Cancel> button to give up configuring this page. This section configures the global settings of the WAN optimization module. As to the configuration of disabling the WAN optimization function for a single user, please refer to Section 7.1.2.1 Access Control. Chapter 7 IAM. IAM covers the configuration of Access Control Policy, Authentication Option, Authentication Server, Organization Structure, User Import, LDAP Sync and Online Users. The default page is as shown below. (Figure: IAM > Access Control Policy page: Import Policy: Browse, select and import policy file; Download Policy Template; Access Control Policy List: _Template Basic Internet (Allow DNS, HTTP, HTTPS, FTP, Mail, MSN, enable relative audit), _Template Block All P2P (Block All P2P download tools), _Template Monitor IM chat content (Monitor IM chat content: QQ, MSN, ICQ, Skype, Yahoo Messenger, UC, POPO, GTalk, Fetion, Ali), each Never expire, Enable, with View Associated User and Rename; Prevent deceiving from illegal SSL protocol c
334. t; if you find any application that cannot be blocked, please contact us. (Figure: Application Control list with Select All, Inverse, Allow, Deny, Move Up, Move Down, Add, Delete; columns Application, Action, with schedule All day; Default Action: Allow / Deny; If several policies are associated, adopt the default action of the next policy and continue matching downwards; OK / Cancel.) Policy: Select a policy to edit. Expiry Date: Select Never expire, or select Expired on and configure the date; the expired policy will become invalid. Status: Configures the status of this policy itself, enabled or disabled. Select Enable to enable this access control policy. The object of an Access Control Policy consists of nine modules: Access Control, Web Filter, Email Filter, SSL Management, Application Audit, Flow/Time Statistics, Ingress, System Risk Ident and Reminder. The following are detailed introductions to each module. 7.1.2.1 Access Control. To facilitate the network administrator's control of the Internet activity of the LAN users, the SANGFOR IAM gateway device provides the control service based on inspecting the content of the data packets of a specific application, as well as the control function for Internet services according to the destination IP address, protocol, port and schedule. Access Control includes the configuration of Application Control, Service Control and
335. t List, Tunnel Route; IPSec Connection: Device List, Outbound Policy, Inbound Policy.) Before establishing an IPSec connection with a third party, first configure the policy to be used by the peer device. The policy includes the rules of Protocol (AH or ESP), Authentication Algorithm (MD5 or SHA-1) and Encryption Algorithm (DES, 3DES or AES). Click the <New> button and the Security Option appears, as shown below. (Figure: Security Option dialog: Description; Protocol: ESP; Authentication Algorithm: Null / MD5 / SHA-1; Encryption Algorithm: DES / 3DES / AES / SANGFOR_DES.) The SANGFOR IAM gateway device will negotiate and establish the IPSec connection with the peer device according to the configured policy. The Encryption Algorithm functions during the second phase of the IPSec connection. If there are multiple devices interconnected and each applies a different policy, you then have to add the policy of each device to the security option list, i.e. create the corresponding policy for each device. 13.3.10.3 Outbound Policy. Outbound Policy configures the rule used for data packet transmission from the local device to the peer device. Click the <New> button and the Policy Settings appear, as shown below. (Figure: VPN Settings > IPSec Connection > Outbound Policy page.) Po
336. t <New> button to enter the Edit Multiline page and add a new line; the configuration dialog is as shown below. (Figure: Edit Multiline dialog: Line Name; Line Alias; Preset Bandwidth: Uplink (Kbps), Downlink (Kbps); Note: If the line type is Ethernet, please enter at least one testing DNS to make sure of the normal running of VPN; if the line type is ADSL or Dial-Up, the testing DNS can be ignored; Testing DNS 1; Testing DNS 2; Connection Mode: Directly connect to Internet / Use Static Internet IP; Static IP; OK / Cancel.) Select a line and name it, configure the Preset Bandwidth and Connection Mode according to the actual information of the line, and then click the <OK> button to complete configuring this line. Static IP: If the interface IP address is a static IP address, type it in this text box; if it is a dynamic IP address, leave this text box blank. If it is an Ethernet line, you have to configure the testing DNS, which must be a DNS server reachable on the Internet. If it is an ADSL or Dial-up line, the Testing DNS can be left blank. As to the Preset Bandwidth, the uplink and downlink bandwidth must be consistent with the actual bandwidth. Under the default configuration page, click the <Advanced> button to open the Multiline Advanced Settings configuration dialog, as shown below. (Figure: Multiline Advanced Settings dialog.)
337. ta packets are transmitted. Target Line: Configures the line that acts as the egress to forward the data packets to the external networks. The data packets will be forwarded to the external network through this line when the conditions configured above are satisfied. As to the configuration of the uplink/downlink bandwidth of a line, you can choose either Kbps or Mbps as the unit. The virtual line rule must be consistent with the link selection policy configured on the front-end device; generally you can import the policy routing table of the front-end device. A bridge can have several virtual lines, and multiple bridges may belong to the same virtual line. Note: A maximum of 4 virtual lines are supported by one IAM gateway device. Virtual Line configuration is only available for Bridge mode. Chapter 9 Delayed Email Audit. Delayed Email Audit configures the options for auditing some specific emails, including Email Audit Policy, Audited Email and Unaudited Email. 9.1 Email Audit Policy: Email Audit Policy defines the email audit policy to handle the applicable emails. Configurations are Audit Timeout Settings and Sending Attempts. Click Delayed Email Audit > Email Audit Policy and the Edit Audit Policy configuration page appears as shown below. [Screenshot: Email Audit Policy page.]
338. tatus [Screenshot: Administrators list showing the administrator "admin" (System administrator, Enabled) with Edit and Delete actions.] ‹Select All› / ‹Inverse›: Click the corresponding button to select the needed administrator(s). ‹Delete› / ‹Enable› / ‹Disable›: Click the corresponding button to delete, enable or disable the selected administrator. ‹Add›: Click this button to enter the Edit Administrator page, as shown below. [Screenshot: Edit Administrator page with Administrator Name, Description, Password, Confirm Password, Administrator Type (System administrator / Common administrator) and Login IP List fields; only the first 32 IP addresses or ranges are valid.] Administrator Name: Type in a unique name for this administrator to distinguish it from others. Description: Type in a brief description for this administrator. Password: Configures the login password for this administrator. Administrator Type: Defines the role of the administrator, System administrator or Common administrator. A System administrator has all the privileges and can manage all the functions and user groups; a Common administrator's management privileges are defined in much more detail, as introduced later in this section. Login IP List: Configures the IP address(es) from which the administrator(s) can log in to the console.
339. te Ranking [Screenshot: Data Center home page with report shortcuts such as Default Daily Statistical Report of Outgoing File Alarm_20100908, Search WebBBS Post, Search WebMail, Search IM Chat Content, Outgoing File Alarm Based User Ranking, Summary Comparison, Default Daily Summary Report_20100908, Default Weekly Summary Report_20100904, Risk Behavior_20100908 and a "More reports" link.] Under the above page you can make statistics and search for the behavior records of the LAN users, or generate a PDF format report according to your needs. Note: As the storage capacity of the IAM gateway device is limited, and data retrieval and search among massive data records in the Data Center will consume large resources, it is recommended NOT to have the internal Data Center store a large amount of data. If your network produces massive logs, you can install an independent external Data Center server to store logs and search for specific data. Chapter 11 Logs/Troubleshooting. Logs/Troubleshooting covers System Logs, Policy Troubleshooting and Packet Capture. The configuration page is as shown below. [Screenshot: System Logs page listing Access Log / System Information entries generated by aclog.cpp.]
340. te of logging in to the console is issued. Download Console Root Certificate: Click the link to download the SSL certificate of the console. Once the PC has installed this certificate, the alarm prompt about the SSL certificate when you are logging in to the console will disappear. 3.10 Backup/Restore [Screenshot: Backup/Restore page with Backup Configuration ("Click to backup configuration"), "Restore from configuration automatically backed up at 2010-8-20 00:00:01", "Restore from configuration file" (Browse, Select configuration file) and Restore Factory Settings.] Backup Configuration: Click the link ‹Click to backup configuration› to download the configurations to the local computer and back them up. Restore from configuration automatically backed up at (some time): Select the time when the configuration file was backed up. The backup configurations will replace the present ones. Generally the configuration file is backed up for 7 days. Restore from the configuration file: Click the ‹Browse› button, select and upload a backed-up configuration file, and then click the ‹Restore› button to have the backed-up configuration replace the p
341. th the following suffixes (one suffix per row): Check this option and it will not record the URLs that contain any of the suffixes configured below. The suffix may be matched incompletely; wildcards are not supported. If both the "Not record URLs with the following prefixes (one prefix per row)" and the "Not record URLs with the following suffixes (one suffix per row)" options are checked, these two URL filter rules are in an OR relationship; that is to say, if either of them is satisfied, the URL will not be audited/recorded. A prefix matches a URL from its first character; it may be matched incompletely and does not support wildcards. For instance, if one of the configured prefixes is "www.s", URLs such as www.sina.com.cn and www.sohu.com will not be audited/recorded. A suffix matches a URL from its end; it may be matched incompletely and does not support wildcards. 12.4 Excluded IP/Domain [Screenshot: Excluded IP/Domain page.] Excluded IP: You can enter LAN or WAN IP addresses, IP ranges or subnets. If the IP addresses of LAN users or the destination IP addresses are specified in the following list, they will not be monitored or controlled (but are still restricted by firewall rules and IM monitoring). Excluded Domain: Specify a domain and all the hosts involved are included automatically. That is to say, these
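The prefix/suffix exclusion semantics above (anchored at start or end, partial match allowed, no wildcards, the two rules ORed) as an added Python illustration that is not part of the manual or Sangfor's code; the function names, the scheme-less URL form and the sample lists are assumptions. It also shows the audit gap a query string opens for a suffix rule.

```python
"""URL audit-exclusion matching as the IAM manual describes it: a URL is
not recorded when it starts with any configured prefix OR ends with any
configured suffix, compared literally (no wildcard support).
Added illustration, not Sangfor's code; function names, the URL form
(host and path, no scheme) and the sample lists are assumptions."""

from typing import Iterable, List, Tuple


def is_excluded(url: str, prefixes: Iterable[str], suffixes: Iterable[str]) -> bool:
    """Return True when the URL should NOT be audited/recorded.

    Prefix rule: literal match anchored at the first character; it may be
    partial, so "www.s" covers www.sina.com.cn and www.sohu.com.
    Suffix rule: literal match anchored at the last character.
    The two rules are ORed.  A "*" inside a rule is an ordinary character,
    so "*.jpg" does not behave like a wildcard.
    Empty rules are ignored: "" would otherwise match every URL.
    """
    if any(p and url.startswith(p) for p in prefixes):
        return True
    if any(s and url.endswith(s) for s in suffixes):
        return True
    return False


def filter_audit_log(urls: Iterable[str], prefixes: Iterable[str],
                     suffixes: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split requested URLs into (recorded, excluded) per the two rules."""
    prefixes, suffixes = list(prefixes), list(suffixes)
    recorded, excluded = [], []
    for u in urls:
        (excluded if is_excluded(u, prefixes, suffixes) else recorded).append(u)
    return recorded, excluded


# Constructed configuration mirroring the manual's "www.s" prefix example.
PREFIXES = ["www.s"]
SUFFIXES = [".jpg", ".css"]

# Constructed sample of requested URLs (not real traffic).
SAMPLE_URLS = [
    "www.sina.com.cn/news",           # prefix "www.s"               -> excluded
    "www.sohu.com/",                  # prefix "www.s"               -> excluded
    "www.example.com/logo.jpg",       # suffix ".jpg"                -> excluded
    "www.example.com/logo.jpg?v=2",   # query string defeats suffix  -> recorded
    "www.example.com/index.html",     # no rule matches              -> recorded
    "mail.sina.com.cn/",              # prefix is anchored at start  -> recorded
]

if __name__ == "__main__":
    rec, exc = filter_audit_log(SAMPLE_URLS, PREFIXES, SUFFIXES)
    print("recorded:", rec)
    print("excluded:", exc)
```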
342. tication [Screenshot: Authentication settings page with "Page Display After Authentication" options (Go to the recently requested webpage, Go to the Logout page, Go to customized page URL, Go to user ranking page), Authentication Conflict Settings, an option to enable when the device requires crossing the layer-3 switch and binding MAC addresses, and Other Authentication Options.] Go to the recently requested webpage: If the user is authenticated successfully, the web page will be redirected to the page that was requested by the user before successful authentication. Go to the Logout page: If the user is authenticated successfully, the web page will be redirected to the logout page. Go to customized page URL: If the LAN user is authenticated successfully, the web page will be redirected to the user-defined page. Go to user ranking page: If the LAN user is authenticated successfully, the web page will be redirected to a ranking statistics page of the internal Data Center. 7.2.4 Authentication Conflict Settings: Authentication Conflict Settings defines the handling method of the IAM gateway device if it finds several users logging in with the same account while this account does not allow multiple users to log in with it. Options are "Logout the previous login and authenticate the account on the current IP address" and "Prompt the login on another IP address but do not log it out".
343. timization. In a real enterprise network, bandwidth resources are limited and bandwidth is also wasted. It is possible that thousands of LAN users visit a well-known website and the same data has to be transmitted thousands of times or more, which consumes and wastes massive bandwidth resources. The SANGFOR IAM gateway device helps to solve this problem: the data requested by the LAN user who visits this website for the first time is cached by the IAM gateway device; if a second LAN user wants to visit the same website, the requested data (basically the same as the data requested by the first LAN user) is fetched directly from the cache, and the user need not request the data over the Internet. WAN Optimization covers Optimization Status and Proxy Options. The cache function can accelerate HTTP applications and improve the speed of visiting websites. The default page is as shown below. [Screenshot: Optimization Status page showing Disk Usage (0 GB / 4.75 GB), Memory Usage (0.04 MB / 100.01 MB), Sessions, Cached Objects (memory objects 11, disk objects 2), Optimization Cache Hit and Statistics Time.]
344. tion [Screenshot: Edit Application Ident Rule page with Application Type, Enable Rule (Enable/Disable), Data Packet Type (Common protocol: TCP/UDP/ICMP/Others with protocol number), Direction (LAN→WAN, WAN→LAN), Destination Port (All / Specified port or port range), IP Address (All / Specified IP or IP range), Match Target Domain (one domain per row), packet length range, Match self relation / Match multiple relation, Packet Content Matching and Relations Among Rules (And/Or).] Configure in the Packet Content Matching section the feature value according to the analysis of the data packets. Internal Rule Library Released At: Indicates the latest time at which the current version of the internal rule library was released. Application Ident Rule supports Import and Export of the rules. To export existing user-defined rule(s), just check the rule(s), click the ‹Export› button, name the file and then confirm to export; internal rules cannot be exported. Import Rule: To import a rule, click the ‹Browse› button and upload the rule (the extension of the rule file is .ccf), then click the ‹Import› button. Search Rule: Type in a keyword of a rule name and click the ‹Search› button, and you can find the rules whose names contain this keyword. Priority Rules: Click the ‹Adjust Priority› button to switch the priority between
345. tion [Screenshot: Gateway Antivirus page with Auto Update Time, Update Virus Library (Browse / Upload; when the library file is very large, please set Operation Timeout to a higher value in System > Web UI), HTTP Antivirus (Enable/Disable), FTP Antivirus (Enable/Disable), POP3 Antivirus (Enable/Disable; scans incoming emails for viruses, packs infected emails and sends them to the user; please first enable Email Filter on the Access Control Policy page), SMTP Antivirus (Enable/Disable; scans outgoing emails for viruses, and emails containing viruses will not be sent), Antivirus-Free Website List (only applicable for HTTP antivirus; one domain name per row, e.g. www.google.com; the websites specified will not be scanned for viruses when they are visited) and Antivirus File Type (the file types specified will be scanned for viruses; applicable for HTTP/FTP antivirus; one file type per row, e.g. exe).] Update Service Expired On: Displays the expiry date of the antivirus update service of the IAM gateway device. Within the expiry date, the IAM gateway device will automatically connect to the website http://www.sangfor.com to update the virus library. Virus Library Released On: Displays the issue date of
346. to Section 6.2.1 System Settings. Add a static route in the Static Routing page: the LAN IP addresses 192.168.2.0/24 directing to gateway 10.251.251.253. 3.15 Generate Certificate: Generate Certificate generates the hardware certificate, which is the only label that distinguishes this device. This certificate can function as its ID when it registers on the SC (Secure Center Management). The Generate Certificate page is as shown below. [Screenshot: Generate Certificate page. Note on the page: The hardware certificate is a unique identifier of this device. To prevent other computers from using the same account as this device after it joins SC Management, you can generate the hardware certificate here and import it to the account.] 3.16 High Availability: High Availability configures the mode of the redundant system (high availability). Setting options are High Availability, Device Name, Active/Standby Status, Update Mode and Current Status. The configuration page is as shown below. [Screenshot: High Availability page with Maintenance IP, Device Name and related fields.]
347. to modifying the system time directly, you can configure a Time Server to synchronize the time, and select a local Time Zone. The configuration page is as shown below. [Screenshot: Date/Time page with Time Synchronization (Enable/Disable), Time Server (pool.ntp.org), Time Zone (GMT+8:00 Beijing, Hong Kong, Taipei, Singapore), System Date (2010-08-20), System Time, and the buttons Use System Time and Use Local Time. Note on the page: The device will restart after you save the changes to time and date.] ‹Use System Time›: Click this button to update the time of the IAM gateway device. ‹Use Local Time›: Click this button to update the system date/time of the IAM gateway device with the date/time of the local PC from which you have logged in to the console of the IAM gateway device. Having completed configuring this page, you have to click the ‹OK› button to save all the settings. 3.8 Administrators: Administrators configures the console login user(s) who can manage the IAM gateway device through the console. [Screenshot: Administrators page.]
348. to your case. Change MSS: Configures the maximum size of the fragmentation under UDP transmission. MTU, Min Compression Value and Change MSS are configured with the default values; if you need to change the values, please follow the instructions given by the SANGFOR technicians. Directly connect / Indirectly connect: Select the connecting method between the IAM gateway device and the Internet, Directly connect or Indirectly connect. If the Internet IP address can be obtained directly, or Internet users can access the VPN port of the IAM gateway device with the DNAT (destination translation) function, select Directly connect; if the Internet IP address cannot be obtained, select Indirectly connect. Performance and Broadcast: Configures the maximum number of VPN threads (connections) and whether to allow broadcast packet transmission among the VPN channels. [Screenshot: Performance and Broadcast dialog with VPN Performance (Threads), Broadcast Packet (Enable Broadcast Packet), Start Port and End Port.] Threads: Configures the maximum number of VPN connections. It is 20 by default. One IAM gateway device allows a maximum of 1280 VPN connections. If you need to modify this parameter, please DO follow the instructions given by the SANGFOR technicians. Broadcast Packet: Configures whether to allow broadcast packet transmission among the VPN channels or not.
349. ts group and the online user list. Member Management: Indicates this admin can manage and edit the selected group and sub-group users. Once it is checked, it defaults to the View privilege and the privilege to block online user(s). Policy Management: Indicates this admin can manage the selected group and sub-group users. Once it is checked, it defaults to the View privilege. Delayed Email Audit: Indicates the admin can audit the delayed emails of the selected group(s). It is applicable to different user groups. Data Center Audit: Indicates the admin can log in to the internal Data Center to view the logs of the selected group(s). The options of Data Center Privileges can be configured individually, which are System Management, Customized Report and Intelligent Report. As to the System and Object function modules, you can check Edit Privilege and View Privilege. Note: Policy Management only allows the administrator to edit the association relationship between the group/user and the policy. The policy itself cannot be modified unless the admin is the administrator who created this policy or a system administrator. If an administrator has neither the privilege to view nor the privilege to edit a certain function module, this module will not be displayed on the left tree of the console; in other words, it is unavailable. 3.9 Web UI: Web UI configures the Default Encoding, HTTPS Login Port, Webp
350. tuation remains after restart, please contact our Customer Service to confirm whether the device is damaged. The CONSOLE interface is only for debugging by technicians; end users connect to the device via the network interfaces. 1.4 Configuration and Management: Before configuring the device, please prepare a computer and make sure the web browser (for example, Internet Explorer) of the computer can be used normally. Then connect the computer to the IAM gateway device in the same local area network and configure the IAM gateway from the computer over the established network. 1.5 Wiring Method of Standalone: Connect the power cable to the Power interface on the rear panel of the IAM gateway device and switch on the power supply. The POWER indicator (green) and ALARM indicator (red) on the front panel will light. The ALARM indicator will go out one or two minutes later, indicating the device runs normally. Follow the instructions below to wire the interfaces. Use a standard RJ-45 Ethernet cable to connect the LAN interface to the local area network, and then configure the IAM gateway device. Use a standard RJ-45 Ethernet cable to connect the WAN1 interface with the networking device, such as a router, optical fiber transceiver, ADSL modem, etc. Use a standard RJ-45 Ethernet cable to connect the DMZ interface to the DMZ zone network. Generally the Web server and Mail server providin
351. ual [Screenshot: Edit Access Control Policy page, Outgoing File Alarm tab, with Single policy / Multiple policies, Description, Expiry Date (Never expire / Expired on), Status (Enable/Disable), Enable Outgoing File Alarm, a file type list (Classification, File Type, Ident Method, Alarm Option, Email Alarm) with Select All / Inverse / Alarm All / Alarm Encrypted / Enable / Disable / Add / Edit / Delete buttons, "Enable alarm on multi-layer nested compression (more than 2 layers)", "Enable alarm-free extension (enter file types, comma separated)" and "Set administrator email address for this policy (effective only when Disclosure Alarm is enabled on the Advanced > Alarm page)". Text on the page: After identifying the features of the outgoing files, the system will send an alarm email reporting the potential information disclosure. To audit the outgoing files transferred by FTP, HTTP and email, please enable the relevant options under Application Content Audit in the Audit Option tab. Note: If the FTP upload audit is not enabled, the file types uploaded by FTP will not be audited; if the Web upload audit is not enabled, the file types uploaded by webpage will not be audited; if the outgoing email audit is not enabled, the file types sent by email will not be audited. Add the file types to be alarmed and audited.] Enable Outgoing File Alarm: Check this option to activate the outgoing file alarm function. ‹Select All› / ‹Inverse›: Click it
352. ubnet 10.251.251.0 / 255.255.255.0. Configure Translate Source IP to "WAN interface address" or "Specified IP addresses". Specified requires Start IP and End IP; they are only required when the IP address and line are specified for Internet access. Generally we select WAN interface address, which means the source address can access all the public IP addresses through the WAN interface(s). If Advanced Settings is checked, more settings are seen. Detailed introductions are as follows. Destination Address: Options are All and Specified. All means all the destination IP addresses, while Specified indicates that the destination addresses are the specified ones. Destination Address and Source Address can be configured at the same time. If both of them are configured, the source translation (SNAT) rule is applied only when both conditions are satisfied; if only one of the conditions is configured, then only the corresponding condition needs to be satisfied. Protocol: Options are All and Specified. All indicates all the protocols on which the SNAT rule is applied; Specified is selected and entered when the protocol and line applied are specified. Having completed configuring this page, you have to click the ‹OK› button to save the settings. Note: The firewall rule LAN→WAN has to be configured to allow the data transmission. 5.2.2 DNAT: If a LAN loc
353. ule will be fulfilled; if only one of the conditions is configured, then only the corresponding condition needs to be satisfied. Having completed configuring this page, you have to click the ‹OK› button to save the settings. If the Source port of the TCP protocol is configured as 0, it indicates all the ports. Settings allowing any Internet IP address to access the LAN IP 10.251.251.61 at port 80 are configured in the Firewall > Firewall Rules > WAN↔LAN page. For details please refer to Section 5.1.3 WAN↔LAN. The configuration page is as shown below. [Screenshot: Edit Firewall Rule page (LAN↔LAN) with Rule Name, Description, Sequence Number, Direction, Action (Allow/Deny), Service (HTTP, Add Service), Source IP Group (Add IP Group), Destination IP Group (Add IP Group), Schedule (All day, Add Schedule), Enable Rule (Enable/Disable) and Enable Log; the left tree lists the firewall rule directions LAN↔DMZ, DMZ↔WAN, WAN↔LAN, VPN↔WAN, VPN→LAN, DMZ↔DMZ, NAT Rules (SNAT, DNAT) and Anti-DoS / ARP Protection.] 5.3 Anti-DoS
354. up [Screenshot: Edit User page with Source (Created by administrator), Advanced Settings, Access Control Policy, Binding (Bind IP, Bind MAC, Bind both IP and MAC, No binding; format instruction example 00:95:00:03:06:48 192.168.1.2), Binding list with Scan MAC address / Clear List, MAC scanning Start IP (192.168.1.1) and End IP (192.168.1.255), Group, Password (DKey / None / Only allow SSO / Custom password, Confirm password), Authentication Method (LDAP authentication, RADIUS authentication, POP3 authentication), Public Account (Allow multiple users to sign onto the same account: multi-user login), Expiry Date (Never / Expired on) and Enable This User (Enable/Disable).] To add a MAC address, you can directly enter the MAC address(es) in the Binding text box or click ‹Scan MAC address›. ‹Scan MAC address›: Click it and enter the IP range to be scanned; the device will scan and get the MAC addresses of these IP addresses. ‹Clear List›: Click it to clear all the MAC addresses in the list. Note: The local device scans the MAC addresses of the configured IP addresses using the NETBIOS protocol. The scanned IP addresses can be in different network segments, on condition that the NETBIOS protocol of the segment is enabled and there is no firewall blocking it. 7.4.5
355. us software [Screenshot: Edit Access Control Policy page with Expiry Date (Never expire / Expired on), Status (Enable / Disable) and the Access Control > Proxy Control section, with the options "Disallow users to use transparent proxy of the device", "Disallow users to use external HTTP proxy", "Disallow users to use external Socks4 and Socks5 proxies", "Disallow other protocols at standard HTTP and SSL protocol ports" and "Enable proxy detection to detect if LAN users access the Internet through other users". Note on the page: LAN users are prohibited from using an external proxy server to access the Internet. It is not allowed to transfer non-HTTP data on port 80 or non-HTTPS data on port 443.] Check "Disallow users to use transparent proxy of the device", "Disallow users to use external HTTP proxy", "Disallow users to use external Socks4 and Socks5 proxies" or "Disallow other protocols at standard HTTP and SSL protocol ports". Disallow other protocols at standard HTTP and SSL protocol ports: Select this item to prevent some applications from using the HTTP port (TCP 80) and SSL port (TCP 443) to transmit their data, and thus stop them from evading the control of the IAM gateway device. Some known or unknown software tools often utilize the well-known port(s) to transmit their data so as to bypass the front-end firewall; however, the contents of the data are in their own protocol format. Select "Disallow other protocols at standa
356. used by non-browser network software and non-standard protocol flows at common ports (21, 25, 80, 110, 443). Outgoing Email Identification (effective only when "Audit outgoing emails" is enabled under Email Audit in the Application Audit tab): "Each IP address cannot send more than ___ emails of the same size every ___ minutes"; "Each IP address cannot send more than ___ emails every ___ minutes"; "If one of the above behaviors is detected, then block the user from sending emails for ___ minutes"; "Set administrator email address for this policy". Enable/Disable: Select it to enable or disable the risky behavior identification function. Identification Sensitivity: Configures the sensitivity level of the rule detecting risky behaviors. Options are High, Medium and Low. Alarm Level: Configures the alarm priority of the identified risky behaviors; options are High, Medium, Low and Disable. Intercept Level: Configures the interception measure level taken when a risky behavior is identified; options are High, Medium, Low and Disable. Outgoing Email Identification: Configures the options to identify and block outgoing email anomalies. Identification can be based on the number of same-sized emails sent by a single IP address in a certain time period, the frequency of the emails sent by a single IP address in a certain time period, etc. Set administrator email address for this policy: Configure the e
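Same-size and rate detection of the kind the Outgoing Email Identification options describe, followed by a temporary sending block, as an added Python illustration that is not the vendor's implementation; the class and function names, the thresholds and the log format are constructed.

```python
"""Outgoing-email anomaly identification as the IAM risky-behaviour policy
describes it: per source IP, flag (a) more than N same-sized emails within
a W-minute window or (b) more than N emails of any size within the window,
then block the sender for B minutes.  Added illustration, not Sangfor's
code; thresholds, names and the log format are constructed."""

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class EmailPolicy:
    same_size_limit: int      # max same-sized emails per IP per window
    rate_limit: int           # max emails of any size per IP per window
    window_min: float         # sliding window length in minutes
    block_min: float          # how long to block a sender after a hit


@dataclass
class EmailAnomalyDetector:
    policy: EmailPolicy
    # per-IP history of (timestamp_min, size_bytes) inside the window
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)

    def _prune(self, ip, now):
        """Drop history entries older than the sliding window."""
        q = self._history[ip]
        while q and now - q[0][0] > self.policy.window_min:
            q.popleft()

    def observe(self, ip: str, ts_min: float, size: int) -> str:
        """Process one outgoing email; return "ok", "blocked", or the
        anomaly newly detected ("same-size" or "rate")."""
        p = self.policy
        if self._blocked_until.get(ip, -1.0) > ts_min:
            return "blocked"          # sender is inside its block period
        self._prune(ip, ts_min)
        q = self._history[ip]
        q.append((ts_min, size))
        same = sum(1 for _, s in q if s == size)
        verdict = None
        if same > p.same_size_limit:
            verdict = "same-size"
        elif len(q) > p.rate_limit:
            verdict = "rate"
        if verdict:
            self._blocked_until[ip] = ts_min + p.block_min
            q.clear()                 # start fresh once the block expires
            return verdict
        return "ok"


def parse_line(line: str):
    """Constructed log format: '<minute> <src_ip> <size_bytes>'."""
    ts, ip, size = line.split()
    return ip, float(ts), int(size)


def run(lines, policy):
    """Return one verdict per log line, in order."""
    det = EmailAnomalyDetector(policy)
    return [det.observe(*parse_line(line)) for line in lines]


# Constructed sample log: 10.0.0.5 mass-mails identical 4096-byte messages;
# 10.0.0.9 sends a few normal emails of differing sizes.
SAMPLE_LOG = [
    "0.0 10.0.0.9 1200",
    "0.5 10.0.0.5 4096",
    "1.0 10.0.0.5 4096",
    "1.5 10.0.0.5 4096",
    "2.0 10.0.0.9 3300",
    "2.0 10.0.0.5 4096",   # 4th identical size within 5 min -> same-size
    "2.5 10.0.0.5 4096",   # inside the 5-minute block       -> blocked
    "9.0 10.0.0.5 4096",   # block expired, history cleared  -> ok
    "9.5 10.0.0.9 700",
]

# Constructed thresholds standing in for the policy's blank fields.
SAMPLE_POLICY = EmailPolicy(same_size_limit=3, rate_limit=20,
                            window_min=5, block_min=5)

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG, SAMPLE_POLICY)):
        print(f"{line:22s} -> {verdict}")
```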
357. ut 1 hours [Screenshot: Email Audit Policy page with Audit Timeout Settings (Timeout: 1 hour; when the timeout value is reached, the email still not audited will be Sent / Deleted) and Sending Attempts (Maximum Sending Attempts: 4; when the maximum number of sending attempts is reached, the email still not sent out will be deleted and logged).] Timeout: Configures the timeout for audit. It is 1 hour by default. "When timeout value is reached, the email still not audited will be": Configures the handling method for the unaudited email if the audit timeout is reached, Sent or Deleted from the disk. Maximum Sending Attempts: Configures the maximum number of attempts to send the email. If the number of tries reaches the maximum attempts, the to-be-sent email will be deleted. 9.2 Audited Email [Screenshot: Audited Email page listing emails with From, To, Size and Email Status columns.]
358. vanced Settings tab. If a website exists in both of the two lists, it will be excluded first. Format: One domain, IP address or IP range per row; second-level domains are supported. For example, 192.168.0.1-192.168.0.20 or google.com. [Screenshot: exclusion list dialog with Domain name / IP address / IP range entry and Clear List. Note on the dialog: To disable the WAN Optimization function for some groups, please configure it on the Access Control Policy > Access Control > Proxy Control page.] 6.2.1 System Settings: System Settings globally enables or disables the WAN optimization function, and displays the Cache Usage information. You can also clear the cache on this page. [Screenshot: Proxy Options page with WAN Optimization (Enable/Disable; "The system is currently Enabled"), Cache Usage (memory and disk, with Clear Cache), Enable Proxy Port (the proxy options must be configured before the browser and application software can connect to the Internet; the HTTP proxy is supported; if this function is not enabled, only the transparent proxy is supported; for deployment in single-arm mode this option is typically checked; enter 5 ports at most, separated by commas), Parameter Settings and Restore Default.] WAN Optimization: Globally enables the WAN optimization function. Select Enable or Disable and then click the ‹OK› button to enable or disab
359. vice will mistakenly take the virus library as a virus, which prevents the LAN computer from updating its antivirus software. If an HTTP page contains a virus, the IAM gateway device will block this page. As to a virus file downloaded through HTTP or FTP, the IAM gateway device will affect the integrity of the file so that it cannot be opened. If a received email contains a virus, the IAM gateway device will pack the file, label it as a virus email and then send it to the receiver. 13.2 IPS. 13.2.1 IPS Options: IPS (Intrusion Prevention System) can discover the potential risks that may be brought to the local area network (LAN) by detecting the data packets and analyzing their true purpose, and therefore decide whether to allow the data packets into the local area network. This section mainly introduces the parameters and the configuration of the intrusion prevention system (IPS). Enable IPS: Select Enable and click the ‹OK› button to enable the IPS function. [Screenshot: IPS Options page with Enable IPS, Defense Level, Defense Time After Intrusion Is Detected, and Log Type of Intrusion Event.]
360. walls. Application identification rules can detect traffic on the basis of protocol, port, direction, data packet length and data packet content, etc., which helps to identify P2P traffic quite well. Application identification rules fall into internal rules and user-defined rules. The internal rules cannot be modified, while user-defined rules can be added, deleted and edited. To obtain the flow information of specific applications, you can choose the corresponding application type or application, in association with the Service Control configuration in the IAM > Access Control Policy page > Access Control and the Bandwidth Settings configuration in Bandwidth Management, to create a policy. The SANGFOR IAM gateway device adopts some patented technology to efficiently block the above-mentioned chat and IM software tools. Because the data packets of each kind of software carry a unique feature value when the software communicates with the external networks, the IAM gateway device detects the feature contained in the data packets and determines whether the data packets should be blocked. If the data packets contain the features we configured, then they will not be sent or received; in this way, the software will be unavailable to the LAN users. [Screenshot: Application Ident Rule page with Application Ident Rule Update, Update Service Expired On 2011-07-15 and Internal Rule Library Released At.]
361. ware, bind IP and MAC addresses across three layers, and monitor encrypted IM messages, and can be referenced by IAM > Access Control Policy > Edit Access Control Policy page > Ingress Rule. If the access control policy references ingress rule(s), users have to satisfy the corresponding rules to access the Internet, and have to install the ActiveX control when accessing the Internet for the first time. The IAM gateway device is built in with some ingress rules; you can also define ingress rule(s) yourself.
    (Screenshot of the Object > Ingress Rule page: Internal Rule List released on 2010-05-26; Update Internal Rule with Browse and Upload to select and upload an internal rule file; Import Rule with Browse to select and import an ingress rule file; and the Ingress Rule List with Display Internal Rule checked, listing built-in process rules that disable proxy software such as SyGate, Proxy Fox and SecretAgent.)
362. we need to configure a policy routing rule. The specific steps and settings are as shown below.
    (Screenshot of the System > Edit Policy Routing page: Policy Name CHINA TELECOM; Source IP as Single IP, IP range or Subnet, with End IP 221.199.32.20; protocol type TCP; Source Port and Destination Port as All or Specified, where the routing policy is applied only when the port belongs to the configured Start port to End port range; Target Line: Line 2.)
    If the selected Target Line is unavailable, the IAM gateway device will send the data packets over an available target line. If you need the routing table of each ISP, please contact the Customer Service of SANGFOR. Having obtained the routing table, click the <Browse> button to upload the policy routing and then click the <Import> button to import it.
    3.14.2 Static Routing
    The SANGFOR IAM gateway device allows you to configure Static Routing. The configuration page is as shown below.
363. websites specified in the following list are accessed, they will be cached regardless of the visit frequency.
    (Screenshot of the cache website list editor. Format: one domain, IP address or IP range per row; second-level domains are supported, for example 192.168.0.1-192.168.0.20 or google.com; entry type Domain name, IP address or IP range; buttons Clean List, Restore Default and Cancel.)
    Default Valid Period (minutes): Check this item and configure the update interval of the cache. Since most websites do not define the expiry time of a webpage, the IAM gateway device will not cache these webpages if you leave this item unchecked (it is unchecked by default). If this item is checked, the program will automatically define an expiry date for these webpages.
    Check for Updates Upon Every Request: Check this item and every request will be inspected regardless of whether the corresponding cache is the latest. Note that the cache hit rate will drop if it is checked.
    Cache Website List: Configures the website(s) that have higher priority to be cached. When the websites specified in the list are visited, the related data will be cached regardless of visit frequency. Enter the domain name, IP address or IP range into the list.
    <Restore Default>: Click this button to restore the factory settings.
    Having completed configuring the page, you have to click the <OK>
364. will allow the LAN users to send or receive emails only through email addresses with the vpn.com.cn suffix. Deny emails containing the following keywords in title or content and Deny emails containing the attachments of the following types apply to emails sent by the LAN users. Check the corresponding item and type the keyword or the extension name of the attachment in the text box, one entry (keyword or extension name) per row.
    7.1.2.3.2 Delayed Email Audit
    The to-be-sent emails will be delayed for audit. Only when they have been audited will they be sent. The configuration page is as shown below.
    (Screenshot of the Edit Access Control Policy page: Single policy or Multiple policies; Description; Expiry Date: Never expire or Expired on; Status: Enable or Disable; Enable Email Filter; Delayed Email Audit tab with Enable Delayed Email Audit, Audit Address List and Audit-free Address List.)
    Audit Address List: Emails sent to the following addresses or suffixes will be delayed for audit before they are sent out. Note: abc.com includes abc.com and abc.com.cn. If abc.com is entered here, the emails addressed to abc.com or abc.com.cn will be audited before they are sent out. An email whose SMTP authentication password contains fewer than 3 characters cannot be sent out after being audited.
    Audit-free Address List: Emails sent to the following addresses or suffixes will not be audited. Note: abc.com includes
365. shown below.
    (Screenshot of the Edit User page. Basic Settings: Login Name, Description and Display Name, each of which cannot contain certain special characters; Current Group; Source: Created by administrator. Advanced Settings: Access Control Policy; Bind IP, Bind MAC, Bind both IP and MAC or No binding, with a format instruction listing MAC address and IP address pairs, a Scan MAC address button and a Clear List button; group selection tree with a Select button; Password, DKey or custom password with Confirm password; Authentication Method: LDAP authentication, RADIUS authentication or POP3 authentication; Public Account: Allow multiple users to sign onto the same account (multi-user login); Expiry Date: Never or Expired on; Enable This User: Enable or Disable.)
    Click the <Select> button to view the organization structure and list the user groups. Click <OK> to add the needed and selected user group. Click <Cancel> to give up selecting the user group.
    7.4.5.3 Authentication Method
    Authentication Method includes four options, namely Password, DKEY, None and Only allow SSO. The configuration page is as shown below.
366. Keyword Group page, as shown below.
    (Screenshot of the Object > Edit Keyword Group page: Name Pornography; Description: Pornography keyword; Keyword text box with the hint "At most five keywords per row. Use comma to separate.")
    Name: Names the new keyword group.
    Description: Type in a brief description for this keyword group.
    Keyword: Configures the keywords, one entry (keyword) per row.
    Having completed configuring, you have to click the <OK> button to save the settings.
    4.9 File Type Group
    File Type Group defines the needed file types. A File Type Group can be referenced by IAM > Access Control Policy > Edit Access Control Policy page > Web Filter > File Type Filter to control HTTP and FTP upload and download, and can be referenced by Bandwidth Management > Bandwidth Settings page > Bandwidth Channel to control the upload and download bandwidth of the file types configured in the file type group.
    (Screenshot of the Object > File Type Group page, listing groups such as 1 Movie (Movie format file) and 2 Music (Music format file), each with an Edit link.)
367. x per row. You can define whether to record the URL in detail, record only the visits to text webpages, record the download of all HTTP file types, or record the URLs that contain certain prefixes or suffixes.
    Optimize access logs: Select this option and it records a text webpage only once if the same domain is visited again within a short period.
    Only record visited text (text/html) webpages: Select this option and it only records access to text webpages; otherwise it records access to all types of webpages.
    Only record root domain name of visited webpages: Select this option and it will not record the URL in detail but only the root of the URL. If you want it to record the full URL, DO NOT select this option.
    Record all visited webpages: Select this option and it will record every request and thus produce a large number of logs. This option is not recommended.
    Not record the following file types downloaded by HTTP: Check this option and type the file types in the text box. It will record the download of all the HTTP file types filled in. Different file types are separated from each other by a comma.
    Not record URLs with the following prefixes (one prefix per row): Check this option and it will not record the URLs that contain any of the configured prefixes. The prefix may be matched incompletely. Wildcards are not supported.
    Not record URLs wi
368. by different users will queue up and take turns for processing.
    (Screenshot of the bandwidth channel settings: Max Bandwidth Per IP with Enable, Uplink 0 KB/s and Downlink KB/s; Valid Line; Destination: ALL; Enable This Channel: Enable or Disable.)
    Service Type: Options are Application, Website and File. If Application is selected, you then need to select an Application Type and a specific Application. If Website is selected, you then need to select a Website Type from the internal library. If File is selected, you then need to select a File Type from the file type group.
    User Group: Configures the valid users and user groups. You can select All to have all users and user groups applied to this policy, or select Custom to have only some of the users or user groups applied to this policy. The configuration page is as shown below.
    (Screenshot of the Bandwidth Management > Edit Bandwidth Channel page: Channel Name (format: one channel name per row; the name cannot be repeated); Service: Application; User Group: All or Custom, with Selected Group, Selected User and a Select User/Group button; Channel Type: Guaranteed channel, Priority: High; OK and Cancel buttons.)
    Note: Selected group and selected user are of the "or" relationship. The channel will be applied to all selected groups and users. If you want to select users only, please enter the user names in the above list box, one name per row.
    unity to use the idle bandwidth of other channels. Gua
