HP OfficeConnect Firewall Series User's Manual
Contents
1. 24.1.1.1 FCC STATEMENT ... 130
24.1.1.2 INFORMATION TO THE USER ... 130
24.1.1.3 ICES STATEMENT ... 130
24.1.1.4 CE STATEMENT EUROPE ... 130
25 Glossary ... 131
26 Index ... 137
List of Figures
Figure 2.1 Front Panel and LEDs ... 3
Figure 2.2 Rear Panel Connections ... 4
Figure 3.1 Overview of Hardware Connections ... 10
Figure 3.2 Assembling the rack mount kit ... 11
Figure 3.3 (title garbled) ... 11
Figure 3.4 Login Screen ... 15
Figure 3.5 System Access Configuration Page ... 15
Figure 3.6 System Time Configuration Page ... 16
Figure 3.7 IP Setup Configuration Page ... 16
Figure 3.8 DHCP Server Configuration Page ... 16
Figure 3.9 WAN PPPoE Configuration Page ... 17
Figure 3.10 WAN Dynamic IP Configuration Page ... 17
Figure 3.11 WAN Static IP Configuration Page ... 18
Figure 4.1 Configuration Manager Login Screen ...
OfficeConnect VPN Firewall User's Manual
2. [Figure 5.4 Host Discovery Configuration Page: Host List table with columns IP Address, MAC Address and Name (discovered hosts shown as UnknownHost); Select All; Add to: IP/MAC binding, Fixed DHCP Lease]
5.4 DNS
5.4.1 About DNS
Domain Name System (DNS) servers map the user-friendly domain names that users type into their Web browsers (e.g. yahoo.com) to the equivalent numerical IP addresses that are used for Internet routing. When a PC user types a domain name into a browser, the PC must first send a request to a DNS server to obtain the equivalent IP address. The DNS server will attempt to look up the domain name in its own database and will communicate with higher-level DNS servers when the name cannot be found locally. When the address is found, it is sent back to the requesting PC and is referenced in IP packets for the remainder of the communication.
5.4.2 Assigning DNS Addresses
Multiple DNS addresses are useful to provide alternatives when one of the servers is down or is encountering heavy traffic. ISPs typically provide primary and secondary DNS addresses and may provide additional addresses. Your LAN PCs learn these DNS addresses in one of the
3. Backup Interface: Please note that the ...
Deferred Time: When the primary WAN has returned its service, the rollover from the backup WAN link back to the primary WAN will take place based on the configurable rollover deferred time.
Follow these steps to configure the WAN Failover:
1 Click on Traffic MGMT > WAN Link Mgmt to enter the WAN Link Configuration page. See Figure 13.1 WAN Link Mgmt Configuration Page.
[Figure 13.2 Enable the WAN Failover: Traffic MGMT > WAN Link Mgmt Setup page with Policy Configuration (No Policy / Load Balancing / Rollover) and a Connectivity Check panel (Enable Connectivity Check; Check Interval 5, range 1-60 sec; Check IP Address 0.0.0.0 (Optional); Gateway IP Address 192.192.6.254; Link Status Reachable)]
3 Enter a number between 1 and 60 in the Check Interval field. The default value is 5 seconds.
4 Enter the IP address of the target device into the Check IP Address
4. 14.4.1.1 Configure Rules on OfficeConnect Gigabit VPN Firewall 1 (ISR1) ... 89
14.4.1.2 Configure Rules on OfficeConnect Gigabit VPN Firewall 2 (ISR2) ... 91
14.4.1.3 Establish Tunnel and Verify ... 92
14.5 Managing VPN User Account ... 92
15 Configuring L2TP Server ... 95
15.1 Introduction ... 95
15.2 L2TP Server Configuration Parameters ... 95
15.3 Configuring L2TP Server ... 96
15.4 Viewing Active L2TP Session ... 96
16 Configuring PPTP Server ... 97
16.1 Introduction ... 97
16.2 PPTP Server Configuration Parameters ... 97
16.3 Configuring PPTP Server ... 98
16.4 Viewing Active PPTP Session ... 98
17 System Management ... 101
17.1 Configure Port Mirroring ... 101
17.2 Change the Login Password ... 101
17.3 Configuring the Management Interface ... 103
17.4 Modify System Information ... 103
17.5 Setup Date and Time ... 104
17.5.1 View the System Date and Ti
19.2 Network Classes ... 111
19.3 Subnet Masks ... 112
20 Troubleshooting ... 115
Chapter 1 Introduction
5. 24.1.1.3 ICES STATEMENT
This Class A digital apparatus complies with Canadian ICES-003.
This Class A digital apparatus complies with standard NMB-003 of Canada.
24.1.1.4 CE STATEMENT (EUROPE)
3Com Europe Limited, Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire HP2 4NW, United Kingdom
This product complies with the European Low Voltage Directive 73/23/EEC and EMC Directive 89/336/EEC as amended by European Directive 93/68/EEC.
Warning: This is a class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
A copy of the signed Declaration of Conformity can be downloaded from the Product Support web page for the OfficeConnect Gigabit VPN Firewall 3CREVF100-73 at http://www.3Com.com. Also available at http://support.3com.com/doc/3CREVF100-73_EU_DOC.pdf
OfficeConnect Gigabit VPN Firewall User's Manual
25 Glossary
Entries in this excerpt: 10BASE-T, 100BASE-T, ADSL, authenticate, binary.
10BASE-T: A designation for the type of wiring used by Ethernet networks with a data rate of 10 Mbps. Also known as Category 3 (CAT 3) wiring. See also data rate, Ethernet.
100BASE-T: A designation for the type of wiring used by Ethernet networks with a data rate of 100 Mbps. Also known as Category 5 (CAT 5) wiring. See also data rate, Ethernet.
ADSL: Asymmetric Digital Subscriber Line. The most commonly deployed flavor of DSL for home users. The term a
6. LEDs
Power LED does not illuminate after product is turned on: Verify that you are using the power adapter provided with the device and that it is securely connected to the OfficeConnect Gigabit VPN Firewall and a wall socket/power strip.
LINK WAN LED does not illuminate after Ethernet cable is attached: Verify that an Ethernet cable like the one provided is securely connected to the Ethernet port of your ADSL or cable modem and the WAN port of the OfficeConnect Gigabit VPN Firewall. Make sure that your ADSL or cable modem is powered on. Wait 30 seconds to allow the OfficeConnect Gigabit VPN Firewall to negotiate a connection with your broadband modem.
Verify that the Ethernet cable is securely connected to your LAN hub or PC and to the OfficeConnect Gigabit VPN Firewall. Make sure the PC and/or hub is turned on. Verify that your cable is sufficient for your network requirements. A 100 Mbit/sec network (100BaseTx) should use cables labeled Cat 5; 10 Mbit/sec networks may tolerate lower quality cables.
Internet Access
PC cannot access Internet: Use the ping utility, discussed in the following section, to check whether your PC can communicate with the OfficeConnect Gigabit VPN Firewall's LAN IP address (by default 192.168.1.1). If it cannot, check the Ethernet cabling. If you statically assigned a private IP address to the computer (not a registered public address), verify the following:
• Ch
7. [Figure 11.11 Service List Configuration Page: Firewall > Service page with fields Name, Protocol (TCP), ICMP Type, Start Port, End Port, Add; Custom Services List table with columns Name, Protocol, Start Port, End Port, ICMP Type; Select All]
11.6.2.1 Service List Configuration Parameters
Table 11.5 describes the available configuration parameters for the firewall service list.
Table 11.5 Service List configuration parameters
Name: Enter the name of the Service to be added. Note that only alphanumeric characters are allowed in a name.
Protocol: Enter the type of protocol the service uses.
Start Port: Enter the start port number that is set for this service.
End Port: Enter the finish port number that is set for this service.
ICMP Type: If the transport layer protocol is ICMP, enter the ICMP Type in this field.
11.6.2.2 Access Service List Configuration Page
Log into Configuration Manager as admin, click the Firewall menu and then click the Service submenu. The Service List Configuration page displays as shown in Figure 11.11. Note that when you open the Service List Configuration page, a list of existing configured services is also displayed at the bottom half of the configuration page, such as those shown in Figure 11.11.
11.6.2.3 Add a Service
To add a service, follow the instructions below:
1 Open the Service List Configuration Page (see section 11.6.2.2 Access
Chapter 14 Configuring IPSec VPN
8. This option allows you to apply this rule to all the computers in the local network.
IP Address, Subnet and Range: Select any of these options and enter details as described in the Source section above.
Service: This option allows you to select any of the pre-configured services, selectable from the drop-down list, instead of the destination port. The following are examples of services: AH, AH and ESP, AIM/AOL, AUTH, BIT TORRENT, CIFS, DHCP, DNS, EMULE, ESP, FINGER, FTP, GRE, HTTP, HTTPS, HTTP PROXY, ICMP, IGMP, IMAP4, IMAPS, IP Phone, IRC, ISAKMP, KERBEROS, L2TP, LDAP, MSN Messenger, NETHOOD, NetMeeting Setup, NetMeeting T.120, NNTP, NTP, PING, POP3, PPTP, QQ, QUAKE, RDP, RealAudio, SIP, SKYPE, SMTP, SNMP, SNMP TRAP, SOCKS, SSH, TCP, TELNET, TFTP, UDP, Yahoo Messenger, 3Com NBX Telephony. Note: a service is a combination of protocol and port number. Services appear here after you add them in the Firewall Service configuration page.
Schedule: Select a pre-configured schedule during which the rule is active. Select None to make the rule active at all times.
Action: Select Allow from the drop-down list to configure the rule as an allow rule. This rule, when bound to the firewall, will allow matching packets to pass. Select Deny from the drop-down list to configure the rule as a deny rule. This rule, when bound to the firewall, will drop matching packets.
Log: This op
9. Appendix 20 for troubleshooting suggestions.
[Figure 3.11 WAN Static IP Configuration Page (c. Static IP Connection Mode): MTU (Default / Custom, bytes); MAC Address (Use Default Address 00:1F:33:1E:C7:28 / Use this computer's MAC 00:12:0E:07:18:1C)]
3.4.3 Default Router Settings
In addition to handling the DSL connection to your ISP, the OfficeConnect Gigabit VPN Firewall can provide a variety of services to your network. The device is pre-configured with default settings for use with a typical home or small office network.
Table 3.2 lists some of the most important default settings; these and other features are described fully in the subsequent chapters. If you are familiar with network configuration settings, review the settings in Table 3.2 to verify that they meet the needs of your network. Follow the instructions to change them if necessary. If you are unfamiliar with these settings, try using the device without modification or contact your ISP for assistance. Before you modify any settings, review Chapter 4 for general information about accessing and using the Configuration Manager program. We strongly recommend that you contact your ISP prior to changing the default configuration.
Table 3.2 Default Settings Summary (columns: Option, Default Setting, Explanation, Instructions)
Option: LAN Port IP Address
10. To configure the P2P Service Prevention, please refer to the following sections.
11.6.7.1 Adding a P2P Service Prevention Rule
Follow these steps to add a new P2P Service Prevention Rule:
1 Click on the Firewall > P2P Prevention menu to enter the P2P Service Prevention configuration page.
2 Prior to configuring the P2P Service Prevention rule, please tick the Enable P2P Prevention check box.
3 Make changes to any or all of the following fields: Name, Protocol, Start Port, End Port. Please see Table 11.9 for a detailed explanation of these fields.
4 Click on the Apply button to save the change. The new entry will then be displayed in the P2P Service Prevention Rule Table at the bottom half of the Configuration Page.
11.6.7.2 Editing a P2P Service Prevention Rule
Follow these steps to edit an existing P2P Service Prevention Rule:
1 Click on the Firewall > P2P Prevention menu to enter the P2P Prevention configuration page.
2 Click on the icon of the rule to be modified in the P2P Prevention Policy list table.
3 Make changes to any or all of the following fields: Name, Protocol, Start Port, End Port. Please see Table 11.9 for a detailed explanation of these fields.
4 Click on the Apply button to save the changes.
11.6.7.3 Removing a P2P Service Prevention Rule
WARNING: It is impossible to remove the default rules listed in the P2P Service Prevention Rule Table.
To remove an existing rule for th
11. Curaçao, Dominican Republic, El Salvador, Ecuador, French Guiana, Grenada, Guadeloupe, Guatemala, Guyana (telephone numbers extracted for these rows, in order: AT&T 800 988 2112, AT&T 800 988 2112, AT&T 800 988 2112, AT&T 800 988 2112, 571 592 5000, then AT&T 800 988 2112 for each remaining entry; the country-to-number pairing is not recoverable here)
Appendix 21 SAFETY INFORMATION
Country: Telephone Number
Haiti: AT&T 800 988 2112
Honduras: AT&T 800 988 2112
Jamaica: AT&T 800 988 2112
Mexico: 1800 849 2273
Mexico (Local): 52 55 52 01 0004
Montserrat: AT&T 800 988 2112
Nicaragua: AT&T 800 988 2112
Panama: AT&T 800 988 2112
Paraguay: AT&T 800 988 2112
Peru: AT&T 800 988 2112
Puerto Rico: AT&T 800 988 2112
Rest of Latin America: 1 508 323 6234
Spanish speakers enter the URL http://lat.3com.com/lat/support/form.html. Portuguese speakers enter the URL http://lat.3com.com/br/support/form.html. English speakers in Latin America should send an e-mail to lat_support@3com.com.
Country: Telephone Number
St Kitts Nevis: AT&T 800 988 2112
St Lucia: AT&T 800 988 2112
St Vincent: AT&T 800 988 2112
Suriname: AT&T 800 988 2112
Trinidad and Tobago: AT&T 80
12. address here and make sure you check the MAC cloning check box.
• Click Apply to save the static IP settings.
• Click the Apply button to save the dynamic IP settings.
You have now completed customizing basic configuration settings. Read the following section to determine if you have access to the Internet.
[Network > IP Setup page: Interface WAN1; ISP Login (Current IP, Login Required); Interface IP Address (Static IP Address / DHCP): IP Address 208.128.128.168, Subnet Mask 255.255.255.0, Gateway IP Address 208.128.168.254; DNS Server: DNS Mode (Use These DNS Servers / Get Automatically from ISP), Primary DNS Server 208.128.128.128, Secondary DNS Server 0.0.0.0 (Optional); Network Binding]
At this point the OfficeConnect Gigabit VPN Firewall should enable any computer on your LAN to use the OfficeConnect Gigabit VPN Firewall's ADSL or cable modem connection to access the Internet.
To test the Internet connection, open your web browser and type the URL of any external website, such as http://www.3com.com. The LED labeled WAN should be blinking rapidly and may appear solid as the device connects to the site. You should also be able to browse the web site through your web browser.
If the LEDs do not illuminate as expected or the web page does not display, see
13. check box checked.
6 Click on the Enable Traffic Shaping radio button if you want to configure a QoS policy with a traffic shaping mechanism, and then provide the minimum and maximum bandwidth for the outgoing (TX) direction and the incoming (RX) direction.
7 Click on the Enable Prioritize radio button if you want to configure a QoS policy with a traffic prioritization mechanism. After that, you can select the DiffServ Code Point (DSCP) or 802.1p tag for the ingress packet.
8 To configure traffic prioritization for the egress packet, check the Enable Remark check box and then select the DiffServ Code Point and 802.1p tag.
9 Click on the Apply button to save the settings.
12.4 Traffic Classification
The OfficeConnect Gigabit VPN Firewall allows you to define a QoS policy to classify the traffic based on the following parameters:
> Source/destination IP address
> Source/destination port
> Protocol
> DiffServ Code Point (DSCP)
The OfficeConnect Gigabit VPN Firewall supports two priority marking methods for packet prioritization:
> DSCP
> 802.1p Priority
The matching of packets by rules is connection-based, known as Stateful Packet Inspection (SPI), using the same connection tracking mechanism used by the OfficeConnect Gigabit VPN Firewall. Once a packet matches a rule, all subsequent packets with the same attributes receive the same QoS parameters, both inbound and outbound. To c
14. the database as Unknown.
5.3.1 Manually add a Fixed DHCP Lease
To add a fixed DHCP lease, follow these steps:
1 Enter the name of the PC or device.
2 Enter the IP address of the PC or device. The DHCP Server will permanently reserve the IP address for the specified device.
3 Enter the MAC address of the PC or device. Please note that the MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and A-F), such as 00:0D:31:45:17:1B.
4 Click the button to add the new entry.
5.3.2 Import Discovered LAN Hosts as Fixed DHCP Entries
The following steps show you how to configure multiple DHCP entries by importing discovered LAN hosts:
1 Click the Import from Host Discovery button. The host discovery configuration page will be shown as in Figure 5.4.
2 Select an appropriate interface from the Interface drop-down list.
3 Click the Discovery button to start the LAN host discovery.
4 The Host List table displays all discovered LAN hosts.
5 Click on the check box in front of the LAN host to be selected, or click the Select All button to select all discovered entries.
6 Click on the check box of Fixed DHCP Lease and then click Apply to save the settings.
Chapter 5 Configuring LAN Settings
[Network > IP Setup > Fixed DHCP Lease page: status "Operation succeeded"; Interface VLAN1 (LAN eth0.1)]
15. ALG table, continued (columns: ALG Application Name, Protocol and Port, Predefined Service Name, Tested Software Version; rows partly garbled in extraction)
MSN Messenger Service: TCP 1863, TCP 80 (services MSG1, HTTP); tested with Version 3.6.0039
Gaming: Flight Simulator 2002 (Gaming Zone): TCP 28801, TCP 443, TCP 80, UDP 53 (services MSN ZONE, HTTPS, HTTP, DNS); tested with Flight Simulator 2002 Professional Edition
Gaming: Quake II: UDP 27910 (service QUAKE); tested with Quake II
Gaming: Age of Empires (Gaming Zone): TCP 47624, TCP 28801, TCP 443, TCP 80, UDP 53 (services MSN ZONE, HTTPS, HTTP, DNS); tested with Age of Empires Gold Edition
Gaming: Diablo II: TCP 4000, TCP 6112, UDP 6112 (services DIABLO II, BATTLE NET TCP, BATTLE NET UDP, DNS); tested with Diablo II
Other common Applications:
POP3: TCP 110 (service POP3); tested with Outlook Express 5
IMAP: TCP 143 (service IMAP4); tested with Outlook Express 5
SMTP: TCP 25 (service SMTP); tested with Outlook Express 5
HTTPS (TLS/SSL): TCP 443 (service HTTPS); tested with Internet Explorer 5
LDAP (ILS): tested with OpenLDAP 2.0.25
NNTP: tested with Outlook Express 5
Finger: tested with Redhat Linux 7.3
19 IP Addresses, Network Masks and Subnets
19.1 IP Addresses
This section pertains only to IP addresses for IPv4 (version 4 of the Internet Protocol). IPv6 addresses are not co
16. The OfficeConnect product range from 3Com has changed all this, bringing networks to the small office. The products that compose the OfficeConnect line give you, the small office user, the same power, flexibility and protection that has been available only to large corporations. Now you can network the computers in your office, connect them all to a single Internet outlet and harness the combined power of all of your computers.
This User Manual will show you how to set up the OfficeConnect Gigabit VPN Firewall and how to customize its configuration to get the most out of this product.
1.1 OfficeConnect Gigabit VPN Firewall
The OfficeConnect Gigabit VPN Firewall is designed to provide a robust, secure solution for multi-site small businesses. This completely equipped, broadband-capable Virtual Private Network (VPN) firewall prevents unauthorised external access to your network and, by creating Virtual Private Networks (VPNs), provides encrypted links to other private networks. The OfficeConnect Gigabit VPN Firewall also provides Denial of Service (DoS) protection and intrusion detection using Stateful Packet Inspection (SPI), web content filtering, logging and reporting.
1.2 System Requirements
In order to use the OfficeConnect Gigabit VPN Firewall for Internet access, you must have the following:
> ADSL or cable modem and the corresponding service up and running, with
17. [Figure 14.5 Intranet VPN Policy Configuration on ISR1: IKE proposal IKEv1, Main mode, 3DES, DH Group 2 (1024 bit); IPSec proposal ESP (ESP/AH selector), 3DES, DH Group 2 (1024 bit); L2TP (Optional); Remote Gateway IP Address 123.1.1.123; Remote Site: Subnet 192.168.2.0; Remote Id Type IP ADDRESS, Identifier (Optional); Method Pre-shared key (8-49 chars); HASH SHA-1; SA Lifetime (sec) 28800; Authentication SA Lifetime]
Step 1 Configure VPN connection rules
Refer to section 14.2 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR1 using automatic keying.
Step 2 Configure Firewall rules
1 Configure an outbound Firewall rule to allow packets from 192.168.1.0/255.255.255.0 to 192.168.2.0/255.255.255.0 without any NAT.
2 Configure an inbound Firewall rule to allow packets from 192.168.2.0/255.255.255.0 to 192.168.1.0/255.255.255.0 without any NAT.
Table 14.2 and Table 14.3 provide the parameters to be configured for the outbound and inbound Firewall rule fields. For a general description on configuring any inbound/outbound Firewall rule, please refer to sections 11.3 and 11.4.
Table 14.2 Outbound Un-translated Firewall Rule for VPN Packets on ISR1 (rows include Destination IP)
Note: The outbound Un-translated Firewall rule has to be added the e
18. Field: Description
Private: Select Private if this static route entry will not be advertised in RIP.
Interface: Specifies the interface, which is the physical network interface through which the route is accessible.
Gateway IP Address: Gateway IP address.
9.3.2 Adding Static Routes
Follow these instructions to add a static route to the routing table:
1 Click the Network > Routing submenu to enter the Static Routes Configuration page.
2 Click the Add button to enter the Add Static Route page.
3 Enter a route name for this static route in the Route Name field.
4 If you want to advertise this static route in RIP, please do not check the Private button.
5 Enter the Destination Address, Subnet Mask and Gateway IP Address in the specified fields.
6 Select an interface from the Interface drop-down list.
7 Click Apply to add a new route.
9.3.3 Deleting Static Routes
Follow these instructions to delete a static route from the routing table:
1 Click the Network > Routing submenu to enter the Static Routes Configuration page.
2 Click on the check box in front of the rule to be selected.
3 Click the delete button to delete the selected route entries.
WARNING: Do not remove the route for the default gateway unless you know what you are doing. Removing the default route will render the Internet unreachable.
Chapter 9 Configuring Routes
9.3.4 Viewing the Static Routing Table
All IP-enabled computers and route
19. Rollover Settings field.
5 Select an interface (WAN 1 or WAN 2) from the Primary Interface field. The selected interface will be the Primary Interface. [Figure 13.1 WAN Link Mgmt Configuration Page]
6 If you want to assign another WAN port as a backup interface, please tick the checkbox in the Backup Interfaces field.
7 Enter a number between 1 and 86400 in the Deferred Time field. Please note that the default value is 600 seconds.
8 Click on the Apply button to save the settings.
13.3 Configuring WAN Load Balancing
The configuration parameters for the WAN Load Balancing are shown in the following table.
Field: Description
Gateway IP Address: The gateway IP address. Please note that this field is read only.
Link Status: Displays the current WAN link status.
Load Balancing Settings: When WAN Load Balancing is selected, the OfficeConnect Gigabit VPN Firewall can distribute ... per connection basis. Weighted Round Robin: This algorithm assigns network session capacity to each WAN link in different portions called weights and handles network
Connectivity Check: This option is available under both Load Balancing and Rollover mode and is mandatory for Rollover. Connectivity check is used to monitor the link status for the WAN ports by sending PING request packets
20. at least one public Internet address assigned to your WAN
> One or more computers, each containing an Ethernet 10Base-T/100Base-T/1000Base-T network interface card (NIC)
> (Optional) An Ethernet switch, if you are connecting the device to more than four computers on an Ethernet network
> For system configuration using the supplied web-based program, a web browser such as Internet Explorer v5.5 or later
1.3 Using this Document
1.3.1 Notational conventions
> Acronyms are defined the first time they appear in text and in the glossary (Appendix 25).
> For brevity, the OfficeConnect Gigabit VPN Firewall is sometimes referred to as "the router".
> The terms LAN and network are used interchangeably to refer to a group of Ethernet-connected computers at one site.
1.3.2 Typographical conventions
> Italics are used to identify terms that are defined in the glossary (Chapter 25).
> Boldface type text is used for items you select from menus and drop-down lists and text strings you type when prompted by the program.
1.3.3 Special messages
This document uses the following icons to call your attention to specific instructions or explanations:
Note: Provides clarification or non-essential information on the current topic.
Definition: Explains terms or acronyms that may be unfamiliar to many readers. These terms are also included in the Glossary.
Warning: Provides messages of high importance, includ
21. 17.1 Configure Port Mirroring
Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from one port to a monitoring port. Port mirroring can be used as a diagnostic tool as well as a debugging feature. Port mirroring also enables switch performance monitoring. Network administrators can configure port mirroring by selecting a specific port from which to copy all packets and other ports to which the packets are copied.
Follow these steps to configure the port mirroring feature:
1 Log into the configuration manager, click the Monitoring menu and then click the Port Mirroring submenu to enter the Port Mirroring Configuration Page. See Figure 17.1.
Chapter 17 System Management
[Figure 17.1 Port Mirroring Configuration Page: Monitoring > Port Mirroring Setup; Enable Port Mirroring checkbox; per-port (Port 1 to Port 8) Mirror Port radio buttons and Egress/Ingress checkboxes]
2 Check the Enable Port Mirroring checkbox.
3 Click on the Mirror Port radio button to select the port that is used to monitor packets to and from other ports.
4 Click on the ports whose packets you want sent out of the selected port and monitored. Any p
22. 2.3 Configuring DHCP Server
By default, the OfficeConnect Gigabit VPN Firewall is configured as a DHCP server on the LAN side with a predefined IP address pool of 192.168.1.10 through 192.168.1.42 (subnet mask 255.255.255.0). To change this range of addresses, follow the procedures described in this section. First, you must configure your PCs to accept DHCP information assigned by a DHCP server.
1 Log into Configuration Manager as administrator, click the LAN menu and then click the DHCP submenu. The DHCP Configuration page displays as shown in Figure 5.3.
[Figure 5.3 DHCP Configuration Page: Network > IP Setup > DHCP; Interface LAN1 (LAN eth0.1); mode None / DHCP Server Configuration / DHCP Relay Agent Configuration; DHCP Server Configuration fields: IP Address Pool Begin 192.168.1.2, Auto Range, IP Address Pool End 192.168.1.254, Default Gateway 192.168.1.1, Domain Name, Lease Time (Hours), Use WAN DNS Server Address, Primary DNS Server Address 192.168.1.1, Secondary DNS Server Address (Optional), Primary/Secondary WINS Server Address (Optional), NBX Call Processor Options 184 (Optional), Enable SIP Servers Options 120]
2 Enter
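The fixed DHCP lease procedure (section 5.3.1) and the default pool described above combine into a check that an administrator can run over a lease list before entering it. The following is an added example, not code from the manual or from 3Com/HP. It applies the manual's own rules (a MAC is six colon-separated hex pairs, a fixed lease permanently reserves one IP for one device, the default pool is 192.168.1.10 to 192.168.1.42 with mask 255.255.255.0); the requirements that a reservation lie outside the dynamic pool and not duplicate another reservation, and the acceptance of lower-case hex digits, are assumptions of this example, as is the sample lease list.

```python
"""Validation of fixed (reserved) DHCP leases against the dynamic pool.

Added example, not code from the OfficeConnect manual. Rules taken from the manual:
MAC format 00:0D:31:45:17:1B, one reserved IP per device, default pool
192.168.1.10-192.168.1.42 on 192.168.1.0/24. Assumptions of this example: a
reservation must not fall inside the dynamic pool (the server could otherwise
hand the same address to two clients) and must not duplicate another reservation.
"""
import ipaddress
import re
from dataclasses import dataclass

# Six colon-separated hex pairs; the manual says 0-9 and A-F, lower case is accepted here too.
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$", re.IGNORECASE)


@dataclass(frozen=True)
class FixedLease:
    name: str
    ip: str
    mac: str


def valid_mac(mac: str) -> bool:
    """True if mac has the manual's format (six colon-separated hex pairs)."""
    return MAC_RE.match(mac) is not None


def validate_leases(leases, lan_cidr="192.168.1.0/24", pool=("192.168.1.10", "192.168.1.42")):
    """Return a list of (lease name, problem) tuples; an empty list means every lease is acceptable."""
    lan = ipaddress.ip_network(lan_cidr)
    pool_lo = int(ipaddress.ip_address(pool[0]))
    pool_hi = int(ipaddress.ip_address(pool[1]))
    problems = []
    seen_ip, seen_mac = {}, {}
    for lease in leases:
        if not valid_mac(lease.mac):
            problems.append((lease.name, f"bad MAC format {lease.mac!r}"))
        try:
            ip = ipaddress.ip_address(lease.ip)
        except ValueError:
            problems.append((lease.name, f"bad IP {lease.ip!r}"))
            continue
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            problems.append((lease.name, f"{ip} is not a usable host address in {lan}"))
        if pool_lo <= int(ip) <= pool_hi:
            problems.append((lease.name, f"{ip} lies inside the dynamic pool {pool[0]}-{pool[1]}"))
        if ip in seen_ip:
            problems.append((lease.name, f"{ip} already reserved for {seen_ip[ip]}"))
        seen_ip.setdefault(ip, lease.name)
        mac = lease.mac.upper()
        if mac in seen_mac:
            problems.append((lease.name, f"MAC {mac} already reserved for {seen_mac[mac]}"))
        seen_mac.setdefault(mac, lease.name)
    return problems


# Constructed sample input (not from the manual): one good lease and three defective ones.
SAMPLE_LEASES = [
    FixedLease("printer", "192.168.1.50", "00:0D:31:45:17:1B"),
    FixedLease("nas", "192.168.1.20", "00:13:49:3D:DA:75"),        # inside the dynamic pool
    FixedLease("camera", "192.168.1.51", "00-15-58-88-AD-D1"),    # dash separators, wrong format
    FixedLease("printer2", "192.168.1.50", "00:0D:31:45:17:1C"),  # duplicate IP
]

if __name__ == "__main__":
    for name, why in validate_leases(SAMPLE_LEASES):
        print(f"{name}: {why}")
```

Run it on the sample list and it reports the three defective leases (nas, camera, printer2) and nothing for printer; pass a different pool tuple to `validate_leases` after changing the DHCP range in the Configuration Manager.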
23. 2 Click on the check box in front of the rule to be deleted.
3 Click on the button to remove the selected rules.
[Figure 11.16 IP MAC Binding Configuration Page: IP/MAC Binding Policies table with columns IP Addresses, MAC Addresses, Edit, Enable/Disable; Import from Host Discovery button]
2 Enter an IP address and MAC address in the Add IP/MAC Address section.
3 Click on the Apply button to save the change. The new entry will be displayed in the IP/MAC Policy Table at the bottom half of the IP/MAC Binding configuration page.
4 Please note that instead of manually creating an IP/MAC binding rule, you can optionally create multiple IP/MAC binding rules at the same time by using the Import from Host Discovery feature.
11.6.5.2 Editing an IP/MAC binding rule
To edit an existing IP/MAC binding rule for the firewall, follow these steps:
11.6.6 Configuring Port Triggering
The port triggering feature can automatically forward incoming port traffic to the initiator when the initiator, which is behind the NAT router, connects to a predetermined outgoing port of a remote host. It is useful if there is no application layer gateway support for a special application which requires the remote host to make another connection back to the initiator.
11.6.6.1 Configuration Parameters for the Port Triggering feature
The configuration parameters for the Port Triggering feature are shown below:
Name: Specify a name for this rule.
Service User: Selec
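The port triggering mechanism in section 11.6.6 is easiest to reason about as a small state machine, so here is an added example that models it; it is not the firewall's own code and the manual does not describe its implementation. The rule fields used (a trigger protocol and port, an incoming protocol and port), the idle timeout, and the behaviour that a later trigger from another LAN host re-points the forward are assumptions of this model; the rule and port numbers in `demo()` are constructed sample values. What the model makes visible is the security property of the feature: the inbound opening is dynamic, belongs to whichever LAN host triggered last, and should expire rather than stay open.

```python
"""Model of NAT port triggering as the manual describes it (added example, not the device's code).

A LAN host (the initiator) behind the NAT router connects to a predetermined outgoing
port on a remote host; that outbound connection arms the rule, and inbound traffic to
the configured incoming port is then forwarded back to the same initiator. Timeout,
re-arming by another host and tear-down on expiry are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class TriggerRule:
    name: str
    trigger_proto: str     # protocol of the outgoing connection that arms the rule
    trigger_port: int      # remote (destination) port of that outgoing connection
    incoming_proto: str    # protocol of the inbound traffic to forward
    incoming_port: int     # inbound port forwarded to the initiator while armed
    timeout: int = 300     # seconds the forward stays armed after the last trigger (assumed)


@dataclass
class PortTriggerNAT:
    rules: list
    forwards: dict = field(default_factory=dict)   # (proto, port) -> (lan_ip, expiry time)

    def outbound(self, lan_ip, proto, remote_port, now):
        """A LAN host opened proto/remote_port outward; arm every rule whose trigger matches.
        Returns the names of the rules armed (empty if the connection triggered nothing)."""
        armed = []
        for r in self.rules:
            if r.trigger_proto == proto and r.trigger_port == remote_port:
                # The most recent initiator owns the forward; an earlier host loses it.
                self.forwards[(r.incoming_proto, r.incoming_port)] = (lan_ip, now + r.timeout)
                armed.append(r.name)
        return armed

    def inbound(self, proto, dst_port, now):
        """Return the LAN IP an unsolicited inbound packet is forwarded to, or None if it is dropped."""
        entry = self.forwards.get((proto, dst_port))
        if entry is None:
            return None
        lan_ip, expiry = entry
        if now > expiry:
            del self.forwards[(proto, dst_port)]   # trigger expired: forward is torn down
            return None
        return lan_ip


def demo():
    """One trigger lifecycle with constructed values; returns the forwarding decisions in order."""
    nat = PortTriggerNAT([TriggerRule("voice-app", "tcp", 5060, "udp", 7000, timeout=60)])
    decisions = []
    decisions.append(nat.inbound("udp", 7000, now=0))        # nothing armed yet -> dropped
    nat.outbound("192.168.1.30", "tcp", 5060, now=10)        # host .30 arms the rule
    decisions.append(nat.inbound("udp", 7000, now=20))       # forwarded to .30
    nat.outbound("192.168.1.40", "tcp", 5060, now=25)        # a second host re-arms it
    decisions.append(nat.inbound("udp", 7000, now=30))       # now forwarded to .40
    decisions.append(nat.inbound("udp", 7000, now=100))      # past 25 + 60 seconds: dropped
    return decisions


if __name__ == "__main__":
    print(demo())   # [None, '192.168.1.30', '192.168.1.40', None]
```

The third decision is the point to notice when reviewing triggering rules: any LAN host that can reach the trigger port can take over the inbound forward, so a triggering rule grants an inbound path to the whole LAN, not to one server the way a static inbound ACL with NAT does.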
24. Figure 11.13 Schedule Configuration Page ... 69
Figure 14.8 Configuring VPN User Account ... 93
Figure 14.9 Editing an existing VPN User ... 93
Figure 14.10 VPN User Group Configuration Page ... 94
Figure 14.11 Configuring a User Group ... 94
Figure 15.1 L2TP Server Configuration Page ... 96
Figure 15.2 Viewing Active L2TP Sessions ... 96
Figure 16.1 PPTP Server Configuration Page ... 97
Figure 16.2 Viewing Active PPTP Sessions ... 98
Figure 17.1 Port Mirroring Configuration Page ... 101
Figure 17.2 System Access Account Configuration Page ... 102
Figure 17.3 Management Interface Configuration Page ... 103
Figure 17.4 System Information Configuration Page ... 103
Figure 17.5 Date and Time Configuration Page ... 104
Figure 17.6 Default Setting Configuration Page ... 105
Figure 17.7 Windows File Browser ... 105
Figure 17.8 Firmware Upgrade Page ... 106
Figure 17.9 Confirmatio
A to F, such as 00:0D:31:45:17:1B. Click on the Add button to save the change.

If you want to limit which WAN users can access the management interfaces, click on IP address range or Only this IP address to specify the one or more WAN addresses that are allowed to reach the management interfaces. Leaving WAN management open to every address exposes the login page to the whole Internet, so restrict it to the addresses you actually manage from.

17.4 Modify System Information
As illustrated in Figure 17.4, you can use the System Information Setup page to enter system-specific information such as the system name (a unique name for this device), the system location (where this device is located) and contact information for the person responsible for this device. Note that all fields allow only alphanumeric characters. When you are done entering the information, click on the Apply button to save the changes.

Figure 17.4 System Information Configuration Page (Administration > System Name Setup: System Name, System Location, System Contact; Apply and Cancel buttons)

17.5 Setup Date and Time
The OfficeConnect Gigabit VPN Firewall keeps a record of the current date and time, which it uses to calculate and report various performance data. Changing the OfficeConnect Gigabit VPN Firew
Figure 11.5 Inbound ACL Configuration Example (Action: Allow; NAT: IP Address 192.168.1.20; Port: Auto; Log)

11.3.3 Add Inbound ACL Rules
To add an inbound ACL rule, follow the instructions below:
1. Click the Add button in the inbound access control list table to add a new inbound ACL rule.
2. Make changes to any or all of the following fields: source IP, destination IP, Service and Schedule. See Table 11.1 for an explanation of these fields.
3. Set the desired action, Allow or Deny, from the Action drop-down list.
4. If you want to use NAT in this rule, select IP Address and specify the IP address for the reverse NAPT. See section 11.2.4 for a detailed explanation.
5. If you want to assign the port number manually, select Assign from the drop-down list and specify the port number in the Port field. Otherwise select Auto to assign the destination port automatically.
6. Click on the Add button to create the new ACL rule. The new ACL rule will then be displayed in the inbound access control list table in the bottom half of the ACL Configuration page.
7. Figure 11.5 Inbound ACL Configuration Example illustrates how to create a rule to allow inbound HTTP (i.e. web server) service. This rule allows inbound HTTP traffic to be directed to the host with IP address 192.168.1.20. An inbound Allow rule with the source left as Any publishes that service to every Internet host; narrow the source field where the clients are known, and enable Log so that the accepted connections are recorded.

11.3.4 Modify Inbound ACL Rules
To modify an
Setting: DHCP (Dynamic Host Configuration Protocol)
Default: DHCP server enabled with the following pool of addresses: 192.168.1.2 through 192.168.1.254
Explanation: The OfficeConnect Gigabit VPN Firewall maintains a pool of private IP addresses for dynamic assignment to your LAN computers. To use this service you must have set up your computers to accept IP information dynamically, as described in Part 2 of the Quick Start Guide. See section 5.2 for an explanation of the DHCP service.

Setting: LAN IP address
Default: Static IP address 192.168.1.1, subnet mask 255.255.255.0
Explanation: This is the IP address of the LAN port on the OfficeConnect Gigabit VPN Firewall. The LAN port connects the device to your Ethernet network. Typically you will not need to change this address. See section 5.1 LAN IP Address for instructions.

4 Getting Started with the Configuration Manager
The OfficeConnect Gigabit VPN Firewall includes a preinstalled program called the Configuration Manager, which provides an interface to the software installed on the device. It enables you to configure the device settings to meet the needs of your network. You access it through your web browser from any PC connected to the OfficeConnect Gigabit VPN Firewall via the LAN or WAN ports. Because the Configuration Manager is reachable from the WAN side as well, restrict which WAN addresses may use the management interfaces and set a strong administrator password (see Chapter 17, System Management) before the device is connected to the Internet. This chapter describes the general guidelines for using the Configuration Manager.

4.1 Log into Configuration Manage
RJ-45 (continued): Ethernet cabling usually uses this type of connector.
routing: Forwarding data between your network and the Internet on the most efficient route, based on the data's destination IP address and current network conditions. A device that performs routing is called a router.
rule: See filtering rule, NAT rule.
SDNS: Secondary Domain Name System server. A DNS server that can be used if the primary DNS server is not available. See DNS.
SNMP: Simple Network Management Protocol. The TCP/IP protocol used for network management.
subnet: A subnet is a portion of a network. The subnet is distinguished from the larger network by a subnet mask, which selects some of the computers of the network and excludes all others. The subnet's computers remain physically connected to the rest of the parent network, but they are treated as though they were on a separate network. See also network mask.
subnet mask: A mask that defines a subnet. See also network mask.
TCP: See TCP/IP.
TCP/IP: Transmission Control Protocol/Internet Protocol. The basic protocols used on the Internet. TCP is responsible for dividing data up into packets for delivery and reassembling them at the destination, while IP is responsible for delivering the packets from source to destination. When TCP and IP are bundled with higher-level applications such as HTTP, FTP, Telnet, etc., TCP/IP refers to this whole suite.
No configuration is required for stateful packet inspection. Note that the firewall service is enabled by default.

11.1.2 DoS (Denial of Service) Protection
Both DoS protection and stateful packet inspection provide the first line of defense for your network. No configuration is required for either protection as long as the firewall is enabled on the OfficeConnect Gigabit VPN Firewall. By default the firewall is enabled at the factory.

11.1.3 Firewall and Access Control List (ACL)
11.1.3.1 Priority Order of ACL Rules
Every ACL rule has a rule ID; the smaller the rule ID, the higher the priority. The firewall extracts the header information from each packet and then either drops or forwards the packet by looking for a match in the ACL rule table based on that header information. Rule checking starts from the rule with the smallest rule ID and continues until a match is found or all ACL rules have been examined. If no match is found the packet is dropped; otherwise the packet is dropped or forwarded according to the action defined in the matching rule. Because the first match wins, a specific Deny rule must have a smaller rule ID than any broad Allow rule that would otherwise match the same traffic.

11.1.3.2 Tracking Connection State
The stateful inspection engine in the firewall keeps track of the state, or progress, of a network connection. By storing information about each connection in a state table, the OfficeConnect Gigabit VPN Firewall is able to quickly determine whether a packet passing throu
3.3 Part 3: Configuring Your Computers
Part 3 of the Quick Start Guide provides instructions for configuring the Internet settings on your computers to work with the OfficeConnect Gigabit VPN Firewall.

3.3.1 Before you begin
By default the OfficeConnect Gigabit VPN Firewall automatically assigns all required Internet settings to your PCs. You need only configure the PCs to accept the information when it is assigned. In some cases you may want to configure the network settings manually on some or all of your computers rather than allow the OfficeConnect Gigabit VPN Firewall to do so. See "Assigning static IP addresses to your PCs" on page 14 for instructions.
If you have connected your PC to the OfficeConnect Gigabit VPN Firewall via Ethernet, follow the instructions that correspond to the operating system installed on your PC.

3.3.2 Windows XP PCs
1. In the Windows task bar, click the Start button and then click Control Panel.
2. Double-click the Network Connections icon.
3. In the LAN or High-Speed Internet window, right-click on the icon corresponding to your network interface card (NIC) and select Properties. Often this icon is labeled Local Area Connection. The Local Area Connection dialog box displays a list of currently installed network items.
4. Ensure that the check box to the left of the item labeled Internet Protocol (TCP/IP) is checked, and click Properties
oray.cn: Please visit http://www.oray.cn for more details.
DtDNS.com: Please visit http://www.dtdns.com for more details.
3322.org: Please visit http://www.3322.com for more details.
Registered Domain Name: Enter the registered domain name in the specified field.
Account: Enter the username provided by your DDNS service provider in the specified field.
Password: Enter the password provided by your DDNS service provider in the specified field.
Choose WAN interface: Specifies the interface to be used for the DDNS update.

10.2 Access DDNS Configuration Page
Log into Configuration Manager as admin and then click the DDNS menu. The DDNS Configuration page displays as shown in Figure 10.2. Note that when you open the DDNS Configuration page, the list of existing DDNS configurations is displayed in the bottom half of the page, as shown in Figure 10.2.

10.3 Configuring HTTP DDNS Client

Figure 10.2 HTTP DDNS Client Configuration Page (Network > DDNS Setup: Choose WAN interface WAN1; DDNS service DynDNS.org; Registered Domain Name myhost.dyndns.org, example name.dyndns.org; Account username; Password; Failure retry time 60 seconds; Use wildcards)
Figure 9.1 Routing Configuration Page (Network > Routing > Static Route. The Route Display table lists Interface, Destination, Netmask, Gateway, Metric and Flag for each route, for example a static route on eth0.1 VLAN1 LAN via gateway 192.168.1.110 with metric 10 and flag S, and the directly connected network 192.168.1.0 netmask 255.255.255.0 with flag C. Flags: C Directly Connected, S Static, R RIP, I ICMP Redirected. The Routing Policies section below the table holds the static route entries with a Select All control.)

9.2 Dynamic Routing using RIP
Routing Information Protocol (RIP) enables routing information exchange between routers, so routes are updated automatically without human intervention. It is recommended that you enable RIP in the System Services Configuration Page, as shown in Figure 9.2. Enable it only on segments where you trust every router that can reach the interface: RIP version 1 carries no authentication, so any host on that link can send the firewall a routing update, and Silent Mode (listen without advertising) does not change what the firewall accepts.

Figure 9.2 RIP Configuration Page (Network > Routing > RIP: Enable RIP; RIP Version RIP 1; Poisoned Reverse; Silent Mode)

9.2.1 Enabling/Disabling RIP
Follow these instructions to enable or disable RIP:
1. Click the Network > Routing submenu and click the RIP tab. Click the Yes or No radio button in the Enable RIP field depending on whether you
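The following simulation, added here as an illustration and not code from the OfficeConnect firmware or this manual, shows what the Poisoned Reverse and Silent Mode options in Figure 9.2 change in the RIP updates a router sends, and how an update received from a neighbour is merged into the routing table. The route table, the interface labels "lan" and "wan" and the neighbour updates are constructed assumptions.

```python
"""RIP update generation with poisoned reverse and silent mode, as a simulation.

Added example, not code from the OfficeConnect firmware or this manual. The
route table below is constructed; interface names "lan" and "wan" are labels.
"""
RIP_INFINITY = 16   # metric meaning "unreachable" in RIP

# (destination, interface the route was learned on or is connected to, metric)
SAMPLE_ROUTES = [
    ("192.168.1.0/24", "lan", 0),   # directly connected LAN (flag C in the routing table)
    ("192.168.2.0/24", "lan", 1),   # learned from a router on the LAN (flag R)
    ("10.0.0.0/8", "wan", 2),       # learned from a router on the WAN (flag R)
]


def build_update(routes, out_iface, poisoned_reverse=True, silent=False):
    """Return the (destination, metric) entries to send out of out_iface.

    Silent mode: listen to RIP but never send, so nothing is advertised.
    Poisoned reverse: routes learned via out_iface are advertised back with
    metric 16 (unreachable) instead of being omitted (plain split horizon), so
    the neighbour that gave us the route never takes it back from us.
    Directly connected networks (metric 0) are advertised on every interface.
    """
    if silent:
        return []
    update = []
    for dest, via, metric in routes:
        if via == out_iface and metric > 0:
            if poisoned_reverse:
                update.append((dest, RIP_INFINITY))
            continue                       # split horizon: do not echo the route back
        update.append((dest, min(metric + 1, RIP_INFINITY)))
    return update


def apply_update(routes, in_iface, neighbour_entries):
    """Merge a received update (one Bellman-Ford step). Returns the new route list.

    A route is replaced when the neighbour offers a shorter path, or when the
    neighbour we learned it from changes its metric or reports it unreachable.
    Nothing here authenticates the sender: that is exactly why RIP version 1
    belongs only on segments whose routers are all trusted.
    """
    table = {dest: (via, metric) for dest, via, metric in routes}
    for dest, metric in neighbour_entries:
        new_metric = min(metric + 1, RIP_INFINITY)
        current = table.get(dest)
        if current is None:
            if new_metric < RIP_INFINITY:
                table[dest] = (in_iface, new_metric)
        elif current[0] == in_iface or new_metric < current[1]:
            if new_metric >= RIP_INFINITY:
                if current[0] == in_iface:
                    del table[dest]        # our next hop says the network is gone
            else:
                table[dest] = (in_iface, new_metric)
    return [(dest, via, metric) for dest, (via, metric) in table.items()]


if __name__ == "__main__":
    print(build_update(SAMPLE_ROUTES, "lan"))                          # 192.168.2.0/24 poisoned
    print(build_update(SAMPLE_ROUTES, "wan", silent=True))             # []
    print(apply_update(SAMPLE_ROUTES, "wan", [("10.0.0.0/8", 16)]))    # 10.0.0.0/8 withdrawn
```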
Service List Configuration Page.
2. Enter a desired name, preferably a meaningful name that signifies the nature of the service, in the Name field. Note that only alphanumeric characters are allowed in a name.
3. Make changes to any or all of the following fields: public port and protocol. See Table 11.5 for an explanation of these fields.
4. Click on the Add button to create the new service. The new service will then be displayed in the service list table in the bottom half of the Service Configuration page.

11.6.2.4 Modify a Service
To modify a service, follow the instructions below:
1. Open the Service List Configuration Page (see section 11.6.2.2 Access Service List Configuration Page).
2. Select the service from the service drop-down list, or click on the edit icon of the service to be modified in the service list table.
3. Make the desired changes to any or all of the following fields: name, public port and protocol. See Table 11.5 for an explanation of these fields.
4. Click on the Apply button to modify this service. The new settings for this service will then be displayed in the service list table in the bottom half of the Service Configuration page.

11.6.2.5 Delete a Service
To delete a service, follow the instructions below:
1. Open the Service List Configuration Page (see section 11.6.2.2 Access Service List Configuration Page).
2. Click on the check box in front of
Table 18.1 lists all the supported ALGs (Application Layer Gateways).

Table 18.1 Supported ALGs

ALG Application | Protocol and Port | Predefined Service Name | Tested Software Version
NetMeeting | TCP 1720 | H323 | NetMeeting Version 3.01 (Windows)
ILS | TCP 389 | ILS | NetMeeting Version 3.01
SIP | UDP 5060 | SIP | SIP User Agent 2.0
pcAnywhere | UDP 22 | PC_ANYWHERE | pcAnywhere 9.0.0
FTP | TCP 21 | FTP | WFTPD
RTSP 554 | TCP 554 | RTSP554 | RealPlayer 8 Plus, QuickTime Version 6
RTSP 7070 | TCP 7070 | RTSP7070 | RealPlayer 8 Plus
DNS | UDP 53 | DNS | Red Hat Linux 7.3
Net2Phone | UDP 6801 | N2P | Net2Phone
CUSeeMe | TCP 7648 | CUSEEME | CUSeeMe
AOL Chat | TCP 5190 | | AOL
ICQ Chat | TCP 5191 | ICQ_2000 | ICQ 2000b
MSN Messenger | TCP 80 | HTTP | MSN Messenger
IRC | TCP 6667 | | mIRC v6.02
HTTP | TCP 80 | HTTP |
HTTPS | TCP 443 | HTTPS |

Security ALGs
L2TP | UDP 1701 | L2TP | Windows 2000
PPTP | TCP 1723 | PPTP | Windows 2000 Server (built-in)
IPSec | UDP 500 (IKE), ESP | IKE | Windows 2000

Note: several entries in the original table also list UDP 53 (DNS) and TCP 80 (HTTP) as supporting services used by the application, and NetMeeting is noted as needing ILS (TCP 389).

Chapter 18 ALG Configuration
WARNING: ... so that safe operation of the equipment is not compromised.

WARNING: Mechanical Loading. Mounting of the equipment in the rack should be such that a hazardous condition is not created due to uneven mechanical loading.

WARNING: Circuit Overloading. Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

WARNING: Reliable Earthing. Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).

Follow these instructions to install the OfficeConnect Gigabit VPN Firewall in your 19-inch rack:
1. Place the unit the right way up on a hard, flat surface with the front facing towards you.
2. Locate a mounting bracket over the mounting holes on one side of the unit, as shown in Figure 3.2 below.
3. Insert the two screws and fully tighten them with a suitable screwdriver.
4. Repeat the two previous steps for the other side of the unit.
5. Insert the unit into the 19-inch rack and secure it with suitable screws (not provided).
6. Reconnect all cables.

Figure 3.3 Rack Mounting

3.3
Figure 17.11 SNMP Community Configuration Page (Administration > SNMP > Communities: Enable SNMP; Insert New Community; SNMP Management: Management Station 192.168.1.10 or Open Access; Community String: Standard "public" or User Defined; Access Mode Read Only; Add button; SNMP List table with Select All)

2. To enable the SNMP feature, check the Enable SNMP checkbox and then click on the Apply button to save the change.
3. Check the Insert New Community checkbox to add a new SNMP community. To edit an existing SNMP community, click on the edit icon of the entry to be modified in the SNMP List table.
4. To configure the SNMP management station, click on the Management Station radio button and then enter the IP address of the permitted management station. Otherwise click on Open Access to permit SNMP access from all management stations.
5. To configure the SNMP community, select one of the predefined communities from the Standard drop-down list, or specify a user-defined community string in the User Defined field. The predefined string "public" is the first one anybody will try, and SNMP v1/v2c sends the community string in clear text, so use a user-defined string and restrict the management station wherever you can.
6. To define the access mode, select Read Only if you want to restrict management access to read only. Otherwise select Read Write to permit full access to the specified SNMP community. Read Write lets the holder of the community string change the device configuration, so grant it only when a management station actually needs it.
7. Click on the Add button to create the new community, or click on the Apply butto
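The following simulation, added here as an illustration and not code from the OfficeConnect firmware or this manual, applies an SNMP List like the one built in the steps above to incoming SNMP v1/v2c requests: it decodes the version, community string and PDU type from the BER-encoded message, then checks the community string, the permitted management station and the Read Only / Read Write access mode in that order. The community entries, the station addresses and the request packets are constructed; the packets carry an empty variable-binding list because only the message header matters for the check.

```python
"""SNMP v1/v2c community check for a received request, as a simulation.

Added example, not code from the OfficeConnect firmware or this manual. The
community entries, station addresses and the request packets are constructed;
the packets carry an empty variable-binding list because only the message
header is being checked.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA3: "set", 0xA5: "getbulk"}


@dataclass(frozen=True)
class Community:
    string: str
    access_mode: str           # "Read Only" or "Read Write"
    station: Optional[str]     # permitted management station, None = Open Access


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV (definite length)."""
    length = len(payload)
    if length < 0x80:
        return bytes([tag, length]) + payload
    length_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def _tlv(buf: bytes, pos: int):
    """Decode one TLV at pos. Returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def build_request(community: str, pdu_tag: int, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 message: version 0, community, PDU with no varbinds."""
    pdu = ber(0x02, bytes([request_id])) + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x30, b"")
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community.encode()) + ber(pdu_tag, pdu))


def parse_snmp_header(packet: bytes):
    """Return (version, community, operation) from an SNMPv1/v2c message."""
    tag, message, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _tlv(message, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, community, pos = _tlv(message, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    return int.from_bytes(version, "big"), community.decode("latin-1"), PDU_NAMES.get(message[pos], "unknown")


def snmp_authorize(communities, src_ip: str, packet: bytes) -> bool:
    """Apply the SNMP List: community string, management station, access mode."""
    version, community, operation = parse_snmp_header(packet)
    if version not in (0, 1) or operation == "unknown":   # 0 = SNMPv1, 1 = SNMPv2c
        return False
    for entry in communities:
        if not hmac.compare_digest(entry.string.encode(), community.encode()):
            continue
        if entry.station is not None and entry.station != src_ip:
            continue                      # right string, wrong management station
        if operation == "set" and entry.access_mode != "Read Write":
            return False                  # a Read Only community may not write
        return True
    return False


# Constructed SNMP List: the default "public" string limited to one station and
# read-only access, plus a user-defined read-write string with Open Access.
SAMPLE_COMMUNITIES = [
    Community("public", "Read Only", "192.168.1.10"),
    Community("netops-rw", "Read Write", None),
]

if __name__ == "__main__":
    print(snmp_authorize(SAMPLE_COMMUNITIES, "192.168.1.10", build_request("public", 0xA0)))   # True
    print(snmp_authorize(SAMPLE_COMMUNITIES, "192.168.1.10", build_request("public", 0xA3)))   # False
```

The station check compares the source address the packet claims, and SNMP runs over UDP, so a station restriction is only as strong as the anti-spoofing on the path; it narrows exposure but is not a substitute for keeping the community string private.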
button.
5. In the Internet Protocol (TCP/IP) Properties dialog box, click the radio button labeled Obtain an IP address automatically. Also click the radio button labeled Obtain DNS server address automatically.
6. Click the OK button twice to confirm your changes and close the Control Panel.

3.3.3 Windows 2000 PCs
First check for the IP protocol and, if necessary, install it:
1. In the Windows task bar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Network and Dial-up Connections icon.
3. In the Network and Dial-up Connections window, right-click the Local Area Connection icon and then select Properties. The Local Area Connection Properties dialog box displays a list of currently installed network components. If the list includes Internet Protocol (TCP/IP), then the protocol has already been enabled; skip to step 10.
4. If Internet Protocol (TCP/IP) does not display as an installed component, click the Install button.
5. In the Select Network Component Type dialog box, select Protocol and then click the Add button.
6. Select Internet Protocol (TCP/IP) in the Network Protocols list and then click the OK button. You may be prompted to install files from your Windows 2000 installation CD or other media. Follow the instructions to install the files.
7. If prompted, click the OK button to restart your
contact your supplier.

WARNING: Disconnect the power adapter before moving the unit.

WARNING: RJ-45 ports. These are shielded RJ-45 data sockets. They cannot be used as telephone sockets. Only connect RJ-45 data connectors to these sockets.

Important Safety Information

CAUTION: Warnings contain instructions that you must follow for your own safety. All instructions must be followed carefully. You must read the following safety information carefully before installing or removing the unit.

CAUTION: Exercise the utmost care when installing and removing the unit.

CAUTION: Stack the unit only with other OfficeConnect units.

CAUTION: Because of international safety standards, the unit may only be used with the power adapter supplied.

CAUTION: The socket outlet must be near the unit and easily accessible. The power supply to the unit can only be interrupted by unplugging the unit's power cable from the socket outlet.

CAUTION: This unit operates under SELV (Safety Extra Low Voltage) conditions according to IEC 60950. These conditions are only met if the equipment connected to the unit is also operated under SELV conditions.

CAUTION: There are no user-
drop-down list to select one of the following:
IPSec Mode: Select Tunnel mode if you want to create a site-to-site
Select this option to accept connection requests from
Subnet: This option allows you to include all the computers that are connected in an IP subnet. The following fields become available when this option is selected:
  IP Address: Specify the appropriate network address.
  Subnet Mask: Enter the subnet mask.
Remote Gateway: You have a choice of entering either the IP address for the remote secure gateway
  IP Address: Select this option to specify an IP address for the remote secure gateway.
IKE Identity: Use the following options to configure identities for the IKE protocol.
Local ID Type: This option allows you to configure the local identity type.
  IP Address: Set the IKE local identity type to be the IPv4 address.
  FQDN / User FQDN: Set the IKE local identity type to be the Fully Qualified Domain Name (FQDN). Enter the identity string in the Identifier field, for example vpn1.3com.com.
  Any: Set the IKE local identity type to be Any.
Remote ID Type: This option allows you to configure the remote identity type, that is, the identity the peer must present. Pin it to the peer's actual address or name where you can: with a shared pre-shared key, an unrestricted remote identity means any peer that knows the key is accepted.
  IP Address: Set the IKE remote identity type to be the IPv4 address.
  FQDN / User FQDN: Set the IKE remote identity type to be the Fully Qualified Domain Name (FQDN). Enter the identity string in the Ident
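The following simulation, added here as an illustration and not code from the OfficeConnect firmware or this manual, decodes the identification that an IKE peer presents (the ISAKMP Identification payload layout of RFC 2407: ID type, protocol, port, identification data) and checks it against a configured Remote ID type and value as described above, including the permissive "Any" setting. The peer identities and the address 203.0.113.5 are constructed; the example name vpn1.3com.com is the one given on this page.

```python
"""IKE identification payload decoding and Remote ID matching, as a simulation.

Added example, not code from the OfficeConnect firmware or this manual. The
payload layout follows RFC 2407 (ID type, protocol, port, identification
data); the peer identities and the address 203.0.113.5 are constructed.
"""
import ipaddress

# RFC 2407 identification types behind the Local ID / Remote ID options.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
ID_NAMES = {ID_IPV4_ADDR: "IP Address", ID_FQDN: "FQDN", ID_USER_FQDN: "User FQDN"}
ID_CODES = {name: code for code, name in ID_NAMES.items()}


def encode_identification(id_type: str, value: str) -> bytes:
    """Build the body of an ISAKMP Identification payload (after the generic header)."""
    code = ID_CODES[id_type]
    if code == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode("ascii")
    return bytes([code, 0]) + (0).to_bytes(2, "big") + data   # protocol 0, port 0: any


def decode_identification(body: bytes):
    """Return (id type name, value) or raise on a malformed or unsupported ID."""
    if len(body) < 4:
        raise ValueError("identification payload too short")
    code, data = body[0], body[4:]
    name = ID_NAMES.get(code)
    if name is None:
        raise ValueError(f"unsupported ID type {code}")
    if code == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return name, str(ipaddress.IPv4Address(data))
    return name, data.decode("ascii")


def remote_id_accepted(configured_type: str, configured_value: str, presented) -> bool:
    """Compare the peer's identity with the configured Remote ID.

    "Any" accepts every identity; with a shared pre-shared key that means
    every peer holding the key, so pin the type and value when you can.
    """
    presented_type, presented_value = presented
    if configured_type == "Any":
        return True
    if presented_type != configured_type:
        return False          # an FQDN does not satisfy an IP Address requirement
    if presented_type == "IP Address":
        return ipaddress.IPv4Address(presented_value) == ipaddress.IPv4Address(configured_value)
    return presented_value.lower() == configured_value.lower()   # DNS names are case-insensitive


if __name__ == "__main__":
    peer = decode_identification(encode_identification("FQDN", "vpn1.3com.com"))
    print(peer, remote_id_accepted("FQDN", "vpn1.3com.com", peer))          # accepted
    print(remote_id_accepted("IP Address", "203.0.113.5", peer))            # rejected
```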
Primary DNS Server: Enter the first DNS server address in the specified field.
Secondary DNS Server: If you want to specify the secondary DNS address, enter the address in the specified field.
Primary WINS Server: Enter the first WINS server address in the specified field.
Secondary WINS Server: If you want to specify the secondary WINS server address, enter the address in the specified field.
User Group: Specifies a user group from the drop-down list. Make sure the user group has been configured properly.

Figure 16.1 PPTP Server Configuration Page (VPN > PPTP: Enable PPTP Yes/No; Start IP and End IP of the address pool; Primary DNS Server; Secondary DNS Server, optional; Primary WINS Server, optional; Secondary WINS Server, optional; User Group GROUP1; Required Encryption MPPE)

16.3 Configuring PPTP Server
Log into Configuration Manager as admin, click the VPN menu and then click the PPTP submenu. The PPTP Server Configuration page displays as shown in Figure 16.1 PPTP Server Configuration Page. Keep Required Encryption (MPPE) enabled; note that the MPPE key is derived from the MS-CHAP password exchange, so PPTP is only as strong as the user passwords and is widely regarded as weaker than an IPsec tunnel. Use IPsec or L2TP where the clients support it. To configure the PPTP Server, follow the instructions below:
following ways:
Statically: If your ISP provides you with their DNS server addresses, you can assign them to each PC by modifying the PC's IP properties.
Dynamically from a DHCP pool: You can configure the DHCP server on the OfficeConnect Gigabit VPN Firewall and create an address pool that specifies the DNS addresses to be distributed to the PCs. Refer to the section Configuring DHCP Server on page 27 for instructions on creating DHCP address pools.
In either case you can specify the actual addresses of the ISP's DNS servers (on the PC or in the DHCP pool), or you can specify the address of the LAN port on the OfficeConnect Gigabit VPN Firewall (e.g. 192.168.1.1). When you specify the LAN port IP address, the device performs DNS relay as described in the following section.
Note: If you specify the actual DNS addresses on the PCs or in the DHCP pool, the DNS relay feature is not used.

5.4.3 Configuring DNS Relay
When you specify the device's LAN port IP address as the DNS address, the OfficeConnect Gigabit VPN Firewall automatically performs DNS relay: because the device itself is not a DNS server, it forwards domain name lookup requests from the LAN PCs to a DNS server at the ISP and then relays the DNS server's response back to the PC.

Chapter 5 Configuring LAN Settings
When performing DNS relay, the OfficeConnect Gigabit VPN Firewall must maintain the IP add
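The following simulation, added here as an illustration and not code from the OfficeConnect firmware or this manual, shows the bookkeeping a DNS relay needs: each LAN query is forwarded to the ISP server under a fresh transaction ID, and an answer is handed back to a PC only if it comes from that server and matches an outstanding query, so unsolicited or duplicate answers are dropped rather than delivered. The upstream server address 203.0.113.53, the client address and the query/answer packets are constructed; the constructed answer carries no records because only header handling is demonstrated.

```python
"""DNS relay bookkeeping: forward LAN queries upstream, return only matching answers.

Added example, not code from the OfficeConnect firmware or this manual. The
upstream server address 203.0.113.53, the client address and the query/answer
packets are constructed for illustration; the answer carries no records because
only header handling is being demonstrated.
"""
import secrets
import struct

UPSTREAM = ("203.0.113.53", 53)   # assumed ISP DNS server


def parse_header(pkt: bytes):
    """Return (transaction id, is_response) from a DNS message header."""
    txid, flags = struct.unpack(">HH", pkt[:4])
    return txid, bool(flags & 0x8000)    # QR bit set means response


def build_query(txid: int, name: str) -> bytes:
    """Constructed standard query for an A record (class IN)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack(">HH", 1, 1)


def build_answer(query: bytes) -> bytes:
    """Constructed upstream reply: same id, QR=1, RD/RA set, no answer records."""
    return query[:2] + b"\x81\x80" + query[4:]


class DnsRelay:
    def __init__(self, upstream=UPSTREAM, rng=secrets.randbelow):
        self.upstream = upstream
        self.rng = rng
        self.pending = {}   # upstream txid -> (client address, client txid)

    def from_client(self, client_addr, pkt: bytes):
        """LAN PC sent a query to the LAN port. Returns (where to send, packet) or None."""
        client_txid, is_response = parse_header(pkt)
        if is_response:
            return None                          # responses never arrive from clients
        up_txid = self.rng(65536)                # fresh id per query, never the client's
        while up_txid in self.pending:
            up_txid = self.rng(65536)
        self.pending[up_txid] = (client_addr, client_txid)
        return self.upstream, struct.pack(">H", up_txid) + pkt[2:]

    def from_upstream(self, src_addr, pkt: bytes):
        """Packet arrived on the WAN side. Returns (client, packet) or None to drop."""
        if src_addr != self.upstream:
            return None                          # not the server we asked
        up_txid, is_response = parse_header(pkt)
        if not is_response:
            return None
        entry = self.pending.pop(up_txid, None)  # one answer per outstanding query
        if entry is None:
            return None                          # unsolicited or duplicate answer
        client_addr, client_txid = entry
        return client_addr, struct.pack(">H", client_txid) + pkt[2:]


if __name__ == "__main__":
    relay = DnsRelay()
    client = ("192.168.1.4", 5353)
    dst, fwd = relay.from_client(client, build_query(0x1234, "www.example.com"))
    print(dst, parse_header(fwd))
    print(relay.from_upstream(UPSTREAM, build_answer(fwd)))
```

A relay that reused the client's transaction ID, or accepted any response-flagged packet from the WAN, would let an outsider plant answers for the LAN; the pending table and the source check are what make the relay safe to expose to the ISP side.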
for the DiffServ QoS.
7. Check the 802.1p check box if you want to allow 802.1p to DSCP mapping.
8. Click on the Apply button to save the settings.

Figure 12.2 Maximum Interface Bandwidth Configuration Page (Traffic MGMT > Interface > Interface Setting: Interface VLAN2/WAN1 eth0.7; Max Tx in Kbps; Max Rx in Kbps; Apply and Cancel)

Figure 12.3 QoS Configuration Page (Traffic MGMT > QoS Policies: QoS Properties with Enable QoS, Enable Fragment, Enable DSCP Queuing and Enable 802.1p; QoS Policies table listing the classes, for example AF4 and EF, with their DSCP values and bandwidth percentages)

12.3 Defining the QoS Class Object
2. Click the Class Definition tab at the top of the QoS configuration page to enter the Class Definition page. See
have already established ADSL or cable modem service with your Internet service provider (ISP). These instructions provide a basic configuration that should be compatible with your home or small office network setup. Refer to the subsequent chapters for additional configuration instructions.

3.1 Part 1: Connecting the Hardware
In Part 1 you connect the device to an ADSL or a cable modem (which in turn is connected to a phone jack or a cable outlet), to the power outlet, and to your computer or network.

WARNING: Before you begin, turn the power off for all devices. These include your computer(s), your LAN hub/switch (if applicable) and the OfficeConnect Gigabit VPN Firewall.

WARNING: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

Figure 3.1 illustrates the hardware connections. Please follow the steps below for specific instructions.

3.1.1 Step 1: Connect an ADSL or a cable modem
For the OfficeConnect Gigabit VPN Firewall: connect one end of the Ethernet cable to the port labeled WAN on the front panel of the device. Connect the other end to the Ethernet port on the ADSL or cable modem.

3.1.2 Step 2: Connect computers or a LAN
If your LAN has no more than 6 computers, you can use an Ethernet cable to connect the computers directly to the built-in switch on the device. Note that you should attach one end of the Et
in front of the user entry to be selected. Click on the Enable or Disable button to modify the selected entries.

Follow these steps to configure the Local Group:
1. Click on VPN > Users > Local Group to enter the Local Group configuration page.

Figure 14.10 VPN User Group Configuration Page (VPN > Users > Local Group: Groups List)

2. Enter the group name in the space provided.
3. Move the cursor to the desired user in the left pane. Hold the CTRL key down to click on multiple users. Release the CTRL key and click on the Right Arrow button to add the selected users to the right pane as group members.

Figure 14.11 Configuring a User Group (Local Group: Group name MIS Group; Users pane and Members pane)

4. Click on the Apply button to save the change.

Chapter 15 Configuring L2TP Server

15.1 Introduction
The OfficeConnect Gigabit VPN Firew

Enable L2TP: Click on the Yes radio button if you want to enable the L2TP server.
Start IP: Enter the starting IP address of the L2TP address pool in the specified field.
inbound ACL rule, follow the instructions below:
1. Open the Inbound ACL Rule Configuration Page (see section 11.3.2 Access Inbound ACL Rule Configuration Page).
2. Click on the edit icon of the rule to be modified in the inbound ACL list table.
3. Make the desired changes to any or all of the following fields: source IP, destination IP, Service, Schedule, Action, NAT and Log. See Table 11.1 for an explanation of these fields.
4. Click on the Apply button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the inbound access control list table in the bottom half of the Inbound ACL Configuration page.

11.3.5 Delete Inbound ACL Rules
To delete inbound ACL rules, follow the instructions below:
1. Open the Inbound ACL Rule Configuration Page (see section 11.3.2 Access Inbound ACL Rule Configuration Page).
2. Click on the check box in front of each rule to be deleted.
3. Click on the Delete button to delete the selected inbound ACL rules. Note that the deleted ACL rules are removed from the ACL rule table in the bottom half of the same configuration page.

11.3.6 Display Inbound ACL Rules
To see the existing inbound ACL rules, just open the Inbound ACL Rule Configuration page as described in section 11.3.2 Access Inbound ACL Rule Configuration Page.

11.4 Configuring
publicly known IP address into a private IP address for each computer on your LAN. Only your router and your LAN know these addresses; the outside world sees only the public IP address when talking to a computer on your LAN.
NAT rule: A defined method for translating between public and private IP addresses on your LAN.
network: A group of computers that are connected together, allowing them to communicate with each other and share resources such as software, files, etc. A network can be small, such as a LAN, or very large, such as the Internet.
network mask: A network mask is a sequence of bits applied to an IP address to select the network ID while ignoring the host ID. Bits set to 1 mean "select this bit" while bits set to 0 mean "ignore this bit". For example, if the network mask 255.255.255.0 is applied to the IP address 100.10.50.1, the network ID is 100.10.50 and the host ID is 1. See also binary, IP address, subnet, and the section IP Addresses Explained.
NIC: Network Interface Card. An adapter card that plugs into your computer and provides the physical interface to your network cabling, which for Ethernet NICs is typically an RJ-45 connector. See Ethernet, RJ-45.
packet: Data transmitted on a network consists of units called packets. Each packet contains a payload (the data) plus overhead information such as where it came from (source address) and where it should g
shown in Figure 11.6.
1. Click the Add button in the outbound access control list table to add a new outbound ACL rule.
2. Make changes to any or all of the following fields: source IP, destination IP, Service and Schedule. See Table 11.1 for an explanation of these fields.
3. Set the desired action, Allow or Deny, from the Action drop-down list.
4. If you want to use NAT in this rule, select IP Address and specify the IP address for the NAT. See section 11.2.4 for a detailed explanation.
5. Click on the Add button to create the new ACL rule. The new ACL rule will then be displayed in the outbound access control list table in the top half of the ACL Configuration page.

Figure 11.7 illustrates how to create a rule to allow outbound HTTP (i.e. web server) access.

Figure 11.7 Outbound ACL Configuration Example (Firewall > ACL > LAN-WAN, Add LAN-WAN Outbound Rule. Condition: Source Any; Destination Any; Service ANY; Schedule None. Action: Allow; NAT Auto; Log)

11.4.3 Modify Outbound ACL Rules
To modify an outbound ACL rule, follow the instructions below:
1. Open the Outbound ACL Rule Configuration Page (see section 11.4.2).
2. Click on the edit icon of the rule to be modif
the Apply button to create the new schedule. Repeat these steps to configure Schedule2 and Schedule3.

11.6.4.4 Schedule Example
1. Create a Schedule (see Figure 11.14).

Figure 11.14 Schedule Example: Create a Schedule (Firewall > Schedule Setup, Add Schedule: Name MIS Schedule; Scheduled Days Mon, Tue, Wed, Thu, Fri checked, Sun and Sat unchecked, with a Select All control; Scheduled Time Start Time 09:30 AM, End Time 09:30 PM in hh:mm; Add button; Custom Schedules List with columns Name, Scheduled Days, Start Time, End Time and Edit)

2. Associate the Schedule with an outbound ACL rule by selecting the existing Schedule from the Schedule drop-down list. Figure 11.15 shows that MISgroup1 is denied FTP access during office hours. Because rules are checked in ascending rule ID order, this Deny rule must carry a smaller rule ID than any general Allow rule that also matches the group's traffic; outside the scheduled hours the rule is skipped and the later rules decide.

Figure 11.15 Schedule Example: Add LAN-WAN Outbound Rule (Firewall > ACL > LAN-WAN. Condition: Source Subnet, Address 192.168.1.0 with its mask
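The following simulation, added here as an illustration and not code from the OfficeConnect firmware or this manual, puts the ACL behaviour described in this chapter into one evaluator: rules are tried from the smallest rule ID upward, the first match decides, a rule whose schedule is not active is skipped, and a packet that matches nothing is dropped. It uses the schedule example above (an MIS subnet denied FTP on weekdays) together with a broad Allow rule numbered 1001 that stands in for the default rule; the 09:30 to 17:30 office hours, the subnet 192.168.1.0/24 and the packets are constructed assumptions.

```python
"""ACL evaluation in rule ID order with schedules, as a simulation.

Added example, not code from the OfficeConnect firmware or this manual. The
rule set is constructed: rule 1 is the "MIS group denied FTP during office
hours" rule of the schedule example, rule 1001 stands in for a broad Allow
rule placed last; the 09:30 to 17:30 office hours and the packets are assumed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    days: frozenset            # weekday numbers, Monday = 0 ... Sunday = 6
    start: tuple               # (hour, minute), inclusive
    end: tuple                 # (hour, minute), exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= (when.hour, when.minute) < self.end


@dataclass(frozen=True)
class AclRule:
    rule_id: int               # smaller ID = higher priority
    source: str                # CIDR network or "any"
    destination: str
    service: tuple             # (protocol, destination port) or ("any", 0)
    action: str                # "Allow" or "Deny"
    schedule: Optional[Schedule] = None   # None = always in effect


def _net_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _service_match(spec: tuple, proto: str, port: int) -> bool:
    return spec[0] == "any" or spec == (proto, port)


def evaluate(rules, packet: dict, when):
    """Return (action, matching rule id). Rules are checked from the smallest
    rule ID upward and the first match decides; a rule outside its schedule
    is skipped; with no match at all the packet is dropped (Deny, None)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.schedule is not None and not rule.schedule.active(when):
            continue
        if (_net_match(rule.source, packet["src"]) and _net_match(rule.destination, packet["dst"])
                and _service_match(rule.service, packet["proto"], packet["dport"])):
            return rule.action, rule.rule_id
    return "Deny", None


OFFICE_HOURS = Schedule(frozenset(range(0, 5)), (9, 30), (17, 30))   # Mon-Fri 09:30-17:30 (assumed)
SAMPLE_RULES = [
    AclRule(1001, "any", "any", ("any", 0), "Allow"),                         # broad rule, lowest priority
    AclRule(1, "192.168.1.0/24", "any", ("tcp", 21), "Deny", OFFICE_HOURS),   # FTP blocked in office hours
]

# Constructed packets from an MIS host to an outside server.
FTP = {"src": "192.168.1.5", "dst": "198.51.100.20", "proto": "tcp", "dport": 21}
HTTP = {"src": "192.168.1.5", "dst": "198.51.100.20", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, FTP, "2024-01-10T10:00"))    # ('Deny', 1)     Wednesday, office hours
    print(evaluate(SAMPLE_RULES, FTP, "2024-01-13T10:00"))    # ('Allow', 1001) Saturday
    print(evaluate(SAMPLE_RULES[1:], HTTP, "2024-01-10T10:00"))  # ('Deny', None) nothing matched
```

Swapping the two rule IDs (giving the Deny rule a larger ID than the Allow rule) makes the Deny rule unreachable for this traffic, which is the ordering mistake the priority discussion in section 11.1.3.1 warns about.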
to 192.168.1.0/255.255.255.0 without any NAT.
2. Configure an inbound Firewall rule to allow packets from 192.168.1.0/255.255.255.0 to 192.168.2.0/255.255.255.0 without any NAT.

Table 14.4 and Table 14.5 provide the parameters to be configured for the outbound and inbound Firewall rule fields. For a general description of configuring any inbound or outbound Firewall rule, please refer to sections 11.3 and 11.4.

Table 14.4 Outbound Un-translated Firewall Rule for VPN Packets on ISR1
Destination IP (remaining field values are not legible in the source).
Note: The outbound un-translated Firewall rule has to be added before the existing rule ID 1001.

Table 14.5 Inbound Un-translated Firewall Rule for VPN Packets on ISR1
Subnet mask value 255.255.255.0; Destination IP (remaining field values are not legible in the source).

14.4.1.3 Establish Tunnel and Verify

Ping continuously from a host in the LAN behind ISR1 to a host in the LAN behind ISR2. The first few pings might fail while the tunnel is negotiated. After a few seconds the host in the LAN behind ISR1 should start getting ping responses.

14.5 Managing VPN User Accounts

The OfficeConnect Gigabit VPN Firewall provides a mechanism for user-level authentication that gives users access to VPN tunnels and lets them send data across the encrypted connection. You can configure the router to use the local user database to authenticate users and control their access to network resources. Follow these steps to add a new
to the Sender and Receiver E-Mail Address fields. Here is an example of an e-mail address: user01@domain.com.
6. If authentication is required, select the corresponding authentication method, either Plain Text or CRAM-MD5, based on the information provided by your network administrator, and specify the username and password in the space provided. Plain Text delivers the password to the SMTP server in the clear, while CRAM-MD5 answers a challenge from the server without transmitting the password itself, so prefer CRAM-MD5 when the server offers it. If the OfficeConnect Gigabit VPN Firewall needs to respond to the IDENT protocol from the SMTP server, check the Respond to Identd from SMTP Server checkbox.
7. Enter a Schedule for sending the logs. From the drop-down list select Never, Hourly, Daily or Weekly, then fill in the Day and Time fields that correspond to your selection.
8. Click the Apply button to save the changes.

17.11 Configuring SNMP

The SNMP agent maintains a list of variables which are used to manage the device. The variables are defined in the Management Information Base (MIB). The SNMP standards define the MIB specification format as well as the format used to access the information over the network. Access to the SNMP agent is controlled by community strings; treat them as passwords, since a community with write access can reconfigure the device.

Follow these steps to enable or disable the SNMP function or to configure the SNMP communities:

1. Click Administration > SNMP > Communities to enter the SNMP Communities configuration page.

[Figure: Administration > SNMP > Communities Setup page.]
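The difference between the two authentication choices in step 6 is easiest to see in code. The following is an added example, not part of the manual or the firewall's firmware; it assumes that "Plain Text" means the SASL PLAIN mechanism (RFC 4616) and implements CRAM-MD5 as RFC 2195 specifies, checked against the test vector in that RFC. The user name, password and server challenge are the RFC's, not values from this manual.

```python
"""SMTP authentication for log e-mail: PLAIN versus CRAM-MD5.

Added example, not the firewall's own code. PLAIN only base64-encodes the
password, so anyone on the path reads it unless the SMTP session is
protected by TLS. CRAM-MD5 never sends the password, but the server must
keep the password in the clear to verify the digest, and MD5 is no longer
considered strong; neither mechanism replaces TLS on the connection.
"""
import base64
import hashlib
import hmac
from typing import Callable, Optional, Tuple


def plain_response(username: str, password: str, authzid: str = "") -> str:
    """Client reply for AUTH PLAIN: base64(authzid NUL user NUL password)."""
    raw = b"\0".join(s.encode() for s in (authzid, username, password))
    return base64.b64encode(raw).decode()


def decode_plain(response_b64: str) -> Tuple[str, str, str]:
    """What an eavesdropper recovers from a PLAIN exchange: (authzid, user, password)."""
    authzid, user, password = base64.b64decode(response_b64).decode().split("\0")
    return authzid, user, password


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client reply for AUTH CRAM-MD5: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(response_b64: str, challenge_b64: str,
                    lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the digest from the stored cleartext password
    returned by lookup(username) and compare it in constant time."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = lookup(username)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# RFC 2195 section 2 example: user "tim", shared secret "tanstaaftanstaaf".
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

if __name__ == "__main__":
    print(cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE) == RFC2195_RESPONSE)
    print(decode_plain(plain_response("user01@domain.com", "s3cret")))
```

The verify routine shows why CRAM-MD5 is not free of cost: the server needs the cleartext password, so a compromise of the mail server exposes the firewall's credential exactly as a PLAIN capture would.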
two subnets. Each subnet uses the remaining 7 bits in field 4 for its host IDs, which range from 0 to 127 instead of the usual 0 to 255 for a class C address.

Similarly, to split a class C network into four subnets the mask is 255.255.255.192, or 11111111 11111111 11111111 11000000. The two extra bits in field 4 can have four values (00, 01, 10, 11), so there are four subnets. Each subnet uses the remaining six bits in field 4 for its host IDs, ranging from 0 to 63. In each subnet the lowest host ID is the subnet address and the highest is its broadcast address, so 62 of the 64 values can be assigned to hosts.

Sometimes a subnet mask does not specify any additional network ID bits, and thus no subnets. Such a mask is called a default subnet mask. These masks are:

Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

Note: These are called default because they are used when a network is initially configured, at which time it has no subnets.

20 Troubleshooting

This appendix suggests solutions for problems you may encounter in installing or using the OfficeConnect Gigabit VPN Firewall, and provides instructions for using several IP utilities to diagnose problems. Contact Customer Support if these suggestions do not resolve the problem.

Problem / Troubleshooting Suggestion
LINK/LAN LED does not illuminate after the Ethernet cable is attached.
user stations and network devices into a single unit regardless of the physical LAN segment to which they are attached. VLANs allow network traffic to flow more efficiently within subgroups. VLANs use software to reduce the amount of time it takes for network changes, additions and moves to be implemented.

VLANs restrict traffic within the VLAN. VLANs have no minimum number of ports and can be created per unit, per device or through any other logical connection combination, since they are software based and not defined by physical attributes.

VLANs function at Layer 2. Since VLANs isolate traffic within the VLAN, a Layer 3 router working at a protocol level is required to allow traffic flow between VLANs. Layer 3 routers identify segments and coordinate with VLANs. VLANs are broadcast and multicast domains: broadcast and multicast traffic is transmitted only in the VLAN in which the traffic is generated.

VLAN tagging provides a method of transferring VLAN information between VLAN groups. VLAN 1 is the default VLAN. All ports are untagged members of VLAN 1 by default. If any port becomes an untagged member of a different VLAN, then the port is removed from untagged membership of VLAN 1. For example, if port 24 is made an untagged member of VLAN 5, the port will no longer be a member of VLAN 1. However, if the port is made a tagged member of VLAN 5, it still remains untagged in VLAN 1. A port can only be an untagged member of one VLAN at a time
user to the local user database:

1. Click on VPN > Users > Local User to enter the Local User configuration page.

[Figure 14.7 VPN User Account Configuration Page: VPN > Users > Local User, with tabs Local User and Local Group; the Users List table has columns Name, Group and Edit.]

2. Click on the Add button to add a new user.

[Figure 14.8 Configuring VPN User Account: Local User form with the Password field.]

3. Enter the username and password into the space provided.
4. Click on the Apply button to save the change.

To edit an existing user, follow these steps:

1. Click on the edit icon of the entry to be modified in the Users List table.

[Figure 14.9 Editing an existing VPN User: Users List showing the entry "test".]

2. Enter the username and password into the space provided.
3. Click on the Apply button to save the change.

To delete one or more user entries, follow these steps:

1. Check the checkbox in front of each user entry to be selected.
2. Click on the Delete button to remove the selected entries.

To enable or disable one or more user entries, follow these steps:

1. Check the checkbox
you want to use your preferred DNS servers.
3. (Optional) Enter the AC name in the space provided if required by your ISP. Otherwise leave this field blank.
4. (Optional) Enter the Service name in the space provided if required by your ISP. Otherwise leave this field blank.
5. (Optional) If you want to use the DNS settings provided by your ISP, select the Get Automatically from ISP radio button. Otherwise select the Use These DNS Servers radio button and enter the IP addresses of the primary and secondary DNS servers.
6. Choose a connection option and enter the appropriate setting if desired. The default setting is Disable.
7. Click the Apply button to save the PPPoE settings when you are done with the configuration. You will see a summary of the WAN configuration at the bottom half of the configuration page. Note that if the default gateway address is not shown immediately, click on the WAN menu to open the WAN configuration page again.

8.3 PPTP

8.3.1 WAN PPTP Configuration Parameters

Table 8.2 WAN PPTP Configuration Parameters

Setting: User Name and Password
Description: Enter the username and password you use to log into your ISP. Note that this is different from the information you used to log into Configuration Manager.

Setting: Service Name
Description: If your ISP requires a Service Name, enter the valid Service name into this field. Leave this field blank if it is not necessary.

Setting: PPTP Server IP
Description: IP Address of
your ISP requires a PPPoE AC Name, enter the valid AC name into this field (optional). Leave this field blank if it is not necessary.

Setting: Service Name
Description: If your ISP requires a Service Name, enter the valid Service name into this field. Leave this field blank if it is not necessary.

Setting: Dial On Demand
Description: Enter the inactivity timeout period after which you want to disconnect the Internet connection when there is no traffic. The minimum value of the inactivity timeout is 30 seconds. RIP and SNTP services may interfere with this function if there is activity from these two services. Make sure that the update interval setting of the system date and time in the System Management > Date/Time Setup configuration page (see 17.5 Setup Date and Time for details) is greater than the inactivity timeout value.

Setting: Unnumbered
Description: If your ISP assigned a block of IP addresses, select the Enable radio button to give your PPPoE interface an IP address from the same range assigned to your LAN. Otherwise select Disable.

8.2.2 Configuring PPPoE for WAN

Follow the instructions below to configure PPPoE settings.

1. Make sure the Login Required checkbox is checked, as shown in Figure 8.1. If you are connecting to the Internet using PPPoE, you probably only have to enter the User Name and Password in the PPPoE Configuration page as shown in Figure 8.1, unless
Turks and Caicos: AT&T 800 988 2112
Uruguay (Montevideo): AT&T 800 988 2112
Venezuela: AT&T 800 988 2112
Virgin Islands: AT&T 800 988 2112

You can also obtain support in this region in the following ways.

US and Canada: Telephone Technical Support and Repair
All locations, Network Jacks (Wired): 1 847 262 0070
All other 3Com products: 1 800 876 3226

23 END USER SOFTWARE LICENSE AGREEMENT

3Com Corporation END USER SOFTWARE LICENSE AGREEMENT

YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE DOWNLOADING, INSTALLING AND USING THIS PRODUCT, THE USE OF WHICH IS LICENSED BY 3COM CORPORATION ("3COM") TO ITS CUSTOMERS FOR THEIR USE ONLY AS SET FORTH BELOW. DOWNLOADING, INSTALLING OR OTHERWISE USING ANY PART OF THE SOFTWARE OR DOCUMENTATION INDICATES THAT YOU ACCEPT THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT DOWNLOAD, INSTALL OR OTHERWISE USE THE SOFTWARE OR DOCUMENTATION, DO NOT CLICK ON THE "I AGREE" OR SIMILAR BUTTON, AND IF YOU HAVE RECEIVED THE SOFTWARE AND DOCUMENTATION ON PHYSICAL MEDIA, RETURN THE ENTIRE PRODUCT WITH THE SOFTWARE AND DOCUMENTATION UNUSED TO THE SUPPLIER WHERE YOU OBTAINED IT.

LICENSE: 3Com grants you a nonexclusive, nontransferable (except as specified herein) license to use the accompanying software program(s) in executable form (the "Software") and accompanying
[Figure 11.1 One-to-One NAT and One-to-Many NAT: internal hosts 192.168.1.100, 192.168.1.101 and 192.168.1.102 mapped through the firewall to public addresses.]

11.2.2 NAPT or One-to-Many NAT

Also called IP masquerading, this feature maps many internal hosts to one globally valid Internet address. The mapping contains a pool of network ports to be used for translation. Every packet is translated with the globally valid Internet address, and the port number is translated with an unused port from the pool of network ports. Figure 11.1 shows that all the hosts on the local network gain access to the Internet by mapping to only one globally valid IP address and different port numbers from a free pool of network ports.

11.2.3 Reverse Static NAT

Reverse static NAT maps a globally valid IP address to an internal host address for the inbound traffic. All packets coming to that globally valid IP address are relayed to the internal address. This is useful when hosting services on an internal machine.

11.2.4 Virtual Server or Reverse NAPT

Reverse NAPT is also called inbound mapping, port mapping or virtual server. Any packet coming to the OfficeConnect Gigabit VPN Firewall can be relayed to the internal host based on the protocol, port number and/or IP address specified in the ACL rule. This is useful when multiple services are hosted on different internal machines.
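The port-pool behaviour of 11.2.2 and the virtual server of 11.2.4 can be modelled with a small translation table. The block below is an added example and is not the firewall's code; the public address 198.51.100.1, the four-port pool, the internal hosts and the rule that a dynamically mapped port only accepts packets from the peer the internal host last contacted are all assumptions made for the example, not behaviour the manual states.

```python
"""NAPT (one-to-many NAT) and reverse NAPT (virtual server) translation table.

Added example for sections 11.2.2 and 11.2.4; not the firewall's own code.
Assumed, not stated by the manual: a single public address, one public port
per (protocol, internal address, internal port), a tiny constructed port
pool so that exhaustion can be shown, and inbound packets on a dynamically
mapped port accepted only from the remote endpoint the internal host last
sent to. Unsolicited inbound packets with no mapping and no virtual server
rule are dropped, which is the protection NAPT gives a LAN.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class Napt:
    def __init__(self, public_ip: str, port_pool=range(40000, 40004)):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)
        # (proto, int_ip, int_port) -> public port
        self.out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (int_ip, int_port, remote_ip, remote_port)
        self.back: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (proto, public port) -> internal endpoint, static reverse NAPT
        self.virtual_servers: Dict[Tuple[str, int], Endpoint] = {}

    def add_virtual_server(self, proto: str, public_port: int, int_ip: str, int_port: int) -> None:
        """Static reverse NAPT rule; the port is kept out of the dynamic pool."""
        self.virtual_servers[(proto, public_port)] = (int_ip, int_port)
        if public_port in self.free_ports:
            self.free_ports.remove(public_port)

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Translate the source of an outgoing packet. Returns the public
        (ip, port) it leaves with; raises RuntimeError when the pool is empty."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if not self.free_ports:
                raise RuntimeError("NAPT port pool exhausted")
            self.out[key] = self.free_ports.pop(0)
        pub_port = self.out[key]
        self.back[(proto, pub_port)] = (src_ip, src_port, dst_ip, dst_port)
        return self.public_ip, pub_port

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """Internal endpoint for a packet arriving at the public address,
        or None if the packet must be dropped."""
        entry = self.back.get((proto, dst_port))
        if entry is not None:
            int_ip, int_port, remote_ip, remote_port = entry
            if (src_ip, src_port) == (remote_ip, remote_port):
                return int_ip, int_port
            return None  # another peer probing a mapped port: drop
        return self.virtual_servers.get((proto, dst_port))


if __name__ == "__main__":
    nat = Napt("198.51.100.1")  # constructed public address
    print(nat.outbound("tcp", "192.168.1.100", 51000, "203.0.113.5", 80))
    print(nat.outbound("tcp", "192.168.1.101", 51000, "203.0.113.5", 80))
    print(nat.inbound("tcp", "203.0.113.5", 80, 40001))
    print(nat.inbound("tcp", "198.18.0.9", 4444, 40003))
```

Two hosts using the same internal source port receive different public ports, a reply is routed back only to the host that caused the mapping, and a packet for a port with neither a mapping nor a virtual server rule is dropped. A real NAPT also ages mappings out; that is omitted here.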
Pakistan: Call the U.S. direct by dialing 00 800 01001, then dialing 800 763 6780.
Sri Lanka: Call the U.S. direct by dialing 02 430 430, then dialing 800 763 6780.
Vietnam: Call the U.S. direct by dialing 1 201 0288, then dialing 800 763 6780.

You can also obtain non-urgent support in this region at this e-mail address: apr_technical_support@3com.com. Or request a return material authorization number (RMA) by FAX using this number: +61 2 9937 5048, or send an e-mail to ap_rma_request@3com.com.

Europe, Middle East and Africa: Telephone Technical Support and Repair

From anywhere in these regions not listed below, call +44 1442 435529. From the following countries, call the appropriate number:

Austria: 0800 297 468
Belgium: 0800 71429
Denmark: 800 17309
Finland: 0800 113153
France: 0800 917959
Germany: 0800 182 1502
Hungary: 06800 12813
Ireland: 1 800 553 117
Israel: 180 945 3794
Italy: 0800 879489
Luxembourg: 800 23625
Netherlands: 0800 0227788
Norway: 800 11376
Poland: 00800 4411 357
Portugal: 800 831416
Russia: 8 800 555 8588
Saudi Arabia: 800 8 445 312
South Africa: 0800 995 014
Spain: 900 938 919
Sweden: 020 795 482
Switzerland: 0800 553 072
U.A.E.: 04 3908997
U.K.: 0800 096 3266
8.2.2 Configuring PPPoE for WAN 40
8.3 PPTP 40
8.3.1 WAN PPTP Configuration Parameters 40
8.3.2 Configuring PPTP for WAN 40
8.4 Dynamic IP 41
8.4.1 WAN Dynamic IP Configuration Parameters 41
8.4.2 Configuring Dynamic IP for WAN 41
8.5 Static IP 42
8.5.1 WAN Static IP Configuration Parameters 42
8.5.2 Configuring Static IP for WAN 42
8.6 Viewing WAN Statistics 43
9 Configuring Routes 45
9.1 Overview of IP Routes 45
9.1.1 Do I need to define IP routes? 45
9.2 Dynamic Routing using RIP (Routing Information Protocol) 45
9.2.1 Enabling/Disabling RIP 46
9.3 Static Routes 46
9.3.1 Static Route Configuration Parameters 46
9.3.2 Adding Static Routes 47
9.3.3 Deleting Static Routes 47
9.3.4 Viewing the Static Routing Table 47
10 Configuring DDNS 49
10.1 DDNS Configuration Parameters 49
10.2 Access DDNS Configuration Page 50
10.3 Configuring HTTP DDNS Client 50
11 Configuring Firewall/NAT Settings 51
[Figure 20.1 Using the ping Utility: Ping statistics showing Sent = 4, Received = 4, Lost = 0 (0% loss), and the approximate round trip times (minimum, maximum, average) in milliseconds.]

If the target computer cannot be located, you will receive the message "Request timed out". Using the ping command you can test whether the path to the OfficeConnect Gigabit VPN Firewall is working, using the preconfigured default LAN IP address 192.168.1.1 or another address you assigned.

... referred to another higher-level server, and so on, until the entry is found. The server then returns the associated IP address.

On Windows-based computers you can execute the nslookup command from the Start menu. Click the Start button and then click Run. In the Open text box type the following: nslookup. A Command Prompt window displays with a bracket prompt (>). At the prompt, type the name of the Internet address you are interested in, such as www.abcnews.com. The window will display the associated IP address, if known, as shown in Figure 20.2.

[Figure 20.2 Using the nslookup Utility: the default server tp-dc-1.corpnet.asus at 192.168.28.68 answers the query for www.abcnews.com with the address of abcnews.com (the digits are not legible in the source).]

There may be several addresses associated with an Internet
255.255.255.0.
4. Enter the gateway address provided by your ISP in the space provided.
5. Enter the IP address of the primary DNS server. This information should be provided by your ISP. The secondary DNS server is optional.
6. Click the Apply button to save the static IP settings when you are done with the configuration. You will see a summary of the WAN configuration at the bottom half of the configuration page.

8.6 Viewing WAN Statistics

You can view statistics of your WAN traffic. You will not typically need to view this data, but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems. To view WAN IP statistics, click Status on the menu. Figure 8.4 shows the WAN Statistics page.

[Figure 8.4 WAN Statistics Page: Monitoring > Traffic Statistics for interface VLAN2/WAN1 (eth0.7), hourly view.]

9 Configuring Routes

You can use Configuration Manager to define specific routes for your Internet and network data communication. This chapter describes basic routing concepts and provides instructions for creating routes. Note that most users do not need to define routes.

9.1 Overview of IP Routes

The essential challenge of a router is: when it receives data intended for a particular destination, which next device should it send that data to? When you define IP routes, you provide the rules that the OfficeConnect
Nicaragua: AT&T 800 988 2112
Panama: AT&T 800 988 2112
Paraguay: AT&T 800 988 2112
Peru: AT&T 800 988 2112
Puerto Rico: AT&T 800 988 2112
Rest of Latin America: 1 508 323 6234
St. Kitts and Nevis: AT&T 800 988 2112
St. Lucia: AT&T 800 988 2112
St. Vincent: AT&T 800 988 2112
Suriname: AT&T 800 988 2112
Trinidad and Tobago: AT&T 800 988 2112

English speakers in Latin America should send an e-mail to lat_support_anc@3com.com.
Spanish speakers: enter the URL http://lat.3com.com/lat/support/form.html
Portuguese speakers: enter the URL http://lat.3com.com/br/support/form.html
You can also obtain support in this region using this URL: http://emea.3com.com/support/email.html

You can also obtain non-urgent support in this region at these e-mail addresses:
Technical support and general requests: customer_support@3com.com
Return material authorization number: warranty_repair@3com.com
Contact requests: emea_contact@3com.com

Latin America: Telephone Technical Support and Repair

Antigua: AT&T 800 988 2112
Antigua and Barbuda: AT&T 800 988 2112
Argentina: AT&T 800 988 2112
Aruba: AT&T 800 988 2112
Bahamas: AT&T 800 988 2112
Barbados: AT&T 800 988 2112
Belize: AT&T 800 988 2112
Bermuda: AT&T 800 988 2112
Bolivia: AT&T 800 988 2112
Brasil: 0800 133266 (0800 13 3COM)
Brasil Local: 5511 5643 2700
British Virgin Islands: AT&T 800 988 2112
Cayman Islands: AT&T 800 988 2112
Chile: AT&T 800 988 2112
Colombia: AT&T 800 988 2112
Colombia Local: 571 592 5000
Costa Rica: AT&T 800 988 2112
Curacao: AT&T 800 988 2112
Dominican Republic: AT&T 800 988 2112
El Salvador: AT&T 800 988 2112
Ecuador: AT&T 800 988 2112
French Guiana: AT&T 800 988 2112
Grenada: AT&T 800 988 2112
Guadeloupe: AT&T 800 988 2112
Guatemala: AT&T 800 988 2112
Guyana: AT&T 800 988 2112
Haiti: AT&T 800 988 2112
Honduras: AT&T 800 988 2112
Jamaica: AT&T 800 988 2112
Mexico: 1800 849 2273
Mexico Local: 52 55 52 01 0004
Montserrat: AT&T 800 988 2112
DNS Configuration Page

Follow these instructions to configure the HTTP DDNS client:

1. First, you should have already registered a domain name with the DDNS service provider. If you have not done so, please visit www.dyndns.org or www.tzo.com for more details.
2. Click the Network > DDNS submenu to open the DDNS configuration page.
3. Select a DDNS service provider from the radio buttons.
4. Enter the registered domain name, username and password in the specified fields.
5. Open the DDNS Configuration page (see section 10.2).
6. Click on the Apply button to send a DNS update request to your DDNS service provider. Note that a DNS update request will also be sent to your DDNS service provider automatically whenever the WAN port status changes.

11 Configuring Firewall/NAT Settings

The OfficeConnect Gigabit VPN Firewall provides built-in firewall and NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious access to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks and who should be automatically notified.

This chapter describes how to create, modify and delete ACL (Access Control List) rules to control the data passing through your network. You will use the firewall configuration pages to:

> Create, modify, delete and view inbound and outbound ACL rules
> Create, modify and delete pre-defined
the mode of the selected port to LAN port or DMZ port. Select the port type from the drop-down list. Once the DMZ port is enabled, the corresponding DMZ interface will be activated as well, and you should be able to configure the DMZ interface in the IP Setup configuration page.
3. To enable the selected port, keep the Enable check box checked. Otherwise, click on the Enable check box to disable the selected port.
4. To change the selected port speed, select a value from the Speed drop-down list.
5. Click Apply to save the settings you made.

5.6 Viewing LAN Statistics

You can view statistics of your LAN traffic on the OfficeConnect Gigabit VPN Firewall. You will not typically need to view this data, but you may find it helpful when working with your ISP to diagnose network and Internet data transmission problems. To view LAN IP statistics, click Traffic Statistics in the Monitoring submenu and select VLAN1/LAN (eth0.1) from the interface drop-down list. Figure 5.7 shows the LAN Statistics page.

[Figure 5.7 LAN Statistics Page: Monitoring > Traffic Statistics, interface VLAN1/LAN (eth0.1), hourly view, with per-period byte counts for today and yesterday.]

6 Configuring VLAN Settings

6.1 VLAN Overview

VLANs are logical subgroups within a Local Area Network (LAN) which combine
[Figure 11.15 (lower part): Destination Any, Service FTP, the Schedule selected from the Schedule drop-down list, Action Deny, Block LAN port checkbox with Block Time (seconds), NAT Auto, Log checkbox.]

11.6.5 Configuring IP/MAC Binding

This feature allows the system administrator to bind an IP address to a specific MAC address, to prevent LAN computers from being affected by ARP spoofing attacks. Only hosts listed in the binding table are protected, and a binding does not stop an attacker who clones a bound MAC address. Refer to the following sections to configure the IP/MAC binding rules.

11.6.5.1 Adding an IP/MAC binding rule

To add an IP/MAC binding for the firewall, follow these steps:

1. Click on Firewall > IP/MAC Binding to enter the IP/MAC Binding configuration page. See Figure 11.16 IP/MAC Binding Configuration Page.

[Figure 11.16 IP/MAC Binding Configuration Page: Firewall > IP/MAC Binding Setup. General: Enable IP/MAC Binding checkbox, Enable ARP Attack Prevention checkbox. Binding entry fields: IP Address (the example shows 192.168.1.17), MAC Address (the example begins 00:0D; the rest is not legible).]

4. Click on the Apply button to save the changes.

11.6.5.3 Removing an existing IP/MAC binding rule

To remove an existing IP/MAC binding rule from the firewall, follow these steps:

1. Click on Firewall > IP/MAC Binding to enter the IP/MAC Binding configuration page.
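What the ARP attack prevention of 11.6.5 has to check can be shown against a constructed capture of ARP replies. The block below is an added example, not the firewall's code; the binding table, the observed replies and the full MAC addresses (the one in Figure 11.16 is only partially legible, so a made-up value is used) are constructed. It reports two conditions: a bound IP answered by a different MAC, and one MAC answering for several bound IPs, which is what a poisoner impersonating the gateway looks like.

```python
"""IP/MAC binding check against observed ARP replies (section 11.6.5).

Added example, not the firewall's own code. The binding table and the
ARP observations below are constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:0d:..., 00-0D-..., 000d.aabb.cc17 and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_arp(bindings: Dict[str, str],
              observed: Iterable[Tuple[str, str]],
              enforce_unbound: bool = False) -> List[str]:
    """Compare (sender IP, sender MAC) pairs taken from ARP replies with the
    binding table and return one message per violation. With enforce_unbound
    the check also reports hosts that have no binding at all, mirroring a
    policy under which only bound hosts may use the LAN."""
    bound = {ip: normalize_mac(mac) for ip, mac in bindings.items()}
    problems: List[str] = []
    claims = defaultdict(set)  # mac -> set of IPs it answered for
    for ip, raw_mac in observed:
        mac = normalize_mac(raw_mac)
        claims[mac].add(ip)
        if ip in bound:
            if bound[ip] != mac:
                problems.append(f"{ip}: bound to {bound[ip]}, but {mac} answered")
        elif enforce_unbound:
            problems.append(f"{ip}: no binding, answered by {mac}")
    for mac, ips in claims.items():
        bound_ips = sorted(ip for ip in ips if ip in bound)
        if len(bound_ips) > 1:
            problems.append(f"{mac} answered for several bound hosts: {', '.join(bound_ips)}")
    return problems


# Constructed binding table and a constructed capture of ARP replies.
BINDINGS = {
    "192.168.1.1": "00:0d:aa:bb:cc:01",   # the firewall's LAN address
    "192.168.1.17": "00:0d:aa:bb:cc:17",
}
OBSERVED = [
    ("192.168.1.17", "00-0D-AA-BB-CC-17"),  # genuine reply
    ("192.168.1.1", "00:0d:aa:bb:cc:17"),   # 192.168.1.17's card claims the gateway address
    ("192.168.1.30", "00:0d:aa:bb:cc:30"),  # host with no binding
]

if __name__ == "__main__":
    for line in check_arp(BINDINGS, OBSERVED, enforce_unbound=True):
        print(line)
```

The sorted-IP and normalised-MAC handling matters in practice: the same adapter is reported as `00-0D-...`, `00:0d:...` or `000d.aabb.cc17` depending on the tool, and a naive string comparison would miss the conflict.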
Gigabit VPN Firewall uses to make these decisions.

9.1.1 Do I need to define IP routes?

Most users do not need to define IP routes. On a typical small home or office LAN, the existing routes that set up the default gateways for your LAN computers and for the OfficeConnect Gigabit VPN Firewall provide the most appropriate path for all your Internet traffic.

> On your LAN computers, a default gateway directs all Internet traffic to the LAN port on the OfficeConnect Gigabit VPN Firewall. Your LAN computers know their default gateway either because you assigned it to them when you modified their TCP/IP properties, or because you configured them to receive the information dynamically from a server whenever they access the Internet. Each of these processes is described in the Quick Start Guide instructions, Part 2.
> On the OfficeConnect Gigabit VPN Firewall itself, a default gateway is defined to direct all outbound Internet traffic to a router at your ISP. This default gateway is assigned automatically by your ISP whenever the device negotiates an Internet connection. The process for adding a default route is described in section 9.3.2 Adding Static Routes.

You may need to define routes if your home setup includes two or more networks or subnets, if you connect to two or more ISP services, or if you connect to a remote corporate LAN.
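The two pieces of arithmetic behind this chapter and Chapter 19 (IP Addresses, Network Masks and Subnets) fit in one block: how a longer mask splits a class C network into subnets, and how a router chooses the next hop when several routes cover a destination. This is an added example, not the firewall's own code; the routing table, the ISP gateway 198.51.100.254 and the second internal subnet reached through 192.168.1.254 are constructed, and the longest-prefix rule is the standard one rather than a statement from the manual.

```python
"""Subnet arithmetic (Chapter 19) and next-hop selection (section 9.1).

Added example, not the firewall's own code. split() reproduces the
Chapter 19 arithmetic: applying a longer mask to a network gives
2**(extra bits) subnets with 2**(remaining bits) host IDs each.
next_hop() picks the route with the longest matching prefix: a directly
connected LAN beats a more specific static route, which beats the ISP
default route. The routing table below is constructed.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def prefix_len(mask: str) -> int:
    """255.255.255.192 -> 26; a non-contiguous mask such as 255.0.255.0 raises ValueError."""
    return IPv4Network(f"0.0.0.0/{mask}").prefixlen


def split(network: str, mask: str) -> List[Tuple[str, int, int]]:
    """Subnets of `network` under `mask`, each with the range of host IDs it
    offers (0 .. 2**remaining_bits - 1, the 0-to-63 style figure of Chapter 19)."""
    net = IPv4Network(network, strict=False)
    new_prefix = prefix_len(mask)
    if new_prefix < net.prefixlen:
        raise ValueError("mask must be at least as long as the network's own prefix")
    return [(str(sub), 0, sub.num_addresses - 1)
            for sub in net.subnets(new_prefix=new_prefix)]


def next_hop(routes: List[Tuple[str, str]], destination: str) -> Optional[str]:
    """Longest-prefix match over (network, gateway) pairs. The gateway
    'connected' marks a directly attached network. None means no route."""
    dst = IPv4Address(destination)
    best: Optional[Tuple[IPv4Network, str]] = None
    for network, gateway in routes:
        net = IPv4Network(network, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


# Constructed routing table for a firewall with the manual's default LAN:
ROUTES = [
    ("192.168.1.0/24", "connected"),     # the LAN
    ("10.10.0.0/16", "192.168.1.254"),   # a second internal network behind another router
    ("0.0.0.0/0", "198.51.100.254"),     # ISP default gateway (constructed)
]

if __name__ == "__main__":
    for sub in split("192.168.1.0/24", "255.255.255.192"):
        print(sub)
    for dst in ("192.168.1.10", "10.10.5.5", "203.0.113.5"):
        print(dst, "->", next_hop(ROUTES, dst))
```

The order of the `ROUTES` list is irrelevant: the longest prefix wins regardless, which is why a badly chosen static route (say 0.0.0.0/1) can silently take half of the Internet away from the default gateway.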
Index (excerpt): LAN DHCP 25; LAN IP address 25, 33, specifying 25, 33, 36; LAN network mask 25, 33; LAN Statistics page 33; LAN subnet mask 25; LEDs 3, 128, troubleshooting 115; Login to Configuration Manager 21; MAC addresses 128, in DHCP Address Table 29; Mask, see Network mask; Mbps 128; NAT defined 52, 128, NAPT 53, Overload 53, PAT 53, Reverse NAPT 53, Reverse Static 53, Static 52, Virtual Server 53; Navigating 21; Netmask, see Network mask; Network, see LAN; Network classes 111; Network ID 111; Network interface card 12; Network mask 112, 129; NIC 129; Node on network, defined 25; Notational conventions 12; nslookup 117; Outbound ACL Configuration page 57; Packet 129, filtering 51; Pages: DHCP Address Table 27, DHCP Server Configuration 27, Firmware Upgrade 106, LAN Statistics 33, Routing Configuration 45, 47, User Password Configuration 102, WAN Statistics 43, Inbound ACL Configuration 54, Outbound ACL Configuration 57; Parts, checking for 3; Password, changing 101, default 15, 21, recovering 116; PC configuration 12, static IP addresses 14; Performance statistics 32, 43; Ping 116, 129; Port 129; Power adapter 9; PPP 129; PPPoE 129; Primary DNS 40, 41, 42; Protocol 129; Quick Configuration, logging in 14; Rear Panel 3; Remote 129; RIP 129; RJ-45 129; Routing 129
LAN IP in the DNS Server IP Address field in the DHCP configuration page, as shown in Figure 5.3.
2. Configure the LAN PCs to use the IP addresses assigned by the DHCP server on the OfficeConnect Gigabit VPN Firewall, or enter the OfficeConnect Gigabit VPN Firewall's LAN IP address as the DNS server address manually on each PC on your LAN.

Note: DNS addresses that were assigned to LAN PCs before DNS relay was enabled remain in effect until the PC is rebooted. DNS relay only takes effect when a PC's DNS address is the LAN IP address. If a DNS address other than the LAN IP address is configured in a DHCP pool or statically on a PC, that address will be used instead of the DNS relay.

5.5 Port Setup

To configure the port settings, click Network in the main menu and then click the Port Setup sub-menu. See Figure 5.5 Port Setup Configuration Page.

1. Move the mouse cursor to the desired port icon and then click on the icon to configure the selected port. See Figure 5.6 Port Selection.
2. If the selected port is Port 3 or Port 4, you should be able to change
ICMP Attacks: Ping of Death, Smurf, Twinge, ICMP Flooder
Flooders: UDP Flooder, SYN Flooder
Port Scans: TCP XMAS Scan, TCP Null Scan, TCP SYN Scan, TCP Stealth Scan
TCP Attacks: TCP sequence number prediction, TCP out-of-sequence attacks
Miscellaneous Attacks (protection with PF rules): Echo/Chargen, Ascend Kill, IP Spoofing, LAND, Targa, Tentacle, MIME Flood, Winnuke, FTP Bounce, IP unaligned timestamp attack

2.4.1.4 Application Command Filtering

The OfficeConnect Gigabit VPN Firewall allows network administrators to block, monitor and report on network users' access to non-business and objectionable content. This high-performance content access control results in increased productivity, lower bandwidth usage and reduced legal liability.

The OfficeConnect Gigabit VPN Firewall has the ability to handle active content filtering on certain application protocols such as HTTP, FTP, SMTP and RPC.

> HTTP: You can define HTTP extension-based filtering schemes for blocking ActiveX, Java Archive and Java Applet content, and URLs based on file extensions. Extension filtering only sees plain HTTP: the device cannot inspect URLs inside an HTTPS connection, and a server may serve the same content under a different file name.

2.4.1.5 Application Level Gateway (ALG)

Applications such as FTP, games etc. open connections dynamically based on the respective application parameters. To go through the firewall on the OfficeConnect Gigabit VPN Firewall, packets pertaining to an application require a corresponding allow rule. In the absence
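The extension-based HTTP filter of 2.4.1.4 sounds trivial, but most of the work is in normalising the URL before looking at the extension. The block below is an added example and not the firewall's own code; the mapping of ActiveX, Java Archive and Java Applet to the extensions .ocx/.cab, .jar and .class is an assumption, as are the sample URLs.

```python
"""HTTP file-extension filtering (section 2.4.1.4).

Added example, not the firewall's own code. The blocked-extension set is an
assumed mapping of the content types the manual names. The query string and
fragment are not part of the file name, percent-encoding must be undone, and
case must not matter; the comments note what the filter still cannot catch.
"""
import posixpath
from typing import FrozenSet
from urllib.parse import unquote, urlsplit

# Assumed mapping: ActiveX controls (.ocx, .cab), Java archives (.jar), Java applets (.class).
BLOCKED: FrozenSet[str] = frozenset({".ocx", ".cab", ".jar", ".class"})


def extension_of(url: str) -> str:
    """Lower-case extension of the URL's path, after percent-decoding.

    Only the path component is examined, so '?v=1' and '#top' do not hide a
    name. A trailing slash ('/a.jar/') or a double extension ('x.jar.txt')
    yields something else, which is a bypass if the server still serves the
    archive under that name; a Content-Type check would be needed for that."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(path)[1].lower()


def blocked_by_extension(url: str, blocked: FrozenSet[str] = BLOCKED) -> bool:
    """True if the request should be denied under the extension policy."""
    return extension_of(url) in blocked


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("http://example.test/applet.jar?v=1#top",
              "http://example.test/dir/CONTROL.OCX",
              "http://example.test/a.%6Aar",
              "http://example.test/index.html",
              "http://example.test/a.jar/"):
        print(blocked_by_extension(u), u)
```

The percent-encoded case (`%6A` is `j`) is the one most simple filters miss; the trailing-slash case is the one this filter misses, which is why the manual's extension filtering should be read as a productivity control rather than a security boundary.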
3Com OfficeConnect Gigabit VPN Firewall 3CREVF100-73 User Guide

3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752-3064

Copyright © 2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation or adaptation) without written permission from 3Com Technologies. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term or condition of any kind, either implied or expressed, including but not limited to the implied warranties, terms or conditions of merchantability, satisfactory quality and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND: If you
> Configure VPN connection rules.
> Configure Firewall access rules to allow inbound and outbound VPN traffic.
> Configure a Firewall self rule to allow IKE packets into the OfficeConnect Gigabit VPN Firewall.

14.4.1.1 Configure Rules on OfficeConnect Gigabit VPN Firewall 1 (ISR1)

This section describes the steps to establish the VPN Firewall for the Intranet scenario. Figure 14.4 depicts the typical Intranet connections. Note that an ADSL or cable modem is not required if the two networks are connected via Ethernet. The setting of each configuration step is illustrated in a figure. For instructions on the configuration of each step, please refer to the corresponding section for details.

[Figure 14.4 Typical Intranet Network Diagram: ISR1 (WAN 212.1.1.212, LAN 192.168.1.1) and ISR2 (WAN 123.1.1.123, LAN 192.168.2.1), each behind an ADSL/cable modem; PCs 192.168.1.10, 192.168.1.11 and 192.168.1.12 behind ISR1, and 192.168.2.20, 192.168.2.21 and 192.168.2.22 behind ISR2.]

[VPN policy settings for ISR1 as shown in the following figure. General: Policy Name ISR1_TO_ISR2, Policy Type Auto, IPSec Mode Tunnel, Local Gateway WAN1. Local Site: Local IP Subnet, IP Address 192.168.1.0, Subnet Mask 255.255.255.0; Local ID Type IP ADDRESS, Identifier. Auto Policy: IKE Proposal (IKE Version, Exchange Mode, Encryption, DH) and IPSec Proposal (Protocol, Encryption, PFS); the remaining values are not legible in the source.]
11.4 Configuring Outbound ACL Rules

By creating ACL rules in the outbound ACL configuration page, as shown in Figure 11.6, you can control (allow or deny) Internet or external network access for computers on your LAN. Options in this configuration page allow you to:
- Add a rule and set parameters for it
- Modify an existing rule
- Delete an existing rule
- View configured ACL rules

Figure 11.6 Outbound ACL Configuration Page (figure residue: Firewall > ACL LAN/WAN > Add LAN/WAN Outbound Rule. Condition: Source Any; Destination Any; Service ANY; Schedule None. Action: Action Allow; NAT Auto; Log.)

11.4.1 Outbound ACL Rule Configuration Parameters

Table 11.2 describes the configuration parameters available for a firewall outbound ACL rule.

Table 11.2 Outbound ACL Rule Configuration Parameters
- Source: This option allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following options. Any: this option allows you to apply the rule to all computers in the local network. IP Address, Subnet and Range: select any of these options and enter details as described in the Source section above.
Figure 17.7 Windows File Browser (figure residue: a Windows file-open dialog listing System Volume Information, WINNT, WUTemp, ntldr, pagefile.sys, tmuninst.ini, arcldr.exe, arcsetup.exe and AUTOEXEC.BAT; Files of type: All Files.)

3. Click on the Restore button to restore the system configuration. Note that the OfficeConnect Gigabit VPN Firewall will reboot to put the new system configuration into effect.

17.7 Upgrade Firmware

3Com may from time to time provide you with an update to the firmware running on the OfficeConnect Gigabit VPN Firewall. All system software is contained in a single file called an image. Configuration Manager provides an easy way to upload the new firmware image. To upgrade the image, follow this procedure:

1. Log into Configuration Manager, click the System Management menu and then click the Firmware Upgrade submenu. The Firmware Upgrade page displays as shown in Figure 17.8.

Figure 17.8 Firmware Upgrade Page (figure residue: Administration > Backup & Upgrade; tabs Upgrade Configuration and Upgrade; field "Upgrade firmware from" with a Browse button.)

2. In the Firmware text box, enter the path and name of the firmware image file. Alternatively, you may click on the Browse button to search for it on your hard drive.
DHCP relay: a computer that forwards DHCP data between computers that request IP addresses and the DHCP server that assigns the addresses. Each of the OfficeConnect Gigabit VPN Firewall's interfaces can be configured as a DHCP relay. See DHCP.

DHCP (Dynamic Host Configuration Protocol) server: A DHCP server is a computer that is responsible for assigning IP addresses to the computers on a LAN. See DHCP.

DNS (Domain Name System): The DNS maps domain names into IP addresses. DNS information is distributed hierarchically throughout the Internet among computers called DNS servers. When you start to access a web site, a DNS server looks up the requested domain name to find its corresponding IP address. If the DNS server cannot find the IP address, it communicates with higher level DNS servers to determine the IP address. See also domain name.

domain name: A domain name is a user-friendly name used in place of its associated IP address. For example, www.3com.com is the domain name associated with IP address 192.136.34.41. Domain names must be unique; their assignment is controlled by the Internet Corporation for Assigned Names and Numbers (ICANN). Domain names are a key element of URLs, which identify a specific file at a web site, e.g. http://www.3com.com. See also DNS.

download: To transfer data in the downstream direction, i.e. from the Internet to the user.

DSL: Digi
Gigabit VPN Firewall

To define the QoS class object, follow these steps:

1. Click the Traffic MGMT menu and then click the QoS submenu to enter the QoS configuration page. See Figure 12.3.

Figure 12.4 QoS Class Definition Page (figure residue: Traffic MGMT > QoS > Class Definition; QoS Class Table with columns Name; Traffic Shaping (Kbits/s): Tx Min, Tx Max, Rx Min, Rx Max, Share Type; Prioritize: Lvl, DSCP, 802.1p; Remark: DSCP, 802.1p.)

3. Click the Add button to create a new QoS Class Object. See Figure 12.5.

Figure 12.5 Add a new QoS Class Object (figure residue: Traffic MGMT > QoS > Class Definition > QoS Class Add. Name: MIS Class. Enable Traffic Shaping/Prioritize. TX Bandwidth Min 64, Max 128 Kbits/s; RX Bandwidth Min 256, Max 384 Kbits/s (0 = unlimited). Share Type: All Share. Enable Prioritize: Ingress Prioritize, Egress Prioritize. Enable Remark.)

4. Enter a name for the new QoS Class Object. If you want to enable traffic shaping and prioritization, make Enable Traffic Shaping/Prioritize
packet sent out of the selected port(s) will have a duplicate copy delivered to the mirror port.
5. Click on the ports whose incoming packets you want monitored. Any packet sent to the selected port(s) will have a duplicate copy delivered to the mirror port.
6. Click on the Apply button to save the changes.

17.2 Change the Login Password

The first time you log into the Configuration Manager, you use the default username and password: admin and password. The system allows two types of users: administrator (username admin) and guest (username guest). The administrator has the privilege to modify the system settings, while the guest can only view the system settings. Passwords of both the admin and guest accounts can be changed by the administrator. Because these defaults are printed in this manual, change the admin password at first login, before the WAN link goes live.

Note: This username and password is only used for logging into the Configuration Manager; it is not the same as the login password you may use to connect to your ISP.

Figure (residue): Administration > System Access > Account. Idle time: Auto logout after 900 Minutes. Add Account: Access Level (Management / Monitor); Username (5-12 chars); Password (6-12 chars); Confirm Password; Add. Summary: Username, Access Level (monitor).
trademark of Netscape Communications. JavaScript is a trademark of Sun Microsystems. All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we are committed to:
- Establishing environmental performance standards that comply with national legislation and regulations.
- Conserving energy, materials and natural resources in all operations.
- Reducing the waste generated by all operations.
- Ensuring that all waste conforms to recognized environmental standards.
- Maximizing the recyclable and reusable content of all products.
- Ensuring that all products can be recycled, reused and disposed of safely.
- Ensuring that all products are labeled according to recognized environmental standards.
- Improving our environmental record on a continual basis.

End of Life Statement: 3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement: 3Com products do not contain any hazardous or ozone depleting material.

Environmental Statement about the Documentation: The documentation for this product is printed on paper that comes from sustainable, managed forests; it is fully biodegradable and recyclable, and is completely chlorine free. The varnish is environmentally friendly and the inks are vegetable base
all can terminate L2TP over IPsec connections from incoming Microsoft Windows 2000 and Windows XP clients.

You can use Layer 2 Tunneling Protocol (L2TP) to create VPNs over public networks such as the Internet. L2TP provides interoperability between different VPN vendors that protocols such as PPTP and L2F do not, although L2TP combines the best of both protocols and is an extension of them. L2TP is supported on the Microsoft Windows 2000 operating system. L2TP supports several of the authentication options supported by PPP, including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). You can use L2TP to authenticate the endpoints of a VPN tunnel to provide additional security, and you can implement it with IPsec to provide a secure, encrypted VPN solution.

The chapter contains instructions for configuring the L2TP server and also provides

L2TP server parameters (table fragment):
- Ending address: Enter the ending IP address of the L2TP address pool in the specified field.
- Primary DNS Server: Enter the first DNS server address in the specified field.
- Secondary DNS Server: If you want to specify the secondary DNS address, enter it in the specified field.
- Primary WINS Server: Enter the first WINS server address in the specified field.
- Secondary WINS Server: If you want to specify the secondary WINS server address, enter the address in the specified field.
- User group: Specifies a user group from the drop-down list. Make sure the user grou
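The PPP authentication options named above, worked through as an added example (this code is not part of the manual or of the firewall's software): the CHAP exchange of RFC 1994 with the MD5 algorithm shown from the server side and the client side, PAP's cleartext comparison, and what an eavesdropper can do with a captured CHAP exchange, which is why the chapter pairs L2TP with IPsec. The user database, the fixed challenge used in the demo and the wordlist are constructed for the demonstration; MS-CHAP is not modelled.

```python
"""CHAP and PAP as used by an L2TP server's PPP authentication.

Added example, not from the 3Com manual or its firmware.  The user database,
the demo challenge and the wordlist below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The L2TP/PPP server side: issues a challenge, checks the response."""

    def __init__(self, users: dict):
        self.users = dict(users)          # name -> shared secret (bytes)
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self, value: bytes = None) -> tuple:
        # A fresh random challenge per attempt prevents replay of an old response.
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = value if value is not None else secrets.token_bytes(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def chap_client(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """The Windows client side: never sends the secret, only the MD5 response."""
    return chap_response(identifier, secret, challenge)


def pap_verify(users: dict, name: str, password: bytes) -> bool:
    # PAP sends name and password in cleartext; the server just compares them.
    secret = users.get(name)
    return secret is not None and hmac.compare_digest(secret, password)


def offline_crack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What an eavesdropper can do with an unprotected CHAP exchange:
    try candidate secrets until one reproduces the captured response."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> dict:
    users = {"alice": b"letmein"}                          # constructed user database
    server = ChapServer(users)
    ident, chal = server.new_challenge(bytes(range(16)))   # fixed challenge for the demo
    resp = chap_client(ident, chal, b"letmein")
    ok = server.verify("alice", ident, resp)
    bad = server.verify("alice", ident, chap_client(ident, chal, b"wrong"))
    # The same response replayed against a new challenge no longer verifies.
    server.new_challenge()
    replay = server.verify("alice", ident, resp)
    cracked = offline_crack(ident, chal, resp, [b"password", b"123456", b"letmein"])
    pap = pap_verify(users, "alice", b"letmein")
    return {"ok": ok, "bad": bad, "replay": replay, "cracked": cracked, "pap": pap}


if __name__ == "__main__":
    print(demo())
```

The crack step is the reason the chapter runs L2TP inside IPsec: a passive observer of a bare L2TP session sees identifier, challenge and response, and can test candidate secrets offline at MD5 speed. Inside the IPsec tunnel the exchange is encrypted and that capture is not available.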
all date and time does not affect the date and time on your PCs.

Figure 17.5 Date and Time Configuration Page (figure residue: Administration > System Time Setup. Current Time 7/14/2008 07:13:18; Time Zone GMT-08:00; Daylight Saving; Use Default NTP Server 192.43.244.18; Use Custom NTP Server IP Address; Polling Interval in mins (Range 1-14400); Last Successful SNTP Connection; Configure Date and Time Manually: Mon/Day/Year Hour/Min/Sec; Apply.)

Although there is an internal real time clock in the OfficeConnect Gigabit VPN Firewall, you will probably still need to configure the NTP service so that the date and time can be maintained by an external network time server (NTP server). The only fields configurable in this configuration page are the Time Zone, the IP address of the time servers and the desired update interval. Select your time zone from the Time Zone drop-down list, change the IP address of the time servers and the update interval if desired, and then click on the Apply button to save the changes. Because the SNTP exchange is not authenticated, point the firewall at a time server on a network you control where possible: schedule-based rules and log timestamps depend on this clock.

17.5.1 View the System Date and Time

To view the updated system date and time, log into Configuration Manager as admin, click the Administration menu and then click the Date and Time Setup submenu.

17.6 Sy
select Protocol and then click the Add button.
6. Select Microsoft in the Manufacturers list box, then click TCP/IP in the Network Protocols list box, and then click the OK button.
7. You may be prompted to install files from your Windows 95, 98 or Me installation CD or other media. Follow the instructions to install the files. If prompted, click the OK button to restart your computer with the new settings.

Next, configure the PCs to accept IP information assigned by the OfficeConnect Gigabit VPN Firewall.

8. In the Control Panel, double-click the Network icon.
9. In the Network dialog box, select an entry starting with TCP/IP and the name of your network adapter, and then click the Properties button.
10. In the TCP/IP Properties dialog box, click the radio button labeled Obtain an IP address automatically.
11. In the TCP/IP Properties dialog box, click the Default Gateway tab. Enter 192.168.1.1 (the default LAN port IP address of the OfficeConnect Gigabit VPN Firewall) in the New gateway address field and click the Add button to add the default gateway entry.
12. Click the OK button twice to confirm and save your changes, and then close the Control Panel. If prompted to restart your computer, click the OK button to do so with the new settings.

3.3.5 Windows NT 4.0 workstations

First check for the IP protocol and, if necessary, in
and Repair

All locations: Network Jacks (Wired) 1 847 262 0070; All other 3Com products 1 800 876 3226.

Asia Pacific Rim Telephone Technical Support and Repair (Country: Telephone Number)
Australia 1800 075 316; Hong Kong 2907 0456; India 000 800 440 1193; Indonesia 001 803 852 9825; Japan 03 3507 5984; Malaysia 1800 812 612; New Zealand 0800 450 454; Philippines 1800 144 10220 or 029003078; PR of China 800 810 0504; Singapore 800 448 1433; South Korea 080 698 0880; Taiwan 00801 444 318; Thailand 001 800 441 2152.
Pakistan: Call the U.S. direct by dialing 00800 01001, then dialing 800 763 6780. Sri Lanka: Call the U.S. direct by dialing 02 430 430, then dialing 800 763 6780. Vietnam: Call the U.S. direct by dialing 1 201 0288, then dialing 800 763 6780.
You can also obtain non-urgent support in this region at this email address: apr_technical_support@3com.com. Or request a return material authorization number (RMA) by FAX using this number: 61 2 9937 5048, or se

From anywhere in these regions not listed below, call 44 1442 435529. From the following countries, call the appropriate number: Austria 0800 297 468; Belgium 0800 71429; Denmark 800 17309; Finland 0800 113153; France 0800 917959; Germany 0800 182 1502; Hungary 06800 12813; Ireland 1 800 533 117; Israel 180 945 3794; Italy 0800 879489; ...ans 800 23625.
and Repair

To obtain telephone support as part of your warranty and other service benefits, you must first register your product at http://eSupport.3com.com. When you contact 3Com for assistance, please have the following information ready:
- Product model name, part number and serial number
- A list of system hardware and software, including revision level
- Diagnostic error messages
- Details about recent configuration changes, if applicable

To send a product directly to 3Com for repair, you must first obtain a return authorization number (RMA). Products sent to 3Com without authorization numbers clearly marked on the outside of the package will be returned to the sender, unopened, at the sender's expense. If your product is registered and under warranty, you can obtain an RMA number online at http://eSupport.3com.com. First time users will need to apply for a user name and password.

Telephone numbers are correct at the time of publication. Find a current directory of support telephone numbers posted on the 3Com web site at http://csoweb4.3com.com/contactus.

Asia Pacific Rim Telephone Technical Support and Repair (Country: Telephone Number)
Australia 1800 075 316; Hong Kong 2907 0456; India 000 800 440 1193; Indonesia 001 803 852 9825; Japan 0
(remaining countries in this table: Malaysia, New Zealand, Philippines, PR of China, Singapore, South Korea, Taiwan, Thailand)
This means that the inbound traffic of these four services will be directed to the respective host hosting these services.

11.3 Configuring Inbound ACL Rules

By creating ACL rules in the Inbound ACL configuration page, as shown in Figure 11.2, you can control (allow or deny) incoming access to computers on your LAN. Options in this configuration page allow you to:
- Add a rule and set parameters for it
- Modify an existing rule
- Delete an existing rule
- View configured ACL rules

Figure 11.2 Inbound ACL Configuration Page (figure residue: Firewall > ACL LAN/WAN > Add LAN/WAN Inbound Rule. Condition: Source; Destination Any; Service Any; Schedule None. Action: Action Allow; NAT None; Log.)

Address selector options for a rule (table fragment):
- IP Address: Specify the appropri­ate network address.
- Subnet: This option allows you to include all the computers that are connected in an IP subnet. When this option is selected, the following fields become available for entry: IP Address (enter the appropriate IP address) and Subnet Mask (enter the corresponding subnet mask).
- Range: This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
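The inbound rule fields here and the outbound rule fields of section 11.4 use the same selectors, so one added example covers both; it is not the firewall's own code. It evaluates a constructed rule set against constructed packets in first-match order using the Any, IP Address, Subnet and Range forms from the tables. The default action taken when no rule matches is an assumption of the example and should be checked against the device.

```python
"""First-match evaluation of inbound/outbound ACL rules.

Added example, not the firewall's own code.  The rule set, the packets and
the default action when nothing matches are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclRule:
    direction: str
    source: tuple           # ("any",) | ("ip", a) | ("subnet", net, mask) | ("range", lo, hi)
    destination: tuple      # same selector forms
    service: tuple          # ("any",) | (proto, port)
    action: str             # "allow" or "deny"
    log: bool = False


def address_matches(selector: tuple, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    kind = selector[0]
    if kind == "any":
        return True
    if kind == "ip":
        return addr == ipaddress.ip_address(selector[1])
    if kind == "subnet":
        # "192.168.1.0" plus "255.255.255.0" as entered on the Subnet form
        return addr in ipaddress.ip_network(f"{selector[1]}/{selector[2]}", strict=False)
    if kind == "range":
        return ipaddress.ip_address(selector[1]) <= addr <= ipaddress.ip_address(selector[2])
    raise ValueError(f"unknown selector {kind!r}")


def service_matches(selector: tuple, pkt: Packet) -> bool:
    if selector[0] == "any":
        return True
    proto, port = selector
    return pkt.proto == proto and pkt.dport == port


def evaluate(rules: list, pkt: Packet, default: str = "deny") -> tuple:
    """Return (action, index of the matching rule or None, log flag).

    Rules are tried in order and the first match wins, so a broad Allow placed
    above a narrower Deny makes the Deny unreachable.  `default` applies when
    no rule matches; "deny" is assumed here.
    """
    for index, rule in enumerate(rules):
        if rule.direction != pkt.direction:
            continue
        if (address_matches(rule.source, pkt.src)
                and address_matches(rule.destination, pkt.dst)
                and service_matches(rule.service, pkt)):
            return rule.action, index, rule.log
    return default, None, False


# Constructed rule set: publish one web server inbound, block outbound SMTP from
# a range of LAN hosts, allow everything else from the LAN subnet outbound.
RULES = [
    AclRule("inbound", ("any",), ("ip", "192.168.1.10"), ("tcp", 80), "allow"),
    AclRule("outbound", ("range", "192.168.1.100", "192.168.1.110"), ("any",), ("tcp", 25), "deny", log=True),
    AclRule("outbound", ("subnet", "192.168.1.0", "255.255.255.0"), ("any",), ("any",), "allow"),
]


def demo() -> list:
    packets = [                                                          # constructed traffic
        Packet("inbound", "tcp", "203.0.113.5", "192.168.1.10", 80),     # the published web server
        Packet("inbound", "tcp", "203.0.113.5", "192.168.1.11", 80),     # a host that is not published
        Packet("outbound", "tcp", "192.168.1.105", "198.51.100.1", 25),  # SMTP from the blocked range
        Packet("outbound", "tcp", "192.168.1.105", "198.51.100.1", 443),
        Packet("outbound", "udp", "192.168.2.5", "198.51.100.1", 53),    # not in the LAN subnet
    ]
    return [evaluate(RULES, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Swapping the second and third rules in RULES shows the ordering trap: the subnet-wide Allow then matches the SMTP packet first and the logged Deny never fires.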
85. ansfer from the United States or country where you legally obtained it without an approved U S Department of Commerce export license and appropriate foreign export or import license as required You agree that you will not export or re export the Technical Data or any copies thereof or any products utilizing the Technical Data in violation of any applicable laws or regulations of the United States or the country where you legally obtained it You are responsible for obtaining any licenses to export re export or import the Technical Data In addition to the above the Product may not be used exported or re exported i into or to a national or resident of any country to which the U S has embargoed or ii to any one on the U S Commerce Department s Table of Denial Orders or the U S Treasury Department s list of Specially Designated Nationals TRADE SECRETS TITLE You acknowledge and agree that the structure sequence and organization of the Software are the valuable trade secrets of 3Com and its suppliers You agree to hold such trade secrets in confidence You further acknowledge and agree that ownership of and title to the Software and Documentation and all subsequent copies thereof regardless of the form or media are held by 3Com and its suppliers UNITED STATES GOVERNMENT LEGENDS The Software Documentation and any other technical data provided hereunder is commercial in nature and developed solely at private expense The Software is deli
86. anying documentation the Documentation subject to the terms and restrictions set forth in this Agreement You are not permitted to lease rent distribute or sublicense except as specified herein the Software or Documentation or to use the Software or Documentation in a time sharing arrangement or in any other unauthorized manner Further no license is granted to you in the human readable code of the Software source code Except as provided below this Agreement does not grant you any rights to patents copyrights trade secrets trademarks or any other rights with respect to the Software or Documentation Subject to the restrictions set forth herein the Software is licensed to be used on any workstation or any network server owned by or leased to you for your internal use provided that the Software is used only in connection with this 3Com product You may reproduce and provide one 1 copy of the Software and Documentation for each such workstation or network server on which the Software is used as permitted hereunder Otherwise the Software and Documentation may be copied only as essential for backup or archive purposes in support of your use of the Software as permitted hereunder Each copy of the Software and Documentation must contain 3Com s and its licensors proprietary rights and copyright notices in the same form as on the original You agree not to remove or deface any portion of any legend provided on any licensed program or docum
generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference to radio communications, in which case the user will be required to correct the interference at their own expense.

24.1.1.2 INFORMATION TO THE USER

If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient the receiving antenna.
- Relocate the equipment with respect to the receiver.
- Move the equipment away from the receiver.
- Plug the equipment into a different outlet so that equipment and receiver are on different branch circuits.

If necessary, the user should consult the dealer or an experienced radio/television technician for additional suggestions. The user may find the following booklet prepared by the Federal Communications Commission helpful: How to Identify and Resolve Radio-TV Interference Problems. This booklet is available from the U.S. Government Printing Office, Washington, DC 20402, Stock No. 004-000-00345-4.

In order to meet FCC emissions limits, this equipment must be used only with cables which comply with IEEE 802.3
path between end stations on a network, eliminating loops. Loops occur when alternate routes exist between hosts. Loops in an extended network can cause bridges to forward traffic indefinitely, resulting in increased traffic and reduced network efficiency.

While Classic STP prevents Layer 2 forwarding loops in a general network topology, convergence can take between 30 and 60 seconds. Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster STP convergence without creating forwarding loops. The device supports the following STP versions:
- Classic STP: Provides a single path between end stations, avoiding and eliminating loops.
- Rapid STP: Detects and uses network topologies that provide faster convergence of the spanning tree without creating forwarding loops.

7.2 Spanning Tree Configuration Parameters

Table 7.1 describes the configuration parameters available for Spanning Tree configuration.

Table 7.1 Spanning Tree Configuration Parameters (settings: System Priority, Hello Time, Max Age, Forward Delay)
- System Priority: Specifies the bridge priority value. When switches or br
LAN IP settings at this point until after you have completed the rest of the configurations and confirmed that your Internet connection is working.

Figure 3.7 IP Setup Configuration Page (figure residue: Network > IP Setup > IP Setup; Interfaces List; Interface LAN1 (LAN, eth0.1); TCP/IP Setup: IP Address 192.168.1.7, Subnet Mask 255.255.255.0.)

Figure 3.8 DHCP Server Configuration Page (figure residue: Network > IP Setup > DHCP; tabs IP Setup, Fixed DHCP Lease, DHCP Lease Table; Interface LAN1 (LAN, eth0.1); None / DHCP Server Configuration: IP Address Pool Begin 192.168.1.8 (Auto range); IP Address Pool End 192.168.1.254; Default Gateway 192.168.1.7; Lease Time 24 Hours; Use WAN DNS Server Address; Primary DNS Server Address 192.168.1.7; Secondary DNS Server Address 0.0.0.0 (Optional).)
described in section 11.5.2 Access Content Filter Configuration Page.

11.5.7 Content Filter Rule Example

Figure 11.9 shows a Content Filter rule example. It demonstrates:
- How to add the keyword "mail". Any URL containing this keyword will be blocked.
- How to configure the Web Components.

1. Open the Content Filter Configuration page (see section 11.5.2 Access Content Filter Configuration Page).
2. Click the check boxes of any Web Components you wish to block.
3. If you wish to configure the Trusted IP, click Allow Trusted IP To Visit Blocked Sites and enter the IP address in the IP Address field.
4. Click on the Apply button to save your changes.
5. Enter a keyword in the Keyword field.
6. Click on the Add button to create the Content Filter rule. The new rule will then be displayed in the Content Filter Configuration Summary table.

Figure 11.9 (figure residue: Firewall > Content Filter Setup. Enable Web Content Filter; Schedule; Web Components: Proxy, Java, ActiveX, Cookies; Allow Trusted IP To Visit Blocked Sites.)

11.6.1 Configuring Self Access Rules

Self Access rules control access to the OfficeConnect Gigabit VPN Firewall itself. You may use the Self Access Rule Configuration page, as illustrated in Figure 11.10,
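The rule example's behaviour (the keyword "mail" blocks any URL containing it; trusted IPs bypass the block), as an added example rather than the device's code, run over constructed requests so that the side effects of substring matching are visible: a "blackmail" page is blocked too, while a request by IP literal carries no keyword at all. Case-insensitive matching and the host-label matcher are assumptions of the example, not documented device behaviour.

```python
"""Keyword content filter with trusted-IP bypass.

Added example, not the firewall's code.  The keyword list, the trusted host and
the sample requests are constructed; case-insensitive matching and the
host-label matcher are assumptions, not documented device behaviour.
"""
import ipaddress
from urllib.parse import urlsplit


def keyword_hits(url: str, keywords: list) -> list:
    # Device semantics as documented: the keyword may appear anywhere in the URL.
    lowered = url.lower()
    return [k for k in keywords if k.lower() in lowered]


def host_label_hits(url: str, keywords: list) -> list:
    """Stricter alternative (assumption): match whole labels of the hostname only,
    so "mail.example.com" matches "mail" but "/blackmail-cases" does not."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return [k for k in keywords if k.lower() in labels]


def decide(client_ip: str, url: str, keywords: list, trusted_ips: list,
           matcher=keyword_hits) -> tuple:
    """Return ("allow" | "block", reason) for one request."""
    client = ipaddress.ip_address(client_ip)
    if any(client == ipaddress.ip_address(t) for t in trusted_ips):
        return "allow", "trusted-ip"          # Allow Trusted IP To Visit Blocked Sites
    hits = matcher(url, keywords)
    if hits:
        return "block", "keyword:" + ",".join(hits)
    return "allow", "no-match"


KEYWORDS = ["mail"]                  # the rule example's keyword
TRUSTED = ["192.168.1.2"]            # constructed trusted host

SAMPLE = [                           # constructed requests: (client, url)
    ("192.168.1.10", "http://mail.example.com/inbox"),
    ("192.168.1.2", "http://mail.example.com/inbox"),
    ("192.168.1.10", "https://www.example.com/blackmail-cases"),
    ("192.168.1.10", "http://198.51.100.7/"),
    ("192.168.1.10", "https://WWW.EXAMPLE.COM/MAILING-LIST"),
]


def demo(matcher=keyword_hits) -> list:
    return [decide(ip, url, KEYWORDS, TRUSTED, matcher) for ip, url in SAMPLE]


if __name__ == "__main__":
    for (ip, url), verdict in zip(SAMPLE, demo()):
        print(ip, url, verdict)
    print("host-label matcher:", demo(host_label_hits))
```

Running both matchers over the same sample shows the trade-off a keyword filter forces: the documented substring rule over-blocks ("blackmail-cases", "MAILING-LIST") and the stricter host-label rule under-blocks; neither sees anything in a URL that names the server by IP address, so the filter is a convenience control rather than a boundary.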
Local Site, where it is decrypted and forwarded to the intended destination.

The chapter contains instructions for configuring VPN connections using automatic keying and manual keys.

14.1 VPN Tunnel Configuration Parameters

Table 14.1 describes all the VPN tunnel configuration parameters available for the various VPN configurations.

Table 14.1 VPN Tunnel Configuration Parameters
- Policy Name: Enter a unique name, preferably a meaningful name that signifies the tunnel connection. Note that only alphanumeric characters are allowed in this field.
- Policy Type: Select Auto for automatic keying such as IKEv1 or IKEv2. Otherwise select Manual for manual keying.
- Local Site: This option allows you to set the local secure network to which this rule should apply. Use the Type drop-down list to select one of the following. Any: select this option to accept connection requests from any computer; it applies this rule inclusively to all computers in the internal network. Subnet: this option allows you to include all the computers that are connected in an IP subnet. The following fields become available when this option is selected: IP Address, and Subnet Mask (enter the subnet mask).
- Remote Site: This option allows you to set the remote destination secure network to which this rule should apply. Use the Type drop-down list to select one of the following. Any: this option allows you to apply this rule inclusively to all computers in the external network.
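An added example (not the firewall's code) that ties Table 14.1 to the two-firewall scenario of section 14.4.1.1: it models the policy fields, checks that the ISR1 and ISR2 policies mirror each other, lists the self rules needed to admit the peer's IKE and ESP traffic, and tests which packets the tunnel selects. Gateway and site addresses follow Figure 14.4; the proposal values, ISR2's policy and the rule tuple layout are assumptions of the example.

```python
"""Cross-checking a site-to-site IPsec policy pair before entering it.

Added example, not the firewall's own code.  Addresses follow Figure 14.4;
proposal values, ISR2's policy and the rule tuple format are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace

IKE_UDP_PORT = 500                    # IKE/ISAKMP runs over UDP port 500
IP_PROTO = {"ESP": 50, "AH": 51}      # IP protocol numbers of the IPsec protocols


@dataclass(frozen=True)
class VpnPolicy:
    policy_name: str
    policy_type: str          # "Auto" (IKE) or "Manual"
    ipsec_mode: str           # "Tunnel" or "Transport"
    local_gateway: str        # this end's WAN address
    remote_gateway: str       # the peer's WAN address
    local_site: str           # "address/mask" as entered on the Subnet form
    remote_site: str
    ike_encryption: str
    ike_dh_group: int
    ipsec_protocol: str       # "ESP" or "AH"
    ipsec_encryption: str
    pfs: bool


def network(site: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(site, strict=False)   # accepts 192.168.1.0/255.255.255.0


def mirror_problems(local: VpnPolicy, peer: VpnPolicy) -> list:
    """Everything that would stop the two ends from negotiating the same SA."""
    problems = []
    if local.local_gateway != peer.remote_gateway or local.remote_gateway != peer.local_gateway:
        problems.append("gateways are not mirrored")
    if (network(local.local_site) != network(peer.remote_site)
            or network(local.remote_site) != network(peer.local_site)):
        problems.append("local/remote sites are not mirrored (traffic selectors will not match)")
    if network(local.local_site).overlaps(network(local.remote_site)):
        problems.append("local and remote sites overlap")
    for name in ("policy_type", "ipsec_mode", "ike_encryption", "ike_dh_group",
                 "ipsec_protocol", "ipsec_encryption", "pfs"):
        if getattr(local, name) != getattr(peer, name):
            problems.append(f"{name} differs: {getattr(local, name)!r} vs {getattr(peer, name)!r}")
    return problems


def self_access_rules(policy: VpnPolicy) -> list:
    """Self rules (tuple layout assumed) that let the peer reach this firewall
    itself: IKE on UDP/500 plus the IPsec protocol carrying the tunnel."""
    peer, me = policy.remote_gateway, policy.local_gateway
    return [
        ("udp", peer, me, IKE_UDP_PORT, "allow"),
        (f"ipproto-{IP_PROTO[policy.ipsec_protocol.upper()]}", peer, me, None, "allow"),
    ]


def tunnel_selects(policy: VpnPolicy, src: str, dst: str) -> bool:
    """Would this packet be sent into the tunnel (local site to remote site)?"""
    return (ipaddress.ip_address(src) in network(policy.local_site)
            and ipaddress.ip_address(dst) in network(policy.remote_site))


ISR1 = VpnPolicy("ISR1_TO_ISR2", "Auto", "Tunnel", "212.1.1.212", "123.1.1.123",
                 "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0",
                 "AES128", 2, "ESP", "AES128", True)       # proposal values assumed
# ISR2's policy is ISR1's with the two ends swapped.
ISR2 = replace(ISR1, policy_name="ISR2_TO_ISR1",
               local_gateway=ISR1.remote_gateway, remote_gateway=ISR1.local_gateway,
               local_site=ISR1.remote_site, remote_site=ISR1.local_site)

if __name__ == "__main__":
    print("problems:", mirror_problems(ISR1, ISR2))
    print("ISR1 self rules:", self_access_rules(ISR1))
    print("192.168.1.10 -> 192.168.2.20 tunnelled:", tunnel_selects(ISR1, "192.168.1.10", "192.168.2.20"))
```

The self rules are the part most often forgotten when the scenario is typed in by hand: the ACL rules of section 11.3 and 11.4 govern traffic through the firewall, but IKE and ESP are addressed to the firewall's own WAN address and therefore need a Self Access rule (section 11.6.1) as well.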
such as the OfficeConnect Gigabit VPN Firewall to act as an agent between the Internet (public network) and a local (private) network. This means that a NAT IP address can represent an entire group of computers to any entity outside a network.

Network Address Translation (NAT) is a mechanism for conserving registered IP addresses in large networks and simplifying IP addressing management tasks. Because of the translation of IP addresses, NAT also conceals the true network address from prying eyes and provides a certain degree of security to the local network. The NAT modes supported are static NAT, dynamic NAT, NAPT, reverse static NAT and reverse NAPT.

11.2.1 Static or One-to-One NAT

Static NAT maps an internal host address to a globally valid Internet address one-to-one. The IP address in each packet is directly translated with a globally valid IP contained in the mapping. Figure 11.1 illustrates the IP address mapping relationship between the three private IP addresses and the three globally valid IP addresses. Note that this mapping is static, i.e. the mapping will not change over time until it is manually changed by the administrator. This means that a host will always use the same globally valid IP address for all its outgoing traffic. Because the mapping also works in reverse, a statically mapped host is reachable from outside on every port unless an inbound ACL rule (section 11.3) restricts it.

Figure 11.1 (figure residue: private addresses 192.168.1.100, 192.168.1.101 and 192.168.1.102 mapped to global addresses beginning 172.16.57.52; a second panel is labelled One-to-Many NAT.)
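The NAT modes above, as an added example (not the device's implementation) on constructed packets and addresses: static (one-to-one) NAT with its reverse, dynamic NAT from an address pool, and NAPT with per-flow port allocation. The point to watch is what reaches an inside host from outside under each mode.

```python
"""Static NAT, dynamic NAT and NAPT translation tables.

Added example, not the device's implementation.  Addresses, ports and the
port-allocation scheme are constructed for the demonstration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one: each inside host owns a fixed global address, so inbound
    traffic to that global address reaches the host (reverse static NAT)."""

    def __init__(self, mapping: dict):
        self.private_to_public = dict(mapping)
        self.public_to_private = {g: p for p, g in mapping.items()}

    def outbound(self, pkt: Packet):
        public = self.private_to_public.get(pkt.src)
        return replace(pkt, src=public) if public else None

    def inbound(self, pkt: Packet):
        private = self.public_to_private.get(pkt.dst)
        return replace(pkt, dst=private) if private else None


class DynamicNat:
    """Many-to-many: inside hosts borrow a global address from a pool
    (no port translation); when the pool is empty a new host gets nothing."""

    def __init__(self, pool: list):
        self.free = list(pool)
        self.leases = {}

    def outbound(self, pkt: Packet):
        public = self.leases.get(pkt.src)
        if public is None:
            if not self.free:
                return None
            public = self.free.pop(0)
            self.leases[pkt.src] = public
        return replace(pkt, src=public)


class Napt:
    """Many-to-one: every inside flow is rewritten to the single global address
    with a unique source port; inbound traffic is accepted only if it matches a
    port allocated by an earlier outbound packet."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.port_by_flow = {}       # (proto, inside ip, inside port) -> public port
        self.flow_by_port = {}       # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        port = self.port_by_flow.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.port_by_flow[key] = port
            self.flow_by_port[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        inside = self.flow_by_port.get((pkt.proto, pkt.dport))
        if inside is None:
            return None              # unsolicited: no mapping, the packet is dropped
        return replace(pkt, dst=inside[0], dport=inside[1])


def demo() -> dict:
    static = StaticNat({"192.168.1.100": "172.16.57.52", "192.168.1.101": "172.16.57.53"})
    napt = Napt("198.51.100.10")
    dyn = DynamicNat(["172.16.57.60"])                      # a pool of one address
    out_a = napt.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.1", 80))
    out_b = napt.outbound(Packet("tcp", "192.168.1.11", 40000, "203.0.113.1", 80))
    reply = napt.inbound(Packet("tcp", "203.0.113.1", 80, "198.51.100.10", out_b.sport))
    return {
        "static_out": static.outbound(Packet("tcp", "192.168.1.100", 5000, "203.0.113.1", 80)),
        "static_in": static.inbound(Packet("tcp", "203.0.113.1", 4444, "172.16.57.53", 22)),
        "napt_ports": (out_a.sport, out_b.sport),
        "napt_reply": reply,
        "napt_unsolicited": napt.inbound(Packet("tcp", "203.0.113.1", 4444, "198.51.100.10", 22)),
        "dyn_first": dyn.outbound(Packet("udp", "192.168.1.20", 1, "203.0.113.1", 53)),
        "dyn_exhausted": dyn.outbound(Packet("udp", "192.168.1.21", 1, "203.0.113.1", 53)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two inbound cases make the "certain degree of security" concrete: the static mapping delivers an unsolicited SSH connection straight to 192.168.1.101, while NAPT has no mapping for it and the packet goes nowhere.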
such attacks. The Smurf attack is a way of generating a lot of computer network traffic to a victim host; that is, it is a type of denial of service attack. Specifically, it floods a target system via spoofed broadcast ping messages.

11.6.3.2 Access DoS Configuration Page

Log into Configuration Manager as admin, click the Firewall menu and then click the Setting submenu. The DoS Configuration page displays as shown in Figure 11.12.

11.6.3.3 Configuring DoS Settings

By default, DoS protection for most of the supported attack types is disabled. Figure 11.12 shows the default configuration for DoS settings. You may check or uncheck Enable DoS Check to enable or disable the DoS check function. You may check or uncheck an individual type of attack defense to enable or disable protection against that specific type of attack. Leave Enable UPnP unchecked unless a LAN application must open inbound port mappings on its own.

Figure 11.12 DoS Configuration Page (figure residue: General: Allow ping request (checked); Allow traceroute from WAN; Enable UPnP; Enable DoS check (checked). DoS Check Options: TCP Flooding; UDP Flooding; TCP Port Scan; UDP Port Scan; ICMP Scan; IP Spoofing; Ping of Death; LAND; Echo Chargen; TearDrop; TCP XMAS/NULL/SYNFIN Scan; Smurf; WinNUKE.)

11.6.4 Configuring Schedule

With this option you can configure access Schedule records for
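The signatures behind the DoS Check Options, as an added example (not the firewall's detection engine) run over a constructed packet trace: LAND, IP spoofing, Smurf, Ping of Death, Echo/Chargen, the TCP XMAS/NULL/SYN-FIN scans and a port-scan count. The LAN prefix, the port-scan threshold and the packet fields are assumptions; flooding and TearDrop need rate and fragment-overlap state that this trace does not model.

```python
"""Signature checks for the attack types listed on the DoS Configuration page.

Added example, not the firewall's detection engine.  The LAN prefix, the
port-scan threshold and the packet trace are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix
PORT_SCAN_THRESHOLD = 10                        # assumed distinct ports per source


@dataclass(frozen=True)
class Pkt:
    iface: str                        # "wan" or "lan": where the packet arrived
    proto: str                        # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names
    icmp_type: int = -1
    frag_offset: int = 0              # in 8-byte units, as in the IP header
    payload_len: int = 0


def tcp_flag_findings(p: Pkt) -> list:
    if p.proto != "tcp":
        return []
    f = p.flags
    out = []
    if not f:
        out.append("TCP NULL scan")                  # no flags at all
    if {"FIN", "PSH", "URG"} <= f and not ({"SYN", "ACK"} & f):
        out.append("TCP XMAS scan")                  # FIN+PSH+URG lit up
    if {"SYN", "FIN"} <= f:
        out.append("TCP SYN/FIN scan")               # mutually exclusive flags
    return out


def packet_findings(p: Pkt) -> list:
    out = tcp_flag_findings(p)
    if p.src == p.dst:
        out.append("LAND")                           # source equals destination
    if p.iface == "wan" and ipaddress.ip_address(p.src) in LAN:
        out.append("IP spoofing")                    # inside address arriving from outside
    if p.proto == "icmp" and p.icmp_type == 8 and ipaddress.ip_address(p.dst) == LAN.broadcast_address:
        out.append("Smurf")                          # echo request to the broadcast address
    if p.proto == "icmp" and p.frag_offset * 8 + p.payload_len > 65535:
        out.append("Ping of Death")                  # reassembled datagram exceeds 65535 bytes
    if p.proto == "udp" and p.sport in (7, 19) and p.dport in (7, 19):
        out.append("Echo/Chargen")                   # loop between echo and chargen services
    return out


def analyze(packets: list) -> dict:
    """Map each finding to the sorted list of source addresses that produced it."""
    findings = defaultdict(set)
    ports_touched = defaultdict(set)
    for p in packets:
        for name in packet_findings(p):
            findings[name].add(p.src)
        if p.iface == "wan" and p.proto in ("tcp", "udp"):
            ports_touched[(p.src, p.proto)].add(p.dport)
    for (src, proto), ports in ports_touched.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings[f"{proto.upper()} port scan"].add(src)
    return {name: sorted(srcs) for name, srcs in findings.items()}


def constructed_trace() -> list:
    syn = frozenset({"SYN"})
    trace = [
        Pkt("wan", "tcp", "192.168.1.10", "192.168.1.10", 139, 139, syn),   # LAND, also spoofed
        Pkt("wan", "tcp", "203.0.113.7", "192.168.1.10", 4000, 80, frozenset({"FIN", "PSH", "URG"})),
        Pkt("wan", "tcp", "203.0.113.7", "192.168.1.10", 4001, 80, frozenset()),
        Pkt("wan", "tcp", "203.0.113.7", "192.168.1.10", 4002, 80, frozenset({"SYN", "FIN"})),
        Pkt("wan", "icmp", "198.51.100.5", "192.168.1.255", icmp_type=8),  # Smurf, victim as source
        Pkt("wan", "icmp", "203.0.113.9", "192.168.1.10", icmp_type=8, frag_offset=8189, payload_len=100),
        Pkt("wan", "udp", "203.0.113.3", "192.168.1.10", 7, 19),            # Echo/Chargen
    ]
    # One source probing twelve ports with ordinary SYNs: only the count gives it away.
    trace += [Pkt("wan", "tcp", "203.0.113.20", "192.168.1.10", 5000 + n, n, syn) for n in range(1, 13)]
    return trace


if __name__ == "__main__":
    for name, sources in sorted(analyze(constructed_trace()).items()):
        print(f"{name}: {', '.join(sources)}")
```

The port-scan entry is the one that explains why the device treats scans separately from the malformed-packet checks: every probe in it is a well-formed SYN, and only the per-source count over the trace identifies it.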
3. Click on the Upgrade button to update the firmware. Note that it may take up to 5 minutes for the firmware upgrade. Note that after the transfer of the firmware is completed, the OfficeConnect Gigabit VPN Firewall will reboot to put the new firmware into effect. Upload only images obtained from 3Com: the firewall reboots onto whatever image it receives.

17.8 Reset the OfficeConnect Gigabit VPN Firewall

To reset the OfficeConnect Gigabit VPN Firewall, click on the Reset button in the Configuration Manager Reset page.

17.9 Logout Configuration Manager

To log out of Configuration Manager, click on the Logout button in the Configuration Manager Logout page. If you are using IE as your browser, a window similar to the one shown in Figure 17.9 will prompt for confirmation before closing your browser.

Figure 17.9 Confirmation for Closing Browser (IE) (figure residue: "The Web page you are viewing is trying to close the window. Do you want to close this window?" Yes / No)

17.10 Configuring Logging

The event logger in the OfficeConnect Gigabit VPN Firewall can be configured to log general or security related events to the local database, or to deliver the generated event to an external SMTP or Syslog server. To configure the Logging, please follow these steps:

1. Click on the Administration > Logging menu to enter the Logging configuration page. See Figure 17.10.
- (name cut off): Discards the changes you have made and reverts all fields back to the default value.
- Add: Adds a new item into the existing configuration (e.g. a static route or a firewall ACL rule, etc.).
- Delete: Deletes the selected item (e.g. a static route or a firewall ACL rule, etc.).
- Select All: Selects all items from the existing configuration page.
- Enable: Enables a selected item.
- Disable: Disables a selected item.
- Logout: Logs out from Configuration Manager.

4.3 Overview of System Configuration

To view the overall system status, log into Configuration Manager as administrator and then click the Device Summary menu.

Chapter 4 Getting Started with the Configuration Manager

Figure 4.3 Device Summary Page (figure residue: Device Summary > Device View with Color Key. Device Summary Information: Product Description 3Com OfficeConnect VPN Firewall; System Name; System Location; System Contact; Serial Number; Product 3C Number 3CREVF100-73; System Object ID 1.3.6.1.4.1.43.1.19.20; System Up Time 0 day 4 hr 55 min 52 sec; Software Version Eddystone_v2.2.3.img; Boot Version 1.0.2; Hardware Version 1.16.0.)
Appendix 22 OBTAINING SUPPORT FOR YOUR PRODUCT

quickly to ensure you get full use of the warranty and other service benefits available to you. Warranty and other service benefits are enabled through product registration. Register your product at http://eSupport.3com.com. 3Com eSupport services are based on accounts that you create or have authorization to access. First time users must apply for a user name and password that provides access to a number of eSupport features, including Product Registration, Repair Services and Service Request. If you have trouble registering your product, please contact 3Com Global Services for assistance.

Troubleshoot Online

You will find support tools posted on the 3Com Web site at www.3Com.com. 3Com Knowledgebase helps you to troubleshoot 3Com products. This query-based interactive tool is located at http://knowledgebase.3com.com. It contains thousands of technical solutions written by 3Com support engineers.

Purchase Extended Warranty and Professional Services

To enhance response times or extend warranty benefits, contact 3Com or your authorized 3Com reseller. Value-added services like 3Com Express and Guardian can include 24x7 telephone technical support, software upgrades, onsite assistance or advance hardware replacement. Experienced engineers are available to manage your installation with minimal disruption to your network. Expert assessment and implementation services are offered to fil
97. computer with the new settings. Next, configure the PCs to accept IP addresses assigned by the OfficeConnect Gigabit VPN Firewall.
8. In the Control Panel, double-click the Network and Dial-up Connections icon.
9. In the Network and Dial-up Connections window, right-click the Local Area Connection icon and then select Properties.
10. In the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) and then click the <Properties> button.
11. In the Internet Protocol (TCP/IP) Properties dialog box, click the radio button labeled Obtain an IP address automatically. Also click the radio button labeled Obtain DNS server address automatically.
12. Click the <OK> button twice to confirm and save your changes, and then close the Control Panel.

3.3.4 Windows 95, 98 and Me PCs
In the Windows task bar, click the <Start> button, point to Settings and then click Control Panel.
Double-click the Network icon.
In the Network dialog box, look for an entry starting with TCP/IP and the name of your network adapter, and then click the <Properties> button. You may have to scroll down the list to find this entry. If the list includes such an entry, then the TCP/IP protocol has already been enabled. Skip to step 8.
If Internet Protocol (TCP/IP) does not display as an installed component, click the <Add> button.
In the Select Network Component Type di
98. count and change the password in the spaces provided, if desired. When changing passwords, make sure you enter the existing login password in the Old Password field, enter the new password in the New Password field, confirm the new password in the Retype New Password field and click the Apply button to save the change.
Another method is to set the IP address of your PC to any IP address in the 192.168.1.0 network, such as 192.168.1.2.
3. Enter your user name and password and then click the login button to enter the Configuration Manager. The first time you log into this program, use these defaults: Default User Name: admin
Chapter 3 Quick Start Guide
[Figure 3.6 System Time Configuration Page: screenshot of Administration > System Time Setup, showing the Time Zone drop-down list, the Use Custom NTP Server IP Address option, Polling Interval in mins (range 1-14400), Last Successful SNTP Connection, Update Now, and the Configure Date and Time Manually fields (Mon, Day, Year, Hour, Min, Sec).]
5. Click on the Administration > System Time menu and set the time zone for the OfficeConnect Gigabit VPN Firewall by selecting your time zone from the Time Zone drop-down list. Click Apply to save the settings.
6. It is recommended that you keep the def
99. cs: Check or un-check this option to enable or disable protection against SYN Flood attacks. This attack involves sending connection requests to a server but never fully completing the connections. This will cause some computers to get into a stuck state where they cannot accept connections from legitimate users. SYN is short for SYNchronize; this is the first step in opening an Internet connection. You can select this box if you wish to protect the network from TCP SYN flooding. By default, SYN Flood protection is enabled.
Check or un-check this option to enable or disable protection against WinNuke attacks. Some older versions of the Microsoft Windows OS are vulnerable to this attack. If the computers in the LAN are not updated with recent versions/patches, you are advised to enable this protection by checking this check box.
TCP/UDP/ICMP Port Scan: Check or un-check this option to enable or disable protection against such attacks.
A UDP flood is a form of denial-of-service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port, and (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually maki
100. ctions:
1. To enable PPTP Server functionality on the OfficeConnect Gigabit VPN Firewall, select Yes in the Enable PPTP field.
2. Make changes to any or all of the following fields: Start IP, End IP, Primary DNS Server, Secondary DNS Server, Primary WINS Server, Secondary WINS Server and User Group for PPTP Server. Please see Table 16.1 for an explanation of these fields.
3. Click on the Apply button to modify the PPTP Server settings.

16.4 Viewing Active PPTP Sessions
Log into Configuration Manager as admin, click the VPN menu, click the PPTP submenu and then click the Status tab at the top of the configuration page, as shown in Figure 16.2.
[Figure 16.2 Viewing Active PPTP Sessions: screenshot of the PPTP Status tab listing Active Sessions.]
Chapter 16 Configuring PPTP Server

17 System Management
This chapter describes the following administrative tasks that you can perform using Configuration Manager:
> Configure Port Mirroring
> Modify password
> Modify system information
> Modify system date and time
> Reset, backup and restore system configuration
> Update firmware
> Logout of Configuration Manager
You can access these tasks from the System Management menu
101. d menus are grouped into categories such as System, Network, etc. You can click on any of these to display a specific configuration page.
[Figure 4.2 Typical Configuration Manager Page: screenshot of Monitoring > Traffic Statistics for interface LAN1 (eth0.1), showing received (1.57 MB, 25.0%), transmitted (3.93 MB, 75.0%) and total (5.50 MB) counters, an hourly rx/tx graph, and the menu tree (Device Summary, Administration, Network, Firewall, VPN, Traffic MGMT, Monitoring, Diagnostics, Port Mirroring, Help, Logout) in the left frame.]
A separate page displays in the right-hand side frame for each menu. For example, the configuration page displayed in Figure 4.2 is intended for DHCP configuration.

4.2.1 Commonly Used Buttons and Icons
The following buttons or icons are used throughout the application. The following table describes the function of each button or icon.
Table 4.1 Description of Commonly Used Buttons and Icons
Button/Icon: Function
Apply: Stores any changes you have made on the current page.
Discards any
102. d with a low heavy metal content.
OfficeConnect VPN Firewall User's Manual: Table of Contents
1 Introduction
1.1 OfficeConnect Gigabit VPN Firewall
1.2 System Requirements
1.3 (title illegible)
1.3.1 Notational Conventions
1.3.2 Typographical conventions 2
1.3.3 Special messages 2
2 Getting to Know the OfficeConnect Gigabit VPN Firewall 3
2.1 (title illegible) 3
2.2 Front Panel 3
2.3 Rear Panel 3
2.4 Major Features 4
2.4.1 Firewall Features 4
2.4.1.3 Defense against DoS Attacks 5
2.4.1.4 Application Command Filtering 5
2.4.1.5 Application Level Gateway (ALG) 6
2.4.1.6 Local Content Filtering 6
2.4.1.7 Log and Alerts 6
2.4.2 VPN 6
2.4.3 WAN Failover & Load Balancing 7
2.4.4 QoS and Bandwidth Management 7
2.4.5 Virtual LAN Interfaces (VLAN) 7
3 Quick Start Guide
3.1 Part 1 Connecting the Hardware 9
3.1.1 Step 1 Connect an ADSL or a cable modem 9
3.1.2 Step 2 Connect computers or a LAN 9
3.1.3 Step 3 Attach the power adapter 9
3.1.4 Step 4 Turn on the OfficeConnect Gigabit VPN Firewall, the ADSL or cable modem and power up your computers 10
3.2 Part 2 Rack Moun
103. ddress from a DHCP server. Click the <OK> button twice to confirm and save your changes, and then close the Control Panel.

Assigning static IP addresses to your PCs
In some cases you may want to assign IP addresses to some or all of your PCs directly (often called "statically"), rather than allowing the OfficeConnect Gigabit VPN Firewall to assign them. This option may be desirable (but not required) if:
> You have obtained one or more public IP addresses that you want to always associate with specific computers (for example, if you are using a computer as a public web server).
> You maintain different subnets on your LAN.
However, during the first-time configuration of your OfficeConnect Gigabit VPN Firewall, you must assign an IP address in the 192.168.1.0 network for your PC, say 192.168.1.2, in order to establish a connection between the OfficeConnect Gigabit VPN Firewall and your PC, as the default LAN IP on the OfficeConnect Gigabit VPN Firewall is pre-configured as 192.168.1.1. Enter 255.255.255.0 for the subnet mask and 192.168.1.1 for the default gateway. These settings may be changed later to reflect your true network environment.
On each PC to which you want to assign static information, follow the instructions on pages 12 through 13 relating only to checking for and/or installing the IP protocol. Once it is installed, continue to follow the instructions fo
104. e Configuration 39
Figure 8.2 WAN Dynamic IP (DHCP client) Configuration Page 42
Figure 8.3 WAN Static IP Configuration Page 42
Figure 8.4 WAN Statistics Page 43
Figure 9.1 Routing Configuration Page 45
Figure 9.2 RIP Configuration Page 46
Figure 9.3 Viewing Routing Table 47
Figure 10.1 Network Diagram for HTTP DDNS 49
Figure 10.2 HTTP DDNS Configuration Page 50
Figure 11.1 One-to-One NAT and One-to-Many NAT 53
Figure 11.2 Inbound ACL Configuration Page
Figure 11.14 Schedule Example: Create a Schedule 70
Figure 11.15 Schedule Example: Deny FTP Access for MISgroup1 During (rest of title illegible) 70
Figure 11.16 IP/MAC Binding Configuration Page
Figure 11.17 Port Triggering Configuration Page
Figure 12.1 Interface Settings List Table 75
Figure 12.2 Maximum Interface Bandwidth Configuration Page 78
Figure 12.3 QoS Configuration Page 76
Figure 12.4 QoS Class Definition Page 76
Figure 12.5 Add a new QoS Class Object 77
105. e during which the rule is active. Select None to make the rule active at all times.
Destination: This option allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following options:
This option allows you to apply this rule to all the
Enter the ending IP address of the range.
Select Allow from the drop-down list to configure the rule as an allow rule. This rule, when bound to the firewall, will allow matching packets to pass.
Select Deny from the drop-down list to configure the rule as a deny rule. This rule, when bound to the firewall, will cause matching packets to be dropped.
None: Select this option if you don't intend to use NAT in this outbound ACL rule.
IP Address: Select this option if you want to change the source IP address of the outbound traffic to the specified IP address.
Auto: Select Auto if you want to assign the IP address automatically.
Log: This option allows you to enable or disable logging for this ACL rule.

11.4.2 Access Outbound ACL Rule Configuration Page
Log into Configuration Manager as admin, click the Firewall menu and then click the Outbound ACL submenu. The Firewall Outbound ACL Configuration page displays, as shown in Figure 11.6. Note that when you open the Outbound ACL Configuration page, a list of existing ACL rules is also displayed at the bottom half of the configuration page, such as those
106. e firewall, follow these steps:
1. Click on Firewall > P2P Prevention to enter the P2P Prevention configuration page.
2. Click on the check box in front of the rule to be deleted.
3. Click on the delete button to remove the selected rules.

11.6.8 Configuring Session Limit
Session Limit is used to limit the number of firewall sessions (i.e. TCP/UDP connections or ICMP Request/Response) that each user can create and occupy, therefore preventing malicious users from hogging the system and network resources. It can also help against some viruses which attempt to generate large numbers of sessions. The following table shows the configuration parameters of Session Limit.
1. Click on the Firewall > Session Limit menu to enter the Session Limit configuration page.
2. Leave the Disable checkbox unchecked if you want to enable the Session Limit feature; otherwise tick the Disable checkbox.
3. Make changes to any or all of the following fields: Single IP cannot exceed X Sessions and When single IP exceeds X Sessions. Please see Table 11.10 for a detailed explanation of these fields.
Table 11.10 Session Limit Configuration Parameters
Disable: Tick this check box if you want to disable the Session Limit function.
Single IP cannot exceed X Sessions: Specifies the number of sessions that a network host can create.
When single IP exceeds X Sessions: Specifies the number of sessions that a netwo
107. e of such rules, the packets will be dropped by the OfficeConnect Gigabit VPN Firewall. As it is not feasible to create policies for numerous applications dynamically at the same time without compromising security, intelligence in the form of Application Level Gateways (ALG) is built in to parse packets for applications and open dynamic associations. The OfficeConnect Gigabit VPN Firewall provides a number of ALGs for popular applications such as FTP, H.323, RTSP, SIP, etc.

2.4.1.6 Local Content Filtering
A set of keywords that should not appear in the URL (Uniform Resource Locator, e.g. www.yahoo.com) can be defined. Any URL containing one or more of these keywords will be blocked. This is a policy-independent feature, i.e. it cannot be associated to ACL rules. This feature can be independently enabled or disabled, but works only if the firewall is enabled.

2.4.1.7 Log and Alerts
Events in the network that could be attempts to affect its security are recorded in the OfficeConnect Gigabit VPN Firewall System log file. Event details are recorded in WELF (WebTrends Enhanced Log Format) so that statistical tools can be used to generate custom reports. The OfficeConnect Gigabit VPN Firewall can also forward Syslog information to a Syslog server on a private network. The OfficeConnect Gigabit VPN Firewall supports:
> Alerts sent to the administrator via e-mail
> Maintains at a minimum log de
108. 11.6.2.6 View Configured Services
11.6.3 Configuring DoS Settings
11.6.3.1 DoS Protection Configuration Parameters
11.6.3.2 Access DoS Configuration Page
11.6.3.3 Configuring DoS Settings
11.6.4 Configuring Schedule
11.6.4.1 Schedule Configuration Parameters
11.6.4.2 Access Schedule Configuration Page
11.6.4.3 Add a Schedule
11.6.4.4 Schedule Example
11.6.5 Configuring IP/MAC Binding 70
11.6.5.1 Adding an IP/MAC binding rule 70
11.6.5.2 Editing an IP/MAC binding rule 71
11.6.5.3 Removing an existing IP/MAC binding rule 71
11.6.6 Configuring Port Triggering 71
11.6.6.1 Configuration parameters for the Port Triggering feature 71
11.6.6.2 Adding a Port Triggering Rule 72
11.6.6.3 Editing a Port Triggering Rule 72
11.6.6.4 Removing Port Triggering Rules 73
11.6.7 Configuring P2P Service Prevention 73
11.6.7.1 Adding a P2P Service Prevention Rule 73
11.6.7.2 Editing a P2P Service Prevention Rule 73
11.6.7.3 Removing a P2P Service Prevention Rule 73
11.6.8 Configuring Session Limit 74
12 Configuring Quali
109. ec submenu.
2. Click on the check box in front of the rule to be deleted.
3. Click on the delete button to delete the selected rules.

14.3.4 Display VPN Rules
To see existing VPN rules, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu.
2. All the configured VPN policies are displayed in the VPN policy list table.

14.4 VPN Connection Examples
Gateways with integrated VPN and Firewall are useful in scenarios where:
> The traffic between branch offices is protected by VPN, and traffic destined for the public Internet goes through Firewall/NAT.
To avoid NAT/IPSec interoperability issues, outgoing traffic is first processed by Firewall/NAT and then by IPSec. Hence you must ensure that appropriate Firewall rules are configured to let the VPN traffic go through. This section describes these scenarios and presents step-by-step instructions for configuring them.

14.4.1 Intranet Scenario (firewall, VPN and no NAT for VPN traffic)
This is a common scenario where traffic to the public Internet goes through the Firewall/NAT only, and traffic between private networks is allowed without NAT before IPSec processing. The same authority administers the networks that are protected by VPN, to avoid any possible address clash. Configure each of the OfficeConnect Gigabit VPN Firewalls for the Intranet scenario using the following steps:
Chapter 14 Configuring IPSec VP
110. eck that the gateway IP address on the computer is your public IP address (see the Quick Start Guide chapter, Part 2, for instructions on viewing the IP information). If it is not, correct the address or configure the PC to receive IP information automatically.
• Verify with your ISP that the DNS server specified for the PC is valid. Correct the address or configure the PC to receive this information automatically.
• Verify that a Network Address Translation rule has been defined on the OfficeConnect Gigabit VPN Firewall to translate the private address to your public IP address. The assigned IP address must be within the range specified in the NAT rules. Or, configure the PC to accept an address assigned by another device (see section 3.3 Part 3 Configuring Your Computers). The default configuration includes a NAT rule for all dynamically assigned addresses within a predefined pool.
Problem: PCs cannot display web pages on the Internet.
Troubleshooting Suggestion: Verify that the DNS server specified on the PCs is correct for your ISP, as discussed in the item above. You can use the ping utility, discussed in the following section, to test connectivity with your ISP's DNS server.
Configuration Manager Program
Problem: You forgot/lost your Configuration Manager user ID or password.
Troubleshooting Suggestion: If you have not changed the password from the default, try using admin as both the user ID and password. Otherwise you ca
111. ...and access to it must be easy. You can only switch the unit off by disconnecting its power cord at the outlet.
WARNING: The unit operates at a safety extra-low voltage in accordance with the IEC 60950 standard. Compliance with this standard is only maintained if the equipment to which it is connected also operates under conditions that comply with this standard.
WARNING: There are no user-replaceable or user-serviceable parts inside the unit. If you encounter a problem with this unit that cannot be solved by the troubleshooting actions presented in this manual, please contact your supplier.
WARNING: Disconnect the power adapter before removing this unit.
WARNING: RJ-45 ports. These are shielded RJ-45 female data sockets. They cannot be used as telephone sockets. Connect only

22 OBTAINING SUPPORT FOR YOUR PRODUCT
3Com offers product registration, case management and repair services through eSupport.3com.com. You must have a user name and password to access these services, which are described in this appendix.
Register Your Product to Gain Service Benefits
Warranty and other service benefits start from the date of purchase, so it is important to register your product qui
112. ending mangled IP fragments with overlapping, over-sized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code of various operating systems caused the fragments to be improperly handled, crashing them as a result. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63, are vulnerable to this attack.
TCP XMAS/NULL/SYN-FIN Scan: Check or un-check this option to enable or disable protection against such attacks. During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client initiating the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. Most system logs do not log completed connections until the final ACK packet is received from the source. Sending other types of packets that do not follow this sequence can elicit useful responses from the target host without causing a connection to be logged. This is known as a TCP half scan or a stealth scan, because it does not generate a log entry on the scanned host.
Check or un-check this option to enable or disable protection against su
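The stateful logic behind the SYN Flood, UDP flood, TCP XMAS/NULL/SYN-FIN scan and Session Limit options described in these DoS passages and in section 11.6.8, as an added Python illustration that is not the firewall's own code: it tracks half-open handshakes per source, classifies malformed flag combinations, counts UDP ports per destination and caps sessions per host. The thresholds, the out-of-state rule and the sample traffic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    """One client-originated datagram; return traffic is not modelled."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0    # TCP flag bits; ignored for UDP


def classify_tcp_flags(flags):
    """Name the malformed flag combination a packet carries, or None when the
    combination can occur in a normal handshake (SYN, SYN/ACK, ACK, FIN, RST)."""
    if flags == 0:
        return "NULL"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"
    if flags & (SYN | FIN) == (SYN | FIN):
        return "SYN-FIN"
    return None


@dataclass
class Inspector:
    """Minimal stateful inspector; the thresholds are illustrative assumptions."""
    syn_flood_threshold: int = 100   # half-open TCP connections per source
    session_limit: int = 50          # sessions per source IP ("X" in Table 11.10)
    udp_port_threshold: int = 20     # distinct UDP ports per (source, destination)
    half_open: dict = field(default_factory=lambda: defaultdict(set))
    sessions: dict = field(default_factory=lambda: defaultdict(set))
    udp_ports: dict = field(default_factory=lambda: defaultdict(set))
    events: list = field(default_factory=list)

    def inspect(self, p):
        """Return "pass" or "drop" for one packet and log any detection event."""
        if p.proto == "tcp":
            scan = classify_tcp_flags(p.flags)
            if scan:
                self.events.append((scan, p.src))
                return "drop"
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow in self.sessions[p.src]:
            if p.proto == "tcp":
                if p.flags & ACK and not p.flags & SYN:
                    # client's final ACK: the handshake is no longer half-open
                    self.half_open[p.src].discard(flow)
                if p.flags & (FIN | RST):
                    self.sessions[p.src].discard(flow)
                    self.half_open[p.src].discard(flow)
            return "pass"
        # A new session is being created: apply the per-host session cap first
        if len(self.sessions[p.src]) >= self.session_limit:
            self.events.append(("SESSION-LIMIT", p.src))
            return "drop"
        if p.proto == "tcp":
            if not p.flags & SYN:
                # non-SYN packet with no tracked session: stealth probe / out of state
                self.events.append(("OUT-OF-STATE", p.src))
                return "drop"
            if len(self.half_open[p.src]) >= self.syn_flood_threshold:
                self.events.append(("SYN-FLOOD", p.src))
                return "drop"
            self.half_open[p.src].add(flow)
        else:
            ports = self.udp_ports[(p.src, p.dst)]
            ports.add(p.dport)
            if len(ports) > self.udp_port_threshold:
                self.events.append(("UDP-FLOOD", p.src))
                return "drop"
        self.sessions[p.src].add(flow)
        return "pass"


def run_sample():
    """Constructed traffic (not a real capture): a normal handshake, an XMAS
    probe, an out-of-state ACK and a small SYN flood against one host."""
    insp = Inspector(syn_flood_threshold=3, session_limit=5)
    traffic = [
        Packet("192.168.1.4", "203.0.113.10", "tcp", 40000, 80, SYN),
        Packet("192.168.1.4", "203.0.113.10", "tcp", 40000, 80, ACK),
        Packet("198.51.100.7", "192.168.1.1", "tcp", 4444, 22, FIN | PSH | URG),
        Packet("198.51.100.7", "192.168.1.1", "tcp", 4445, 22, ACK),
    ] + [Packet("198.51.100.9", "192.168.1.1", "tcp", 50000 + i, 80, SYN)
         for i in range(5)]
    verdicts = [insp.inspect(p) for p in traffic]
    return verdicts, insp.events


if __name__ == "__main__":
    verdicts, events = run_sample()
    print(verdicts)
    for kind, src in events:
        print(f"{kind} from {src}")
```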
113. entation delivered to you under this Agreement.
ASSIGNMENT; NO REVERSE ENGINEERING. You may transfer the Software, Documentation and the licenses granted herein to another party in the same country in which you obtained the Software and Documentation if the other party agrees in writing to accept and be bound by the terms and conditions of this Agreement. If you transfer the Software and Documentation, you must at the same time either transfer all copies of the Software and Documentation to the party or you must destroy any copies not transferred. Except as set forth above, you may not assign or transfer your rights under this Agreement. Modification, reverse engineering, reverse compiling, or disassembly of the Software is expressly prohibited. However, if you are a European Union (EU) resident, information necessary to achieve interoperability of the Software with other programs within the meaning of the EU Directive on the Legal Protection of Computer Programs is available to you from 3Com upon written request.
EXPORT RESTRICTIONS. The Software, including the Documentation and all related technical data (and any copies thereof) (collectively "Technical Data"), is subject to United States Export control laws and may be subject to export or import regulations in other countries. In addition, the Technical Data covered by this Agreement may contain data encryption code which is unlawful to export or tr
114. enu and then click the Interface sub-menu. The existing settings are summarized in the Interface Settings table. See Figure 12.1. Click on the edit icon to edit the selected interface.
Enter Max TX to limit the gateway's bandwidth transmission rate. The purpose is to limit the bandwidth of the WAN device to that of the weakest outbound link, for instance the DSL speed provided by the ISP. This forces the OfficeConnect Gigabit VPN Firewall to be the network bottleneck, where sophisticated QoS prioritization can be performed. If the device's bandwidth is not limited correctly, the bottleneck will be in an unknown router or modem on the network path, rendering QoS useless. In the same manner, enter Max RX to limit the gateway's bandwidth reception rate to that of the DSL modem.
[Figure 12.1 Interface Settings List Table: screenshot of Traffic MGMT > Interface, listing VLAN7/WAN1 (0 Kbps, 0 Kbps, Disabled, Disabled, eth0.7) and VLAN8/WAN2 (0 Kbps, 0 Kbps, Disabled, Disabled, eth0.8).]
5. Check the Enable QoS check box if you want to associate a QoS policy with the selected WAN interface.
6. Check the Enable DSCP Queuing check box if you want to create queues
115. equired for the security decision from the packet and maintains this information for evaluating subsequent connection attempts. It has awareness of applications and creates dynamic sessions that allow dynamic connections, so that no ports need to be opened other than the required ones. This provides a solution which is highly secure and that offers scalability and extensibility.

2.4.1.3 Defense against DoS Attacks
The OfficeConnect Gigabit VPN Firewall has an Attack Defense Engine that protects internal networks from known types of Internet attacks. It provides automatic protection from Denial of Service (DoS) attacks such as SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, the OfficeConnect Gigabit VPN Firewall provides protection from WinNuke, a widely used program to remotely crash unprotected Windows systems on the Internet. The OfficeConnect Gigabit VPN Firewall also provides protection from a variety of common Internet attacks such as IP Spoofing, Ping of Death, Land Attack, Reassembly and SYN flooding. The types of attack protection provided by the OfficeConnect Gigabit VPN Firewall are listed in Table 2.3.
Table 2.3 DoS Attacks
Type of Attack: Name of Attacks
Re-assembly attacks: Bonk, Boink, Teardrop, New Tear, Overdrop, Opentear, Syndrop, Jolt
Chapter 2 Getting to Know the OfficeConnect Gigabit VPN Firewall
IC
116. ernet name. This is common for web sites that receive heavy traffic; they use multiple redundant servers to carry the same information. To exit from the nslookup utility, type exit and press <Enter> at the command prompt.

21 SAFETY INFORMATION
Important Safety Information
WARNING: Warnings contain directions that you must follow for your personal safety. Follow all directions carefully. You must read the following safety information carefully before you install or remove the unit.
WARNING: Exceptional care must be taken during installation and removal of the unit.
WARNING: Only stack the Firewall with other OfficeConnect units.
WARNING: To ensure compliance with international safety standards, only use the power adapter that is supplied with the unit.
WARNING: The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet.
WARNING: This unit operates under SELV (Safety Extra Low Voltage) conditions according to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions.
WARNING: There are no user-replaceable fuses or user-serviceable parts inside the Firewall. If you have a physical problem with the unit that cannot be solved with problem-solving actions in this guide
117. eventual association with ACL rules. ACL rules associated with a Schedule record will be active only during the scheduled period. If the ACL rule denies HTTP access during 10:00 hrs to 18:00 hrs, then before 10:00 hrs and after 18:00 hrs the HTTP traffic will be permitted to pass through. One Schedule record can contain up to three time periods. For example, office hours on weekdays (Mon-Fri) can have the following periods:
> Pre-lunch period between 9:00 and 13:00 hrs
> Post-lunch period between 14:00 and 18:30 hrs
Office hours on weekends (Saturday, Sunday) can have the following periods:
> 9:00 to 12:00 hrs
Such varying time periods can be configured into a single Schedule record. Access rules can be activated based on these time periods.

11.6.4.1 Schedule Configuration Parameters
Table 11.7 describes the configuration parameters available for a Schedule.
[Figure: screenshot of Firewall > Schedule Setup showing the Add Schedule form with Name, Scheduled Days (Sun, Mon, Tue, Wed, Thu, Fri, Sat) and Scheduled Time fields.]
Table 11.7 Schedule Configuration Parameters
Name: (description illegible)
Active on days: Check the radio button All Days or Specific Days.
Scheduled Time: ...art Time a
118. [Figure 17.10 Logging Configuration Page: screenshot of Administration > Logging Setup, with Log Options (Log Identifier: 3Com Firewall), System Logs (Firewall Log, General Log, ACL Log, DoS Log, WAN Link Status Log, NTP Log), Syslog Configuration (Enable Remote Syslog) and E-mail Logs (Enable E-mail Logs), with the menu tree (Device Summary, Administration, Network, Firewall, VPN, Traffic MGMT, Monitoring, Help, Logout) in the left frame.]
Specify a log identifier in the space provided. The log identifier is a mandatory field used to identify the log messages. Please note that the log identifier string should not contain any special characters, including space, and that the default value of Log Identifier is 3Com Firewall.
In the System Logs field, please check the checkbox for each type of system event to be logged. The available options are: Firewall Log, General Log, ACL Log, DoS Log, WAN Link Status Log, NTP Log.
In the Syslog Configuration field, please check the Enable Remote Syslog check box to enable the syslog function, and then enter the IP address of the Syslog server.
Chapter 17 System Management
5. In the E-mail Configuration field, please check the Enable E-mail Logs checkbox to enable the E-mail Log function. Enter the IP address of the Email (SMTP) server into the E-Mail Server Address and Email address
119. ewall Network > IP Setup
[Figure 5.1 Interface List: screenshot listing eth0.7 (VLAN7, WAN1, 100M Full, 192.192.6.114/24, DHCP), eth0.8 (VLAN8, WAN2, 0.0.0.0/0, DHCP) and eth0.1 (VLAN1, LAN, 100M Full, 192.168.1.1/24).]
[Figure 5.2 IP Setup Configuration Page: screenshot of TCP/IP Setup for interface LAN1 (LAN, eth0.1), with IP Address 192.168.1.1 and Subnet Mask 255.255.255.0.]
3. In the IP Setup configuration page, enter a LAN IP address and subnet mask for the OfficeConnect Gigabit VPN Firewall in the space provided.
4. Click Apply to save the LAN IP address. If you were using an Ethernet connection for the current session and changed the IP address, the connection will be terminated.
5. Reconfigure your PCs, if necessary, so that their IP addresses place them in the same subnet as the new IP address of the LAN port. See the Quick Start Guide chapter, Part 3 Configuring Your Computers, for instructions.
6. Log into Configuration Manager by typing the new IP address in your Web browser's address/location box.

5.2 DHCP (Dynamic Host Control Protocol)
5.2.1 What is DHCP
DHCP is a protocol that enables network administrators to centrally manage the assignment and distribution of IP information to computers on a network. When you enable DHCP on a network, you allow a device, such as t
120. f Access: This option lists the default set of DoS attacks against which the OfficeConnect Gigabit VPN Firewall provides protection.
Table 11.4 Self Access Configuration Parameters
The following sections describe usage of these options.
Source: This option allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following options:
This option allows you to apply this rule to all the computers in the source network, such as those on the Internet.
IP Address: This option allows you to specify an IP address on which this rule will be applied. IP Address: Specify the appropriate network address.
Subnet: This option allows you to include all the computers that are connected in an IP subnet. When this option is selected, the following fields become available for entry: Enter the appropriate IP address. Enter the corresponding subnet mask.
Range: This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected: Enter the starting IP address of the range. Enter the ending IP address of the range.
Destination: This option allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following options
...of the PPTP server.
Interface IP Address: The IP address assigned by your ISP to make the connection with the PPTP server.

8.3.2 Configuring PPTP for WAN

Follow the instructions below to configure the PPTP settings.
1 Make sure the Login Required check box is checked, as shown in Figure 8.1.
2 If you are connecting to the Internet using PPTP, enter the User Name and Password in the specified fields.
3 Enter the IP address of your ISP's PPTP server in the PPTP Server IP Address field.
4 If the IP address of the WAN interface is assigned automatically by your ISP, select the DHCP radio button in the Connection Mode field. Otherwise select the Static IP Address button and enter a valid IP address, subnet mask and gateway IP address in the specified fields.
5 (Optional) If you want to use the DNS settings provided by your ISP, select the Get Automatically from ISP radio button. Otherwise select the Use These DNS Servers radio button and enter the IP addresses of the primary and secondary DNS servers.
6 Click Apply to save the PPTP settings when you are done with the configuration. You will see a summary of the WAN configuration in the bottom half of the configuration page. If the default gateway address is not shown immediately, click the WAN menu to open the WAN configuration page again.

8.4 Dynamic IP

8.4.1 WAN Dynamic IP Configuration Parameters

Table 8.3 describes the configuration parameter
...from the drop-down list.
10 Select Class Object from the drop-down list.
11 Click the Apply button to save the settings.

13 Configuring WAN Load Balancing & Failover

13.1 Introduction

WAN Load Balancing and Failover lets you select one of the WAN interfaces as a backup WAN port. If the primary WAN port is down or unavailable, all outbound traffic can be switched to the selected backup WAN port. The OfficeConnect Gigabit VPN Firewall also lets you configure WAN Load Balancing to divide outbound traffic flows between the two WAN ports, so that the available bandwidth of both ports can be fully used.

The configuration parameters for WAN Failover are shown in the following table.

Check Interval: The interval at which the router sends PING request packets. The allowable value is 1 to 60 seconds.
Check IP Address: The IP address of a specific network device that the traffic will pass through. This field is optional; normally you do not need to provide an IP address here unless you know the traffic must pass a specific network device. If this field is left empty, the router sends PING requests to the gateway IP address to monitor the link status.
Gateway IP Address: The gateway IP address. This field is read-only.
Rollover Settings: A rollover process means a change to the default gateway O
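The failover logic described in 13.1 and the table above, written out as an added example (this is not the firewall's firmware): the primary link is probed at the configured Check Interval, the probe target is the Check IP Address if one is set and the gateway otherwise, and outbound traffic rolls over to the backup when the primary stops answering. The manual does not say how many missed probes trigger the rollover or when traffic returns to the primary; the three-miss threshold and the return on the first successful probe are assumptions, as are all addresses, which are constructed documentation ranges.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class WanLink:
    name: str
    gateway: str                      # the read-only Gateway IP Address
    check_ip: Optional[str] = None    # the optional Check IP Address

    def probe_target(self) -> str:
        # Table 13.x: with no Check IP Address the gateway itself is pinged.
        return self.check_ip or self.gateway


class FailoverMonitor:
    """Polls the primary WAN link once per check interval and switches the
    default gateway to the backup after `fail_threshold` consecutive misses
    (assumed value); the first successful probe moves traffic back."""

    def __init__(self, primary: WanLink, backup: WanLink,
                 check_interval: int, fail_threshold: int = 3):
        if not 1 <= check_interval <= 60:
            raise ValueError("Check Interval must be 1-60 seconds")
        self.primary, self.backup = primary, backup
        self.interval = check_interval
        self.threshold = fail_threshold
        self.misses = 0
        self.active = primary
        self.events: List[str] = []

    def tick(self, ping: Callable[[str], bool]) -> str:
        """One check interval. `ping` is injected so the example runs offline.
        Returns the name of the link carrying outbound traffic afterwards."""
        target = self.primary.probe_target()
        if ping(target):
            if self.active is not self.primary:
                self.events.append(f"{target} answered, default gateway back to {self.primary.gateway}")
                self.active = self.primary
            self.misses = 0
        else:
            self.misses += 1
            if self.misses >= self.threshold and self.active is self.primary:
                self.events.append(f"{target} missed {self.misses} probes, rollover to {self.backup.gateway}")
                self.active = self.backup
        return self.active.name


def demo() -> Tuple[List[str], int]:
    primary = WanLink("WAN1", "192.0.2.1")
    backup = WanLink("WAN2", "198.51.100.1", check_ip="198.51.100.254")
    mon = FailoverMonitor(primary, backup, check_interval=5)
    # Constructed probe results for WAN1, one per check interval: the link
    # drops after the first probe and recovers on the last one.
    replies = iter([True, False, False, False, False, True])
    path = [mon.tick(lambda _target: next(replies)) for _ in range(6)]
    return path, len(mon.events)
```

The probe target matters operationally: pinging only the gateway detects a dead first hop but not an ISP whose upstream has failed, which is the case the optional Check IP Address is there for.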
...Outgoing/Incoming Port Range. See Table 11.8 for a detailed explanation of these fields.
Click the Add button to save the changes. The new entry will then be displayed in the Port Triggering Policy List Table.

11.6.6.4 Removing Port Triggering Rules

To remove an existing Port Triggering rule from the firewall, follow these steps:
1 Click Firewall > Port Triggering to enter the Port Triggering configuration page.
2 Click the check box in front of the rule to be deleted.
3 Click the Delete button to remove the selected rules.

11.6.7 Configuring P2P Service Prevention

P2P file-sharing applications such as Kazaa, eDonkey, BitTorrent and others have grown increasingly popular on the Internet. However, P2P applications can also exhaust bandwidth and seriously degrade network performance. The P2P Service Prevention mechanism prevents P2P applications from burdening your network bandwidth. The configuration parameters for P2P Service Prevention are shown in Table 11.9.

Table 11.9 P2P Service Prevention Configuration Parameters
Enable P2P Prevention: Tick the check box to enable P2P Service Prevention.
Name: Specify a name for the service to be created.
Protocol: Select an appropriate protocol from the drop-down list.
Start Port: The start of the TCP or UDP port range.
End Port: The end of the TCP or UDP port range.
...excluding the United Nations Convention on Contracts for the International Sale of Goods.

SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired, and a valid, legal and enforceable provision of similar intent and economic impact shall be substituted therefor.

ENTIRE AGREEMENT. This Agreement sets forth the entire understanding and agreement between you and 3Com and supersedes all prior agreements, whether written or oral, with respect to the Software and Documentation, and may be amended only in a writing signed by both parties.

Should you have any questions concerning this Agreement, or if you desire to contact 3Com for any reason, please contact the 3Com subsidiary serving your country, or write: 3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752-3064.

This product contains encryption and may require U.S. and/or local government authorisation prior to export or import to another country.

Appendix 21 SAFETY INFORMATION

24 Regulatory Notices

24.1.1.1 FCC STATEMENT

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment gener
...through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ACL rule evaluation. For example, an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will send an ICMP echo reply to 192.168.1.1. In the OfficeConnect Gigabit VPN Firewall you do not need to create another inbound ACL rule, because the stateful packet inspection engine remembers the connection state and allows the ICMP echo reply to pass through the firewall.

11.1.4 Default ACL Rules

The OfficeConnect Gigabit VPN Firewall supports three types of default access rules:
> Inbound Access Rules, for controlling incoming access to computers on your LAN.
> Outbound Access Rules, for controlling outbound access to external networks for hosts on your LAN.
> Self Access Rules, for controlling access to the OfficeConnect Gigabit VPN Firewall itself.

Default Inbound Access Rules: No default inbound access rule is configured. That is, all traffic from external hosts to internal hosts is denied.

Default Outbound Access Rules: The default outbound access rule allows all traffic originating from your LAN to be forwarded to the external network using NAT.

11.2 NAT Overview

Network Address Translation allows use of a single device, su
...the OfficeConnect Gigabit VPN Firewall, to assign temporary IP addresses to your computers whenever they connect to your network. The assigning device is called a DHCP server and the receiving device is a DHCP client.

Note: If you followed the Quick Start Guide instructions, you either configured each LAN PC with an IP address or you specified that it will receive IP information dynamically (automatically). If you chose to have the information assigned dynamically, then you configured your PCs as DHCP clients that will accept IP addresses assigned from a DHCP server such as the OfficeConnect Gigabit VPN Firewall.

The DHCP server draws from a defined pool of IP addresses and leases them for a specified amount of time to your computers when they request an Internet session. It monitors, collects and redistributes the addresses as needed. On a DHCP-enabled network the IP information is assigned dynamically rather than statically. A DHCP client can be assigned a different address from the pool each time it reconnects to the network.

5.2.2 Why use DHCP

DHCP allows you to manage and distribute IP addresses throughout your network from the OfficeConnect Gigabit VPN Firewall. Without DHCP, you would have to configure each computer separately with an IP address and related information. DHCP is commonly used with large networks and those that are frequently expanded or otherwise updated. 5
...the VPN tunnel using the Configuration Manager. Internet Key Exchange (IKE) is the automatic keying protocol used to exchange the key that is used to encrypt and authenticate the data packets according to the user-configured rule. The parameters that should be configured are:
> the network addresses of the internal and remote networks
> the remote gateway address and the local gateway address
> the pre-shared secret for remote gateway authentication
> an appropriate priority for the connection

Chapter 14 Configuring IPSec VPN

This option sequence brings up the screen illustrated in Figure 14.2. Its fields and buttons represent the basic VPN parameters. Use them to configure a basic access rule that will be used to establish a tunnel from the local secure group to the remote secure group. Options in this screen allow you to:
> Add a VPN policy and set basic parameters for it
> Modify a VPN policy
> Delete an existing VPN policy

14.2.1 Add a Rule for VPN Connection Using Pre-shared Key

The VPN Tunnel Configuration Page, illustrated in Figure 14.2, is used to configure a rule for a VPN connection using a pre-shared key. To add a rule for a VPN connection, follow the instructions below.
1 Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu. The VPN policy list table displays as shown in Figure 14.1 IPSec VPN Policy List Table.
2 Prior to adding a VPN policy, ma
...Ethernet cable to any of the ports labeled LAN1 to LAN6 on the front panel of the device, and connect the other end to the Ethernet port of a computer. If your LAN has more than 6 computers, you can attach one end of an Ethernet cable to a hub or a switch (probably an uplink port; refer to the hub or switch documentation for instructions) and the other end to the Ethernet switch port labeled LAN1 to LAN6 on the OfficeConnect Gigabit VPN Firewall. Note that either a crossover or a straight-through Ethernet cable can be used to connect the built-in switch to computers, hubs or switches, as the built-in switch detects and works with either type of cable.

3.1.3 Step 3 Attach the power adapter

Connect the AC power adapter to the POWER connector on the back of the device and plug the adapter into a wall outlet or a power strip.

3.1.4 Step 4 Turn on the OfficeConnect Gigabit VPN Firewall, the ADSL or cable modem, and power up your computers

Press the Power switch on the rear panel of the OfficeConnect Gigabit VPN Firewall to the ON position. Turn on your ADSL or cable modem. Turn on and boot up your computer(s) and any LAN devices such as hubs or switches.

Figure 3.1 Overview of Hardware Connections (diagram: Internet, cable/DSL modem, OfficeConnect VPN Firewall, OfficeConnect Switch, your existing LAN)

You should verify that the LEDs are illumi
...immediately loses edge port status and becomes a normal spanning tree port.
Path Cost: Indicates the port's contribution to the root path cost. The path cost is adjusted to a higher or lower value and is used to forward traffic when a path is re-routed.

7.3 Configuring the Spanning Tree settings

Follow these steps to change the Spanning Tree settings:
1 Log into Configuration Manager as administrator and then click the Network menu. When the submenus of the Network menu display, click the Spanning Tree submenu to display the Spanning Tree Configuration page as shown in Figure 7.1.

Figure 7.1 Spanning Tree Configuration Page (screenshot: Network > Spanning Tree > Setup. RSTP System Configuration: System Priority 32768 (0-61440); Hello Time 2 (1-10 seconds); Max Age 20 (6-40 seconds); Forward Delay 15 (4-30 seconds); Force Version Normal. Per-port list with Enable, Edge and Path Cost (0-200000000, where 0 means auto-generated path cost).)

2 Enter the bridge priority value into the System Priority field. See Table 7.1 for a more detailed description.
3 Enter the Hello Time value in the specified field. The Hello Time indicates the amount of t
...bridges are running STP, each is assigned a priority. After exchanging BPDUs, the device with the lowest priority value becomes the Root Bridge. The field range is 0-61440; the default value is 32768. The priority value is set in increments of 4096.
Hello Time: Specifies the device Hello Time. The Hello Time indicates the amount of time in seconds a Root Bridge waits between configuration messages. The default is 2 seconds.
Max Age: Specifies the device Maximum Age Time. The Maximum Age Time is the amount of time in seconds a bridge waits without receiving configuration messages before it discards the stored spanning tree information and recomputes the topology. The default Maximum Age Time is 20 seconds.
Forward Delay: Specifies the device Forward Delay Time. The Forward Delay Time is the amount of time in seconds a bridge remains in the listening and learning states before forwarding packets. The default is 15 seconds.
Force Version: Specifies the STP version to run on the device. The possible values are Normal (RSTP mode only) and Compatible (STP-compatible mode).

Per-port settings
Enable: Indicates that STP or RSTP is enabled on the port.
Edge: Indicates whether Edge Port is enabled on the port. If Edge Port is enabled for a port, the port state is automatically placed in the Forwarding state when the port link is up. Edge Port optimizes STP convergence: STP convergence takes 30 seconds and is not dependent on the number of switches in the network. However, an edge port that receives a BPDU immed
...in the inbound ACL list table.
3 Make the desired changes to any or all of the following fields: action, source, destination IP, service, schedule, NAT and log. See Table 11.1 for an explanation of these fields.
4 Click the Apply button to modify this ACL rule. The new settings for this ACL rule will then be displayed in the access control list table at the bottom half of the Outbound ACL Configuration page.

11.4.4 Delete Outbound ACL Rules

To delete an outbound ACL rule, click the check box in front of the rule to be deleted and follow the instructions below to delete the selected outbound ACL rules.
1 Open the Inbound ACL Rule Configuration Page (see section 11.3.2 Access Inbound ACL Rule Configuration Page).
2 Click the check box in front of the rule to be selected.

11.5.1 Content Filter Configuration Parameters

Table 11.3 describes the configuration parameters available for a content filter rule.

Table 11.3 Content Filter Configuration Parameters
Enable Web Content Filter: Click the Yes or No radio button to enable or disable content filtering.
Schedule: Select a pre-configured schedule during which the rule is active. Select None to make the rule active at all times.
Web Components Blocking: You can block the following Web component types: Proxy, Java, ActiveX and Cookies. E
...Identifier field, for example vpn1.3com.com.
Set the IKE local identity type to Any.

IKE Proposal Settings (only available for Auto Keying). Note that all options for the IKE proposal settings are available only when pre-shared key is selected.
IKE Version: IKEv1 and IKEv2 are supported. Make sure the proper version of the IKE protocol is selected.
Exchange Mode: Main mode and Aggressive mode are supported. Click the radio button for the desired exchange mode.
NAT Traversal: Check this option to enable NAT Traversal support.
Pre-shared Key: Enter the shared secret; this must match the secret key at the other end.
IKE Encryption: Select the IKE encryption from the drop-down list. The following encryption algorithms are supported: DES, 3DES, AES-128, AES-192, AES-256.
IKE Authentication: Select the IKE authentication from the drop-down list. The following hash algorithms are supported: MD5, SHA-1.
SA Lifetime: Enter the IKE security association lifetime in seconds.
DH Group: Select a Diffie-Hellman key exchange group from the drop-down list. Currently the following groups are supported: DH Group 1, DH Group 2, DH Group 5.

IPSec Proposal Settings
IPSec Encryption: Select the IPSec encryption from the drop-do
...Figure 11.17 Port Triggering Configuration Page.
2 Make changes to any or all of the following fields: Service Name, Service User, Outgoing/Incoming Protocol and Outgoing/Incoming Port Range. See Table 11.8 for a detailed explanation of these fields.
3 Click the Add button. The new rule will then be displayed in the Port Triggering Policy List Table at the bottom half of the Port Triggering Configuration Page.

Figure 11.17 Port Triggering Configuration Page (screenshot: Firewall > Port Triggering > Setup. General: Enable Port Trigger; Port Trigger Timeout, in minutes. Add Port Trigger Rules: Name; Service User (any); Outgoing Protocol (TCP/UDP) and Port Range; Incoming Protocol (TCP/UDP) and Port Range. Port Trigger Policies list: Outgoing Protocol, Start Port, End Port; Incoming Protocol, Start Port, End Port; Select All; Delete.)

11.6.6.3 Editing a Port Triggering Rule

Follow these steps to modify an existing Port Triggering Rule:
1 Click Firewall > Port Triggering to enter the Port Triggering configuration page.
2 Click the edit icon of the rule to be modified in the Port Triggering Policy list table.
3 Make changes to any or all of the following fields: Service Name, Service User, Outgoing/Incoming Protocol and Outgoing/Incomin
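The mechanism behind the fields in Figure 11.17, as an added example that is not the firewall's own code: an outbound connection from a LAN host whose destination port falls in a rule's outgoing range opens the rule's incoming range back to that same host, and only until the Port Trigger Timeout elapses. Unsolicited inbound traffic that hits no open hole is dropped, which is the default inbound policy of 11.1.4. The IRC/ident rule, the ten-minute timeout and the host addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    service_user: str            # "any" or a single LAN IP address
    out_proto: str               # protocol of the outgoing (trigger) connection
    out_ports: Tuple[int, int]   # outgoing port range, inclusive
    in_proto: str                # protocol opened for incoming connections
    in_ports: Tuple[int, int]    # incoming port range, inclusive


@dataclass
class OpenHole:
    rule: TriggerRule
    lan_host: str
    expires_at: float


class PortTrigger:
    """Port triggering as described in 11.6.6. Holes are per rule and per LAN
    host, and any WAN source may use an open hole, so the incoming range
    should be kept as narrow as the application allows."""

    def __init__(self, rules: List[TriggerRule], timeout_minutes: int):
        self.rules = rules
        self.timeout = timeout_minutes * 60
        self.holes: List[OpenHole] = []

    def outbound(self, lan_host: str, proto: str, dport: int, now: float) -> Optional[str]:
        """Called for each new outbound connection; returns the name of the
        rule it triggered, or None if it triggered nothing."""
        for r in self.rules:
            if r.service_user not in ("any", lan_host):
                continue
            if r.out_proto != proto or not r.out_ports[0] <= dport <= r.out_ports[1]:
                continue
            for h in self.holes:
                if h.rule == r and h.lan_host == lan_host:
                    h.expires_at = now + self.timeout   # refresh, do not stack
                    return r.name
            self.holes.append(OpenHole(r, lan_host, now + self.timeout))
            return r.name
        return None

    def inbound(self, proto: str, dport: int, now: float) -> Optional[str]:
        """Returns the LAN host an unsolicited inbound connection is forwarded
        to, or None to drop it. Expired holes are purged first."""
        self.holes = [h for h in self.holes if h.expires_at > now]
        for h in self.holes:
            r = h.rule
            if r.in_proto == proto and r.in_ports[0] <= dport <= r.in_ports[1]:
                return h.lan_host
        return None


def demo() -> tuple:
    # Constructed rule: an outbound IRC connection (TCP 6660-6669) opens
    # TCP 113 (ident) back to the host that made the connection.
    pt = PortTrigger([TriggerRule("irc-ident", "any", "TCP", (6660, 6669), "TCP", (113, 113))],
                     timeout_minutes=10)
    t0 = 1_000_000.0
    return (
        pt.inbound("TCP", 113, t0),                   # None: nothing triggered yet
        pt.outbound("192.168.1.4", "TCP", 6667, t0),  # "irc-ident": hole opened
        pt.inbound("TCP", 113, t0 + 60),              # "192.168.1.4": forwarded
        pt.inbound("UDP", 113, t0 + 60),              # None: protocol mismatch
        pt.inbound("TCP", 113, t0 + 601),             # None: timeout passed
    )
```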
...time in seconds a Root Bridge waits between configuration messages.
4 Enter the Max Age Time value in the specified field. Note that the default value is 20 seconds.
5 Enter the Forward Delay Time value in the specified field. Note that the default value is 15 seconds.
6 Select an appropriate STP version from the Force Version drop-down list.
7 Go to the RSTP Configuration List. Click the Enable button to enable the Spanning Tree function on the specified port. If this port is also an edge port, click the Edge button.
8 Enter the path cost in the space provided to indicate the port's contribution to the root path cost.
9 Click Apply to save the Spanning Tree settings.

7.4 Viewing the Spanning Tree Status

To display the port status of Spanning Tree, log into Configuration Manager as administrator, click the Network menu and the Spanning Tree submenu, and then click the Status tab button. See Figure 7.2 RSTP/STP Status Page.

Figure 7.2 RSTP/STP Status Page (screenshot: Network > Spanning Tree > Status, RSTP Bridge Status)

8 Configuring WAN Settings

This chapter describes how to configure WAN settings fo
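The parameter rules from Table 7.1 and the procedure above, as an added example that is not part of the manual or the firmware: it checks a System Configuration against the ranges and the 4096 priority step shown on the page, elects the root bridge after a BPDU exchange, and models the edge-port behaviour (forwarding immediately on link up, demoted to a normal port on the first received BPDU). Two things here go beyond the page and are stated as such in the code: the IEEE 802.1D timer relationship 2*(ForwardDelay-1) >= MaxAge >= 2*(Hello+1), and the 802.1D-2004 default path cost table used when Path Cost is 0. The MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

PRIORITY_STEP = 4096          # Table 7.1: priority changes in increments of 4096
PRIORITY_MAX = 61440          # range 0-61440, default 32768
HELLO_RANGE = (1, 10)         # seconds, as shown on the Spanning Tree page
MAX_AGE_RANGE = (6, 40)
FWD_DELAY_RANGE = (4, 30)


def validate_bridge_timers(priority: int, hello: int, max_age: int,
                           fwd_delay: int) -> List[str]:
    """Returns the list of problems with a System Configuration (empty = OK).
    Besides the page's ranges it enforces the IEEE 802.1D relationship
    2*(FwdDelay-1) >= MaxAge >= 2*(Hello+1), which the GUI does not mention
    but which is needed for the three timers to be consistent."""
    problems = []
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        problems.append(f"priority {priority} must be a multiple of {PRIORITY_STEP} in 0-{PRIORITY_MAX}")
    for name, value, (lo, hi) in (("hello", hello, HELLO_RANGE),
                                  ("max_age", max_age, MAX_AGE_RANGE),
                                  ("fwd_delay", fwd_delay, FWD_DELAY_RANGE)):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} outside {lo}-{hi} seconds")
    if max_age < 2 * (hello + 1):
        problems.append("max_age must be >= 2*(hello+1)")
    if 2 * (fwd_delay - 1) < max_age:
        problems.append("2*(fwd_delay-1) must be >= max_age")
    return problems


def elect_root(bridges: List[Tuple[int, str]]) -> Tuple[int, str]:
    """Root election after the BPDU exchange: the lowest priority wins. The
    tie-breaker on lowest MAC address is the 802.1D rule, not on the page."""
    return min(bridges, key=lambda b: (b[0], b[1]))


def auto_path_cost(link_mbps: int) -> int:
    """Path cost used when the field is 0 (auto). Assumes the IEEE 802.1D-2004
    recommended values (20,000,000,000 / speed in kbit/s); the firmware's own
    table is not given in the manual."""
    return 20_000_000_000 // (link_mbps * 1000)


@dataclass
class Port:
    name: str
    enabled: bool = True
    edge: bool = False
    path_cost: int = 0
    state: str = "discarding"
    log: List[str] = field(default_factory=list)

    def link_up(self) -> None:
        # Edge ports skip listening/learning and forward at once.
        self.state = "forwarding" if self.edge else "discarding"

    def receive_bpdu(self) -> None:
        # Table 7.1: an edge port that receives a BPDU loses edge status and
        # becomes a normal spanning tree port, so it has to converge again.
        if self.edge:
            self.edge = False
            self.state = "discarding"
            self.log.append(f"{self.name}: BPDU received on edge port, edge status cleared")


def edge_port_demo() -> Tuple[str, bool, str]:
    p = Port("LAN1", edge=True)
    p.link_up()
    state_before = p.state
    p.receive_bpdu()
    return state_before, p.edge, p.state   # ("forwarding", False, "discarding")
```

The edge-port demotion is the part worth testing on a real deployment: a port facing a single host should never see a BPDU, so one arriving there means either a mis-wired switch or something on that port speaking STP that should not be.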
...incoming traffic to be directed. Note: this option is called reverse NAPT or virtual server.
Service: This option allows you to select any of the pre-configured services from the drop-down list instead of the destination port. Examples of services are: AH, AH and ESP, AIM, AOL, AUTH, BIT TORRENT, CIFS, DHCP, DNS, EMULE, ESP, FINGER, FTP, GRE, HTTP, HTTPS, HTTP PROXY, ICMP, IGMP, IMAP4, IMAPS, IP Phone, IRC, ISAKMP, KERBEROS, L2TP, LDAP, MSN Messenger, NETHOOD, NetMeeting Setup, NetMeeting T.120, NNTP, NTP, PING, POP3, PPTP, QQ, QUAKE, RDP, RealAudio, SIP, SKYPE, SMTP, SNMP, SNMP TRAP, SOCKS, SSH, TCP, TELNET, TFTP, UDP, Yahoo Messenger, 3Com NBX Telephony.
Note: a service is a combination of protocol and port number. Services appear here after you add them in the Firewall Service configuration page.
Port Number: Select Assign to manually specify a destination port number. Select Auto to have the destination port number assigned automatically.
Schedule: Select a pre-configured schedule during which the rule is active. Select None to make the rule active at all times.
Log: This option allows you to enable or disable logging for this ACL rule.

11.3.2 Access Inbound ACL Rule Configuration Page

Log into Configuration Manager as admin, click the Firewall menu and then click the ACL submenu. The ACL Rule List Table displays as shown in Figure 11.3.

Action: Select Allow from the drop-down lis
...defined services, IP pools, NAT pools, application filters and schedules to be used in inbound/outbound ACL configurations.
> View firewall statistics.

Note: When you define an ACL rule, you instruct the OfficeConnect Gigabit VPN Firewall to examine each data packet it receives to determine whether it meets the criteria set forth in the rule. The criteria can include the network or Internet protocol it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data. If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards its destination) or denied (discarded), depending on the action specified in the rule.

Chapter 11 Configuring Firewall/NAT Settings

11.1 Firewall Overview

11.1.1 Stateful Packet Inspection

The stateful packet inspection engine in the OfficeConnect Gigabit VPN Firewall maintains a state table that keeps track of the connection state of all packets passing through the firewall. The firewall opens a hole to let a packet pass if the packet belongs to an already established connection whose state matches an entry held by the stateful packet inspection engine. Otherwise the packet is evaluated against the ACL rules and is dropped unless a rule allows it. The hole is closed when the connection session terminates.
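The behaviour described in 11.1.1 and 11.1.4, and the ping example those sections give, as an added working model (this is not the firewall's code): a state table keyed on the connection, a first-match ACL, a default inbound policy of deny and a default outbound policy of allow, and a reply that is admitted only because the request created a state entry. The echo identifier stands in for ports on ICMP, a single `fin` flag stands in for TCP teardown, and the hole for a ping is closed by the one reply it gets; these are simplifications of what a real engine tracks. All addresses are constructed, with 192.168.1.1 and 192.168.2.1 taken from the example in 11.1.1.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = LAN to WAN, "in" = WAN to LAN
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # for ICMP: the echo identifier
    dport: int = 0       # for ICMP: 8 = echo request, 0 = echo reply
    fin: bool = False    # TCP teardown marker (simplified to one flag)


@dataclass(frozen=True)
class AclRule:
    direction: str
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # None matches any source address
    dst: Optional[str] = None    # None matches any destination address


def state_key(pkt: Packet) -> tuple:
    """Direction-independent key so a reply hits the entry its request made."""
    if pkt.proto == "icmp":
        # Echo request and reply carry the same identifier; there are no ports.
        ends = [(pkt.src, pkt.sport), (pkt.dst, pkt.sport)]
    else:
        ends = [(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]
    return (pkt.proto,) + tuple(sorted(ends))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # the state table: one entry per open connection

    def evaluate_acl(self, pkt: Packet) -> str:
        """First matching rule wins; with no match the 11.1.4 defaults apply:
        inbound denied, outbound allowed."""
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.src is not None and r.src != pkt.src:
                continue
            if r.dst is not None and r.dst != pkt.dst:
                continue
            return r.action
        return "allow" if pkt.direction == "out" else "deny"

    def process(self, pkt: Packet) -> str:
        key = state_key(pkt)
        if key in self.state:
            # Established connection: passed without ACL evaluation. The hole
            # closes when the session ends (TCP FIN, or the single echo reply).
            if pkt.fin or (pkt.proto == "icmp" and pkt.dport == 0):
                self.state.discard(key)
            return "allow"
        verdict = self.evaluate_acl(pkt)
        if verdict == "allow":
            self.state.add(key)   # open the hole for the return traffic
        return verdict


def demo() -> Tuple[str, ...]:
    """Replays the 11.1.1 ping example plus the default policies on
    constructed traffic. Returns the verdict for each packet in order."""
    fw = StatefulFirewall([
        AclRule("out", "allow", proto="icmp", src="192.168.1.1", dst="192.168.2.1"),
    ])
    echo_req = Packet("out", "icmp", "192.168.1.1", "192.168.2.1", sport=0x1234, dport=8)
    echo_rep = Packet("in", "icmp", "192.168.2.1", "192.168.1.1", sport=0x1234, dport=0)
    stray = Packet("in", "icmp", "192.168.2.1", "192.168.1.1", sport=0x9999, dport=0)
    syn_in = Packet("in", "tcp", "203.0.113.7", "192.168.1.8", sport=40000, dport=80)
    dns_out = Packet("out", "udp", "192.168.1.8", "198.51.100.53", sport=51000, dport=53)
    dns_back = Packet("in", "udp", "198.51.100.53", "192.168.1.8", sport=53, dport=51000)
    return (
        fw.process(echo_req),   # allow: matches the outbound ICMP rule, state created
        fw.process(echo_rep),   # allow: no inbound rule needed, the state table admits it
        fw.process(echo_rep),   # deny:  the hole was closed by the first reply
        fw.process(stray),      # deny:  unsolicited inbound ICMP, default inbound policy
        fw.process(syn_in),     # deny:  no default inbound access rule exists
        fw.process(dns_out),    # allow: default outbound policy
        fw.process(dns_back),   # allow: reply to an established UDP flow
    )
```

The third verdict is the one to keep in mind when reading 11.1.1: the "hole" is tied to the tracked connection, so a second copy of the reply, or any other inbound packet that merely resembles one, falls back to the ACL and the default deny.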
WARNING: Warning messages relating to personal safety or system integrity.

2 Getting to Know the OfficeConnect Gigabit VPN Firewall

2.1 Parts List

In addition to this document, your OfficeConnect Gigabit VPN Firewall should come with the following:
> The OfficeConnect Gigabit VPN Firewall
> Power cord
> RJ45-to-DB9 console port cable
> Four rubber feet
> Rack mount kit
> One CD-ROM containing the 3Com detect program and this user guide
> One Warranty Flyer
> Release note

2.2 Front Panel

The front panel contains LED indicators that show the status of the unit and the ports for the data connections.

Figure 2.1 Front Panel LEDs (photo: POWER, STATUS, WAN1, WAN2, LAN1/DMZ1, LAN2/DMZ2, LAN3 to LAN6, CONSOLE, Reset)

Table 2.1 Front Panel Labels and LEDs
Label / Color / Function
POWER / Green, Amber / Green on: unit is powered on. Off: unit is powered off. Amber: for factory testing only.
STATUS /ern Green
Link/Act / Green / On: link is established. Flashing: data is being transmitted. Off: no link.
1000 / Green, Amber / Green: Gigabit link. Amber: 100M link. Off: 10M link or no link.
DMZ / Green / On: this port is used as a DMZ port. Off: this port is used as a LAN port.
CONSOLE / RJ-45 serial port for co
...interface status change on an external interface sends a DDNS update to the DDNS service provider.

Dynamic DNS Client: The DDNS client uses the mechanism provided by the popular DDNS service providers for updating DNS records dynamically. In this case the service provider updates the DNS records, and the OfficeConnect Gigabit VPN Firewall uses HTTP to trigger the update. The OfficeConnect Gigabit VPN Firewall supports HTTP DDNS updates with the following service providers:
> DynDNS.org
> TZO.com
> Oray.net
> DtDNS.com
> 3322.org

Figure 10.1 Network Diagram for HTTP DDNS (diagram: the firewall sends HTTP DDNS updates across the Internet to the provider's DDNS server, for example DynDNS, which updates the DNS records for the configured hostname)

Whenever the IP address of the configured DDNS interface changes, a DDNS update is sent to the specified DDNS service provider. The OfficeConnect Gigabit VPN Firewall must be configured with the DDNS username and password obtained from the DDNS service provider.

10.1 DDNS Configuration Parameters

Table 10.1 describes the configuration parameters available for the DDNS service.

Table 10.1 DDNS Configuration Parameters
Field / Description
Choose WAN Interface
Select DDNS Service / DynDNS: see http://www.dyndns.org for more details. TZO.com: see http://www.tzo.com for more details. Oray.net
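The update-on-change behaviour of 10.1, written as an added example that is not the firmware's implementation: the client is told of every WAN interface change, sends an update only when the address actually differs from the last one it registered, and carries the provider username and password in an HTTP basic-auth header. The request format is the dyndns2-style `GET /nic/update?hostname=..&myip=..` used by several of the listed providers; treat that, the provider hostname and the "good <ip>" response as assumptions and check the provider's documentation. The sender is injected, and the provider below is a constructed stand-in, so the example runs offline.

```python
import base64
import urllib.parse
from typing import Callable, List, Optional, Tuple


class DdnsClient:
    """Sends one update per real address change to an HTTP DDNS provider."""

    def __init__(self, provider_host: str, hostname: str, username: str,
                 password: str, send: Callable[[str, dict], str]):
        self.provider_host = provider_host   # assumed provider endpoint
        self.hostname = hostname
        self.auth = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.send = send                     # injected transport
        self.last_ip: Optional[str] = None
        self.responses: List[str] = []

    def build_request(self, ip: str) -> Tuple[str, dict]:
        query = urllib.parse.urlencode({"hostname": self.hostname, "myip": ip})
        # HTTPS, because the Authorization header carries the provider password.
        url = f"https://{self.provider_host}/nic/update?{query}"
        headers = {"Authorization": f"Basic {self.auth}",
                   "User-Agent": "ddns-example/1.0"}
        return url, headers

    def interface_changed(self, new_ip: str) -> bool:
        """Called on every interface status change. Returns True if an update
        was sent. Repeating an unchanged address is skipped: it is pointless,
        and providers commonly rate-limit or block clients that do it."""
        if new_ip == self.last_ip:
            return False
        url, headers = self.build_request(new_ip)
        self.responses.append(self.send(url, headers))
        self.last_ip = new_ip
        return True


def fake_provider(url: str, headers: dict) -> str:
    # Constructed stand-in for the provider: answers "good <ip>" when the
    # request carries basic-auth credentials, "badauth" otherwise.
    ip = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["myip"][0]
    if headers.get("Authorization", "").startswith("Basic "):
        return f"good {ip}"
    return "badauth"


def demo() -> Tuple[List[bool], List[str]]:
    client = DdnsClient("ddns.example.net", "vpn1.example.com", "user", "s3cret",
                        fake_provider)
    # Three interface events; the second carries the same address as the first.
    sent = [client.interface_changed(ip)
            for ip in ("203.0.113.10", "203.0.113.10", "203.0.113.11")]
    return sent, client.responses
```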
...algorithm for IKE, lifetime for IKE, encryption/authentication algorithm for IPSec, operation mode for IPSec, PFS group for IPSec and lifetime for IPSec. See Table 14.1 for an explanation of these fields.
Click the Apply button to modify this VPN rule. The new settings for this VPN rule will then be displayed in the VPN policy list table.

14.2.3 Delete VPN Rules

To delete VPN policies, follow the instructions below.
1 Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu.
2 Click the check box in front of the rule to be deleted.
3 Click the Delete button to delete the selected rules.

14.2.4 Display VPN Rules

To see the existing VPN rules, follow the instructions below.
1 Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu. All the configured VPN policies are displayed in the VPN policy list table.

14.3 Establish VPN Connection Using Manual Keys

This section describes the steps to establish the VPN tunnel using manual keying. Manual keying is a method to achieve security when ease of configuration and maintenance is more important, or when automatic keying is not feasible because of interoperability issues between the IKE implementations on the gateways. However, this is a weak security option, as all packets use the same keys unless you, as the network administrator, use different keys for authenticatio
...ity
> Tunnel Mode for Network-to-Network Connectivity
> Hardware Encryption Algorithms: DES, 3DES, AES
> Hardware Authentication Algorithms: MD5, SHA-1
> Transforms: ESP, AH
> Key Management: IKE, IKEv2, Main Mode, Aggressive Mode, Quick Mode, Mode configuration for IKE

> Site-to-Site VPN connection: A Site-to-Site VPN connection is an alternative WAN infrastructure that is used to connect branch offices, home offices or business partners' sites to all or portions of a company's network.
> Remote Access VPN: Corporations use VPNs to establish secure end-to-end private network connections over a public networking infrastructure. VPNs have become the logical solution for remote access connectivity. Deploying a remote access VPN enables corporations to reduce communications expenses by leveraging the local dial-up infrastructure of Internet Service Providers. At the same time, VPNs allow mobile workers, telecommuters and day extenders to take advantage of broadband connectivity.

2.4.3 WAN Failover & Load Balancing

WAN Failover and Load Balancing allows you to designate one of the assigned interfaces as a backup WAN port. If the primary WAN port is down and/or unavailable, traffic is routed only through the backup WAN port. This allows the OfficeConnect Gigabit VPN Firewall to maintain a persistent connection for WAN po
...make sure that the VPN service is enabled in the VPN policy list table.
3 Click the Add button to enter the VPN Tunnel Configuration Page as illustrated in Figure 14.2.
4 Enter a desired name, preferably a meaningful name that signifies the nature of the VPN connection, in the Name field. Note that only alphanumeric characters are allowed in a name.
5 Click the Enable or Disable radio button to enable or disable this rule.

Figure 14.1 IPSec VPN Policy List Table (screenshot: VPN > IPSec > Setup. General: Enable IPSec, Enable NAT Traversal. IPSec Policies list with columns Name, Remote Gateway, Local Network, Remote Network, Type, Mode, Edit; Select All.)

Figure 14.2 VPN Tunnel Configuration Page, Pre-Shared Key Mode (screenshot, default values). General: Policy Name tunnel0; Policy Type Auto; IPSec Mode Tunnel; L2TP (check box); Local Gateway WAN1; Remote Gateway. Local Site: Local IP Subnet, IP Address 192.168.1.0, Subnet Mask 255.255.255.0. Remote Site: Remote IP, IP Address, Subnet Mask. Auto Policy: Local Id Type IP ADDRESS, Identifier (optional). IKE Proposal: IKE Version IKEv1, Exchange Mode Main, Encryption 3DES, DH Group 2 (1024 bit). IPSec Proposal: Protocol ESP (or AH), Encryption 3DES, PFS None.
...fill resource gaps and ensure the success of your networking projects. More information on 3Com maintenance and Professional Services is available at www.3com.com.

Contact your authorized 3Com reseller or 3Com for additional product and support information. See the table of access numbers later in this appendix.

Access Software Downloads

Software Updates are the bug-fix maintenance releases for the version of software initially purchased with the product. In order to access these Software Updates you must first register your product on the 3Com Web site at http://eSupport.3com.com. First-time users will need to apply for a user name and password. A link to software downloads can be found at http://eSupport.3com.com or under the Product Support heading at http://www.3com.com.

Software Upgrades are the feature releases that follow the software version included with your original product. In order to access upgrades and related documentation you must first purchase a service contract from 3Com or your reseller.

Contact Us

3Com offers telephone, e-mail and internet access to technical support and repair services. To access these services for your region, use the appropriate telephone number, URL or e-mail address from the list below. You will find a current directory of support telephone numbers posted on the 3Com web site at http://csoweb4.3com.com/contactus.

Telephone Technical Support
...If you select Specific Days, check the radio button for each day you want the schedule to be in effect.
Days of Week: Set the days for the schedule.
Active on time of days: Check the radio button All Day or Specific Times. If you select Specific Times, enter the Start Time and End Time in the specified fields.

Figure 11.13 Schedule Configuration Page (screenshot: Custom Schedules List with columns Name, Scheduled Days, Start Time, End Time, Edit; sample row 1: Sun Mon Tue Wed Thu Fri Sat, 00:00 AM to 00:00 PM; Select All, Delete and Add buttons)

11.6.4.2 Access Schedule Configuration Page

Log into Configuration Manager as admin, click the Firewall menu and then click the Schedule submenu. The Schedule Configuration page displays as shown in Figure 11.13 Schedule Configuration Page.

11.6.4.3 Add a Schedule

To configure schedules, follow the instructions below.
1 Open the Schedule Configuration page (see section 11.6.4.2 Access Schedule Configuration Page).
2 Select the Schedule1 tab button at the top of the Schedule Configuration page.
3 Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
4 Check the radio button to schedule the time of day: All Day or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour, Minute, AM/PM), which will limit access during certain times on the selected days.
Click on
Figure 11.3 ACL Rule List Table 56
Figure 11.4 Tab Buttons for Different Traffic Types 56
Figure 11.5 Inbound ACL Configuration Example 56
Figure 11.6 Outbound ACL Configuration Page 57
Figure 11.7 Outbound ACL Configuration Example 59
Figure 11.8 Content Filter Configuration Page 61
Figure 11.9 Content Filter Rule Example 62
Figure 11.10 Self Access Rule Table Page 62
Figure 11.11 Service List Configuration Page 65
Figure 11.12 DoS Configuration Page
Figure 12.6 QoS Policy Configuration Page 78
Figure 13.2 Enable the WAN Failover 80
Figure 14.1 IPSec VPN Policy List Table 86
Figure 14.2 VPN Tunnel Configuration Page, Pre-Shared Key Mode
Figure 14.3 VPN Tunnel Configuration Page, Manual Key Mode 88
Figure 14.6 Intranet VPN Policy Configuration 91
Figure 14.7 VPN User Account Configuration Page 93
145. me au 104 2018 MI 116 17 6 System Configuration Management 104 20 12 NSIOOKUp er 117 17 6 1 Reset System Configuration 104 21 SAFETY IN FORMATION 1 1 Q 17 6 2 Backup System Configuration 105 Important Safety Information eoernvnnvrrrernvnnrrorrrrnrnnrnrnennenn 119 17 6 3 Restore System Configuration 105 Wichtige Sicherheitshinweise unsnnennennennenne 119 17 7 Upgrade Firmware mrsennnvonnvnnvnonnnvnnnnvnnnvnnnvnnnnnennne 105 Consignes importantes de s curit rrersrrrnvrrnvernrrrrrnvernnn 120 17 8 Reset the OfficeConnect Gigabit VPN Firewall 106 17 9 Logout Configuration Manager rrrerrnvrnrnvvnrnvvrnnvnnr 106 22 OBTAI N NG SU PPO RI FOR 12 10 COMMUTING Logging area a 106 YOU R P ROD UCT ee 21 17 11 Configuring SNMP ccccsccssssesssscssseeessesseseesseesseeeesseeen 107 1 8 ALG C fi i 1 Register Your Product to Gain Service Benelfits 121 on Iguration nee ee 09 Troubleshoot Online eee 121 1 9 P A d d resse S N etw O rk M as k S Purchase Extended Warranty and Professional Services 121 Access Software Downloads ccscccssccssecesseeeseeeseeeees 121 and Subnets nun nnnnnnnnnnnnnnnnn 1 1 1 Gonlacl Jean ee el 122 19 PAGES JR 111 EE AR ee i 19 1 1 Structure of an IP address 111 Chapter 1 Introduction 23 END USER SOFTWARE LICENCE AGREEMENT 129 24 Regulatory Notices
14.3.1 Add a Rule for VPN Connection Using Manual Key
The VPN Tunnel Configuration Page, as illustrated in Figure 14.3, is used to configure a rule for a VPN connection using a manual key. To add a rule for a VPN connection, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu. The VPN policy list table displays as shown in Figure 14.1.
Figure 14.3 VPN Tunnel Configuration Page (Manual Key Mode): General settings (Policy Name, Policy Type: Manual, IPSec Mode: Tunnel, Local Gateway, Remote Gateway), Local Site and Remote Site (IP Address, Subnet Mask), and Manual Policy settings (Protocol: ESP or AH; SPI Incoming and SPI Outgoing: Hex, 3-8 chars; Encryption: 3DES; Authentication: SHA-1; Key: DES 6 chars and 3DES 24 chars, MD5 16 chars and SHA-1 20 chars).
2. Make sure that the VPN service is enabled in the VPN policy list table.
88 OfficeConnect Gigabit VPN Firewall User's Manual
Click on the Add button to enter the VPN Tunnel Configuration Page as illustrated in Figure 14.2.
Enter a desired name (preferably a meaningful name that signifies the nature of the VPN connection) in the Name field. Note that only alphanumeric characters are allowed in a name.
Select Manual from the Policy Type drop-down list. The option fields for ma
...an appropriate load balancing algorithm from the Algorithm drop-down list.
(Weighted Round Robin only) Tick the Calculate from Tx Max checkbox to allow the system to automatically calculate the weight based on the configured maximum transmit bandwidth of the WAN interface.
(Weighted Round Robin only) If you want to manually assign the weight, specify a number in the WAN1 and WAN2 fields. For example, if you assign 10 to the WAN1 field and 100 to the WAN2 field, the first 10 sessions will go through the WAN1 interface and the subsequent 100 sessions will go through the WAN2 interface.
Click on the Apply button to save the settings.
Chapter 14 Configuring IPSec VPN
14 Configuring IPSec VPN
The OfficeConnect Gigabit VPN Firewall provides secure, encrypted communication to business partners and remote offices at a fraction of the cost of dedicated leased lines. Using the OfficeConnect Gigabit VPN Firewall Configuration Manager, you can quickly create a VPN policy to a remote site. Whenever data is intended for the remote site, the OfficeConnect Gigabit VPN Firewall automatically encrypts the data and sends it over the Internet to the remote site. Lo
IPSec Mode (table fragment): ...site VPN tunnel. If you want to use L2TP over IPSec, a Transport mode setting is required. This option allows you to set up an IPSec policy for L2TP over IPSec.
Local Gateway: ...
...reset the device to the default password configuration by following the instructions provided in section 17.6.1 Reset System Configuration.
WARNING: Resetting the device removes any custom settings and returns all settings to their default values.
Problem: Cannot access the Configuration Manager program from your browser.
Troubleshooting Suggestion: Use the ping utility discussed in the following section to check whether your PC can communicate with the OfficeConnect Gigabit VPN Firewall's LAN IP address (by default 192.168.1.1). If it cannot, check the Ethernet cabling. Verify that you are using Internet Explorer v5.5, Netscape 7.0.2 or later. Support for Javascript must be enabled in your browser. Support for Java may also be required. Verify that the PC's IP address is defined as being on the same subnet as the IP address assigned to the LAN port on the OfficeConnect Gigabit VPN Firewall.
Problem: Changes to Configuration Manager are not being retained.
Troubleshooting Suggestion: Be sure to click on the Apply button to save any changes.
20.1 Diagnosing Problems using IP Utilities
20.1.1 ping
Ping is a command you can use to check whether your PC can recognize other computers on your network and the Internet. A ping command sends a message to the computer you specify. If the computer receives the message, it sends messages in reply. To use it, you must know the IP address of the computer wi
...to save the changes.
The SNMP Traps Setup Page contains information for defining filters that determine whether traps are sent to specific users and the trap type sent. Follow these steps to configure the SNMP Trap settings:
1. Click Administration > SNMP > Trap to enter the SNMP Trap configuration page.
Figure 17.12 SNMP Trap Configuration Page (Recipient IP Address, Community String, Trap Version; Trap List)
2. Enter an IP address into the Recipient IP Address field. The SNMP trap will be sent to the specified IP address.
3. To define the community string of the manager, enter the community string in the space provided.
4. Select an appropriate trap version from the Trap Version drop-down list.
5. Click on the Add button to create the new entry.
6. To edit an existing entry, click on the edit icon to enter the SNMP Trap configuration page. Make any changes you like and then click on the Apply button to save the changes.
Chapter 18 ALG Configuration
Name Port
...nated as indicated in Table 3.1.
Table 3.1 LED Indicators
POWER: This LED should be solid green to indicate that the device is turned on. If this light is not on, check if the power adapter is attached to the OfficeConnect Gigabit VPN Firewall and if it is plugged into a power source.
LAN1 to LAN6: Solid green to indicate that the device can communicate with your LAN, or flashing when the device is sending or receiving data from your LAN computer.
WAN1, WAN2: Solid green to indicate that the device has successfully established a connection with your ISP, or flashing when the device is sending or receiving data from the Internet.
If the LEDs illuminate as expected, the OfficeConnect Gigabit VPN Firewall hardware is working properly.
3.2 Part 2 Rack Mounting Instructions
The OfficeConnect Gigabit VPN Firewall is 1U high and will fit a 19-inch rack if the rack mount kit is properly installed.
Elevated Operating Ambient: If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.
Reduced Air Flow: Installation of the equipment in a rack should be such that the amount of air flow required for safe
...nd an email at this email address: ap_rma_request@3com.com
Country: Telephone Number
Norway: 800 11376
Poland: 00800 4411 357
Portugal: 800 831416
EN 88005558588
Europe, Middle East and Africa: Telephone Technical Support and Repair
SE N 800 8 445 312
South Africa: 0800 995 014
Spain: 900 938 919
Sweden: 020 795 482
Switzerland: 0800 553 072
U.A.E.: 04 3908997
U.K.: 0800 096 3266
You can also obtain support in this region using this URL: http://emea.3com.com/support/email.html
You can also obtain non-urgent support in this region at these email addresses:
Technical support and general requests: customer_support@3com.com
Return material authorization number: warranty_repair@3com.com
Contact Requests: emea_contact@3com.com
Appendix 22 OBTAINING SUPPORT FOR YOUR PRODUCT
Latin America: Telephone Technical Support and Repair
Antigua: AT&T 800 988 2112
Antigua & Barbuda: AT&T 800 988 2112
Argentina: AT&T 800 988 2112
Aruba: AT&T 800 988 2112
Bahamas: AT&T 800 988 2112
Barbados: AT&T 800 988 2112
Belize: AT&T 800 988 2112
Bermuda: AT&T 800 988 2112
Bolivia: AT&T 800 988 2112
Brasil: 0800 133266 (0800 13 3COM)
Brasil (Local): 5511 5643 2700
British Virgin Islands, Cayman Islands, Chile, Colombia, Colombia (Local), Costa Rica
...individual leg of the data's journey is called a hop.
hop count: The number of hops that data has taken on its route to its destination. Alternatively, the maximum number of hops that a packet is allowed to take before being discarded. See also TTL.
host: A device (usually a computer) connected to a network.
HTTP: Hyper Text Transfer Protocol. HTTP is the main protocol used to transfer data from web sites so that it can be displayed by web browsers. See also web browser, web site.
ICMP: Internet Control Message Protocol. An Internet protocol used to report errors and other network-related information. The ping command makes use of ICMP.
IGMP: Internet Group Management Protocol. An Internet protocol that enables a computer to share information about its membership in multicast groups with adjacent routers. A multicast group of computers is one whose members have designated themselves as interested in receiving specific content from the others. Multicasting to an IGMP group can be used to simultaneously update the address books of a group of mobile computer users or to send company newsletters to a distribution list.
Internet: The global collection of interconnected networks used for both private and business communications.
intranet: A private, company-internal network that looks like part of the Internet (users access information using web browsers), but is accessible only by em
...nect Gigabit VPN Firewall.
Primary/Secondary DNS: You must at least enter the IP address of the primary DNS server. Secondary DNS is optional.
8.5.2 Configuring Static IP for WAN
Figure 8.3 WAN Static IP Configuration Page (ISP Login, Interface IP Address: Connection Mode, IP Address, IP Subnet Mask, Gateway IP Address; DNS Server: DNS Mode, Primary DNS Server, Secondary DNS Server; Network: MTU Size, MAC Address)
Follow the instructions below to configure static IP settings:
1. Select Static from the Connection Mode drop-down list as shown in Figure 8.3.
2. Enter the WAN IP address in the IP Address field. This information should be provided by your ISP.
3. Enter the Subnet Mask for the WAN. This information should be provided by your ISP. Typically it is 255.2
...nfiguration Page
11.3.1 Inbound ACL Rule Configuration Parameters
Table 11.1 describes the configuration parameters available for a firewall inbound ACL rule.
Table 11.1 Inbound ACL Rule Configuration Parameters
Source: This option allows you to set the source network to which this rule should apply. Use the drop-down list to select one of the following options:
Any: This option allows you to apply this rule to all the computers in the source network, such as those on the Internet.
IP Address: This option allows you to specify an IP address on which this rule will be applied.
Range: Enter the starting IP address of the range. Enter the ending IP address of the range.
Destination: This option allows you to set the destination network to which this rule should apply. Use the drop-down list to select one of the following options:
Any: This option allows you to apply this rule to all the computers in the local network.
IP Address, Subnet and Range: Select any of these options and enter details as described in the Source section above.
Interface: This option allows you to set the destination address as the IP address of the selected interface.
None: Select this option if you don't intend to use NAT in this inbound ACL rule.
IP Address: Select this option to specify the IP address of the computer (usually a server) in your LAN that you want the
www.3Com.com Part Number 10016886 Rev. AA Published August 2008
...ng it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker's network location anonymous.
IP Spoofing: Check or uncheck this option to enable or disable protection against such attacks. IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine by spoofing the IP address of that machine.
Ping of Death: Check or uncheck this option to enable or disable protection against such attacks. A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when the IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer.
LAND Attack: Check or uncheck this option to enable or disable protection against such attacks. A LAND attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up.
TearDrop: Check or uncheck this option to enable or disable protection against such attacks. A Teardrop attack involves s
...nly one WAN link is active at a time when in the rollover mode. When the primary WAN has lost its physical connection, the configurable backup WAN links must be able to take over. Besides, any time a used WAN loses its connection, the rollover process will choose a link that has been up for the longest time to take over the lost WAN link. This operation is transparent to all hosts on the LAN side, although the users may experience slight service interruption. During the rollover process, all services must be re-negotiated. This includes Dynamic DNS and any VPN tunnel policies.
Table 13.1 WAN Failover Configuration Parameters
Setting: Description
Connectivity Check: This option is available under both Load Balancing and Rollover mode, and is mandatory for Rollover. Connectivity check is used to monitor the link status of the WAN ports by sending PING request packets periodically to the configured IP address.
Enable Connectivity Check: To enable the connectivity check, tick this check box.
Primary Interface: Click on the desired radio button to select the Primary Interface.
Backup Interface: Tick the check box to enable the Backup Interface.
2. In the Policy Configuration field, click on the Rollover radio button to enable the WAN Failover. (Traffic MGMT > WAN Link Mgmt > Setup)
3. Tick the check box to enable the Backup Interface Setup.
...nnect the PPPoE interface after the assigned idle timeout period has elapsed.
• Tick the Unnumbered checkbox to enable the PPP unnumbered function.
• You don't need to enter primary/secondary DNS IP addresses, as PPPoE is able to automatically obtain this information for you from your ISP. However, if you prefer to use your favorite DNS servers, you may enter them in the space provided.
• Click on the Apply button to save the PPPoE settings.
b. Dynamic IP Connection Mode (see Figure 3.10)
• Select the DHCP radio button to enable the DHCP function.
• You don't need to enter primary/secondary DNS IP addresses, as the DHCP client is able to automatically obtain this information for you from your ISP. However, if you prefer to use your favorite DNS servers, you may enter them in the space provided.
• If you had previously registered a specific MAC address with your ISP for Internet connections, enter the registered MAC
• Enter the WAN IP address in the IP Address field. This information should be provided by your ISP.
• Enter the IP Subnet Mask for the WAN. This information should be provided by your ISP.
• Enter the Gateway IP address provided by your ISP in the space provided.
• Enter at least the primary DNS IP address provided by your ISP. The Secondary DNS IP address is optional; enter it in the space provided if you have such information from your ISP.
...nsole management.
Resets the device.
2.3 Rear Panel
The rear panel contains the AC inlet and power switch. See Figure 2.2 Rear Panel Connections.
Figure 2.2 Rear Panel Connections (AC Inlet, Power Switch)
Table 2.2 Rear Panel Labels and LEDs
Label: Function
Power Switch: Switches the unit on and off.
POWER: Connects to the supplied power adapter.
2.4 Major Features
2.4.1 Firewall Features
The Firewall as implemented in the OfficeConnect Gigabit VPN Firewall provides the following features to protect your network from being attacked and to prevent your network from being used as the springboard for attacks:
> Address Sharing and Management
> Packet Filtering
> Stateful Packet Inspection
> Defense against Denial of Service Attacks
> Log and Alert
> Application Content Filtering
> Remote Access
> Keyword-based Content Filtering
> WAN Failover & Load Balancing
2.4.1.1 Address Sharing and Management
The OfficeConnect Gigabit VPN Firewall provides NAT to share a single high-speed Internet connection and to save the cost of multiple connections required for the hosts on the LAN segments connected to the OfficeConnect Gigabit VPN Firewall. This feature conceals network addresses and prevents them from becoming public. It ma
...nual keying displays as shown in Figure 14.3.
Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Manual Key), SPI Incoming, SPI Outgoing, Encryption Key, Authentication Key and lifetime for IPSec. Please see Table 14.1 for an explanation of these fields.
Click on the Apply button to create the new VPN rule. The new VPN rule will then be displayed in the VPN policy rule list table.
14.3.2 Modify VPN Rules
To modify a VPN rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu. Prior to modifying a VPN rule, make sure that the VPN service is enabled in the System Service Configuration page.
2. Click on the edit icon of the rule to be modified in the VPN policy rule table.
3. Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Manual Key), SPI Incoming, SPI Outgoing, Encryption Key, Authentication Key and lifetime for IPSec. Please see Table 14.1 for an explanation of these fields.
4. Click on the Apply button to modify this VPN rule. The new settings for this VPN rule will then be displayed in the VPN policy list table.
14.3.3 Delete VPN Rules
To delete VPN policies, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu and then click the IPS
...o destination address.
ping: Packet Internet (or Inter-Network) Groper. A program used to verify whether the host associated with an IP address is online. It can also be used to reveal the IP address for a given domain name.
port: A physical access point to a device such as a computer or router, through which data flows into and out of the device.
PPP: Point-to-Point Protocol. A protocol for serial data transmission that is used to carry IP and other protocol data between your ISP and your computer. The WAN interface on the OfficeConnect Gigabit VPN Firewall uses two forms of PPP, called PPPoA and PPPoE. See also PPPoA, PPPoE.
PPPoE: Point-to-Point Protocol over Ethernet. One of the two types of PPP interfaces you can define for a Virtual Circuit (VC), the other type being PPPoA. You can define one or more PPPoE interfaces per VC.
protocol: A set of rules governing the transmission of data. In order for a data transmission to work, both ends of the connection have to follow the rules of the protocol.
remote: In a physically separate location. For example, an employee away on travel who logs in to the company's intranet is a remote user.
RIP: Routing Information Protocol. The original TCP/IP routing protocol. There are two versions of RIP: version I and version II.
RJ-45: Registered Jack Standard-45. The 8-pin plug used in transmitting data over phone lines
routing: 
...of an IP address.
Table 19.1 IP Address Structure
Class A: Network ID (field1), Host ID (field2, field3, field4)
Class B: Network ID (field1, field2), Host ID (field3, field4)
Class C: Network ID (field1, field2, field3), Host ID (field4)
Here are some examples of valid IP addresses:
Class A: 10.30.6.125 (network = 10, host = 30.6.125)
Class B: 129.88.16.49 (network = 129.88, host = 16.49)
Class C: 192.60.201.11 (network = 192.60.201, host = 11)
19.2 Network classes
The three commonly used network classes are A, B and C. (There is also a class D, but it has a special use beyond the scope of this discussion.) These classes have different uses and characteristics.
Class A networks are the Internet's largest networks, each with room for over 16 million hosts. Up to 126 of these huge networks can exist, for a total of over 2 billion hosts. Because of their huge size, these networks are used for WANs and by organizations at the infrastructure level of the Internet, such as your ISP.
Class B networks are smaller but still quite large, each able to hold over 65,000 hosts. There can be up to 16,384 class B networks in existence. A class B network might be appropriate for a large organization such as a business or government agency.
Class C networks are the smallest, only able to hold 254 hosts at most, but the total possible number of class C networks exceeds 2 million (2,097,152 to be exact). LANs connected to the Internet are usually class C networks.
Some important n
...of protocols.
Telnet: An interactive, character-based program used to access a remote computer. While HTTP (the web protocol) and FTP only allow you to download files from a remote computer, Telnet allows you to log into and use a computer from a remote location.
TFTP: Trivial File Transfer Protocol. A protocol for file transfers. TFTP is easier to use than File Transfer Protocol (FTP) but not as capable or secure.
TTL: Time To Live. A field in an IP packet that limits the life span of that packet. Originally meant as a time duration, the TTL is usually represented instead as a maximum hop count; each router that receives a packet decrements this field by one. When the TTL reaches zero, the packet is discarded.
twisted pair: The ordinary copper telephone wiring long used by telephone companies. It contains one or more wire pairs twisted together to reduce inductance and noise. Each telephone line uses one pair. In homes it is most often installed with two pairs. For Ethernet LANs, a higher grade called Category 3 (CAT 3) is used for 10BASE-T networks, and an even higher grade called Category 5 (CAT 5) is used for 100BASE-T networks. See also 10BASE-T, 100BASE-T, Ethernet.
upstream: The direction of data transmission from the user to the Internet.
WAN: Wide Area Network. Any network spread over a large geographical area, such as a country or continen
...of the Self Access rule to be modified in the Self Access rule table.
3. Make desired changes to any or all of the following fields: Source, Destination, Service, Schedule and Action. See Table 11.4 Self Access Configuration Parameters for a more detailed explanation.
4. Click on the Apply button to save the changes.
11.6.1.5 Delete a Self Access Rule
To delete a Self Access rule, follow the instructions below:
1. Open the Self Access Rule Table (see section 11.6.1.2 Access Self Access Rule).
2. Click on the check box in front of the rule to be deleted.
3. Click on the Delete button to delete the selected rules.
11.6.1.6 View Configured Self Access Rules
To see existing Self Access Rules, just open the Self Access Rule Table page as described in section 11.6.1.2 Access Self Access Rule.
11.6.2 Configuring Service List
Services are a combination of Protocol and Port number. They are used in inbound and outbound ACL rule configuration. You may use the Service Configuration Page to:
> Add a service and set parameters for it
> Modify an existing service
> Delete an existing service
> View configured services
Figure 11.11 shows the Firewall Service List Configuration page. The configured services are listed at the bottom half of the same page.
Figure 11.11 Service List Configuration Page (Firewall > Service > Custom: Add Service, Name
Figure 17.2 System Access Account Configuration Page
Table 17.1 describes all the System Access Account configuration parameters.
Table 17.1 System Access Account Configuration Parameters
Auto Logout After: You can specify an idle timeout threshold for the management session.
Add Account
Username: Enter the username for the specific management account.
Password: Enter the password for the specific management account.
Confirm Password: Enter the password again to confirm the new password.
Access Level: Specifies the Access Level from the drop-down list.
Management: If you need to assign a read/write privilege to a specific user, select Management from the drop-down list.
Monitor: If you need to assign a read-only privilege to a specific user, select Monitor from the drop-down list.
Follow these steps to add a management account:
1. Log into the Configuration Manager as administrator, click on the Administrator menu and then click on the System Access submenu to enter the Management Account Configuration Page.
2. Enter the username into the Username field for the new management account.
3. Enter the password into the Password field for the new management account.
4. To confirm the new password, enter the new password into the Confirm Password field again.
5. Click on the Apply button to save the new pass
...on at the bottom half of the configuration page. Note that if the default gateway address is not shown immediately, click on the WAN menu to open the WAN configuration page again.
Figure 8.2 WAN Dynamic IP (DHCP client) Configuration Page (Network > IP Setup: ISP Login, Interface IP Address: Connection Mode; DNS Server: DNS Mode; Network: MTU Size, MAC Address)
8.5 Static IP
8.5.1 WAN Static IP Configuration Parameters
Table 8.4 describes the configuration parameters available for static IP connection mode.
Table 8.4 WAN Static IP Configuration Parameters
Setting: Description
IP Address: WAN IP address provided by your ISP.
IP Subnet Mask: WAN subnet mask provided by your ISP. Typically it is set as 255.255.255.0.
Gateway IP Address: Gateway IP address provided by your ISP. It must be in the same subnet as the WAN on the OfficeCon
...onfigure the QoS policy, follow these steps:
1. Click Traffic MGMT from the main menu and then click the QoS sub-menu to enter the QoS Configuration page.
2. Select an appropriate interface from the Policy on drop-down list.
3. Click the Add button to enter the QoS Policy Configuration page. See Figure 12.6.
Figure 12.6 QoS Policy Configuration Page (Traffic MGMT > QoS > Policies: Add Policy; Policy on, From, To, Source, Destination, Service, DSCP, Class)
4. Select the originating network interface from the From drop-down list.
5. Select the destination network interface from the To drop-down list.
6. To configure the source address, select the address type from the drop-down list and then fill the appropriate values into the Address and Mask fields.
7. To configure the destination address, select the address type from the drop-down list and then fill the appropriate values into the Address and Mask fields.
8. Select Service from the drop-down list.
9. Select DSCP
otes regarding IP addresses:
> The class can be determined easily from field1:
  field1 = 1 to 126: Class A
  field1 = 128 to 191: Class B
  field1 = 192 to 223: Class C
  (field1 values not shown are reserved for special uses)
> A host ID can have any value except all fields set to 0 or all fields set to 255, as those values are reserved for special uses.

19.3 Subnet masks

Definition: A mask looks like a regular IP address but contains a pattern of bits that tells what parts of an IP address are the network ID and what parts are the host ID: bits set to 1 mean "this bit is part of the network ID" and bits set to 0 mean "this bit is part of the host ID".

Subnet masks are used to define subnets, which are what you get after dividing a network into smaller pieces. A subnet's network ID is created by borrowing one or more bits from the host ID portion of the address. The subnet mask identifies these host ID bits.

For example, consider the class C network 192.168.1. To split this into two subnets you would use the subnet mask 255.255.255.128. It's easier to see what's happening if we write this in binary:

11111111 11111111 11111111 10000000

As with any class C address, all of the bits in field1 through field3 are part of the network ID, but note how the mask specifies that the first bit in field4 is also included. Since this extra bit has only two values, 0 and 1, this means there are
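The mask arithmetic behind the class C split described above, as an added example that is not part of the manual: it derives the address class from field1, validates that a mask is a contiguous run of 1 bits, computes the network ID, host ID and the reserved all-0 and all-1 host addresses, and generalises the split to any number of borrowed bits. The addresses in the calls are constructed.

```python
"""Added example, not from the OfficeConnect manual: the mask arithmetic
behind the class C split (192.168.1.0 with mask 255.255.255.128),
generalised to any mask and any number of borrowed bits. The addresses
used in the calls below are constructed."""


def ip_to_int(ip: str) -> int:
    fields = [int(f) for f in ip.split(".")]
    if len(fields) != 4 or not all(0 <= f <= 255 for f in fields):
        raise ValueError(f"not a dotted-quad address: {ip!r}")
    return (fields[0] << 24) | (fields[1] << 16) | (fields[2] << 8) | fields[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """Class from field1, as in the manual's table; 0, 127 and values above 223 are reserved."""
    first = ip_to_int(ip) >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "reserved"


def prefix_length(mask: str) -> int:
    """Number of leading 1 bits; rejects masks whose 1 bits are not contiguous."""
    host_bits = (~ip_to_int(mask)) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # host_bits must be of the form 2**k - 1
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - host_bits.bit_length()


def subnet_info(ip: str, mask: str) -> dict:
    """Network ID, host ID and the reserved all-0 (network) / all-1 (broadcast) addresses."""
    addr, m = ip_to_int(ip), ip_to_int(mask)
    network = addr & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "network_id": int_to_ip(network),
        "host_id": addr & ~m & 0xFFFFFFFF,
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": max(0, 2 ** (32 - prefix_length(mask)) - 2),
    }


def split_subnets(network: str, mask: str, borrow_bits: int) -> list:
    """Borrow host bits from the mask: returns the 2**borrow_bits subnets as (network, mask)."""
    new_prefix = prefix_length(mask) + borrow_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable hosts would remain per subnet")
    new_mask = int_to_ip(((1 << new_prefix) - 1) << (32 - new_prefix))
    base = ip_to_int(network) & ip_to_int(mask)
    block = 1 << (32 - new_prefix)
    return [(int_to_ip(base + i * block), new_mask) for i in range(1 << borrow_bits)]


if __name__ == "__main__":
    print(split_subnets("192.168.1.0", "255.255.255.0", 1))
    print(subnet_info("192.168.1.130", "255.255.255.128"))
```

Borrowing one bit from 192.168.1.0/255.255.255.0 yields 192.168.1.0 and 192.168.1.128, each with mask 255.255.255.128 and 126 usable hosts; the contiguity check in prefix_length catches a mask such as 255.255.0.255 that the configuration pages would otherwise accept as four numbers.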
p has been configured properly, an example for configuring L2TP over IPSec.

15.2 L2TP Server Configuration Parameters
Table 15.1 describes all the L2TP Server configuration parameters.

Table 15.1 L2TP Server Configuration Parameters
General Settings

[Figure 15.1 L2TP Server Configuration Page: VPN > L2TP, with Enable L2TP (Yes / No), Start IP, End IP, Primary DNS Server (optional), Secondary DNS Server, Primary WINS Server (optional), Secondary WINS Server, User Group (GROUP1) and Required Encryption MPPE (optional)]

15.3 Configuring L2TP Server
Log into Configuration Manager as admin, click the VPN menu and then click the L2TP submenu. The L2TP Server Configuration page displays as shown in Figure 15.1. To configure the L2TP Server, follow the instructions below:
1. To enable L2TP Server functionality on the OfficeConnect Gigabit VPN Firewall, select Yes in the Enable L2TP field.
2. Make changes to any or all of the following fields: Start IP, End IP, Primary DNS Server, Secondary DNS Server, Primary WINS Server, Secondary WINS Server and User G
ployees. See TCP/IP.

Internet Protocol address: The address of a host computer on the Internet, consisting of four numbers, each from 0 to 255, separated by periods, e.g. 209.191.4.240. An IP address consists of a network ID that identifies the particular network the host belongs to and a host ID uniquely identifying the host itself on that network. A network mask is used to define the network ID and the host ID. Because IP addresses are difficult to remember, they usually have an associated domain name that can be specified instead. See also domain name, network mask.
ISP: Internet Service Provider. A company that provides Internet access to its customers, usually for a fee.
LAN: Local Area Network. A network limited to a small geographic area, such as a home, office or small building.
LED: Light Emitting Diode. An electronic light-emitting device. The indicator lights on the front of the OfficeConnect Gigabit VPN Firewall are LEDs.
MAC address: Media Access Control address. The permanent hardware address of a device, assigned by its manufacturer. MAC addresses are expressed as six pairs of characters.
mask: See network mask.
Mbps: Abbreviation for Megabits per second, or one million bits per second. Network data rates are often expressed in Mbps.
NAT: Network Address Translation. A service performed by many routers that translates your network's
ply this rule to all the computers in the source network, such as those on the Internet.
IP Address: This option allows you to specify an IP address on which this rule will be applied.
  IP Address: Specify the appropriate network address.
Subnet: This option allows you to include all the computers that are connected in an IP subnet. When this option is selected, the following fields become available for entry:
  Subnet Mask: Enter the corresponding subnet mask.
Range: This option allows you to include a range of IP addresses for applying this rule. The following fields become available for entry when this option is selected:
  Enter the starting IP address of the range.
Service: This option allows you to select any of the pre-configured services selectable from the drop-down list, instead of the destination port. The following are examples of services: AH, AH and ESP, AIM (AOL), AUTH, BIT TORRENT, CIFS, DHCP, DNS, EMULE, ESP, FINGER, FTP, GRE, HTTP, HTTPS, HTTP PROXY, ICMP, IGMP, IMAP4, IMAPS, IP Phone, IRC, ISAKMP, KERBEROS, L2TP, LDAP, MSN Messenger, NETHOOD, NetMeeting Setup, NetMeeting T.120, NNTP, NTP, PING, POP3, PPTP, QQ, QUAKE, RDP, RealAudio, SIP, SKYPE, SMTP, SNMP, SNMP TRAP, SOCKS, SSH, TCP, TELNET, TFTP, UDP, Yahoo Messenger, 3Com NBX Telephony.
  Note: a service is a combination of protocol and port number. Services appear here after you add them in the Firewall Service configuration page.
Schedule: Select a pre-configured schedul
procedures below using the reset switch:
1. Push and hold the reset button for at least 10 seconds. You will see the TEST LED flashing at 0.5 second intervals.
2. Release the reset button; the system configuration will revert to the factory default once the system boot is complete.

17.6.2 Backup System Configuration
Follow the steps below to back up the system configuration:
1. Log into Configuration Manager as admin, click the Administration menu and then click the Backup/Restore/Upgrade submenu. The configuration page displays as shown in Figure 17.6.
2. Click the Backup button to back up the system configuration.
Note: the backup file holds the complete device configuration, including the account and VPN settings you have entered, so store it where only administrators can read it.

17.6.3 Restore System Configuration
Follow the steps below to restore the system configuration:
1. Log into Configuration Manager as admin, click the Administration menu and then click the Backup/Restore/Upgrade submenu. The configuration page displays as shown in Figure 17.6.
2. Enter the path and name of the system configuration file that you want to restore in the Configuration File text box. Alternatively, you may click the Browse button to search for the system configuration file on your hard drive. A window similar to the one shown in Figure 17.7 will pop up for you to select the configuration file to restore.

[Figure 17.7 File selection dialog: a Windows "Look in" file browser listing the local drive contents]
ps unregistered IP addresses of hosts connected to the LAN with valid ones for Internet access. The OfficeConnect Gigabit VPN Firewall also provides reverse NAT capability, which enables SOHO users to host various services such as e-mail servers, web servers, etc. The NAT rules drive the translation mechanism at the NAT router.

2.4.1.1 ACL (Access Control List)
An ACL rule is one of the basic building blocks for network security. The firewall monitors each individual packet, decodes the header information of inbound and outbound traffic, and then either blocks the packet from passing or allows it to pass, based on the source address, destination address, source port, destination port, protocol and other criteria (e.g. application filters and schedules) defined in the ACL rules. An ACL is a very appropriate measure for isolating one subnet from another. It can be used as the first line of defense in the network to block inbound packets of specific types from ever reaching the protected network. The OfficeConnect Gigabit VPN Firewall's ACL methodology supports:
> Filtering based on destination and source IP address, port number and protocol
> Filter rule priorities
> Time-based filters
> Application-specific filters

2.4.1.2 Stateful Packet Inspection
The OfficeConnect Gigabit VPN Firewall uses stateful packet inspection that extracts state-related information r
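An added example, not code from the manual or the product, of the rule semantics just listed and of the rule parameters described under the firewall ACL pages (source and destination selectors of type Any, IP Address, Subnet or Range; a service defined as protocol plus port; a schedule; rule priority by order): a first-match evaluator run over constructed sample packets. The rule names, the packet dictionary format, the simplified schedule model and the sample addresses are assumptions.

```python
"""Added example, not from the OfficeConnect manual: a first-match ACL
evaluator with the rule vocabulary the manual describes. Source and
destination are selectors of type Any, IP Address, Subnet or Range; a
service is a protocol plus port; a rule may carry a schedule; and rule
order is the priority. The rule names, packet format, schedule model and
sample traffic below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class Selector:
    kind: str          # "any", "ip", "subnet" or "range"
    a: str = ""        # the address, the network address, or the range start
    b: str = ""        # the subnet mask, or the range end

    def matches(self, ip: str) -> bool:
        n = ip_to_int(ip)
        if self.kind == "any":
            return True
        if self.kind == "ip":
            return n == ip_to_int(self.a)
        if self.kind == "subnet":
            mask = ip_to_int(self.b)
            return n & mask == ip_to_int(self.a) & mask
        if self.kind == "range":
            return ip_to_int(self.a) <= n <= ip_to_int(self.b)
        raise ValueError(f"unknown selector type {self.kind!r}")


@dataclass(frozen=True)
class Service:
    """A service is a protocol plus a destination port; port None means any port."""
    name: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        return self.port is None or self.port == dport


@dataclass(frozen=True)
class Schedule:
    """Constructed model of a time-based filter: weekdays (0 = Monday) and an hour window."""
    days: Tuple[int, ...]
    start_hour: int
    end_hour: int

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: Selector
    dst: Selector
    service: Service
    schedule: Optional[Schedule] = None


def evaluate(rules, packet: dict, when: datetime, default: str = "deny") -> Tuple[str, str]:
    """Rules are tried in list order; the first match decides. Returns (action, rule name)."""
    for rule in rules:
        if rule.schedule is not None and not rule.schedule.active(when):
            continue                # outside its schedule the rule is skipped entirely
        if (rule.src.matches(packet["src"]) and rule.dst.matches(packet["dst"])
                and rule.service.matches(packet["proto"], packet.get("dport"))):
            return rule.action, rule.name
    return default, "default"


SERVICES = {
    "HTTPS": Service("HTTPS", "tcp", 443),
    "SSH": Service("SSH", "tcp", 22),
    "ANY": Service("ANY", "any"),
}

# Constructed inbound rule set: a public web server, SSH for an admin address
# range during office hours, and a final deny covering the whole LAN subnet.
INBOUND_RULES = [
    Rule("web-server", "allow", Selector("any"),
         Selector("ip", "192.168.1.10"), SERVICES["HTTPS"]),
    Rule("admin-ssh-office-hours", "allow", Selector("range", "203.0.113.10", "203.0.113.20"),
         Selector("ip", "192.168.1.10"), SERVICES["SSH"], Schedule((0, 1, 2, 3, 4), 8, 18)),
    Rule("block-lan", "deny", Selector("any"),
         Selector("subnet", "192.168.1.0", "255.255.255.0"), SERVICES["ANY"]),
]
```

The check worth running on any rule set is the priority one: reversing the list puts the catch-all deny first and silently hides the web-server rule, which is the same effect a misplaced rule has on the device.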
pter 1 Introduction
11.1 Firewall Overview 51
11.1.1 Stateful Packet Inspection 51
11.1.2 DoS (Denial of Service) Protection 51
11.1.3 Firewall and Access Control List (ACL) 51
11.1.3.1 Priority Order of ACL Rule 51
11.1.3.2 Tracking Connection State 52
11.1.4 Default ACL Rules 52
11.2 NAT 52
11.2.1 Static or One-to-One NAT 52
11.2.2 NAPT or One-to-Many NAT 53
11.2.3 Reverse Static NAT 53
11.2.4 Virtual Server or Reverse NAPT 53
11.3 Configuring Inbound ACL Rules 53
11.3.1 Inbound ACL Rule Configuration Parameters 54
11.3.2 Access Inbound ACL Rule Configuration Pages 55
11.3.3 Add Inbound ACL Rules 56
11.3.4 Modify Inbound ACL Rules 57
11.3.5 Delete Inbound ACL Rules 57
11.3.6 Display Inbound ACL Rules 57
11.4 Configuring Outbound ACL Rules 57
11.4.1 Outbound ACL Rule Configuration Parameters 57
11.4.2 Access Outbound ACL Rule Configuration P 59
11.4.3 Modify O
r. The Configuration Manager program is preinstalled on the OfficeConnect Gigabit VPN Firewall. To access the program you need the following:
> A computer connected to the LAN or WAN port on the OfficeConnect Gigabit VPN Firewall, as described in the Quick Start Guide chapter.
> A web browser installed on the computer. The program is designed to work best with Microsoft Internet Explorer 5.5, Netscape 7.0.2 or later.
You may access the program from any computer connected to the OfficeConnect Gigabit VPN Firewall via the LAN or WAN ports. However, the instructions provided here are for computers connected via the LAN ports.
1. From a LAN computer, open your web browser, type the following in the web address or location box and press <Enter>: http://192.168.1.1
This is the predefined IP address for the LAN port on the OfficeConnect Gigabit VPN Firewall. A login screen displays as shown in Figure 4.1.

[Figure 4.1 Configuration Manager Login Screen (Eddystone Login: user name and password fields)]

2. Enter your user name and password and then click the login button. The first time you log into the program, use these defaults:
Default User Name: admin
Default Password: password
Because the Configuration Manager is reachable from the WAN port as well as the LAN ports, and the login travels over plain HTTP, change the default password before the WAN port is connected to the Internet, and use the Self Access rules (Chapter 11) to limit which addresses may reach the management interface.

4.2 Functional Layout
A typical Configuration Manager page consists of two separate frames. The left frame, as shown in Figure 4.2, contains all the menus available for device configuration. Relate
r displaying each of the Internet Protocol (TCP/IP) properties. Instead of enabling dynamic assignment of the IP addresses for the computer, DNS server and default gateway, click the radio buttons that enable you to enter the information manually.
Note: Your PCs must have IP addresses that place them in the same subnet as the OfficeConnect Gigabit VPN Firewall's LAN port. If you manually assign IP information to all your LAN PCs, you can follow the instructions in Chapter 5 to change the LAN port IP address accordingly.

3.4 Part 4: Quick Configuration of the OfficeConnect Gigabit VPN Firewall
In Part 4 you log into the Configuration Manager on the OfficeConnect Gigabit VPN Firewall and configure basic settings for your Internet connection. Your ISP should provide you with the necessary information to complete this step.
Note: the intent here is to quickly get the OfficeConnect Gigabit VPN Firewall up and running, so the instructions are concise. You may refer to the corresponding chapters for more details.

3.4.1 Setting Up the OfficeConnect Gigabit VPN Firewall
Follow these instructions to set up the OfficeConnect Gigabit VPN Firewall:
1. Before accessing the Configuration Manager in the OfficeConnect Gigabit VPN Firewall, make sure that the HTTP proxy setting is disabled in your browser. In IE, click Tools > Internet Options > Connection
r equivalent numeric IP addresses. Typically the server(s) are located with your ISP. However, you may enter the LAN IP address of the OfficeConnect Gigabit VPN Firewall, as it will serve as DNS proxy for the LAN computers, forward the DNS requests from the LAN to the DNS servers and relay the results back to the LAN computers. Note that both the primary and secondary DNS servers are optional.
Primary/Secondary WINS Server IP Address (optional): The IP address of the WINS servers to be used by computers that receive IP addresses from the DHCP IP address pool. You don't need to enter this information unless your network has WINS servers.
NBX Call Processor (Option 184): If you have a 3Com NBX Call Processor on your network, please enter its IP address in this field.
Enable SIP Servers (Option 120): To enable the SIP Servers option (120), please ensure that the enable checkbox is ticked.
SIP Server Encoding type: If the type of SIP server address is FQDN, please click on the FQDN radio button; otherwise click on the IP Address radio button.
Primary SIP Address: The IP address or fully qualified domain name of the primary SIP server.
Secondary SIP Address: The IP address or fully qualified domain name of the secondary SIP server.
3. Click Apply to save the DHCP server configuration.

5.2.4 Viewing Current DHCP Add
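What the two SIP Server encoding types on this page put on the wire, as an added example that is not code from the manual or the product: the DHCP SIP Servers option (code 120) is defined in RFC 3361 with an encoding byte of 0 for a list of domain names in DNS wire format (no compression pointers) and 1 for a list of IPv4 addresses. The encoder and decoder below implement both forms; option 184 for the NBX Call Processor is vendor-specific and is not modelled. The server names and addresses in the calls are constructed.

```python
"""Added example, not from the OfficeConnect manual: encode and decode the
DHCP SIP Servers option (code 120, RFC 3361) in the two encodings the DHCP
page offers, FQDN (enc byte 0, DNS wire-format names without compression)
and IP Address (enc byte 1, a list of IPv4 addresses). Option 184 for the
3Com NBX Call Processor is vendor-specific and not modelled here. The
server names and addresses in the calls below are constructed."""
from typing import List, Tuple

OPTION_SIP_SERVERS = 120


def encode_fqdn(name: str) -> bytes:
    """RFC 1035 section 3.1 form: length-prefixed labels ending with a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_fqdn(data: bytes, pos: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not permitted in option 120")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), pos


def ipv4_bytes(addr: str) -> bytes:
    quad = [int(x) for x in addr.split(".")]
    if len(quad) != 4 or not all(0 <= q <= 255 for q in quad):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return bytes(quad)


def encode_option_120(servers: List[str], use_fqdn: bool) -> bytes:
    if use_fqdn:
        body = b"\x00" + b"".join(encode_fqdn(s) for s in servers)
    else:
        body = b"\x01" + b"".join(ipv4_bytes(s) for s in servers)
    if len(body) > 255:
        raise ValueError("option payload exceeds the one-byte option length field")
    return bytes([OPTION_SIP_SERVERS, len(body)]) + body


def decode_option_120(opt: bytes) -> Tuple[str, List[str]]:
    code, length = opt[0], opt[1]
    if code != OPTION_SIP_SERVERS or length != len(opt) - 2:
        raise ValueError("not a well-formed option 120")
    body = opt[2:]
    enc = body[0]
    if enc == 1:
        if (len(body) - 1) % 4:
            raise ValueError("IPv4 list length is not a multiple of 4")
        return "ip", [".".join(str(b) for b in body[i:i + 4]) for i in range(1, len(body), 4)]
    if enc == 0:
        names, pos = [], 1
        while pos < len(body):
            name, pos = decode_fqdn(body, pos)
            names.append(name)
        return "fqdn", names
    raise ValueError(f"unknown encoding byte {enc}")
```

A decoder that tolerates compression pointers or an odd trailing byte is how a malformed option from an untrusted DHCP server turns into a parsing bug on the phone, so both are rejected here.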
r the WAN interface on the OfficeConnect Gigabit VPN Firewall that communicates with your ISP. You'll learn to configure the IP address, DHCP and DNS server for your WAN in this chapter.

8.1 WAN Connection Mode
Three modes of WAN connection are supported by the OfficeConnect Gigabit VPN Firewall: a login-based connection (PPPoE, PPTP or Telstra BigPond), dynamic IP and static IP. If your WAN connection requires a login, make sure the Login Required checkbox is checked, as shown in Figure 8.1.

[Figure 8.1 WAN Connection Type Configuration: Interface LAN7/WAN1 (eth0.7); ISP Login with Current IP, Login Required, Login, Password, Connection Mode and ISP Type (PPPoE / PPTP / BigPond), AC Name (optional), Service Name (optional), Dial on Demand, Disconnect after Idle 5 Minutes, Unnumbered; DNS Server with DNS Mode (Use These DNS Servers / Get Automatically from ISP); Network with MTU Default 1492 / Custom Bytes; MAC Address with Use Default Address / Use this computer's MAC / Use this MAC Address]

8.2 PPPoE

8.2.1 WAN PPPoE Configuration Parameters
Table 8.1 describes the configuration parameters available for PPPoE connection mode.

Table 8.1 WAN PPPoE Configuration Parameters
Setting: Description
User Name and Password: Enter the username and password you use to log into your ISP. Note: this is different from the information you used to log into Configuration Manager.
AC Name: If
red VLAN to enter the VLAN Configuration page.

[Figure 6.2 VLAN Configuration Page: Network > VLAN, Modify VLAN eth0.1, VLAN ID 1 (1 to 4094), membership type selector (Untagged / Tagged / Not A Member) and per-port Tag Port / Untag Port rows]

7. Enter a valid ID into the specified VLAN ID field.
8. Move the mouse cursor to the desired VLAN membership type icon and click on the icon to select the membership type: Untagged VLAN, Tagged VLAN or Not A Member.

[Figure 6.3 Select a VLAN Membership Type]

9. Move the mouse cursor to the desired port icon and click on the RJ45 icon to apply the membership type to the selected port. Please see Figure 6.4.

[Figure 6.4 VLAN Membership Assignment]

10. Click Apply to save the VLAN settings.

7 Configuring Spanning Tree Settings

7.1 Spanning Tree Overview
This section contains information for configuring STP. The Spanning Tree Protocol (STP) provides a tree topology for any arrangement of bridges. STP also provides a single p
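What the Tagged and Untagged membership types above mean on the wire, as an added example that is not code from the manual or the product: a tagged port carries the 4-byte IEEE 802.1Q tag after the source MAC, an untagged member port strips it on egress, and the VLAN ID must be in the 1 to 4094 range the page enforces. The MAC addresses and payload in the calls are constructed.

```python
"""Added example, not from the OfficeConnect manual: build and parse the
IEEE 802.1Q tag that separates a tagged port from an untagged one, with
the VLAN ID range (1-4094) the VLAN page accepts. The MAC addresses and
payload in the calls below are constructed."""
import struct
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged frame when vlan_id is None (what an untagged port sends);
    otherwise the 4-byte 802.1Q tag is inserted after the source MAC."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
        if not 0 <= pcp <= 7:
            raise ValueError("priority code point must be 0-7")
        tci = (pcp << 13) | vlan_id          # DEI bit (bit 12) left clear
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"vlan_id": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1}
        ethertype, payload = struct.unpack("!H", frame[16:18])[0], frame[18:]
    else:
        vlan, payload = None, frame[14:]
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": payload}


def strip_tag(frame: bytes) -> bytes:
    """What an untagged member port does on egress: drop the tag, keep the rest."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vlan"] else frame
```

The practical consequence for the partitioning the manual promises is that a host on an untagged port never sees the tag, so VLAN separation holds only if every port carrying more than one VLAN is configured as tagged and the attached device is trusted to honour the tag.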
ress, Subnet Mask, Remote Id Type, Identifier, Method (Pre-shared key), HASH, SA Lifetime (sec), Authentication, SA Lifetime

[Figure 14.2 VPN Tunnel Configuration Page (Pre-shared Key Mode): remote secure group Any, Remote Id Type IP Address (optional), Method Pre-shared key (8 to 49 characters), HASH SHA1, SA Lifetime 28800 sec, Authentication SHA1, SA Lifetime 600]

5. Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Preshared Key), pre-shared key, encryption/authentication algorithm for IKE, lifetime for IKE, encryption/authentication algorithm for IPSec, operation mode for IPSec, PFS group for IPSec and lifetime for IPSec. Please see Table 14.1 for an explanation of these fields. Use a long random value for the pre-shared key (the field accepts up to 49 characters); a short or guessable key is the weak point of pre-shared-key IKE authentication.
6. Click on the button to create the new VPN rule. The new VPN rule will then be displayed in the VPN policy list table.

14.2.2 Modify VPN Rules
To modify a VPN rule, follow the instructions below:
1. Log into Configuration Manager as admin, click the VPN menu and then click the IPSec submenu. Prior to modifying a VPN rule, make sure that the VPN service is enabled in the System Service Configuration page.
2. Click on the edit icon of the rule to be modified in the VPN policy rule table.
3. Make changes to any or all of the following fields: local/remote secure group, remote gateway, key management type (select Preshared Key), pre-shared key, encryption/authentication algor
ress Assignments
When the OfficeConnect Gigabit VPN Firewall functions as a DHCP server for your LAN, it keeps a record of any addresses it has leased to your computers. To view a table of all current IP address assignments, just go to the DHCP Server Configuration page. A page displays similar to that shown in Figure 5.3; the bottom half of the same page shows the existing DHCP address assignments. The DHCP Server Address Table lists any IP addresses that are currently leased to LAN devices. For each leased address, the table lists the following information:

Table 5.3 DHCP Address Assignment
Field: Description
MAC Address: The hardware ID of the device that leases an IP address from the DHCP server.
Assigned IP Address: The address that has been leased from the pool.
IP Address Expired on: The time when the leased address is to be terminated.

5.3 Configuring Fixed DHCP Leases
Fixed DHCP Leases are IP addresses assigned to hosts requiring permanent IP settings. To configure fixed DHCP leases, you can follow one of the following methods:
> Manually enter a fixed DHCP entry: You can manually enter information about a network device.
> Import discovered LAN hosts as fixed DHCP entries: The local network is scanned using ARP requests. The ARP scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will appear in
resses of the DNS servers it contacts. It can learn these addresses in either or both of the following ways:
> Learned through PPPoE or Dynamic IP Connection: If the OfficeConnect Gigabit VPN Firewall uses a PPPoE (see section 8.2.2 Configuring PPPoE for WAN) or Dynamic IP (see section 8.4.2 Configuring Dynamic IP for WAN) connection to the ISP, the primary and secondary DNS addresses can be learned via the PPPoE protocol. Using this option provides the advantage that you will not need to reconfigure the PCs or the OfficeConnect Gigabit VPN Firewall if the ISP changes their DNS addresses.
> Configured on the OfficeConnect Gigabit VPN Firewall: You can also specify the ISP's DNS addresses in the WAN Configuration page as shown in
Follow these steps to configure DNS relay:
1. Enter

5.5 Configuring the Port Settings
This page allows you to enable/disable a specific port, change the port speed or enable/disable DMZ ports. Follow these steps to configure the port settings:

[Figure: Device Summary page fields: System Contact, Serial Number, Product 3C Number 3CREVF100-73, System Object ID 1.3.6.1.4.1.43.1.19.20, System Up Time 1 day 3 hr 47 min 59 sec, Software Version Eddystone v2.2.6a.img, Boot Version 1.0.2, Hardware Version 1.16.0, System Location]
rk host can exceed (X Sessions create). Once a network host creates more sessions than the limit, the host is blocked from creating more sessions for the next defined number of minutes if you select "block this IP to add new session for X minutes", or all of the traffic created from the host is discarded for the specified minutes if you select "block this IP's all connection for X minutes". Follow these steps to configure the Session Limit function:

12 Configuring Quality of Service

12.1 Overview
Quality of Service (QoS) is the ability to provide different priority to different applications, users or data flows, or to guarantee a certain level of performance to a data flow. For instance, a required bit rate, delay, jitter, packet dropping probability and/or bit error rate may be guaranteed. QoS guarantees are important if the network capacity is insufficient, especially for real-time streaming multimedia applications such as voice over IP, online games and IP TV. You may follow these steps to configure QoS on the OfficeConnect Gigabit VPN Firewall:
Step 1: Define the maximum bandwidth of the WAN interface.
Step 2: Create a QoS Class Object.
Step 3: Create a QoS Policy and apply the policy to a specific interface.

12.2 Define the Maximum Bandwidth
To define the maximum bandwidth of the WAN interface, follow these steps:
1. Click the Traffic MGMT menu in the main m
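The two Session Limit block modes described at the top of this passage, as an added example that is not code from the manual or the product: a per-host session counter that, once a host exceeds its limit, either refuses that host new sessions for X minutes or discards all of its traffic for X minutes. Time is passed in explicitly so the behaviour can be checked deterministically; the limit, timings and host addresses in the calls are constructed.

```python
"""Added example, not from the OfficeConnect manual: a per-host session
limiter with the two block modes the Session Limit page describes. Once a
host exceeds its session limit it is either refused new sessions for X
minutes ("block_new") or has all of its traffic discarded for X minutes
("block_all"). Time is a plain number of seconds supplied by the caller;
the limit, timings and hosts in the calls below are constructed."""
from collections import defaultdict


class SessionLimiter:
    def __init__(self, max_sessions: int, block_minutes: int, mode: str = "block_new"):
        if mode not in ("block_new", "block_all"):
            raise ValueError(f"unknown block mode {mode!r}")
        self.max_sessions = max_sessions
        self.block_seconds = block_minutes * 60
        self.mode = mode
        self.sessions = defaultdict(set)      # host -> ids of its open sessions
        self.blocked_until = {}               # host -> time (seconds) the block ends

    def _is_blocked(self, host: str, now: float) -> bool:
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:                      # block window has expired
            del self.blocked_until[host]
            return False
        return True

    def new_session(self, host: str, session_id: str, now: float) -> bool:
        """Return True if the new session is admitted."""
        if self._is_blocked(host, now):
            return False
        if len(self.sessions[host]) >= self.max_sessions:
            # The session that exceeds the limit is refused and starts the block window.
            self.blocked_until[host] = now + self.block_seconds
            return False
        self.sessions[host].add(session_id)
        return True

    def existing_packet(self, host: str, now: float) -> bool:
        """Return True if a packet on an already-open session is forwarded."""
        if self.mode == "block_all" and self._is_blocked(host, now):
            return False
        return True

    def close_session(self, host: str, session_id: str) -> None:
        self.sessions[host].discard(session_id)
```

The difference between the modes is visible in existing_packet: in "block_new" the host's open connections keep flowing through the block window, in "block_all" they are dropped too, which is the setting to choose for a host that is flooding rather than merely busy.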
roup for the L2TP Server. Please see Table 15.1 for an explanation of these fields.
3. Click on the Apply button to modify the L2TP Server settings.

15.4 Viewing Active L2TP Sessions
Log into Configuration Manager as admin, click the VPN menu, click the L2TP submenu and then click the Status tab at the top of the configuration page, as shown in Figure 15.2.

[Figure 15.2 Viewing Active L2TP Sessions: VPN > L2TP > Status, Active Sessions table with an IP Address column]

16 Configuring PPTP Server

16.1 Introduction
PPTP (Point-to-Point Tunnelling Protocol) is an encrypted VPN protocol like IPSec. It is not as secure as IPSec but is easy to administer. PPTP does not support gateway-to-gateway connections and is only suitable for connecting remote users. PPTP's MS-CHAPv2 authentication and RC4-based MPPE encryption have well-known weaknesses, so limit it to legacy clients that cannot use IPSec or L2TP over IPSec.

16.2 PPTP Server Configuration Parameters
Table 16.1 describes all the PPTP Server configuration parameters.

Table 16.1 PPTP Server Configuration Parameters
General Settings
Enable PPTP: Click on the Yes radio button if you want to enable the PPTP server.
Start IP: Enter the starting IP address of the PPTP address pool in the specified field.
End IP: Enter the ending IP address of the PPTP address pool in the specified field.
Primary DNS Server: Enter the
rs maintain a table of IP addresses that are commonly accessed by their users. For each of these destination IP addresses, the table lists the IP address of the first hop the data should take. This table is known as the device's routing table.

[Figure 9.3 Viewing Routing Table: Network > Routing > Static Route / Route Display, listing routes on eth0.1 (VLAN1/LAN), including the directly connected network 192.168.1.0 mask 255.255.255.0 and a default route 0.0.0.0 via gateway 192.168.1.110; flag legend: C Directly Connected, S Static, R RIP, I ICMP Redirected]

10 Configuring DDNS
Dynamic DNS is a service that allows computers to use the same domain name even when the IP address changes from time to time (during a reboot, or when the ISP's DHCP server resets IP leases). The OfficeConnect Gigabit VPN Firewall connects to a Dynamic DNS service whenever the WAN IP address changes. It supports setting up web services such as a Web server or FTP server using a domain name instead of the IP address. Dynamic DNS supports the DDNS clients with the following features:
> Update DNS records (addition) when an external interface comes up. Any
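How the first hop is chosen from a routing table like the one on the Route Display page, as an added example that is not code from the manual or the product: longest-prefix-match over (destination, mask, gateway, interface, flag) entries, where the default route (mask 0.0.0.0) matches everything but only wins when no more specific entry does. The LAN and default entries mirror the addresses in the figure; the 10.10.0.0 static route and its gateway are constructed.

```python
"""Added example, not from the OfficeConnect manual: longest-prefix-match
lookup over a routing table shaped like the Route Display page
(destination, mask, gateway, interface, flag), with a directly connected
LAN route, a static route and a default route. The 10.10.0.0 static route
and its gateway are constructed; the LAN and default entries mirror the
addresses shown in the figure."""
from typing import Iterable, Optional, Tuple

Route = Tuple[str, str, str, str, str]   # destination, mask, gateway, interface, flag


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_len(mask: str) -> int:
    return bin(ip_to_int(mask)).count("1")


ROUTES = [
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "eth0.1", "C"),   # directly connected LAN
    ("10.10.0.0", "255.255.0.0", "192.168.1.254", "eth0.1", "S"),  # constructed static route
    ("0.0.0.0", "0.0.0.0", "192.168.1.110", "eth0.1", "S"),        # default route
]


def lookup(routes: Iterable[Route], dst: str) -> Optional[dict]:
    """Pick the matching route with the longest mask. The default route
    (mask 0.0.0.0) matches every address with length 0, so it only wins
    when nothing more specific matches. Returns None if no route matches."""
    d = ip_to_int(dst)
    best, best_len = None, -1
    for route in routes:
        dest, mask = route[0], route[1]
        m = ip_to_int(mask)
        if d & m == ip_to_int(dest) & m and prefix_len(mask) > best_len:
            best, best_len = route, prefix_len(mask)
    if best is None:
        return None
    dest, mask, gateway, iface, flag = best
    # A gateway of 0.0.0.0 marks a directly connected network: deliver to the host itself.
    next_hop = dst if gateway == "0.0.0.0" else gateway
    return {"route": f"{dest}/{best_len}", "next_hop": next_hop, "interface": iface, "flag": flag}
```

Because the selection is by mask length and not by table position, a static route added later for a more specific prefix takes traffic away from the default route immediately, which is what to check after adding one.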
rt traffic by failing over to the backup WAN port. The primary and secondary WAN ports can also be used in a more dynamic setup where the administrator chooses a method of dividing outbound traffic flows between the two WAN ports. This feature is referred to as load balancing.

2.4.4 QoS and Bandwidth Management
The QoS and Bandwidth Management function allows voice and data traffic to flow through, with voice traffic transmitted at the highest priority. With DiffServ QoS enabled, voice packets are marked so that DiffServ-enabled devices such as routers or switches pass them first; this priority only holds on devices along the path that honour the DSCP marking.

2.4.5 Virtual LAN Interfaces (VLAN)
The Virtual Local Area Network (VLAN) feature allows the OfficeConnect Gigabit VPN Firewall to be partitioned into non-interacting network domains.

3 Quick Start Guide
This Quick Start Guide provides basic instructions for connecting the OfficeConnect Gigabit VPN Firewall to a computer or a LAN and to the Internet.
> Part 1 provides instructions to set up the hardware.
> Part 2 describes how to configure Internet properties on your computer(s).
> Part 3 shows you how to configure basic settings on the OfficeConnect Gigabit VPN Firewall to get your LAN connected to the Internet.
After setting up and configuring the device, you can follow the instructions on page 18 to verify that it is working properly. This Quick Start Guide assumes that you
s tab > LAN settings, and then uncheck Use proxy server for your LAN.
2. On any PC connected to one of the four LAN ports on the OfficeConnect Gigabit VPN Firewall, open your Web browser, type the following URL in the address/location box and press <Enter>: http://192.168.1.1
This is the predefined IP address for the LAN port on the OfficeConnect Gigabit VPN Firewall. A login screen displays as shown in Figure 3.4.

[Figure 3.4 Login Screen (Eddystone Login: user name and password fields)]

If you have problems connecting to the OfficeConnect Gigabit VPN Firewall, you may want to check if your PC is configured to accept IP address assignment from the OfficeConnect Gigabit VPN Firewall ac
3. Log in with the defaults: Default User Name: admin, Default Password: password.
Note: You can change the password at any time.
4. Click on the Administration > System Access menu to enter the Account configuration page, as shown in Figure 3.5. Select an appropriate

[Figure 3.5 System Access Configuration Page: Administration > System Access > Account, with Auto logout after (minutes), Add Account (Username 5 to 12 characters, Access Level Management, Password 5 to 12 characters, Confirm Password) and a Summary table listing the admin account (access level management) and a monitor-level account, with Edit controls]
s Configuring LAN Settings
This chapter describes how to configure LAN properties for the LAN interface on the OfficeConnect Gigabit VPN Firewall that communicates with your LAN computers. You'll learn to configure the IP address, DHCP and DNS server for your LAN in this chapter.

5.1 LAN IP Address
If you are using the OfficeConnect Gigabit VPN Firewall with multiple PCs on your LAN, you must connect the LAN via the Ethernet ports on the built-in Ethernet switch. You must assign a unique IP address to each device residing on your LAN. The LAN IP address identifies the OfficeConnect Gigabit VPN Firewall as a node on your network; that is, its IP address must be in the same subnet as the PCs on your LAN. The default LAN IP for the OfficeConnect Gigabit VPN Firewall is 192.168.1.1.

Definition: A network node can be thought of as any interface where a device connects to the network, such as the OfficeConnect Gigabit VPN Firewall's LAN port and the network interface cards on your PCs. See Appendix 18 for an explanation of subnets.

You can change the default to reflect the set of IP addresses that you want to use with your network.

Note: The OfficeConnect Gigabit VPN Firewall itself can function as a DHCP server for your LAN computers, as described in section 5.2.3 Configuring DHCP Server, but not for its own LAN port.

5.1.1 LAN IP Configuration Parameters
Table 5.1 describes the configuration parame
s available for dynamic IP connection mode.

Table 8.3 WAN Dynamic IP Configuration Parameters
Field: Description
Primary/Secondary DNS: IP address of the primary and/or secondary DNS. These are optional, as the DHCP client will automatically obtain the DNS IP addresses configured at your ISP. However, if there are other DNS servers you would rather use, enter their IP addresses in the spaces provided.
MAC Cloning: The default is to use the MAC address of the WAN interface. However, if you had registered a MAC address previously with your ISP, you may need to enter that MAC address here.

8.4.2 Configuring Dynamic IP for WAN
Follow the instructions below to configure dynamic IP settings:
1. Make sure the Login Required checkbox is unchecked, as shown in Figure 8.1.
2. (Optional) If you want to enter the DNS servers manually, click the Use These DNS Servers radio button and enter the IP addresses for the primary and secondary DNS servers; otherwise skip this step.
3. If you had previously registered a specific MAC address with your ISP for Internet access, click the Use this MAC Address radio button, enter the registered MAC address and make sure you check the MAC cloning check box.
4. Click Apply to save the Dynamic IP settings when you are done with the configuration. You'll see a summary of the WAN configurati
replaceable or serviceable parts inside the unit. If you have a problem with the firewall that cannot be resolved using the troubleshooting in this guide, contact your supplier.
CAUTION: Before removing the unit, unplug the power adapter cable.
CAUTION: RJ-45 ports. These are shielded RJ-45 data sockets. They cannot be used as telephone sockets. Only RJ-45 data connectors may be connected to these sockets.

Appendix 21 SAFETY INFORMATION
Important safety information
RJ-45 data connectors in these sockets.
WARNING: Warnings give instructions that you must follow to ensure your personal safety. You must follow all instructions carefully. Please read the safety instructions below carefully before installing or uninstalling the device.
WARNING: Take great care when installing and uninstalling the device.
WARNING: The device must only be stacked with other OfficeConnect products.
WARNING: To ensure compliance with international safety standards, use only the power adapter supplied with this device.
WARNING: The mains socket must be located near the device
stall it.
1. In the Windows NT task bar, click the <Start> button, point to Settings and then click Control Panel.
2. In the Control Panel window, double-click the Network icon.
3. In the Network dialog box, click the Protocols tab.
4. The Protocols tab displays a list of currently installed network protocols.
5. If the list includes TCP/IP Protocol, then the protocol has already been enabled. Skip to step 14.
6. If TCP/IP does not display as an installed component, click the <Add> button.
7. In the Select Network Protocol dialog box, select TCP/IP and then click the <OK> button.
8. You may be prompted to install files from your Windows NT installation CD or other media.
9. Follow the instructions to install the files.
10. After all files are installed, a window displays to inform you that a TCP/IP service called DHCP can be set up to dynamically assign IP information.
11. Click the <Yes> button to continue, and then click the <OK> button if prompted to restart your computer.
12. Next, configure the PCs to accept IP addresses assigned by the OfficeConnect Gigabit VPN Firewall.
13. Open the Control Panel window and then double-click the Network icon.
14. In the Network dialog box, click the Protocols tab.
15. In the Protocols tab, select TCP/IP and then click the <Properties> button.
16. In the Microsoft TCP/IP Properties dialog box, click the radio button labeled Obtain an IP a
193. …sted IP address.
> Add a Self Access rule and set basic parameters for it
> Modify an existing Self Access rule
> Delete an existing Self Access rule
> View existing Self Access rules
Figure 11.9 Content filter Rule Example (Firewall > Content Filter Setup: Trusted IP address; Allowed Keywords: Add Allowed Keyword; Blocked Keywords: Add Blocked Keyword, with "mail" entered as the example keyword).
11.6 Configuring Advanced Firewall Features. This option sequence brings up the screen with the following sub-options for setting advanced firewall features:
> Self Access: This option allows you to configure rules for controlling packets targeting the OfficeConnect Gigabit VPN Firewall itself.
> Services: Use this option to configure services (applications using specified port numbers). Each service record contains the name of the service record, the IP protocol value and its corresponding port number.
> DoS: Use this option to configure DoS (Denial of Service) parameters.
Figure 11.10 Self Access Rule Table Page (Firewall > ACL > Self Access: Self Access Policies table with Source, Destination, Service, Schedule and Action columns).
11.6.1.1 Self Access Configuration Parameters. Table 11.4 describes the configuration parameters available in the Sel…
194. …stem Configuration Management. 17.6.1 Reset System Configuration. At times you may want to revert to factory default settings to eliminate problems resulting from incorrect system configuration. Follow the steps below to reset the system configuration:
1. Log into Configuration Manager as admin, click the Administration menu and then click the Backup/Restore/Upgrade submenu. The configuration page displays as shown in Figure 17.6.
2. Click on the Initialize all information button to set the system configuration back to factory default. Note that the OfficeConnect Gigabit VPN Firewall will reboot to put the factory default configuration into effect.
Figure 17.6 Default Setting Configuration Page (Administration > Backup & Upgrade Configuration: Backup/Restore Configuration; Restore from file; Reset: power cycle and maintain all configuration information; Initialize all information: return all configuration information to factory defaults).
Sometimes you may find that you have no way to access the OfficeConnect Gigabit VPN Firewall, e.g. you forget your password. The only way out in this scenario is to reset the system configuration to the factory default by following the…
195. …symmetrical refers to its unequal data rates for downloading and uploading (the download rate is higher than the upload rate). The asymmetrical rates benefit home users because they typically download much more data from the Internet than they upload.
authenticate: To verify a user's identity, such as by prompting for a password.
binary: The base-two system of numbers that uses only two digits, 0 and 1, to represent all numbers. In binary, the number 1 is written as 1, 2 as 10, 3 as 11, 4 as 100, etc. Although expressed as decimal numbers for convenience, IP addresses in actual use are binary numbers; e.g. the IP address 209.191.4.240 is 11010001.10111111.00000100.11110000 in binary. See also bit, IP address, network mask.
Appendix 22 OBTAINING SUPPORT FOR YOUR PRODUCT
bit: Short for binary digit, a bit is a number that can have two values, 0 or 1. See also binary.
bps: bits per second.
broadband: A telecommunications technology that can send different types of data over the same medium. DSL is a broadband technology.
broadcast: To send data to all computers on a network.
DHCP: Dynamic Host Configuration Protocol. DHCP automates address assignment and management. When a computer connects to the LAN, DHCP assigns it an IP address from a shared pool of IP addresses; after a specified time limit, DHCP returns the address to the pool.
DHCP relay: Dynamic Host Configuration Protocol relay. A DHCP relay is…
196. …t. With respect to the OfficeConnect Gigabit VPN Firewall, WAN refers to the Internet.
Web browser: A software program that uses Hyper Text Transfer Protocol (HTTP) to download information from, and upload information to, web sites, and displays the information, which may consist of text, graphic images, audio or video, to the user. Popular web browsers include Netscape Navigator and Microsoft Internet Explorer. See also HTTP, web site, WWW.
Web page: A web site file, typically containing text, graphics and hyperlinks (cross-references) to other pages on that web site as well as to pages on other web sites. When a user accesses a web site, the first page that is displayed is called the home page. See also hyperlink, web site.
Web site: A computer on the Internet that distributes information to, and gets information from, remote users through web browsers. A web site typically consists of web pages that contain text, graphics and hyperlinks. See also hyperlink, web page, WWW.
WWW: World Wide Web. Also called the Web. Collective term for all web sites anywhere in the world that can be accessed via the Internet.
Index: 100BASE-T 126; 10BASE-T 126; ADSL 126; authenticate 126; Binary numbers 126; Bits 126; Broadband 126; Broadcast 126; Computers, configuring IP information 12; Configuration Manager, overvie…
197. …t Any will allow this service to be used by any computers in your LAN network. Otherwise select Single Address and enter the IP address of one computer.
(IP/MAC Binding fragment:) 1. Click on Firewall > IP/MAC Binding to enter the IP/MAC Binding configuration page. … Policies table … 3. Make desired changes to any or all of the following fields: IP Address, MAC Address.
Chapter 14 Configuring IPSec VPN
Table 11.8 Port Triggering Configuration Parameters
Outgoing Protocol: Select the protocol type from the drop-down list. The available options are TCP and UDP.
Outgoing Port Range: The port range this application uses when it sends outbound packets. The outgoing port numbers act as the trigger. When the router detects outgoing packets with these port numbers, it will allow the corresponding inbound packets with the incoming port numbers specified in the Incoming Port Range field to pass through the router.
Incoming Protocol: The protocol that the corresponding inbound packet uses. The available options are TCP and UDP.
Incoming Port Range: The port range that the corresponding inbound packet uses.
Please refer to the following sections to configure the Port Triggering rule for the OfficeConnect Gigabit VPN Firewall.
11.6.6.2 Adding a Port Triggering Rule. Follow these steps to set up a Port Triggering Rule: 1. Click on Firewall > Port Triggering menu to enter the Port Triggering configuration page. See F…
198. …t the bottom half of the configuration page, enabled such as those shown in Figure 11.8.
11.5.4 Modify a Content Filter Rule. To modify a Content Filter rule, you must first delete the existing Content filter rule (see Section 11.5.5) and then add a new one (see Section 11.5.3).
11.5.5 Delete a Content Filter Rule. To delete a Content Filter rule, just click on the icon in front of the rule to be deleted, or follow the instructions below: 1. Open the URL Configuration page (see section 11.5.2 Access Content Filter Configuration Page). 2. Click on the check box in front of the rule to be deleted. 3. Click on the button to delete the selected rules.
11.5.6 View Configured Content Filter Rules. To see existing Content filter rules, just open the Content Filter Configuration page as descri…
11.5.3 Add a Content Filter Rule. To add a Content Filter rule, follow the instructions below…
Figure 11.8 Content Filter Configuration Page (Firewall > Content Filter Setup: General: Enable Web Content Filter; Web Components: Proxy, Java, ActiveX, Cookies; Trusted IP address; Allowed keywords: Add Allowed Keyword; Blocked Keywords: Add Blocked Keyword).
199. …t to configure the rule as an allow rule. This rule, when bound to the firewall, will allow matching packets to pass. Select Deny from the drop-down list to configure the rule as a deny rule. This rule, when bound to the firewall, will drop matching packets.
Figure 11.3 ACL Rule List Table (Firewall > ACL: tabs LAN/WAN, DMZ/WAN, DMZ/LAN, Self Access; Default LAN to WAN Policy: Allow; LAN to WAN Policies; WAN to LAN Policies).
You can configure ACL rules for LAN/WAN, DMZ/WAN, DMZ/LAN and Self Access traffic by clicking the tab button on the top of the ACL Rule List Table. See Figure 11.4.
Figure 11.4 Tab Buttons for Different Traffic Types (LAN/WAN, DMZ/WAN, DMZ/LAN, Self Access; Default LAN to WAN Policy).
Add LAN/WAN Inbound Rule page (Firewall > ACL > LAN/WAN): Condition: Source: Any; Destination: Any; Service: HTTP; Schedule: None; Action…
200. …tagged member of one VLAN. By default it is an untagged member of VLAN1. The system cannot remove a port's untagged membership from its present VLAN directly; it has to add the port as an untagged member of a new VLAN instead. There is no restriction on tagged membership: a port can be a tagged member of any number of VLANs.
6.2 VLAN Configuration Parameters. Table 6.1 describes the configuration parameters available for VLAN configuration.
Table 6.1 VLAN Configuration Parameters
VLAN ID: Specifies the VLAN ID to which the port is assigned.
Tag Port: Specifies a physical port to be a tagged member of a VLAN.
Untag Port: Specifies a physical port to be an untagged member of a VLAN.
6.3 Configuring the VLAN settings. Follow these steps to change the VLAN settings: 1. Log into Configuration Manager as administrator and then click the Network menu. When the submenus of the Network menu display, click the VLAN submenu to display the VLAN configuration summary page as shown in Figure 6.1.
Chapter 5 Configuring LAN Settings
Figure 6.1 VLAN Configuration Summary Page (Network > VLAN: VLAN list, including VLAN6 DMZ2, VLAN7 WAN1, VLAN8 WAN2).
Click on the pen icon of the desi…
201. …tails such as time of packet arrival, description of action taken by the Firewall and reason for the action.
> Supports the UNIX Syslog format.
> Sends log report e-mails as scheduled by the network administrator, or by default when the log file is full.
> All the messages are sent in the WELF format.
> ICMP logging to show code and type.
2.4.2 VPN. The introduction of broadband Internet access at an affordable price has attracted a large number of users to use the Internet for business. Large-scale use of a very open public network such as the Internet comes with a lot of advantages and associated risks. These risks include the lack of confidentiality of the data being sent and of assurance about the authenticity of the identities of the parties involved in the exchange of data. The VPN supported in the OfficeConnect Gigabit VPN Firewall is intended to resolve these issues at an affordable price. The VPN supported by the OfficeConnect Gigabit VPN Firewall is IPSec compliant. Packets sent via VPN are encrypted to maintain privacy. The encrypted packets are then tunneled through a public network. As a result, tunnel participants enjoy the same security features and facilities that are otherwise available only to members of private networks, at a reduced cost. The following table lists the VPN features supported by the OfficeConnect Gigabit VPN Firewall.
Table 2.4 VPN Features of the OfficeConnect Gigabit VPN Firewall: Transport Mode for Client-Client Connectiv…
202. …tal Subscriber Line. A technology that allows both digital data and analog voice signals to travel over existing copper telephone lines.
Ethernet: The most commonly installed computer network technology, usually using twisted pair wiring. Ethernet data rates are 10 Mbps and 100 Mbps. See also 10BASE-T, 100BASE-T, twisted pair.
filtering: To screen out selected types of data based on filtering rules. Filtering can be applied in one direction (upstream or downstream) or in both directions.
filtering rule: A rule that specifies what kinds of data a routing device will accept and/or reject. Filtering rules are defined to operate on an interface (or multiple interfaces) and in a particular direction (upstream, downstream or both).
firewall: Any method of protecting a computer or LAN connected to the Internet from intrusion or attack from the outside. Some firewall protection can be provided by packet filtering and Network Address Translation services.
FTP: File Transfer Protocol. A program used to transfer files between computers connected to the Internet. Common uses include uploading new or updated files to a web server and downloading files from a web server.
hop: When you send data through the Internet, it is sent first from your computer to a router, and then from one router to another until it finally reaches a router that is directly connected to the recipient. Each i…
203. …ters available for LAN IP configuration.
Table 5.1 LAN IP Configuration Parameters
IP Address: The LAN IP address of the OfficeConnect Gigabit VPN Firewall. This IP is used by your computers to identify the OfficeConnect Gigabit VPN Firewall's LAN port. Note that the public IP address assigned to you by your ISP is not your LAN IP address. The public IP address identifies the WAN port on the OfficeConnect Gigabit VPN Firewall to the Internet.
Subnet Mask: The LAN subnet mask identifies which parts of the LAN IP Address refer to your network as a whole and which parts refer specifically to nodes on the network. Your device is preconfigured with a default subnet mask of 255.255.255.0.
5.1.2 Configuring the LAN IP Address. Follow these steps to change the default LAN IP address: 1. Log into Configuration Manager as administrator and then click the Network > IP Setup menu to display the Interface List Table as shown in Figure 5.1. 2. Click on the icon of the VLAN1 (LAN) entry to be modified in the Interface List Table.
Chapter 5 Configuring LAN Settings
Network > IP Setup: IP Setup page, OfficeConnect Gigabit VPN Fir…
204. …th which you are trying to communicate. On Windows-based computers, you can execute a ping command from the Start menu. Click the Start button and then click Run. In the Open text box, type a statement such as the following: ping 192.168.1.1. Click OK. You can substitute any private IP address on your LAN, or a public IP address for an Internet site, if known. If the target computer receives the message, a Command Prompt window displays like that shown in Figure 20.1. You can also test whether access to the Internet is working by typing an external address such as that for www.yahoo.com (216.115.108.243). If you do not know the IP address of a particular Internet location, you can use the nslookup command as explained in the following section. From most other IP-enabled operating systems, you can execute the same command at a command prompt or through a system administration utility.
20.1.2 nslookup. You can use the nslookup command to determine the IP address associated…
Figure 20.1:
C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1: Packets: Sent…
205. …the information for the IP Address Pool Begin/End Address, Subnet Mask, Lease Time and Default Gateway IP Address fields; others, such as Primary/Secondary DNS Server IP Address and Primary/Secondary WINS Server IP Address, are optional. However, it is recommended that you enter the primary DNS server IP address in the space provided. You may enter the LAN IP or your ISP's DNS IP in the Primary DNS Server IP Address field. Table 5.2 describes the DHCP configuration parameters in detail.
Table 5.2 DHCP Configuration Parameters
IP Address Pool Begin/End: Specify the lowest and highest addresses in the DHCP address pool.
Subnet Mask: Enter the subnet mask to be used for the DHCP address pool.
Lease Time: The amount of time the assigned address will be used by a device connected on the LAN.
Chapter 5 Configuring LAN Settings
Default Gateway IP Address: The address of the default gateway for computers that receive IP addresses from this pool. The default gateway is the device that the DHCP client computers first contact to communicate with the Internet. Typically it is the OfficeConnect Gigabit VPN Firewall's LAN port IP address.
Primary/Secondary DNS Server IP Address: The IP address of the Domain Name System server to be used by computers that receive IP addresses from this pool. The DNS server translates common Internet names that you type into your web browser into thei…
206. …ting Instructions 10
3.3 Part 3 Configuring Your Computers 11
3.3.1 Before you begin 12
3.3.2 Windows XP PCs 12
3.3.3 Windows 2000 PCs 12
3.3.4 Windows 95, 98 and Me PCs 13
3.3.5 Windows NT 4.0 workstations 13
3.3.6 Assigning static IP addresses to your PCs 14
3.4 Part 4 Quick Configuration of the OfficeConnect Gigabit VPN Firewall 14
3.4.1 Setting Up the OfficeConnect Gigabit VPN Firewall 14
3.4.2 Testing Your Setup 18
3.4.3 Default Router Settings …
2.4.1.1 Address Sharing and Management 4
2.4.1.1 ACL (Access Control List) 4
2.4.1.2 Stateful Packet Inspection 5
5.2 DHCP (Dynamic Host Control Protocol) 26
5.2.1 What is DHCP 26
5.2.2 Why use DHCP 27
5.2.3 Configuring DHCP Server 27
5.2.4 Viewing Current DHCP Address Assignment 29
5.3 Configuring Fixed DHCP Leases 29
5.3.1 Manually add a Fixed DHCP Lease 29
5.3.2 Import Discovered LAN Hosts as Fixed …
207. …tion allows you to enable or disable logging for this ACL rule.
11.6.1.2 Access Self Access Rule Table. Log into Configuration Manager as admin, click the Firewall menu, click the ACL submenu and then click the Self Access tab button on top of the Self Access rule table. The Self Access Rule Table displays as shown in Figure 11.10.
11.6.1.3 Add a Self Access Rule. To add a Self Access rule, follow the instructions below: 1. Open the Self Access Rule Table (see section 11.6.1.2 Access Self Access Rule Table). 2. Click on the button to display the Self Access Rule Configuration page. 3. Make desired changes to any or all of the following fields: Source, Destination, Service, Schedule and Action. See Table 11.4 Self Access Configuration Parameters for a more detailed explanation. 4. Click on the Apply button to create the new Self Access rule. The new rule will then be displayed in the Self Access Rule table.
Example: Figure 11.10 displays the screen with entries to:
> Add a new Self Access rule to allow TCP port 80 traffic (i.e. HTTP traffic) from the LAN and deny HTTP traffic from the WAN port (i.e. from the external network) to the OfficeConnect Gigabit VPN Firewall.
11.6.1.4 Modify a Self Access Rule. To modify a Self Access rule, follow the instructions below: 1. Open the Self Access Rule Table (see section 11.6.1.2 Access Self Access Rule Table). 2. Click on the icon…
208. …traffic in order, without priority.
Least Traffic First: As its name implies, the algorithm chooses the dispatched WAN link according to which has the most bandwidth remaining.
Bandwidth Allocation in Ratio: You can configure this algorithm to obtain the weight factors by normalizing the configured WAN TX bandwidths (tick the box Calculate from Tx Max) or just set these values manually.
(Connectivity check parameters:) …periodically to the configured IP address.
Enable Connectivity Check: To enable the connectivity check, please tick this check box.
Check Interval: The interval at which the router sends PING request packets. The allowable value is 1 to 60 seconds.
Check IP Address: Enter the IP address of the specific network device that the traffic will pass through. This field is optional. Normally you don't need to provide any IP address. If this field is absent, the router will send PING requests to the gateway IP address to monitor the network device.
Follow these steps to configure WAN Load Balancing: 1. Click on Traffic MGMT > WAN Link Mgmt to enter the WAN Link Configuration page. See Figure 13.1 WAN Link Mgmt Configuration Page. 2. Click on the Load Balancing radio button in the Policy Configuration field to enable the WAN load balancing mode. If you want to enable the Connectivity Check, please tick the Enable Connectivity Check checkbox and then fill in all necessary fields. Select a…
209. …ty of Service 75
12.1 Overview 75
12.2 Define the Maximum Bandwidth 75
12.3 Defining the QoS Class Object 76
12.4 … 77
13 Configuring WAN Load Balancing & Failover 79
13.1 Introduction 79
13.2 Configuring WAN Failover 79
13.3 Configuring WAN Load Balancing 81
14 Configuring IPSec VPN 83
14.1 VPN Tunnel Configuration Parameters 83
14.2 Establish VPN Connection Using Automatic …
14.2.1 Add a Rule for VPN Connection Using Pre-shared Key 86
14.2.2 Modify VPN Rules 87
14.2.3 Delete VPN Rules 87
14.2.4 Display VPN Rules 87
14.3 Establish VPN Connection Using Manual Keys 87
14.3.1 Add a Rule for VPN Connection Using Manual Keys 88
14.3.2 Modify VPN Rules 88
14.3.3 Delete VPN Rules 88
14.3.4 Display VPN Rules 89
14.4 VPN Connection Examples 89
14.4.1 Intranet Scenario (firewall, VPN and no NAT for VPN traffic) 89
210. …u are a United States government agency, then this documentation and the software described herein are provided to you subject to the following: All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com, the 3Com logo and OfficeConnect are registered trademarks of 3Com Corporation. Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. Netscape Navigator is a registered tr…
211. …ule to be deleted. 3. Click on the button to delete the selected rules.
11.6.2.6 View Configured Services. To see a list of existing services, follow the instructions below: 1. Open the Service List Configuration Page (see section 11.6.2.2 Access Service List Configuration Page). 2. The service list table, located at the bottom half of the Service Configuration page, shows all the configured services.
11.6.3 Configuring DoS Settings. The OfficeConnect Gigabit VPN Firewall has an Attack Defense Engine that protects internal networks from Denial of Service (DoS) attacks such as SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, a security device with the OfficeConnect Gigabit VPN Firewall provides protection from WinNuke, a widely used program to remotely crash unprotected Windows systems on the Internet. The OfficeConnect Gigabit VPN Firewall also provides protection from a variety of common Internet attacks such as IP Spoofing, Ping of Death, Land Attack, Reassembly and SYN flooding. For a complete list of the DoS protection provided by the OfficeConnect Gigabit VPN Firewall, please see Table 2.3.
11.6.3.1 DoS Protection Configuration Parameters. Table 11.6 describes the configuration parameters available for DoS Protection.
Table 11.6 DoS Protection Configuration Parameters…
212. …uration Parameters 73
Table 11.10 Session Limit Configuration Parameters 74
Table 13.1 WAN Failover Configuration Parameters 79
Table 14.1 VPN Tunnel Configuration Parameters 83
Table 14.2 Outbound Un-translated Firewall Rule for VPN Packets on ISR1 90
Table 14.3 Inbound Un-translated Firewall Rule for VPN Packets on ISR1 90
Table 14.4 Outbound Un-translated Firewall Rule for VPN Packets on ISR1 92
Table 14.5 Inbound Un-translated Firewall Rule for VPN Packets on ISR1 92
Table 15.1 L2TP Server Configuration Parameters 95
Table 16.1 PPTP Server Configuration Parameters 97
Table 17.1 System Access Account Configuration Parameters 102
Table 18.1 Supported ALGs 109
Table 19.1 IP Address Structure 111
Chapter 1 Introduction
1 Introduction. Welcome to the world of networking with 3Com. In the modern business environment, communication and sharing information is crucial. Computer networks have proved to be one of the fastest modes of communication, but until recently only large businesses could afford the networking advantage. The…
213. …utbound ACL Rules 59
11.4.4 Delete Outbound ACL Rules 60
11.4.5 Display Outbound ACL Rules 60
11.5 Configuring Content Filter 60
11.5.1 Content Filter Configuration Parameters 60
11.5.2 Access Content Filter Configuration Page 60
11.5.3 Add a Content Filter Rule 61
11.5.4 Modify a Content Filter Rule 61
11.5.5 Delete a Content Filter Rule 61
11.5.6 View Configured Content Filter Rules 61
11.5.7 Content Filter Rule Example 61
11.6 Configuring Advanced Firewall Features 62
11.6.1 Configuring Self Access Rules 62
11.6.1.1 Self Access Configuration Parameters 62
11.6.1.2 Access Self Access Rule Table 64
11.6.1.3 Add a Self Access Rule 64
11.6.1.4 Modify a Self Access Rule 64
11.6.1.5 Delete a Self Access Rule 64
11.6.1.6 View Configured Self Access Rules
11.6.2 Configuring Service List
11.6.2.1 Service List Configuration Parameters
11.6.2.2 Access Service List Configuration Page
11.6.2.3 Add a Service
11.6.2.4 Modify a Service
11.6.2.5 Delete a Service …
214. …ven sites on the Trusted list will be subject to Web Components blocking when the blocking of a particular Web Component is enabled.
Trust IP: Enter the IP address in the Trust IP field.
Blocked Keywords: Define a keyword that should not appear in the URL.
3. Click on the button to delete the selected inbound ACL rules. Note that the deleted ACL rule will be removed from the ACL rule table located at the bottom half of the same configuration page.
11.4.5 Display Outbound ACL Rules. To see existing outbound ACL rules, just open the outbound ACL Rule Configuration Page as described in section 11.3.2 Access Inbound ACL Rule Configuration Page.
11.5 Configuring Content Filter. Keyword-based Content filtering allows you to define one or more keywords that should not appear in URLs (Uniform Resource Locator, e.g. www.yahoo.com). Any URL containing one or more of these keywords will be blocked. This is a policy-independent feature, i.e. it cannot be associated to ACL rules. This feature can be independently enabled or disabled but works only if the firewall is …
11.5.2 Access Content Filter Configuration Page. Log into Configuration Manager as admin, click the Firewall menu and then click the Content Filter submenu. The Firewall Content filter Configuration page displays as shown in Figure 11.8. Note that when you open the Content filter Configuration page, a list of existing Content filter rules is also displayed a…
215. …Figure 4.1 … 21
Figure 4.2 Typical Configuration Manager Page 22
Figure 4.3 Device Summary Page 23
Figure 5.1 Interface List 26
Figure 5.2 IP Setup Configuration Page 26
Figure 5.3 DHCP Configuration Page 27
Figure 5.4 Host Discovery Configuration Page 30
Figure 5.5 Port Setup Configuration Page 31
Figure 5.6 Port Selection 32
Figure 5.7 LAN Statistics Page 32
Figure 6.1 VLAN Configuration Summary Page 34
Figure 6.2 VLAN Configuration Page 34
Figure 6.3 Select a VLAN Membership Type 34
Figure 6.4 VLAN Membership assignment 34
Figure 7.1 Spanning Tree Configuration Page 36
Figure 7.2 RSTP/STP Status Page 37
Figure 8.1 WAN Connection Typ…
216. …vered. This section assumes basic knowledge of binary numbers, bits and bytes. For details on this subject, see Appendix 18. IP addresses, the Internet's version of telephone numbers, are used to identify individual nodes (computers or devices) on the Internet. Every IP address contains four numbers, each from 0 to 255 and separated by dots (periods), e.g. 20.56.0.211. These numbers are called, from left to right, field1, field2, field3 and field4. This style of writing IP addresses as decimal numbers separated by dots is called dotted decimal notation. The IP address 20.56.0.211 is read "twenty dot fifty-six dot zero dot two eleven".
19.1.1 Structure of an IP address. IP addresses have a hierarchical design similar to that of telephone numbers. For example, a 7-digit telephone number starts with a 3-digit prefix that identifies a group of thousands of telephone lines and ends with four digits that identify one specific line in that group. Similarly, IP addresses contain two kinds of information:
Chapter 19 IP Addresses, Network Masks and Subnets
> Network ID: Identifies a particular network within the Internet or Intranet.
> Host ID: Identifies a particular computer or device on the network.
The first part of every IP address contains the network ID and the rest of the address contains the host ID. The length of the network ID depends on the network's class (see the following section). Table 19.1 shows the structure…
vered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a), and as such is provided with only such rights as are provided in this Agreement, which is 3Com's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.

TERM AND TERMINATION. The licenses granted hereunder are perpetual unless terminated earlier as specified below. You may terminate the licenses and this Agreement at any time by destroying the Software and Documentation together with all copies and merged portions in any form. The licenses and this Agreement will also terminate immediately if you fail to comply with any term or condition of this Agreement. Upon such termination you agree to destroy the Software and Documentation together with all copies and merged portions in any form.

LIMITED WARRANTIES AND LIMITATION OF LIABILITY. All warranties and limitations of liability applicable to the Software are as stated on the Limited Warranty Card or in the product manual, whether in paper or electronic form, accompanying the Software. Such warranties and limitations of liability are incorporated herein in their entirety by this reference.

GOVERNING LAW. This Agreement shall be governed by the laws of the State of California, U.S.A., excluding its conflicts of laws principles and excludin
4 Getting Started with the Configuration Manager  21
4.1 Log into Configuration Manager  21
4.2 Functional Layout  21
4.2.1 Commonly Used Buttons and Icons  (page number unreadable in source)
4.3 Overview of System Configuration  22
5 Configuring LAN Settings  25
5.1 LAN IP Address  25
5.1.1 LAN IP Configuration Parameters  25
5.1.2 Configuring the LAN IP Address  25
DHCP (section number unreadable in source)  29
5.4 DNS  30
5.4.1 About DNS  30
5.4.2 Assigning DNS Addresses  30
5.4.3 Configuring DNS Relay  30
5.5 Configuring the Port Settings  31
5.6 Viewing LAN Statistics  32
6 Configuring VLAN Settings  33
6.1 VLAN Overview  33
(entry unreadable in source)  33
6.3 Configuring the VLAN settings  33
7 Configuring Spanning Tree Settings  35
7.1 Spanning Tree Overview  35
7.2 Spanning Tree Configuration Parameters  35
7.3 Configuring the Spanning Tree settings  36
7.4 Viewing the Spanning Tree Status  37
8 Configuring WAN Settings  39
8.1 WAN Connection Mode  39
8.2 (title unreadable in source)  39
8.2.1 WAN PPPoE Configuration Parameters
Figure 3.9  WAN PPPoE Configuration Page
(Screenshot, Network > IP Setup: ISP Login with Login Required, Login, Password, AC Name (Optional), Service Name (Optional), Dial on Demand, Disconnect after Idle Minutes, Unnumbered; DNS Server with DNS Mode (Use These DNS Servers / Get Automatically from ISP); size setting Default 1492 / Custom (Bytes); MAC Address (Use Default Address / Use this computer's MAC).)

Chapter 3 Quick Start Guide

Figure 3.10  WAN Dynamic IP Configuration Page
(Screenshot, Network > IP Setup, interface VLAN7 WAN1 (eth0.7): ISP Login with Login Required; Interface IP Address with Connection Mode (Static IP Address / DHCP); DNS Server with DNS Mode (Use These DNS Servers / Get Automatically from ISP); size setting Default 1500 / Custom (Bytes); MAC Address (Use Default Address / Use this computer's MAC / Use this MAC Address).)

PPPoE Connection Mode (see Figure 3.9):
• Tick the Login Required checkbox.
• Enter the user name and password provided by your ISP.
• Click on the PPPoE radio button.
• AC Name and Service Name are optional. You may leave them empty if your ISP did not provide such information.
• Tick the Disconnect checkbox if you want to disco
Table 7.1  Spanning Tree Configuration Parameters  35
Table 8.1  WAN PPPoE Configuration Parameters  39
Table 8.2  WAN PPTP Configuration Parameters  40
Table 8.3  WAN Dynamic IP Configuration Parameters  41
Table 8.4  WAN Static IP Configuration Parameters  42
Table 9.1  Static Route Configuration Parameters  46
Table 10.1  DDNS Configuration Parameters  49
Table 11.1  Inbound ACL Rule Configuration Parameters  54
Table 11.2  Outbound ACL Rule Configuration Parameters  57
Table 11.3  Content Filter Configuration Parameters  60
Table 11.4  Self Access Configuration Parameters  62
Table 11.5  Service List configuration parameters  65
Table 11.6  DoS Protection Configuration Parameters  66
Table 11.7  Schedule Configuration Parameters  69
Table 11.8  Port Triggering Configuration Parameters  71
Table 11.9  P2P Service Prevention Config
Index

(entry truncated in source) 21; troubleshooting 116
Connectors, rear panel 3
Date and time, changing 104
Default configuration 18
Default gateway 45
DHCP, defined 26, 126
DHCP Address Table page 27
DHCP client, defined 26
DHCP relay 126
DHCP server 126; defined 26; pools 27; viewing assigned addresses 29
DHCP Server Configuration page 27
Diagnosing problems after installation 18
DNS 28, 30, 126; defined 30; relay 30
Domain name 127
Domain Name System, See DNS
download 127
DSL, defined 127
Dynamically assigned IP addresses 27
Eth-0 interface, defined 19
Ethernet, defined 127
Ethernet cable 9
Filtering rule 127
Firewall 127
Firmware Upgrade page 106
Firmware upgrades 105
Front panel 3
FTP 127
Gateways in DHCP pools 28
Gateway, defined 45
Hardware connections 9, 10
Hop 127
Hop count 127
Host 127
Host ID 111
HTTP 127
HTTP DDNS 50
Inbound ACL Configuration page 54
Internet 128; troubleshooting access to 115
Intranet 128
IP addresses 128; explained 111
IP configuration: static 14; static IP addresses 14; Windows 2000 12; Windows Me 13; Windows NT 4.0 13; Windows XP 12
IP information, configuring on LAN computers 12
IP routes: dynamically configuring 46; manually configuring 47
IP Routes, defined 45
ISP 128
LAN 128
want to enable or disable RIP. Select RIPv1 or RIPv2 from the RIP Version drop-down list. If automatic route summarization is required, click the Auto Summary option box.
4. If authentication for RIPv2 is required, select the Yes button in the Authentication field and enter the First Key Parameters and Second Key Parameters in the specified fields.
5. Click to enable or disable RIP.

9.3 Static Routing

9.3.1 Static Route Configuration Parameters

The following table defines the available configuration parameters for static routing configuration.

Table 9.1  Static Route Configuration Parameters

Field: Description
Route Name: Specifies the route name for a specific static route entry.
Destination Address: Specifies the IP address of the destination computer or an entire destination network. It can also be specified as all zeros to indicate that this route should be used for all destinations for which no other route is defined (this is the route that creates the default gateway). Note that the destination IP must be a network ID. The default route uses a destination IP of 0.0.0.0. Refer to Appendix 18 for an explanation of network ID.
Subnet Mask: Indicates which parts of the destination address refer to the network and which parts refer to a computer on the network. Refer to Appendix 18 for an explanation of network masks. The default route uses a netmask of 0.0.0.0
Chapter 14 Configuring IPSec VPN

down list. The following encryption algorithms are supported: DES, 3DES, AES-128, AES-192, AES-256.
IPSec Authentication: Select the IKE authentication from the drop-down list. The following authentication algorithms are supported: MD5, SHA-1.
PFS: PFS stands for perfect forward secrecy. You may choose to use the same keys generated when the IKE tunnel is created for all re-negotiations, or you can choose to generate new keys for every re-negotiation. Select None to use the same keys for all the re-negotiations. Select a specific DH (Diffie-Hellman) group to generate new keys for every re-negotiation. The supported DH groups are DH-1, DH-2 and DH-5. The greater the group number, the more secure the connection is. However, the greater the group number, the more time it takes to negotiate a tunnel.
Life Times: Enter the life time of the IPSec security association in seconds, minutes, hours or days, and in kilobytes. The default value is 3600 seconds.

Manual Key Specific Options
Encryption Key: Enter the encryption key. To enter the encryption key in hex, start with 0x.
Authentication Key: Enter the authentication key. To enter the authentication key in hex, start with 0x.
SPI Incoming: Enter the inbound security parameter index.
SPI Outgoing: Enter the outbound security parameter index.

14.2 Establish VPN Connection Using Automatic Keying

This section describes the steps to establish t
word

17.3 Configuring the Management Interface

The management service enables the system administrator to manage the OfficeConnect Gigabit VPN Firewall from various management interfaces such as the Web (HTTP, HTTPS) or the Command Line Interface (Telnet, SSH). The system administrator can create security policies to restrict access to the management interfaces to trusted computers or hosts. Any management access coming from outside the trusted hosts is prohibited.

Follow these steps to set up the trusted station:

1. Click the Administration > System Access menu and then click on the Management tab to enter the Management Interface configuration page. See Figure 17.3.

Figure 17.3  Management Interface Configuration Page
(Screenshot, Administration > System Access > Management. Management Service: Enable Telnet Login from LAN / WAN; Enable Web Login from LAN / WAN; Enable HTTPS; Enable SSH Login from LAN / WAN. Add Trusted Station for LAN Hosts: MAC Address, Add. Trusted Station for LAN Hosts list. Remote Access from WAN Setting.)

2. Enter the MAC address of the trusted host behind the LAN interface. Please note that the MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and
xisting rule ID 1001.

Table 14.3  Inbound Un-translated Firewall Rule for VPN Packets on ISR1
(Only the destination columns are legible in the source: Destination IP Address 192.168.1.0, Mask 255.255.255.0.)

14.4.1.2 Configure Rules on OfficeConnect Gigabit VPN Firewall 2 (ISR2)

Step 1: Configure VPN connection rules

Refer to the section 14.2 Establish VPN Connection Using Automatic Keying to configure VPN policies on ISR2 using automatic keying.

Figure 14.6  Intranet VPN Policy Configuration on ISR2
(Screenshot. General: Policy Name ISR2_TO_ISR1, Policy Type Auto, Type Subnet, Local Gateway WAN1, Remote Gateway 212.1.1.212. Local Site: Local IP Subnet, IP Address 192.168.2.0, Subnet Mask 255.255.255.0, Local Id Type IP ADDRESS. Remote Site: Remote IP Subnet, IP Address 192.168.1.0, Subnet Mask (garbled in source), Remote Id Type IP ADDRESS. IKE: Version IKEv1, Method Pre-shared key, Exchange Mode Main, Preshared key (masked, 8-49 chars), DH Group 2 (1024 bit), SA Lifetime 28800 sec. IPSec Proposal: Protocol ESP (AH not selected), Encryption 3DES, Authentication SHA-1, PFS DH Group 2 (1024 bit), SA Lifetime 3600 sec.)

Step 2: Configure Firewall rules

1. Configure an outbound Firewall rule to allow packets from 192.168.2.0/255.255.255.0
Figure 3.8  DHCP Server Configuration Page
(Screenshot: Primary WINS Server Address 0.0.0.0 (Optional); Secondary WINS Server Address 0.0.0.0 (Optional); NBX Call Processor Options 184: 0.0.0.0 (Optional); Enable SIP Servers Options 120; DHCP Relay Agent Configuration: DHCP server IP address.)

It is recommended that you keep the default settings for the DHCP server until after you have completed the rest of the configurations and confirmed that your Internet connection is working.

> Click on Network > IP Setup to configure the WAN settings for the OfficeConnect Gigabit VPN Firewall.

(Screenshot, Network > IP Setup: Interfaces List; the table contents are not legible in the source.)

(Screenshot, Network > IP Setup, interface VLAN7 WAN1 (eth0.7): ISP Login with Login Required, Login ISP_User1, Password (masked); ISP Type PPPoE / PPTP / BigPond; AC Name (Optional); Ser