User Manual Part 2

ManualsBrandsSofaWare Technologies ManualsElectronicsSafe@office/VPN-1 Edge

Table Of Contents

Using NAT Rules

388 Check Point Safe@Office User Guide

• Static NAT is configured for a network object (for information, see Using

Network Objects on page 185)

• NAT rules are received fro

m the Service Center

Implicitly defined NAT rules can only be edited or deleted indirectly. For example, in

order to remove a NAT rule created when a certain network object was defined, you must

modify the relevant network object.

The Address Translation page displays both custom NAT rules and implicitly defined NAT

rules, and it allows you to create, edit, and delete custom NAT rules.

How Does Hide NAT Work?

In Hide NAT, traffic to and from the internal networks traverses an enforcement module.

When a packet from an internal network passes through the gateway, the source IP address

is changed to the hiding IP address, and the source port is changed to a dynamically

assigned port that uniquely identifies the connection. The relationship between the

dynamically assigned port and the internal IP address is recorded in the gateway’s state

tables. When reply packets arrive, the enforcement module uses the destination port to

determine to which connection the packet belongs, and then adjusts the destination port

and IP address accordingly.

Summary of content (405 pages)

PAGE 1
Using NAT Rules • Static NAT is configured for a network object (for information, see Using Network Objects on page 185) • NAT rules are received from the Service Center Implicitly defined NAT rules can only be edited or deleted indirectly. For example, in order to remove a NAT rule created when a certain network object was defined, you must modify the relevant network object.
PAGE 2
Using NAT Rules Adding and Editing NAT Rules This procedure explains how to add and edit custom NAT rules. You cannot add or edit an implicitly defined NAT rule directly. To add or edit a custom NAT rule 1. Click Security in the main menu, and click the NAT tab. The Address Translation page appears. 2. Do one of the following: • To add a new rule, click New. • To edit an existing rule, click Chapter 13: Setting Your Security Policy next to the desired rule.
PAGE 3
Using NAT Rules The Address Translation wizard opens, with the Step 1 of 3: Original Connection Details dialog box displayed. 3. Complete the fields using the relevant information in the following table. 4. Click Next. The Step 2 of 3: Translations to Perform dialog box appears. 5. 390 Complete the fields using the relevant information in the following table.
PAGE 4
Using NAT Rules 6. Click Next. The Step 3 of 3: Save Address Translation dialog box appears. 7. If desired, type a description of the rule in the field provided. 8. Click Finish. The new rule appears in the Address Translation page. Table 67: Address Translation Wizard Fields Field The source is Description Select the original source of the connections you want to translate. This list includes network objects.
PAGE 5
Using NAT Rules Field Description And the Select the original destination of the connections you want to translate. destination is This list includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify the Safe@Office IP addresses, select This Gateway.
PAGE 6
Using NAT Rules Field Description Change the Select the new destination to which the original destination should be destination to translated. This list includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify that the original destination should not be translated, select Don't Change.
PAGE 7
Using the EAP Authenticator A confirmation message appears. b. Click OK. The rule is deleted. Using the EAP Authenticator Wi-Fi Protected Access Enterprise (WPA-Enterprise) and 802.1x are Network Access Control (NAC) protocols that can be used to authenticate users connecting to the Check Point Safe@Office appliance. Both WPA-Enterprise and 802.1x can be used to control access to the wireless network; however, WPA-Enterprise has the added capability of encrypting transmitted data, and 802.
PAGE 8
Using the EAP Authenticator Workflows The Safe@Office built-in EAP authenticator can be used to authenticate wireless clients or wired clients connecting to appliance ports. Using the EAP Authenticator for Authentication of Wireless Clients To use the EAP authenticator for authentication of wireless clients 1. Configure the Safe@Office appliance as follows: a. Configure the desired wireless network for use with the EAP authenticator.
PAGE 9
Using the EAP Authenticator d. For each client that should be allowed to connect to the Safe@Office appliance, add a user with Network Access permissions to the local user database. See Adding and Editing Users on page 643. e. 2. Provide each of the users with the authentication credentials you configured for them. Configure each wireless client as follows: a. Configure the client for server authentication. See Configuring Clients for Server Authentication on Wireless Connections on page 398. b. 3.
PAGE 10
Using the EAP Authenticator The certificate can be any of the following: A self-signed certificate generated by the Safe@Office appliance, version 8.0 or later. If a self-signed certificate is installed on the appliance, but was generated by an earlier firmware version, you must generate a new certificate. For instructions on generating a self-signed certificate, see Generating a Certificate on page 621. c. A certificate received from the Service Center.
PAGE 11
Using the EAP Authenticator Configuring Clients for Server Authentication on Wireless Connections To configure a Microsoft Windows client for server authentication 1. In the START menu, click Control Panel. 2. Click Network Connections. 3. Double-click on the wireless network connection. 4. Do one of the following: • If the Choose a Wireless Network screen appears, click Change Advanced Settings. • If you are already connected to a wireless network, click Properties.
PAGE 12
Using the EAP Authenticator The Wireless network properties dialog box appears displaying the Association tab. 7. In the Network name (SSID) field, type the Safe@Office appliance wireless network name. 8. In the Network Authentication drop-down list, select WPA. Note: You must select WPA, regardless of whether the Safe@Office appliance is configured to use the WPA-Enterprise or 802.1x security protocol. 9. In the Data encryption drop-down list, select AES. 10. Click the Authentication tab.
PAGE 13
Using the EAP Authenticator The Authentication tab appears. 11. In the EAP type drop-down list, select Protected EAP (PEAP). 12. Select the Authenticate as computer when computer information is available check box. 13. Click Properties. The Protected EAP Properties dialog box appears. 14. Make sure that the Validate server certificate check box is selected.
PAGE 14
Using the EAP Authenticator 15. In the Select Authentication Method drop-down list, select Secured password (EAP-MSCHAP v2). 16. If the user credentials for connecting to the Safe@Office appliance differ from the user credentials for connecting to Windows, do the following: a. Click Configure. The EAP MSCHAPv2 Properties dialog box appears. b. Clear the check box. c. Click OK. 17. Click OK in all open windows.
PAGE 15
Using the EAP Authenticator The Authentication tab appears. 5. Select the Enable IEEE 802.1x authentication for this network check box. 6. In the EAP type drop-down list, select Protected EAP (PEAP). 7. Select the Authenticate as computer when computer information is available check box. 8. Click Properties. The Protected EAP Properties dialog box appears. 9. 402 Make sure that the Validate server certificate check box is selected.
PAGE 16
Using the EAP Authenticator 10. In the Select Authentication Method drop-down list, select Secured password (EAP-MSCHAP v2). 11. If the user credentials for connecting to the Safe@Office appliance differ from the user credentials for connecting to Windows, do the following: a. Click Configure. The EAP MSCHAPv2 Properties dialog box appears. b. Clear the check box. c. Click OK. 12. Click OK in all open windows.
PAGE 17
Using the EAP Authenticator The Certificate Import Wizard opens displaying the Welcome to Certificate Import Wizard screen. 2. Click Next. The File to Import dialog box appears. 3. Browse to the Safe@Office appliance's CA certificate (*.p12 file). 4. Click Next.
PAGE 18
Using the EAP Authenticator The Password dialog box appears. Do not type a password. 5. Click Next. The Certificate Store dialog box appears. 6. Click Automatically select the certificate store based on the type of certificate. 7. Click Next.
PAGE 19
Using the EAP Authenticator The Completing the Certificate Import Wizard screen appears. 8. Click Finish. If the Safe@Office appliance certificate was self-signed, a warning message appears. Do the following: a. Click Yes. A success message appears. 9. b. Click OK. To check that the certificate was successfully installed as a trusted root CA, do the following: a. On the client, open Internet Explorer. b. In the Tools menu, click Internet Options.
PAGE 20
Using the EAP Authenticator The Content tab appears. d. Click Certificates. The Certificates dialog box appears. e. Click the Trusted Root Certification Authorities tab. The Trusted Root Certification Authorities tab appears. f. In the list, locate the Safe@Office appliance's CA certificate.
PAGE 21
Using the EAP Authenticator The certificate's name is in the format CA-, where is the Safe@Office appliance's MAC address or gateway name. g. To view further information about the certificate, double-click on it. The Certificate dialog box appears with additional information. Connecting Wireless Clients to the Safe@Office Appliance To connect a Microsoft Windows wireless client to the Safe@Office appliance with WPA Enterprise authentication 1.
PAGE 22
Using the EAP Authenticator A popup message appears asking you to supply credentials. 5. Click on the popup message. The Enter Credentials dialog box appears. 6. Type the Network Access user's user name and password in the fields provided. 7. Click OK. The wireless client attempts to connect to the network. Upon successful connection, the client indicates that it is connected to the network.
PAGE 23
Overview Chapter 14 Using SmartDefense This chapter explains how to use Check Point SmartDefense Services. This chapter includes the following topics: Overview ..................................................................................................410 Configuring SmartDefense .......................................................................411 SmartDefense Categories .........................................................................419 Resetting SmartDefense to its Defaults ........
PAGE 24
Configuring SmartDefense Configuring SmartDefense You can configure SmartDefense using the following tools: • SmartDefense Wizard. Resets all SmartDefense settings to their defaults, and then creates a SmartDefense security policy according to your network and security preferences. See Using the SmartDefense Wizard on page 411. • SmartDefense Tree. Enables you to fine tune individual settings in the SmartDefense policy. You can use the SmartDefense tree instead of, or in addition to, the wizard.
PAGE 25
Configuring SmartDefense To configure the SmartDefense policy using the wizard 1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. 2. 412 Click SmartDefense Wizard.
PAGE 26
Configuring SmartDefense The SmartDefense Wizard opens, with the Step 1: SmartDefense Level dialog box displayed. 3. Drag the lever to the desired level of SmartDefense enforcement. For information on the levels, see the following table. 4. Click Next. The Step 2: Application Intelligence Server Types dialog box appears.
PAGE 27
Configuring SmartDefense 5. Select the check boxes next to the types of public servers that are running on your network. 6. Click Next. The Step 3: Application Blocking dialog box appears. 7. Select the check boxes next to the types of applications you want to block from running on your network. 8. Click Next.
PAGE 28
Configuring SmartDefense The Step 4: Confirmation dialog box appears. 9. Click Finish. Existing SmartDefense settings are cleared, and the security policy is applied.
PAGE 29
Configuring SmartDefense Table 68: SmartDefense Security Levels This level… Does this… Minimal Disables all SmartDefense protections, except those that cannot be disabled. Normal Enables the following: • Teardrop • Ping of Death • LAND • Packet Sanity • Max Ping Size (set to 1500) • Welchia • Cisco IOS • Null Payload • IGMP • Small PMTU (Log Only) This level blocks the most common attacks.
PAGE 30
Configuring SmartDefense Using the SmartDefense Tree For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 419. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks.
PAGE 31
Configuring SmartDefense To configure a SmartDefense node 1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. The left pane displays a tree containing SmartDefense categories. • 2. To expand a category, click the icon next to it. • To collapse a category, click the icon next to it. Expand the relevant category, and click on the desired node. The right pane displays a description of the node, followed by fields. 3.
PAGE 32
SmartDefense Categories 4. To reset the node to its default values: a) Click Default. A confirmation message appears. b) Click OK. The fields are reset to their default values, and your changes are saved.
PAGE 33
SmartDefense Categories Denial of Service Denial of Service (DoS) attacks are aimed at overwhelming the target with spurious data, to the point where it is no longer able to respond to legitimate service requests.
PAGE 34
SmartDefense Categories Table 69: Teardrop Fields In this field… Do this… Action Specify what action to take when a Teardrop attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Teardrop attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 35
SmartDefense Categories Table 70: Ping of Death Fields In this field… Do this… Action Specify what action to take when a Ping of Death attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Ping of Death attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 36
SmartDefense Categories Table 71: LAND Fields In this field… Do this… Action Specify what action to take when a LAND attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log LAND attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Non-TCP Flooding Advanced firewalls maintain state information about connections in a State table.
PAGE 37
SmartDefense Categories Table 72: Non-TCP Flooding Fields In this field… Do this… Action Specify what action to take when the percentage of state table capacity used for non-TCP connections reaches the Max. percent non TCP traffic threshold. Select one of the following: Track • Block. Block any additional non-TCP connections. • None. No action. This is the default. Specify whether to log non-TCP connections that exceed the Max.
PAGE 38
SmartDefense Categories DDoS Attack In a distributed denial-of-service attack (DDoS attack), the attacker directs multiple hosts in a coordinated attack on a victim computer or network. The attacking hosts send large amounts of spurious data to the victim, so that the victim is no longer able to respond to legitimate service requests. You can configure how DDoS attacks should be handled.
PAGE 39
SmartDefense Categories IP and ICMP This category allows you to enable various IP and ICMP protocol tests, and to configure various protections against IP and ICMP-related attacks.
PAGE 40
SmartDefense Categories Table 74: Packet Sanity Fields In this field… Do this… Action Specify what action to take when a packet fails a sanity test, by selecting one of the following: Track • Block. Block the packet. This is the default. • None. No action. Specify whether to issue logs for packets that fail the packet sanity tests, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.
PAGE 41
SmartDefense Categories Max Ping Size PING (ICMP echo request) is a program that uses ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
PAGE 42
SmartDefense Categories In this field… Do this… Max Ping Size Specify the maximum data size for ICMP echo response. The default value is 548. IP Fragments When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets.
PAGE 43
SmartDefense Categories Table 76: IP Fragments Fields In this field… Do this… Forbid IP Fragments Specify whether all fragmented packets should be dropped, by selecting one of the following: • True. Drop all fragmented packets. • False. No action. This is the default. Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.
PAGE 44
SmartDefense Categories Network Quota An attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial Of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address. You can configure how connections that exceed that limit should be handled.
PAGE 45
SmartDefense Categories In this field… Do this… Max. Type the maximum number of network connections allowed per second Connections/Second from the same source IP address. from Same Source IP The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms. Welchia The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
PAGE 46
SmartDefense Categories Table 78: Welchia Fields In this field… Do this… Action Specify what action to take when the Welchia worm is detected, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Welchia worm attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 47
SmartDefense Categories Table 79: Cisco IOS DOS In this field… Do this… Action Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Cisco IOS DOS attacks, by selecting one of the following: Number of Hops to Protect • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 48
SmartDefense Categories Null Payload Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. You can configure how null payload ping packets should be handled. Table 80: Null Payload Fields In this field… Do this… Action Specify what action to take when null payload ping packets are detected, by selecting one of the following: Track • Block. Block the packets. This is the default. • None. No action.
PAGE 49
SmartDefense Categories Checksum Verification SmartDefense identifies any IP, TCP, or UDP packets with incorrect checksums. You can configure how these packets should be handled. Table 81: Checksum Verification Fields In this field… Do this… Action Specify what action to take when packets with incorrect checksums are detected, by selecting one of the following: Track • Block. Block the packets. This is the default. • None. No action.
PAGE 50
SmartDefense Categories TCP This category allows you to configure various protections related to the TCP protocol. It includes the following: • Flags on page 443 • Sequence Verifier on page 442 • Small PMTU on page 438 • Strict TCP on page 437 • SynDefender on page 440 Strict TCP Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.
PAGE 51
SmartDefense Categories Table 82: Strict TCP In this field… Do this… Action Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: Track • Block. Block the packets. • None. No action. This is the default. Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets.
PAGE 52
SmartDefense Categories Table 83: Small PMTU Fields In this field… Do this… Action Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following: Track • Block. Block the packet. • None. No action. This is the default. Specify whether to issue logs for packets are smaller than the Minimal MTU Size threshold, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.
PAGE 53
SmartDefense Categories SynDefender In a SYN attack, the attacker sends many SYN packets without finishing the three-way handshake. This causes the attacked host to be unable to accept new connections. You can protect against this attack by specifying a maximum amount of time for completing handshakes. Table 84: SynDefender Fields In this field… Do this… Action Specify what action to take when a SYN attack occurs, by selecting one of the following: • Block. Block the packet. This is the default.
PAGE 54
SmartDefense Categories In this field… Do this… Log mode Specify upon which events logs should be issued, by selecting one of the following: • None. Do not issue logs. • Log per attack. Issue logs for each SYN attack. This is the default. • Log individual unfinished handshakes. Issue logs for each incomplete handshake. This field is only relevant if the Track field is set to Log.
PAGE 55
SmartDefense Categories Sequence Verifier The Safe@Office appliance examines each TCP packet's sequence number and checks whether it matches a TCP connection state. You can configure how the appliance handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers. Table 85: Strict TCP In this field… Do this… Action Specify what action to take when TCP packets with incorrect sequence numbers arrive, by selecting one of the following: Track • Block.
PAGE 56
SmartDefense Categories Flags The URG flag is used to indicate that there is urgent data in the TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, an attacker can use the URG flag to conceal certain attacks. You can configure how the URG flag should be handled.
PAGE 57
SmartDefense Categories Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open. This category includes the following types of port scans: • Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open. • Sweep Scan.
PAGE 58
SmartDefense Categories Table 87: Port Scan Fields In this field… Do this… Number of ports SmartDefense detects ports scans by measuring the number of ports accessed accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
PAGE 59
SmartDefense Categories In this field… Do this… Track Specify whether to issue logs for scans, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs. This is the default. Detect scans Specify whether to detect only scans originating from the Internet, by from Internet only selecting one of the following: • False. Do not detect only scans from the Internet. This is the default. • True. Detect only scans from the Internet.
PAGE 60
SmartDefense Categories FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine. You can configure how FTP bounce attacks should be handled.
PAGE 61
SmartDefense Categories Block Known Ports You can choose to block the FTP server from connecting to well-known ports. Note: Known ports are published ports associated with services (for example, SMTP is port 25). This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.
PAGE 62
SmartDefense Categories Block Port Overflow FTP clients send PORT commands when connecting to the FTP sever. A PORT command consists of a series of numbers between 0 and 255, separated by commas. To enforce compliance to the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255.
PAGE 63
SmartDefense Categories Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked. To enable FTP command blocking • In the Action drop-down list, select Block. The FTP commands listed in the Blocked Commands box will be blocked. FTP command blocking is enabled by default.
PAGE 64
SmartDefense Categories To allow a specific FTP command 1. In the Blocked Commands box, select the desired FTP command. 2. Click Accept. The FTP command appears in the Allowed Commands box. 3. Click Apply. The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled. HTTP This category allows you to configure various protections related to the HTTP protocol.
PAGE 65
SmartDefense Categories Table 91: Header Rejection Fields In this field… Do this… Action Specify what action to take when an HTTP header-based exploit is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log HTTP header-based exploits, by selecting one of the following: HTTP header values • Log. Log the attack. • None. Do not log the attack. This is the default. Select the HTTP header values to detect.
PAGE 66
SmartDefense Categories Table 92: Worm Catcher Fields In this field… Do this… Action Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log HTTP-based worm attacks, by selecting one of the following: HTTP-based worm • Log. Log the attack. • None. Do not log the attack. This is the default. Select the worm patterns to detect.
PAGE 67
SmartDefense Categories Table 93: File Print and Sharing Fields In this field… Do this… Action Specify what action to take when a CIFS worm attack is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log CIFS worm attacks, by selecting one of the following: • • CIFS worm patterns list 454 Log. Log the attack. None. Do not log the attack. This is the default. Select the worm patterns to detect.
PAGE 68
SmartDefense Categories IGMP This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled.
PAGE 69
SmartDefense Categories In this field… Do this… Enforce IGMP to According to the IGMP specification, IGMP packets must be sent to multicast addresses multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute and attack; therefore the Safe@Office appliance blocks such packets. Specify whether to allow or block IGMP packets that are sent to nonmulticast addresses, by selecting one of the following: • Block. Block IGMP packets that are sent to non-multicast addresses.
PAGE 70
SmartDefense Categories SIP The SmartDefense SIP Application Level Gateway (ALG) processes the SIP protocol, allows firewall and NAT traversal, and enables Traffic Shaper to operate on SIP connections. By default, the SIP ALG checks SIP sessions for RFC compliance. If desired, you can allow non-RFC-compliant SIP connections, so that VoIP devices that initiate non-standard SIP calls can communicate through the firewall.
PAGE 71
SmartDefense Categories H.323 H.323 telephony is used by various devices and applications, such as Microsoft Netmeeting. SmartDefense allows you to choose whether to disable or enable the H.323 Application Level Gateway (ALG), which allows firewall and NAT traversal of H.323 calls. Table 96: H.323 Fields In this field… Do this… Peer-to-peer Specify whether to enable H.323 support, by selecting one of the following: H.323 Support • Enabled. Enable H.323 support. • Disabled. Disabled H.323 support.
PAGE 72
SmartDefense Categories Peer-to-Peer SmartDefense can block peer-to-peer file-sharing traffic, by identifying the proprietary protocols and preventing the initial connection to the peer-to-peer networks. This prevents not only downloads, but also search operations. This category includes the following nodes: • BitTorrent • eMule • Gnutella • KaZaA • Winny Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.
PAGE 73
SmartDefense Categories Table 97: Peer to Peer Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log peer-to-peer connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default.
PAGE 74
SmartDefense Categories Instant Messaging Traffic SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • ICQ • MSN Messenger • Skype • Yahoo Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session. Note: Skype versions up to 2.0.0.103 are supported.
PAGE 75
SmartDefense Categories Table 98: Instant Messengers Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default.
PAGE 76
SmartDefense Categories Games This category includes XBox LIVE. XBox 360 requires gateways hosting XBox LIVE games to use the "Open NAT" method rather than the normal "Strict NAT" method. Therefore, if you want to host online games on an XBox 360 console, you must first configure your Safe@Office appliance to use the "Open NAT" method.
PAGE 77
Resetting SmartDefense to its Defaults Resetting SmartDefense to its Defaults If desired, you can reset the SmartDefense security policy to its default settings. For information on the default value of each SmartDefense setting, see SmartDefense Categories on page 419. For information on resetting individual nodes in the SmartDefense tree to their default settings, see Using the SmartDefense Tree on page 417. To reset SmartDefense to its defaults 1.
PAGE 78
Overview Chapter 15 Using Antivirus and Antispam Filtering This chapter explains how to use antivirus and antispam filtering. This chapter includes the following topics: Overview ..................................................................................................465 Using VStream Antivirus .........................................................................467 Using VStream Antispam.........................................................................
PAGE 79
Overview Point of Enforcement VStream Antivirus Email Antivirus VStream Antivirus scans for Email Antivirus is centralized, redirecting viruses in the Safe@Office traffic through the Service Center for gateway itself. scanning. You can use either antivirus solution, or both in conjunction. Antispam Filtering Solutions You can scan email messages for spam, by using VStream Antispam and/or the Email Antispam subscription service (part of the centralized Email Filtering service).
PAGE 80
Using VStream Antivirus Using VStream Antivirus The Safe@Office appliance includes VStream Antivirus, an embedded stream-based antivirus engine based on Check Point Stateful Inspection and Application Intelligence technologies, that performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage.
PAGE 81
Using VStream Antivirus If a virus if found in VStream Antivirus does this... The protocol is detected POP3 • Terminates the connection The standard TCP port 110.
PAGE 82
Using VStream Antivirus Default Antivirus Policy The VStream Antivirus default policy includes the following rules: • All SMTP connections are scanned, regardless of the connection's direction. • All POP3 connections are scanned, regardless of the connection's direction. • All IMAP connections are scanned, regardless of the connection's direction. You can easily override the default antivirus policy, by creating user-defined rules.
PAGE 83
Using VStream Antivirus The VStream Antivirus page appears. 2. Drag the On/Off lever upwards or downwards. VStream Antivirus is enabled/disabled for all internal network computers. Viewing VStream Antivirus Signature Database Information VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures.
PAGE 84
Using VStream Antivirus Table 103: VStream Antivirus Page Fields This field… Displays… Main database The date and time at which the main database was last updated, followed by the version number. Daily database The date and time at which the daily database was last updated, followed by the version number. Next update The next date and time at which the Safe@Office appliance will check for updates. Status The current status of the database.
PAGE 85
Using VStream Antivirus For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move this rule to a higher location in the Antivirus Policy table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
PAGE 86
Using VStream Antivirus The following rule types exist: Table 104: VStream Antivirus Rule Types Rule Description Pass This rule type enables you to specify that VStream Antivirus should not scan traffic matching the rule. Scan This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged. Adding and Editing VStream Antivirus Rules To add or edit a VStream Antivirus rule 1.
PAGE 87
Using VStream Antivirus The Antivirus Policy page appears. 2. 474 Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click next to the desired rule.
PAGE 88
Using VStream Antivirus The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule.
PAGE 89
Using VStream Antivirus 5. Complete the fields using the relevant information in the following table. 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. To configure advanced settings, click Show Advanced Settings. New fields appear.
PAGE 90
Using VStream Antivirus 8. Complete the fields using the relevant information in the following table. 9. Click Next. The Step 4: Done dialog box appears. 10. If desired, type a description of the rule in the field provided. 11. Click Finish. The new rule appears in the Antivirus Policy page.
PAGE 91
Using VStream Antivirus Table 105: VStream Antivirus Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service. Standard Click this option to specify that the rule should apply to a specific standard Service service or network service object. You must then select the desired service or network service object from the drop-down list. Custom Service Click this option to specify that the rule should apply to a specific nonstandard service.
PAGE 92
Using VStream Antivirus In this field… Do this… And the Select the destination of the connections you want to allow or block. This list destination is includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify the Safe@Office IP addresses, select This Gateway.
PAGE 93
Using VStream Antivirus Enabling/Disabling VStream Antivirus Rules You can temporarily disable a VStream Antivirus rule. To enable/disable a VStream Antivirus rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to • To disable the rule, click The button changes to . and the rule is enabled. . and the rule is disabled.
PAGE 94
Using VStream Antivirus Viewing and Deleting VStream Antivirus Rules To view or delete an existing VStream Antivirus rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears with a list of existing VStream Antivirus rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. In the desired rule's row, click . A confirmation message appears. b. Click OK. The rule is deleted.
PAGE 95
Using VStream Antivirus Configuring VStream Antivirus Advanced Settings To configure VStream Antivirus advanced settings 1. Click Antivirus in the main menu, and click the Advanced tab. The Advanced Antivirus Settings page appears. 2. Complete the fields using the following table. 3. Click Apply. 4. To restore the default VStream Antivirus settings, do the following: a) Click Default. A confirmation message appears. b) Click OK.
PAGE 96
Using VStream Antivirus The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the following table. Table 106: Advanced Antivirus Settings Fields In this field… Do this… File Types Block potentially unsafe Select this option to block all emails containing potentially unsafe file types in email attachments.
PAGE 97
Using VStream Antivirus In this field… Do this… Pass safe file types Select this option to accept common file types that are known to without scanning be safe, without scanning them.
PAGE 98
Using VStream Antivirus In this field… Do this… Archive File Handling Maximum Nesting Level Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security. Setting a lower number prevents attackers from overloading the gateway by sending extremely nested archive files. The default value is 5 levels. Maximum Compression Fill in the field to complete the maximum compression ratio of Ratio 1:x files that VStream Antivirus should scan.
PAGE 99
Using VStream Antivirus In this field… Do this… When a password-protected VStream Antivirus cannot extract and scan password-protected file is found in archive files inside archives. Specify how VStream Antivirus should handle such files, by selecting one of the following: • Pass file without scanning. Accept the file without scanning it. This is the default. • Block file. Block the file.
PAGE 100
Using VStream Antispam Using VStream Antispam The Safe@Office appliance includes VStream Antispam, an embedded antispam engine that scans emails for spam. VStream Antispam is composed three antispam engines, each of which can be enabled or disabled separately: • IP Reputation The IP Reputation engine protects mail servers by checking the email sender’s IP address against an online and constantly updated IP reputation database, before accepting the SMTP email connection.
PAGE 101
Using VStream Antispam that the message is spam. If the spam score exceeds a user-configurable threshold called the “confidence level”, the message can be flagged as spam, or the message can be deleted altogether. In addition, VStream Antispam allows you to define a Safe Sender List, which consists of senders who are exempt from the Block List and Content Based Antispam engines. The following table provides a comparison of the VStream Antispam engines.
PAGE 102
Using VStream Antispam Important: In order to use VStream Antispam, your Safe@Office appliance must be subscribed to a Service Center. How VStream Antispam Works Figure 26: VStream Antispam Flow VStream Antispam works as follows: 1. A TCP connection arrives at the SMTP port (TCP 25) or the POP3 port (TCP 110). 2. The connection is checked against the VStream Antispam policy, to determine whether it should be scanned. 3.
PAGE 103
Using VStream Antispam If the spam score does not exceed the configured confidence level, the email passes to the next enabled VStream Antispam engine for processing. If the spam score exceeds the configured confidence level, VStream Antispam determines that the email is spam and handles it as specified by the IP Reputation engine's settings. 4. d. VStream Antispam caches the results of the IP Reputation check. VStream Antispam checks whether the email sender appears on the Safe Sender List.
PAGE 104
Using VStream Antispam 7. By default, VStream Antispam marks the email as spam. One of the following things happen: • If the connection is an SMTP connection, the mail server forwards the email to the recipient. • If the connection is a POP3 connection, the email client receives the email. Header Marking VStream Antispam adds the following headers to each email that is scanned by the Content Based Antispam or Block List engine, but not blocked: • X-VStream-Spam-Level.
PAGE 105
Using VStream Antispam Default Antispam Policy The VStream Antispam default policy includes the following rules: • All incoming SMTP connections are scanned, unless they originate from VPN. This protects mail servers in your network. • All outgoing POP3 connections are scanned. This protects mail clients in your network. You can easily override the default antispam policy, for example to exclude certain addresses or networks from spam scanning, by creating user-defined rules.
PAGE 106
Using VStream Antispam The VStream Antispam page appears. 2. Complete the fields using the information in the following table.
PAGE 107
Using VStream Antispam Table 108: VStream Antispam Fields In this field… Do this… Content Based Specify the Content Based Antispam engine's mode, by dragging the Antispam lever to one of the following: • On. The Content Based Antispam engine is on. VStream Antispam will check email fingerprints against an online spam detection database. Emails that fail the check will be handled according to configured Content Based Antispam settings. • Monitor Only. The Content Based Antispam engine is on.
PAGE 108
Using VStream Antispam In this field… Do this… IP Reputation Specify the IP Reputation engine's mode for SMTP connections, by Checking dragging the lever to one of the following: • On. The IP Reputation engine is on. VStream Antispam will check the reputation of email senders against an online IP reputation database prior to accepting the TCP connection. Emails that fail the check will be handled according to configured IP Reputation settings. • Monitor Only. The IP Reputation engine is on.
PAGE 109
Using VStream Antispam Table 109: VStream Antispam Status Fields This field… Displays... Email Messages Statistics for the Content Based Antispam and Block List engines. Pending The number of SMTP and POP3 email messages pending for the Content Based Antispam and Block List engines. Spam The number of SMTP and POP3 email messages that the Content Based Antispam and Block List engines determined to be spam.
PAGE 110
Using VStream Antispam This field… Displays... Total The total number of SMTP email connections scanned by the IP Reputation engine. Configuring the Content Based Antispam Engine You can configure how VStream Antispam should handle spam and suspected spam that is detected by the Content Based Antispam engine. For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 492. To configure Content Based Antispam engine settings 1.
PAGE 111
Using VStream Antispam The Content Based Antispam Settings page appears. 3. Complete the fields using the information in the following table. 4. Click Apply. Table 110: Content Based Antispam Settings Fields In this field… Do this… Spam Configure how VStream Antispam should handle spam that is detected using the Content Based Antispam engine.
PAGE 112
Using VStream Antispam In this field… Do this… Action Specify the action VStream Antispam should take upon detecting spam, by selecting one of the following: • None. Take no action. • Reject. Block the email. The email will be permanently deleted. • Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Mark Text field appears. Note: If the Content Based Antispam engine is in Monitor Only mode, this setting is ignored.
PAGE 113
Using VStream Antispam In this field… Do this… Confidence Type the minimum spam confidence level (SCL). If an email's SCL matches or exceeds this threshold, the email is considered spam. Setting a higher SCL reduces the number of legitimate emails erroneously identified as spam. Setting a lower SCL increases the amount of spam that is identified as legitimate email. The default value is 90.
PAGE 114
Using VStream Antispam In this field… Do this… Mark Text Type the prefix to the text appearing in the Subject field of the suspected spam notification email. For example, if you type [SUSPECTED SPAM] and the original email's Subject field displays "Earn Money the Easy Way", the suspected spam notification email's Subject field will display: "[SUSPECTED SPAM] Earn Money the Easy Way". The default value is [SUSPECTED SPAM].
PAGE 115
Using VStream Antispam Configuring the Block List Engine You can configure a list of email addresses and domain names that VStream Antispam should automatically block, if the Block List engine is enabled. For information on enabling the Block List engine, see Enabling/Disabling VStream Antispam on page 492. Adding Blocked Senders To add a blocked sender 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2.
PAGE 116
Using VStream Antispam The Blocked Sender List page appears. 3. Click Add. The Add Email to List dialog box appears. 4. In the field provided, do one of the following: • To block all email from a specific sender, type the sender's email address. • To block all email from addresses ending with a specific domain, type the domain name. For example, if you type "@special-offers.com", then email addresses such as johns@special-offers.com and sarahm@special-offers.com will be blocked.
PAGE 117
Using VStream Antispam 5. Click OK. The sender appears in the Block Sender List table. Viewing and Deleting Blocked Senders To delete a blocked sender 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the Block List lever, click Edit List. The Blocked Sender List page appears. 3. In the desired sender's row, click . The sender is deleted. Configuring the Block List Engine Settings To configure Block List engine settings 1.
PAGE 118
Using VStream Antispam The Antispam Block List Settings page appears. 3. Complete the fields using the information in the following table. 4. Click Apply.
PAGE 119
Using VStream Antispam Table 111: Antispam Block List Settings Fields In this field… Do this… Block Action Specify the action VStream Antispam should take upon receiving an email from a blocked sender, by selecting one of the following: • None. Take no action. • Reject. Block the email. • Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Mark Text field appears. Note: If the Block List engine is in Monitor Only mode, this setting is ignored.
PAGE 120
Using VStream Antispam Configuring the IP Reputation Engine You can configure how VStream Antispam should handle spam and suspected spam that is detected by the IP Reputation engine. For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 492. To configure IP Reputation engine settings 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the IP Reputation Checking lever, click Settings.
PAGE 121
Using VStream Antispam 4. Click Apply. Table 112: Antispam IP Reputation Settings Fields In this field… Do this… Spam Configure how VStream Antispam should handle spam that is detected using the IP Reputation engine. Action Specify the action VStream Antispam should take upon detecting spam, by selecting one of the following: • Reject. Block the email. • None. Take no action. Note: If the IP Reputation engine is in Monitor Only mode, this setting is ignored.
PAGE 122
Using VStream Antispam In this field… Do this… Action Specify the action VStream Antispam should take upon detecting potential spam, by selecting one of the following: • Reject. Block the email. • None. Take no action. Note: If the IP Reputation engine is in Monitor Only mode, this setting is ignored. For information on changing the engine's mode, see Enabling/Disabling VStream Antispam on page 492.
PAGE 123
Using VStream Antispam Configuring the VStream Antispam Policy VStream Antispam includes a flexible mechanism that allows the user to define exactly which emails should be scanned for spam and which should be considered safe, by specifying the protocol, and the source and destination IP addresses. VStream Antispam processes policy rules in the order they appear in the Antispam Policy table, so that rule 1 is applied before rule 2, and so on.
PAGE 124
Using VStream Antispam The Safe@Office appliance will process rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then it will process rule 2, scanning all outgoing SMTP traffic. The following rule types exist: Table 113: VStream Antispam Rule Types Rule Description Pass This rule type enables you to specify that VStream Antispam should allow all emails matching the rule, without scanning the emails.
PAGE 125
Using VStream Antispam Adding and Editing VStream Antispam Rules To add or edit a VStream Antispam rule 1. Click Antispam in the main menu, and click the Policy tab. The Antispam Policy page appears. 2. 512 Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click next to the desired rule.
PAGE 126
Using VStream Antispam The VStream Antispam Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Destination & Source dialog box appears. 5. Complete the fields using the relevant information in the following table.
PAGE 127
Using VStream Antispam 6. Click Next. The Step 3: Done dialog box appears. 7. If desired, type a description of the rule in the field provided. 8. Click Finish. The new rule appears in the Antispam Policy page. Table 114: VStream Antispam Policy Rule Wizard Fields In this field… Do this… If the email Select the email protocol to which the rule should apply. The supported protocol is protocols are SMTP and POP3. To specify both SMTP and POP3, select ANY.
PAGE 128
Using VStream Antispam In this field… Do this… The connection Select the source of the connections to which the rule should apply. source is To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify connections originating from this gateway, select This Gateway. To specify any source except this gateway, select ANY.
PAGE 129
Using VStream Antispam Enabling/Disabling VStream Antispam Rules You can temporarily disable a VStream Antispam rule. To enable/disable a VStream Antispam rule 1. Click Antispam in the main menu, and click the Policy tab. The Antispam Policy page appears. 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to • To disable the rule, click The button changes to . and the rule is enabled. . and the rule is disabled.
PAGE 130
Using VStream Antispam Viewing and Deleting VStream Antispam Rules To view or delete an existing VStream Antispam rule 1. Click Antispam in the main menu, and click the Policy tab. The Antispam Policy page appears with a list of existing VStream Antispam rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. In the desired rule's row, click . A confirmation message appears. b. Click OK. The rule is deleted.
PAGE 131
Using VStream Antispam Adding Safe Senders To add a safe sender 1. Click Antispam in the main menu, and click the Safe Senders tab. The Safe Sender List page appears. 2. Click Add. The Add Email to List dialog box appears.
PAGE 132
Using VStream Antispam 3. 4. In the field provided, do one of the following: • To allow all email from a specific sender, type the sender's email address. • To allow all email from addresses ending with a specific domain, type the domain name. For example, if you type "@mycompany.com", then email addresses such as johns@mycompany.com and sarahm@mycompany.com will be allowed. Click OK. The sender appears in the Safe Senders table. Viewing and Deleting Safe Senders To view or delete a safe sender 1.
PAGE 133
Using VStream Antispam Configuring VStream Antispam Advanced Settings To configure VStream Antispam advanced settings 1. Click Antispam in the main menu, and click the Advanced tab. The Advanced Antispam Settings page appears. 2. In the Track Non Spam Emails drop-down list, do one of the following: • To specify that VStream Antispam should log email that is detected as legitimate mail, select Log. • 3.
PAGE 134
Using Centralized Email Filtering • To specify that VStream Antispam should log email sent by addresses on the Safe Sender List, select Log. • 4. To specify that VStream Antivirus should not log email sent by addresses on the Safe Sender List, select None. Click Apply.
PAGE 135
Using Centralized Email Filtering Enabling/Disabling Email Filtering To enable/disable Email Filtering 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2. Next to Email Antivirus, drag the On/Off lever upwards or downwards. Email Antivirus is enabled/disabled.
PAGE 136
Using Centralized Email Filtering Selecting Protocols for Scanning If you are locally managed, you can define which protocols should be scanned for viruses and spam: • Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned. • Email sending (SMTP). If enabled, all outgoing email will be scanned. Protocols marked with will be scanned, while those marked with will not.
PAGE 137
Using Centralized Email Filtering Configuring Email Filtering Advanced Settings Note: If the Safe@Office appliance is remotely managed, contact your Service Center administrator to change these settings. To configure Email Filtering advanced settings 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2.
PAGE 138
Using Centralized Email Filtering Temporarily Disabling Email Filtering If you are having problems sending or receiving email you can temporarily disable the Email Filtering services. To temporarily disable Email Filtering 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2. Click Snooze. • Email Antivirus and Email Antispam are temporarily disabled for all internal network computers. • The Snooze button changes to Resume.
PAGE 139
Using Centralized Email Filtering • 3. 526 The Email Filtering Off popup window opens. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page. • The services are re-enabled for all internal network computers. • If you clicked Resume in the Email Filtering page, the button changes to Snooze. • If you clicked Resume in the Email Filtering Off popup window, the popup window closes.
PAGE 140
Overview Chapter 16 Using Web Content Filtering This chapter explains how to use Web content filtering. This chapter includes the following topics: Overview ..................................................................................................527 Using Web Rules......................................................................................529 Using Web Filtering .................................................................................537 Customizing the Access Denied Page ......
PAGE 141
Overview Web Rules Web Filtering Subscription and Web rules are included with the The Web Filtering service is subscription- Connection Safe@Office appliance and do based and requires a connection to the Requirement not require a Service Center Service Center. subscription or connection. You can use either Web content filtering solution or both in conjunction. When a user attempts to access a Web site, the Safe@Office appliance first evaluates the Web rules.
PAGE 142
Using Web Rules Using Web Rules You can block or allow access to specific Web pages, by defining Web rules. Note: Web rules affect outgoing traffic only and cannot be used to allow or limit access from the Internet to internal Web servers. The Safe@Office appliance processes Web rules in the order they appear in the Web Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Web Rules table.
PAGE 143
Using Web Rules The Safe@Office appliance will process rule 1 first, allowing access to the desired page, and only then it will process rule 2, blocking access to the rest of the site. The following rule types exist: Table 116: Web Rule Types Rule Description Allow This rule type enables you to specify that a specific Web page should be allowed. Block This rule type enables you to specify that a specific Web page should be blocked. Adding and Editing Web Rules To add or edit a Web rule 1.
PAGE 144
Using Web Rules The Web Rules page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click Chapter 16: Using Web Content Filtering next to the desired rule.
PAGE 145
Using Web Rules The Safe@Office Web Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Rule Location dialog box appears. The example below shows a Block rule.
PAGE 146
Using Web Rules 5. Complete the fields using the relevant information in the following table. 6. Click Next. The Step 3: Confirm Rule dialog box appears. 7. Click Finish. The new rule appears in the Web Rules page.
PAGE 147
Using Web Rules Table 117: Web Rules Fields In this field… Do this… Block/Allow Type the URL or IP address to which the rule should apply. access to the following URL Wildcards (*) are supported. For example, to block all URLs that start with "http://www.casino-", set this field's value to: http://www.casino- * Note: If you block a Web site based on its domain name (http://), the Web site is not automatically blocked when surfing to the Web server's IP address (http://).
PAGE 148
Using Web Rules Reordering Web Rules To reorder Web rules 1. Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears. 2. For each rule you want to move, click on the rule and drag it to the desired location in the table. Enabling/Disabling Web Rule Logging You can enable or disable logging for a Web rule, by using the information in Adding and Editing Web Rules on page 530, or by using the following shortcut. To enable/disable logging for a Web rule 1.
PAGE 149
Using Web Rules Viewing and Deleting Web Rules To view or delete an existing Web rule 1. Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears with a list of existing Web rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. In the desired rule's row, click . A confirmation message appears. b. Click OK. The rule is deleted.
PAGE 150
Using Web Filtering Using Web Filtering When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified in the Allow Categories area of the Web Filtering page. Note: The Web Filtering service is only available if you are connected to a Service Center and subscribed to this service. For information on using subscription services, see Using Subscription Services on page 551. Enabling/Disabling Web Filtering To enable/disable Web Filtering 1.
PAGE 151
Using Web Filtering The Web Filtering page appears. 2. Drag the On/Off lever upwards or downwards. Web Filtering is enabled/disabled.
PAGE 152
Using Web Filtering Selecting Categories for Blocking You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with will remain will be blocked and will require the administrator visible, while categories marked with password for viewing. Note: If the Safe@Office appliance is remotely managed, contact your Service Center administrator to change these settings.
PAGE 153
Using Web Filtering Configuring Web Filtering Advanced Settings Note: If the Safe@Office appliance is remotely managed, contact your Service Center administrator to change these settings. To configure Web Filtering advanced settings 1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2.
PAGE 154
Using Web Filtering Temporarily Disabling Web Filtering If desired, you can temporarily disable the Web Filtering service. To temporarily disable Web Filtering 1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Snooze. • Web Filtering is temporarily disabled for all internal network computers. • The Snooze button changes to Resume.
PAGE 155
Using Web Filtering • 3. The Web Filtering Off popup window opens. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page. • The service is re-enabled for all internal network computers. • If you clicked Resume in the Web Filtering page, the button changes to Snooze. • If you clicked Resume in the Web Filtering Off popup window, the popup window closes.
PAGE 156
Customizing the Access Denied Page Customizing the Access Denied Page The Access Denied page appears when a user attempts to access a page that is blocked either by a Web rule or by the Web Filtering service. You can customize this page using the following procedure. To customize the Access Denied page 1. Do one of the following: • Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears. • 2. Click Services in the main menu, and click the Web Filtering tab.
PAGE 157
Customizing the Access Denied Page The Customize Access Denied Page page appears. In the following example, this page was accessed via the Web Rules page. 3. In the text box, type the message that should appear when a user attempts to access a blocked Web page. You can use HTML tags as needed. 4. To display the Access Denied page using HTTPS, select the Use HTTPS check box. 5. To preview the Access Denied page, click Preview. A browser window opens displaying the Access Denied page. 6. Click Apply.
PAGE 158
Overview Chapter 17 Updating the Firmware This chapter explains how to update the Safe@Office appliance's firmware. This chapter includes the following topics: Overview ..................................................................................................545 Using Software Updates ...........................................................................546 Updating the Firmware Manually.............................................................
PAGE 159
Using Software Updates Using Software Updates Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service. For information on using subscription services, see Using Subscription Services on page 551. Checking for Software Updates when Remotely Managed If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed.
PAGE 160
Using Software Updates The Software Updates page appears. 2. Click Update Now. The system checks for new updates and installs them.
PAGE 161
Using Software Updates Checking for Software Updates when Locally Managed If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually. To configure software updates when locally managed 1. Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. 2.
PAGE 162
Updating the Firmware Manually Note: When the Software Updates service is set to Automatic, you can still manually check for updates. 3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards. The Safe@Office appliance does not check for software updates automatically. 4. To manually check for software updates, click Update Now. The system checks for new updates and installs them.
PAGE 163
Updating the Firmware Manually The Firmware Update page appears. 3. Click Browse. A browse window appears. 4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box. 5. Click Upload. Your Safe@Office appliance firmware is updated. Updating may take a few minutes. Do not power off the appliance. At the end of the process the Safe@Office appliance restarts automatically.
PAGE 164
Connecting to a Service Center Chapter 18 Using Subscription Services This chapter explains how to connect your Safe@Office appliance to a Service Center and start subscription services. Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area. This chapter includes the following topics: Connecting to a Service Center ...............................................................
PAGE 165
Connecting to a Service Center The Account page appears. 2. 552 In the Service Account area, click Connect.
PAGE 166
Connecting to a Service Center The Safe@Office Services Wizard opens, with the Service Center dialog box displayed. 3. Make sure the Connect to a Service Center check box is selected. 4. Do one of the following: • To connect to the SofaWare Service Center, choose usercenter.sofaware.com. • 5. To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center’s IP address, as given to you by your system administrator. Click Next.
PAGE 167
Connecting to a Service Center • If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next. • 554 The Connecting screen appears.
PAGE 168
Connecting to a Service Center • 6. The Confirmation dialog box appears with a list of services to which you are subscribed. Click Next. The Done screen appears with a success message. 7. Click Finish.
PAGE 169
Connecting to a Service Center 556 • If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware. • The Welcome page appears. • The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 557 for further information.
PAGE 170
Viewing Services Information Viewing Services Information The Account page displays the following information about your subscription. Table 118: Account Page Fields This field… Displays… Service Center The name of the Service Center to which you are connected (if known). Name Gateway ID Your gateway ID. Subscription will The date on which your subscription to services will end. end on Service The services available in your service plan.
PAGE 171
Refreshing Your Service Center Connection This field… Displays… Information The mode to which each service is set. If you are subscribed to Dynamic DNS, this field displays your gateway's domain name. For further information, see Web Filtering on page 537, Virus Scanning on page 521, and Automatic and Manual Updates on page 546.
PAGE 172
Configuring Your Account Configuring Your Account This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password. To configure your account 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Configure. Note: If no additional settings are available from your Service Center, this button will not appear.
PAGE 173
Disconnecting from Your Service Center 3. Clear the Connect to a Service Center check box. 4. Click Next. The Done screen appears with a success message. 5. Click Finish. The following things happen: 560 • You are disconnected from the Service Center. • The services to which you were subscribed are no longer available on your Safe@Office appliance.
PAGE 174
Overview Chapter 19 Working With VPNs This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway. This chapter includes the following topics: Overview ..................................................................................................561 Setting Up Your Safe@Office Appliance as a VPN Server .....................567 Adding and Editing VPN Sites ................................................................
PAGE 175
Overview • SecuRemote Internal VPN Server. SecuRemote can also be used from your internal networks, allowing you to secure your wired or wireless network with strong encryption and authentication. • L2TP VPN Server. Makes a network available to authorized users who connect from the Internet or from your internal networks using an L2TP client such as the Microsoft L2TP IPSec VPN Client. • Site-to-Site VPN Gateway.
PAGE 176
Overview Site-to-Site VPNs A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.
PAGE 177
Overview To create a Site-to-Site VPN with two VPN sites 1. On the first VPN site’s Safe@Office appliance, do the following: a. Define the second VPN site as a Site-to-Site VPN Gateway, using the procedure Adding and Editing VPN Sites on page 581. b. 2. Enable a Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a VPN Server on page 567. On the second VPN site’s Safe@Office appliance, do the following: a.
PAGE 178
Overview Remote Access VPNs A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.
PAGE 179
Overview To create a Remote Access VPN with two VPN sites 1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 581. The remote user's Safe@Office appliance will act as a Remote Access VPN Client. 2. On the office VPN site's Safe@Office appliance, enable a Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a VPN Server on page 567.
PAGE 180
Setting Up Your Safe@Office Appliance as a VPN Server Setting Up Your Safe@Office Appliance as a VPN Server You can make your network available to authorized users connecting from the Internet or from your internal networks, by setting up your Safe@Office appliance as a VPN Server. When the SecuRemote Remote Access VPN Server or SecuRemote Internal VPN Server is enabled, users can connect to the server via Check Point SecuRemote/SecureClient or via a Safe@Office appliance in Remote Access VPN mode.
PAGE 181
Setting Up Your Safe@Office Appliance as a VPN Server To set up your Safe@Office appliance as a VPN Server 1. Configure the VPN Server in one or more of the following ways: • To accept SecuRemote/SecureClient or Safe@Office remote access connections from the Internet. See Configuring the SecuRemote Remote Access VPN Server on page 569. • To accept SecuRemote/SecureClient connections from your internal networks. See Configuring the Internal VPN Server on page 571. • 2.
PAGE 182
Setting Up Your Safe@Office Appliance as a VPN Server Configuring the SecuRemote Remote Access VPN Server To configure the SecuRemote Remote Access VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. 2. Select the Allow SecuRemote users to connect from the Internet check box.
PAGE 183
Setting Up Your Safe@Office Appliance as a VPN Server New check boxes appear. 3. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box. 4. To allow authenticated users connecting from the Internet to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box. User-defined rules will still apply to the authenticated users. 5.
PAGE 184
Setting Up Your Safe@Office Appliance as a VPN Server Configuring the Internal VPN Server To configure the internal VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears. 2. Select the Allow SecuRemote users to connect from my internal networks check box. New check boxes appear. 3.
PAGE 185
Setting Up Your Safe@Office Appliance as a VPN Server Note: Bypass NAT is always enabled for the internal VPN Server, and cannot be disabled. 4. Click Apply. The internal VPN Server is enabled for the specified connection types. Configuring the L2TP VPN Server To configure the L2TP VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. 2. Select the Allow L2TP clients to connect check box. New check boxes appear.
PAGE 186
Setting Up Your Safe@Office Appliance as a VPN Server 3. In the Preshared Secret field, type the preshared secret to use for secure communications between the L2TP clients and the VPN Server. The secret can contain spaces and special characters. It is used to secure L2TP connections for all users. In addition to entering this secret, each L2TP user will have to authenticate with a username and password.
PAGE 187
Setting Up Your Safe@Office Appliance as a VPN Server For information on using SecureClient/SecuRemote, see the User Help. To access SecureClient/SecuRemote User Help, right-click on the VPN Client icon in the taskbar, select Settings, and then click Help. Configuring L2TP VPN Clients If you configured the L2TP VPN Server, you must configure the L2TP VPN Client on all computers that should be allowed to remotely access your network via L2TP connections.
PAGE 188
Setting Up Your Safe@Office Appliance as a VPN Server The New Connection Wizard opens displaying the Welcome to the New Connection Wizard screen. 4. Click Next. The Network Connection Type dialog box appears. 5. Choose Connect to the network at my workplace. 6. Click Next.
PAGE 189
Setting Up Your Safe@Office Appliance as a VPN Server 7. The Network Connection dialog box appears. 8. Choose Virtual Private Network connection. 9. Click Next. The Connection Name dialog box appears. 10. In the Company Name field, type your company's name. 11. Click Next.
PAGE 190
Setting Up Your Safe@Office Appliance as a VPN Server The Public Network dialog box appears. 12. Choose Do not dial the initial connection. 13. Click Next. The VPN Server Selection dialog box appears. 14. In the field, type the Safe@Office appliance's IP address.
PAGE 191
Setting Up Your Safe@Office Appliance as a VPN Server The Completing the New Connection Wizard screen appears. 15. Click Finish. 16. In the Network and Dial-up Connections window, right-click on the L2TP connection, and click Properties in the popup menu. The connection's Properties dialog box opens. 17. In the Security tab, choose Advanced (custom settings). 18. Click Settings.
PAGE 192
Setting Up Your Safe@Office Appliance as a VPN Server The Advanced Security Settings dialog box opens. 19. In the Data encryption drop-down list, select Optional encryption. 20. Choose Allow these protocols. 21. Select the Unencrypted password (PAP) check box, and clear all other check boxes. 22. Click OK. 23. In Properties dialog box's Security tab, click IPSec Settings. The IPSec Settings dialog box opens. 24. Select the Use pre-shared key for authentication check box. 25.
PAGE 193
Setting Up Your Safe@Office Appliance as a VPN Server 28. In the Type of VPN drop-down list, select L2TP IPSec VPN. 29. Click OK.
PAGE 194
Adding and Editing VPN Sites Adding and Editing VPN Sites To add or edit VPN sites 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites. 2. Do one of the following: • To add a VPN site, click New Site. • To edit a VPN site, click Edit in the desired VPN site’s row.
PAGE 195
Adding and Editing VPN Sites The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed. 3. Do one of the following: • Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server. • 4. 582 Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway. Click Next.
PAGE 196
Adding and Editing VPN Sites Configuring a Remote Access VPN Site If you selected Remote Access VPN, the VPN Gateway Address dialog box appears. 1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator. 2. To allow the VPN site to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box. User-defined rules will still apply to the VPN site. 3.
PAGE 197
Adding and Editing VPN Sites The VPN Network Configuration dialog box appears. 4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 593. 5. Click Next.
PAGE 198
Adding and Editing VPN Sites • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 593 and click Next. • If you chose Specify Configuration or Route All Traffic, the Backup Gateway dialog box appears.
PAGE 199
Adding and Editing VPN Sites In the Backup Gateway IP field, type the name of the VPN site to use if the primary VPN site fails, and then click Next. • The Authentication Method dialog box appears. 6. Complete the fields using the information in Authentication Methods Fields on page 595. 7. Click Next.
PAGE 200
Adding and Editing VPN Sites Username and Password Authentication Method If you selected Username and Password, the VPN Login dialog box appears. 1. Complete the fields using the information in VPN Login Fields on page 596. 2. Click Next. • If you selected Automatic Login, the Connect dialog box appears.
PAGE 201
Adding and Editing VPN Sites Do the following: 1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 2) Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears. • 3.
PAGE 202
Adding and Editing VPN Sites The VPN Site Created screen appears. 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
PAGE 203
Adding and Editing VPN Sites Certificate Authentication Method If you selected Certificate, the Connect dialog box appears. 1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 2. Click Next.
PAGE 204
Adding and Editing VPN Sites The Site Name dialog box appears. 3. Enter a name for the VPN site. You may choose any name. 4. Click Next. The VPN Site Created screen appears.
PAGE 205
Adding and Editing VPN Sites 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. RSA SecurID Authentication Method If you selected RSA SecurID, the Site Name dialog box appears. 1. Enter a name for the VPN site. You may choose any name. 2. 592 Click Next.
PAGE 206
Adding and Editing VPN Sites The VPN Site Created screen appears. 3. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. Table 119: VPN Network Configuration Fields In this field… Do this… Download Click this option to obtain the network configuration by downloading it from Configuration the VPN site.
PAGE 207
Adding and Editing VPN Sites In this field… Do this… Specify Click this option to provide the network configuration manually. Configuration Route All Traffic Click this option to route all network traffic through the VPN site. For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
PAGE 208
Adding and Editing VPN Sites In this field… Do this… Destination network Type up to three destination network addresses at the VPN site to which you want to connect. Subnet mask Select the subnet masks for the destination network addresses. Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator. Table 120: Authentication Methods Fields In this field… Do this… Username and Select this option to use a user name and password for VPN Password authentication.
PAGE 209
Adding and Editing VPN Sites Table 121: VPN Login Fields In this field… Do this… Manual Login Click this option to configure the site for Manual Login. Manual Login connects only your computer to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see, Logging in to a VPN Site on page 616. Automatic Login Click this option to enable the Safe@Office appliance to log in to the VPN site automatically.
PAGE 210
Adding and Editing VPN Sites Configuring a Site-to-Site VPN Gateway If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears. 1. Complete the fields using the information in VPN Gateway Address Fields on page 611. 2. Click Next.
PAGE 211
Adding and Editing VPN Sites The VPN Network Configuration dialog box appears. 3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 593. 4. Click Next. • 598 If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
PAGE 212
Adding and Editing VPN Sites Complete the fields using the information in VPN Network Configuration Fields on page 593, and then click Next. • If you chose Specify Configuration or Route All Traffic, the Backup Gateway dialog box appears. In the Backup Gateway IP field, type the name of the VPN site to use if the primary VPN site fails, and then click Next.
PAGE 213
Adding and Editing VPN Sites • If you chose Route Based VPN, the Route Based VPN dialog box appears. Complete the fields using the information in Route Based VPN Fields on page 611, and then click Next. • 5. 600 The Authentication Method dialog box appears. Complete the fields using the information in Authentication Methods Fields on page 612.
PAGE 214
Adding and Editing VPN Sites 6. Click Next. Shared Secret Authentication Method If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields.
PAGE 215
Adding and Editing VPN Sites 1. Complete the fields using the information in VPN Authentication Fields on page 612 and click Next. The Security Methods dialog box appears. 2. To configure advanced security settings, click Show Advanced Settings. New fields appear.
PAGE 216
Adding and Editing VPN Sites 3. Complete the fields using the information in Security Methods Fields on page 613 and click Next. The Connect dialog box appears. 4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 5. Click Next.
PAGE 217
Adding and Editing VPN Sites • 6. The Site Name dialog box appears. Type a name for the VPN site. You may choose any name. 7. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 8. Click Next.
PAGE 218
Adding and Editing VPN Sites • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. 9. • The VPN Site Created screen appears. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
PAGE 219
Adding and Editing VPN Sites Certificate Authentication Method If you selected Certificate, the following things happen: • If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 612 and click Next.
PAGE 220
Adding and Editing VPN Sites • 1. The Security Methods dialog box appears. To configure advanced security settings, click Show Advanced Settings. New fields appear. 2. Complete the fields using the information in Security Methods Fields on page 613 and click Next.
PAGE 221
Adding and Editing VPN Sites The Connect dialog box appears. 3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 4. Click Next. • If you selected Try to Connect to the VPN Gateway, the following things happen: The Connecting… screen appears.
PAGE 222
Adding and Editing VPN Sites • 5. The Site Name dialog box appears. Enter a name for the VPN site. You may choose any name. 6. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 7. Click Next.
PAGE 223
Adding and Editing VPN Sites • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. 8. • The VPN Site Created screen appears. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
PAGE 224
Adding and Editing VPN Sites Table 122: VPN Gateway Address Fields In this field… Do this… Gateway Address Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator. Bypass NAT Select this option to allow the VPN site to bypass NAT when connecting to your internal network. This option is selected by default.
PAGE 225
Adding and Editing VPN Sites Table 124: Authentication Methods Fields In this field… Do this… Shared Secret Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other. Certificate Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed.
PAGE 226
Adding and Editing VPN Sites Table 126: Security Methods Fields In this field… Do this… Phase 1 Security Methods Select the encryption and integrity algorithm to use for IKE negotiations: • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default. • A specific algorithm Diffie-Hellman Select the Diffie-Hellman group to use: group • Automatic. The Safe@Office appliance automatically selects a group. This is the default.
PAGE 227
Adding and Editing VPN Sites In this field… Do this… Perfect Forward Specify whether to enable Perfect Forward Secrecy (PFS), by selecting Secrecy one of the following: • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled. • Disabled. PFS is disabled. This is the default. Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange. PFS increases security but lowers performance.
PAGE 228
Viewing and Deleting VPN Sites Viewing and Deleting VPN Sites To view or delete a VPN site 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of all VPN sites. 2. To delete a VPN site, do the following. a. In the desired VPN site's row, click the Erase icon. A confirmation message appears. b. Click OK. The VPN site is deleted. Enabling/Disabling a VPN Site You can only connect to VPN sites that are enabled. To enable/disable a VPN site 1.
PAGE 229
Logging in to a Remote Access VPN Site 3. To disable a VPN site, do the following: Note: Disabling a VPN site eliminates the tunnel and erases the network topology. a. Click the icon in the desired VPN site’s row. A confirmation message appears. b. Click OK. The icon changes to , and the VPN site is disabled. Logging in to a Remote Access VPN Site You need to manually log in to Remote Access VPN Servers configured for Manual Login.
PAGE 230
Logging in to a Remote Access VPN Site Logging in through the Safe@Office Portal Note: You can only log in to sites that are configured for Manual Login. To manually log in to a VPN site through the Safe@Office Portal 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears. 2. Next to the desired VPN site, click Login. The VPN Status dialog box appears. 3. Type your user name and password in the appropriate fields. 4. Click Login.
PAGE 231
Logging in to a Remote Access VPN Site Logging in through the my.vpn page Note: You do not need to know the my.firewall page administrator’s password in order to use the my.vpn page. To manually log in to a VPN site through the my.vpn page 1. Direct your Web browser to http://my.vpn The VPN Login screen appears. 2. In the Site Name list, select the site to which you want to log in. 3. Enter your user name and password in the appropriate fields. 4. Click Login.
PAGE 232
Logging Out of a Remote Access VPN Site • If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site. • The VPN Login Status box appears. The Status field tracks the connection’s progress. • Once the Safe@Office appliance has finished connecting, the Status field changes to “Connected”. • The VPN Login Status box remains open until you manually log out of the VPN site.
PAGE 233
Using Certificates Using Certificates A digital certificate is a secure means of authenticating the Safe@Office appliance to other Site-to-Site VPN Gateways. The certificate is issued by the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information.
PAGE 234
Using Certificates Note: To use certificates authentication, each Safe@Office appliance should have a unique certificate. Do not use the same certificate for more than one gateway. Note: If your Safe@Office appliance is centrally managed, a certificate is automatically generated and downloaded to your appliance. In this case, there is no need to generate a self-signed certificate. Generating a Self-Signed Certificate To generate a self-signed certificate 1.
PAGE 235
Using Certificates The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Generate a self-signed security certificate for this gateway. The Create Self-Signed Certificate dialog box appears. 4. Complete the fields using the information in the following table. 5. Click Next.
PAGE 236
Using Certificates The Safe@Office appliance generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details. 6. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
PAGE 237
Using Certificates • 624 The starting and ending dates between which the gateway's certificate and the CA's certificate are valid Check Point Safe@Office User Guide
PAGE 238
Using Certificates Table 127: Certificate Fields In this field… Do this… Country Select your country from the drop-down list. Organization Type the name of your organization. Name Organizational Unit Type the name of your division. Gateway Name Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate. This field is filled in automatically with the gateway's MAC address.
PAGE 239
Using Certificates Importing a Certificate To install a certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears. 2. Click Install Certificate. The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Import a security certificate in PKCS#12 format. The Import Certificate dialog box appears. 4. Click Browse to open a file browser from which to locate and select the file.
PAGE 240
Using Certificates The Import-Certificate Passphrase dialog box appears. This may take a few moments. 6. Type the pass-phrase you received from the network security administrator. 7. Click Next. The Done dialog box appears, displaying the certificate's details. 8. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
PAGE 241
Using Certificates • The starting and ending dates between which the gateway's certificate and the CA's certificate are valid Uninstalling a Certificate If you uninstall the certificate, no certificate will exist on the Safe@Office appliance, and you will not be able to connect to the VPN if a certificate is required. You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication.
PAGE 242
Using Certificates Exporting Certificates The Safe@Office appliance allows you to export the following certificates: • The device certificate Exporting the device certificate is useful for backup purposes. Note: If your Safe@Office appliance is centrally managed, there is no need to back up the device certificate, as it can be downloaded from the Service Center as needed. • The device Certificate Authority (CA) certificate When using the Safe@Office EAP authenticator with WPA-Enterprise or 802.
PAGE 243
Using Certificates The certificate is exported as a *.p12 file and saved to the specified directory. Note: This file contains the gateway's private key, which is confidential and must not be passed to unauthorized users. Exporting the CA Certificate To export the CA certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears with the name of the currently installed certificate. 2. Click Export CA Certificate. A standard File Download dialog box appears. 3.
PAGE 244
Viewing VPN Tunnels Viewing VPN Tunnels You can view a list of currently established VPN tunnels. VPN tunnels are created and closed as follows: • Remote Access VPN sites configured for Automatic Login and Site-to-Site VPN Gateways A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time.
PAGE 245
Viewing VPN Tunnels 2. To resize a column, drag the relevant column divider right or left. 3. To refresh the table, click Refresh. Table 128: VPN Tunnels Page Fields This field… Displays… Type The currently active security protocol (IPSEC). Source The IP address or address range of the entity from which the tunnel originates. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 633. Destination The IP address or address range of the entity to which the tunnel is connected.
PAGE 246
Viewing VPN Tunnels This field… Displays… Established The time at which the tunnel was established.
PAGE 247
Viewing IKE Traces for VPN Connections Viewing IKE Traces for VPN Connections If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool to view the file. The IKE View tool is available for the Windows platform. Note: Before viewing IKE traces, it is recommended to do the following: • The Safe@Office appliance stores traces for all recent IKE negotiations.
PAGE 248
Viewing VPN Topology The Save As dialog box appears. 5. Browse to a destination directory of your choice. 6. Type a name for the *.elg file and click Save. The *.elg file is created and saved to the specified directory. This file contains the IKE traces of all currently-established VPN tunnels. 7. Use the IKE View tool to open and view the *.elg file, or send the file to technical support.
PAGE 249
Viewing VPN Topology The VPN Topology page appears displaying a tree of VPN sites to which the appliance is connected. 3. To view topology information for a VPN site, in the tree, click the VPN site's name. The right pane displays the information described in the following table.
PAGE 250
Viewing VPN Topology Table 130: VPN Topology Page Fields This field… Displays… Split DNS The VPN site's split DNS mappings. When split DNS is configured for a VPN site, certain domain suffixes are mapped to corporate DNS servers. This means that requests for these domain suffixes are sent to the specific DNS servers to which they are mapped, while all other requests are sent to the ISP's DNS servers. For example, a VPN site's split DNS mappings might indicate that all requests for the domain suffix ".
PAGE 251
PAGE 252
Changing Your Login Credentials Chapter 20 Managing Users This chapter describes how to manage Safe@Office appliance users. You can define multiple users, set their passwords, and assign them various permissions. This chapter includes the following topics: Changing Your Login Credentials............................................................639 Adding and Editing Users ........................................................................643 Adding Quick Guest HotSpot Users.........................
PAGE 253
Changing Your Login Credentials The Internal Users page appears. 2. 640 In the row of your username, click Edit.
PAGE 254
Changing Your Login Credentials The Account Wizard opens displaying the Set User Details dialog box. 3. Edit the Username field. 4. Edit the Password and Confirm password fields. Note: Use 5 to 25 characters (letters or numbers) for the new password. 5. Click Next.
PAGE 255
Changing Your Login Credentials The Set User Permissions dialog box appears. 6. Click Finish. Your changes are saved.
PAGE 256
Adding and Editing Users Adding and Editing Users This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the Safe@Office appliance provides, see Adding Quick Guest HotSpot Users on page 647. To add or edit a user 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears. 2. Do one of the following: • To create a new user, click New User. next to the desired user.
PAGE 257
Adding and Editing Users 4. Click Next. The Set User Permissions dialog box appears. The options that appear on the page are dependant on the software and services you are using. 5. Complete the fields using the information in Set User Permissions Fields on page 645. 6. Click Finish. The user is saved. Table 131: Set User Details Fields In this field… Do this… Username Enter a username for the user. Password Enter a password for the user.
PAGE 258
Adding and Editing Users In this field… Do this… Expires On To specify an expiration time for the user, select this option and specify the expiration date and time in the fields provided. When the user account expires, it is locked, and the user can no longer log in to the Safe@Office appliance. If you do not select this option, the user will not expire. Table 132: Set User Permissions Fields In this field... Do this... Administrator Level Select the user’s level of access to the Safe@Office Portal.
PAGE 259
Adding and Editing Users Web Filtering Select this option to allow the user to override the Web Filtering service Override and Web rules. This option cannot be changed for the “admin” user. HotSpot Access Select this option to allow the user to log in to the My HotSpot page. For information on Secure HotSpot, see Configuring Secure HotSpot on page 380. This option only appears in Safe@Office 500 with Power Pack. Remote Desktop Select this option to allow the user to log in to the my.
PAGE 260
Adding Quick Guest HotSpot Users Adding Quick Guest HotSpot Users The Safe@Office appliance provides a shortcut for quickly adding a guest HotSpot user. This is useful in situations where you want to grant temporary network access to guests, for example in an Internet café. The shortcut also enables printing the guest user's details in one click. By default, the quick guest user has the following characteristics: • Username in the format guest, where is a unique three-digit number.
PAGE 261
Adding Quick Guest HotSpot Users The Account Wizard opens displaying the Save Quick Guest dialog box. 3. In the Expires field, click on the arrows to specify the expiration date and time. 4. To print the user details, click Print. 5. Click Finish. The guest user is saved. You can edit the guest user's details and permissions using the procedure Adding and Editing Users on page 643.
PAGE 262
Viewing and Deleting Users Viewing and Deleting Users Note: The “admin” user cannot be deleted. To view or delete users 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red. 2. To delete a user, do the following: a) In the desired user’s row, click . A confirmation message appears. b) Click OK. 3. The user is deleted.
PAGE 263
Setting Up Remote VPN Access for Users Setting Up Remote VPN Access for Users If you are using your Safe@Office appliance as a SecuRemote Remote Access VPN Server, as an internal VPN Server, or as an L2TP VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, an L2TP VPN Client, or another Embedded NGX appliance). To set up remote VPN access for a user 1.
PAGE 264
Using RADIUS Authentication Vendor-Specific Attribute (VSA) with a set of attributes containing permission information for specific users. If the VSA is configured for a user, then the RADIUS server passes the VSA to the Safe@Office appliance as part of the response to the authentication request, and the gateway assigns the user permissions as specified in the VSA. If the VSA is not returned by the RADIUS server for a specific user, the gateway will use the default permission set for this user.
PAGE 265
Using RADIUS Authentication The RADIUS page appears. 2. Complete the fields using the following table. 3. Click Apply. 4. To restore the default RADIUS settings, do the following: a) Click Default. A confirmation message appears. b) Click OK. The RADIUS settings are reset to their defaults. For information on the default values, refer to the following table.
PAGE 266
Using RADIUS Authentication 5. If desired, configure user permissions and/or the HotSpot session timeout on the RADIUS server. See Configuring RADIUS Attributes on page 657. Table 133: RADIUS Page Fields In this field… Do this… Primary/Secondary Configure the primary and secondary RADIUS servers. RADIUS Server By default, the Safe@Office appliance sends a request to the primary RADIUS server first.
PAGE 267
Using RADIUS Authentication In this field… Do this… Realm If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: @ For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log in to the Safe@Office Portal, the Safe@Office appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”. This field is optional.
PAGE 268
Using RADIUS Authentication In this field… Do this… Administrator Level Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are: • No Access: The user cannot access the Safe@Office Portal. • Read Only: The user can log in to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page.
PAGE 269
Using RADIUS Authentication In this field… Do this… Remote Desktop Select this option to allow all users authenticated by the RADIUS server Access to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature. Note: Authenticated users can perform these actions, even if their level of administrative access is "No Access". For information on Remote Desktop, see Using Remote Desktop on page 661.
PAGE 270
Configuring RADIUS Attributes Configuring RADIUS Attributes To define a timeout for Secure HotSpot sessions • Set the Session-Timeout Attribute (attribute 27) to the number of seconds after which users should be automatically logged out from the hotspot. To assign permissions to specific RADIUS-authenticated users 1. Create a remote access policy as follows: a) Assign the policy’s VSA (attribute 26) the SofaWare vendor code (6983).
PAGE 271
Configuring RADIUS Attributes Table 134: VSA Syntax Permission Admin Description Indicates the Attribute Attribute Number Format 1 String Attribute Values none. The user administrator’s cannot access the level of access to Safe@Office the Safe@Office Portal. Portal Notes readonly. The user can log in to the Safe@Office Portal, but cannot modify system settings. users-manager. The user can log in to the Safe@Office Portal and add, edit, or delete "No Access"-level users.
PAGE 272
Configuring RADIUS Attributes Permission VPN Description Attribute Values Notes true. The user can This permission the user can remotely access is only relevant if access the the network via the Safe@Office network from a VPN. Remote Access Indicates whether Attribute Attribute Number Format 2 String Remote Access false. The user VPN Client. cannot remotely access the network via VPN. Hotspot VPN Server is enabled. The gateway must have a certificate. true.
PAGE 273
Configuring RADIUS Attributes Permission Description Attribute Attribute Number Format 5 String Attribute Values Notes true. The user can This permission is RemoteDe Indicates whether sktop the user can log in to the only relevant if remotely access my.firewall portal, the Remote computers' view the Active Desktop feature is desktops, using Computers page, enabled. the Remote and remotely Desktop feature.
PAGE 274
Overview Chapter 21 Using Remote Desktop This chapter describes how to remotely access the desktop of each of your computers, using the Safe@Office appliance's Remote Desktop feature. This chapter includes the following topics: Overview ..................................................................................................661 Workflow..................................................................................................662 Configuring Remote Desktop...................................
PAGE 275
Workflow Workflow To use Remote Desktop 1. Configure Remote Desktop. See Configuring Remote Desktop on page 663. 2. Enable the Remote Desktop server on computers that authorized users should be allowed to remotely access. See Configuring the Host Computer on page 666. 3. Grant Remote Desktop Access permissions to users who should be allowed to remotely access desktops. See Adding and Editing Users on page 643. 4. The authorized users can access remote computers' desktops as desired.
PAGE 276
Configuring Remote Desktop Configuring Remote Desktop To configure Remote Desktop 1. Click Setup in the main menu, and click the Remote Desktop tab. The Remote Desktop page appears. 2. Do one of the following: • To enable Remote Desktop, select the Allow remote desktop access check box.
PAGE 277
Configuring Remote Desktop New fields appear. • To disable Remote Desktop, clear the Allow remote desktop access check box. 3. Fields disappear. Complete the fields using the information in the following table. 4. Click Apply.
PAGE 278
Configuring Remote Desktop Table 135: Remote Desktop Options In this field… Do this… Sharing Share local drives Select this option to allow the host computer to access hard drives on the client computer. This enables remote users to access their local hard drives when logged in to the host computer. Share local printers Select this option to allow the host computer to access printers on the client computer. This enables remote users to access their local printer when logged in to the host computer.
PAGE 279
Configuring the Host Computer Configuring the Host Computer To enable remote users to connect to a computer, you must enable the Remote Desktop server on that computer. Note: The host computer must have one of the following operating systems installed: • Microsoft Windows Server 2003 • Microsoft Windows XP Professional • Microsoft Windows XP Media Center • Microsoft Windows XP Tablet PC 2005 To enable users to remotely connect to a computer 1. Log on to the desired computer as an administrator.
PAGE 280
Configuring the Host Computer The Remote tab appears. 5. Select the Allow users to connect remotely to this computer check box. 6. Click Select Remote Users. The Remote Desktop Users dialog box appears. 7. Do the following for each remote user who should be allowed to access this computer: a. Click Add.
PAGE 281
Configuring the Host Computer The Select Users dialog box appears. b. Type the desired user's username in the text box. The Check Names button is enabled. c. Click Check Names. d. Click OK. The Remote Desktop Users dialog box reappears with the desired user's username. 8. Click OK. 9. Click OK.
PAGE 282
Accessing a Remote Computer's Desktop Accessing a Remote Computer's Desktop Note: The client computer must meet the following requirements: • Microsoft Internet Explorer 6.0 or later • A working Internet connection To access a remote computer's desktop 1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears. 2. Next to the desired computer, click Remote Desktop.
PAGE 283
Accessing a Remote Computer's Desktop 3. • If you are prompted to install the Remote Desktop Active X Control, then install it. • The Remote Desktop Connection Security Warning dialog box appears. Select the desired connection options. The available options depend on your Remote Desktop configuration. See Configuring Remote Desktop on page 663. 4. Click OK. The Log On to Windows dialog box appears. 5. Type your username and password for the remote computer.
PAGE 284
Accessing a Remote Computer's Desktop You can use the following keyboard shortcuts during the Remote Desktop session: Table 136: Remote Desktop Keyboard Shortcuts This shortcut… Does this… ALT+INSERT Cycles through running programs in the order that they were started ALT+HOME Displays the Start menu CTRL+ALT+BREAK Toggles between displaying the session in a window and on the full screen CTRL+ALT+END Opens the Windows Security dialog box Chapter 21: Using Remote Desktop 671
PAGE 285
PAGE 286
Overview Chapter 22 Controlling the Appliance via the Command Line This chapter describes various ways of controlling your Safe@Office appliance through the command line. This chapter includes the following topics: Overview ..................................................................................................673 Using the Safe@Office Portal ..................................................................674 Using the Serial Console ............................................................
PAGE 287
Using the Safe@Office Portal Using the Safe@Office Portal You can control your appliance via the Safe@Office Portal's command line interface. To control the appliance via the Safe@Office Portal 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. 674 Click Command.
PAGE 288
Using the Safe@Office Portal The Command Line page appears. 3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NGX CLI Reference Guide. 4. Click Go. The command is implemented.
PAGE 289
Using the Serial Console Using the Serial Console You can connect a console to the Safe@Office appliance, and use the console to control the appliance via the command line. Note: Your terminal emulation software and your Safe@Office appliance's Serial port must be configured for the same speed. By default, the appliance's Serial port's speed is 57600 bps. For information on changing the Serial port's speed, refer to the Embedded NGX CLI Reference Guide. To control the appliance via a console 1.
PAGE 290
Using the Serial Console The Ports page appears. 3. Next to the Serial port, click Edit.
PAGE 291
Using the Serial Console The Port Setup page appears. 4. In the Assign to drop-down list, select Console. 5. In the Port Speed drop-down list, select the Serial port's speed (in bits per second). The Serial port's speed must match that of the attached serial console. The default value is 57600. 6. In the Flow Control drop-down list, select the method of flow control supported by the attached device: • 7. RTS/CTS. Hardware-based flow control, using the Serial port's RTS/CTS lines. • XON/XOFF.
PAGE 292
Configuring SSH Configuring SSH Safe@Office appliance users can control the appliance via the command line, using the SSH (Secure Shell) management protocol. You can enable users to do so via the Internet, by configuring remote SSH access. You can also integrate the Safe@Office appliance with SSH-based management systems. Note: The Safe@Office appliance supports SSHv2 clients only. The SSHv1 protocol contains security vulnerabilities and is not supported.
PAGE 293
Configuring SSH If you selected Internal Networks + IP Range, additional fields appear. 3. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. 4. Click Apply. The SSH configuration is saved. If you configured remote SSH access, you can now control the Safe@Office appliance from the Internet, using an SSHv2 client. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.
PAGE 294
Configuring SSH Table 137: SSH Access Options Select this To allow access from… option… Internal Networks The internal network only. This disables remote access capability. This is the default. Internal Networks + The internal network and your VPN. VPN Internal Networks + A particular range of IP addresses. IP Range Additional fields appear, in which you can enter the desired IP address range. ANY Any IP address. Disabled Nowhere. This disables both local and remote access capability.
PAGE 295
PAGE 296
Viewing Firmware Status Chapter 23 Maintenance This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance. This chapter includes the following topics: Viewing Firmware Status .........................................................................683 Upgrading Your Software Product ...........................................................685 Configuring a Gateway Hostname ...........................................................
PAGE 297
Viewing Firmware Status The Firmware page appears. The Firmware page displays the following information: Table 138: Firmware Status Fields This field… Displays… For example… WAN MAC Address The MAC address used for 00:80:11:22:33:44 the Internet connection Firmware Version The current version of the 7.
PAGE 298
Upgrading Your Software Product This field… Displays… For example… Uptime The time that elapsed from 01:21:15 the moment the unit was turned on Hardware Type The type of the current SBox-200 Safe@Office appliance hardware Hardware Version The current hardware 1.0 version of the Safe@Office appliance Upgrading Your Software Product You can upgrade your Safe@Office 500 appliance by adding the Safe@Office 500 Power Pack.
PAGE 299
Upgrading Your Software Product The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed. 3. Click Enter a different Product Key. 4. In the Product Key field, enter the new Product Key. 5. Click Next. The Installed New Product Key dialog box appears.
PAGE 300
Configuring a Gateway Hostname 6. Click Finish. Configuring a Gateway Hostname You can define a gateway hostname for the Safe@Office appliance. The gateway hostname is used to identify the Safe@Office appliance and appears in the following places: • The Safe@Office Portal’s title bar • The Safe@Office appliance's SNMP hostname • Syslog messages sent by the Safe@Office appliance • The command line prompt By default, the Safe@Office appliance's MAC address is used as the gateway hostname.
PAGE 301
Configuring a Gateway Hostname The Gateway Name page appears. 3. In the Gateway Name field, type the desired hostname. 4. To reset the gateway hostname to the default value (the appliance's MAC address), click Default. 5. Click Apply.
PAGE 302
Configuring Syslog Logging Configuring Syslog Logging You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).
PAGE 303
Configuring Syslog Logging The Logging page appears. 2. Complete the fields using the information in the following table. 3. Click Apply. Table 139: Logging Page Fields In this field… Do this… Syslog Server Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service. Clear Click to clear the Syslog Server field. Syslog Port Type the port number of the Syslog server.
PAGE 304
Configuring HTTPS Configuring HTTPS You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS. Note: Configuring HTTPS is equivalent to creating a simple Allow rule, where the destination is This Gateway. To create more complex rules for HTTPS, such as allowing HTTPS connections from multiple IP address ranges, define Allow rules for TCP port 443, with the destination This Gateway. For information, see Using Rules on page 360.
PAGE 305
Configuring HTTPS 2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See Access Options on page 693 for information. Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so it is especially important to make sure all Safe@Office appliance users’ passwords are difficult to guess. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
PAGE 306
Configuring HTTPS Table 140: Access Options Select this To allow access from… Internal Networks The internal network only. option… This disables remote access capability. This is the default. Internal Networks + The internal network and your VPN. VPN Internal Networks + A particular range of IP addresses. IP Range Additional fields appear, in which you can enter the desired IP address range. ANY Any IP address. Disabled Nowhere. This disables both local and remote access capability.
PAGE 307
Configuring SNMP Configuring SNMP The Safe@Office appliance users can monitor the Safe@Office appliance, using tools that support SNMP (Simple Network Management Protocol). You can enable users to do so via the Internet, by configuring remote SNMP access. The Safe@Office appliance supports the following SNMP MIBs: • SNMPv2-MIB • RFC1213-MIB • IF-MIB • IP-MIB All SNMP access is read-only. Note: Configuring SNMP is equivalent to creating a simple Allow rule, where the destination is This Gateway.
PAGE 308
Configuring SNMP The Community field and the Advanced link are enabled. 3. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. 4. In the Community field, type the name of the SNMP community string. SNMP clients uses the SNMP community string as a password, when connecting to the Safe@Office appliance. The default value is "public". It is recommended to change this string. 5. To configure advanced SNMP settings, do the following: a. Click Advanced.
PAGE 309
Configuring SNMP The SNMP Configuration page appears. b. 696 Complete the fields using the following table.
PAGE 310
Configuring SNMP If you selected the Send SNMP Traps check box, additional fields appear. 6. Click Apply. The SNMP configuration is saved. 7. Configure the SNMP clients with the SNMP community string. Table 141: Advanced SNMP Settings In this field... Do this… System Location Type a description of the appliance's location. This information will be visible to SNMP clients, and is useful for administrative purposes. System Contact Type the name of the contact person.
PAGE 311
Configuring SNMP In this field... Do this… SNMP Port Type the port to use for SNMP. The default port is 161. Send SNMP Traps Select this option to enable sending SNMP traps. An SNMP trap is a notification sent from one application to another. Send Traps On: Indicates that SNMP traps will automatically be sent upon Startup / Shutdown startup/shutdown events. This option is always selected.
PAGE 312
Setting the Time on the Appliance Setting the Time on the Appliance You set the time displayed in the Safe@Office Portal during initial appliance setup. If desired, you can change the date and time using the procedure below. To set the time 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Set Time. The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office Time dialog box. 3.
PAGE 313
Setting the Time on the Appliance • If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next. • If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 702, then click Next.
PAGE 314
Setting the Time on the Appliance • 5. The Date and Time Updated screen appears. Click Finish. Table 142: Set Time Wizard Fields Select this option… To do the following… Your computer's clock Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option. Keep the current setting Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
PAGE 315
Using Diagnostic Tools Table 143: Time Servers Fields In this field… Do this… Primary Server Type the IP address of the Primary NTP server. Secondary Server Type the IP address of the Secondary NTP server. This field is optional. Clear Clear the field. Select your time zone Select the time zone in which you are located. Using Diagnostic Tools The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
PAGE 316
Using Diagnostic Tools Use this To do this… For information, see... WHOIS Display the name and contact information Using IP Tools on page 703 tool… of the entity to which a specific IP address or DNS name is registered. This information is useful in tracking down hackers. Packet Sniffer Capture network traffic. This information is Using Packet Sniffer on page useful troubleshooting network problems. 706 Using IP Tools To use an IP tool 1.
PAGE 317
Using Diagnostic Tools The IP Tools window opens and displays the percentage of packet loss and the amount of time it took each packet to reach the specified host and return (roundtrip) in milliseconds. • If you selected Traceroute, the following things happen: The Safe@Office appliance connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
PAGE 318
Using Diagnostic Tools • If you selected WHOIS, the following things happen: The Safe@Office appliance queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.
PAGE 319
Using Diagnostic Tools Using Packet Sniffer The Safe@Office appliance includes the Packet Sniffer tool, which enables you to capture packets from any internal network or Safe@Office port. This is useful for troubleshooting network problems and for collecting data about network behavior. If desired, you can configure Packet Sniffer to capture each packet twice: once before firewall processing and once after firewall processing.
PAGE 320
Using Diagnostic Tools The Packet Sniffer window opens. 3. Complete the fields using the information in the following table. 4. Click Start. The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets. 5. Click Stop to stop collecting packets. A standard File Download dialog box appears. 6. Click Save. The Save As dialog box appears. 7.
PAGE 321
Using Diagnostic Tools Table 145: Packet Sniffer Fields In this field… Do this… Interface Select the interface from which to collect packets. The list includes the primary Internet connection, the Safe@Office appliance ports, and all defined networks. Filter String Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter strings elements, see Filter String Syntax on page 709.
PAGE 322
Using Diagnostic Tools Filter String Syntax The following represents a list of basic filter string elements: • and on page 709 • dst on page 710 • dst port on page 710 • ether proto on page 711 • host on page 712 • not on page 712 • or on page 713 • port on page 713 • src on page 714 • src port on page 714 • tcp on page 715 • udp on page 716 For detailed information on filter syntax, refer to http://www.tcpdump.org.
PAGE 323
Using Diagnostic Tools EXAMPLE The following filter string saves packets that both originate from IP address is 192.168.10.1 and are destined for port 80: src 192.168.10.1 and dst port 80 dst PURPOSE The dst element captures all packets with a specific destination. SYNTAX dst destination PARAMETERS destination IP Address or String. The computer to which the packet is sent.
PAGE 324
Using Diagnostic Tools PARAMETERS port Integer. The port to which the packet is sent. EXAMPLE The following filter string saves packets that are destined for port 80: dst port 80 ether proto PURPOSE The ether proto element is used to capture packets of a specific ether protocol type. SYNTAX ether proto \protocol PARAMETERS protocol String. The protocol type of the packet. This can be the following: ip, ip6, arp, rarp, atalk, aarp, dec net, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
PAGE 325
Using Diagnostic Tools host PURPOSE The host element captures all incoming and outgoing packets for a specific computer. SYNTAX host host PARAMETERS host IP Address or String. The computer to/from which the packet is sent. This can be the following: • An IP address • A host name EXAMPLE The following filter string saves all packets that either originated from IP address 192.168.10.1, or are destined for that same IP address: host 192.168.10.
PAGE 326
Using Diagnostic Tools or PURPOSE The or element is used to alternate between string elements. The filtered packets must match at least one of the filter string elements. SYNTAX element or element [or element...] element || element [|| element...] PARAMETERS element String. A filter string element. EXAMPLE The following filter string saves packets that either originate from IP address 192.168.10.1 or IP address 192.168.10.10: src 192.168.10.1 or src 192.168.10.
PAGE 327
Using Diagnostic Tools EXAMPLE The following filter string saves all packets that either originated from port 80, or are destined for port 80: port 80 src PURPOSE The src element captures all packets with a specific source. SYNTAX src source PARAMETERS source IP Address or String. The computer from which the packet is sent. This can be the following: • An IP address • A host name EXAMPLE The following filter string saves packets that originated from IP address 192.168.10.1: src 192.168.10.
PAGE 328
Using Diagnostic Tools PARAMETERS port Integer. The port from which the packet is sent. EXAMPLE The following filter string saves packets that originated from port 80: src port 80 tcp PURPOSE The tcp element captures all TCP packets. This element can be prepended to port-related elements. Note: When not prepended to other elements, the tcp element is the equivalent of ip proto tcp. SYNTAX tcp tcp element PARAMETERS element String.
PAGE 329
Using Diagnostic Tools EXAMPLE 1 The following filter string captures all TCP packets: tcp EXAMPLE 2 The following filter string captures all TCP packets destined for port 80: tcp dst port 80 udp PURPOSE The udp element captures all UDP packets. This element can be prepended to port-related elements. Note: When not prepended to other elements, the udp element is the equivalent of ip proto udp. SYNTAX udp udp element PARAMETERS element String.
PAGE 330
Backing Up and Restoring the Safe@Office Appliance Configuration EXAMPLE 1 The following filter string captures all UDP packets: udp EXAMPLE 2 The following filter string captures all UDP packets destined for port 80: udp dst port 80 Backing Up and Restoring the Safe@Office Appliance Configuration The Safe@Office appliance provides the following ways of backing up and restoring its configuration: • Backup and restore on your computer You can export the Safe@Office appliance configuration to a *.
PAGE 331
Backing Up and Restoring the Safe@Office Appliance Configuration Backing Up the Appliance Configuration Exporting the Appliance Configuration to Your Computer To export the Safe@Office appliance configuration to your computer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Export. A standard File Download dialog box appears. 3. Click Save. The Save As dialog box appears. 4. Browse to a destination directory of your choice. 5.
PAGE 332
Backing Up and Restoring the Safe@Office Appliance Configuration Backing Up the Appliance Configuration to a USB Flash Drive The USB flash drive must have at least 64MB of free space. Note: Some USB flash drives may not be supported by the appliance. To backup the appliance configuration to a USB flash drive 1. Connect a USB flash drive to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1. 2.
PAGE 333
Backing Up and Restoring the Safe@Office Appliance Configuration The Safe@Office appliance creates the folder on the USB flash drive, where is the appliance's MAC address, and writes the following files to this folder: • embeddedngx.cfg • embeddedngx.p12 The Step 2: Backup Complete screen appears. 6. Click Finish. You can now restore the configuration from the USB flash drive as needed. See Restoring the Appliance Configuration from a USB Flash Drive on page 723.
PAGE 334
Backing Up and Restoring the Safe@Office Appliance Configuration Restoring the Appliance Configuration Importing the Appliance Configuration from Your Computer To import the appliance configuration from your computer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Import. The Import Settings page appears. 3. Do one of the following: • In the Import Settings field, type the full path to the configuration file.
PAGE 335
Backing Up and Restoring the Safe@Office Appliance Configuration 4. • Click Browse, and browse to the configuration file. Click Upload. A confirmation message appears. 5. Click OK. The Safe@Office appliance settings are imported. The Import Settings page displays the configuration file's content and the result of implementing each configuration command.
PAGE 336
Backing Up and Restoring the Safe@Office Appliance Configuration Restoring the Appliance Configuration from a USB Flash Drive To restore the appliance configuration from a USB flash drive 1. Connect a USB flash drive to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1. 2. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 3. Click Backup/Restore.
PAGE 337
Backing Up and Restoring the Safe@Office Appliance Configuration The Step 2: Restore Complete screen appears displaying the configuration file's content and the result of implementing each configuration command. Note: If the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results. 6. 724 Click Finish.
PAGE 338
Using Rapid Deployment Using Rapid Deployment Safe@Office appliances are shipped with a specific firmware and group of settings that represent the appliance's default state. When installing a new appliance, you can configure different settings and install new firmware versions as needed; however, this can be timeconsuming.
PAGE 339
Using Rapid Deployment Preparing the USB Flash Drive for Rapid Deployment Before performing a rapid deployment, you must load the USB flash drive with the files you want to install on the appliance(s). To prepare the USB flash drive 1. For each appliance you want to deploy, create a folder named , where is the appliance’s MAC address, and the colons are replaced by underscores.
PAGE 340
Using Rapid Deployment This file... Should be named... The configuration file embeddedngx.cfg The default configuration file preset.cfg The certificate embeddedngx.p12 Performing a Rapid Deployment You must perform the following procedure on each Safe@Office appliance you want to deploy. To perform a rapid deployment 1. Reset the Safe@Office appliance to its default settings. See Resetting the Safe@Office Appliance to Defaults on page 728. 2.
PAGE 341
Resetting the Safe@Office Appliance to Defaults • 3. If an error occurs during the rapid deployment process, the PWR/SEC LED blinks quickly in red, the errors are logged to the Event Log, and rapid deployment continues. • When rapid deployment is complete, the PWR/SEC LED is a constant green. To check the results of rapid deployment, in the USB flash drive's root folder, open the file results-.log.
PAGE 342
Resetting the Safe@Office Appliance to Defaults To reset the Safe@Office appliance to factory defaults via the Web interface 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Factory Settings. A confirmation message appears. 3. To revert to the firmware version that shipped with the appliance, select the check box. 4. Click OK. • The Please Wait screen appears. • The Safe@Office appliance returns to its factory defaults.
PAGE 343
Resetting the Safe@Office Appliance to Defaults • The Safe@Office appliance is restarted. This may take a few minutes. • The Login page appears. To reset the Safe@Office appliance to factory defaults using the Reset button 1. Make sure the Safe@Office appliance is powered on. 2. Using a pointed object, press the RESET button on the back of the Safe@Office appliance steadily for seven seconds and then release it. 3. Allow the Safe@Office appliance to boot-up until the system is ready.
PAGE 344
Running Diagnostics Running Diagnostics You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support. To view diagnostic information 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Diagnostics. Technical information about your Safe@Office appliance appears in a new window.
PAGE 345
Rebooting the Safe@Office Appliance Rebooting the Safe@Office Appliance If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem. To reboot the Safe@Office appliance 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Restart. A confirmation message appears. 3. Click OK. • The Please Wait screen appears. • The Safe@Office appliance is restarted. This may take a few minutes. • 732 The Login page appears.
PAGE 346
Overview Chapter 24 Using Network Printers This chapter describes how to set up and use network printers. This chapter includes the following topics: Overview ..................................................................................................733 Setting Up Network Printers.....................................................................734 Configuring Computers to Use Network Printers.....................................737 Viewing Network Printers ......................................
PAGE 347
Setting Up Network Printers Setting Up Network Printers To set up a network printer 1. Connect the network printer to the Safe@Office appliance. See Connecting the Appliance to Network Printers on page 63. 2. Turn the printer on. 3. In the Safe@Office Portal, click Network in the main menu, and click the Ports tab. The Ports page appears. 4. 734 Next to USB, click Edit.
PAGE 348
Setting Up Network Printers The USB Devices page appears. If the Safe@Office appliance detected the printer, the printer is listed on the page. If the printer is not listed, check that you connected the printer correctly, then click Refresh to refresh the page. 5. Next to the printer, click Edit.
PAGE 349
Setting Up Network Printers The Printer Setup page appears. 6. Write down the port number allocated to the printer. The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer. 7. To change the port number, do the following: a. Type the desired port number in the Printer Server TCP Port field. Note: Printer port numbers may not overlap, and must be high ports. b. Click Apply.
PAGE 350
Configuring Computers to Use Network Printers See Configuring Computers to Use Network Printers on page 737. Configuring Computers to Use Network Printers Perform the relevant procedure on each computer from which you want to enable printing via the Safe@Office print server to a network printer. Windows Vista This procedure is relevant for computers with a Windows Vista operating system. To configure a computer to use a network printer 1.
PAGE 351
Configuring Computers to Use Network Printers The Control Panel window opens. 3. 738 Under Hardware and Sound, click Printer.
PAGE 352
Configuring Computers to Use Network Printers The Printers screen appears. 4. Click Add a printer. The Add Printer wizard opens displaying the Choose a local or network printer screen. 5. Click Add a local printer. 6. Click Next.
PAGE 353
Configuring Computers to Use Network Printers The Choose a printer port dialog box appears. 7. Click Create a new port. 8. In the Type of port drop-down list, select Standard TCP/IP Port. 9. Click Next. The Type a printer hostname or IP address dialog box appears. 10. In the Device type drop-down list, select Autodetect. 11. In the Hostname or IP address field, type the Safe@Office appliance's LAN IP address, or "my.firewall".
PAGE 354
Configuring Computers to Use Network Printers 12. In the Port name field, type the port name. 13. Select the Query the printer and automatically select the driver to use check box. 14. Click Next. The following things happen: • If Windows cannot identify your printer, the Additional Port Information Required dialog box appears. Do the following: 1) Click Custom. 2) Click Settings.
PAGE 355
Configuring Computers to Use Network Printers The Configure Standard TCP/IP Port Monitor dialog box opens. 3) In the Protocol area, make sure that Raw is selected. 4) In the Port Number field, type the printer's port number, as shown in the Printers page. 5) Click OK. 6) Click Next. • The Install the printer driver dialog box displayed. 15. Do one of the following: • 742 Use the lists to select the printer's manufacturer and model.
PAGE 356
Configuring Computers to Use Network Printers • If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk. 16. Click Next. 17. Complete the remaining dialog boxes in the wizard as desired, and click Finish. The printer appears in the Printers and Faxes window. 18. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens. 19.
PAGE 357
Configuring Computers to Use Network Printers Windows 2000/XP This procedure is relevant for computers with a Windows 2000/XP operating system. To configure a computer to use a network printer 1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 364. 2. Click Start > Settings > Control Panel. The Control Panel window opens. 3. Click Printers and Faxes.
PAGE 358
Configuring Computers to Use Network Printers The Local or Network Printer dialog box appears. 6. Click Local printer attached to this computer. Note: Do not select the Automatically detect and install my Plug and Play printer check box. 7. Click Next. The Select a Printer Port dialog box appears. 8. Click Create a new port. 9. In the Type of port drop-down list, select Standard TCP/IP Port. 10. Click Next.
PAGE 359
Configuring Computers to Use Network Printers The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed. 11. Click Next. The Add Port dialog box appears. 12. In the Printer Name or IP Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall". You can find the LAN IP address in the Safe@Office Portal, under Network > My Network. The Port Name field is filled in automatically. 13. Click Next.
PAGE 360
Configuring Computers to Use Network Printers The Add Standard TCP/IP Printer Port Wizard opens, with the Additional Port Information Required dialog box displayed. 14. Click Custom. 15. Click Settings. The Configure Standard TCP/IP Port Monitor dialog box opens. 16. In the Port Number field, type the printer's port number, as shown in the Printers page. 17. In the Protocol area, make sure that Raw is selected. 18. Click OK. The Add Standard TCP/IP Printer Port Wizard reappears.
PAGE 361
Configuring Computers to Use Network Printers 19. Click Next. The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears. 20. Click Finish. The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed. 21. Do one of the following: • Use the lists to select the printer's manufacturer and model. • If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk. 22. Click Next.
PAGE 362
Configuring Computers to Use Network Printers 23. Complete the remaining dialog boxes in the wizard as desired, and click Finish. The printer appears in the Printers and Faxes window. 24. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens. 25. In the Ports tab, in the list box, select the port you added. The port's name is IP_. 26. Click OK.
PAGE 363
Configuring Computers to Use Network Printers MAC OS-X This procedure is relevant for computers with the latest version of the MAC OS-X operating system. Note: This procedure may not apply to earlier MAC OS-X versions. To configure a computer to use a network printer 1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 364. 2. Choose Apple -> System Preferences.
PAGE 364
Configuring Computers to Use Network Printers The Print & Fax window appears. 5. In the Printing tab, click Set Up Printers. The Printer List window appears. 6. Click Add.
PAGE 365
Configuring Computers to Use Network Printers New fields appear. 7. In the first drop-down list, select IP Printing. 8. In the Printer Type drop-down list, select Socket/HP Jet Direct. 9. In the Printer Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall". You can find the LAN IP address in the Safe@Office Portal, under Network > My Network. 10. In the Queue Name field, type the name of the required printer queue.
PAGE 366
Configuring Computers to Use Network Printers A list of models appears. 12. In the Model Name list, select the desired model. 13. Click Add. The new printer appears in the Printer List window. 14. In the Printer List window, select the newly added printer, and click Make Default.
PAGE 367
Viewing Network Printers Viewing Network Printers To view network printers 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. For each printer, the model, serial number, and status is displayed. A printer can have the following statuses: • Initialize. The printer is initializing. • Ready. The printer is ready. • Not Ready. The printer is not ready.
PAGE 368
Changing Network Printer Ports Changing Network Printer Ports When you set up a new network printer, the Safe@Office appliance automatically assigns a port number to the printer. If you want to use a different port number, you can easily change it, as described in Setting Up Network Printers on page 734. However, you may sometimes need to change the port number after completing printer setup.
PAGE 369
Resetting Network Printers Resetting Network Printers You can cause a network printer to restart the current print job, by resetting the network printer. You may want to do this if the print job has stalled. To reset a network printer 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. 3. Next to the desired printer, click Reset Server.
PAGE 370
Connectivity Chapter 25 Troubleshooting This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance. Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 302. This chapter includes the following topics: Connectivity ............................................................................................ 757 Service Center and Upgrades.............................................................
PAGE 371
Connectivity • Check if you have defined firewall rules which block your Internet connectivity. • Check with your ISP for possible service outage. • Check whether you are exceeding the maximum number of computers allowed by your license, by viewing the My Computers page. I cannot access my DSL broadband connection. What should I do? DSL equipment comes in two flavors: bridges (commonly known as DSL modems) and routers. Some DSL equipment can be configured to work both ways.
PAGE 372
Connectivity I cannot access http://my.firewall or http://my.vpn. What should I do? • Verify that the Safe@Office appliance is operating. • Check if the LED for the LAN port used by your computer is green. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. • By default, unencrypted HTTP access is not allowed from the wireless LAN to http://my.firewall or http://my.vpn.
PAGE 373
Connectivity I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do? By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following.
PAGE 374
Service Center and Upgrades I cannot connect to the LAN network from the DMZ or primary WLAN network. What should I do? By default, connections from the DMZ or primary WLAN network to the LAN network are blocked. To allow traffic from the DMZ or primary WLAN to the LAN, configure appropriate firewall rules. For instructions, see Using Rules on page 360. Service Center and Upgrades I have exceeded my node limit.
PAGE 375
Other Problems Other Problems I have forgotten my password. What should I do? Reset your Safe@Office appliance to factory defaults using the Reset button as detailed in Resetting the Safe@Office Appliance to Defaults on page 728. Why are the date and time displayed incorrectly? You can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Appliance on page 699. I cannot use a certain network application. What should I do? Look at the Event Log page.
PAGE 376
Technical Specifications Chapter 26 Specifications This chapter includes the following topics: Technical Specifications.......................................................................... 763 CE Declaration of Conformity................................................................. 770 Federal Communications Commission Radio Frequency Interference Statement .................................................................................................
PAGE 377
Technical Specifications Table 147: Safe@Office ADSL Models Attributes Attribute Safe@Office 500 ADSL Safe@Office 500W ADSL SBXD-166LHGE-5 SBXWD-166LHGE-5 Dimensions 200 x 33 x 122 mm 200 x 33 x 130 mm (width x height x depth) (7.87 x 1.3 x 4.8 inches) (7.87 x 1.3 x 5.12 inches) Physical Attributes (incl. antenna connectors) Weight 660 g (1.46 lbs) 694 g (1.53 lbs) Retail Box Dimensions 290 x 250 x 80 mm 290 x 250 x 80 mm (width x height x depth) (11.42 x 9.84 x 3.15 inches) (11.42 x 9.
PAGE 378
Technical Specifications Humidity: 10 ~ 95% / 10 ~ 90% 10 ~ 95% / 10 ~ 90% (non-condensed) (non-condensed) Safety cULus, CB, LVD cULus, CB, LVD Quality ISO9001, ISO 14001, TL9000 ISO9001, ISO 14001, TL9000 EMC CE . FCC 15B.VCCI CE . FCC 15B.VCCI Reliability EN 300 019 - 1, 2, 3 EN 300 019 - 1, 2, 3 Environment RoHS & WEEE RoHS & WEEE ADSL Part 68.CS03 Part 68.CS03 RF N/A R&TTE .
PAGE 379
Technical Specifications 5V Power Supply Unit Power Supply Nominal In: 100~240VAC @ 0.5A In: 100~240VAC @ 0.5A 9VAC @ 1.5 A 12VDC @ 1.5 A Input Power Supply Nominal Output OR: 12VDC @ 1.5 A Max. Power 4.5W 6.5W Consumption 11.
PAGE 380
Technical Specifications MTBF (hours) 68,000 hours at 30ºC 68,000 hours at 30ºC RF N/A R&TTE .FCC15C,TELCO Table 149: Safe@Office Non-ADSL Models Attributes Attribute Safe@Office 500 Safe@Office 500W Dimensions 200 x 32 x 128 mm 200 x 32 x 128 mm (width x height x depth) (7.87 x 1.26 x 5.04 inches) (7.87 x 1.26 x 5.04 inches) Weight 675 g (1.49 lbs) 685 g (1.51 lbs) Retail Box Dimensions 290 x 250 x 80 mm 290 x 250 x 80 mm (width x height x depth) (11.42 x 9.84 x 3.15 inches) (11.
PAGE 381
Technical Specifications Environmental Conditions Temperature: -20ºC ~ 65ºC -20ºC ~ 65ºC 0ºC ~ 40ºC 0ºC ~ 40ºC 10% ~ 85% 10% ~ 85% (non-condensed) (non-condensed) Safety EN 60950 EN 60950 Quality ISO 9001, 9002, 14001 ISO 9001, 9002, 14001 EMC FCC part 15B FCC Part 15 B & C VCCI V-3/V-4 AS/NZS 4268: 2003 A1 Storage/Transport Temperature: Operation Humidity: Storage/Operation Applicable Standards DGT Reliability EN 300 019 - 1, 2, 3 EN 300 019 - 1, 2, 3 Environment RoHS & WEEE Ro
PAGE 382
Technical Specifications Wireless Attributes Table 150: Safe@Office Wireless Attributes Attribute All Wireless Models Operation Frequency 2.412-2.484 MHz Transmission Power 79.
PAGE 383
CE Declaration of Conformity CE Declaration of Conformity SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.
PAGE 384
CE Declaration of Conformity Attribute Safe@Office 500 SBX-166LHGE-5 Safe@Office 500 SBX-166LHGE-6 / Safe@Office 500W SBXW166LHGE-6 EN 61000-4-8 EN 61000-4-2 EN 61000-4-11 EN 61000-4-3 ENV50204 EN 61000-4-4 EN 61000-4-5 EN 61000-4-6 EN 61000-4-7 EN 61000-4-8 EN 61000-4-9 EN 61000-4-10 EN 61000-4-11 EN 61000-4-12 Safety EN 60950 EN 60950 IEC 60950 IEC 60950 The "CE" mark is affixed to this product to demonstrate conformance to the R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunica
PAGE 385
Federal Communications Commission Radio Frequency Interference Statement Federal Communications Commission Radio Frequency Interference Statement This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
PAGE 386
Glossary of Terms Glossary of Terms A ADSL Modem A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection. C CA The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information.
PAGE 387
Glossary of Terms D DHCP Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer. DMZ A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the Safe@Office appliance.
PAGE 388
Glossary of Terms HTTPS Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data HTTPS is used to transfer confidential user information. Hub A device with multiple ports, connecting several PCs or network devices on a network.
PAGE 389
Glossary of Terms M MAC Address The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN. Mbps Megabits per second. Measurement unit for the rate of data transmission.
PAGE 390
Glossary of Terms PPTP The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private “tunnels” over the Internet. This protocol it is also used by some DSL providers as an alternative for PPPoE. R RJ-45 The RJ-45 is a connector for digital transmission over ordinary phone wire. Router A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
PAGE 391
Glossary of Terms At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file. TCP/IP TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet. U UDP UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).
PAGE 392
Index Index 8 802.
PAGE 393
Index certificate Packet Sniffer • 706 explained • 620 Ping • 702 exporting • 629 Traceroute • 702 exporting CA • 630 using • 702 exporting device • 629 WHOIS • 702 generating self-signed • 621 importing • 626 installing • 620 uninstalling • 628 diagnostics running • 731 dialup connection • 125 Checksum Verification • 436 RS232 modem • 137 Cisco IOS DOS • 433 USB modem • 141 command line interface controlling the appliance via • 673 Content Based Antispam engine direct ADSL connection • 97
PAGE 394
Index Email Antispam • 521 types • 364 Email Antivirus • 521 using • 360 enabling/disabling • 522 firmware selecting protocols for • 523 explained • 774 snoozing • 525 updating • 545 temporarily disabling • 525 updating by using Software Updates • 546 EoA configuring a connection • 85 Event Log viewing • 339 exposed host defining a computer as • 357 explained • 774 F File and Print Sharing • 453 firewall about • 351 levels • 354 rule types • 362 setting security level • 354 technologies • 37 f
PAGE 395
Index configuring • 239 configuring backup • 149 explained • 239 enabling/disabling • 148 Host Port Scan • 444 establishing quick • 148 HTTPS terminating • 149 configuring • 691 troubleshooting • 757 explained • 774 viewing information • 145 using • 77 hub • 59, 149, 239, 757, 775 Internet Setup using • 102 Internet Wizard I IGMP • 455 IKE traces viewing • 634 installation ADSL models • 60 cable type • 59 network • 59 non-ADSL models • 59 software requirements • 9 Instant Messengers • 461 int
PAGE 396
Index configuring • 572 LAN cable • 59 configuring a connection • 85 configuring High Availability for • 239 explained • 775 ports • 59 LAND • 422 licenses upgrading • 685 link configurations modifying • 214 load balancing about • 150 configuring • 150 login MTU explained • 776 N NAT rules about • 386 adding and editing • 389 types • 387 using • 386 viewing and deleting • 393 NetBIOS explained • 776 network changing internal range of • 156 configuring • 153 configuring a DMZ • 169 initial • 71 configur
PAGE 397
Index Network Interface Monitor viewing bridge statistics • 331 viewing general network statistics • 321 viewing Internet connection statistics • 322 viewing wired network statistics • 326 viewing wireless network statistics • 329 network objects adding and editing • 187 using • 185 viewing and deleting • 195 Network Quota • 431 network service objects filter string syntax • 709 using • 706 password changing • 639 setting up • 71 Peer to Peer • 459 Ping of Death • 421 Port-based VLAN about • 174 adding an
PAGE 398
Index configuring • 263 about • 725 defined • 778 performing • 727 printers changing ports • 755 configuring computers to use • 737 resetting • 756 preparing for • 726 Remote Access VPN Clients Remote Access VPN Clients • 561 Remote Access VPN Servers setting up • 734 configuring • 567 using • 733 explained • 561 viewing • 754 Q QoS classes • 251 explained • 251 QoS classes adding and editing • 256 assigning services to • 360 deleting • 260 explained • 251 predefined • 254 restoring defaults • 2
PAGE 399
Index firewall • 360 NAT • 386 rear panel • 16 Safe@Office 500W ADSL VStream Antispam • 510 front panel • 28 VStream Antivirus • 471 network requirements • 26 Web • 529 package contents • 25 S Safe Senders adding • 518 deleting • 519 Safe@Office 500 front panel • 13 network requirements • 10 package contents • 10 rear panel • 11 Safe@Office 500 ADSL front panel • 23 network requirements • 21 package contents • 20 rear panel • 21 Safe@Office 500 series about • 1 features • 2 product family • 2 Safe@
PAGE 400
Index setting the time • 699 setting up • 67 explained • 561 security status • 305 about • 31 technical specifications • 763 configuring port-based security • 374 Safe@Office appliance configuration configuring servers • 357 backing up to a USB flash drive • 719 creating firewall rules • 360 exporting • 718 defining a computer as an exposed host • 357 importing • 721 restoring from a USB flash drive • 723 Safe@Office Portal elements • 79 initial • 71 logging in • 74 logging out • 619 remotely a
PAGE 401
Index Service Center connecting to • 551 explained • 199 Spanning Tree Protocol disconnecting from • 559 explained • 222 refreshing a connection to • 558 with WDS • 265 service routing explained • 199 services Email Filtering • 521 SSH configuring • 679 explained • 679 Stateful Inspection software updates • 546 explained • 777 Web Filtering • 537 technology • 39 Setup Wizard • 71, 86 SIP • 457 Site-to-Site VPN gateways Static IP configuring a connection • 93 Static NAT explained • 561 explai
PAGE 402
Index explained • 551 starting • 551 viewing information • 557 Sweep Scan • 444 SynDefender • 440 Syslog logging viewing reports • 312 traffic reports exporting • 315 viewing • 312 Traffic Shaper advanced • 251 configuring • 689 enabling • 251 explained • 689 explained • 251 T Tag-based VLAN about • 174 adding and editing • 180 deleting • 181 TCP TCP, explained • 777 TCP/IP setting up for MAC OS • 55 setting up for Windows XP/2000 • 50 Teardrop • 420 technical support contacting • 30 Telstra Telstra
PAGE 403
Index about • 650 deleting • 615 configuring • 471 enabling/disabling • 615 virtual access points (VAPs) logging in • 616 about • 174 logging out • 619 adding and editing • 294 types • 561 deleting • 181 VLAN VPN tunnels creation and closing of • 631 adding and editing • 177 establishing • 616 configuring • 13 explained • 778 configuring port-based • 178 viewing • 631 configuring tag-based • 180 VStream Antispam configuring virtual access points • 294 about • 487 deleting • 181 confi
PAGE 404
Index enabling/disabling • 516 configuring • 298 reordering • 516 explained • 265 types • 511 VStream Antivirus Web content filtering solutions about • 527 about • 467 comparison of • 527 configuring • 467 Web Filtering • 537 configuring advanced settings • 482 Web rules • 529 configuring policy • 471 default policy • 469 enabling/disabling • 469 rules • 473 updating • 486 viewing database information • 470 VStream Antivirus rules adding and editing • 473 deleting • 481 enabling/disabling • 480
PAGE 405
Index viewing statistics for • 329 wireless protocols supported • 269 wireless stations viewing • 329 Worm Catcher • 452 X XBox LIVE • 463 792 Check Point Safe@Office User Guide