Check Point Safe@Office Internet Security Appliance User Guide Version 6.
COPYRIGHT & TRADEMARKS Copyright © 2006 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. Information in this document is subject to change without notice and does not represent a commitment on part of SofaWare Technologies Ltd. SofaWare, Safe@Home and Safe@Office are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd.
running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License.
countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. When installing the appliance, ensure that the vents are not blocked. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
About This Guide
To make finding information in this manual easier, some types of information are marked with special symbols or formatting.
Boldface type is used for command and button names.
Note: Notes are denoted by indented text and preceded by the Note icon.
Warning: Warnings are denoted by indented text and preceded by the Warning icon.
Chapter 1 Introduction
This chapter introduces the Check Point Safe@Office appliance and this guide.
This chapter includes the following topics:
• About Your Check Point Safe@Office Appliance
• Safe@Office 500 Product Family
• Safe@Office Features and Compatibility
Safe@Office 500 Product Family allows teleworkers and road warriors to securely connect to the office network, and enables secure interconnection of branch offices.
Safe@Office Features and Compatibility
• LAN ports: 4-ports 10/100 Mbps Fast Ethernet switch
• WAN port:
  • Either:
    a. 10/100 Mbps Fast Ethernet
    OR:
    b.
• Wireless LAN interface with dual diversity antennas supporting up to 108 Mbps (Super G) and Extended Range (XR)
• Integrated USB print server
• Wireless QoS (WMM)

Firewall
The Safe@Office 500 series includes the following features:
• Check Point Firewall-1 Embedded NGX firewall with Application Intelligence
• Intrusion Detection and Prevention using Check Point SmartDefense
• Network Address Translation (NAT)
• Three preset security policies
• Anti-spoofing
• Voice
• Remote Access VPN Server with OfficeMode and RADIUS support
• Remote Access VPN Client
• Site to Site VPN Gateway
• IPSEC VPN pass-through
• Algorithms: AES/3DES/DES, SHA1/MD5
• Hardware Based Secure RNG (Random Number Generator)
• IPSec NAT traversal (NAT-T)
• Route-based VPN
• Backup VPN gateways

Management
The Safe@Office 500 series includes the following features:
• Management via HTTP, HTTPS, SSH, SNMP, Serial CLI
• Central Management: SMP
• NTP automatic time

Optional Security Services
The following subscription security services are available to Safe@Office owners by connecting to a Service Center:
• Firewall Security and Software Updates
• Web Filtering
• Email Antivirus and Antispam Protection
• VStream Embedded Antivirus Updates
• Dynamic DNS Service
• VPN Management
• Security Reporting
• Vulnerability Scanning Service

Power Pack Features
The table below describes the differences between the standard Safe@Office 500
Safe@Office Features and Compatibility Safe@Office 500/500W with Feature Safe@Office 500/500W Secure Hotspot — VLAN (Port/Tag-based) — VPN Throughput 20 Mbps 30 Mbps Site-to-Site VPN 2 tunnels 15 tunnels 10 tunnels 100 tunnels 5 users 25 users Site-to-Site VPN (Managed) * Power Pack Included VPN-1 SecuRemote client Licenses * When managed by SofaWare Security Management Portal (SMP).
The Safe@Office 500W also includes:
• Two antennas
• Wall mounting kit, including two plastic conical anchors and two crosshead screws
• USB extension cable

Network Requirements
• A broadband Internet connection via cable or DSL modem with Ethernet interface (RJ-45)
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• TCP/IP network protocol installed on each computer
• Internet Explorer 5.0 or higher, or Netscape Navigator 4.
Getting to Know Your Safe@Office 500 Appliance

Rear Panel
All physical connections (network and power) to the Safe@Office appliance are made via the rear panel of your Safe@Office appliance.
Figure 1: Safe@Office 500 SBX-166LHGE-2 Appliance Rear Panel Items
Figure 2: Safe@Office 500 SBX-166LHGE-4 Appliance Rear Panel Items
The following table lists the Safe@Office 500 appliance's rear panel elements.

Label | Description
RESET | A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button.
• Short press. Reboots the Safe@Office appliance
• Long press (7 seconds). Resets the Safe@Office appliance to its factory defaults, and resets your firmware to the version that shipped with the Safe@Office appliance.

Front Panel
The Safe@Office 500 appliance includes several status LEDs that enable you to monitor the appliance’s operation.
Figure 3: Safe@Office 500 Appliance Front Panel
For an explanation of the Safe@Office 500 appliance’s status LEDs, see the table below.
LED | State | Explanation
LINK/ACT | On, 100 On | 100 Mbps link established for the corresponding port
LNK/ACT | Flashing | Data is being transmitted/received
VPN | Flashing (Green) | VPN port in use
Serial | Flashing (Green) | Serial port in use

Getting to Know Your Safe@Office 500W Appliance

Rear Panel
All physical connections (network and power) to the Safe@Office appliance are made via the rear panel of your Safe@Office appliance.

Label | Description
RESET | A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button.
• Short press. Reboots the Safe@Office appliance
• Long press (7 seconds). Resets the Safe@Office appliance to its factory defaults, and resets your firmware to the version that shipped with the Safe@Office appliance.

Front Panel
The Safe@Office 500W appliance includes several status LEDs that enable you to monitor the appliance’s operation.
Figure 5: Safe@Office 500W Appliance Front Panel
For an explanation of the Safe@Office 500W appliance’s status LEDs, see the table below.
LED | State | Explanation
LINK/ACT | On, 100 On | 100 Mbps link established for the corresponding port
LNK/ACT | Flashing | Data is being transmitted/received
VPN | Flashing (Green) | VPN port in use
Serial | Flashing (Green) | Serial port in use
USB | Flashing (Green) | USB port in use
WLAN | Flashing (Green) | WLAN in use

Contacting Technical Support
If there is a problem with your Safe@Office appliance, see http://www.sofaware.com/support.
Chapter 2 Installing and Setting up the Safe@Office Appliance
This chapter describes how to properly set up and install your Safe@Office appliance in your networking environment.
This chapter includes the following topics:
• Before You Install the Safe@Office Appliance
• Wall Mounting the Appliance
• Securing the Appliance against Theft
Before You Install the Safe@Office Appliance

Windows 2000/XP
Note: While Windows XP has an "Internet Connection Firewall" option, it is recommended to disable it if you are using a Safe@Office appliance, since the Safe@Office appliance offers better protection.

Checking the TCP/IP Installation
2. Click Start > Settings > Control Panel.
The Control Panel window appears.
3. Double-click the Network and Dial-up Connections icon.
The Network and Dial-up Connections window appears.
4. Right-click the opens.
The Local Area Connection Properties window appears.
5. In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.

Installing TCP/IP Protocol
1. In the Local Area Connection Properties window, click Install….
The Select Network Component Type window appears.
2. Choose Protocol and click Add.
The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK.
TCP/IP protocol is installed on your computer.

TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties.
The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.
Windows 98/Millennium

Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel.
The Control Panel window appears.
2. Double-click the icon.
The Network window appears.
3. In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer.

Installing TCP/IP Protocol
Note: If TCP/IP is already installed and configured on your computer, skip this section and move directly to TCP/IP Settings.
1. In the Network window, click Add.
The Select Network Component Type window appears.
2. Choose Protocol and click Add.
The Select Network Protocol window appears.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list choose TCP/IP.
4. Click OK.
If Windows asks for original Windows installation files, provide the installation CD and relevant path when required (e.g. D:\win98).
5. Restart your computer if prompted.

TCP/IP Settings
Note: If you are connecting your Safe@Office appliance to an existing LAN, consult your network manager for the correct configurations.
1. In the Network window, double-click the TCP/IP service for the Ethernet card which has been installed on your computer (e.g. ).
The TCP/IP Properties window opens.
2. Click the Gateway tab, and remove any installed gateways.
3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings.
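The static-address note above gives a fixed address range and subnet mask. The following Python check is an added example, not part of the original guide: it validates a planned list of static assignments against those two values and also flags malformed and duplicate addresses. The hostnames and the sample plan are constructed for illustration.

```python
import ipaddress

# Range and mask as stated in the note above.
STATIC_FIRST = ipaddress.IPv4Address("192.168.10.129")
STATIC_LAST = ipaddress.IPv4Address("192.168.10.254")
REQUIRED_MASK = ipaddress.IPv4Address("255.255.255.0")

# Constructed sample plan: (hostname, address, subnet mask).
# All hostnames are hypothetical.
SAMPLE_PLAN = [
    ("frontdesk-pc", "192.168.10.130", "255.255.255.0"),   # valid
    ("printer-pc", "192.168.10.50", "255.255.255.0"),      # below the range
    ("lab-pc", "192.168.10.200", "255.255.0.0"),           # wrong mask
    ("spare-pc", "192.168.10.130", "255.255.255.0"),       # duplicate address
    ("kiosk", "192.168.10.255", "255.255.255.0"),          # above the range
    ("typo-pc", "192.168.10.3000", "255.255.255.0"),       # not an IPv4 address
]


def check_static_plan(plan):
    """Return a list of (hostname, finding) tuples for a static-IP plan.

    An empty list means every entry is inside the documented range,
    uses the documented mask, and no address is assigned twice.
    """
    findings = []
    first_owner = {}  # address -> first hostname that claimed it
    for host, addr_text, mask_text in plan:
        try:
            addr = ipaddress.IPv4Address(addr_text)
            mask = ipaddress.IPv4Address(mask_text)
        except ipaddress.AddressValueError:
            findings.append((host, "invalid-address"))
            continue
        if not (STATIC_FIRST <= addr <= STATIC_LAST):
            findings.append((host, "outside-static-range"))
        if mask != REQUIRED_MASK:
            findings.append((host, "wrong-subnet-mask"))
        if addr in first_owner:
            findings.append((host, "duplicate-of-" + first_owner[addr]))
        else:
            first_owner[addr] = host
    return findings


if __name__ == "__main__":
    for host, finding in check_static_plan(SAMPLE_PLAN):
        print(f"{host}: {finding}")
```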
1. Choose Apple Menus -> Control Panels -> TCP/IP.
The TCP/IP window appears.
2. Click the Connect via drop-down list, and select Ethernet.
3. Click the Configure drop-down list, and select Using DHCP Server.
4. Close the window and save the setup.

Mac OS-X
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple -> System Preferences.
The System Preferences window appears.
2. Click Network.
The Network window appears.
3. Click Configure.
TCP/IP configuration fields appear.
4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.

Wall Mounting the Appliance
If desired, you can mount your Safe@Office 500W appliance on the wall.
To mount the Safe@Office appliance on the wall
1. Decide where you want to mount your Safe@Office appliance.
2. Decide on the mounting orientation.
You can mount the appliance on the wall facing up, down, left, or right.
Note: Mounting the appliance facing downwards is not recommended, as dust might accumulate in unused ports.
3. Mark two drill holes on the wall, in accordance with the following sketch:
4. Drill two 3.5 mm diameter holes, approximately 25 mm deep.
5. Insert two plastic conical anchors into the holes.
Note: The conical anchors you received with your Safe@Office appliance are suitable for concrete walls.
7. Align the holes on the Safe@Office appliance's underside with the screws on the wall, then push the appliance in and down.
Your Safe@Office appliance is wall mounted. You can now connect it to your computer. See Network Installation on page 37.

Securing the Appliance against Theft
The Safe@Office 500W features a security slot to the rear of the right panel, which enables you to secure your appliance against theft, using an anti-theft security device.
While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below:
Figure 7: Looped Security Cable Bolt
The bolt has two states, Open and Closed, and is used to connect the looped security cable to the appliance's security slot.
To install an anti-theft device on the Safe@Office appliance
1.
4. Insert the bolt into the Safe@Office appliance's security slot, then slide the bolt to the Closed position until the bolt’s holes are aligned.
5. Thread the anti-theft device's pin through the bolt’s holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device.
Network Installation
1. Verify that you have the correct cable type. For information, see Network Requirements.
2. Connect the LAN cable:
• Connect one end of the Ethernet cable to one of the LAN ports at the back of the unit.
• Connect the other end to PCs, hubs, or other network devices.
3. Connect the WAN cable:
• Connect one end of the Ethernet cable to the WAN port at the back of the unit.
• Connect the other end of the cable to a Cable Modem, xDSL modem or office network.
4.
6. In wireless models, prepare the Safe@Office appliance for a wireless connection:
a. Connect the antennas that came with your Safe@Office appliance to the ANT1 and ANT2 antenna connectors in the appliance's rear panel.
b. Bend the antennas at the hinges, so that they point upwards.
7. In models with a print server, you can connect network printers as follows:
a. Connect one end of a USB cable to a USB port at the back of the unit.

Setting Up the Safe@Office Appliance
Logging on to the Safe@Office Portal and setting up your password | Initial Login to the Safe@Office Portal on page 41
Configuring an Internet connection | Using the Internet Wizard on page 56
Setting the Time on your Safe@Office appliance | Setting the Time on the Appliance on page 401
Setting up a wireless network (500W only) | Configuring a Wireless Network on page 163
Installing the Product Key | Upgrading Your Software Product on page 383
Registering your Safe@Office ap

To access the Setup Wizard
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Safe@Office Setup Wizard.
The Safe@Office Setup Wizard opens with the Welcome page displayed.
Chapter 3 Getting Started
This chapter contains all the information you need in order to get started using your Safe@Office appliance.
This chapter includes the following topics:
• Initial Login to the Safe@Office Portal
• Logging on to the Safe@Office Portal
• Accessing the Safe@Office Portal Remotely Using HTTPS

Initial Login to the Safe@Office Portal
The initial login page appears.
2. Type a password both in the Password and the Confirm Password fields.
Note: The password must be five to 25 characters (letters or numbers).
Note: You can change your password at any time. For further information, see Changing Your Password.
3. Click OK.
The Safe@Office Setup Wizard opens, with the Welcome page displayed.
4. Configure your Internet connection using one of the following ways:
• Internet Wizard
The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step. For information on using the Internet Wizard, see Using the Internet Wizard on page 56.
Logging on to the Safe@Office Portal
Note: By default, HTTP and HTTPS access to the Safe@Office Portal is not allowed from the WLAN, unless you do one of the following:
• Configure a specific firewall rule to allow access from the WLAN. See Using Rules on page 211.
Or
• Enable HTTPS access from the Internet. See Configuring HTTPS on page 394.
To log on to the Safe@Office Portal
1. Do one of the following:
• Browse to http://my.firewall.
The login page appears.
2. Type your username and password.
3. Click OK.
The Welcome page appears.

Accessing the Safe@Office Portal Remotely Using HTTPS
You can access the Safe@Office Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to transfer confidential user information. If desired, you can also use HTTPS to access the Safe@Office Portal from your internal network.
Note: Your browser must support 128-bit cipher strength. To check your browser's cipher strength, open Internet Explorer and click Help > About Internet Explorer.
To access the Safe@Office Portal from your internal network
• Browse to https://my.firewall.
(Note that the URL starts with “https”, not “http”.)
The Safe@Office Portal appears.
To access the Safe@Office Portal from the Internet
• Browse to https://:981.
The Security Alert dialog box reappears.
h. Click Yes.
The Safe@Office Portal appears.

Using the Safe@Office Portal
The Safe@Office Portal is a Web-based management interface, which enables you to manage and configure the Safe@Office appliance operation and options.
The Safe@Office Portal consists of three major elements.

Table 5: Safe@Office Portal Elements
Element | Description
Main menu | Used for navigating between the various topics (such as Reports, Security, and Setup).

Figure 9: Safe@Office Portal Main Menu
The main menu includes the following submenus.

Table 6: Main Menu Submenus
This submenu… | Does this…
Welcome | Displays general welcome information.
Reports | Provides reporting capabilities in terms of event logging, traffic monitoring, active computers, and established connections.
Security | Provides controls and options for setting the security of any computer in the network.
Network | Allows you to manage and configure your network settings and Internet connections.
Setup | Provides a set of tools for managing your Safe@Office appliance. Allows you to upgrade your license and firmware and to configure HTTPS access to your Safe@Office appliance.
Users | Allows you to manage Safe@Office appliance users.
VPN | Allows you to manage, configure, and log on to VPN sites.
Help | Provides context-sensitive help.
Table 7: Status Bar Fields
This field… | Displays this…
Internet | Your Internet connection status. The connection status may be one of the following:
• Connected. The Safe@Office appliance is connected to the Internet.
• Connected – Probing OK. Connection probing is enabled and has detected that the Internet connectivity is OK.
• Connected – Probing Failed. Connection probing is enabled and has detected problems with the Internet connectivity.
• Not Connected.
Service Center | Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following:
• Not Subscribed. You are not subscribed to security services.
• Connection Failed. The Safe@Office appliance failed to connect to the Service Center.
Logging off
Logging off terminates your administration session. Any subsequent attempt to connect to the Safe@Office Portal will require re-entering of the administration password.
To log off of the Safe@Office Portal
• Do one of the following:
  • If you are connected through HTTP, click Logout in the main menu.
    The Logout page appears.
  • If you are connected through HTTPS, the Logout option does not appear in the main menu. Close the browser window.
Chapter 4 Configuring the Internet Connection
This chapter describes how to configure and work with a Safe@Office Internet connection.
This chapter includes the following topics:
• Overview
• Using the Internet Wizard
• Using Internet Setup
• Enable Traffic Shaper for traffic flowing through the connection. For information on Traffic Shaper, see Using Traffic Shaper on page 153.
• Configure a dialup Internet connection. Before configuring the connection, you must first set up the modem. For information, see Setting Up a Dialup Modem on page 86.
Using the Internet Wizard
The Internet Wizard opens with the Welcome page displayed.
3. Click Next.
The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the Internet.
Note: If you selected PPTP or PPPoE dialer, do not use your dial-up software to connect to the Internet.
5. Click Next.

Using a Direct LAN Connection
No further settings are required for a direct LAN (Local Area Network) connection. The Confirmation screen appears.
1. Click Next.
The system attempts to connect to the Internet via the selected connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
2. Click Finish.
Using a Cable Modem Connection
If you selected the Cable Modem connection method, the Identification dialog box appears.
1. If your ISP requires a specific hostname for authentication, type it in the Host Name field.
The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.
2. A MAC address is a 12-digit identifier assigned to every network device.
3. Click Next.
The Confirmation screen appears.
4. Click Next.
The system attempts to connect to the Internet.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
5. Click Finish.

Using a PPTP or PPPoE Dialer Connection
If you selected the PPTP or PPPoE dialer connection method, the DSL Connection Type dialog box appears.
1. Select the connection method used by your DSL provider.
Note: Most xDSL providers use PPPoE.
Using PPPoE
If you selected the PPPoE connection method, the DSL Configuration dialog box appears.
1. Complete the fields using the information in the table below.
2. Click Next.
The Confirmation screen appears.
3. Click Next.
The system attempts to connect to the Internet via the DSL connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
4. Click Finish.

Table 8: PPPoE Connection Fields
In this field… | Do this…
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password again.
Service | Type your service name. This field can be left blank.

Using PPTP
If you selected the PPTP connection method, the DSL Configuration dialog box appears.
1. Complete the fields using the information in the table below.
2. Click Next.
The Confirmation screen appears.
3. Click Next.
The system attempts to connect to the Internet via the DSL connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
4. Click Finish.

Table 9: PPTP Connection Fields
In this field… | Do this…
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password again.
Service | Type your service name.
Server IP | Type the IP address of the PPTP modem.
Using Internet Setup
Internet Setup allows you to manually configure your Internet connection.
To configure the Internet connection using Internet Setup
1. Click Network in the main menu, and click the Internet tab.
2. Next to the desired Internet connection, click Edit.
The Internet Setup page appears.
3. From the Connection Type drop-down list, select the Internet connection type you are using/intend to use.
The display changes according to the connection type you selected.
The following steps should be performed in accordance with the connection type you have chosen.
Using a LAN Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 79.
New fields appear, depending on the check boxes you selected.
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds.
Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Cable Modem Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 79.
New fields appear, depending on the check boxes you selected.
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds.
Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using Internet Setup Using a PPPoE Connection 1. Complete the fields using the relevant information in Internet Setup Fields on page 79.
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a PPTP Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 79. New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a Telstra (BPA) Connection
Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited.
1. Complete the fields using the relevant information in Internet Setup Fields on page 79. New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using a Dialup Connection
To use this connection type, you must first set up the dialup modem. For information, see Setting Up a Dialup Modem on page 86.
1. Complete the fields using the relevant information in Internet Setup Fields on page 79. New fields appear, depending on the check boxes you selected.
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Using No Connection
If you do not have an Internet connection, set the connection type to None.
• Click Apply.
Table 10: Internet Setup Fields
In this field… | Do this…
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password.
Service | Type your service name. If your ISP has not provided you with a service name, leave this field empty.
Server IP | If you selected PPTP, type the IP address of the PPTP server as given by your ISP.
Connect on demand | Select this option if you do not want the dialup modem to be constantly connected to the Internet. The modem will dial a connection only under certain conditions. This option is useful when configuring a dialup backup connection. For information, see Setting Up a Dialup Backup Connection on page 94.
Default Gateway | Type the IP address of your ISP’s default gateway.
Name Servers
Obtain Domain Name Servers automatically | Clear this option if you want the Safe@Office appliance to obtain an IP address automatically using DHCP, but not to automatically configure DNS servers.
Shape Downstream: Link Rate | Select this option to enable Traffic Shaper for incoming traffic. Then type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured downstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results.
MAC Cloning | A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, you must select this option to clone a MAC address. Note: When configuring MAC cloning for the secondary Internet connection, the DMZ/WAN2 port must be configured as WAN2; otherwise this field is disabled. For information on configuring ports, see Managing Ports on page 147.
Probe Next Hop | Select this option to automatically detect loss of connectivity to the default gateway. If you selected LAN, this is done by sending ARP requests to the default gateway. If you selected PPTP, PPPoE, or Dialup, this is done by sending PPP echo reply (LCP) messages to the PPP peer. By default, if the default gateway does not respond, the Internet connection is considered to be down.
Connection Probing Method | While the Probe Next Hop option checks the availability of the next hop router, which is usually at your ISP, connectivity to the next hop router does not always indicate that the Internet is accessible. For example, if there is a problem with a different router at the ISP, the next hop will be reachable, but the Internet might be inaccessible. Connection probing is a way to detect Internet failures that are more than one hop away.
1, 2, 3 | If you chose the Ping Addresses connection probing method, type the IP addresses or DNS names of the desired servers. If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways. You can clear a field by clicking Clear.
Setting Up a Dialup Modem
You can use a dialup modem as a primary or secondary Internet connection method.
The Ports page appears.
3. In the RS232 drop-down list, select Dialup.
4. Click Apply.
5. Next to the RS232 drop-down list, click Setup. The Dialup page appears.
6. Complete the fields using the information in the table below.
7. Click Apply.
8. To check that the values you entered are correct, click Test. The Dialup page displays a message indicating whether the test succeeded.
9. Configure a Dialup Internet connection using the information in Using Internet Setup on page 65.
Table 11: Dialup Fields
In this field… | Do this…
Modem Type | Select the modem type.
Dial Mode | Select the dial mode the modem uses.
Port Speed | Select the modem's port speed (in bits per second).
Viewing Internet Connection Information
You can view information on your Internet connection(s) in terms of status, duration, and activity.
To view Internet connection information
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
Table 12: Internet Page Fields
Field | Description
Status | Indicates the connection’s status.
Duration | Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh=hours, mm=minutes, ss=seconds
IP Address | Your IP address.
Enabled | Indicates whether or not the connection is enabled.
Enabling/Disabling the Internet Connection
To enable/disable an Internet connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Next to the Internet connection, do one of the following:
• To enable the connection, click The button changes to and the connection is enabled.
• To disable the connection, click The button changes to and the connection is disabled.
Using Quick Internet Connection/Disconnection
By clicking the Connect or Disconnect button (depending on the connection status) on the Internet page, you can establish a quick Internet connection using the currently-selected connection type. In the same manner, you can terminate the active connection. The Internet connection retains its Connected/Not Connected status until the Safe@Office appliance is rebooted.
Configuring a Backup Internet Connection
Setting Up a LAN or Broadband Backup Connection
Using the Safe@Office Appliance's WAN Port
To set up a LAN or broadband backup Internet connection
1. Connect a hub or switch to the WAN port on your appliance's rear panel.
2. Connect your two modems or routers to the hub/switch.
3. Configure two Internet connections. For instructions, see Using Internet Setup on page 65.
Important: The two connections can be of different types.
Setting Up a Dialup Backup Connection
If desired, you can use a dialup modem as the secondary Internet connection method. The Safe@Office appliance automatically dials the modem if the primary Internet connection fails.
To set up a dialup backup Internet connection
1. Set up a dialup modem. For instructions, see Setting Up a Dialup Modem on page 86.
2. Configure a LAN or broadband primary Internet connection. For instructions, see Using Internet Setup on page 65.
Chapter 5
Managing Your Network
This chapter describes how to manage and configure your network connection and settings.
This chapter includes the following topics:
• Configuring Network Settings (page 95)
• Configuring High Availability (page 121)
• Using Static Routes
Configuring Network Settings
Configuring a DHCP Server
By default, the Safe@Office appliance operates as a DHCP (Dynamic Host Configuration Protocol) server. This allows the Safe@Office appliance to automatically configure all the devices on your network with their network configuration details.
Note: The DHCP server only serves computers that are configured to obtain an IP address automatically.
Enabling/Disabling the Safe@Office DHCP Server
You can enable and disable the Safe@Office DHCP Server for internal networks.
Note: Enabling and disabling the DHCP Server is not available for the OfficeMode network.
To enable/disable the Safe@Office DHCP server
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. In the desired network's row, click Edit. The Edit Network Settings page appears.
3. From the DHCP Server list, select Enabled or Disabled.
4. Click Apply. A warning message appears.
5. Click OK. A success message appears.
6. If your computer is configured to obtain its IP address automatically (using DHCP), and either the Safe@Office DHCP server or another DHCP server is enabled, restart your computer. If you enabled the DHCP server, your computer obtains an IP address in the DHCP address range.
Configuring the DHCP Address Range
By default, the Safe@Office DHCP server automatically sets the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. If desired, you can set the Safe@Office DHCP range manually.
Note: Setting the DHCP range manually is not available for the OfficeMode network.
The DHCP IP range fields appear.
b. In the DHCP IP range fields, type the desired DHCP range.
4. To allow the DHCP server to set the IP address range, select the Automatic DHCP range check box.
5. Click Apply. A warning message appears.
6. Click OK. A success message appears.
7. If your computer is configured to obtain its IP address automatically (using DHCP), and either the Safe@Office DHCP server or another DHCP server is enabled, restart your computer.
Configuring DHCP Relay
You can configure DHCP relay for internal networks.
Note: DHCP relay will not work if the appliance is located behind a NAT device.
Note: Configuring DHCP options is not available for the OfficeMode network.
To configure DHCP relay
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. In the desired network's row, click Edit. The Edit Network Settings page appears.
3. In the DHCP Server list, select Relay. The Automatic DHCP range check box is disabled, and the Relay to IP field appears.
4. In the Relay to IP field, type the IP address of the desired DHCP server.
5. Click Apply. A warning message appears.
6. Click OK. A success message appears.
7. If your computer is configured to obtain its IP address automatically (using DHCP), and either the Safe@Office DHCP server or another DHCP server is enabled, restart your computer.
Configuring DHCP Server Options
If desired, you can configure the following custom DHCP options for an internal network:
• Domain suffix
• DNS servers
• WINS servers
• NTP servers
• VoIP call managers
• TFTP server and boot filename
Note: Configuring DHCP options is not available for the DMZ or VLANs.
To configure DHCP options
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. In the desired network's row, click Edit.
The DHCP Server Options page appears.
4. Complete the fields using the relevant information in the table below. New fields appear, depending on the check boxes you selected.
5. Click Apply.
6. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range.
Table 13: DHCP Server Options Fields
In this field… | Do this…
Domain Name | Type a default domain suffix that should be passed to DHCP clients.
Name Servers
Automatically assign DNS server (recommended) | Clear this option if you do not want the gateway to act as a DNS relay server and pass its own IP address to DHCP clients. Normally, it is recommended to leave this option selected. The DNS Server 1 and DNS Server 2 fields appear.
DNS Server 1, 2 | Type the IP addresses of the Primary and Secondary DNS servers to pass to DHCP clients instead of the gateway.
TFTP Server | Trivial File Transfer Protocol (TFTP) enables booting diskless computers over the network. To assign a TFTP server to the DHCP clients, type the IP address of the TFTP server.
TFTP Boot File | Type the boot file to use for booting DHCP clients via TFTP.
Changing IP Addresses
If desired, you can change your Safe@Office appliance’s internal IP address, or the entire range of IP addresses in your internal network.
Note: The internal network range is defined both by the Safe@Office appliance’s internal IP address and by the subnet mask. For example, if the Safe@Office appliance’s internal IP address is 192.168.100.7, and you set the subnet mask to 255.255.255.0, the network’s IP address range will be 192.168.100.1 – 192.168.100.254. The default internal network range is 192.168.10.*.
5. Click Apply. A warning message appears.
6. Click OK.
Enabling/Disabling Hide NAT
Hide Network Address Translation (Hide NAT) enables you to share a single public Internet IP address among several computers, by “hiding” the private IP addresses of the internal computers behind the Safe@Office appliance’s single Internet IP address.
Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default.
Note: Static NAT and Hide NAT can be used together.
Configuring a DMZ Network
In addition to the LAN network, you can define a second internal network called a DMZ (demilitarized zone) network. For information on default security policy rules controlling traffic to and from the DMZ, see Default Security Policy on page 205.
To configure a DMZ network
1. Connect the DMZ computer to the DMZ port.
3. In the DMZ drop-down list, select DMZ.
4. Click Apply.
5. Click Network in the main menu, and click the My Network tab. The My Network page appears.
6. In the DMZ network's row, click Edit. The Edit Network Settings page appears.
7. In the Mode drop-down list, select Enabled. The fields are enabled.
8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 109.
9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 96.
10.
Configuring the OfficeMode Network
By default, VPN Clients connect to the VPN Server using an Internet IP address locally assigned by an ISP. This may lead to the following problems:
• VPN Clients on the same network will be unable to communicate with each other via the Safe@Office Internal VPN Server. This is because their IP addresses are on the same subnet, and they therefore attempt to communicate directly over the local network, instead of through the secure VPN link.
4. In the IP Address field, type the IP address to use as the OfficeMode network's default gateway.
Note: The OfficeMode network must not overlap other networks.
5. In the Subnet Mask text box, type the OfficeMode internal network range.
6. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 109.
7. If desired, configure DHCP options. See Configuring DHCP Server Options on page 103.
8. Click Apply. A warning message appears.
9. Click OK.
you can easily transfer a member of one division to another division without rewiring your network, by simply reassigning them to the desired VLAN.
The Safe@Office appliance supports the following VLAN types:
• Tag-based
In tag-based VLAN you use one of the gateway’s ports as an 802.1Q VLAN trunk, connecting the appliance to a VLAN-aware switch. Each VLAN behind the trunk is assigned an identifying number called a “VLAN ID”, also referred to as a "VLAN tag".
• Port-based
Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN.
Figure 11: Port-based VLAN
Port-based VLAN does not require an external VLAN-capable switch, and is therefore simpler to use than tag-based VLAN.
Adding and Editing Port-Based VLANs
To add or edit a port-based VLAN
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. Do one of the following:
• To add a VLAN site, click Add VLAN.
• To edit a VLAN site, click Edit in the desired VLAN’s row.
The Edit Network Settings page for VLAN networks appears.
3. In the Network Name field, type a name for the VLAN.
4. In the Type drop-down list, select Port Based VLAN.
5. In the IP Address field, type the IP address of the VLAN network's default gateway.
Note: The VLAN network must not overlap other networks.
6. In the Subnet Mask field, type the VLAN's internal network range.
7. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 109.
8. If desired, configure a DHCP server. See Configuring a DHCP Server on page 96.
9. Click Apply. A warning message appears.
10. Click OK. A success message appears.
11.
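The range rule from the Changing IP Addresses note and the "must not overlap other networks" requirement for OfficeMode and VLAN networks can be checked on paper before typing values into the appliance. The following Python sketch is an added example, not part of the guide or the appliance software; the function names and the sample address plan (apart from the guide's 192.168.100.7 example and the 192.168.10.* default) are constructed for illustration.

```python
import ipaddress


def internal_network(gateway_ip, subnet_mask):
    """Return the network defined by a gateway IP address and subnet mask.

    Raises ValueError for a malformed mask, a network too small to hold
    hosts, or a gateway address equal to the network/broadcast address.
    """
    iface = ipaddress.ip_interface(f"{gateway_ip}/{subnet_mask}")
    net = iface.network
    if net.prefixlen >= 31:
        raise ValueError(f"{net} leaves no room for a gateway plus hosts")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    return net


def host_range(gateway_ip, subnet_mask):
    """First and last usable addresses of the internal network, as strings."""
    net = internal_network(gateway_ip, subnet_mask)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap.

    plan maps a network name to (gateway_ip, subnet_mask).
    """
    nets = {name: internal_network(ip, mask) for name, (ip, mask) in plan.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


# Constructed address plan. LAN uses the guide's default 192.168.10.* range;
# the other entries are made-up values for the demonstration.
SAMPLE_PLAN = {
    "LAN": ("192.168.10.1", "255.255.255.0"),
    "DMZ": ("192.168.253.1", "255.255.255.0"),
    "OfficeMode": ("192.168.254.1", "255.255.255.0"),
    # Deliberate mistake: this VLAN sits inside the upper half of the LAN range.
    "Guests": ("192.168.10.129", "255.255.255.128"),
}

if __name__ == "__main__":
    print(host_range("192.168.100.7", "255.255.255.0"))
    for a, b in find_overlaps(SAMPLE_PLAN):
        print(f"overlap: {a} and {b}")
```
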
Adding and Editing Tag-Based VLANs
To add or edit a tag-based VLAN
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. Do one of the following:
• To add a VLAN site, click Add VLAN.
• To edit a VLAN site, click Edit in the desired VLAN’s row.
The Edit Network Settings page for VLAN networks appears.
3. In the Network Name field, type a name for the VLAN.
4. In the Type drop-down list, select Tag Based VLAN.
10. Click Apply. A warning message appears.
11. Click OK. A success message appears.
12. Click Network in the main menu, and click the Ports tab. The Ports page appears.
13. In the DMZ/WAN2 drop-down list, select VLAN Trunk.
14. Click Apply. The DMZ/WAN2 port now operates as a VLAN Trunk port. In this mode, it will not accept untagged packets.
15. Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions.
Deleting VLANs
To delete a VLAN
1. If the VLAN is port-based, do the following:
a. Click Network in the main menu, and click the Ports tab. The Ports page appears.
b. Remove all port assignments to the VLAN, by selecting other networks in the drop-down lists.
c. Click Apply.
2. Click Network in the main menu, and click the My Network tab. The My Network page appears.
3. In the desired VLAN’s row, click the Erase icon. A confirmation message appears.
4. Click OK.
Configuring High Availability
You can create a High Availability (HA) cluster consisting of two or more Safe@Office appliances. For example, you can install two Safe@Office appliances on your network, one acting as the “Master”, the default gateway through which all network traffic is routed, and one acting as the “Backup”. If the Master fails, the Backup automatically and transparently takes over all the roles of the Master.
priority by a user-specified amount, if its Internet connection goes down. If the Active Gateway's priority drops below another gateway's priority, then the other gateway becomes the Active Gateway.
Note: You can force a fail-over to a passive Safe@Office appliance. You may want to do this in order to verify that HA is working properly, or if the active Safe@Office appliance needs repairs. To force a fail-over, switch off the primary box or disconnect it from the LAN network.
• You must have at least two identical Safe@Office appliances.
• The appliances must have identical firmware versions and firewall rules.
• The appliances' internal networks must be the same.
• The appliances must have different real internal IP addresses, but share the same virtual IP address.
• The appliances' synchronization interface ports must be connected either directly, or via a hub or a switch.
Configuring High Availability on a Gateway
The following procedure explains how to configure HA on a single gateway. You must perform this procedure on each Safe@Office appliance that you want to include in the HA cluster.
To configure HA on a Safe@Office appliance
1. Set the appliance’s internal IP addresses and network range. Each appliance must have a different internal IP address. See Changing IP Addresses on page 107.
2.
The fields are enabled.
4. Next to each network for which you want to enable HA, select the HA check box.
5. In the Virtual IP field, type the default gateway IP address. This can be any unused IP address in the network, and must be the same for all gateways.
6. Click the Synchronization radio button next to the network you want to use as the synchronization interface. You can choose any network listed except the WLAN.
Note: The synchronization interface must be the same for all gateways, and must always be connected and enabled on all gateways. Otherwise, multiple appliances may become active, causing unpredictable problems.
7. Complete the fields using the information in the table below.
8. Click Apply. A success message appears.
9. If desired, configure WAN HA for both the primary and secondary Internet connection. This setting should be the same for all gateways.
In this field… | Do this…
Internet - Secondary | Type the amount to reduce the gateway's priority if the secondary Internet connection goes down. This must be an integer between 0 and 255. Note: This value is only relevant if you configured a backup connection. For information on configuring a backup connection, see Configuring a Backup Internet Connection on page 92.
LAN1/2/3/4 | Type the amount to reduce the gateway's priority if the LAN port's Ethernet link is lost.
Sample Implementation on Two Gateways
The following procedure illustrates how to configure HA for the following two Safe@Office gateways, Gateway A and Gateway B:
Table 15: Gateway Details
 | Gateway A | Gateway B
Internal Networks | LAN, DMZ | LAN, DMZ
Internet Connections | Primary and secondary | Primary only
LAN Network IP Address | 192.169.100.1 | 192.169.100.2
LAN Network | 255.255.255.0 | 255.255.255.0
DMZ Network IP Address | 192.169.101.1 | 192.169.101.2
DMZ Network | 255.
2. Connect the DMZ port of Gateways A and B to hub 2.
3. Connect the LAN network computers of Gateways A and B to hub 1.
4. Connect the DMZ network computers of Gateways A and B to hub 2.
5. Do the following on Gateway A:
a. Set the gateway's internal IP addresses and network range to the values specified in the table above. See Changing IP Addresses on page 107.
b. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears.
c.
Gateway A will reduce its priority by 30, if its secondary Internet connection goes down.
l. Click Apply. A success message appears.
6. Do the following on Gateway B:
a. Set the gateway's internal IP addresses and network range to the values specified in the table above. See Changing IP Addresses on page 107.
b. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears.
c. Select the Gateway High Availability check box.
Gateway A's priority is 100, and Gateway B's priority is 60. So long as one of Gateway A's Internet connections is up, Gateway A is the Active Gateway, because its priority is higher than that of Gateway B. If both of Gateway A's Internet connections are down, it deducts from its priority 20 (for the primary connection) and 30 (for the secondary connection), reducing its priority to 50.
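The priority arithmetic in this sample can be modelled to see which gateway ends up active under each failure. The Python sketch below is an added example and not the appliance's own logic: the class, function and interface names are hypothetical, the priorities and deductions are those given above, and the name-order tie-break between non-active gateways is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    priority: int                                     # configured priority
    deductions: dict = field(default_factory=dict)    # interface -> amount

    def __post_init__(self):
        # The guide requires each deduction to be an integer between 0 and 255.
        for iface, amount in self.deductions.items():
            if not (isinstance(amount, int) and 0 <= amount <= 255):
                raise ValueError(f"{self.name}/{iface}: deduction must be 0..255")


def effective_priority(gw, failed_ifaces):
    """Configured priority minus the deduction of every failed interface."""
    return gw.priority - sum(gw.deductions.get(i, 0) for i in set(failed_ifaces))


def elect_active(gateways, failed=None, offline=(), current=None):
    """Return (active_gateway_name, priorities) for one cluster state.

    failed  : gateway name -> iterable of interface names that are down
    offline : gateway names that are switched off or cut off from the LAN
    current : the gateway that was active before this evaluation
    """
    failed = failed or {}
    scores = {
        g.name: effective_priority(g, failed.get(g.name, ()))
        for g in gateways
        if g.name not in offline
    }
    if not scores:
        return None, scores
    # The active gateway keeps its role until its priority drops below
    # another gateway's priority, so an equal priority does not cause a switch.
    if current in scores and all(scores[current] >= s for s in scores.values()):
        return current, scores
    best = max(scores.values())
    # Assumption: ties between non-active gateways are resolved by name.
    return min(n for n, s in scores.items() if s == best), scores


def sample_cluster():
    """Gateways A and B with the values used in the sample implementation."""
    a = Gateway("A", 100, {"internet-primary": 20, "internet-secondary": 30})
    b = Gateway("B", 60)  # no deductions modelled for B in this sketch
    return [a, b]


if __name__ == "__main__":
    cluster = sample_cluster()
    both_down = {"A": ["internet-primary", "internet-secondary"]}
    print(elect_active(cluster, current="A"))
    print(elect_active(cluster, {"A": ["internet-primary"]}, current="A"))
    print(elect_active(cluster, both_down, current="A"))
    print(elect_active(cluster, offline={"A"}, current="A"))
```
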
Note: The Safe@Office appliance supports Proxy ARP (Address Resolution Protocol). When an external source attempts to communicate with such a computer, the Safe@Office appliance automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.
To add or edit a network object via the Network Objects page
7. Click Network in the main menu, and click the Network Objects tab. The Network Objects page appears with a list of network objects.
8. Do one of the following:
• To add a network object, click New.
• To edit an existing network object, click Edit next to the desired computer in the list.
The Safe@Office Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
9. Do one of the following:
• To specify that the network object should represent a single computer or device, click Single Computer.
• To specify that the network object should represent a network, click Network.
10. Click Next.