Configuring High Availability The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Perform Static NAT option. If you chose Network, the dialog box does not include this option. 11. Complete the fields using the information in the tables below. 12. Click Next.
Configuring High Availability The Step 3: Save dialog box appears. 13. Type a name for the network object in the field. 14. Click Finish. To add or edit a network object via the Active Computers page 1. Click Reports in the main menu, and click the Active Computers tab.
Configuring High Availability The Active Computers page appears. If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it. 2. Do one of the following: • To add a network object, click Add next to the desired computer. • To edit a network object, click Edit next to the desired computer.
Configuring High Availability • To specify that the network object should represent a network, click Network. 4. Click Next. The Step 2: Computer Details dialog box appears. The computer's IP address and MAC address are automatically filled in. 5. Complete the fields using the information in the tables below. 6. Click Next. The Step 3: Save dialog box appears with the network object's name. If you are adding a new network object, this name is the computer's name. 7.
Configuring High Availability Table 16: Network Object Fields for a Single Computer In this field… Do this… IP Address Type the IP address of the local computer, or click This Computer to specify your computer. Reserve a fixed IP Select this option to assign the network object's IP address to a MAC address for this address, and to allow the network object to connect to the WLAN computer when MAC Filtering is used. For information about MAC Filtering, see Configuring a Wireless Network on page 163.
Configuring High Availability Table 17: Network Object Fields for a Network In this field… Do this… IP Range Type the range of local computer IP addresses in the network. Perform Static NAT Select this option to map the network's IP address range to a range of (Network Address Internet IP addresses of the same size. Translation) External IP Range You must then fill in the External IP Range field. Type the Internet IP address range to which you want to map the network's IP address range.
Using Static Routes Using Static Routes A static route is a setting that explicitly specifies the route for packets originating in a certain subnet and/or destined for a certain subnet. Packets with a source and destination that does not match any defined static route will be routed to the default gateway. To modify the default gateway, see Using a LAN Connection on page 67.
Using Static Routes The Static Routes page appears, with a list of existing static routes. 2. Do one of the following: • To add a static route, click New Route. • To edit an existing static route, click Edit next to the desired route in the list.
Using Static Routes The Static Route Wizard opens displaying the Step 1: Source and Destination dialog box. 3. To select a specific source network (source routing), do the following: a) In the Source drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the source network.
Using Static Routes c) In the Netmask drop-down list, select the subnet mask. 4. To select a specific destination network, do the following: a) In the Destination drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the destination network. c) In the Netmask drop-down list, select the subnet mask. 5. Click Next.
Using Static Routes The Step 2: Next Hop and Metric dialog box appears. 6. In the Next Hop IP field, type the IP address of the gateway (next hop router) to which to route the packets destined for this network. 7. In the Metric field, type the static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowest metric. The default value is 10. 8. Click Next.
Using Static Routes The new static route is saved. Viewing and Deleting Static Routes Note: The “default” route cannot be deleted. To delete a static route 1. Click Network in the main menu, and click the Routes tab. The Static Routes page appears, with a list of existing static routes. 2. In the desired route row, click the Erase icon. A confirmation message appears. 3. Click OK. The route is deleted.
Managing Ports Managing Ports The Safe@Office appliance enables you to quickly and easily assign its ports to different uses, as shown in the table below. Furthermore, you can restrict each port to a specific link speed and duplex setting. Table 18: Ports and Assignments You can assign this port... To these uses...
Managing Ports Viewing Port Statuses You can view the status of the Safe@Office appliance's ports on the Ports page, including each Ethernet connection's duplex state. This is useful if you need to check whether the appliance's physical connections are working, and you can’t see the LEDs on front of the appliance. Note: In the Safe@Office 500 model SBX-166LHG-2, status information is only available for the WAN and DMZ ports, and not for LAN ports 1-4. To view port statuses 1.
Managing Ports • Assign To. The port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the drop-down list displays "DMZ". • Link Configuration. The configured link speed (10 Mbps or 100 Mbps) and duplex (Full Duplex or Half Duplex) configured for the port. Automatic Detection indicates that the port is configured to automatically detect the link speed and duplex. • Status. The detected link speed and duplex.
Managing Ports To assign a port See... WAN2 Setting Up a LAN or Broadband Backup Connection on page 93 DMZ Configuring a DMZ Network Console Using a Console on page 392 Modem Setting Up a Dialup Modem on page 86 to... To modify a port assignment 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. In the Assigned To drop-down list to the right of the port, select the desired port assignment. 2. Click Apply.
Managing Ports Modifying Link Configurations By default, the Safe@Office automatically detects the link speed and duplex. If desired, you can manually restrict the Safe@Office appliance's ports to a specific link speed and duplex. Note: In the Safe@Office 500 model SBX-166LHG-2, restricting the link speed and duplex is available for the WAN and DMZ ports, and not for LAN ports 1-4. To modify a port's link configuration 1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
Managing Ports Resetting Ports to Defaults You can reset the Safe@Office appliance's ports to their default link configurations ("Automatic Detection") and default assignments (shown in the table below). Table 20: Default Port Assignments Port Default Assignment 1-4 LAN DMZ / WAN2 DMZ WAN This port is always assigned to the WAN. RS232 Modem To reset ports to defaults 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Click Default.
Overview Chapter 6 Using Traffic Shaper This chapter describes how to use Traffic Shaper to control the flow of communication to and from your network. This chapter includes the following topics: Overview ..................................................................................................153 Setting Up Traffic Shaper.........................................................................155 Predefined QoS Classes............................................................................
Overview bandwidth, and the FTP connection will receive 25% (10/40) of the leftover bandwidth. If the Web connection closes, the FTP connection will receive 100% of the bandwidth. Each class has a bandwidth limit, which is the maximum amount of bandwidth that connections belonging to that class may use together. Once a class has reached its bandwidth limit, connections belonging to that class will not be allocated further bandwidth, even if there is unused bandwidth available.
Setting Up Traffic Shaper Setting Up Traffic Shaper To set up Traffic Shaper 1. Enable Traffic Shaper for the Internet connection, using the procedure Using Internet Setup on page 65. You can enable Traffic Shaper for incoming or outgoing connections. • When enabling Traffic Shaper for outgoing traffic: Specify a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed.
Predefined QoS Classes 3. Use Allow or Allow and Forward rules to assign different types of connections to QoS classes. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class. See Adding and Editing Rules on page 215.
Adding and Editing Classes Class Weight Delay Sensitivity Useful for Important 20 Medium Normal traffic (Normal Traffic) Low Priority 5 Low Traffic that is not sensitive to long delays. For (Bulk Traffic) example, SMTP traffic (outgoing email). In Simplified Traffic Shaper, these classes cannot be changed. Adding and Editing Classes To add or edit a QoS class 1. Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. 2. Click Add.
Adding and Editing Classes The Safe@Office QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed. 3. Complete the fields using the relevant information in the table below. 4. Click Next. The Step 2 of 3: Advanced Options dialog box appears. 5. Complete the fields using the relevant information in the table below.
Adding and Editing Classes Note: Traffic Shaper may not enforce guaranteed rates and relative weights for incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary.
Adding and Editing Classes Table 22: QoS Class Fields In this field… Do this… Relative Weight Type a value indicating the class's importance relative to the other defined classes. For example, if you assign one class a weight of 100, and you assign another class a weight of 50, the first class will be allocated twice the amount of bandwidth as the second when the lines are congested.
Deleting Classes In this field… Do this… Incoming Traffic: Select this option to limit the rate of incoming traffic belonging to this Limit rate to class. Then type the maximum rate (in kilobits/second) in the field provided. DiffServ Code Select this option to mark packets belonging to this class with a DiffServ Point Code Point (DSCP), which is an integer between 0 and 63. Then type the DSCP in the field provided.
Restoring Traffic Shaper Defaults Restoring Traffic Shaper Defaults If desired, you can reset the Traffic Shaper bandwidth policy to use the four predefined classes, and restore these classes to their default settings. For information on these classes and their defaults, see Predefined QoS Classes on page 156. Note: This will delete any additional classes you defined in Traffic Shaper and reset all rules to use the Default class.
Overview Chapter 7 Configuring a Wireless Network This chapter describes how to set up a wireless internal network. This chapter includes the following topics: Overview ..................................................................................................163 About the Wireless Hardware in Your Safe@Office 500W Appliance ...164 Wireless Security Protocols......................................................................165 Manually Configuring a WLAN.........................................
About the Wireless Hardware in Your Safe@Office 500W Appliance About the Wireless Hardware in Your Safe@Office 500W Appliance Your Safe@Office 500W appliance features a built-in 802.11b/g access point that is tightly integrated with the firewall and hardware-accelerated VPN. Safe@Office 500W supports the latest 802.11g standard (up to 54Mbps) and is backwards compatible with the older 802.11b standard (up to 11Mbps), so that both new and old adapters of these standards are interoperable.
Wireless Security Protocols Wireless Security Protocols The Safe@Office wireless security appliance supports the following security protocols: Table 23: Wireless Security Protocols Security Description None No security method is used. This option is not recommended, because it Protocol allows unauthorized users to access your WLAN network, although you can still limit access from the WLAN by creating firewall rules. This method is suitable for creating public access points.
Wireless Security Protocols Security Description WPA: RADIUS The WPA (Wi-Fi Protected Access) security method uses MIC (message authentication, integrity check) to ensure the integrity of messages, and TKIP (Temporal Key encryption Integrity Protocol) to enhance data encryption. Protocol Furthermore, WPA includes 802.1x and EAP authentication, based on a central RADIUS authentication server.
Manually Configuring a WLAN Note: For increased security, it is recommended to enable the Safe@Office internal VPN Server for users connecting from your internal networks, and to install SecuRemote on each computer in the WLAN. This ensures that all connections from the WLAN to the LAN are encrypted and authenticated. For information, see Internal VPN Server on page 308 and Setting Up Your Safe@Office Appliance as a VPN Server on page 309.
Manually Configuring a WLAN The Edit Network Settings page appears. 5. In the Mode drop-down list, select Enabled. The fields are enabled. 6. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 109. 7. If desired, configure a DHCP server. See Configuring a DHCP Server on page 96.
Manually Configuring a WLAN 8. Complete the fields using the information in Basic WLAN Settings Fields on page 170. 9. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced WLAN Settings Fields on page 174. New fields appear. 10. Click Apply. A warning message appears, telling you that you are about to change your network settings.
Manually Configuring a WLAN 11. Click OK. A success message appears. 12. Prepare the wireless stations. See Preparing the Wireless Stations on page 184. Table 24: WLAN Settings Fields In this field… Do this… IP Address Type the IP address of the WLAN network's default gateway. Note: The WLAN network must not overlap other networks. Subnet Mask Type the WLAN’s internal network range. Wireless Settings Network Name Type the network name (SSID) that identifies your wireless network.
Manually Configuring a WLAN In this field… Do this… Operation Mode Select an operation mode: • 802.11b (11Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect. • 802.11g (54 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 54 Mbps. When using this mode, only 802.11g stations will be able to connect. • 802.11b/g (11/54 Mbps). Operates in the 2.
Manually Configuring a WLAN In this field… Do this… Channel Select the radio frequency to use for the wireless connection: • Automatic. The Safe@Office appliance automatically selects a channel. This is the default. • A specific channel. The list of channels is dependent on the selected country and operation mode. Note: If there is another wireless network in the vicinity, the two networks may interfere with one another.
Manually Configuring a WLAN In this field… Do this… Require WPA2 Specify whether you want to require wireless stations to connect using (802.11i) WPA2, by selecting one of the following: WEP Keys • Enable. Only wireless stations using WPA2 can access the WLAN network. • Disable. Wireless stations using either WPA or WPA2 can access the WLAN network. This is the default. If you selected WEP encryption, you must configure at least one WEP key.
Manually Configuring a WLAN In this field… Do this… Key 1, 2, 3, 4 text Type the WEP key, or click Random to randomly generate a key matching box the selected length. The key is composed of hexadecimal characters 0-9 and A-F, and is not case-sensitive. Table 25: Advanced WLAN Settings Fields In this field… Do this… Advanced Security Hide the Network Specify whether you want to hide your network's SSID, by selecting one of Name (SSID) the following: • Yes. Hide the SSID.
Manually Configuring a WLAN In this field… Do this… MAC Address Specify whether you want to enable MAC address filtering, by selecting one Filtering of the following: • Yes. Enable MAC address filtering. Only MAC addresses that you added as network objects can connect to your network. For information on network objects, see Using Network Objects on page 131. • No. Disable MAC address filtering. This is the default.
Manually Configuring a WLAN In this field… Do this… Antenna Selection Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them. Safe@Office appliances avoid the problems of multipath distortion by using an antenna diversity system.
Manually Configuring a WLAN In this field… Do this… RTS Threshold Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet. If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, thereby causing data collisions and failures. RTS ensures that the channel is clear before the each packet is sent.
Using the Wireless Configuration Wizard Using the Wireless Configuration Wizard The Wireless Configuration Wizard provides a quick and simple way of setting up your basic WLAN parameters for the first time. To configure a WLAN using the Wireless Configuration Wizard 1. Prepare the appliance for a wireless connection as described in Network Installation on page 37. 2. Click Network in the main menu, and click the My Network tab. The My Network page appears. 3. In the WLAN network's row, click Edit.
Using the Wireless Configuration Wizard The fields are enabled. 6. Complete the fields using the information in Basic WLAN Settings Fields on page 170. 7. Click Next. 8. The Wireless Security dialog box appears. 9. Do one of the following: • Click WPA-PSK to use the WPA-PSK security mode. WPA-PSK periodically changes and authenticates encryption keys.
Using the Wireless Configuration Wizard • Click No Security to use no security to create a public, unsecured access point. Note: You cannot configure WPA and 802.1x using this wizard. For information on configuring these modes, see Manually Configuring a WLAN on page 167. 10. Click Next. WPA-PSK If you chose WPA-PSK, the Wireless Configuration-WPA-PSK dialog box appears. Do the following: 1.
Using the Wireless Configuration Wizard The Wireless Security Confirmation dialog box appears. 3. Click Next. 4. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations.
Using the Wireless Configuration Wizard See Preparing the Wireless Stations on page 184. WEP If you chose WEP, the Wireless Configuration-WEP dialog box appears. Do the following: 1. Choose a WEP key length. The possible key lengths are: • 64 Bits - The key length is 10 hexadecimal characters. • 128 Bits - The key length is 26 hexadecimal characters. • 152 Bits - The key length is 32 hexadecimal characters. Some wireless card vendors call these lengths 40/104/128, respectively.
Using the Wireless Configuration Wizard 3. Click Next. The Wireless Security Confirmation dialog box appears. 4. Click Next. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. See Preparing the Wireless Stations on page 184. No Security The Wireless Security Complete dialog box appears. • Click Finish. The wizard closes.
Preparing the Wireless Stations Preparing the Wireless Stations After you have configured a WLAN, the wireless stations must be prepared for connection to the WLAN. To prepare the wireless stations 1. If you selected the WEP security mode, give the WEP key to the wireless stations' administrators. 2. If you selected the WPA-PSK security mode, give the passphrase to the wireless stations' administrator. 3.
Troubleshooting Wireless Connectivity Troubleshooting Wireless Connectivity I cannot connect to the WLAN from a wireless station. What should I do? • Check that the SSID configured on the station matches the Safe@Office appliance's SSID. The SSID is case-sensitive. • Check that the encryption settings configured on the station (encryption mode and keys) match the Safe@Office appliance's encryption settings.
Troubleshooting Wireless Connectivity • Check the Transmission Power parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 167). • Make sure that you are not using two access points in close proximity and on the same frequency. For minimum interference, channel separation between nearby access points must be at least 25 MHz (5 channels). • The Safe@Office appliance supports XR (Extended Range) technology.
Troubleshooting Wireless Connectivity In addition, try setting the Fragmentation Threshold parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 167) to a lower value. This will cause stations to fragment IP packets of a certain size into smaller packets, thereby reducing the likeliness of collisions and increasing network speed. Note: Reducing the RTS Threshold and the Fragmentation Threshold too much can have a negative impact on performance.
Viewing the Event Log Chapter 8 Viewing Reports This chapter describes the Safe@Office Portal reports. This chapter includes the following topics: Viewing the Event Log.............................................................................189 Using the Traffic Monitor ........................................................................193 Viewing Computers..................................................................................196 Viewing Connections ....................................
Viewing the Event Log An event marked in Indicates… Green Traffic accepted by the firewall. this color… By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules. You can create firewall rules specifying that certain types of connections should be logged, whether the connections are incoming or outgoing, blocked or accepted. For information, see Using Rules on page 211.
Viewing the Event Log To view the event log 1. Click Reports in the main menu, and click the Event Log tab. The Event Log page appears. 2. If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker’s details, by clicking on the IP address of the attacking machine. The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.
Viewing the Event Log A standard File Download dialog box appears. b. Click Save. The Save As dialog box appears. c. Browse to a destination directory of your choice. d. Type a name for the configuration file and click Save. The *.xls file is created and saved to the specified directory. 5. To clear all displayed events: a. Click Clear. A confirmation message appears. b. Click OK. All events are cleared.
Using the Traffic Monitor Using the Traffic Monitor You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine tune Traffic Shaper QoS class assignments. The Traffic Monitor displays separate bar charts for incoming traffic and outgoing traffic, and displays traffic rates in kilobits/second.
Using the Traffic Monitor The Traffic Monitor page appears. 2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report. The list includes all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list. If Traffic Shaper is enabled, the list also includes the defined QoS classes. Choose All QoS Classes to display a report including all QoS classes.
Using the Traffic Monitor Configuring Traffic Monitor Settings You can configure the interval at which the Safe@Office appliance should collect traffic data for network traffic reports. To configure Traffic Monitor settings 1. Click Reports in the main menu, and click the Traffic Monitor tab. The Traffic Monitor page appears. 2. Click Settings. The Traffic Monitor Settings page appears. 3.
Viewing Computers Exporting General Traffic Reports You can export a general traffic report that includes information for all enabled networks and all defined QoS classes to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel. To export a general traffic report 1. Click Reports in the main menu, and click the Traffic Monitor tab. The Traffic Monitor page appears. 2. Click Export. A standard File Download dialog box appears. 3. Click Save.
Viewing Computers The Active Computers page appears. If you configured High Availability, both the master and backup appliances are shown. If you configured OfficeMode, the OfficeMode network is shown. If you are using Safe@Office 500W, the wireless stations are shown. For information on viewing statistics for these computers, see Viewing Wireless Statistics on page 200.
Viewing Computers • Authenticated. The computer is logged on to My HotSpot. • Not Authenticated. The computer is not logged on to My HotSpot. • Excluded from HotSpot. The computer is in an IP address range excluded from HotSpot enforcement. To enforce HotSpot, you must edit the network object. See Adding and Editing Network Objects on page 132. Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall.
Viewing Connections Viewing Connections This option allows you to view the currently active connections between your network and the external world. To view the active connections 1. Click Reports in the main menu, and click the Active Connections tab. The Active Connections page appears. The page displays the information in the table below. 2. To refresh the display, click Refresh. 3. To view information on the destination machine, click its IP address.
Viewing Wireless Statistics 4. To view information about a port, click the port. A window opens displaying information about the port. Table 28: Active Connections Fields This field… Displays… Protocol The protocol used (TCP, UDP, etc.
Viewing Wireless Statistics The Wireless page appears. The page displays the information in the table below. 2. To refresh the display, click Refresh.
Viewing Wireless Statistics This field… Displays… Security The security mode used by the WLAN Connected The number of wireless stations currently connected to the WLAN Stations Frames OK The total number of frames that were successfully transmitted and received Errors The total number of transmitted and received frames for which an error occurred Discarded/ The total number of discarded or dropped frames transmitted and received Dropped Frames Unicast Frames The number of unicast frames transm
Viewing Wireless Statistics 3. To refresh the display, click Refresh.
Viewing Wireless Statistics This field… Displays… Cipher The security protocol used for the connection with the wireless client. For more information, see Wireless Security Protocols on page 165.
Default Security Policy Chapter 9 Setting Your Security Policy This chapter describes how to set up your Safe@Office appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. For information on subscribing to services, see Using Subscription Services on page 283. This chapter includes the following topics: Default Security Policy.............................................................................
Setting the Firewall Security Level • Access is blocked from the WAN (Internet) to all internal networks (LAN, DMZ, WLAN, VLANs, and OfficeMode). • Access is allowed from the internal networks to the WAN, according to the firewall security level (Low/Medium/High). • Access is allowed from the LAN network to the other internal networks (DMZ, WLAN, VLANs, and OfficeMode). • Access is blocked from the DMZ, WLAN, VLAN, and OfficeMode networks to the other internal networks, (including between different VLANs).
Setting the Firewall Security Level Table 31: Firewall Security Levels This Does this… Further Details Enforces basic control on All inbound traffic is blocked to the external incoming connections, Safe@Office appliance IP address, except for while permitting all ICMP echoes ("pings"). level… Low outgoing connections. All outbound connections are allowed. Medium Enforces strict control on All inbound traffic is blocked. all incoming connections, while permitting safe outgoing connections.
Setting the Firewall Security Level Note: The definitions of firewall security levels provided in this table represent the Safe@Office appliance’s default security policy. Security updates downloaded from a Service Center may alter this policy and change these definitions. To change the firewall security level 1. Click Security in the main menu, and click the Firewall tab. The Firewall page appears. 2. Drag the security lever to the desired level.
Configuring Servers Configuring Servers Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section. Using the Safe@Office Portal, you can selectively allow incoming network connections into your network. For example, you can set up your own Web server, Mail server or FTP server.
Configuring Servers 2. Complete the fields using the information in the table below. 3. Click Apply. A success message appears, and the selected computer is allowed to run the desired service or application. Table 32: Servers Page Fields In this Do this… Allow Select the desired service or application. VPN Only Select this option to allow only connections made through a VPN.
Using Rules Using Rules The Safe@Office appliance checks the protocol used, the ports range, and the destination IP address, when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy.
Using Rules For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the Rules table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
Using Rules Table 33: Firewall Rule Types Rule Description Allow and This rule type enables you to do the following: Forward • Permit incoming access from the Internet to a specific service in your internal network. • Forward all such connections to a specific computer in your network. • Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT). • Assign traffic to a QoS class.
Using Rules Rule Description Allow This rule type enables you to do the following: • Permit outgoing access from your internal network to a specific service on the Internet. Note: You can allow outgoing connections for services that are not permitted by the default security policy. • Permit incoming access from the Internet to a specific service in your internal network. • Assign traffic to a QoS class.
Using Rules Adding and Editing Rules To add or edit a rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click the Edit icon next to the desired rule.
Using Rules The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow rule. 5. Complete the fields using the relevant information in the table below.
Using Rules 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.
Using Rules Table 34: Firewall Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service. Standard Click this option to specify that the rule should apply to a specific standard Service service. You must then select the desired service from the drop-down list. Custom Service Click this option to specify that the rule should apply to a specific nonstandard service. The Protocol and Port Range fields are enabled. You must fill them in.
Using Rules In this field… Do this… Destination Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. This option is not available in Allow and Forward rules. To specify the Safe@Office IP address, select This Gateway. This option is not available in Allow and Forward rules.
Using Rules In this field… Do this… Redirect to port Select this option to redirect the connections to a specific port. You must then type the desired port in the field provided. This option is called Port Address Translation (PAT), and is only available when defining an Allow and Forward rule. Enabling/Disabling Rules You can temporarily disable a user-defined rule. To enable/disable a rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2.
Using Rules Changing Rules' Priority To change a rule's priority 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Do one of the following: • Click next to the desired rule, to move the rule up in the table. • Click next to the desired rule, to move the rule down in the table. The rule's priority changes accordingly. Deleting Rules To delete an existing rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2.
Using SmartDefense Using SmartDefense The Safe@Office appliance includes Check Point SmartDefense Services, based on Check Point Application Intelligence.
Using SmartDefense Configuring SmartDefense For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 226. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks.
Using SmartDefense To configure a SmartDefense node 1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. The left pane displays a tree containing SmartDefense categories. • To expand a category, click the icon next to it. • To collapse a category, click the icon next to it. 2. Expand the relevant category, and click on the desired node.
Using SmartDefense The right pane displays a description of the node, followed by fields. 3. To modify the node's current settings, do the following: a) Complete the fields using the relevant information in SmartDefense Categories on page 226. b) Click Apply. 4. To reset the node to its default values: a) Click Default. A confirmation message appears. b) Click OK. The fields are reset to their default values, and your changes are saved.
Using SmartDefense SmartDefense Categories SmartDefense includes the following categories: • Denial of Service on page 226 • IP and ICMP on page 231 • TCP on page 241 • Port Scan on page 244 • FTP on page 247 • Microsoft Networks on page 251 • IGMP on page 253 • Peer to Peer on page 254 • Instant Messengers on page 256 Denial of Service Denial of Service (DoS) attacks are aimed at overwhelming the target with spurious data, to the point where it is no longer able to respond to legitimate service requests.
Using SmartDefense You can configure how Teardrop attacks should be handled. Table 35: Teardrop Fields In this field… Do this… Action Specify what action to take when a Teardrop attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Teardrop attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Using SmartDefense You can configure how Ping of Death attacks should be handled. Table 36: Ping of Death Fields In this field… Do this… Action Specify what action to take when a Ping of Death attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Ping of Death attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Using SmartDefense You can configure how LAND attacks should be handled. Table 37: LAND Fields In this field… Do this… Action Specify what action to take when a LAND attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log LAND attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Using SmartDefense You can protect against Non-TCP Flooding attacks by limiting the percentage of state table capacity used for non-TCP connections. Table 38: Non-TCP Flooding Fields In this field… Do this… Action Specify what action to take when the percentage of state table capacity used for non-TCP connections reaches the Max. percent non TCP traffic threshold. Select one of the following: Track • Block. Block any additional non-TCP connections. • None. No action. This is the default.
Using SmartDefense IP and ICMP This category allows you to enable various IP and ICMP protocol tests, and to configure various protections against IP and ICMP-related attacks. It includes the following: • Packet Sanity on page 231 • Max Ping Size on page 233 • IP Fragments on page 234 • Network Quota on page 236 • Welchia on page 237 • Cisco IOS DOS on page 238 • Null Payload on page 240 Packet Sanity Packet Sanity performs several Layer 3 and Layer 4 sanity checks.
Using SmartDefense Table 39: Packet Sanity Fields In this field… Do this… Action Specify what action to take when a packet fails a sanity test, by selecting one of the following: Track • Block. Block the packet. This is the default. • None. No action. Specify whether to issue logs for packets that fail the packet sanity tests, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.
Using SmartDefense Max Ping Size PING (ICMP echo request) is a program that uses ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
Using SmartDefense In this field… Do this… Max Ping Size Specify the maximum data size for ICMP echo response. The default value is 1500. IP Fragments When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets.
Using SmartDefense Table 41: IP Fragments Fields In this field… Do this… Forbid IP Fragments Specify whether all fragmented packets should be dropped, by selecting one of the following: • True. Drop all fragmented packets. • False. No action. This is the default. Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.
Using SmartDefense Network Quota An attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial Of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address. You can configure how connection that exceed that limit should be handled.
Using SmartDefense In this field… Do this… Max. Type the maximum number of network connections allowed per second Connections/Second from the same source IP address. from Same Source IP The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms. Welchia The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
Using SmartDefense Table 43: Welchia Fields In this field… Do this… Action Specify what action to take when the Welchia worm is detected, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Welchia worm attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Using SmartDefense You can configure how Cisco IOS DOS attacks should be handled. Table 44: Cisco IOS DOS In this field… Do this… Action Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Cisco IOS DOS attacks, by selecting one of the following: Number of Hops to Protect • Log. Log the attack. This is the default. • None. Do not log the attack.
Using SmartDefense In this field… Do this… Action Protection for Specify what action to take when an IPv4 packet of the specific SWIPE - Protocol 53 / protocol type is received, by selecting one of the following: IP Mobility - Protocol 55 / • Block. Drop the packet. This is the default. SUN-ND - Protocol 77 / • None. No action. PIM - Protocol 103 Null Payload Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts.
Using SmartDefense In this field… Do this… Track Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets. TCP This category allows you to configure various protections related to the TCP protocol. It includes the following: • Strict TCP on page 241 • Small PMTU on page 243 Strict TCP Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.
Using SmartDefense You can configure how out-of-state TCP packets should be handled. Table 46: Strict TCP In this field… Do this… Action Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: Track • Block. Block the packets. • None. No action. This is the default. Specify whether to log null payload ping packets, by selecting one of the following: 242 • Log. Log the packets. This is the default. • None. Do not log the packets.
Using SmartDefense Small PMTU Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server. You can protect against this attack by specifying a minimum packet size for data sent over the Internet.
Using SmartDefense In this field… Do this… Minimal MTU Type the minimum value allowed for the MTU field in IP packets sent by a Size client. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300. Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack.
Using SmartDefense Table 48: Port Scan Fields In this field… Do this… Number of ports SmartDefense detects ports scans by measuring the number of ports accessed accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
Using SmartDefense In this field… Do this… In a period of SmartDefense detects ports scans by measuring the number of ports [seconds] accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
Using SmartDefense FTP This category allows you to configure various protections related to the FTP protocol. It includes the following: • FTP Bounce on page 247 • Block Known Ports on page 248 • Block Port Overflow on page 249 • Blocked FTP Commands on page 250 FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data.
Using SmartDefense Table 49: FTP Bounce Fields In this field… Do this… Action Specify what action to take when an FTP Bounce attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log FTP Bounce attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Block Known Ports You can choose to block the FTP server from connecting to well-known ports.
Using SmartDefense Table 50: Block Known Ports Fields In this field… Do this… Action Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Block Port Overflow FTP clients send PORT commands when connecting to the FTP sever. A PORT command consists of a series of numbers between 0 and 255, separated by commas.
Using SmartDefense Table 51: Block Port Overflow In this field… Do this… Action Specify what action to take for PORT commands containing a number greater than 255, by selecting one of the following: • Block. Block the PORT command. This is the default. • None. No action. Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked.
Using SmartDefense To disable FTP command blocking • In the Action drop-down list, select None. All FTP commands are allowed, including those in the Blocked commands box. To block a specific FTP command 1. In the Allowed commands box, select the desired FTP command. 2. Click Block. The FTP command appears in the Blocked commands box. 3. Click Apply. When FTP command blocking is enabled, the FTP command will be blocked. To allow a specific FTP command 1.
Using SmartDefense You can configure how CIFS worms should be handled. Table 52: File Print and Sharing Fields In this field… Do this… Action Specify what action to take when a CIFS worm attack is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log CIFS worm attacks, by selecting one of the following: • • CIFS worm patterns list 252 Log. Log the attack. None. Do not log the attack. This is the default.
Using SmartDefense IGMP This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled.
Using SmartDefense In this field… Do this… Enforce IGMP to According to the IGMP specification, IGMP packets must be sent to multicast addresses multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute and attack; therefore the Safe@Office appliance blocks such packets. Specify whether to allow or block IGMP packets that are sent to nonmulticast addresses, by selecting one of the following: • Block. Block IGMP packets that are sent to non-multicast addresses.
Using SmartDefense In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the table below. Table 54: Peer to Peer Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log peer-to-peer connections, by selecting one of the following: • Log. Log the connection. • None.
Using SmartDefense Instant Messengers SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • Skype • Yahoo • ICQ Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session. In each node, you can configure how instant messaging connections of the selected type should be handled, using the table below.
Using SmartDefense Table 55: Instant Messengers Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default.
Using Secure HotSpot Using Secure HotSpot You can enable your Safe@Office appliance as a public Internet access hotspot for specific networks. When users on those networks attempt to access the Internet, they are automatically re-directed to the My HotSpot page http://my.hotspot. On this page, they must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log on using their Safe@Office username and password. The users may then access the Internet.
Using Secure HotSpot You can choose to exclude specific network objects from HotSpot enforcement. For information, see Using Network Objects on page 131. Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only.
Using Secure HotSpot Enabling/Disabling Secure HotSpot To enable/disable Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. In the HotSpot Networks area, do one of the following: • To enable Secure HotSpot for a specific network, select the check box next to the network. • To disable Secure HotSpot for a specific network, clear the check box next to the network. 3. Click Apply.
Using Secure HotSpot Customizing Secure HotSpot To customize Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. Complete the fields using the information in the table below. Additional fields may appear. 3. To preview the My HotSpot page, click Preview. A browser window opens displaying the My HotSpot page.
Using Secure HotSpot 4. Click Apply. Your changes are saved. Table 56: My HotSpot Fields In this field… Do this… My HotSpot Type the title that should appear on the My HotSpot page. Title The default title is "Welcome to My HotSpot". My HotSpot Type the terms to which the user must agree before accessing the Internet. Terms You can use HTML tags as needed. My HotSpot is Select this option to require users to enter their username and password password before accessing the Internet.
Defining an Exposed Host Defining an Exposed Host The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer. The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules.
Defining an Exposed Host 2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host. 3. Click Apply. The selected computer is now defined as an exposed host. To clear the exposed host 1. Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears. 2. Click Clear. 3. Click Apply. No exposed host is defined.
Overview Chapter 10 Using VStream Antivirus This chapter explains how to use the VStream Antivirus engine to block security threats before they reach your network. This chapter includes the following topics: Overview ..................................................................................................265 Enabling/Disabling VStream Antivirus....................................................267 Viewing VStream Signature Database Information .................................
Overview Table 57: VStream Antivirus Actions If a virus if found in VStream Antivirus does this... this protocol... on this port...
Enabling/Disabling VStream Antivirus If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always upto-date, and your network is always protected.
Viewing VStream Signature Database Information The VStream Antivirus page appears. 2. Drag the On/Off lever upwards or downwards. VStream Antivirus is enabled/disabled for all internal network computers. Viewing VStream Signature Database Information VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures.
Configuring VStream Antivirus Table 58: Account Page Fields This field… Displays… Main database The date and time at which the main database was last updated, followed by the version number. Daily database The date and time at which the daily database was last updated, followed by the version number. Next update The next date and time at which the Safe@Office appliance will check for updates. Status The current status of the database.
Configuring VStream Antivirus For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move this rule to a higher location in the Antivirus Policy table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
Configuring VStream Antivirus Rule Description Scan This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged. Adding and Editing Rules To add or edit a rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click the Edit icon next to the desired rule.
Configuring VStream Antivirus The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule. 5. Complete the fields using the relevant information in the table below.
Configuring VStream Antivirus 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.
Configuring VStream Antivirus Table 60: VStream Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service. Standard Click this option to specify that the rule should apply to a specific standard Service service. You must then select the desired service from the drop-down list. Custom Service Click this option to specify that the rule should apply to a specific nonstandard service. The Protocol and Port Range fields are enabled.
Configuring VStream Antivirus In this field… Do this… And the Select the destination of the connections you want to allow or block. destination is To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. This option is not available in Allow and Forward rules. To specify the Safe@Office Portal and network printers, select This Gateway.
Configuring VStream Antivirus 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to • To disable the rule, click The button changes to . and the rule is enabled. . and the rule is disabled. Changing Rules' Priority To change a rule's priority 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Do one of the following: • Click next to the desired rule, to move the rule up in the table.
Configuring VStream Antivirus 3. Click OK. The rule is deleted. Configuring VStream Advanced Settings To configure VStream Antivirus advanced settings 1. Click Antivirus in the main menu, and click the Advanced tab. The Advanced Antivirus Settings page appears. 2. Complete the fields using the table below. 3. Click Apply. 4. To restore the default VStream Antivirus settings, do the following: a) Click Default. A confirmation message appears. b) Click OK.
Configuring VStream Antivirus The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the table below. Table 61: Advanced Antivirus Settings Fields In this field… Do this… File Types Block potentially unsafe Select this option to block all emails containing potentially unsafe file types in email attachments.
Configuring VStream Antivirus In this field… Do this… Pass safe file types Select this option to accept common file types that are known to without scanning be safe, without scanning them. Safe files types are: • MPEG streams • RIFF Ogg Stream • MP3 • PDF • PostScript • WMA/WMV/ASF • RealMedia • JPEG - only the header is scanned, and the rest of the file is skipped Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default.
Configuring VStream Antivirus In this field… Do this… Maximum compression Fill in the field to complete the maximum compression ratio of ratio 1:x files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, type 150. Setting a higher number allows the scanning of highly compressed files, but creates a potential for highly compressible files to create a heavy load on the appliance.
Updating VStream Antivirus Updating VStream Antivirus When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed. To update the VStream Antivirus virus signature database 1. Click Antivirus in the main menu, and click the Antivirus tab. The VStream Antivirus page appears. 2. Click Update Now.
Connecting to a Service Center Chapter 11 Using Subscription Services This chapter explains how to start subscription services, and how to use Software Updates, Web Filtering, and Email Filtering services. Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area. This chapter includes the following topics: Connecting to a Service Center ................................................................
Connecting to a Service Center The Account page appears. 2. In the Service Account area, click Connect.