Cyberguard Sg565 User manual

FCC ID: SZD-990186 (IC: 5746A-990186) Report No. M050109_Cert_WMIR-103G

This document must not be copied or reproduced, except in full without the written permission of

the Manager, EMC Technologies Pty Ltd. The certificate on page 3 may be reproduced in full.

www.emctech.com.au

APPENDIX N

USER MANUAL - PART 1

User Manual

Quick Setup

Warranty

Contact Details

Product Registration

Quick Setup

This guide walks you through the installation of your CyberGuard SG

appliance. Installing the CyberGuard SG appliance into a well planned

network is quick and easy. However, network planning and design is

outside the scope of this guide. Please take some time to plan your

network prior to installing your CyberGuard SG appliance.

To add the CyberGuard SG appliance to your local area network (LAN),

the basic steps are:

Unpack your CyberGuard SG appliance

Set up a PC to connect to the Web Management Console

Set up your CyberGuard SG appliance’s password and LAN

connection settings

Set up your CyberGuard SG appliance’s Internet connection

settings

Set up the PCs on your LAN to access the Internet

Occasionally you will see a box like the following, which contains

important technical information:

Note: Example.

System Requirements

These steps assume that you have a PC running Microsoft Windows

(95/98/Me/2000/XP) with an Ethernet network interface card installed.

You may need to be logged in with administrator privileges.

For a more a thorough description of configuring the CyberGuard SG

appliance, please refer to the User Manual on your CyberGuard SG CD

(\doc\UserManual.pdf).

For troubleshooting and answers to frequently asked questions, contact

your network administrator or consult the Knowledge Base at:

http://www.cyberguard.com/snapgear/knowledgebase.html

For product compliance information, please refer to the CyberGuard SG

CD (\doc\Compliance.pdf).

STEP 1 Unpack the CyberGuard SG appliance

Check the following items were included with your CyberGuard SG

appliance:

Power adapter

CyberGuard SG CD

2 Ethernet cables (1 blue straight through cable and 1 gray or

red crossover cable or 2 blue straight through cables)

2 Antenna

Step 1a Assemble the antenna onto the SG565

Before powering on the SG565 the antenna must be fitted.

Screw the two antenna onto the terminals ANT A and ANT B at the rear

of the device

Warning: To comply with the FCC and ANSI C95.1 RF exposure limits, it is recommended for the

Cyberguard SG565 device be installed so as to provide a separation distance of at least 20 cm (8 inches)

from all persons and that the antenna must not be co-located or operating in conjunction with any other

antenna or radio transmitter. It is recommended that the user limit exposure time if the antenna is

positioned closer than 20 cm (8 inches).

Step 1b Power on the SG565

On the rear panel of the CyberGuard SG appliance you will see network

(LAN 4 ports), Internet (Internet/WAN) and serial ports, a Reset/Erase

button, antenna outlets and a power inlet.

The front panel of the CyberGuard SG appliance contains activity LEDs

(lights) that vary slightly between models. These provide information on

the operating status of your CyberGuard SG appliance.

Note: Power is ON when power is applied (use only the power adapter packaged with the

unit).

System/Heart Beat/TST flashes when the CyberGuard SG appliance is running.

The SG565 may also initially have all other front panel LEDs flashing.

If these LEDs do not behave in this manner before your CyberGuard SG appliance has been

attached to the network, you may need to perform a factory reset. Press the black

Reset/Erase button on rear panel twice within two seconds to restore factory default

settings. If the LEDs are still not flashing after 30 seconds, you may need to contact

customer support.

STEP 2 Set up a PC to connect to the Web

Management Console

The CyberGuard SG appliance ships with initial, static IP settings of:

LAN IP address: 192.168.0.1

LAN subnet mask: 255.255.255.0

Note: The Internet/WAN and DMZ interfaces are by default inactive,

i.e. there are no network services such as DHCP in operation, and no IP

address is configured.

If you attach the CyberGuard SG unit’s LAN port directly to a LAN with

an existing DHCP server, or a PC running a DHCP service, before

performing the initial setup steps described below, it will automatically

obtain an additional address. Your CyberGuard SG appliance will still

be reachable at 192.168.0.1.

However, it is strongly recommended that you perform the initial setup

steps 2, 3 and 4 before connecting your CyberGuard SG appliance to

your LAN.

Your CyberGuard SG appliance will need an IP address suitable for your

LAN before it is connected. You may choose to use the CyberGuard SG

appliance’s initial network settings as a basis for your LAN settings.

Connect the supplied power adapter to the CyberGuard SG appliance.

Connect the CyberGuard SG appliance’s LAN Ethernet port directly to

your PC’s network interface card using the crossover cable (red or gray).

Next, you must modify your PC’s network settings to enable it to

communicate with the CyberGuard SG appliance.

Click Start -> (Settings ->) Control Panel and double click Network

Connections (or in 95/98/Me, double click Network).

Right click on Local Area Connection and select Properties.

Note: If there is more than one existing network connection, select the

one corresponding to the network interface card to which the

CyberGuard SG appliance is attached.

Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me,

TCP/IP -> your network card name if there are multiple entries) and

click Properties.

Select Use the following IP address and enter the following details:

IP address: 192.168.0.100

Subnet mask: 255.255.255.0

Default gateway: 192.168.0.1

Select Use the following DNS server addresses and enter:

Preferred DNS server: 192.168.0.1

Note: If you wish to retain your existing IP settings for this network

connection, click Advanced and Add the secondary IP address of

192.168.0.100, subnet mask 255.255.255.0.

STEP 3 Set up the CyberGuard SG appliance’s

password and LAN connection settings

Launch Internet Explorer (or your preferred web browser) and navigate

to 192.168.0.1.

The Web Management Console will display.

Select Quick Setup Wizard from the center of the page.

You will be prompted to log in. Enter the initial user name and password

for the CyberGuard SG appliance:

User name: root

Password: default

Note: If you are unable to connect to the Management Console at

192.168.0.1, or the initial username and password are not accepted,

press the black Reset button on the CyberGuard SG appliance’s rear

panel twice, wait 20 – 30 seconds, and try again. Pressing this button

twice within 2 seconds returns the CyberGuard SG appliance to its

factory default settings.

Enter and confirm a password for your CyberGuard SG appliance. This

is the password for the user root, the main administrative user account

on the CyberGuard SG appliance. It is therefore important that you

choose a password that is hard to guess, and keep it safe.

The new password will take effect immediately, and you will be prompted

to enter it when completing the next step.

The Quick Setup Wizard will display.

Hostname: You may change the name your CyberGuard SG appliance

knows itself by. This is not generally necessary.

Manual configuration: Select this to manually specify your CyberGuard

SG appliance’s LAN connection settings.

Skip: LAN already configured: Select this if you wish to use the

CyberGuard SG appliance’s initial network settings (IP address

192.168.0.1 and subnet mask 255.255.255.0) as a basis for your LAN

settings. You may skip to STEP 4.

Obtain LAN IP address from a DHCP server on LAN: It is

recommended that you statically configure your CyberGuard SG

appliance’s LAN connection settings rather than rely on an existing

DHCP server. However, you may select this if you have an existing

DHCP server that you wish to have automatically configure your

CyberGuard SG appliance’s LAN connection settings. You may skip to

STEP 4.

Click Next.

Note: This page will only display if you previously selected Manual

configuration. Otherwise skip to STEP 4.

Enter an IP address and Subnet mask for your CyberGuard SG

appliance’s LAN connection. You may choose to use the CyberGuard

SG appliance’s initial network settings if you are sure no other PC or

network device already has the address of 192.168.0.1.

The IP address will later be used as the gateway address for the PCs

on your LAN. To gain access through this gateway, the PCs on your

LAN must have an IP address within the bounds of the subnet described

by the CyberGuard SG appliance’s IP address and subnet mask (e.g.

using the CyberGuard SG appliance’s initial network settings,

192.168.0.2 – 192.168.0.254).

Take note of this IP address and subnet mask, as you will need them

later on.

Click Next.

STEP 4 Set up the CyberGuard SG appliance’s Internet

connection settings

First, attach your CyberGuard SG appliance to your modem device or

Internet connection medium. If necessary, give the modem device some

time to power up.

Select your Internet connection type and click Next.

If connecting using a cable modem, select the appropriate ISP. Choose

Generic cable modem provider if unsure.

If connecting using a regular analog modem, enter the details provided

by your ISP.

If connecting using an ADSL modem, select Auto detect ADSL

connection type and enter the details provided by your ISP. If auto

detection fails and you are unsure of your ADSL connection type,

contact your ISP.

If you have a direct connection to the Internet (e.g. a leased line), enter

the IP settings provided by your ISP.

Note: For detailed help for each of these options, please refer to the

User Manual.

Once the CyberGuard SG appliance’s Internet connection has been set

up, click Next, select Reboot and click Next again.

Note: If you changed the CyberGuard SG appliance’s LAN connection

settings in STEP 3, it may become uncontactable at this point. The next

step describes how to set up the PCs on your network to access the

CyberGuard SG appliance and the Internet.

STEP 5 Set up the PCs on your LAN to access the

Internet

If you haven’t already, connect your CyberGuard SG appliance’s LAN

port directly to your LAN hub using the straight through Ethernet cable

(blue).

Note: if you are setting up the SG565, you may also connect PCs

directly to its LAN switch.

To access the Internet, the PCs on your LAN must all be set up to use

the CyberGuard SG appliance as their default gateway. This can be

done a number of different ways depending on how your LAN is set up.

If your LAN has a DHCP server already, proceed to STEP 5A.

If your LAN does not have a DHCP server, proceed to STEP 5B.

If you are not sure, you probably want STEP 5B.

STEP 5A LAN with a DHCP server

Add a lease to your existing DHCP server to reserve an IP address for

the CyberGuard SG appliance’s LAN connection.

If you chose to set the CyberGuard SG appliance’s LAN connection

settings using Manual configuration, you may simply remove this

address from the pool of available addresses.

Enter this same IP address as the gateway IP address to be handed out

by the DHCP server.

Enter this same IP address as the DNS server IP address to be handed

out by the DHCP server.

Restart all the PCs on the network (this will reset their gateway and DNS

addresses).

Note: The purpose of restarting the PCs is to force them to gain a new

DHCP lease. Alternatively you can use a utility such as ipconfig to

release then renew a lease, or disable and re-enable the network

connection.

STEP 5B LAN with no DHCP server

A DHCP server allows PCs to automatically obtain network settings

when they start up. If your network does not have a DHCP server, you

may either manually set up each PC on your network, or set up the

CyberGuard SG appliance's DHCP server.

Note: If you only have several PCs, we suggest manually setting up

your network. If you have more PCs, enabling the CyberGuard SG

appliance’s DHCP server is more scalable.

To manually set up each Windows PC on your network:

Click Start -> (Settings ->) Control Panel and double click Network

Connections (or in 95/98/Me, double click Network).

If presented with multiple connections, right click on Local Area

Connection (or appropriate network connection) and select Properties.

Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me,

TCP/IP -> [your network card name] if there are multiple entries).

Enter the following details:

IP address is an IP address that is part of the same subnet range

as the CyberGuard SG appliance’s LAN connection (e.g. if using

the default settings, 192.168.0.2 – 192.168.0.254).

Subnet mask is the subnet mask of the CyberGuard SG

appliance’s LAN connection.

Default gateway is the IP address of the CyberGuard SG

appliance’s LAN connection.

Preferred DNS server is the IP address of the CyberGuard SG

appliance’s LAN connection.

Click OK (or in 95/98/Me, Add then OK, reboot the PC if prompted to do

so).

Perform these steps for each PC on your network.

You are now finished.

Alternatively, to activate your CyberGuard SG appliance's DHCP server:

Launch Internet Explorer (or your preferred web browser) and navigate

to the IP address of the CyberGuard SG appliance’s LAN connection.

Note: If you changed your CyberGuard SG appliance’s LAN connection

settings from its default settings in STEP 3, it may be uncontactable at

this point. If so, manually set up a single PC as described at the

beginning of STEP 5B before continuing.

The Web Management Console will display.

Select DHCP Server from the Networking menu.

Click Add Server and configure the DHCP server with the following

details:

Gateway Address is the IP address of the CyberGuard SG

appliance’s LAN connection, or leave it blank.

DNS Address is the IP address of the CyberGuard SG

appliance’s LAN connection, or leave it blank.

WINS Address (optional) is the IP address of any existing WINS

server on your LAN.

Default Lease Time and Maximum Lease Time should generally

be left at their default values.

Initial Dynamic IP Address Range is a range of free IP

addresses on your LAN’s subnet for the CyberGuard SG

appliance to hand out to PCs on your LAN.

Note: For a detailed description of configuring DHCP Server Settings,

please refer to the User Manual.

Each PC on your LAN must now be set up to use DHCP. For each PC

on your LAN:

Click Start -> (Settings ->) Control Panel and double click Network

Connections (or in 95/98/Me, double click Network).

If presented with multiple connections, right click on Local Area

Connection (or appropriate network connection) and select Properties.

Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me,

TCP/IP -> [your network card name] if there are multiple entries) and

click Properties (in 95/98/Me, you may also have to click the IP Address

tab).

Check Obtain an IP address automatically, check Obtain DNS server

address automatically and click OK (in 95/98/Me, reboot the PC if

prompted to do so).

You are now finished.

Common VPN Scenarios

Generally there are two common scenarios in which you will want to set

up your CyberGuard SG appliance(s):

•LAN-to-LAN: Linking two branch offices across the Internet. For this

case we recommend using IPSec. The VPN connection can operate

with both static and dynamic public (Internet) IP addresses.

For the example below we assume that CyberGuard SG appliances are

installed at either end, and that both have a static public IP address, or

one is static and one is dynamic. The example tunnel will be using pre-

shared keys for authentication, aggressive mode for keying, and be

established going out through the default gateway interface. Proceed to

CyberGuard SG to CyberGuard SG VPN (IPSec).

Please refer to the IPSec section of the User Manual if you are

trying to set up something more complex, and for a detailed

description of all available options.

•Roaming: Connecting to your CyberGuard SG appliance, installed at

your home or office, from a single PC at a remote location. For this

case we recommend using PPTP because the client is standard in

Windows and other operating systems, and it is quite simple to set up.

Proceed to Remote Workstation to CyberGuard SG VPN (PPTP).

CyberGuard SG to CyberGuard SG VPN (IPSec)

Perform these steps for either end of the connection. Unless instructed

otherwise, leave all options at their default settings.

STEP 1 Enable IPSec

Select IPSec from the VPN menu.

Underneath IPSec General Settings select This end has a static IP

address IPSec endpoint, or This end has a dynamic IP address

IPSec endpoint as appropriate. This is referring to the public (Internet)

IP address of this CyberGuard SG appliance. Check with your ISP if

unsure.

Check Enable IPSec, and click Apply.

STEP 2 Add a New IPSec Connection

Select the Add New Tunnel tab at the top of the window.

Enter a descriptive name for the connection in Tunnel name.

Select This tunnel will be using Aggressive mode Automatic Keying

(IKE).

Select The remote party has a static IP address or The remote party

has a dynamic IP address as appropriate. This is referring to the

public (Internet) IP address of the other CyberGuard SG appliance.

Check with your ISP if unsure.

Click Continue.

STEP 3 Local Endpoint Settings

If you selected This end has a dynamic IP address IPSec endpoint,

enter snap@branch as the Required Endpoint ID.

Click Continue.

STEP 4 Remote Endpoint Settings

If you selected The remote party has a static IP address, enter the

other CyberGuard SG appliance's public (Internet) IP address in The

remote party's IP address.

If you selected The remote party has a dynamic IP address, enter

snap@branch as the Required Endpoint ID.

Note: Please note again that this example is not suitable for setting up a

connection where both ends have dynamic IP address, for this scenario

please refer to the IPSec section of the User Manual.

Click Continue.

STEP 5 Phase 1 Settings

You must choose a Preshared Secret to authenticate the connection.

This passphrase can be any character string you like (recommended at

least 24 characters), it may contain spaces, and must be entered

identically on both CyberGuard SG appliances.

Note: It is important that you keep this information secret, much like a

password. The preshared secret is fundamental to IPSec encryption.

Click Continue.

STEP 6a Phase 2 Settings

Enter the network address and network mask for the Local Network

(this CyberGuard SG appliance) and the Remote Network (the other

CyberGuard SG appliance). You can check this by opening

Diagnostics in a new browser window and looking under LAN

Interface, e.g. if the IP Address is 192.168.1.1 and Netmask is

255.255.255.0, enter 192.168.1.0/255.255.255.0.

Note: The two LANs being connected by the IPSec connection must

have network addresses that are different to each other, e.g.

192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0.

Click Apply and you're done.

STEP 6b Repeat

Your CyberGuard SG appliance is now activated for IPSec VPN. Once

you have completed the steps at each end you will be up and running.

STEP 7 Verify

Under Tunnel List in the General Settings tab, check Status to see

whether the connection is Down or Running. Status will display

Negotiating Phase 1 then Negotiating Phase 2 as the connection is

being established.

Remote Workstation to CyberGuard SG VPN (PPTP)

STEP 1 Enable PPTP Server

Select PPTP VPN Server from the Networking menu. The table below

describes the fields in the PPTP VPN Server Setup page and the

options in enabling and configuring VPN access.

Enable PPTP Check this box to enable the establishment of

PPTP connections to your CyberGuard SG

appliance.

IP Address(es) to

Assign VPN Clients

Enter a range of free IP addresses on your

LAN to assign to the remote connections.

Authentication

Scheme

MSCHAPv2 is the most secure and

recommended. It uses encrypted passwords.

CHAP is less secure, and similarly PAP is

even less secure, but more common. In some

cases you may have to choose them if the

default does not work.

Authentication

Database

Leave this as Local unless you wish to use

another server to authenticate PPTP VPN

clients. Refer to the User Manual if this is the

case.

Table of contents

Other CyberGuard Firewall manuals

CyberGuard

CyberGuard 2.0.1 User manual

CyberGuard

CyberGuard SnapGear User manual

Popular Firewall manuals by other brands

Fortinet

Fortinet FSM-500F Configuration guide

Cisco

Cisco Meraki MX100 installation guide

Cisco

Cisco S190 quick start guide

Fortinet

Fortinet FortiGate Voice Series install guide

SecureLogix

SecureLogix ETM System installation guide

Huawei

Huawei USG6000 Series Upgrade guide

NETGEAR

NETGEAR ProSafe FVX538 Reference manual

Lanner

Lanner FW-8877 user manual

Nexcom

Nexcom DNA 1150 user manual

Cisco

Cisco 3110 Hardware installation guide

Fortinet

Fortinet FortiGate-60 series install guide

ADTRAN

ADTRAN NetVanta 2300 Specifications

Swisscom

Swisscom Internet Backup manual

SonicWALL

SonicWALL NSa 5700 quick start guide

DPtech

DPtech FW1000 SERIES Maintenance manual

FEITIAN

FEITIAN MultiPass FIDO product manual

Trend Micro

Trend Micro Deep Edge quick start guide

Smoothwall

Smoothwall S10 Appliance Getting started guide

CyberGuard SG565 User manual

Popular Firewall manuals by other brands