Sangfor Iam11.2 User manual

IAM 11.2 User Manual

www.sangfor.com

SANGFOR IAM11.2

User Manual

2016 January

IAM 11.2 User Manual

www.sangfor.com

IAM 11.2 User Manual

www.sangfor.com

Table of Content

Table of Content.........................................................................................................................................3

Declaration................................................................................................................................................. 8

About This Document................................................................................................................................ 9

Organization....................................................................................................................................... 9

Conventions....................................................................................................................................... 9

Symbol Conventions........................................................................................................................ 10

Technical Support.............................................................................................................................10

Acknowledgment............................................................................................................................. 10

Chapter 1 IAM Installation.......................................................................................................................11

1.1 Environment Requirement........................................................................................................ 11

1.2 Power......................................................................................................................................... 11

1.3 Product Appearance.................................................................................................................. 11

1.4 Configuration and Management............................................................................................... 13

1.5 Wiring Method of Standalone................................................................................................... 13

1.6 Wiring Method of Redundant System....................................................................................... 16

Chapter 2 IAM Console............................................................................................................................ 17

2.1 Web UI Login..............................................................................................................................17

2.1.1 Log into the Web Console...............................................................................................17

2.1.2 Remove the Certificate Alert Dialog............................................................................... 18

2.2 Configuration............................................................................................................................. 20

Chapter 3 Functions.................................................................................................................................22

3.1 System........................................................................................................................................ 22

3.1.1 Status.............................................................................................................................. 22

3.1.1.1 Dashboard............................................................................................................22

3.1.1.2 Online users......................................................................................................... 29

3.1.1.3 Connection Quality..............................................................................................32

3.1.1.4 Traffic Statistics.................................................................................................... 40

3.1.1.5 Internet Activities................................................................................................ 47

3.1.1.6 Locked Users........................................................................................................ 49

3.1.1.7 DHCP Status......................................................................................................... 50

3.1.1.8 Security Events.....................................................................................................51

3.1.2 Firewall............................................................................................................................51

3.1.2.1 Firewall Rules....................................................................................................... 51

3.1.2.2 IPv4 SNAT............................................................................................................. 53

3.1.2.3 IPv4 DNAT............................................................................................................ 59

3.1.2.4 IPv6 NAT............................................................................................................... 63

3.1.3 Network.......................................................................................................................... 65

3.1.3.1 Deployment......................................................................................................... 65

3.1.3.2 Network Interface Configuration........................................................................ 92

3.1.3.3 Static Routes........................................................................................................ 99

3.1.3.4 Policy-Based Routing......................................................................................... 101

3.1.3.5 High Availability................................................................................................. 106

3.1.3.6 HOSTS.................................................................................................................115

3.1.3.7 DHCP.................................................................................................................. 116

IAM 11.2 User Manual

www.sangfor.com

3.1.3.8 Protocol Extension.............................................................................................118

3.1.3.9 Optical Bypass Module...................................................................................... 120

3.1.4 General..........................................................................................................................122

3.1.4.1 Licensing............................................................................................................ 122

3.1.4.2 Administrator.....................................................................................................123

3.1.4.3 Date/Time.......................................................................................................... 134

3.1.4.4 Update............................................................................................................... 135

3.1.4.5 Alarm Options....................................................................................................137

3.1.4.6 Global Exclusion.................................................................................................141

3.1.4.7 Backup/Restore................................................................................................. 143

3.1.4.8 Custom Webpage.............................................................................................. 144

3.1.4.9 Report Center.................................................................................................... 146

3.1.4.10 Advanced Settings........................................................................................... 148

3.1.5 Diagnostics....................................................................................................................157

3.1.5.1 System Logs....................................................................................................... 157

3.1.5.2 Capture Packets................................................................................................. 158

3.1.5.3 Web Console......................................................................................................160

3.1.5.4 Troubleshooting.................................................................................................161

3.1.5.5 Shutdown...........................................................................................................163

3.2 Proxy .......................................................................................................................................164

3.2.1 Proxy Services............................................................................................................... 164

3.2.2 Proxies...........................................................................................................................166

3.2.2.1 HTTP Proxy.........................................................................................................166

3.2.2.2 SOCKS4 Proxy.....................................................................................................169

3.2.2.3 SOCKS5 Proxy.....................................................................................................170

3.2.3 ICAP Server Groups.......................................................................................................171

3.2.4 Cascading Proxy Servers............................................................................................... 174

3.2.5 Forward......................................................................................................................... 175

3.3 Object.......................................................................................................................................177

3.3.1 Application Signature....................................................................................................178

3.3.1.1 Viewing the Application Signature.................................................................... 179

3.3.1.2 Enabling/Disabling Application Identification Rules.........................................182

3.3.2 Advanced App Signature.............................................................................................. 183

3.3.2.1 Enabling/Disabling Advanced App Signature....................................................184

3.3.2.2 Editing P2P Behavior Identification Rules......................................................... 184

3.3.2.3 Editing Ultrasurf/Freegate Identification Rules................................................ 186

3.3.2.4 Editing Web Online Proxy Identification Rules..................................................187

3.3.3 Custom Application.......................................................................................................188

3.3.3.1 Adding Custom Application Rules..................................................................... 188

3.3.3.2 Enabling, Disabling, and Deleting Custom Application Rules........................... 190

3.3.3.3 Importing and Exporting Custom Application Rules.........................................190

3.3.4 URL Database................................................................................................................190

3.3.4.1 URL Database List.............................................................................................. 191

3.3.5 Ingress Rule Database...................................................................................................195

3.3.5.1 Ingress Rules...................................................................................................... 195

3.3.5.2 Combined Ingress Rule...................................................................................... 206

3.3.6 Service...........................................................................................................................210

3.3.7 IP Group........................................................................................................................ 212

3.3.8 ISP..................................................................................................................................213

3.3.9 Schedule........................................................................................................................215

IAM 11.2 User Manual

www.sangfor.com

3.3.10 Keyword Group........................................................................................................... 217

3.3.11 File Type Group...........................................................................................................218

3.3.12 Location.......................................................................................................................219

3.4 Users.........................................................................................................................................222

3.4.1 Working Principle..........................................................................................................222

3.4.1.1 Users Type..........................................................................................................222

3.4.1.2 User Authentication.......................................................................................... 224

3.4.2 Authentication.............................................................................................................. 225

3.4.2.1 Authentication Policy.........................................................................................225

3.4.2.2 External Auth Server..........................................................................................240

3.4.2.3 Single Sign-On....................................................................................................260

3.4.2.4 Custom Webpage.............................................................................................. 273

3.4.3 Users............................................................................................................................. 278

3.4.3.1 Local Users......................................................................................................... 278

3.4.3.2 User Import........................................................................................................302

3.4.3.3 User Binding.......................................................................................................306

3.4.3.4 IP&MAC Binding................................................................................................ 310

3.4.4 Advanced...................................................................................................................... 312

3.4.4.1 Authentication Options..................................................................................... 313

3.4.4.2 USB Key User..................................................................................................... 316

3.4.4.3 Custom Attributes..............................................................................................319

3.4.4.4 MAC Filtering Across L3 Switch......................................................................... 321

3.5 Access Mgt............................................................................................................................... 324

3.5.1 Policies.......................................................................................................................... 324

3.5.1.1 Introduction to Policies......................................................................................325

3.5.1.2 Adding Object for Access Control......................................................................330

3.5.1.3 Viewing Network Access Policies of Users........................................................ 336

3.5.1.4 Matching Network Access Policies....................................................................339

3.5.1.5 Adding Policies...................................................................................................340

3.5.1.6 Adding a Policy Using a Template......................................................................390

3.5.1.7 Deleting an Ingress Policy..................................................................................392

3.5.1.8 Editing Policies in Batches................................................................................. 392

3.5.1.9 Enabling or Disabling a Policy............................................................................393

3.5.1.10 Changing the Policy Order...............................................................................394

3.5.1.11 Importing/Exporting a Policy.......................................................................... 395

3.5.2 Advanced Policy Options.............................................................................................. 397

3.5.2.1 Logging...............................................................................................................397

3.5.2.2 Web Access Options.......................................................................................... 399

3.5.2.3 Policy Troubleshooting...................................................................................... 400

3.5.2.4 Excluded Application......................................................................................... 400

3.6 Traffic Management.................................................................................................................402

3.6.1 Overview.......................................................................................................................402

3.6.2 Bandwidth Management..............................................................................................403

3.6.3 Bandwidth Channel Configuration............................................................................... 403

3.6.3.1 Line Bandwidth..................................................................................................404

3.6.3.2 Limited Channel.................................................................................................412

3.6.3.3 Traffic Sub-Channel............................................................................................421

3.6.3.4 Penalty Channel................................................................................................. 428

3.6.3.5 Adding a Channel Using a Template..................................................................438

3.6.3.6 Exclusion Policy..................................................................................................438

IAM 11.2 User Manual

www.sangfor.com

3.6.4 Line Bandwidth Configuration......................................................................................440

3.6.5 Virtual Line Configuration.............................................................................................441

3.7 Endpoint Device Connection Management............................................................................ 445

3.7.1 Shared Connection Management.................................................................................445

3.7.2 Mobile Endpoint Management.................................................................................... 449

3.8 Security Protection.................................................................................................................. 452

3.8.1 Anti-DoS Attack............................................................................................................. 453

3.8.2 ARP Protection..............................................................................................................454

3.8.3 Antivirus........................................................................................................................456

3.9 VPN Configuration................................................................................................................... 458

3.9.1 DLAN Operating Status................................................................................................. 458

3.9.2 Basic Settings................................................................................................................ 459

3.9.3 User Management........................................................................................................ 461

3.9.4 Connection Management.............................................................................................469

3.9.5 Virtual IP Address Pool................................................................................................. 471

3.9.6 Multi-Line Settings........................................................................................................477

3.9.7 Multi-Line Route Selection Policy.................................................................................479

3.9.8 Local Subnet List........................................................................................................... 481

3.9.9 Inter-channel Routing Settings..................................................................................... 482

3.9.10 Third party connection............................................................................................... 485

3.9.10.1 Phase I..............................................................................................................485

3.9.10.2 Phase II.............................................................................................................491

3.9.10.3 Security Options.............................................................................................. 495

3.9.11 Object..........................................................................................................................497

3.9.11.1 Schedule.......................................................................................................... 497

3.9.11.2 Algorithm List Settings.....................................................................................498

3.9.12 Advanced Settings...................................................................................................... 498

3.9.12.1 Intranet Service Settings..................................................................................498

3.9.12.2 VPN Interface Settings.....................................................................................501

3.9.12.3 Multicast Service............................................................................................. 503

3.9.12.4 LDAP Server Settings....................................................................................... 505

3.9.12.5 Radius Server Settings..................................................................................... 506

3.9.12.6 Dynamic Routing Settings................................................................................507

Chapter 4 Use Cases.............................................................................................................................. 508

4.1 SSO Configuration.................................................................................................................... 508

4.1.1 SSO Configuration for the AD Domain......................................................................... 508

4.1.1.1 SSO Implemented by Delivering a Login Script Through Domains................... 508

4.1.1.2 Obtaining Login Information Using a Program (SSO Without a Plug-in).......... 521

4.1.1.3 SSO Implemented Using IWA............................................................................ 535

4.1.1.4 SSO Implemented in Monitoring Mode............................................................ 535

4.1.2 Proxy SSO Configuration...............................................................................................539

4.1.2.1 4 SSO in Monitoring Mode................................................................................ 539

4.1.2.2 SSO in ISA Mode................................................................................................ 543

4.1.3 POP3 SSO Configuration............................................................................................... 547

4.1.4 Web SSO Configuration................................................................................................ 551

4.1.5 Configuration of SSO Implemented with Third-Party Devices.....................................555

4.1.5.1 SSO Implemented with Ruijie SAM................................................................... 555

4.1.5.2 SSO Implemented with Devices Supporting the HTTP SSO Interface...............563

4.1.5.3 SSO Implemented with H3C CAMS................................................................... 565

4.1.5.4 SSO Implemented with Dr. COM....................................................................... 566

IAM 11.2 User Manual

www.sangfor.com

4.1.5.5 SSO Implemented with H3C IMC.......................................................................568

4.1.6 SSO Implemented with Another SANGFOR Device......................................................569

4.1.7 SSO Implemented with a Database System................................................................. 571

4.2 Configuration That Requires No User Authentication............................................................ 574

4.3 Configuration That Requires Password Authentication.......................................................... 580

4.3.1 SMS Authentication...................................................................................................... 580

4.3.1.1 Sending SMS Messages Through an SMS Modem............................................580

4.3.1.2 Sending an SMS Message Using an SMS Modem Installed on an External Server585

4.3.2 WeChat and QR Code Authentication..........................................................................592

4.3.3 Password Authentication..............................................................................................603

4.4 Other Configuration Cases.......................................................................................................611

4.5 CAS Server Authentication Case..............................................................................................624

4.6 Policy Configuration Cases.......................................................................................................628

4.6.1 Configuring a Policy for Blocking P2P and P2P Streaming Media Data for a User Group628

4.6.2 Configuring an IM Monitoring Policy for a User Group............................................... 632

4.6.3 Enabling the Audit Function for a User Group............................................................. 636

4.7 Endpoint Device Management Configuration Cases...............................................................639

4.7.1 Configuring the Sharing Prevention Function.............................................................. 639

4.7.2 Mobile Endpoint Management Configuration Cases...................................................641

4.8 Comprehensive Configuration Cases.......................................................................................642

4.8.1 Customer Network Environment and Requirement.................................................... 642

4.8.2 Configuration Idea........................................................................................................ 643

4.8.3 Configuration Process...................................................................................................644

Appendix: Usage of SANGFOR Device Upgrade System........................................................................665

Product Upgrade Procedure.......................................................................................................... 668

IAM 11.2 User Manual

www.sangfor.com

Declaration

No part of the information contained in this document shall be extracted,

reproduced or transmitted in any form or by any means, without prior written

permission of SANGFOR.

SANGFOR, SANGFOR Technologies and the SANGFOR logo are the trademarks

or registered trademarks of SANGFOR Technologies Co. Ltd. All other trademarks used

or mentioned herein belong to their respective owners.

This manual shall only be used as usage guide, and no statement, information, or

suggestion in it shall be considered as implied or express warranties of any kind, unless

otherwise stated. This manual is subject to change without notice. To obtain the latest

version of this manual, please contact the Customer Service of SANGFOR Technologies

CO. Ltd

IAM 11.2 User Manual

www.sangfor.com

About This Document

Organization

Part I Describe the hardware server and software server requirement in order to install External

Data Center. Step of Installation included.

Part II Describe the interface and each of the function such as generate report, check online

behavior and system management. Justify overall configuration, setting and precaution.

This document takes SANGFOR IAM M5100 as an example. Equipment of different models

differs in both hardware and software specifications. Therefore, confirm with SANGFOR about

problems involving product specifications.

Conventions

GUI Conventions

Item

Sign

Example

Button

Frame+shadow+

shading

The OK button can be simplified as OK.

Menu item

{}

The menu item System Setup can be simplified as

System Setup.

Choose cascading menu

items

→

Choose System Setup > Interface Configuration.

Drop-down list, option

button, check box

[ ]

The Enable User check box can be simplified as

Enable User.

Window name

Bold Font

Open the New User window.

Prompt

“”

The prompt “Succeed in saving configuration. The

configuration is modified. You need to restart the

DLAN service for the modification to take effect.

Restart the service now?” is displayed.

IAM 11.2 User Manual

www.sangfor.com

Symbol Conventions

The symbols that may be found in this document are defined as follows:

Caution: alerts you to a precaution to be observed during operation. Improper operation may

cause setting validation failure, data loss, or equipment damage.

Warning: alerts you to pay attention to the provided information. Improper operation may

cause bodily injuries.

Note or tip: provides additional information or a tip to operations.

Technical Support

Email: tech.support@sangfor.com.hk

International Service Centre: +60 12711 7129 (7511) Malaysia: 1700817071

Website: www.sangfor.com

Acknowledgment

Thanks for choosing our product and user manual. For any suggestions on our product or user

manual, provide your feedback to us by phone or email.

Table of contents

Other Sangfor Gateway manuals

Sangfor

Sangfor IAM 2.1 User manual

Popular Gateway manuals by other brands

Telecom FM

Telecom FM onestream gfx Programming guide

UfiSpace

UfiSpace LoRa GPE810U Quick setup guide

Merak

Merak MMk-736F Quick setup guide

Robustel

Robustel R3010 user guide

turck

turck BL20-PG-EN-V3 user manual

IBM

IBM Security Web Gateway Appliance quick start guide

SSS Siedle

SSS Siedle Smart Gateway Commissioning instructions

ADTRAN

ADTRAN 424RG Installation

Chorus

Chorus Hyperfibre XGS-250WX-A user guide

Dragino

Dragino G308 user manual

Data Domain

Data Domain DD690g Installation and setup guide

Raritan

Raritan Laptop Release notes

Haivision

Haivision Torpedo quick start guide

ATCOM

ATCOM AG-268 user manual

LST

LST M500RFE-AS Specification sheet

Vega

Vega VEGA BS-3 user manual

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

Sangfor IAM11.2 User manual

Popular Gateway manuals by other brands