Sangfor M5100 User manual

SANGFOR Technologies Co., Ltd.
International Service Centre: +60 12711 7129 (7511)
Malaysia: 1700817071
Email: tech.support@sangfor.com.hk
RMA: rma@sangfor.com.hk
SSL M6.8EN User Manual
FEB 2015

SANGFOR SSL M6.8EN User Manual
Table of Contents
Declaration
Preface
About This Manual
Document Conventions
Graphic Interface Conventions
Symbol Conventions
CLI Conventions
Technical Support
Acknowledgements
Chapter 1 Knowing Your Sangfor Device
Operating Environment
Product Appearance
Connecting Sangfor Device
Chapter 2 Initial Login to Admin Console
Logging in to Admin Console
Modifying Administrator Password
Chapter 3 System and Network Settings
Viewing Status
Viewing SSL VPN Status
Viewing Online Users
Viewing Alarm Logs
Viewing Remote Application
System Settings
Configuring System Related Settings
Configuring License of Device and Function Modules
Modifying System Date and Time
Configuring Console Options
Generating Certificate for Sangfor Device
Configuring SMTP Server
Network Settings
Device Deployment
Scenario 1: Deploying Device in Gateway Mode
Scenario 2: Deploying Device in Single-Arm Mode
Setting Multiline Options
Configuring Route
Configuring Host Mapping Rule (HOSTS)
Configuring IP Assignment Options (DHCP)
Configuring Local Subnet
Schedules
Administrator
Adding Administrator Group
Adding Administrator
SSL VPN Options
General Settings
Configuring User Login Options
Configuring Client Related Options
Scenario 3: Enabling Automatic Access Using SSL VPN Client
Configuring Virtual IP Pool
Configuring Local DNS Server
Configuring SSO Options
Configuring Resource Options
Web App Resource Options
TCP App Resource Options
Background Knowledge: What is Smart Recursion?
L3VPN Resource Options
Other Resource Options
Network Optimization Related Settings
Data Transfer Optimization
Webpage Access Optimization
Web Cache
User Logging in
Configuring Login Policy
Configuring Login Page
Scenario 5: Assigning Login Page to Specific User or Group
Uploading Icon to Device
Clustering
Terminology
Main Features of Cluster
Deploying Clustered Sangfor Devices
Deploying Clustered Device in Single-Arm Mode
Deploying Clustered Device in Gateway Mode
Deploying Clustered Device with Multiple Lines
Viewing Clustered Node Status
Viewing Cluster Online Users
Scenario 7: Configuring Clustered Sangfor Device
Configuring Clustered Device in Gateway Mode
Configuring Clustered Device in Single-Arm Mode
Configuring Clustered Device in Gateway Mode (Multiple Lines)
Configuring Clustered Device in Single-Arm Mode (Multiple Lines)
Distributed Nodes
Distributed Deployment
Viewing Status of Distributed Nodes
Chapter 4 SSL VPN
SSL VPN Users
Adding User Group
Adding User
Searching for Users
Managing Hardware IDs
Importing User to Device
Importing Users from File
Importing Users from LDAP Server
Moving Users to Another Group
Exporting Users
Associating Roles with User
Configuring SSO User Account
Generating Multiple Certificates for Users
Creating Multiple USB Keys for Users
Viewing Associated Resources of User
Scenario 8: Adding User Logging in with Local Password
Scenario 9: Adding User Logging in with Certificate
Resources
Adding/Editing Resource Group
Background Knowledge: Load-Balanced Resource Access
Adding/Editing Web Application
Scenario 10: Adding Web Application
Scenario 11: Masquerading Resource Address
Scenario 12: Adding File Share Type of Web Resource
Adding/Editing TCP Application
Scenario 13: Adding TCP Application
Scenario 14: Configuring URL Access Control Feature
Adding/Editing L3VPN
Scenario 15: Adding L3VPN
Adding/Editing Remote Application
Scenario 16: Adding Remote Application
Exporting Resources
Importing Resources
Sorting Resources
Roles
Adding Role
Getting Privilege Report
Authentication Options
Primary Authentication Methods
Local Password Based Authentication
LDAP Authentication
Configuring LDAP Server
RADIUS Authentication
Configuring RADIUS Server
Certificate/USB Key Based Authentication
Local CA (RSA Encryption Standard Based)
External CA
Configuring USB Key Model
Scenario 17: Using External CA Root Certificate to Generate Device Certificate
Scenario 18: Mapping User to Local Group Based on External Certificate
Secondary Authentication Methods
SMS Authentication
Using Built-in SMS Module to Send SMS Message
Using External SMS Module to Send SMS Message
Using SMS Gateway of ISP to Send SMS Message
Hardware ID Based Authentication
Dynamic Token Based Authentication
Other Authentication Options
Priority of LDAP and RADIUS Servers
Password Security Options
Anonymous Login
Policy Sets
Adding Policy Set
Scenario 19: Configuring Secure Desktop
Remote Servers
Adding Remote Application Server
Adding Remote Storage Server
Endpoint Security
Security Rules
Predefining Basic Rule
Predefining Combined Rule
Configuring Security Rule
Security Policy
Adding User-Level Policy
Adding Role-level Policy
Configuring Advanced Policy Settings
Built-in Rules Update
Chapter 5 Firewall
Defining Firewall Service
Defining IP Group
Defining Filter Rule
Rule on Access to Local Device
Rule on Access among Sangfor Device's Interfaces
Scenario 20: Configuring LAN <-> DMZ Filter Rules
Scenario 21: Configuring LAN <-> VPN Filter Rules
Configuring NAT Rule
Configuring SNAT Rule
Scenario 22: Adding SNAT Rule
Configuring DNAT Rule
Scenario 23: Adding DNAT Rule
Configuring IP/MAC Binding
Configuring HTTP Port
Defining URL Group
Defining WAN Service
Configuring Access Right of Local Users
Real-time Monitoring
Viewing Real-time Traffic
Viewing URL Access Logs
Configuring Anti-Dos
Configuring QoS Priority
Configuring QoS Outbound Rule
Configuring QoS Inbound
Chapter 6 System Maintenance
View Logs
Viewing System Logs
Viewing Operation Logs
Backing Up/Restoring Configurations
Restarting/Shutting Down Device or Services
System Automatic Update
Appendix A: End Users Accessing SSL VPN
Required Environment
Configuring Browser and Accessing SSL VPN
Configuring Browser
Using Account to Log In to SSL VPN
Using USB Key to Log In to SSL VPN
Appendix B: Sangfor Firmware Updater 6.0
Updating Your Sangfor Device

Declaration
Copyright © 2012 Sangfor Inc. All rights reserved.
No part of the contents of this document shall be extracted, reproduced or transmitted in any form or by any means
without prior written permission of SANGFOR.
SINFOR, SANGFOR and the Sangfor logo are the trademarks or registered trademarks of Sangfor Inc. All
other trademarks used or mentioned herein belong to their respective owners.
This manual shall only be used as a usage guide, and no statement, information, or suggestion in it shall be
considered as implied or express warranty of any kind, unless otherwise stated. This manual is subject to change
without notice. To obtain the latest version of this manual, please contact the Customer Service of Sangfor.

Preface
About This Manual
SSL VPN M5.8EN user manual includes the following chapters:
| Chapter | Describes |
|---|---|
| Chapter 1 Knowing Your Sangfor Device | The product appearance, function features and performance parameters of SSL VPN M5.3EN, wiring and cautions before installation. |
| Chapter 2 Initial Login to Admin Console | How the administrator logs in to the SSL VPN M5.3EN administrator console for the first time and changes the initial administrator password. |
| Chapter 3 System and Network Settings | How the administrator configures each function module. The settings include system and network related settings, global settings of SSL VPN, as well as other system objects such as schedule and administrator. |
| Chapter 4 SSL VPN | How the administrator configures SSL VPN related settings, including users, resources, roles, user authentication methods, policy sets, remote servers, endpoint security. |
| Chapter 6 System Maintenance | Maintenance options of this SSL VPN hardware device. |
| Appendix A: End Users Accessing SSL VPN | How end users configure the browser and log in to SSL VPN. |
| Appendix B: Sangfor Firmware Updater 6.0 | How the administrator uses Sangfor Firmware Updater 6.0 to update the current Sangfor device. |

Document Conventions
Graphic Interface Conventions
This manual uses the following typographical conventions for special terms and instructions:
| Convention | Meaning | Example |
|---|---|---|
| boldface | Page title, parameter, menu/submenu, button, key press, link, other highlighted keyword or item | Page/tab name example: Navigate to System > Administrator to enter the Administrator Management page. |
| | | Parameter example: IP Address: Specifies the IP address that you want to reserve for a certain computer |
| | | Menus/submenus example: The basic (SSL VPN related) settings are under System > SSL VPN Options > General. |
| | | Button example: Click the Save button to save the settings. |
| | | Key press example: Press Enter key to enter the administrator console of the Sangfor device. |
| | | Link example: Once the certificate-signing request is generated, click the Download link to download the request. |
| | | Highlighted keyword/item example: The user name and password are Admin by default. |
| italics | Directory, URL | Enter the following address in the IE address bar: http://10.254.254.254:1000 |
| > | Multilevel menu and submenu | Navigate to System > Network Interface to configure the network interfaces. |
| “ ” | Prompt | The browser may pop up the prompt “Install ActiveX control”. |
Symbol Conventions
This manual also adopts the following symbols to indicate the parts that need special attention during operation:

| Convention | Meaning | Description |
|---|---|---|
| | Caution | Indicates actions that could cause setting error, loss of data or damage to the device |
| | Warning | Indicates actions that could cause injury to human body |
| | Note | Indicates helpful suggestion or supplementary information |
CLI Conventions
Command syntax on Command Line Interface (CLI) applies the following conventions:
- Content in brackets ([ ]) is optional.
- Content in braces ({ }) is required.
- If there is more than one option, a vertical bar (|) separates the options, for example:
  ip wccp60redirect { in | out }
- CLI commands appear in bold, for example:
  Configure terminal
- Variables appear in italic, for example:
  Interface e0/1

Technical Support
For technical support, please contact us through the following:
Website: http://data.sangfor.net/feedback.html
MSN, Email: tech.support@sangfor.com.hk
Tel: +60 12711 7129 (7511)
Acknowledgements
Thank you for using our product and user manual. If you have any suggestions about our product or user manual,
please provide feedback to us by phone or email. Your suggestions will be much appreciated.

Chapter 1 Knowing Your Sangfor Device
This chapter introduces the Sangfor device and how to connect it. After proper hardware installation, you can
configure and debug the system.
Operating Environment
Voltage input: 110V/230V (AC, alternating current)
Temperature: 0-45°C
Humidity: 5%-90%
To ensure endurance and stability of the Sangfor device, please ensure the following:
- The power supply is well grounded
- Dustproof measures are taken
- Working environment is well ventilated
- Indoor temperature is kept stable
This product conforms to the requirements on environment protection. The placement, usage and disposal of the
product should comply with the relevant national laws and regulations of the country where it is used.
Product Appearance
Above is the front panel of an SSL VPN hardware device (M5100). The interfaces, from left to right, are described in
the table below:
| Interface | Description |
|---|---|
| CONSOLE | Network interface used for high availability (HA) feature or used by device supplier to debug system. |
| USB | Standard USB port, connecting to peripheral device |
| ETH0 | LAN interface, connecting to the LAN network segment; orange LED on the left side indicates link status, while green LED on the right side indicates data flow. |
| ETH1 | DMZ interface, connecting to the DMZ network segment; orange LED on the left side indicates link status, while green LED on right side indicates data flow. |
| ETH2 | WAN1 interface, connecting to the first Internet line; orange LED on the left side indicates link status, while green LED on the right side indicates data flow. |
| ETH3 | WAN2 interface, connecting to the second Internet line; orange LED on the left side indicates link status, while green LED on the right side indicates data flow. |
| POWER | Power LED |
| ALARM | Alarm LED |
The picture above (M5100) is just for reference. The actual product you purchased and received may vary.
Connecting Sangfor Device
1. Deploy the Sangfor device in your network. The Sangfor device can be deployed in either Single-arm mode or
Gateway mode. For details, please refer to the Device Deployment section in Chapter 3.
2. Plug the power cable into the power interface on the rear panel of the device. Attach and turn on power supply,
and then watch the LEDs on the front panel of the Sangfor device.
When the device starts up, ALARM LED will turn on and keep on for 1 to 2 minutes, then turn off; POWER
LED (in green) will turn on; ETH2/3 and ETH0 connection status LEDs (in orange) will turn on.
After successful boot up, POWER LED (in green), ETH2/3 and ETH0 connection status LEDs (in orange)
will stay on. If data are being transferred through a port, the data flow LED (in green, beside connection status
LED) will blink.
If the ALARM LED stays on continuously, please switch off the power supply and reboot the device. If the ALARM
LED still stays on after reboot, please contact SANGFOR Customer Service.
If the corresponding LEDs indicate normal working status, turn off and unplug the power supply, and perform
the following steps.
3. Use RJ-45 straight-through Ethernet cable to connect the LAN interface (ETH0) to the internal network
(LAN).
4. Use RJ-45 Ethernet crossover cable to connect the WAN interface (ETH2) to the external network (i.e.,
router, optical fiber transceiver or ADSL modem for external network).
Multi-line function allows multiple Internet lines to be connected to the Sangfor device. When deploying multiple
lines, please connect the second Internet line to WAN2 interface (ETH3) and the third Internet line to WAN3
interface (ETH4), and so on.
5. If you want the Sangfor device to provide secure protection for DMZ (Demilitarized Zone), use RJ-45
Ethernet cable to connect the ETH1 interface to devices, such as a Web server or SNMP server, that provide
services to external networks.
- Use crossover cable to connect WAN interface (ETH2/3) to the external network.
- Use straight-through cable to connect LAN interface (ETH0) to the internal network.
- For direct access to administrator Web console, use crossover cable to connect LAN (ETH0) interface to
  the computer.
If a session cannot be established even though the corresponding LED indicates normal working status,
please check whether the right type of cable is being used. The differences between straight-through cable
and crossover cable are shown in the figures below:

Chapter 2 Initial Login to Admin Console
The SANGFOR SSL VPN system provides Web-based administration through HTTPS port 4430. The initial URL for
administrator console access is https://10.254.254.254:4430.
Before logging in to the administrator console of SSL VPN, please ensure the following:
- Deploy a computer in the subnet where the Sangfor device resides.
- Connect the PC’s network interface card (NIC) and the Sangfor device’s ETH0 interface to the same layer-2
  switch, or connect the PC’s NIC to the Sangfor device’s ETH0 interface directly with a network cable.
- Ensure an IE browser is installed on the PC. The non-IE browsers Opera, Firefox, Safari and Chrome are not
  supported.
Logging in to Admin Console
1. Turn on the PC and Sangfor device.
2. Add an IP address on the PC that resides in the network segment 10.254.254.X (for instance,
10.254.254.100) with subnet mask 255.255.255.0, as shown below: