Sangfor M5100 User manual

SANGFOR Technologies Co., Ltd.

International Service Centre: +60 12711 7129 (7511)

Malaysia: 1700817071

Email: tech.support@sangfor.com.hk

RMA: rma@sangfor.com.hk

SSLM6.8EN User Manual

FEB2015

SANGFOR SSL M6.8EN User Manual

Table of Contents

Table of Contents..........................................................................................................................................................1

Declaration..................................................................................................................................................................10

Preface ........................................................................................................................................................................11

About This Manual.............................................................................................................................................11

Document Conventions.......................................................................................................................................12

Graphic Interface Conventions ...........................................................................................................................12

Symbol Conventions...........................................................................................................................................13

CLI Conventions.................................................................................................................................................13

Technical Support...............................................................................................................................................14

Acknowledgements.............................................................................................................................................14

Chapter 1 KnowingYour Sangfor Device...................................................................................................................15

OperatingEnvironment........................................................................................................................................15

Product Appearance............................................................................................................................................15

ConnectingSangfor Device.................................................................................................................................16

Chapter 2 InitialLogin to Admin Console ..................................................................................................................19

Logging in to Admin Console ............................................................................................................................19

Modifying Administrator Password....................................................................................................................21

Chapter 3 System and Network Settings ....................................................................................................................23

Viewing Status....................................................................................................................................................24

Viewing SSL VPN Status...........................................................................................................................24

Viewing Online Users.................................................................................................................................27

ViewingAlarm Logs ...................................................................................................................................28

SANGFOR SSL M6.8EN User Manual

Viewing Remote Application .....................................................................................................................30

System Settings...................................................................................................................................................33

Configuring System Related Settings .........................................................................................................33

Configuring License of Device and Function Modules..............................................................................33

Modifying System Date and Time..............................................................................................................35

Configuring Console Options .....................................................................................................................35

Generating Certificate for Sangfor Device .................................................................................................37

ConfiguringSMTP Server...........................................................................................................................39

Network Settings ................................................................................................................................................40

Device Deployment ....................................................................................................................................40

Scenario 1: Deploying Device in Gateway Mode...............................................................................43

Scenario 2: Deploying Device in Single-Arm Mode..........................................................................45

Setting Multiline Options............................................................................................................................46

Configuring Route ......................................................................................................................................50

Configuring Host Mapping Rule (HOSTS) ................................................................................................51

Configuring IP Assignment Options (DHCP) ............................................................................................53

Configuring Local Subnet...........................................................................................................................55

Schedules............................................................................................................................................................57

Administrator......................................................................................................................................................61

Adding Administrator Group......................................................................................................................61

Adding Administrator.................................................................................................................................63

SSL VPN Options...............................................................................................................................................65

General Settings..........................................................................................................................................65

Configuring UserLogin Options .........................................................................................................65

SANGFOR SSL M6.8EN User Manual

Configuring Client Related Options ...................................................................................................67

Scenario3:Enabling Automatic Access Using SSL VPN Client.................................................77

Configuring Virtual IP Pool................................................................................................................80

Configuring Local DNS Server ..........................................................................................................81

Configuring SSO Options...................................................................................................................84

Configuring ResourceOptions ............................................................................................................86

Web App Resource Options........................................................................................................87

TCP App Resource Options........................................................................................................88

Background Knowledge: What is Smart Recursion?..................................................................90

L3VPN Resource Options...........................................................................................................91

Other ResourceOptions...............................................................................................................92

Network Optimization Related Settings .....................................................................................................94

Data Transfer Optimization ................................................................................................................95

Webpage Access Optimization...........................................................................................................97

Web Cache........................................................................................................................................100

User Logging in ........................................................................................................................................102

ConfiguringLogin Policy..................................................................................................................102

Configuring LoginPage.....................................................................................................................105

Scenario 5: Assigning Login Page to Specific User or Group..................................................109

Uploading Icon to Device.................................................................................................................111

Clustering..................................................................................................................................................112

Terminology......................................................................................................................................112

Main Features of Cluster...................................................................................................................112

Deploying Clustered Sangfor Devices..............................................................................................115

SANGFOR SSL M6.8EN User Manual

Deploying Clustered Device in Single-Arm Mode...................................................................115

Deploying Clustered Device in Gateway Mode........................................................................116

Deploying Clustered Device with Multiple Lines.....................................................................117

Viewing ClusteredNode Status.........................................................................................................120

Viewing Cluster Online Users ..........................................................................................................120

Scenario 7:Configuring ClusteredSangfor Device............................................................................122

Configuring Clustered Device in Gateway Mode.....................................................................122

Configuring Clustered Device in Single-Arm Mode ................................................................123

Configuring Clustered Device in Gateway Mode (Multiple Lines)..........................................125

Configuring Clustered Device in Single-Arm Mode (Multiple Lines).....................................126

Distributed Nodes .............................................................................................................................129

Distributed Deployment............................................................................................................129

Viewing Status of Distributed Nodes........................................................................................130

Chapter 4 SSL VPN..................................................................................................................................................131

SSL VPN Users ................................................................................................................................................131

Adding User Group...................................................................................................................................132

Adding User..............................................................................................................................................138

Searching for Users...................................................................................................................................143

Managing Hardware IDs...........................................................................................................................144

Importing User to Device..........................................................................................................................146

Importing Users from File ................................................................................................................147

Importing Users from LDAP Server.................................................................................................150

Moving Users to Another Group ..............................................................................................................152

Exporting Users ........................................................................................................................................152

SANGFOR SSL M6.8EN User Manual

Associating Roles with User.....................................................................................................................153

Configuring SSO User Account................................................................................................................154

Generating Multiple Certificates for Users...............................................................................................155

Creating Multiple USB Keys for Users ....................................................................................................157

Viewing Associated Resources of User....................................................................................................159

Scenario 8: AddingUser Loggingin withLocal Password.................................................................160

Scenario 9: Adding User Logginginwith Certificate ........................................................................160

Resources..........................................................................................................................................................163

Adding/Editing Resource Group...............................................................................................................163

Background Knowledge: Load-Balanced Resource Access.............................................................165

Adding/Editing Web Application .............................................................................................................166

Scenario 10: Adding Web Application.............................................................................................171

Scenario 11: Masquerading Resource Address.................................................................................174

Scenario 12: AddingFile Share Type of Web Resource ...................................................................175

Adding/Editing TCP Application .............................................................................................................177

Scenario 13: Adding TCP Application .............................................................................................182

Scenario 14: Configuring URL Access Control Feature...................................................................185

Adding/Editing L3VPN............................................................................................................................186

Scenario 15: Adding L3VPN............................................................................................................190

Adding/Editing Remote Application ........................................................................................................192

Scenario 16: Adding Remote Application ........................................................................................193

Exporting Resources.................................................................................................................................198

Importing Resources.................................................................................................................................199

Sorting Resources .....................................................................................................................................200

SANGFOR SSL M6.8EN User Manual

Roles.................................................................................................................................................................201

Adding Role..............................................................................................................................................201

Getting Privilege Report ...........................................................................................................................203

Authentication Options.....................................................................................................................................206

Primary Authentication Methods..............................................................................................................207

Local Password Based Authentication..............................................................................................207

LDAP Authentication .......................................................................................................................208

Configuring LDAP Server ........................................................................................................208

RADIUS Authentication...................................................................................................................216

Configuring RADIUS Server....................................................................................................216

Certificate/USB Key Based Authentication......................................................................................219

Local CA (RSA Encryption Standard Based)...........................................................................220

External CA ..............................................................................................................................222

Configuring USB Key Model ...................................................................................................227

Scenario 17: Using ExternalCA Root Certificate to GenerateDevice Certificate.....................228

Scenario 18: Mapping User to Local Group Based on External Certificate .............................230

Secondary Authentication Methods..........................................................................................................235

SMS Authentication..........................................................................................................................235

Using Built-in SMS Module to Send SMS Message ................................................................236

Using External SMS Module to Send SMS Message...............................................................238

Using SMS Gateway of ISP to Send SMS Message.................................................................241

Hardware ID Based Authentication..................................................................................................241

Dynamic Token Based Authentication.............................................................................................242

Other Authentication Options...................................................................................................................243

SANGFOR SSL M6.8EN User Manual

Priority of LDAP and RADIUS Servers...........................................................................................243

Password Security Options...............................................................................................................244

Anonymous Login ............................................................................................................................245

Policy Sets ........................................................................................................................................................247

Adding Policy Set.....................................................................................................................................248

Scenario19: Configuring Secure Desktop.........................................................................................252

Remote Servers.................................................................................................................................................258

Adding Remote Application Server..........................................................................................................259

Adding Remote Storage Server ................................................................................................................261

Endpoint Security .............................................................................................................................................264

Security Rules...........................................................................................................................................264

Predefining Basic Rule .....................................................................................................................265

Predefining Combined Rule..............................................................................................................272

Configuring Security Rule................................................................................................................274

Security Policy..........................................................................................................................................275

Adding User-Level Policy ................................................................................................................278

Adding Role-level Policy..................................................................................................................280

Configuring Advanced Policy Settings.............................................................................................283

Built-in Rules Update ...............................................................................................................................284

Chapter 5 Firewall………………………………………………………………………………………………….287

Defining Firewall Service……………………………………………………………………………………..287

Defining IP Group…………………………………………………………………………………………….288

Defining Filter Rule…………………………………………………………………………………………...289

Rule on Access to Local Device…………………………………………………………………………289

SANGFOR SSL M6.8EN User Manual

Rule on Access among Sangfor Device's Interfaces……………………………………………….289

Scenario 20: Configuring LAN <-> DMZ Filter Rules……………………………………….290

Scenario 21: Configuring LAN <-> VPN Filter Rules .............................................................293

Configuring NAT Rule…………………………………………………………………………………..296

Configuring SNAT Rule…………………………………………………………………………....296

Scenario 22: Adding SNAT Rule……………………………………………………………...296

Configuring DNAT Rule...................................................................................................................298

Scenario 23: Adding DNAT Rule……………………………………………………………..299

Configuring IP/MAC Binding...........................................................................................................300

Configuring HTTP Port.....................................................................................................................302

Defining URL Group….....................................................................................................................302

Defining WAN Service…..................................................................................................................304

Configuring Access Right of Local Users.........................................................................................306

Real-time Monitoring…....................................................................................................................310

Viewing Real-time Traffic.........................................................................................................310

Vieweing URLAccess Logs......................................................................................................310

Configuring Anti-Dos…....................................................................................................................311

Configuring QoS Priority...................................................................................................................313

Configuring QoS Outbound Rule......................................................................................................313

Configuring QoS Inbound.................................................................................................................314

Chapter 6 System Maintenance ................................................................................................................................316

View Logs.........................................................................................................................................................316

Viewing System Logs……………………………………………………………………………………316

Viewing Operation Logs…………………………………………………………………………………317

SANGFOR SSL M6.8EN User Manual

Backing Up/Restoring Configurations..............................................................................................................318

Restarting/Shutting Down Device or Services..................................................................................................320

System Automatic Update................................................................................................................................320

Appendix A: End Users AccessingSSL VPN...........................................................................................................322

Required Environment......................................................................................................................................322

Configuring Browser and Accessing SSL VPN ...............................................................................................322

Configuring Browser ................................................................................................................................322

Using Account to Log In to SSL VPN......................................................................................................326

Using USB Key to Log In to SSL VPN....................................................................................................328

Appendix B: Sangfor Firmware Updater 6.0............................................................................................................330

Updating YourSangfor Device .........................................................................................................................330