What is required for a host to use an SSL VPN
Add an Active Directory server, import its groups, and set it as the primary authentication method. The goal is to configure and deploy an SSL VPN remote-access connection that lets remote users reach a local network.

When SSL VPN clients sign in, each is assigned an address from the range specified here. The range must be a private one (RFC 1918), and it must not overlap the local subnet: if clients and local resources share addresses, traffic between them has no unambiguous route. The group specifies a surfing quota and access time; in this example the group allows unlimited access. The local subnet defines the network resources that remote clients can reach.

Create an IP host object for the remote-client address range; the firewall rule that allows these users to reach the local subnet references it. To deploy the connection and make sure users can reach it, enable device access for SSL VPN and for the user portal on the zone the clients connect from. On Windows 7 and 8, the network operations the VPN client performs are an administrator privilege, so the client must be run elevated. On a gateway that authenticates against several AAA servers, the domain name distinguishes one server from another; repeat the steps above for each additional AAA server.

The interface options are:

Interface 1: select the interface from the drop-down list.
Interface 2: select the interface from the drop-down list. A second interface is needed only when optimal path detection is enabled.

The tunnel interface options are:

Tunnel interface: specify it in one of the following ways: select a configured tunnel interface from the drop-down list; click New in the drop-down list and configure a new tunnel interface in the Interface Configuration dialog; or select a configured tunnel interface and click Modify to edit it in the same dialog.
Zone: the zone of the selected tunnel interface.
IP address: the IP address of the selected tunnel interface.
Netmask: the netmask of the selected tunnel interface.

The address pool options are:

Address pool: specify it in one of the following ways: select a configured address pool from the drop-down list; select New in the drop-down list and create a pool in the Address Pool Configuration dialog; or select a configured pool and click Modify to edit it in the same dialog.
Netmask: the netmask of the selected address pool.

To add a tunnel route (a route pushed to clients for a resource network), type the destination IP address, its netmask, and the metric into the IP, Netmask, and Metric boxes, then click Add. Repeat for each additional route.
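The checks a practitioner would run over the address range, local subnet, and tunnel-route settings described above, written as an added example (not code from any firewall vendor or from the original page). The configuration model and its field names are this example's own assumptions; the rules it enforces are that the client pool is an RFC 1918 range, that it does not overlap a local subnet or a pushed route, that a default route is flagged as full-tunnel, and that every local subnet is covered by some tunnel route.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: the only ones acceptable for the SSL VPN client address pool.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class SslVpnConfig:
    """Minimal model of the settings from the page (field names are this example's, not a vendor's)."""
    client_pool: str                                  # address range handed to clients at sign-in
    local_subnets: list[str]                          # resource networks remote clients must reach
    tunnel_routes: list[tuple[str, str, int]] = field(default_factory=list)  # (IP, netmask, metric)


def is_private(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def routes_for(local_subnets: list[str], metric: int = 1) -> list[tuple[str, str, int]]:
    """Derive the (IP, netmask, metric) entries typed into the tunnel-route dialog from the local subnets."""
    nets = [ipaddress.ip_network(s) for s in local_subnets]
    return [(str(n.network_address), str(n.netmask), metric) for n in nets]


def validate(cfg: SslVpnConfig) -> list[str]:
    """Return human-readable findings; an empty list means the configuration passes every check."""
    findings = []
    pool = ipaddress.ip_network(cfg.client_pool)
    locals_ = [ipaddress.ip_network(s) for s in cfg.local_subnets]
    routes = [(ipaddress.ip_network(f"{ip}/{mask}"), metric) for ip, mask, metric in cfg.tunnel_routes]

    if pool.version != 4 or not is_private(pool):
        findings.append(f"client pool {pool} is not an RFC 1918 range")
    for ls in locals_:
        if pool.overlaps(ls):
            findings.append(f"client pool {pool} overlaps local subnet {ls}: clients and resources would share addresses")
    for net, metric in routes:
        if net.prefixlen == 0:
            findings.append(f"route {net} is a default route: all client traffic enters the tunnel (full tunnel)")
        if net.overlaps(pool):
            findings.append(f"route {net} covers the client pool {pool}: client-to-client traffic would be sent back into the tunnel")
        if metric < 0:
            findings.append(f"route {net} has a negative metric ({metric})")
    # Every resource network needs a pushed route, or the clients never send traffic for it into the tunnel.
    for ls in locals_:
        if not any(ls.subnet_of(net) for net, _ in routes):
            findings.append(f"no tunnel route covers local subnet {ls}: clients will not reach it")
    return findings


if __name__ == "__main__":
    # Constructed sample: a private pool, one resource subnet, routes derived from it.
    cfg = SslVpnConfig("192.168.100.0/24", ["10.10.0.0/16"], routes_for(["10.10.0.0/16"]))
    for line in validate(cfg) or ["configuration passes"]:
        print(line)
```

Run it against a config with a public pool, or a pool carved out of the local subnet, and the findings name the exact overlap; the coverage check at the end catches the common case of a resource subnet that was added to the firewall rule but never to the routes pushed to clients.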

To delete a tunnel route, select it in the list and click Delete. The DF-bit actions for tunnel packets are: Set: sets the Don't Fragment bit in the outer header, so the encapsulated packet is not fragmented on the path to the peer (an oversized packet is dropped and reported with an ICMP fragmentation-needed message instead); Copy: copies the DF bit from the inner packet's header, so the original sender's choice is preserved. The following section uses access to an intranet Windows file server as its example; Figure illustrates the interactive process.

For port forwarding, the client runs an ActiveX control that acts as the port converter: it listens on the specified local port and carries every connection to that port through the SSL session to the intranet server. Because the listener runs on the user's machine, it should be bound to the loopback address only, so that other hosts cannot use it as a relay into the intranet. A telnet session from a user to an intranet server serves as the example; Figure illustrates the port-forwarding interaction.
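The local port-forwarding relay described above, as an added example that is not code from the original page or from any vendor's client. In a real SSL VPN client the upstream leg is the TLS session to the gateway, which then connects on to the intranet server; here the upstream leg is a plain TCP connection to a stand-in echo server, so the relay logic (loopback-only listener, client allow-list, bidirectional pumping with half-close) runs and can be tested offline. The class and function names are this example's own.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src hits EOF, then half-close dst so the far side sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Listener on the user's machine that relays each accepted connection to target=(host, port).

    Bound to 127.0.0.1 by default and restricted to an allow-list of client addresses, so that
    other hosts on the user's LAN cannot use the forwarder as a relay into the intranet.
    """

    def __init__(self, target, listen_host="127.0.0.1", listen_port=0, allowed_clients=("127.0.0.1",)):
        self.target = target
        self.allowed = set(allowed_clients)
        self.accepted = 0
        self.rejected = 0
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((listen_host, listen_port))   # port 0: let the OS pick a free port
        self._listener.listen(16)
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def close(self):
        self._listener.close()

    def _serve(self):
        while True:
            try:
                client, (addr, _) = self._listener.accept()
            except OSError:          # listener closed
                return
            if addr not in self.allowed:
                self.rejected += 1
                client.close()
                continue
            self.accepted += 1
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        upstream.settimeout(None)
        to_server = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        to_client = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        to_server.start()
        to_client.start()
        to_server.join()
        to_client.join()
        client.close()
        upstream.close()


def start_echo_server(host="127.0.0.1"):
    """Stand-in for the intranet server: echoes whatever it receives. Returns (listener, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)

    def echo(conn):
        _pump(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(message: bytes, fwd: PortForwarder) -> bytes:
    """Send message through the forwarder and return everything the far side sends back."""
    with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
        c.sendall(message)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    srv, port = start_echo_server()
    fwd = PortForwarder(("127.0.0.1", port)).start()
    print(round_trip(b"hello through the relay", fwd))
    fwd.close()
    srv.close()
```

Connections from addresses outside the allow-list are closed before any upstream connection is opened, so a rejected client cannot even trigger a connection attempt against the intranet server.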

Figure shows how remote users reach intranet resources with SSL network extension. The virtual gateway pushes routes to the remote user's client according to the network extension configuration, so that traffic for the intranet networks is sent into the tunnel. When the response packet arrives, the remote user's client decapsulates it to recover the original packet. Figure shows the packet encapsulation in reliable transmission mode.

Exchanged packets are encrypted by the sender and decrypted by the receiver before they reach the other communication party. In the inner packet sent by the remote user to the SIP server, the source port is random, the destination port is the SIP server's port (the value is not given on the page), and the transport protocol is UDP. Figure shows the packet encapsulation in quick transmission mode. The encapsulation mechanism is the same as in reliable transmission mode, except that the encapsulated packets are carried over UDP. SecoClient is VPN client software from Huawei that gives mobile users secure and convenient remote access to enterprise network resources.
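The encapsulation and DF-bit handling described above and in the tunnel-route section, as an added example that is not code from the original page or from any vendor. It builds the inner packet the remote user sends to the SIP server (UDP, random source port, SIP port supplied as a parameter since the page leaves it blank), wraps it for the tunnel over TCP in reliable mode or UDP in quick mode, and decides the outer DF bit per the Set or Copy action; Clear is added as the usual third option, which the page does not list. The TLS record layer that would sit between the outer transport header and the inner packet is deliberately omitted, so the outer transport payload here is the inner packet itself; all addresses are constructed sample values.

```python
import ipaddress
import random
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
DF = 0x4000  # "Don't Fragment" flag in the IPv4 flags/fragment-offset field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool, ident: int = 0, ttl: int = 64) -> bytes:
    flags_frag = DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte header; raises ValueError if the header checksum does not verify."""
    vihl, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)), "proto": proto,
            "df": bool(flags_frag & DF), "total_len": total_len, "ihl": ihl, "ttl": ttl}


def l4_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + struct.pack("!BBH", 0, proto, len(segment))
    return checksum(pseudo + segment)


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = l4_checksum(src, dst, IPPROTO_UDP, hdr + payload) or 0xFFFF  # 0 means "no checksum" in UDP
    return hdr[:6] + struct.pack("!H", csum) + payload


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal PSH/ACK segment without options; enough to carry the tunnel payload in this model."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    csum = l4_checksum(src, dst, IPPROTO_TCP, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def inner_packet(client_ip: str, sip_server: str, sip_port: int, payload: bytes, df: bool = False) -> bytes:
    """The packet the remote user's application emits: UDP to the SIP server from a random ephemeral port."""
    sport = random.randint(49152, 65535)
    udp = udp_datagram(client_ip, sip_server, sport, sip_port, payload)
    return ipv4_header(client_ip, sip_server, IPPROTO_UDP, len(udp), df) + udp


def outer_df(action: str, inner: bytes) -> bool:
    """DF policy for the tunnel packet: 'set' and 'copy' from the page, 'clear' as the usual third option."""
    if action == "set":
        return True
    if action == "copy":
        return parse_ipv4(inner)["df"]
    if action == "clear":
        return False
    raise ValueError(f"unknown DF action {action!r}")


def encapsulate(inner: bytes, client_pub: str, gateway: str, mode: str, df_action: str,
                sport: int = 40000, dport: int = 443) -> bytes:
    """Wrap an inner packet for the tunnel: TCP outer transport in reliable mode, UDP in quick mode."""
    if mode == "reliable":
        l4, proto = tcp_segment(client_pub, gateway, sport, dport, inner), IPPROTO_TCP
    elif mode == "quick":
        l4, proto = udp_datagram(client_pub, gateway, sport, dport, inner), IPPROTO_UDP
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ipv4_header(client_pub, gateway, proto, len(l4), outer_df(df_action, inner)) + l4


def decapsulate(pkt: bytes) -> tuple[dict, bytes]:
    """Verify and strip the outer IPv4 and transport headers; return (outer fields, inner packet)."""
    outer = parse_ipv4(pkt)
    segment = pkt[outer["ihl"]:outer["total_len"]]
    if l4_checksum(outer["src"], outer["dst"], outer["proto"], segment) != 0:
        raise ValueError("bad outer transport checksum")
    if outer["proto"] == IPPROTO_TCP:
        start = outer["ihl"] + (pkt[outer["ihl"] + 12] >> 4) * 4   # honour the TCP data offset
    elif outer["proto"] == IPPROTO_UDP:
        start = outer["ihl"] + 8
    else:
        raise ValueError("outer packet is neither TCP nor UDP")
    inner = pkt[start:outer["total_len"]]
    parse_ipv4(inner)   # the inner header must verify too before the packet is handed up the stack
    return outer, inner
```

With the Copy action the outer DF bit follows the inner packet, so an application that set DF to run its own path MTU discovery keeps that behaviour across the tunnel; with Set the tunnel packet is never fragmented regardless of what the application asked for, and any oversized packet is dropped on the path rather than reassembled at the gateway.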

The SecoClient has the following characteristics. Powerful access ability: one client covers the enterprise's VPN access scenarios, so the enterprise does not need to buy different terminal software for each, reducing investment costs. Flexible tunnel splitting: mobile users can reach enterprise network resources, the Internet, and LAN resources at the same time over different tunnels, and the traffic of the different services does not interfere. Note that a split tunnel leaves the endpoint attached to the Internet and the enterprise network at once, so host hardening on the client matters more than with a full tunnel. Preferential gateway selection, described next.

A large enterprise usually provides several VPN gateways for external users. If one gateway takes a large number of users, its system resources may be exhausted, users' access may be delayed, and excess users may be forced to log out, degrading the user experience. With SecoClient installed, the VPN gateway with the fastest response is selected automatically for each mobile user.

Because the selected gateway varies from user to user, preferential gateway selection spreads access requests across the VPN gateways, which effectively relieves the performance bottleneck of a single gateway under massive user access and improves access speed and success rate.

You can define schedules, access time, and quotas for surfing and data transfer. Network address translation lets you specify the public IP addresses used for internet access.

You can assign administrators levels of access to the firewall based on their work roles. Hosts and services lets you define and manage system hosts and services. Administration covers device licenses and time, administrator access, centralized updates, network bandwidth and device monitoring, and user notifications. Certificates lets you add certificates, certificate authorities, and certificate revocation lists.

The firewall provides extensive logging for traffic, system activity, and network protection. Logs include analyses of network activity that let you identify security issues and reduce malicious use of your network. You can send logs to a syslog server or view them in the log viewer.

With the policy test tool, you can apply and troubleshoot firewall and web policies and view the resulting security decisions. For example, you can create a web policy to block all social networking sites for specified users and test the policy to see if it blocks the content only for the specified users.

The results show the action the firewall took, including the rules and content filters that matched.

Install the authentication client and connect to the internal network over the VPN connection. If you enable the user portal on WAN interfaces, set up two-factor authentication (see Configuring two-factor authentication): the portal is then reachable from the Internet, and a password alone is weak protection for it.

Reports: reports give a unified view of network activity for analyzing traffic and threats and for complying with regulatory bodies.

Diagnostics: check the health of your device in one place. Firewall: firewall rules control users, applications, and network objects in an organization. Intrusion prevention: examine network traffic for anomalies to prevent DoS and spoofing attacks. Web: web protection keeps your company safe from attacks that result from web browsing and helps increase productivity. Applications: application protection helps keep your company safe from attacks and malware that result from application traffic exploits.

Wireless: wireless protection lets you define wireless networks and control access to them. Email: email protection lets you manage email routing and relay and protect domains and mail servers.

Web server: protect web servers against Layer 7 application vulnerability exploits. Advanced threat: advanced threat protection monitors all traffic on your network for threats and takes the appropriate action, for example dropping the packets.

Central synchronization: by synchronizing with Sophos Central, you can use Security Heartbeat so that devices on your network share health information.
