Using SmartDefense

In this field… Do this…

Max. Connections/Second from Same Source IP: Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100. Set a lower threshold for stronger protection against DoS attacks.
Note: Setting this value too low can lead to false alarms.

Welchia

The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
Table 43: Welchia Fields

In this field… Do this…

Action: Specify what action to take when the Welchia worm is detected, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.

Track: Specify whether to log Welchia worm attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
You can configure how Cisco IOS DOS attacks should be handled.

Table 44: Cisco IOS DOS

In this field… Do this…

Action: Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.

Track: Specify whether to log Cisco IOS DOS attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.

Number of Hops to Protect
In this field… Do this…

Action Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / SUN-ND - Protocol 77 / PIM - Protocol 103: Specify what action to take when an IPv4 packet of the specific protocol type is received, by selecting one of the following:
• Block. Drop the packet. This is the default.
• None. No action.

Null Payload

Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts.
In this field… Do this…

Track: Specify whether to log null payload ping packets, by selecting one of the following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.

TCP

This category allows you to configure various protections related to the TCP protocol. It includes the following:
• Strict TCP on page 239
• Small PMTU on page 241

Strict TCP

Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.
You can configure how out-of-state TCP packets should be handled.

Table 46: Strict TCP

In this field… Do this…

Action: Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following:
• Block. Block the packets.
• None. No action. This is the default.

Track: Specify whether to log null payload ping packets, by selecting one of the following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.
Small PMTU

Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server.

You can protect against this attack by specifying a minimum packet size for data sent over the Internet.
In this field… Do this…

Minimal MTU Size: Type the minimum value allowed for the MTU field in IP packets sent by a client. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300.

Port Scan

An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack.
Table 48: Port Scan Fields

In this field… Do this…

Number of ports accessed: SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
In this field… Do this…

In a period of [seconds]: SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
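The two-field rule in Table 48, as an added Python example (not Check Point code and not part of the original manual): a per-source sliding window that flags a source once the number of ports it accessed exceeds the threshold within the period. The class and function names, the choice to count distinct ports, and the sample events and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Per-source sliding window over (timestamp, destination port) accesses."""

    def __init__(self, max_ports, period_seconds):
        self.max_ports = max_ports      # "Number of ports accessed"
        self.period = period_seconds    # "In a period of [seconds]"
        self.accesses = defaultdict(deque)

    def observe(self, ts, src, dst_port):
        """Record one access; return True if src now counts as scanning."""
        window = self.accesses[src]
        window.append((ts, dst_port))
        # Forget accesses that have fallen out of the period.
        while ts - window[0][0] > self.period:
            window.popleft()
        # Assumption: repeated hits on the same port count once.
        distinct_ports = {port for _, port in window}
        # The manual says the count must exceed the configured value.
        return len(distinct_ports) > self.max_ports


def first_detections(events, max_ports, period_seconds):
    """Map each flagged source to the timestamp at which it was first flagged."""
    detector = PortScanDetector(max_ports, period_seconds)
    flagged = {}
    for ts, src, port in sorted(events):
        if detector.observe(ts, src, port) and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed sample events: (seconds, source IP, destination port).
PORTS = [21, 22, 23, 25, 80, 110]
EVENTS = (
    [(t, "10.0.0.5", p) for t, p in enumerate(PORTS)]          # six ports in 5 s
    + [(20 * t, "10.0.0.9", p) for t, p in enumerate(PORTS)]   # six ports in 100 s
    + [(t, "10.0.0.7", 443) for t in range(20)]                # one port, 20 hits
)

if __name__ == "__main__":
    for period in (10, 120):
        print(period, first_detections(EVENTS, max_ports=5, period_seconds=period))
```

With a threshold of 5 ports, a 10-second period flags only 10.0.0.5; a 120-second period also flags 10.0.0.9, and the busy single-port client 10.0.0.7 is never flagged.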
FTP

This category allows you to configure various protections related to the FTP protocol. It includes the following:
• FTP Bounce on page 245
• Block Known Ports on page 246
• Block Port Overflow on page 247
• Blocked FTP Commands on page 248

FTP Bounce

When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data.
Table 49: FTP Bounce Fields

In this field… Do this…

Action: Specify what action to take when an FTP Bounce attack occurs, by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.

Track: Specify whether to log FTP Bounce attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.

Block Known Ports

You can choose to block the FTP server from connecting to well-known ports.
Table 50: Block Known Ports Fields

In this field… Do this…

Action: Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following:
• Block. Block the connection.
• None. No action. This is the default.

Block Port Overflow

FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas.
Table 51: Block Port Overflow

In this field… Do this…

Action: Specify what action to take for PORT commands containing a number greater than 255, by selecting one of the following:
• Block. Block the PORT command. This is the default.
• None. No action.

Blocked FTP Commands

Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked.
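The three PORT-command protections described above (FTP Bounce, Block Known Ports, Block Port Overflow), combined in one added Python example; this is not Check Point code and does not come from the manual. Assumptions: a bounce is a PORT address that differs from the control connection's source address, "well-known" means ports below 1024, an unparsable PORT argument is refused, and all names and sample lines are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FtpPolicy:
    # Defaults follow the "This is the default" entries in Tables 49-51.
    block_bounce: bool = True          # FTP Bounce: Block
    block_known_ports: bool = False    # Block Known Ports: None
    block_port_overflow: bool = True   # Block Port Overflow: Block


DEFAULT_POLICY = FtpPolicy()
WELL_KNOWN_LIMIT = 1024  # assumption: "well-known" means ports below 1024


def inspect_port_command(line, client_ip, policy=DEFAULT_POLICY):
    """Return (action, findings) for one FTP control-channel line.

    action is "allow" or "block"; findings lists every check that fired,
    including checks the policy observes without enforcing.
    """
    words = line.strip().split(None, 1)
    if not words or words[0].upper() != "PORT":
        return "allow", []              # other commands are out of scope here

    argument = words[1] if len(words) > 1 else ""
    fields = [f.strip() for f in argument.split(",")]
    # PORT h1,h2,h3,h4,p1,p2: exactly six decimal numbers.
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        return "block", ["malformed"]   # assumption: unparsable PORT is refused

    numbers = [int(f) for f in fields]
    if any(n > 255 for n in numbers):
        # Table 51: a number greater than 255. The address and port cannot be
        # derived reliably from such fields, so no further checks are run.
        action = "block" if policy.block_port_overflow else "allow"
        return action, ["port_overflow"]

    findings, enforced = [], False
    target_ip = ".".join(str(n) for n in numbers[:4])
    target_port = numbers[4] * 256 + numbers[5]

    # Assumption: a PORT address other than the control connection's own
    # source address is treated as an FTP bounce.
    if target_ip != client_ip:
        findings.append("ftp_bounce")
        enforced |= policy.block_bounce
    if target_port < WELL_KNOWN_LIMIT:
        findings.append("known_port")
        enforced |= policy.block_known_ports

    return ("block" if enforced else "allow"), findings


# Constructed control-channel lines from a client at 192.0.2.10.
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",     # own address, port 50000
    "PORT 198,51,100,7,195,80",   # third-party address
    "PORT 192,0,2,10,0,22",       # own address, port 22
    "PORT 192,0,2,10,300,80",     # field above 255
    "PORT 192,0,2,10,195",        # only five fields
]


def review(lines, client_ip, policy=DEFAULT_POLICY):
    """Inspect every line of a session and return the list of verdicts."""
    return [inspect_port_command(line, client_ip, policy) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, review(SAMPLE, "192.0.2.10")):
        print(f"{line:32} {verdict}")
```

Under the default policy the port-22 request is reported but allowed, because Block Known Ports defaults to None; passing FtpPolicy(block_known_ports=True) turns that finding into a block.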
To disable FTP command blocking
• In the Action drop-down list, select None.
All FTP commands are allowed, including those in the Blocked commands box.

To block a specific FTP command
1. In the Allowed commands box, select the desired FTP command.
2. Click Block.
The FTP command appears in the Blocked commands box.
3. Click Apply.
When FTP command blocking is enabled, the FTP command will be blocked.

To allow a specific FTP command
1.
You can configure how CIFS worms should be handled.

Table 52: File Print and Sharing Fields

In this field… Do this…

Action: Specify what action to take when a CIFS worm attack is detected, by selecting one of the following:
• Block. Block the attack.
• None. No action. This is the default.

Track: Specify whether to log CIFS worm attacks, by selecting one of the following:
• Log. Log the attack.
• None. Do not log the attack. This is the default.

CIFS worm patterns list
IGMP

This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets.

You can configure how IGMP attacks should be handled.
In this field… Do this…

Enforce IGMP to multicast addresses: According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute an attack; therefore the Safe@Office appliance blocks such packets.
Specify whether to allow or block IGMP packets that are sent to non-multicast addresses, by selecting one of the following:
• Block. Block IGMP packets that are sent to non-multicast addresses.
In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the table below.

Table 54: Peer to Peer Fields

In this field… Do this…

Action: Specify what action to take when a connection is attempted, by selecting one of the following:
• Block. Block the connection.
• None. No action. This is the default.

Track: Specify whether to log peer-to-peer connections, by selecting one of the following:
• Log. Log the connection.
• None.
Instant Messengers

SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers.

This category includes the following nodes:
• Skype
• Yahoo
• ICQ

Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session.

In each node, you can configure how instant messaging connections of the selected type should be handled, using the table below.
Table 55: Instant Messengers Fields

In this field… Do this…

Action: Specify what action to take when a connection is attempted, by selecting one of the following:
• Block. Block the connection.
• None. No action. This is the default.

Track: Specify whether to log instant messenger connections, by selecting one of the following:
• Log. Log the connection.
• None. Do not log the connection. This is the default.
Using Secure HotSpot

You can enable your Safe@Office appliance as a public Internet access hotspot for specific networks. When users on those networks attempt to access the Internet, they are automatically re-directed to the My HotSpot page http://my.hotspot. On this page, they must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log on using their Safe@Office username and password. The users may then access the Internet.
You can choose to exclude specific network objects from HotSpot enforcement. For information, see Using Network Objects on page 129.

Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only.
Enabling/Disabling Secure HotSpot

To enable/disable Secure HotSpot
1. Click Security in the main menu, and click the My HotSpot tab.
The My HotSpot page appears.
2. In the HotSpot Networks area, do one of the following:
• To enable Secure HotSpot for a specific network, select the check box next to the network.
• To disable Secure HotSpot for a specific network, clear the check box next to the network.
3. Click Apply.
Customizing Secure HotSpot

To customize Secure HotSpot
1. Click Security in the main menu, and click the My HotSpot tab.
The My HotSpot page appears.
2. Complete the fields using the information in the table below.
Additional fields may appear.
3. To preview the My HotSpot page, click Preview.
A browser window opens displaying the My HotSpot page.
4. Click Apply.
Your changes are saved.

Table 56: My HotSpot Fields

In this field… Do this…

My HotSpot Title: Type the title that should appear on the My HotSpot page. The default title is "Welcome to My HotSpot".

My HotSpot Terms: Type the terms to which the user must agree before accessing the Internet. You can use HTML tags as needed.

My HotSpot is password: Select this option to require users to enter their username and password before accessing the Internet.
Defining an Exposed Host

The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.

The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules.
2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host.
3. Click Apply.
The selected computer is now defined as an exposed host.

To clear the exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
The Exposed Host page appears.
2. Click Clear.
3. Click Apply.
No exposed host is defined.
Chapter 10 Using VStream Antivirus

This chapter explains how to use the VStream Antivirus engine to block security threats before they reach your network.

This chapter includes the following topics:
Overview
Enabling/Disabling VStream Antivirus
Viewing VStream Signature Database Information
Overview

Table 57: VStream Antivirus Actions

If a virus is found in this protocol... on this port... VStream Antivirus does this...
Enabling/Disabling VStream Antivirus

If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always up-to-date, and your network is always protected.
The VStream Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
VStream Antivirus is enabled/disabled for all internal network computers.

Viewing VStream Signature Database Information

VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures.
Configuring VStream Antivirus

Table 58: Account Page Fields

This field… Displays…

Main database: The date and time at which the main database was last updated, followed by the version number.

Daily database: The date and time at which the daily database was last updated, followed by the version number.

Next update: The next date and time at which the Safe@Office appliance will check for updates.

Status: The current status of the database.
For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move this rule to a higher location in the Antivirus Policy table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
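The ordering described above, as an added Python example (not the appliance's code): rules are checked from the top of the table and the first match decides, which is the behaviour the manual's SMTP example implies. The rule fields, the "pass" action name, the sample address and the shadow check are assumptions for illustration, and traffic direction is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "scan" or "pass"
    port: Optional[int] = None   # None means any service
    source: str = "0.0.0.0/0"    # source network in CIDR form

    def matches(self, src_ip, port):
        """True if a connection from src_ip to this port falls under the rule."""
        return ((self.port is None or self.port == port)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

    def covers(self, other):
        """True if every connection matched by `other` is also matched by self."""
        return ((self.port is None or self.port == other.port)
                and ipaddress.ip_network(other.source).subnet_of(
                    ipaddress.ip_network(self.source)))


def evaluate(policy, src_ip, port):
    """Return (rule number, action) of the first matching rule, top-down."""
    for number, rule in enumerate(policy, start=1):
        if rule.matches(src_ip, port):
            return number, rule.action
    return None, "no-match"


def shadowed(policy):
    """List (rule number, shadowing rule number) for rules that can never match."""
    hidden = []
    for j, later in enumerate(policy):
        for i in range(j):
            if policy[i].covers(later):
                hidden.append((j + 1, i + 1))
                break
    return hidden


# Constructed rules for the manual's example: scan SMTP, except one host.
SMTP = 25
EXCEPTION = Rule("pass", SMTP, "192.168.10.20/32")
GENERAL = Rule("scan", SMTP)

CORRECT_ORDER = [EXCEPTION, GENERAL]   # exception is rule 1, general is rule 2
WRONG_ORDER = [GENERAL, EXCEPTION]     # general rule placed first

if __name__ == "__main__":
    for name, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(name, evaluate(policy, "192.168.10.20", SMTP), shadowed(policy))
```

With the general rule first, the excepted host's mail is still scanned and the check reports rule 2 as shadowed by rule 1, which is a quick way to audit a policy table after reordering.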
Rule Description

Scan: This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged.

Adding and Editing Rules

To add or edit a rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Do one of the following:
• To add a new rule, click Add Rule.
• To edit an existing rule, click the Edit icon next to the desired rule.
The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears. The example below shows a Scan rule.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Table 60: VStream Rule Fields

In this field… Do this…

Any Service: Click this option to specify that the rule should apply to any service.

Standard Service: Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list.

Custom Service: Click this option to specify that the rule should apply to a specific nonstandard service. The Protocol and Port Range fields are enabled.
In this field… Do this…

And the destination is: Select the destination of the connections you want to allow or block.
To specify an IP address, select Specified IP and type the desired IP address in the text box.
To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. This option is not available in Allow and Forward rules.
To specify the Safe@Office Portal and network printers, select This Gateway.
2. Next to the desired rule, do one of the following:
• To enable the rule, click . The button changes to and the rule is enabled.
• To disable the rule, click . The button changes to and the rule is disabled.

Changing Rules' Priority

To change a rule's priority
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Do one of the following:
• Click next to the desired rule, to move the rule up in the table.
3. Click OK.
The rule is deleted.

Configuring VStream Advanced Settings

To configure VStream Antivirus advanced settings
1. Click Antivirus in the main menu, and click the Advanced tab.
The Advanced Antivirus Settings page appears.
2. Complete the fields using the table below.
3. Click Apply.
4. To restore the default VStream Antivirus settings, do the following:
a) Click Default.
A confirmation message appears.
b) Click OK.
The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the table below.

Table 61: Advanced Antivirus Settings Fields

In this field… Do this…

File Types

Block potentially unsafe: Select this option to block all emails containing potentially unsafe file types in email attachments.
In this field… Do this…

Pass safe file types without scanning: Select this option to accept common file types that are known to be safe, without scanning them.
Safe file types are:
• MPEG streams
• RIFF Ogg Stream
• MP3
• PDF
• PostScript
• WMA/WMV/ASF
• RealMedia
• JPEG - only the header is scanned, and the rest of the file is skipped
Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default.
In this field… Do this…

Maximum compression ratio 1:x: Fill in the field to complete the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, type 150.
Setting a higher number allows the scanning of highly compressed files, but creates a potential for highly compressible files to create a heavy load on the appliance.
Updating VStream Antivirus

When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed.

To update the VStream Antivirus virus signature database
1. Click Antivirus in the main menu, and click the Antivirus tab.
The VStream Antivirus page appears.
2. Click Update Now.
Chapter 11 Using Subscription Services

This chapter explains how to start subscription services, and how to use Software Updates, Web Filtering, and Email Filtering services.

Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area.

This chapter includes the following topics:
Connecting to a Service Center
Connecting to a Service Center

The Account page appears.
2. In the Service Account area, click Connect.
The Safe@Office Services Wizard opens, with the Service Center dialog box displayed.
3. Make sure the Connect to a different Service Center check box is selected.
4. Do one of the following:
• To connect to the SofaWare Service Center, choose usercenter.sofaware.com.
• To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center’s IP address, as given to you by your system administrator.
5. Click Next.
• If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next.
• The Connecting… screen appears.
• The Confirmation dialog box appears with a list of services to which you are subscribed.
6. Click Next.
The Done screen appears with a success message.
7. Click Finish.
The following things happen:
• If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware.
• The Welcome page appears.
• The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 287 for further information.
• The Services submenu includes the services to which you are subscribed.
Viewing Services Information

The Account page displays the following information about your subscription.

Table 62: Account Page Fields

This field… Displays…

Service Center Name: The name of the Service Center to which you are connected (if known).

Gateway ID: Your gateway ID.

Subscription will end on: The date on which your subscription to services will end.

Service: The services available in your service plan.
Refreshing Your Service Center Connection

This field… Displays…

Information: The mode to which each service is set. If you are subscribed to Dynamic DNS, this field displays your gateway's domain name.
For further information, see Web Filtering on page 290, Virus Scanning on page 294, and Automatic and Manual Updates on page 298.
To configure your account
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Configure.
Note: If no additional settings are available from your Service Center, this button will not appear.
Your Service Center's Web site opens.
3. Follow the on-screen instructions.

Disconnecting from Your Service Center

If desired, you can disconnect from your Service Center.
• The services to which you were subscribed are no longer available on your Safe@Office appliance.

Web Filtering

When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. Authorized users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.
The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
Web Filtering is enabled/disabled.

Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with will remain visible, while categories marked with will be blocked and will require the administrator password for viewing.
To allow/block a category
• In the Allow Categories area, click or next to the desired category.

Temporarily Disabling Web Filtering

If desired, you can temporarily disable the Web Filtering service.

To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
The Web Filtering page appears.
2. Click Snooze.
• Web Filtering is temporarily disabled for all internal network computers.
• The Snooze button changes to Resume.
• The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
• The service is re-enabled for all internal network computers.
• If you clicked Resume in the Web Filtering page, the button changes to Snooze.
• If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Email Filtering

There are two Email Filtering services:
• Email Antivirus
When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals. If a virus is detected, it is removed and replaced with a warning message.
Enabling/Disabling Email Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Filtering
1. Click Services in the main menu, and click the Email Filtering tab.
The Email Filtering page appears.
2. Next to Email Antivirus, drag the On/Off lever upwards or downwards.
Email Antivirus is enabled/disabled.
3. Next to Email Antispam, drag the On/Off lever upwards or downwards.
Email Antispam is enabled/disabled.
Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses and spam:
• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.
Protocols marked with will be scanned, while those marked with will not.

Note: If you are remotely managed, contact your Service Center to change these settings.
• The Snooze button changes to Resume.
• The Email Filtering Off popup window opens.
3. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page.
• The services are re-enabled for all internal network computers.
• If you clicked Resume in the Email Filtering page, the button changes to Snooze.
• If you clicked Resume in the Email Filtering Off popup window, the popup window closes.
Automatic and Manual Updates

The Software Updates service enables you to check for new security and software updates.

Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service.

Checking for Software Updates when Remotely Managed

If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention.
The system checks for new updates and installs them.

Checking for Software Updates when Locally Managed

If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.

To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates tab.
The Software Updates page appears.
2.
Note: When the Software Updates service is set to Automatic, you can still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
The Safe@Office appliance does not check for software updates automatically.
4. To manually check for software updates, click Update Now.
The system checks for new updates and installs them.
Chapter 12 Working With VPNs

This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway.

This chapter includes the following topics:
Overview
Setting Up Your Safe@Office Appliance as a VPN Server
Adding and Editing VPN Sites
Deleting a VPN Site
Overview

Check Point SecuRemote VPN Client, provided for free with your Safe@Office, or from another Safe@Office.
• Internal VPN Server. SecuRemote can also be used from your internal networks, allowing you to secure your wired or wireless network with strong encryption and authentication.
• Site-to-Site VPN Gateway. Can connect with another Site-to-Site VPN Gateway in a permanent, bi-directional relationship.
• Remote Access VPN Client.
networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.
To create a Site-to-Site VPN with two VPN sites
1. On the first VPN site’s Safe@Office appliance, do the following:
a. Define the second VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the second VPN site, using the procedure Adding and Editing VPN Sites on page 312.
b. Enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 307.
2. On the second VPN site’s Safe@Office appliance, do the following:
a.
Remote Access VPNs

A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.
To create a Remote Access VPN with two VPN sites
1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 312.
The remote user's Safe@Office appliance will act as a Remote Access VPN Client.
2. On the office VPN site's Safe@Office appliance, enable the Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 307.
Using the internal VPN Server, along with a strict security policy for non-VPN users, can enhance security both for wired networks and for wireless networks, which are particularly vulnerable to security breaches. The internal VPN Server can be used in the Safe@Office 500W wireless appliance, regardless of the wireless security settings. It also can be used in wired appliances, both for wired stations and for wireless stations.
Setting Up Your Safe@Office Appliance as a VPN Server

To set up your Safe@Office appliance as a VPN Server
1. Configure the VPN Server in one or more of the following ways:
• To accept remote access connections from the Internet. See Configuring the Remote Access VPN Server on page 309.
• To accept connections from your internal networks. See Configuring the Internal VPN Server on page 310.
2. If you configured the internal VPN Server, install SecuRemote on the desired internal network computers.
Configuring the Remote Access VPN Server

To configure the Remote Access VPN Server
1. Click VPN in the main menu, and click the VPN Server tab.
The SecuRemote VPN Server page appears.
2. Select the Allow SecuRemote users to connect from the Internet check box.
New check boxes appear.
3. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box.
4. To allow authenticated users connecting from the Internet to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box.
5. Click Apply.
The Remote Access VPN Server is enabled for the specified connection types.
2. Select the Allow SecuRemote users to connect from my internal networks check box. New check boxes appear.
3. To allow authenticated users connecting from internal networks to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box. Bypass NAT is always enabled for the internal VPN server, and cannot be disabled.
4. Click Apply.
Adding and Editing VPN Sites
To install SecuRemote
1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears.
2. Click the Download SecuRemote VPN client link. The VPN-1 SecuRemote for Safe@Office page opens in a new window.
3. Follow the online instructions to complete installation. SecuRemote is installed. For information on using SecuRemote, see the User Help.
The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
• To add a VPN site, click New Site.
• To edit a VPN site, click Edit in the desired VPN site’s row.
The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
3. Do one of the following:
• Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server.
• Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway.
4. Click Next.
Configuring a Remote Access VPN Site
If you selected Remote Access VPN, the VPN Gateway Address dialog box appears.
1.
The VPN Network Configuration dialog box appears.
4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 323.
5. Click Next. The following things happen in the order below:
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
Complete the fields using the information in VPN Network Configuration Fields on page 323 and click Next.
• The Authentication Method dialog box appears.
6. Complete the fields using the information in Authentication Methods Fields on page 325.
7. Click Next.
Username and Password Authentication Method
If you selected Username and Password, the VPN Login dialog box appears.
1. Complete the fields using the information in VPN Login Fields on page 325.
2. Click Next.
• If you selected Automatic Login, the Connect dialog box appears.
Do the following:
1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
2) Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
3.
The VPN Site Created screen appears.
5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Certificate Authentication Method
If you selected Certificate, the Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
2. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.
3.
The VPN Site Created screen appears.
5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
RSA SecurID Authentication Method
If you selected RSA SecurID, the Site Name dialog box appears.
1. Enter a name for the VPN site. You may choose any name.
2. Click Next. The VPN Site Created screen appears.
3. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 63: VPN Network Configuration Fields
In this field… Do this…
Download Configuration: Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server. Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Safe@Office Site-to-Site VPN Gateway.
In this field… Do this…
Route Based VPN: Click this option to create a virtual tunnel interface (VTI) for this site, so that it can participate in a route-based VPN. Route-based VPNs allow routing connections over VPN tunnels, so that remote VPN sites can participate in dynamic or static routing schemes. This improves network and VPN management efficiency for large networks.
Table 64: Authentication Methods Fields
In this field… Do this…
Username and Password: Select this option to use a user name and password for VPN authentication. In the next step, you can specify whether you want to log on to the VPN site automatically or manually.
Certificate: Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed.
Table 65: VPN Login Fields
In this field… Do this…
Manual Login: Click this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 344.
Configuring a Site-to-Site VPN Gateway
If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears.
1. Complete the fields using the information in VPN Gateway Address Fields on page 338.
2. Click Next. The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 323.
4. Click Next.
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 323, and then click Next.
• If you chose Route Based VPN, the Route Based VPN dialog box appears. Complete the fields using the information in Route Based VPN Fields on page 339, and then click Next.
• The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication Methods Fields on page 340.
6. Click Next.
Shared Secret Authentication Method
If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields.
1. Complete the fields using the information in VPN Authentication Fields on page 340 and click Next.
The Security Methods dialog box appears.
2. To configure advanced security settings, click Show Advanced Settings. New fields appear.
3. Complete the fields using the information in Security Methods Fields on page 340 and click Next.
The Connect dialog box appears.
4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
5. Click Next.
• If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
6. Enter a name for the VPN site. You may choose any name.
7. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
8. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
9. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
• If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 340 and click Next.
• The Security Methods dialog box appears.
1. To configure advanced security settings, click Show Advanced Settings.
New fields appear.
2. Complete the fields using the information in Security Methods Fields on page 340 and click Next. The Connect dialog box appears.
3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
4. Click Next.
• If you selected Try to Connect to the VPN Gateway, the following things happen:
• The Connecting… screen appears.
• The Contacting VPN Site screen appears.
• The Site Name dialog box appears.
5. Enter a name for the VPN site. You may choose any name.
6.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
8. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
Table 66: VPN Gateway Address Fields
In this field… Do this…
Gateway Address: Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator.
Bypass NAT: Select this option to allow the VPN site to bypass NAT when connecting to your internal network. This option is selected by default.
Table 68: Authentication Methods Fields
In this field… Do this…
Shared Secret: Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other.
Certificate: Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed.
Table 70: Security Methods Fields
In this field… Do this…
Phase 1 Security Methods: Select the encryption and integrity algorithm to use for IKE negotiations:
• Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default.
• A specific algorithm
Diffie-Hellman group: Select the Diffie-Hellman group to use:
• Automatic. The Safe@Office appliance automatically selects a group. This is the default.
In this field… Do this…
Perfect Forward Secrecy: Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:
• Enabled. PFS is enabled. The Diffie-Hellman group field is enabled.
• Disabled. PFS is disabled. This is the default.
Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange. PFS increases security but lowers performance.
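What the PFS setting changes in key derivation, as an added example that is not part of the guide and not Check Point code: IKEv1 Quick Mode keying material as defined in RFC 2409 section 5.5, computed with and without a fresh Diffie-Hellman exchange. The prime is a toy group, HMAC-SHA1 stands in for the negotiated prf, and every secret, nonce and SPI is constructed at run time.

```python
import hashlib
import hmac
import secrets

TOY_P = 2**127 - 1   # toy prime, far too small for real use (assumption for the demo)
TOY_G = 3
ESP = 3              # IPsec DOI protocol ID for ESP


def prf(key, data):
    """HMAC-SHA1, standing in for whichever prf Phase 1 negotiated."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh private exponent and the matching public value."""
    private = secrets.randbelow(TOY_P - 3) + 2
    return private, pow(TOY_G, private, TOY_P)


def dh_shared(private, peer_public):
    """g^xy mod p as a fixed-width byte string."""
    width = (TOY_P.bit_length() + 7) // 8
    return pow(peer_public, private, TOY_P).to_bytes(width, "big")


def keymat(skeyid_d, protocol, spi, ni, nr, dh_secret=b""):
    """One prf block of Quick Mode keying material.

    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, dh_secret + bytes([protocol]) + spi + ni + nr)


def quick_mode(skeyid_d, pfs):
    """Simulate one Phase 2 exchange; return (keymat, exchanged_values)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    spi = secrets.token_bytes(4)
    exchanged = {"protocol": ESP, "spi": spi, "ni": ni, "nr": nr}
    dh_secret = b""
    if pfs:
        x_i, pub_i = dh_keypair()
        x_r, pub_r = dh_keypair()
        dh_secret = dh_shared(x_i, pub_r)
        assert dh_secret == dh_shared(x_r, pub_i)  # both peers agree
        # Only the public values cross the wire; x_i and x_r are dropped
        # when this function returns, which is the point of PFS.
        exchanged["ke_i"], exchanged["ke_r"] = pub_i, pub_r
    return keymat(skeyid_d, ESP, spi, ni, nr, dh_secret), exchanged


def derivable_from_phase1(skeyid_d, exchanged):
    """Keying material computable from Phase 1 secrets plus the exchange alone."""
    return keymat(skeyid_d, exchanged["protocol"], exchanged["spi"],
                  exchanged["ni"], exchanged["nr"])


def tunnel_key_tied_to_phase1(pfs):
    """True if the Phase 2 key follows entirely from Phase 1 material."""
    skeyid_d = secrets.token_bytes(20)   # constructed Phase 1 secret
    real_key, exchanged = quick_mode(skeyid_d, pfs)
    return derivable_from_phase1(skeyid_d, exchanged) == real_key


if __name__ == "__main__":
    print("PFS disabled, key tied to Phase 1:", tunnel_key_tied_to_phase1(False))
    print("PFS enabled,  key tied to Phase 1:", tunnel_key_tied_to_phase1(True))
```

The extra modular exponentiations in the PFS branch are the performance cost the table mentions; they are repeated on every rekey.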
Deleting a VPN Site
To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Erase icon. A confirmation message appears.
3. Click OK. The VPN site is deleted.
Enabling/Disabling a VPN Site
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
3. To disable a VPN site, do the following:
Note: Disabling a VPN site eliminates the tunnel and erases the network topology.
a. Click the icon in the desired VPN site’s row. A confirmation message appears.
b. Click OK. The icon changes to , and the VPN site is disabled.
Logging on to a Remote Access VPN Site
You need to manually log on to Remote Access VPN Servers configured for Manual Login.
Logging on through the Safe@Office Portal
Note: You can only log in to sites that are configured for Manual Login.
To manually log on to a VPN site through the Safe@Office Portal
1. Click VPN in the main menu, and click the VPN Login tab. The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites will not appear in the Site Name list.
3. Type your user name and password in the appropriate fields.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
• If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
• Once the Safe@Office appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”.
The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
Logging off a Remote Access VPN Site
You need to manually log off a VPN site, if it is a Remote Access VPN site configured for Manual Login.
To log off a VPN site
• In the VPN Login Status box, click Logout. All open tunnels from the Safe@Office appliance to the VPN site are closed, and the VPN Login Status box closes.
Note: Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time.
Installing a Certificate
The Safe@Office appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format, and enables you to install such certificates in the following ways:
• By generating a self-signed certificate. See Generating a Self-Signed Certificate on page 349.
• By importing a certificate. The PKCS#12 file you import must have a ".p12" file extension. If you do not have such a PKCS#12 file, obtain one from your network security administrator.
The Certificate page appears.
2. Click Install Certificate. The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed.
3. Click Generate a self-signed security certificate for this gateway.
The Create Self-Signed Certificate dialog box appears.
4. Complete the fields using the information in the table below.
5. Click Next. The Safe@Office appliance generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details.
6. Click Finish.
The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
Table 71: Certificate Fields
In this field… Do this…
Country: Select your country from the drop-down list.
Organization Name: Type the name of your organization.
Organizational Unit: Type the name of your division.
Gateway Name: Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate. This field is filled in automatically with the gateway's MAC address.
The Import Certificate dialog box appears.
4. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed.
5. Click Next. The Import-Certificate Passphrase dialog box appears. This may take a few moments.
6. Type the pass-phrase you received from the network security administrator.
7. Click Next. The Done dialog box appears, displaying the certificate's details.
8. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
Uninstalling a Certificate
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears with the name of the currently installed certificate.
2. Click Uninstall. A confirmation message appears.
3. Click OK. The certificate is uninstalled. A success message appears.
4. Click OK.
Viewing VPN Tunnels
You can view a list of currently established VPN tunnels.
To view VPN tunnels
1. Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. The VPN Tunnels page includes the information described in the table below.
2. To refresh the table, click Refresh.
Table 72: VPN Tunnels Page Fields
This field… Displays…
Type: The currently active security protocol (IPSEC).
Source: The IP address or address range of the entity from which the tunnel originates.
This field… Displays…
Destination: The IP address or address range of the entity to which the tunnel is connected. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 358.
Security: The type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message.
This icon… Represents…
• A network for which an IKE Phase-2 tunnel was negotiated
• A Remote Access VPN Server
• A Site-to-Site VPN Gateway
• A remote access VPN user
Viewing IKE Traces for VPN Connections
If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool to view the file. The IKE View tool is available for the Windows platform.
To view the IKE trace for a connection
1. Establish a VPN tunnel to the VPN site with which you are experiencing connection problems. For information on when and how VPN tunnels are established, see Viewing VPN Tunnels on page 356.
2. Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites.
3. Click Save IKE Trace. A standard File Download dialog box appears.
4. Click Save.
Chapter 13
Managing Users
This chapter describes how to manage Safe@Office appliance users. You can define multiple users, set their passwords, and assign them various permissions.
This chapter includes the following topics:
• Changing Your Password (page 361)
• Adding and Editing Users (page 363)
• Adding Quick Guest HotSpot Users
Changing Your Password
The Internal Users page appears.
2. In the row of your username, click Edit. The Account Wizard opens displaying the Set User Details dialog box.
3. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Next. The Set User Permissions dialog box appears.
5. Click Finish. Your changes are saved.
Adding and Editing Users
This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the Safe@Office appliance provides, see Adding Quick Guest HotSpot Users on page 367.
To add or edit a user
1.
The Internal Users page appears.
2. Do one of the following:
• To create a new user, click New User.
• To edit an existing user, click Edit next to the desired user.
The Account Wizard opens displaying the Set User Details dialog box.
3. Complete the fields using the information in Set User Details Fields on page 365.
4. Click Next.
The Set User Permissions dialog box appears. The options that appear on the page are dependent on the software and services you are using.
5. Complete the fields using the information in Set User Permissions Fields on page 366.
6. Click Finish. The user is saved.
Table 74: Set User Details Fields
In this field… Do this…
Username: Enter a username for the user.
Password: Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.
In this field… Do this…
Expires On: To specify an expiration time for the user, select this option and specify the expiration date and time in the fields provided. When the user account expires, it is locked, and the user can no longer log on to the Safe@Office appliance. If you do not select this option, the user will not expire.
Table 75: Set User Permissions Fields
In this field... Do this...
Administrator Level: Select the user’s level of access to the Safe@Office Portal.
Web Filtering Override: Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user.
HotSpot Access: Select this option to allow the user to log on to the My HotSpot page. For information on Secure HotSpot, see Configuring Secure HotSpot on page 256. This option only appears in Safe@Office 500 with Power Pack.
Adding Quick Guest HotSpot Users
To quickly create a guest user
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. Click Quick Guest. The Account Wizard opens displaying the Save Quick Guest dialog box.
3. In the Expires field, click on the arrows to specify the expiration date and time.
4. To print the user details, click Print.
5. Click Finish. The guest user is saved.
Viewing and Deleting Users
Note: The “admin” user cannot be deleted.
To view or delete users
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red.
2. To delete a user, do the following:
a) In the desired user’s row, click the Erase icon. A confirmation message appears.
b) Click OK. The user is deleted.
3.
Using RADIUS Authentication
Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NGX appliance).
To set up remote VPN access for a user
1. Enable your VPN Server, using the procedure Setting Up Your Safe@Office Appliance as a VPN Server on page 307.
2. Add or edit the user, using the procedure Adding and Editing Users on page 363. You must select the VPN Remote Access option.
server for a specific user, the gateway will use the default permission set for this user.
To use RADIUS authentication
1. Click Users in the main menu, and click the RADIUS tab. The RADIUS page appears.
2. Complete the fields using the table below.
3. Click Apply.
4. To restore the default RADIUS settings, do the following:
a) Click Default.
A confirmation message appears.
b) Click OK. The RADIUS settings are reset to their defaults. For information on the default values, refer to the table below.
5. To use the RADIUS VSA to assign permissions to users, configure the VSA. See Configuring the RADIUS Vendor-Specific Attribute on page 374.
Table 76: RADIUS Page Fields
In this field… Do this…
Primary/Secondary: Configure the primary and secondary RADIUS servers.
In this field… Do this…
Realm: If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: @ For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log on to the Safe@Office Portal, the Safe@Office appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”. This field is optional.
Configuring the RADIUS Vendor-Specific Attribute
In this field… Do this…
Web Filtering Override: Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.
HotSpot Access: Select this option to allow the user to access the My HotSpot page. This option only appears in Safe@Office 500 with Power Pack.
Table 77: VSA Syntax
Columns: Permission, Description, Attribute Number, Attribute Format, Attribute Values, Notes
Permission: Admin
Description: Indicates the administrator’s level of access to the Embedded NGX Portal
Attribute Number: 1
Attribute Format: String
Attribute Values:
• none. The user cannot access the Safe@Office Portal.
• readonly. The user can log on to the Safe@Office Portal, but cannot modify system settings.
• readwrite. The user can log on to the Safe@Office Portal and modify system settings.
VPN true.
Columns: Permission, Description, Attribute Number, Attribute Format, Attribute Values, Notes
Permission: Hotspot
Description: Indicates whether the user can log on via the My HotSpot page.
Attribute Number: 3
Attribute Format: String
Attribute Values:
• true. The user can access the Internet via My HotSpot.
• false. The user cannot access the Internet via My HotSpot.
Notes: This permission is only relevant if the Secure HotSpot feature is enabled.
UFP true.
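How the permissions in Table 77 travel on the wire, as an added example that is not part of the guide or the Embedded NGX software: a Python parser for RADIUS Vendor-Specific Attributes (attribute type 26, RFC 2865) that accepts only the Admin and Hotspot values the table lists and falls back to a default permission where no VSA was sent. The vendor ID constant and the sample reply bytes are constructed placeholders; attribute numbers 1 and 3 are the ones shown in the table.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that carries VSAs
EXAMPLE_VENDOR_ID = 99999   # constructed placeholder, not the real vendor ID

# Attribute numbers and allowed string values taken from Table 77.
# Only the rows whose attribute number is visible in the table are listed.
VSA_SCHEMA = {
    1: ("Admin", {"none", "readonly", "readwrite"}),
    3: ("Hotspot", {"true", "false"}),
}


class VSAError(ValueError):
    """Raised when an attribute is malformed or its value is not in the table."""


def iter_tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes.

    RADIUS attributes and the sub-attributes inside a VSA share this layout:
    one octet of type, one octet of length (header included), then the value.
    """
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise VSAError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > len(buf):
            raise VSAError("bad attribute length %d at offset %d" % (attr_len, pos))
        yield attr_type, buf[pos + 2:pos + attr_len]
        pos += attr_len


def build_attr(attr_type, value):
    """Encode one attribute (used here only to construct sample input)."""
    if len(value) > 253:
        raise VSAError("value too long for a single attribute")
    return bytes([attr_type, len(value) + 2]) + value


def build_vsa(vendor_id, sub_type, text):
    """Wrap one string sub-attribute in a Vendor-Specific attribute."""
    inner = build_attr(sub_type, text.encode("ascii"))
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_permissions(attr_bytes, vendor_id=EXAMPLE_VENDOR_ID):
    """Return (permissions, unknown_sub_attribute_numbers) for one reply."""
    perms, unknown = {}, []
    for attr_type, value in iter_tlvs(attr_bytes):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise VSAError("VSA shorter than its vendor ID field")
        (seen_vendor,) = struct.unpack("!I", value[:4])
        if seen_vendor != vendor_id:
            continue  # another vendor's attribute; not ours to interpret
        for sub_type, raw in iter_tlvs(value[4:]):
            if sub_type not in VSA_SCHEMA:
                unknown.append(sub_type)
                continue
            name, allowed = VSA_SCHEMA[sub_type]
            try:
                text = raw.decode("ascii")
            except UnicodeDecodeError:
                raise VSAError("%s value is not ASCII" % name)
            if text not in allowed:
                raise VSAError("%s=%r is not a value from the table" % (name, text))
            if name in perms and perms[name] != text:
                raise VSAError("conflicting values for %s" % name)
            perms[name] = text
    return perms, unknown


def effective_permissions(perms, defaults):
    """Use the default permission wherever the server sent no VSA."""
    merged = dict(defaults)
    merged.update(perms)
    return merged


# Constructed sample: the attribute section of a RADIUS reply.
SAMPLE_REPLY = (
    build_attr(1, b"JohnS@myrealm")                 # User-Name with realm
    + build_vsa(EXAMPLE_VENDOR_ID, 1, "readonly")   # Admin
    + build_vsa(EXAMPLE_VENDOR_ID, 3, "true")       # Hotspot
    + build_vsa(12345, 1, "readwrite")              # different vendor, ignored
)

if __name__ == "__main__":
    print(parse_permissions(SAMPLE_REPLY))
```

Rejecting any value outside the table, rather than mapping it to a default, keeps a misconfigured RADIUS server from silently granting or removing portal access.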
Chapter 14
Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance.
This chapter includes the following topics:
• Viewing Firmware Status (page 377)
• Updating the Firmware (page 379)
• Upgrading Your Software Product
Viewing Firmware Status
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. The Firmware page displays the following information:
Table 78: Firmware Status Fields
This field… Displays… For example…
WAN MAC Address: The MAC address used for the Internet connection. For example: 00:80:11:22:33:44
Firmware Version The current version of the 6.
This field… Displays… For example…
Uptime: The time that elapsed from the moment the unit was turned on. For example: 01:21:15
Hardware Type: The type of the current Safe@Office appliance hardware. For example: Sbox-500
Hardware Version: The current hardware version of the Safe@Office appliance. For example: 1.0
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats.
The Firmware Update page appears.
3. Click Browse. A browse window appears.
4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
5. Click Upload. Your Safe@Office appliance firmware is updated. Updating may take a few minutes, during which time the PWR/SEC LED may start flashing red or orange. Do not power off the appliance.
Upgrading Your Software Product
You can upgrade your Safe@Office 500 appliance by adding the Safe@Office 500 Power Pack. After purchasing the Power Pack, you will receive a new Product Key that enables you to use the Power Pack on the same Safe@Office appliance you have today. There is no need to replace your hardware. You can also purchase node upgrades, as needed.
Note: To purchase the Power Pack or node upgrades, contact your Safe@Office appliance provider.
The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Click Enter a different Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next. The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
• To register your Safe@Office appliance later on, clear the I want to register my product check box and then click Next.
• To register your Safe@Office appliance now, do the following:
1) Click Next.
A second Registration dialog box appears.
2) Enter your contact information in the appropriate fields.
3) To receive email notifications regarding new firmware versions and services, select the check box.
4) Click Next. The Registration… screen appears. The third Registration dialog box appears.
8. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears.
Registering Your Safe@Office Appliance
If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your Safe@Office appliance.
Privacy Statement: Check Point is committed to protecting your privacy. We use the information we collect about you to process orders and to improve our ability to serve your needs.
9. Click Next. The Registration… screen appears. The third Registration dialog box appears.
10. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears.
Configuring Syslog Logging
You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred.
The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 79: Logging Page Fields
In this field… Do this…
Syslog Server: Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Clear: Click to clear the Syslog Server field.
Syslog Port: Type the port number of the Syslog server.
Controlling the Appliance via the Command Line
Depending on your Safe@Office model, you can control your appliance via the command line in the following ways:
• Using the Safe@Office Portal's command line interface. See Using the Safe@Office Portal on page 388.
• Using a console connected to the Safe@Office appliance. For information, see Using the Serial Console on page 390.
• Using an SSH client. See Configuring SSH on page 394.
The Tools page appears.
2. Click Command. The Command Line page appears.
3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NGX CLI Reference Guide.
4. Click Go. The command is implemented.
Using the Serial Console
You can connect a console to the Safe@Office appliance, and use the console to control the appliance via the command line.
Note: Your terminal emulation software must be set to 57600 bps, N-8-1.
Controlling the Appliance via the Command Line The Ports page appears. 3. In the RS232 drop-down list, select Console. 4. Click Apply. You can now control the Safe@Office appliance from the serial console. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.

Configuring HTTPS

You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS.

To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See Access Options on page 393 for information.
Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. Click Apply.
The HTTPS configuration is saved.

Configuring SSH

Select this option… | To allow access from…
Internal Network and VPN | The internal network and your VPN.
IP Address Range | A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
ANY | Any IP address.
Disabled | Nowhere. This completely disables access. This option is only available for SNMP.

See Access Options on page 393 for information.
Warning: If remote SSH is enabled, your Safe@Office appliance settings can be changed remotely, so it is especially important to make sure all Safe@Office appliance users’ passwords are difficult to guess.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. Click Apply.
The SSH configuration is saved.

Configuring SNMP

Safe@Office appliance users can monitor the Safe@Office appliance using tools that support SNMP (Simple Network Management Protocol). You can enable users to do so via the Internet, by configuring remote SNMP access.
The Safe@Office appliance supports the following SNMP MIBs:
• SNMPv2-MIB
• RFC1213-MIB
• IF-MIB
• IP-MIB
All SNMP access is read-only.

To configure SNMP
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2.
The Community field and the Advanced link are enabled.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. In the Community field, type the name of the SNMP community string.
SNMP clients use the SNMP community string as a password when connecting to the Safe@Office appliance. The default value is "public". It is recommended to change this string.
5. To configure advanced SNMP settings, click Advanced.
The SNMP Configuration page appears.
6. Complete the fields using the table below.
7. Click Apply.
The SNMP configuration is saved.
8. Configure the SNMP clients with the SNMP community string.

Table 81: Advanced SNMP Settings
In this field... | Do this…
System Location | Type a description of the appliance's location. This information will be visible to SNMP clients, and is useful for administrative purposes.
System Contact | Type the name of the contact person.
In this field... | Do this…
SNMP Port | Type the port to use for SNMP. The default port is 161.

Setting the Time on the Appliance

You set the time displayed in the Safe@Office Portal during initial appliance setup. If desired, you can change the date and time using the procedure below.

To set the time
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Set Time.
3. Complete the fields using the information in Set Time Wizard Fields on page 402.
4. Click Next.
The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
• If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 402, then click Next.
• The Date and Time Updated screen appears.
5. Click Finish.

Table 82: Set Time Wizard Fields
Select this option… | To do the following…
Your computer's clock | Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Keep the current time | Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
Use a Time Server | Synchronize the appliance time with a Network Time Protocol (NTP) server.

Using Diagnostic Tools

The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.

Table 84: Diagnostic Tools
Use this tool… | To do this… | For information, see...
Ping | Check that a specific IP address or DNS name can be reached via the Internet. | Using IP Tools on page 404

Using IP Tools

To use an IP tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the IP Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4. Click Go.
• If you selected Ping, the following things happen:
The Safe@Office appliance sends packets to the specified IP address or DNS name.
The IP Tools window opens and displays a list of routers used to make the connection.
• If you selected WHOIS, the following things happen:
The Safe@Office appliance queries the Internet WHOIS server.
A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.

Using Packet Sniffer

The Safe@Office appliance includes the Packet Sniffer tool, which enables you to capture packets from any internal network or Safe@Office port. This is useful for troubleshooting network problems and for collecting data about network behavior.
The Safe@Office appliance saves the captured packets to a file on your computer. You can use a free protocol analyzer, such as Ethereal, to analyze the file, or you can send it to technical support.
The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets.
5. Click Stop to stop collecting packets.
A standard File Download dialog box appears.
6. Click Save.
The Save As dialog box appears.
7. Browse to a destination directory of your choice.
8. Type a name for the configuration file and click Save.
The *.

Table 85: Packet Sniffer Fields
In this field… | Do this…
Interface | Select the interface from which to collect packets. The list includes the primary Internet connection, the Safe@Office appliance ports, and all defined networks.
Filter String | Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter string elements, see Filter String Syntax on page 409.
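
An added example, not part of the guide: a small Python evaluator for the filter string elements this guide lists under Filter String Syntax, run over constructed packet records so that a filter can be checked before a capture is started. It assumes tcpdump's evaluation rule (not binds tightest; and/or share one precedence level and are applied left to right) and tcpdump's "&&" and "!" spellings next to the "||" form the guide shows; PACKETS, compile_filter, matching and FilterError are hypothetical names.

```python
# Constructed sample packets (illustrative records, not captured traffic).
# Assumption: addresses are compared as literal strings; host names are not resolved.
PACKETS = [
    {"ether": "ip", "proto": "tcp", "src": "192.168.10.1", "dst": "10.0.0.5", "sport": 40000, "dport": 80},
    {"ether": "ip", "proto": "udp", "src": "192.168.10.1", "dst": "10.0.0.5", "sport": 5353, "dport": 53},
    {"ether": "ip", "proto": "tcp", "src": "192.168.10.7", "dst": "192.168.10.1", "sport": 80, "dport": 40001},
    {"ether": "ip", "proto": "udp", "src": "192.168.10.7", "dst": "10.0.0.9", "sport": 123, "dport": 123},
    {"ether": "arp"},
]
AND, OR, NOT = {"and", "&&"}, {"or", "||"}, {"not", "!"}

class FilterError(ValueError):
    """Raised when a filter string cannot be parsed."""

def compile_filter(text):
    """Turn a filter string into a predicate over packet dicts."""
    tokens, pos = text.split(), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise FilterError("filter string ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def port_test(proto, direction):
        raw = take()
        if not (raw.isascii() and raw.isdigit() and int(raw) <= 65535):
            raise FilterError(f"port must be an integer 0-65535, got {raw!r}")
        number = int(raw)
        def test(pkt):
            if pkt.get("proto") not in ("tcp", "udp"):
                return False          # ARP and similar frames carry no ports
            if proto and pkt["proto"] != proto:
                return False
            if direction == "src":
                return pkt["sport"] == number
            if direction == "dst":
                return pkt["dport"] == number
            return number in (pkt["sport"], pkt["dport"])
        return test

    def primitive():
        tok, proto = take(), None
        if tok in ("tcp", "udp"):
            proto = tok
            if peek() not in ("src", "dst", "port"):
                return lambda pkt: pkt.get("proto") == proto   # bare tcp / udp
            tok = take()
        if tok == "port":
            return port_test(proto, None)
        if tok in ("src", "dst"):
            if peek() == "port":
                take()
                return port_test(proto, tok)
            if proto:
                raise FilterError(f"{proto} may only precede port elements")
            addr = take()
            return lambda pkt: pkt.get(tok) == addr
        if tok == "host":
            addr = take()
            return lambda pkt: addr in (pkt.get("src"), pkt.get("dst"))
        if tok == "ether":
            if take() != "proto":
                raise FilterError("expected 'proto' after 'ether'")
            name = take().lstrip("\\")
            return lambda pkt: pkt.get("ether") == name
        raise FilterError(f"unsupported element {tok!r}")

    def term():
        if peek() in NOT:
            take()
            inner = term()
            return lambda pkt: not inner(pkt)
        return primitive()

    def combine(op, left, right):
        if op in AND:
            return lambda pkt: left(pkt) and right(pkt)
        return lambda pkt: left(pkt) or right(pkt)

    # and/or have equal precedence, so fold them strictly left to right.
    test = term()
    while peek() is not None:
        op = take()
        if op not in AND | OR:
            raise FilterError(f"expected 'and' or 'or', got {op!r}")
        test = combine(op, test, term())
    return test

def matching(text, packets=PACKETS):
    """Return the indexes of the packets that the filter would save."""
    test = compile_filter(text)
    return [i for i, pkt in enumerate(packets) if test(pkt)]

if __name__ == "__main__":
    print(matching("src 192.168.10.7 or dst port 80 and udp"))
```

With the sample records, "src 192.168.10.7 or dst port 80 and udp" keeps only packet 3, because the or is applied before the and; "not dst port 80" also keeps the ARP record, which has no ports at all.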

Filter String Syntax

The following represents a list of basic filter string elements:
• and
• dst
• dst port
• ether proto
• host
• not
• or
• port
• src
• src port
• tcp
• udp
For detailed information on filter syntax, refer to http://www.tcpdump.org.

and

PURPOSE
The and element is used to concatenate filter string elements.

PARAMETERS
element | String. A filter string element.

EXAMPLE
The following filter string saves packets that both originate from IP address 192.168.10.1 and are destined for port 80:
src 192.168.10.1 and dst port 80

dst

PURPOSE
The dst element captures all packets with a specific destination.

SYNTAX
dst destination

PARAMETERS
destination | IP Address or String. The computer to which the packet is sent.

Note: This element can be prepended by tcp or udp. For information, see tcp on page 415 and udp on page 416.

PARAMETERS
port | Integer. The port to which the packet is sent.

EXAMPLE
The following filter string saves packets that are destined for port 80:
dst port 80

ether proto

PURPOSE
The ether proto element is used to capture packets of a specific ether protocol type.

SYNTAX
ether proto \protocol

PARAMETERS
protocol | String. The protocol type of the packet.

host

PURPOSE
The host element captures all incoming and outgoing packets for a specific computer.

SYNTAX
host host

PARAMETERS
host | IP Address or String. The computer to/from which the packet is sent. This can be the following:
• An IP address
• A host name

EXAMPLE
The following filter string saves all packets that either originated from IP address 192.168.10.1, or are destined for that same IP address:
host 192.168.10.

EXAMPLE
The following filter string saves packets that are not destined for port 80:
not dst port 80

or

PURPOSE
The or element is used to alternate between string elements. The filtered packets must match at least one of the filter string elements.

SYNTAX
element or element [or element...]
element || element [|| element...]

PARAMETERS
element | String. A filter string element.

EXAMPLE
The following filter string saves packets that either originate from IP address 192.168.10.

PARAMETERS
port | Integer. The port from/to which the packet is sent.

EXAMPLE
The following filter string saves all packets that either originated from port 80, or are destined for port 80:
port 80

src

PURPOSE
The src element captures all packets with a specific source.

SYNTAX
src source

PARAMETERS
source | IP Address or String. The computer from which the packet is sent.

Note: This element can be prepended by tcp or udp. For information, see tcp on page 415 and udp on page 416.

PARAMETERS
port | Integer. The port to which the packet is sent.

EXAMPLE
The following filter string saves packets that originated from port 80:
src port 80

tcp

PURPOSE
The tcp element captures all TCP packets. This element can be prepended to port-related elements.
Note: When not prepended to other elements, the tcp element is the equivalent of ip proto tcp.

EXAMPLE 1
The following filter string captures all TCP packets:
tcp

EXAMPLE 2
The following filter string captures all TCP packets destined for port 80:
tcp dst port 80

udp

PURPOSE
The udp element captures all UDP packets. This element can be prepended to port-related elements.
Note: When not prepended to other elements, the udp element is the equivalent of ip proto udp.

SYNTAX
udp
udp element

PARAMETERS
element | String.

EXAMPLE 2
The following filter string captures all UDP packets destined for port 80:
udp dst port 80

Backing Up the Safe@Office Appliance Configuration

You can export the Safe@Office appliance configuration to a *.cfg file, and use this file to back up and restore Safe@Office appliance settings, as needed. The file includes all your settings.
The configuration file is saved as a textual CLI script. If desired, you can edit the file.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified directory.

Importing the Safe@Office Appliance Configuration

In order to restore your Safe@Office appliance’s configuration from a configuration file, you must import the file.

To import the Safe@Office appliance configuration
1.
• In the Import Settings field, type the full path to the configuration file.
Or
• Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5. Click OK.
The Safe@Office appliance settings are imported.
The Import Settings page displays the configuration file's content and the result of implementing each configuration command.

Resetting the Safe@Office Appliance to Defaults

You can reset the Safe@Office appliance to its default settings. When you reset your Safe@Office appliance, it reverts to the state it was originally in when you purchased it. You can choose to keep the current firmware or to revert to the firmware version that shipped with the Safe@Office appliance.
Warning: This operation erases all your settings and password information.
A confirmation message appears.
3. To revert to the firmware version that shipped with the appliance, select the check box.
4. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance returns to its factory defaults.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.

To reset the Safe@Office appliance to factory defaults using the Reset button
1. Make sure the Safe@Office appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the Safe@Office appliance steadily for seven seconds and then release it.
3. Allow the Safe@Office appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

Running Diagnostics

You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support.

To view diagnostic information
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Diagnostics.
Technical information about your Safe@Office appliance appears in a new window.
3.

Rebooting the Safe@Office Appliance

If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem.

To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Restart.
A confirmation message appears.
3. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.

Chapter 15

Using Network Printers

This chapter describes how to set up and use network printers.
This chapter includes the following topics:
• Overview
• Setting Up Network Printers
• Configuring Computers to Use Network Printers
• Viewing Network Printers

Setting Up Network Printers

To set up a network printer
1. Connect the network printer to the Safe@Office appliance. See Network Installation on page 35.
2. Turn the printer on.
3. In the Safe@Office Portal, click Setup in the main menu, and click the Printers tab.
The Printers page appears. If the Safe@Office appliance detected the printer, the printer is listed on the page.
4.
The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer.
6. To change the port number, do the following:
a. Type the desired port number in the Printer Server TCP Port field.
Note: Printer port numbers may not overlap, and must be high ports.
b. Click Apply.

Configuring Computers to Use Network Printers

2. Click Start > Settings > Control Panel.
The Control Panel window opens.
3. Click Printers and Faxes.
The Printers and Faxes window opens.
4. Right-click in the window, and click Add Printer in the popup menu.
The Add Printer Wizard opens with the Welcome dialog box displayed.
5. Click Next.
The Local or Network Printer dialog box appears.
6. Click Local printer attached to this computer.
Note: Do not select the Automatically detect and install my Plug and Play printer check box.
7. Click Next.
The Select a Printer Port dialog box appears.
8. Click Create a new port.
9. In the Type of port drop-down list, select Standard TCP/IP Port.
10. Click Next.
The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed.
11. Click Next.
The Add Port dialog box appears.
12. In the Printer Name or IP Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall".
You can find the LAN IP address in the Safe@Office Portal, under Network > My Network. The Port Name field is filled in automatically.
13. Click Next.
The Add Standard TCP/IP Printer Port Wizard opens, with the Additional Port Information Required dialog box displayed.
14. Click Custom.
15. Click Settings.
The Configure Standard TCP/IP Port Monitor dialog box opens.
16. In the Port Number field, type the printer's port number, as shown in the Printers page.
17. In the Protocol area, make sure that Raw is selected.
18. Click OK.
The Add Standard TCP/IP Printer Port Wizard reappears.
19. Click Next.
The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears.
20. Click Finish.
The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed.
21. Do one of the following:
• Use the lists to select the printer's manufacturer and model.
• If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk.
22. Click Next.
23. Complete the remaining dialog boxes in the wizard as desired, and click Finish.
The port's name is IP_.
26. Click OK.

MAC OS-X

This procedure is relevant for computers with the latest version of the MAC OS-X operating system.
Note: This procedure may not apply to earlier MAC OS-X versions.

To configure a computer to use a network printer
1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway.
The System Preferences window appears.
3. Click Show All to display all categories.
4. In the Hardware area, click Print & Fax.
The Print & Fax window appears.
5. In the Printing tab, click Set Up Printers.
The Printer List window appears.
6. Click Add.
New fields appear.
7. In the first drop-down list, select IP Printing.
8. In the Printer Type drop-down list, select Socket/HP Jet Direct.
9. In the Printer Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall".
You can find the LAN IP address in the Safe@Office Portal, under Network > My Network.
10. In the Queue Name field, type the name of the required printer queue.
11. In the Printer Model list, select the desired printer type.
A list of models appears.
12. In the Model Name list, select the desired model.
13. Click Add.
The new printer appears in the Printer List window.
14. In the Printer List window, select the newly added printer, and click Make Default.

Viewing Network Printers

To view network printers
1. Click Setup in the main menu, and click the Printers tab.
The Printers page appears, displaying a list of connected printers. For each printer, the model, serial number, port, and status are displayed.
A printer can have the following statuses:
• Initialize. The printer is initializing.
• Ready. The printer is ready.
• Not Ready. The printer is not ready. For example, it may be out of paper.
• Printing.

Resetting Network Printers

computers. To do this, you must change the replacement printer's port number to the malfunctioning printer's port number, as described below.
Note: Each printer port number must be different, and must be a high port.

To change a printer's port
1. Click Setup in the main menu, and click the Printers tab.
The Printers page appears.
2. In the printer's Printer Server TCP Port field, type the desired port number.
3. Click Apply.

Chapter 16

Troubleshooting

This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance.
Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 183.
This chapter includes the following topics:
• Connectivity
• Service Center and Upgrades

Connectivity

I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power connection to the Safe@Office appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the network cable to the modem and make sure the modem is turned on.
• Check if the LAN LINK/ACT LED for the port used by your computer is green. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in your operating system, your equipment is most likely configured as a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating system, your equipment is most likely configured as a DSL router. Configure a LAN connection, even if you are using a DSL connection.
For instructions, see Configuring the Internet Connection on page 53.
• Check your TCP/IP configuration according to Installing and Setting up the Safe@Office Appliance on page 15.
• Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
• If your Web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.

My network seems extremely slow. What should I do?
• The Ethernet cables may be faulty.
• Consider whether you really need the router. The Safe@Office appliance can be used as a replacement for your router, unless you need it for some additional functionality that it provides, such as Wireless access.
• If possible, disable NAT in the router. Refer to the router’s documentation for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set it to the Safe@Office appliance’s external IP address.

Service Center and Upgrades

I purchased an advanced Safe@Office model, but I only have the functionality of a simpler Safe@Office model. What should I do?
You have not installed your product key. For further information, see Upgrading Your Software Product on page 381.

I have exceeded my node limit. What does this mean? What should I do?
Your Product Key specifies a maximum number of nodes that you may connect to the Safe@Office appliance.

Other Problems

I have forgotten my password. What should I do?
Reset your Safe@Office appliance to factory defaults using the Reset button as detailed in Resetting the Safe@Office Appliance to Defaults on page 420.

Why are the date and time displayed incorrectly?
You can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Appliance on page 399.

I cannot use a certain network application. What should I do?
Look at the Event Log page.

Chapter 17

Specifications

This chapter includes the following topics:
• Technical Specifications
• CE Declaration of Conformity
• Federal Communications Commission Radio Frequency Interference Statement

Technical Specifications
Attribute Safe@Office 500 Safe@Office 500 SBX-166LHGE-6 SBX-166LHGE-6 / Safe@Office 500W SBXW-166LHGE-6 Power supply nominal US Model: 90~132 VAC, All Models: 100~240VAC, input voltage, frequency 50~60Hz 50~60Hz Japan Model: 100VAC, 50~60Hz EU Model: 200~265 VAC, 50~60Hz Power supply nominal All Models: 9VAC, 1.5A All Models: 5VDC, 3A 7.5W 8W (1.6A w/o external USB output voltage Max. Power Consumption devices) 13W (2.
Attribute Safe@Office 500 Safe@Office 500 SBX-166LHGE-6 SBX-166LHGE-6 / Safe@Office 500W SBXW-166LHGE-6 Humidity: 5%~90% at 25°C/ 5%~90% at 25°C/ Storage/Operation None condensed None condensed ETSI 300 019-2-3 CLASS 3.1 CNS1219 C6343 Applicable Standards Shock & Vibration & Bellcore GR 63 (NEBS) Safety Quality EN60950/ EN60950/ IEC60950/ IEC60950/ UL60950 cTUVus 60950 ISO9001 ISO9001:2000 TL9000-HW R3.
Table 87: Safe@Office Wireless Attributes Attribute Safe@Office 500W series Operation Frequency 2.412-2.484 MHz Transmission Power 79.

CE Declaration of Conformity

SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.
Attribute Safe@Office 500 Safe@Office 500 SBX-166LHGE-6 SBX-166LHGE-6 / Safe@Office 500W SBXW166LHGE-6 EN 61000-4-8:1993 EN 61000-4-2:1995 EN 61000-4-11:1994 EN 61000-4-3:1996/A2:2001 ENV50204:1995 EN 61000-4-4:1995 EN 61000-4-5:1995 EN 61000-4-6:1996 EN 61000-4-7:1993 EN 61000-4-8:1993 EN 61000-4-9:1993 EN 61000-4-10:1993 EN 61000-4-11:1994 EN 61000-4-12:1995 Safety EN 60950: 2000 EN 60950: 2000 IEC 60950:1999 IEC 60950:1999 The "CE" mark is affixed to this pro

Federal Communications Commission Radio Frequency Interference Statement

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable

Glossary of Terms

A

ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.

C

CA
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information.

anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.

Domain Name System
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.

other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.

HTTPS
Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server.

IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.

ISP
An ISP (Internet service provider) is a company that provides access to the Internet and other related services.

NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.

P

Packet
A packet is the basic unit of data that flows from one source on the Internet to another destination on the Internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one place to another on the Internet, the file is divided into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination.

level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connection attempts. In other words, it learns!

Subnet Mask
A 32-bit identifier indicating how the network is split into subnets.

TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.

URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol.

W

WLAN
A WLAN is a wireless local area network protected by the Safe@Office appliance.