InstantKey User Manual

Contents
1. [User Manual, Chapter 1 Product Overview, p. 9]

[Figure: client subnets 192.168.10.X, 192.168.11.X and 192.168.12.X (client users 192.168.10.10/24, 192.168.11.10/24 and 192.168.12.10/24; gateways 192.168.10.254, 192.168.11.254 and 192.168.12.254) behind an L3 core switch; bridge IP 172.1.1.251/24; firewall 172.1.1.254/24; core switch routing table; labels A and B.]

1.5.3 Users are NOT in the same networks as Firewall LAN

If users are NOT in the same network as the Firewall LAN interface, routing must be configured so that the SSL proxy knows the internal subnets and the internal gateway and can forward the HTTPS response back to the correct client PC.

The device is connected between the core switch and the firewall. Label A indicates that the bridge IP should be set in the network of the Firewall/Switch segment, say 172.1.1.251 with the gateway set to 172.1.1.254. However, the SSL proxy needs to know that the 192.168.10.X, 192.168.11.X and 192.168.12.X subnets are below the L3 core switch (172.1.1.253), so you need to configure three routing rules on the device: 192.168.10.0/24 via 172.1.1.253, 192.168.11.0/24 via 172.1.1.253, and 192.168.12.0/24 via 172.1.1.253.

Label B in the figure indicates the management IP of the device, say 192.168.10.199. Note that HTTPS traffic will still use its original IP to connect to the HTTPS server instead of the bridge IP. However, the system must perform its DNS lookups through the management port.
2. [User Manual, Chapter 11 Configure APP Content with AD Single Sign On, p. 101]

Step 10 Paste the script into login.vbs. Right click in the file and select Paste to paste the script into the file. [Screenshot: the script pasted into login.vbs in a text editor.]

Step 11 Confirm the script. Confirm that the script content is filled with the correct AD server's IP and the correct management server's IP. If they are all correct, please save the file. The script as shown in the screenshot (the \\192.168.18.200\netlogon share path and the Dim line are restored from the garbled scan; 192.168.18.111 is annotated as "Your AD server", so 192.168.18.200 is taken to be the management server):

    Option Explicit
    Dim objNetwork, objShell, objExec, strUser
    ' Create the network object
    Set objNetwork = CreateObject("WScript.Network")
    ' Get the user name. Anticipate that on Windows 98 the user may not be logged on yet,
    ' so poll until a user name is available.
    strUser = objNetwork.UserName
    Do While strUser = ""
        WScript.Sleep 2000 ' Two seconds
        strUser = objNetwork.UserName
    Loop
    ' Note the concatenation of strUser with ampersand
    WScript.Echo "user name: " & strUser
    Set objShell = CreateObject("WScript.Shell")
    ' Run adclient.exe from the management server share, passing the AD server IP and the user name
    Set objExec = objShell.Exec("\\192.168.18.200\netlogon\adclient.exe 192.168.18.111 " & strUser)
    ' Wait until adclient.exe has finished (Status 0 means still running)
    Do While objExec.Status = 0
        WScript.Sleep 100
    Loop
3. [User Manual, Chapter 8 App Policy, p. 57]

[Screenshot: App Policy rule list with Status, Schedule, Rule Name, Security Profile and Pipe columns; schedule Always; rules KUGOO_Rule_1 (P2P Kugoo), PIGO_Rule_1 (P2P Pigo, 100Bao), POCO_Rule_1 (P2P Poco, PP Point), QQDOWNLOAD (P2P QQDownload) and P2PDATA_Rule_1 (P2P P2pData), plus P2P GoBoogy, Kuro, DirectConnect (DC), OpenFT, Ares, SoulSeek, Vagaa, Maze, ClubBox (GoGoBox), Fs2You and HuntMine, all currently set to Allow.]

Step 5 Select security profile. Functions > Content Manager > App Policy > Policy. On the toolbar of Security Profile, select Block to block all P2P applications (Apply ... to listed).

Step 6 Select traffic profile. Functions > Content Manager > App Policy > Policy. On the toolbar of the Traffic Profile, select the profile Low to the P2P categ
4. [User Manual, Chapter 8 App Policy, p. 56]

[Screenshot: App Policy rule list (Status, Schedule, Rule Name, Src, Dst, Protocol, Action, Pipe). Rules with schedule Always, source and destination any, action Allow and pipe default_pipe for: Chat MSN (MSN, Trillian, Miranda, Gaim); Chat AOL (AOL AIM, Triton, ICQ, Trillian, Miranda); a P2P rule covering Xunlei, BitTorrent, eDonkey, Winny and ezPeerPlus; Shared Files; GADU_Rule_1 (Chat Gadu-Gadu, Kadu, Miranda, Gaim); UC_Rule_1 (Chat UC, Sina UC); POPO_Rule_1 (Chat POPO, popo163); Chat AliWangWang (Taobao AliWangWang); FETION_Rule_1 (Chat Fetion, China Mobile Fetion); DOSHOW_Rule_1 (Chat DoShow); WEBIM_Rule_1 (Chat WebIM: MSN Web Messenger, eBuddy, ...); HTTP_Rule_1 (Web HTTP); HTTPDOWNLOAD (Web HTTP Download: zip, rar, exe, iso, rm, rmvb, ...); HTTPVIDEO_Rule_1 (Web HTTP Video: flv, swf, mp...).]
5. [User Manual, Chapter 3 3-tier Architecture, pp. 19-20]

[Screenshot: login dialog. Status: Please Input Your ID and Password.]

3.3.4.1 Creating Device Groups

Step 1 Adding a device or group. File > Device Group Manager. After you successfully enter the system, click the Device Group Manager item to add a new device or group. [Screenshot: File menu: New Project, Open Project (Ctrl+O), Edit Project (Ctrl+E), Close Project (Ctrl+C), Delete Project (Ctrl+D), Exit (Ctrl+X).]

Step 2 Adding a group. File > Device Group Manager > New Group. Right click the Devices item and select New Group. [Screenshot: context menu with New Group and Delete Device.]

Step 3 Input the Group name. File > Device Group Manager > New Group. Input the name of the group and then click the OK button to continue. After that, the group name will be displayed on the screen. You can right click the item and select Rename Group or Delete Group to modify or delete the group.

Step 4 Creating New Device. Right click the existing group Group 1 and select New Device to add a new device.

Step 5 Edit related device information. Input the device name and select an IP address which was previously registered by the ip set command of the device. Click the OK button to store the settings.

Note: You must setup the
6. [User Manual, Chapter 3 3-tier Architecture, p. 26; Part 2 Design Philosophy; Chapter 4 Internal Data Processing Flow]

... click the OK button to continue. [Screenshot: Select a Project: Select a Project from the list below; Project information.]

Step 3 Start managing the product. File > Open Project. Now you can start managing your product. A single project can control multiple devices belonging to different groups. Move the cursor to the device you want to manage and double click it; the system will connect to the device and load its configuration into the management console screen.

Part 2 Design Philosophy

Chapter 4 Internal Data Processing Flow

This chapter introduces the basic design principle and the steps to achieve that principle.

4.1 Technology

Nowadays, many Internet users have installed IM and P2P applications which apply port hopping and HTTP tunnelling to avoid being checked or blocked. To help MIS overcome these issues, 5-step Content Management is proposed to maximize productivity and security and to minimize threats and TCO (Total Cost of Ownership).

[Figure: 5-Step Content Management: Maximize Productivity/Security, Minimize Threats/TCO. Step 3 Behavior Mgmt: IM Game, IM Chat, File Recording, Chat Recording, Keyword block, P2P Bandwidth Mgmt; Realtime Layer 7 to Layer 4 Interactive Deep ...]
7. [InstantKey User Manual, front matter]

InstantKey User Manual
L7 Networks: Secure Networks at Layer 7

Copyright

Copyright 2015 by L7 Networks Inc. The copyright of the contents of this manual belongs to L7 Networks. Reproducing the contents in any form is not allowed. If you want to transfer or copy the contents of this document, you must get approval from L7 Networks.

Trademarks

All trademarks and registered trademarks are the property of their respective owners.

Technical Support

This manual provides you a detailed installation and setup guide for the product. You can also download the documents from the products download page of our website at www.l7-networks.com.

If you have any technical problems or suggestions, please contact our technical support center. Please prepare the following information to save time when communicating:
- Product model and serial number (you can get it from the CLI command sys ver)
- Purchasing time and maintenance contract (when you got this product)
- A brief description of the problems and the steps you have already tried

Contact offices: Taipei (3F, No. 289, Sinhu 3rd Rd., Neihu District); Hsinchu (10F, No. 25, MinZu Rd., Hsinchu, Taiwan; +886 3 666 8896); Shanghai (L7 Networks Inc. R&D Shanghai office; +86 21 5434 9678); Beijing (Alphasolutions Co., Ltd.); Singapore (+65 3150 3660); US (+1 408 844 8850); Indonesia; Thailand.
8. [User Manual, Chapter 7 Traffic Manager, p. 48]

... Yahoo, ICQ, AOL, GoogleTalk and WebIM will equal 32% of the outbound traffic (0.64 Mbps) or inbound traffic (32 Mbps).

7.3 Steps

Step 1 Start the Traffic Manager. Functions > Traffic Manager > Status. Check the Enable Traffic Management. [Screenshot: Status / Policy / Options tabs; Enable App Policy; Description: 1. Policy order: Per IP Policy > App Policy; 2. App policy order: top down first match. Static Exempt (Source/Destination): Enable Exempt Sources, Exclude Bypass from App policy. Dynamic Exempt (Source/Destination): Enable Exempt Sources, Exclude any from App policy. Default Traffic Pipe: Put unmatched traffic into default_pipe.]

Step 2 Setup outbound bandwidth. Functions > Traffic Manager > QoS Policy. [Screenshot: QoS Policy. Step 1: Define the default link sharing tree; Step 2: Create scheduled pipe policies from the default tree. Description: Right-clicking a tree node allows you to create children. Children can be set to borrow bandwidth from their parent node. Note: Any existing Pipe Policy will disallow you to edit the default tree hierarchy.] Input 2 at the Outbound Traffic field and then drag and drop the bandwidth partitioning line with the mouse. You can drag it to allow High to occupy 50% of the total bandwidth, Middle to occupy 18% of the total bandwidth, and Low to occupy 32% of the total bandwid
9. [User Manual, Chapter 9 Address & Schedule Objects, p. 64]

[Screenshot: address group tree including SubnetPQA and SubnetRD.]

Step 7 Editing group. Function > Management > Object Manager > Address > Groups. Enter the name and select host objects from the left column. Click the >> button to move the address object from the left to the right. If you want to remove some address objects from the current group, select the object in the right column and click the button. Click the Finish button to finish the settings. [Screenshot: Add new IP Address group. This is the Group Editor. Please enter your Group name. All Hosts: HostPresident, HostChairman, HostCTO, HostVicePresident, HostViceChairman, HostCMO, HostCEO, HostCFO, SubnetMARKETING, SubnetMANUFACTURE. Selected Hosts: HostCEO, HostCTO.]

Step 8 Display existing address groups. Function > Management > Object Manager > Address > Groups. After you click the Finish button, all groups will be shown on the screen. [Screenshot: Objects / Groups tree: GroupEmployee, GroupManager, GroupServer, with objects HostCEO, HostCMO, HostCTO, ServerFTP, ServerHTTP, ServerMYSQL, ServerSQL, SubnetADM, SubnetFINANCE, SubnetMANUFACTURE, ...]
10. [User Manual, Chapter 1 Product Overview, p. 10]

[Figure: core switch 172.1.1.253/24; client subnets 192.168.10.X, 192.168.11.X and 192.168.12.X (client users 192.168.10.10/24, 192.168.11.10/24 and 192.168.12.10/24; gateways 192.168.10.254, 192.168.11.254 and 192.168.12.254).]

1.5.4 Users connect to internal proxy first

If users are configured to use a proxy to go to the Internet, and the firewall allows only the proxy IP 172.17.1.100 to go to the Internet, we usually configure the device in proxy mode as well to intercept SSL connections.

The device can sit as a standalone proxy (only the INT1 interface needs to be connected) or be connected between the core switch and the firewall. In the latter case, Label A indicates that the bridge IP should be set in the network of the Firewall/Switch segment, say 172.17.1.199 with the gateway set to 172.1.1.254. However, the SSL proxy needs to know that the 192.168.10.X, 192.168.11.X and 192.168.12.X subnets are below the L3 core switch 172.1.1.253, so you need to configure three routing rules on the device: 192.168.10.0/24 via 172.1.1.253, 192.168.11.0/24 via 172.1.1.253, and 192.168.12.0/24 via 172.1.1.253.

Label B in the figure indicates the management IP of the device, say 192.168.10.199. Note that HTTPS traffic will still use its original IP to connect to the HTTPS server instead of the bridge IP. However, the system must perform its DNS lookups through the management port.
11. [User Manual, Chapter 3 3-tier Architecture, pp. 13-14]

3-Tier Architecture: Maximize the Performance, Availability and Functionality

Layer 7 network equipment often performs computing-intensive tasks and requires a better architecture to maximize performance, availability and functionality. The product incorporates the 3-tier architecture to boost the performance for every purpose.

[Figure: 3-tier architecture; the inline device handling Denied P2P, Proxy/IM, VoIP and similar traffic classes.]

1. Tier 1, Device: The device should aim at rapidly and accurately doing content inspection. In this way, the device, which is installed inline in the network, will not influence the network performance.

2. Tier 2, Management Server: The management server takes the responsibility to centralize the management of multiple devices, while accepting event logs into a database for further reporting and analysis.

3. Tier 3, Management Client: The management client can be any PC with a Java-enabled browser. As long as the user can connect to the management server, he or she can control all the devices under the server.

3.2 Installing Management Server

3.2.1 Requirements

✓ The operating system must be at least Windows 2000/2003 or Windows XP. If your operating system is an English version, please install your preferred language pack. For example, the Chinese Traditional language pack is prompted when you are installing the management server. Click the Install button to start installa
12. [User Manual, Chapter 12 Web Manager, p. 121]

[Screenshot: URL category lists. Bronze profile: Game, IM, NEWS, P2P, Photo, Pornography, Sports, Stocks, WebHD, Chatroom. Full list: Audio/Video, Drugs, Gamble, Hack, WebMail, Violent, WebIM, Blog, Discuss, Game, IM, Job, NEWS, P2P, Photo, Pornography, Portal, Proxy, Social, Sports, Spyware, Stocks, Trade, NewUser, Tunnel, Warez, WebHD, Chatroom.]

FIGURE 12.2 URL Web filtering fields

Field | Options | Default | Description
Enable URL Database | Enable / Disable | Enable | Enable the URL database to block URLs
Action | Log Only / Log & Block / Block Only | Log & Block | Action to take when the URL matches the URL database
Categories | Enable / Disable | Disable | Enable all categories
Block all categories | Enable / Disable | | Block URLs that match any one of the URL categories
Advertisements, Audio/Video, Drugs, etc. | Enable / Disable | Enable | Check the URL categories to be enforced

Step 5 URL keyword blocking. Functions > Content Manager > Web > Global Policy > URL Keywords. Check the Enable URL Keyword blocking to block any URL containing the keywords listed in the settings. The product has preset keywords. You can change the keywords by right clicking the item. [Screenshot: Web tree: Status, Web Profiles, Global Policy (Web Sites, Web Contents, Web Messages, Web Alert, URL Keywords, Categories, Excluded Full Domains, Excluded URL Keywords).]

Description: Step 1 Edit the URL keywords and thei
13. [User Manual, Chapter 11 Configure APP Content with AD Single Sign On, p. 112]

Modify the keyword settings here. Step 2 Go to Web Policy to add Custom into some permission level. Step 3 Go to Content Policy to set some object to the permission level. [Screenshot: custom keywords (mp3, music, song, sing, movie) and URL categories (Drugs, Gambling, Hacking, Webmail, Pornography, Violence, WebIM) with checkboxes.]

Step 8 Assign Web Profiles. Functions > Content Manager > Web > Web Profiles. You can define a new web profile by yourself to choose your preferred categories listed in our built-in URL database.

Step 9 Setup John's Policy. Go to Content Policy > Policy and right click on that area to add a new user by clicking New User. Input John in the Name field and select the web profile rule_john which was just created in the previous step. Check the URL Rec to record the URLs visited by John. [Screenshot: Web Profiles / Global Policy with blocked categories; New User dialog: Create a new user; Schedule: Always; Virtual Group; Others; Basic; Rule name: rule_1.]

The Name fiel
14. [User Manual, Chapter 11 Configure APP Content with AD Single Sign On, p. 107]

[Screenshot: New User dialog with Web Profile, Schedule and Rule Name fields, and AD Back Import / File Import / File Export buttons.]

[Screenshot: Please select the accounts and groups. Objects: Accounts: Administrator, Guest, John. Groups: Account Operators, Administrators, Backup Operators, Cert Publishers, Distributed COM Users, DnsAdmins, DnsUpdateProxy, Domain Admins, Domain Computers, Domain Controllers, Domain Guests. OK / Cancel.]

Fig 1: Functions > Content Manager > Content Policy > Policy

[Screenshot: Content Policy rule list populated with the imported AD accounts and groups (John, Domain Admins, Domain Users and the other groups above), each with its schedule, rule name and profile columns, plus AD Back Import / File Import / File Export buttons.]
15. [User Manual, Chapter 10 Configure APP Content with WebLogin, p. 75]

[Screenshot: Fig 2, session list entry for host 207.46.95.153.]

10.3.2.2 Manually assign web login account names in content policy rules

Step 1 Add a new rule. Functions > Content Manager > Content Policy > Policy. Here we want to audit the IM conversations, file transfers and URL access of the RD group. First, right click on the policy area and select New User to add a rule. Fill in the Name field with RD and check the Enable of the MSG Rec and the File Rec. Upload the configuration.

[Screenshot: Create a new user. Schedule: Always; Virtual Group; Others; Basic; Rule name: rule_RD; Name: RD (The Name field could be an AD account, AD group, or Web Login account); MSG Rec: Enable / Disable; File Rec: Enable / Disable; MSN Account: Allow; Yahoo Account; AOL Account: Allow; ICQ Account: Allow; IM Service: Platinum; URL Rec: Enable / Disable; Web POST: Allow; Web Service: Platinum; Finish / Cancel.]

10.3.2.3 Import web login users into content policy
16. [User Manual, Chapter 4 Internal Data Processing Flow, pp. 32-35; Part 3 Network Monitoring; Chapter 5 Traffic Discovery]

... version of the management server. Please click About to check the version.

Step 2 Version display. Help > About. After About is invoked, the figure will show you the version in detail.

Note: The version consistency between the device and the management server lies in the first two segments of a version number. For example, in this example the management server is in version 2.2.01. This software will apply to all 2.2-based devices; namely, devices ranging from version 2.2.0 to 2.2.13 can use this management software. Only 2.2 matters; the following numbers do not count.

[Screenshot: About dialog. L7 Networks Management Console, Version 5.0.01 20140226, Copyright (C) L7 Networks Inc. All Rights Reserved.]

Part 3 Network Monitoring

Chapter 5 Traffic Discovery

This chapter shows you how to catch internal thieves and then set up policy rules to manage them.

5.1 What Is On Your Networks?

The often-heard advice to "know your network" is needed by broadband and WAN operators more than ever before. Being able to identify the applications and use
17. [User Manual, Chapter 15 System Maintenance, pp. 138-139]

... 7 days for you to trial. After that period, the function will not work anymore but will just bypass the in/out traffic. It will not interrupt your network but just disable each function.

After you have decided to purchase the product, your system integrator will give you a deal license key to make each purchased function permanently effective.

Step 1 Enter license. Update > License. Click the License item to enter the license key. [Screenshot: Update menu: Upload configuration, Update pattern, Update URL database, License, License Status, Option.]

Step 2 Input License Key. Enter the license key and click the OK button. [Screenshot: License Key dialog: Please input License Key; OK / Cancel.]

Step 3 Update license successfully. After you successfully update the license, the dialog will pop up. Click the OK button to continue. [Screenshot: Information: Update license successfully.]

15.6 Upgrading Patterns / URL DB

15.6.1 Auto Upgrading Patterns / URLDB

Step 1 Auto Upgrade Configuration. Update > Option. Click the Option item. [Screenshot: Update menu: Upload configuration, Update pattern, Update URL database, License, License Status, Option.]

Step 2 Input Update Center Informati
18. [User Manual, Chapter 6 Per IP Manager, pp. 40-41]

... Admin are nearly unlimited in session count and bandwidth. The members in group Sales are limited to 200 sessions, 1 Mbps upload bandwidth and 1 Mbps download bandwidth. What is more, each IP should have a limited P2P usage: only allowed to occupy 100 sessions of the total 200 sessions, 0.5 Mbps of the 1 Mbps upload bandwidth, and 0.5 Mbps of the download bandwidth.

[Figure: ADSL Router, DMZ, Router, Firewall (EXT), the product device (MGT/SYS), Core Switch, and the Admin, Sales and Guest groups.]

6.2 Methodology

The product should first set up a default policy for all IP addresses with an initial limit for the session count, upload bandwidth and download bandwidth, as follows. Then define the general limits for the members in the group Admin. Then define the general limits for the members in the group Sales. Finally you will have to define the sub-rule for the group Sales: add a per-IP app policy rule for the group Sales as follows.

[Figure: policy hierarchy: Upload 1000 Mbps (any); Upload 1000 Mbps (Admin, any); Upload 1 Mbps (Sales, 200); Upload 0.5 Mbps (Sales, P2P, 100).]

6.3 Steps

Step 1 Start the Per IP Manager. Management > Per IP Limit Manager > Status. Check the Enable Per IP Manager. If you want to add some IPs to the excluding list, click the Exclude radio box and select the interested group. [Screenshot: Status / Policy / Quota Profile tabs; Enable Per IP Manager.]
19. [User Manual, Chapter 6 Per IP Manager, p. 42]

[Screenshot: Description: 1. Policy order: Per IP > L7 > L4; 2. Per IP policy order: top down last match. Exempt (Source/Destination): Exclude any from the Per IP Limit Policy.]

Step 2 Edit the Default Rule. Management > Per IP Limit Manager > Policy. Right click the Any rule and select Edit Policy.

Note: Packets are top-down matched with the policy. Only the last matched policy takes effect.

Note: Bandwidth policy priority: Per IP > L7 > L4. Block policy priority: L4 > Per IP > L7.

[Screenshot: policy table with columns Status, Condition (Rule Name, Src, Service), Action (Session, Upload, Download), Quota, and 2nd level Action when exceeding quota (Session, Upload, Download); default rule 1000 Mbps / 1000 Mbps; context menu: Add Per IP policy, Add Per IP app policy, Edit policy.]

Step 3 Edit the Default Rule. Management > Per IP Limit Manager > Policy. Right click the Any rule and select Edit Policy. [Screenshot: Edit your Per IP policy. Rule name: Default rule. Per IP: Internal IP. Session limit; Upload limit: 1000 Mbps; Download limit: 1000 Mbps. Note: Zero means no limit. Quota: Use Quota; Quota policy; Reduced Policy: Session limit, Upload limit, Download limit.]

Step 4 Edit the Default Rule. Management > Per IP Limit Manager > Policy. Right click the Any rule and select th
20. [User Manual, Chapter 8 App Policy, p. 58]

[Screenshot: QQDOWNLOAD rule (P2P QQDownload) set to Block & log, pipe High.]

8.4.3 Setup VoIP policy by App Policy Rules

Step 1 Enable the App Policy. Functions > Content Manager > App Policy > Status. Check the Enable App Policy. [Screenshot: Status / Policy tabs; Enable L7 Manager; Description: 1. Policy order: Per IP > L7 > L4; 2. L7 policy order: top down first match; 3. Set needless policy to Never to avoid performance drop. Exempt (Source/Destination): Exclude HostCTO from the L7 policy. Default Traffic Pipe: Put unmatched traffic into High.]

Step 2 List VoIP group. Functions > Content Manager > App Policy > Policy. Select VoIP in the List field, then all VoIP policy rules will be displayed on the screen. [Screenshot: List: category; Protocol; Apply Schedule / Security / Traffic to listed; rule table with Condition (Dst, Protocol) and Action (Security Profile, Pipe); rules for Chat MSN (MSN, Trillian, Miranda, Gaim), Chat Yahoo (Yahoo, Trillian, Miranda, Gaim), Chat AOL (AOL AIM, Triton, ICQ, Trillian, Miranda), Chat XMPP (Google Talk, Gaim) and QQ_Rule_1, all Allow with pipe High.]
21. [User Manual, Chapter 8 App Policy]

[Screenshot: VoIP policy rule list. Functions > Content Manager > App Policy > Policy; List: VoIP; Apply Schedule / Security / Traffic to listed. Columns: NO, Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action (Security Profile, Pipe). Schedule Working, source Boss, destination any. Rules: SKYPE_Rule_1 (VoIP Skype), SKYPEFILE_Rule_1 (VoIP Skype File Transfer), SKYPEOUT_Rule_1 (VoIP SkypeOut), SIP_Rule_1 (VoIP SIP, MSN Voice, Yahoo Voice, ...), H323_Rule_1 (VoIP H323, NetMeeting), VOIPBUSTER_Rule_1 (VoIP VoIPBuster). In the first view all are Allow with pipe High; after applying the security profile they are Block & log with pipe High.]
22. [User Manual, Chapter 3 3-tier Architecture, p. 18]

... Java applet technology, so you need to install the Java virtual machine in your browser. When you first connect to the management server with IE, you will be prompted to install the Java plug-in into your PC. After that, when you first login to the system, it requires a relatively long waiting time to download and run the program. Please be patient.

Step 1 Connecting to Mgt. Server. Connect to http://10.1.1.10. Select an IP address for the management server to control the product (e.g. 192.168.168.1). Open your IE browser and enter http://<management server IP>. For example, enter http://10.1.1.10 to connect to the management server. When the security alert window pops up, click OK to trust our Java applet. Only when you click OK can the program successfully run on your system. [Screenshot: security alert dialog.]

Note: If [...] make your management server locate in the same subnet as your device.

Step 2 Choose the language. The product currently offers several languages. You can select your favorite one to control the interface. [Screenshot: Language Setting Dialog: Please select your language.]

Note: After you have entered the login page, you have to go to Tools > Language Setting to change the language settings.

Step 3 Login. Enter the username and password (default admin / admin). After that, you will enter the system. [Screenshot: login dialog, ID: admin, Password: ********.]
23. … System Maintenance 131
Chapter 14 Management Server Maintenance 132
14.1 Introduction to Management Server 132
14.2 Configuring the Management Server 132
Chapter 15 System Maintenance 136
15.1 [title illegible in source] 136
15.2 Upgrade Firmware through TFTP 136
15.3 Backup Config 137
15.4 Restore [remainder illegible in source] 138
15.5 Enabling Optional Module 138
15.6 Upgrading Patterns / URL DB 139
15.6.1 Auto Upgrading Patterns 139
15.6.2 Manually Upgrade Application Patterns 141
15.6.3 Manually Upgrading URLDB 142
15.6.4 Restore to Factory Default 143
15.6.5 Restore to Factory Default in CLI Emergency Mode 143
15.6.6 [title illegible in source] 143
Chapter 16 Advan
24. [Figure: management client side tree. Policy > QoS Policy; Content Manager > Content Policy, IM, Web, Webmail; Data Leakage Prevention > DLP Policy, IM, EMail, FileTransfer, WebIM, WebHD; Toolbar.]

[Figure: real-time connection monitor ("Refresh every 3s") listing bittorrent sessions of host 192.168.18.48 (user Eric): columns for protocol (TCP / UDP), peer address and port, pipe ("unli…"), and per-session and total byte counters; the counter values are not legible in the scan.]

User Manual Chapter 4 Internal Data Processing Flow

[Figure: toolbar icon legend: Display / Hide the status area; Upload config; Group object; Inverse of the selected group object; Inverse of the selected host object; Management; Date options.]
25. [Figure: Windows XP Professional system properties (Copyright 1985-2001 Microsoft Corporation) showing the computer name (microsof-b5c461) and domain (test.com) fields; Chinese UI text not recoverable from the scan.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

11.3.1.4 Setup AD Import at Management Server

Step 1 Setup AD Import
Information: Windows 2003 Server IP 192.168.18.190; Mgt Server IP 192.168.18.45; Mgt Server OS Windows XP Professional; Device IP 192.168.18.92; Netmask 255.255.225.0.
Go to Object Manager > Dynamic > Dynamic Objects and click the AD Import button. Fill in the AD server's IP and port, then click the Auto Fetch User DN and Base DN. You will find that the following fields are automatically filled with parameters. Enter the password for the administrator of the AD server and click the Next button.

Step 2 Select Import options
As Fig 1 shows, it has found 31 groups and 10 users. Now the system will prompt to ask for import options. The first is to delete all existing objects and then import. The second is to preserve existing objects and replace them if duplicated. The third is to preserve existing objects without importing any objects. Select one of the
26. Server: Service on at TCP 6565

User Manual Chapter 14 Management Server Maintenance

Step 2 Setup Email Server (Monitor > Server Status)
Click the Edit button and select the By Local Server option. Input the IP address of the DNS Server. If you want to alert the administrator by SMTP email, please check the By SMTP Server option. Either of the two ways of sending the email should be tested to verify that it really works with your preferred server. You can test it by clicking the Test button. If it works, you can then decide whether to enable the email alerts or not by checking the Enable / Disable Mail Alert. If enabled, input the Check Period (min) field so that the program will check, once every such period, whether there are any messages it should alert on.

Step 3 Customized Email (Monitor > Server Status > Message)
Move the cursor to the text input area and click it. You can use the variables Date, App, Action, User to compose your email contents.
[FIGURE 14-1 Alert email variables: table with columns Variable, Description, Example.]

Step 4 FTP Setup (Monitor > Server Status)
At the FTP Setup page, you can use FTP to do backup. Check the Enable FTP Backup and check the Backup only option. You can then choose the FTP backup schedule on a daily basis, weekly basis, or monthly basis. Input your exact time to back up the data in the pop-up dialog. For example, click the Daily button, then select 15:00 to ask the system
27. Terminal Type: HyperTerminal, 115200

User Manual Chapter 3 3-tier Architecture
FIGURE 3-2 HyperTerminal settings

Step 1 Login system
The default ID and Password is admin / admin. After logging in, you can use CLI commands to change the password.

Step 2 Configure management port IP
Type "en" to enter Privilege Mode. Type the "ip set" command to configure the MGT interface and the Management Server related IP information.

Step 3 Assign management server IP
Type "sys mgtserver" to start assigning the device's management server.

3.3.4 Connecting to Device

[Figure: PuTTY session on COM1. The administrator logs in as admin, types "en", then "ip set" and answers the prompts for IP Address, Netmask, Default Gateway, Primary DNS, Secondary DNS and Management Server; the device prints the resulting configuration with the link state of each interface (UP / DOWN, e.g. EXT DOWN) and asks "Do you really want to apply and save setting?". Then "sys mgtserver" asks to choose the management server mode, offers to adjust the device system time (Tue Jan 20 12:35:56 2009) and the management server IP, and confirms "Update filter list successfully … done". The addresses typed in the session are only partially legible in the scan.]

The product's management system uses
28. [Figure: address group tree with SubnetMARKETING, SubnetPQA, SubnetRD.]

Step 9 Upload config to the device
Check the Upload Configuration item or click the icon to upload the current configuration to the device. [Figure: Update menu (Update / Tools / Help): Upload Configuration, Update pattern, Update URL database, License, License Status, Option.]

Warning: If some object is referred to by some group or some policy rule, you have to delete the policy or group first before you delete this object. Otherwise, you will not be able to delete the object.

User Manual

9.3.2 Schedule Control

Step 1 Deleting the default schedule
The product has provided two default schedules for you. If they cannot meet your needs, you can modify the schedule or delete it immediately. In the following examples, we will delete the default schedules and add a new schedule to demonstrate the process.
Note: Please note that before you can delete a schedule, you must make sure there is no rule referring to the schedule to be deleted.
The example at the top right is to delete a group. You must delete the schedules inside the group so as to delete the whole group.

Step 2 Right click the schedule
Right click at the schedule area and select the Add Schedule option.

Step 3 Adding a new schedule
Enter the name of the schedule. Click the OK button to close the dialog.

Step 4 Editing time
Rig
29. [Figure: App Policy rule list for chat protocols (Src = any, Dst = any, Action = Allow, Pipe = High, Schedule = Always): QQCHATROOM_Rule (Chat / QQ ChatRoom), QQMEDIA_Rule_1 (Chat / QQ Media File Transfer / Voice / Video), QQSHARE_Rule (Chat / QQ Shared Files), GADU_Rule_1 (Chat / Gadu-Gadu / Gadu-Kadu / Miranda / Gaim), UC_Rule_1 (Chat / UC / Sina UC), POPO_Rule_1 (Chat / POPO / popo163), ALIWANGWANG (Chat / AliWangWang / Taobao AliWangWang), FETION_Rule_1 (Chat / Fetion / Chinamobile Fetion), DOSHOW_Rule_1 (Chat / DoShow), WEBIM_Rule_1 (Chat / WEBIM / MSN Web Messenger / eBuddy / …), HTTP_Rule_1 (Web / HTTP), HTTPDOWNLOA…]

Step 3 Choose schedule (Functions > Content Manager > App Policy > Policy)
On the quick configuration toolbar, select the WorkingHours item in the Apply field. All the listed policy rules will be set to the same schedule. Of course, you can set up each rule one by one, too. [Figure: toolbar with Schedule set to WorkingHours and the "to listed" button; rule columns Schedule, Rule Name, Src, Dst, Protocol, Security Profile, Pipe; first row SKYPE_Ru…]
30. can choose to new / edit / copy / delete the service profile.

Chapter 13 Encryption Web Manager (Encryption Recorder > Web > Web Profiles)
[Figure: Web Profiles page with buttons New Service, Edit Service, Copy Service, Delete Service, Delete All; columns Name, Custom URLDB Categories, Built-in URLDB Categories, Excluded websites. Profiles listed include Bronze and NewUser. The Built-in URLDB Categories column lists the blocked categories of each profile, for example: WebMail, WebIM, Discuss, IM, Chatroom; WebMail, WebIM, Blog, Discuss, Game, IM, NEWS, Photo, Pornography, Sports, Stocks, Chatroom; Audio/Video, WebMail, WebIM, Blog, Discuss, Game, IM, NEWS, P2P, Photo, Pornography, Sports, Stocks, WebHD, Chatroom; Audio/Video, Drugs, Gamble, Hack, WebMail, Violent, WebIM, Blog, Discuss, Game, IM, Job, NEWS, P2P, Photo, Pornography, Portal, Proxy, Social, Sports, Spyware, Stocks, Trade, Tunnel, Warez, WebHD, Chatroom. Further columns: Block, Full Domains, URL Keywords.]

User Manual

Step 4 Edit service profile
Choose Block from the Built-in Website Categories in the leftmost tree. You can see a lot of categories of the built-in URL database. Select the categories you want to block. Those categories already selected on the left side are shown in grey (disabled state) on the right side. [Figure: Edit web profile dialog (Encryption Recorder > Web > Web Profiles > Edit Service) with the Service Name field, the Custom Web tree and the hint "Edit here to help define Service Name".]
31. complete "sys tcpdump" commands are listed as below.

Product User Manual Appendix A

[FIGURE A-6 sys tcpdump]
sys tcpdump external: Dump external port packets
sys tcpdump external interactive: Dump external port packets interactively
sys tcpdump internal: Dump internal port packets
sys tcpdump internal interactive: Dump internal port packets interactively
sys tcpdump management interactive: Dump management port packets interactively

A.2 CLI Commands: Emergency Mode
If the system accidentally crashes and requires you to enter the emergency mode, press Ctrl-e when the prompt shows to you. Enter admin without any password to enter the emergency mode.

Non-privileged mode
[FIGURE A-7 Non-Privileged Mode in Emergency CLI: table with columns Command, Description. Legible entries:]
enable (en): Enter privileged mode
ip ping 202.11.22.33: Sending ICMP for network debugging
ip traceroute: Tracing the routes for network debugging
[Site related settings] Display the current time

Privileged mode
[Table, only partially legible:]
ip tftp upgrade image <FILENAME>: Upgrade firmware from the TFTP server (the example in the table uses server 192.168.168.170)
ip traceroute 202.11.22.33: Tracing the routes for network debugging
32. defined, e.g. Chat / MSN.
Security Profile: Action of the policy, allow or block (Allow / Block).
Traffic Profile: Pipe of the policy, the bandwidth class the traffic belongs to (Middle / Middle).
Figure 8-2 Field description of the App Policy policy

User Manual Chapter 8 App Policy

8.4.2 Setup P2P policy by App Policy Rules

Step 1 Enable the App Policy (Functions > Traffic Manager > App Policy > Status)
Check the Enable App Policy. [Figure: Status tab. Description: 1. Policy order: Per-IP Policy > App Policy; 2. App policy order: top-down first match. Static Exempt (Source / Destination): Enable Exempt Sources, Exclude "Bypass" from App policy. Dynamic Exempt (Source / Destination): Enable Exempt Sources, Exclude "any" from App policy. Default Traffic Pipe: Put unmatched traffic into "default pipe".]

Step 2 List the P2P group (Functions > Content Manager > App Policy > Policy)
Select the P2P in the Group listbox as a filter to only show P2P policy rules. [Figure: quick configuration toolbar (List, Category, Protocol, Apply, Schedule, Security, Traffic, "to listed") and rule list with columns Condition (Src, Dst, Protocol) and Action (Security Profile, Pipe); example row: Rule_1, any, any, Chat / Yahoo / Yahoo / Trillian / Miranda / Gaim, Allow, default pipe.]
33. enforcement
[Figure: Content Policy tabs (Functions > Content Policy > Status / Policy / Action) with the Exclude setting; the rest of the screenshot text is not legible in the scan.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

Enable the MSG Rec to enable the recording of chat messages, as shown in Fig. 4.
[Figure 4: rule edit dialog. Schedule: Always; Virtual Group; Basic: Rule name rule_1, Name John (the Name field could be an AD account, AD group, or Web Login account); IM: MSG Rec Enable / Disable, File Rec Enable / Disable; MSN Account Allow, AOL Account Allow, Yahoo Account Allow, ICQ Account Allow; IM Service: Platinum; Web: URL Rec Enable / Disable, Web POST, Web Service.]

Relogin the AD client (John) to the AD domain and use the account to login
34. from different people. You can set up the accounts and their corresponding permissions.
[Figure: Account Manager (Authority Manager) with columns User, Group, Description: admin / Admin / Administrator; MIS / MIS; Audit / Audit.]

Field: Description
[account name field]: The account name of the user who can enter the system.
Group: Admin is the most powerful user who can do anything in the device. You should strictly disallow the IT member to own this permission except for the initial stage of the deployment of this device. MIS: this level's permission includes the configuration of any policy rules without touching any recorded data or reports. Audit: this level's permission includes browsing of chat contents, URL access logs, and reports.
Description: Detailed description of an account (example: test).
FIGURE 16-1 Account Manager

Step 3 Edit an account (Tool > Account Manager > User > Add User)
Input the name of the account and input the description of the account. Enter the password and its confirmation. After that, click the OK button to finish the settings. [Figure: User Information dialog with Name, Group, Description (test account), Password, Confirm.]

User Manual Chapter 16 Advanced Multi-Layer Architecture

Step 4 Successfully created
When you successfully create an account, you will be notified by a dialog as in the right figure. Click the OK butto
35. login script to the AD server.
[Figure: Windows Explorer at \\192.168.18.200\netlogon showing login.vbs (152 KB); Chinese UI text not recoverable.]
[Figure: Active Directory Users and Computers console (File Action View Window Help) with the domain tree: Builtin (builtinDomain), Computers, Domain Controllers, ForeignSecurityPrincipals, L7 Taipei, Users, each with its "Default container for …" description; context menu: New, All Tasks, View, New Window from Here, Refresh, Export List, Help.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

Step 4 Edit group policy
In the Properties page, select the Group Policy tab and click the Default Domain Policy. Then click the Edit button to edit the default domain policy. [Figure: Properties dialog, Group Policy tab; Chinese UI text not recoverable.]

Step 5 Assign login script
[Figure: Group Policy Object Editor.] Use the Group Policy O
36. mgtserver" in CLI to explicitly tell the device where to send the logs.
Step 2: Is there any personal firewall or antivirus system installed in your management server? If yes, turn it off.
Step 3: Open 4 ports in your personal firewall: TCP 80, TCP 1080, TCP 3306, and UDP 514.
Step 4: Check if the LogServer service has been started.

4. Why can't I see anything at the console?
Ans: Please make sure that the baud rate and parameters are 115200, 8, N, 1.

Product User Manual Appendix C

Appendix C Syslog Format

System Log Format
Product: time (e.g. 2005-01-10 12:57:27), mod=SYS, sev=<1|2|3|4|5>, tier2=<TIER>, lid=<LID>, msg=<Message>, by=<user|system>, from=<IP|console|system>

SYS messages (severity Information, LID M01; the remaining table columns are not legible): Download configuration; Upload configuration; Database is full; Database is cleanup; Backup database to 192.168.17.130; Send report to user@yourCompany.com; Restore database from 192.168.1.1; Send alert to user@yourCompany.com; Change Report Center setting; Change Syslog setting; Login success; Login fail (miss password); Change E-Mail Alert setting; Change FTP Backup setting.

[Further syslog table rows, only partially legible: S11 App Policy pattern updated to version 0000x; Warning: App Policy pattern update has failed; A VDB update has failed.]
37. options and click the Next button.

[Figure 1: AD Import dialog. Server setting: Server IP 192.168.18.190, Port 389; Auto Fetch User DN and Base DN; User DN cn=Administrator,cn=Users,DC=test,DC=com; Base DN DC=test,DC=com; Password; Server Type: AD 2000 / AD 2003 / OpenLDAP; Advanced. Detecting: Found 31 group(s), Found 10 user(s). Import options: Delete existing objects and then Import; Preserve existing objects and replace it if duplicated; Preserve existing objects, Don't import.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

As Fig 2 depicts, the system has shown the users and the groups from the AD server. Click the "Download login.vbs and adclient.exe" to download the needed files to your disk. Please copy these files to the AD server for later use. Click the Finish to finish the AD import. Now you can see many users and groups in the dynamic objects as shown in Fig 3.

[Figure 2: AD Import, Step 3/3. Detecting: Created 31 group(s), Skipped 1 group(s), Created 9 user(s), Skipped 1 user(s). Install login.vbs and adclient.exe on AD server: Read installation guide; Download login.vbs and adclient.exe. Buttons: < Back, Finish.]
[Figure 3: Dynamic Objects list of the imported users and groups; entries not legible in the scan.]
38. or join a domain, click Change. [Figure: Computer Name tab with the Change button; OK / Cancel.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

11.3.1.2 [section title illegible in source]

Step 1 Add an AD account at the AD Server
For security reasons, it is not suggested to use administrator so often. So we create a new account first. Login to the DC and run the program "dsa.msc". There will be an "AD Users and Computers" management console as Fig 1 shows. We use this console to create a new account.
[Figure 1: Active Directory Users and Computers (File Action View Window Help) showing test.com (2 objects): Saved Queries (Folder to store your favorite queries), test.com (Domain).]
First, expand the "test.com" and right click on the "Users". Choose Create > User as Fig 2 shows.
[Figure 2: Active Directory Users and Computers with test.com expanded (Builtin, Computers, Domain Controllers, …); context menu on Users: Delegate Control, Find, New (Computer, Contact, InetOrgPerson, MSMQ Queue Alias, Printer, Shared Folder, …), All Tasks, New Window From Here, Properties, Help.]
Create a
39. parameters.

3.3.1 Starting the System
Turn on the power of the device. After the booting process, the system will prompt you for the user name and password. The default settings of the user name and password are admin & admin. After you have entered the system, you can use CLI commands to change the password. Detailed CLI commands are listed in the Appendix.

User Manual Chapter 3 3-tier Architecture

3.3.2 System Architecture
The product is transparently installed at the network exit without changing any existing network architecture. The management server together with the management system and reporting system will provide you a very easy-to-use interface for policy management. Administrators can set up a series of policy rules according to existing network architectures or company policy. A single management server can control multiple devices, and can accept event logs from multiple devices. As long as you understand the basic installation steps, you can follow your network architecture to install the product. A detailed installation example is shown in the figure below.
[Figure 3-3 3-tier architecture example scenario: ADSL Router; the Management Client connects to the Management Server, and then connects to the Device.]

3.3.3 System Parameters
Use the RS-232 console cable to connect the device to the desktop PC. Please refer to the following HyperTerminal settings to set up the HyperTerminal: 115200
40. project, click the >> button to remove your selected devices.
[Figure: New Project dialog. Select Mode: General / Group. Project information: Name. Select the devices into the project: Selected Devices / All Devices (Group_1: Device_1, Device_2). OK / Cancel.]

Project Mode
General: If you want each of your devices to have individual settings, choose this mode.
Group: If you want each of your devices to have the same settings, choose this mode. Moreover, when you use this mode, all data will be integrated into the same report system. No matter which device you have modified, the settings will be updated to the Base Device configuration. Other devices will refer to the Base Device as their configuration.
FIGURE 3-3 Project mode

User Manual Chapter 3 3-tier Architecture

General Mode

Step 1 Creating a new project (File > New Project)
Select General as the project mode. This mode is suitable for most cases. Enter the project name and select devices from the right column. Click the << to move the device from right to left. Create a new group device by right-clicking the objects. If you want to remove some devices from the current project, select the device in the left column and click the >> button. Click the OK button to finish the settings.
[Figure: New Project dialog ("Enter the name of this project"; "Select the devices into the project"; Select Mode: General / Gro…).]
41. server. [Figure 10: Active Directory Installation Wizard summary: "To change an option, click Back. To begin the operation, click Next." Back / Next / Cancel.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

Once you click the Next button, the AD server is being installed with the software as Fig 11 shows. A few minutes later, the installation process will complete. Sometimes it requires more time, especially when it configures the DNS service.
[Figure 11: Active Directory Installation Wizard. "The wizard is configuring Active Directory. This process can take several minutes or considerably longer, depending on the options you have selected." Status: Creating the System Volume C:\WINDOWS\SYSVOL. Cancel.]

The software is finally installed as Fig 12 shows.
[Figure 12: Completing the Active Directory Installation Wizard. "Active Directory is now installed on this computer for the domain test.com. This domain controller is assigned to the site Default-First-Site-Name. Sites are managed with the Active Directory Sites and Services administrative tool. DNS was not configured for the domain. After restarting the computer, you should complete configuration of DNS for the new domain. To close this wizard, click Finish." Back / Finish / Cancel.]

After you click the Finish button, it will prompt you to reboot immediately. Click th
42. setting up the network properties of the Windows XP as the Figure shows.
[Figure: Windows XP TCP/IP properties (Chinese UI, not recoverable): Computer Name MyName, IP 192.168.18.72, Netmask 255.255.225.0, DNS Server 192.168.18.190.]

User Manual Chapter 11 Configure APP Content with AD Single Sign-On

Step 2 Switch to domain users
Right click on the "My Computer" and select "Properties", then fill in the computer name field. [Figure: System Properties, Computer Name tab (Chinese UI): domain test, computer name microsof-b5c461; a credentials dialog for Administrator; OK.]

User Manual

Step 3 Login to AD domain
As shown in Fig 1, you can choose to login to the PC itself or to login to the domain "TEST". After logging in, right click on the "My Computer" and select "Properties". Click the "Computer Name" to verify if the domain is at the test.com.
[Figure 1: Windows logon dialog.]
43. settings. Since the Product can recognize the detailed behaviors of each application, the MIS can set up individual policies. The users' information can be easily integrated with the enterprise's user database, such as LDAP, Active Directory, POP3(S), IMAP(S), and RADIUS.

User Manual Chapter 4 Internal Data Processing Flow

4. Step 4: Deep Content Inspection. The MIS may also want to do advanced filtering of the contents. In the Figure, the Product can detect/block viruses in compressed files and worms spread in IM windows. For extreme security, the conversations can be recorded. And if the users violate the policy by saying forbidden keywords, the Product will instantly inform the users of the company's IM policy.

5. Step 5: Offline Report Analysis. Finally, reporting and analysis can help the MIS to find out the problem. Tens of graphical reports are presented, including daily/weekly/monthly bandwidth usage, IM behavior, conversation recording, and policy violation. Reports can be customized, searched, and emailed with PDF/HTML attachment by a user-defined schedule.

4.2 Procedures
The product can control the most popular Instant Messengers (IM), Peer-to-Peer (P2P), Remote control, VoIP applications, and Web contents. You can make use of these tools to manage your network to prevent information leakage or wake up the productivity of some employees. It can not only block those applications but can manage them by behavior or contents. In t
44. the Name / Sun / Mon / Tue / Wed / Thu / Fri / Sat / Start Time / Stop Time area and click, you will get an icon like [icon]. [Figure: schedule object "Morning" with start time 00:00.]

Step 7 Browse the results (Functions > Content Manager > Object Manager > Schedule > Objects)
Now we have two schedule objects. We can start grouping them into a schedule group.

Step 8 Creating a new group (Functions > Content Manager > Object Manager > Schedule > Groups)
Since the working hours for company ABC include 8:30-12:00 and 13:00-17:30, we have to group them into a group object so as to facilitate management of policy rules. Right click on the area and select the Add Group item. [Figure: Objects / Groups tabs; context menu Add Group, Delete Group, Edit Entry.]

Step 9 Input the group name (Functions > Content Manager > Object Manager > Schedule > Groups)
Input the group name and click the OK button to continue. [Figure: Add Group dialog, "Please input Group name", Name: WorkingHours.]

User Manual Chapter 9 Address & Schedule Objects

Step 10 Open the schedule group (Functions > Content Manager > Object Manager > Schedule > Groups)
Right click on the schedule group object WorkingHours and select the Edit Entry item. [Figure: Groups tab with columns Name, Schedules: WorkingHours, Empty set; context menu Add Group.]

Step 11 Edit the schedule group (Functions > Content Manager > Object Manager > Schedule > Gr
45. the report of all statistics is aggregated from all the devices in this project. Click the OK button to finish the settings. [Dialog: Group Setting, Base Device, Group 1 / Device 1, Back / Cancel]

[L7 Networks Inc. p. 24 | User Manual Chapter 3: 3-tier Architecture]

3.3.4.3 Deleting a Project

Step 1 Click the Delete Project (File > Delete Project): Check the Delete Project option. [Menu: Device Group Manager, New Project Ctrl+P, Open Project Ctrl+O, Edit Project, Close Project, Delete Project]

Step 2 Deleting a project (File > Delete Project): Select the project you want to delete and click the OK button to continue. [Dialog: Select a Project from the list below; Project_1; Project information]
Note: 1. Once you click the OK button, the project will be immediately removed from the system. 2. A running project cannot be removed. You must close the project first and then remove the project.

3.3.4.4 Open an Existing Project

Step 1 Open project (File > Open Project): Click the Open Project item. [Menu: File, Update, Tools, Help; Device Group Manager, New Project Ctrl+P, Open Project, Edit Project, Close Project, Delete Project]

[L7 Networks Inc. p. 25 | User Manual Chapter 3: 3-tier Architecture]

Step 2 Select a project to open (File > Open Project): Select a project you want to open and
46. the screws inside the packing to lock the L-shape lockers to the device. Finally, lock the device to the chassis.

Please check if the following network equipment is ready or not:
1. Device
2. Switch/Hub
3. Desktop or notebook PC with a copper network interface

[L7 Networks Inc. p. 4 | User Manual Chapter 1: Product Overview]

1.3 Wiring

1. Power: Connect the power to the power socket and turn on the power switch.
2. Console: Use an RS-232 console cable to wire between the console port and the desktop PC. Set up the HyperTerminal of your PC to 115200, N, 8, 1 and no hardware flow control.
3. MGMT Interface: the management interface is used for uploading configuration or accepting logs from the device. The management server must be in the same subnet as the management interface.
4. Internal Interface: this interface connects to the internal network switch at your LAN side.
5. External Interface: this interface connects to the external network device, such as an ADSL modem, router or firewall at your WAN side.
6. HA Interface: this interface connects to another unit of the same product to provide the high availability function, so as to make sure that the function will still work even if a hardware failure occurs.

1.4 System Defaults & Examples

In the following Figure you can look up the default values of the device. Remember that the INT & EXT interfaces do not need any IP address when they are operating in bridge mode. The order of each interface in differen
47. [User Manual Chapter 8: App Policy]

Step 4 Upload config (Update > Upload Configuration): Check the Upload Configuration item or click the icon to upload the current configuration to the device. [Menu: File, Update, Tools, Help; Upload configuration, Update pattern, Update URL database, License Status, Option]

Step 5 Skype File Events (Functions > Reports > App Policy > Event View): From the right figure we can see that the RD whose IP is 192.168.17.58 attempts to use Skype to transfer files. However, it was blocked by the product. [Event View (Functional view / Policy View / Personal View / Event View), columns Application, Description, Protocol, Src, Port, Dst, Port: 2006-05-18 13:59:38, skypefile, BLOCK, skypefile, 192.168.17.58:25991 -> 192.168.17.56]

Tips:
1. If you want to select or deselect some rule, you can use Ctrl + left click to adjust the selected policy rules.
2. If the background color of some rule appears as light yellow, it means that you have already selected the rule. If you want to quickly adjust the settings of all the selected rules, just select the appropriate options in the toolbar. You can even drag & drop the mouse to select multiple rules at a time.

[L7 Networks Inc. p. 62 | User Manual Chapter 9: Address & Schedule Objects]

Chapter 9 Address & Schedule Objects

9.1 Th
48. 11.1 Scenario
1. Generate reports with IP addresses mapped to AD user/group names.
2. Configure APP/Content policy rules by matching AD user/group names.

11.2 Methodology

11.2.1 Map IP addresses in reports to AD user account names
1. Add a Domain Controller (DC) in Windows 2003 Server
2. Add an AD user account in a Windows 2003 Server
3. Use the newly added account at the Windows client PC to login to the AD Server
4. Execute AD Import
5. Install the AD logon script into the AD Server
6. Configure the device to accept AD login events
7. Relogin from the Windows client PC and check "sys ad show" to see if the PC appears

11.2.2 Configure policy rules to match AD user accounts for filtering
1. Go to Object Manager > Dynamic Objects. Import all user account names from the AD server
2. Assign AD user accounts / AD groups in App Policy rules
3. Assign AD user accounts / AD groups in content policy rules
4. Import all AD user accounts into content policy rules

[L7 Networks Inc. p. 78 | User Manual Chapter 11: Configure APP/Content with AD Single Sign On]

11.3 Steps

11.3.1 Map AD User Accounts to IP in Reports

11.3.1.1 Add a Domain Controller (DC) in Windows 2003 Server

Step 1 Add components: As an example, the AD server is Windows 2003 Server with the client PC using Windows XP Professional (Windows XP Home does not support AD). DC Name: www f4b3ffe209b, IP address: 192.1
49. 2.168.1.199. Note that HTTPS traffic will still use its original IP to connect to the HTTPS server instead of using the bridge IP. However, the system requires DNS lookups to go through the management port.

1.5.2 Users are in the same networks as the Firewall LAN (Multiple Subnets)

If users are in the same network as the Firewall LAN interface, but the interface is bound with multiple IPs for multiple subnets, say 192.168.10.254, 192.168.11.254, and 192.168.12.254 (only one physical port of the Firewall's LAN interface is logically segmented into three subnets):

The device is connected between the core switch and the firewall. Label A indicates that the bridge IP should be set in the network of the Firewall/Switch segment with multiple IP addresses, say 192.168.10.251, 192.168.11.251, and

[L7 Networks Inc. p. 8 | User Manual Chapter 1: Product Overview]

192.168.12.251. And these three bridge IPs should be assigned three different gateways, say 192.168.10.254, 192.168.11.254, and 192.168.12.254.

Label B in the figure indicates the management IP of the device, say 192.168.10.199. Note that HTTPS traffic will still use its original IP to connect to the HTTPS server instead of using the bridge IP. However, the system requires DNS lookups to go through the management port.

[Figure: External; Gateway 192.168.10.254/24, Gateway 192.168.11.254/24, Gateway 192.168.12.254/24; Bridge IP 192.168.10.251/24, Bridge IP 192.168.11.251/24, Bridge IP 192.168.12.251/24]
50. [Fig 9: Active Directory Installation Wizard, Permissions page. "Permissions compatible with pre-Windows 2000 server operating systems: Select this option if you run server programs on pre-Windows 2000 server operating systems or on Windows 2000 or Windows Server 2003 operating systems that are members of pre-Windows 2000 domains. Anonymous users can read information on this domain." "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems: Select this option if you run server programs only on Windows 2000 or Windows Server 2003 operating systems that are members of Active Directory domains. Only authenticated users can read information on this domain." Back / Next / Cancel]

Next, we have to set up the restore password. Please remember this password very carefully.

Fig 10 is to confirm all the above settings.

[Fig 10: Active Directory Installation Wizard, Summary. "Review and confirm the options you selected. You chose to: Configure this server as the first domain controller in a new forest of domain trees. The new domain name is test.com. This is also the name of the new forest. The NetBIOS name of the domain is TEST. Database folder: C:\WINDOWS\NTDS. Log file folder: C:\WINDOWS\NTDS. SYSVOL folder: C:\WINDOWS\SYSVOL. The DNS service will be installed and configured on this computer. This computer will be configured to use this DNS server as its preferred DNS
51. 68.18.190, Netmask 255.255.255.0, Gateway 192.168.18.1, DNS 192.168.18.190 (this machine itself is to be the DNS server).

By default, the DNS Server component is not installed, so we need to add the component ourselves. Go to Control Panel > Add or Remove Programs, click "Add or Remove Windows Components", and you will see the Windows Components Wizard as in Fig 1.

By default, all network services are added. Click "Details..." to choose the components yourself. Check only the DNS Server and uncheck all the others as Fig 2 shows.

Finally, click OK and continue to the next step to finish the DNS Server installation. Please make sure that the CD of Windows Server 2003 is available. Otherwise it will prompt you with a file-not-found alert and require you to set up the path manually.

[L7 Networks Inc.]

[Fig 1: Windows Components Wizard. "You can add or remove components of Windows. To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." Components: Microsoft .NET Framework 2.0, Other Network File and Print Services, Security Configuration Wizard, Subsystem for UNIX-based Applications. Description: Contains a variety of specialized network-related services and protocols. Total disk space required: 17.5 MB]
52. [Figure: real-time traffic discovery table; rows of UDP flows with pipe, external IP, port, session limit, bytes in/out and bandwidth columns]

FIGURE 5.1 Realtime traffic discovery fields

[Filter panel: All / Filter; Internal IP, Port, Direction, Pipe, Application; Update; External IP, Port, Protocol, Bridge; Bandwidth (bps)]

[L7 Networks Inc. p. 36 | User Manual]

Step 2 Display supported applications: You can go to our official website and click the release note of each pattern release. There will be a support list hyperlink describing the protocols and applications that are supported in that version of the pattern.

[Figure: L7 Networks website, application/protocol support list page]
53. [Menu: Update pattern, Update URL database, License Status, Option]

Step 2 Upgrade patterns (Update > Update pattern): Click the OK button to start updating application patterns. [Dialog: "Current pattern version is 2.1.01.150. The latest version is 2.1.01.151. Do you want to upgrade pattern now?"]

[L7 Networks Inc. p. 141 | User Manual Chapter 15: System Maintenance]

Step 3 Upgrade patterns from CLI: Enter privileged mode in the CLI and then input "sys module update pattern" or "sys module update all" to check for any update.

InstantScan# sys module update all
ud im engine version 2.0.02 is the latest one on the device. No upgrade is needed.
ls pattern version 2.1.01.151 is the latest one on the device. No upgrade is needed.
A new version 1.0.00.003 is issued. Please upgrade the newest av database version to the device.
Do you really want to continue upgrade [Y/N]? y
Upgrade av database from 192.168.17.97
This process may take a long time, so please be patient.
Successfully update the av database, new version 1.0.00.003
A new version 2.0.00.002 is issued. Please upgrade the newest url database version to the device.
Do you really want to continue upgrade [Y/N]? y
Upgrade url database from 192.168.17.97
This process may take a long time, so please be patient.
Successfully update the url database, new version 2.0.00.002
InstantScan#

15.6.3 Manually Upgrading URLDB

Step 1 Upgrade URLDB from UI C
54. After you have configured the system, you can back up the configuration in case you need to restore the settings.

15.2 Upgrade Firmware through TFTP

FIGURE 15.1 Upgrade firmware from TFTP server

Step 6 Set up a TFTP server: Place a TFTP server program at the root directory, such as C:\. Place the firmware file with extension .bin at the root directory of the TFTP server. Set up the PC to be in the same subnet as the device management port. Enter "en" to enter privileged mode.

Step 7 Upgrade firmware: Enter "ip tftp upgrade image <FILENAME> 192.168.168.170". After that, the device will reboot right away. However, make sure the upgrade is successful without any errors such as a checksum error. After reboot, enter the CLI and use "sys ver" to check the version of the system.

InstantScan# ip tftp upgrade image IS-50-2.0.02.bin 192.168.168.170
Fetching from 192.168.168.170 for IS-50-2.0.02.bin
Upgrading...
System will reboot now.
Press ctrl-e in 5 secs to start with emergency kernel
Booting
Checking Initial Key of this device
InstantScan login:

[L7 Networks Inc. p. 136 | User Manual Chapter 15: System Maintenance]

Step 8 Check version after upgrade: After rebooting the system, please check if all versions & settings are correct.

InstantScan login: admin
Password:
Welcome to InstantScan
InstantScan> en
InstantScan# ip show
Gateway 192.165.166.254
Primary DNS 168.25.1.1
Secondary DNS 0.0.0.0
55. [Fig 1: Networking Services. "To add or remove a component, click the checkbox. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details." Subcomponents of Networking Services: Internet Authentication Service, Remote Access Quarantine Service, RPC over HTTP Proxy, Simple TCP/IP Services, Windows Internet Name Service (WINS). Description: Sets up a DNS server that answers query and update requests for DNS names. Total disk space required: 16.5 MB. Back / Cancel / Help]

[p. 19 | User Manual Chapter 11: Configure APP/Content with AD Single Sign On]

Step 2 Install AD (Active Directory Installation Wizard): After installing the DNS Server, we can start to install Active Directory. Go to Start > Run, enter "dcpromo", and you will see the Active Directory Installation Guide. Click the Next button in Fig 1. There is a compatibility requirement: PCs whose Windows version is not newer than Windows 95 and NT 4 SP3 cannot log on to the DC of Windows Server 2003. We suggest using at least Windows 2000 or newer versions of Windows as the AD client machines.

[Fig 1: "Welcome to the Active Directory Installation Wizard. This wizard helps you install Active Directory services on this server, making the server a domain controller. If this is the first time you have installed Active Directory, it is recommended that yo
56. [Screenshot: App Policy rule list for Chat protocols (QQChatRoom, QQ Media File Transfer/Voice/Video, QQ Shared Files, Gadu-Gadu/Kadu/Miranda/Gaim, UC, POPO, AliWangWang, Fetion, DoShow, WebIM), Src any, Dst any, Action Allow]

Step 4 Select the Source IP (Function > Management > App Policy > Policy): The CEO & CTO should have complete permission to access the Internet. We have created a group Boss (HostCEO, HostCTO) in the last chapter. Selecting the icon !Boss means that all users except the Boss will be subject to the App Policy rule.

[Screenshot: Policy tab with List: Chat, Protocol, Apply, Schedule, Security, Traffic "to listed"; columns Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action (Security Profile, Pipe). Rules shown with Schedule Working, Src !Boss, Dst any: MSN_Rule_1 (Chat MSN: MSN, Trillian, Miranda, Gaim) Allow, High; Yahoo (Yahoo, Trillian, Miranda, Gaim) Allow; AOL (AOL, AIM, Triton, ICQ, Trillian, Miranda) Allow; XMPP (Google Talk, Gaim) Allow; QQ Allow; QQChatRoom Allow; QQ Media File Transfer/Voice/Video Allow; QQ Shared Files Allow; GADU_Rule_1
57. .com, 1-408-844-8841, Solution One Ltd

Remote support: Launch your SSLVPN client (tunnel.exe), which is shipped together with the management server software. Select a tunnel for our support team to connect to your site to solve the problem for you. Or you can use TeamViewer to set up a remote desktop for us to do the troubleshooting for you.

About This Manual

This manual uses the web-based user interface (WBI) of the product to describe how to set up the product. In order to use the product, you must understand how to use the WBI.

Who should read this manual?

This manual teaches you the detailed configuration of the product. Anyone who is responsible for setting up, monitoring, deciding the content policy, or receiving the reports should read this manual.

Related Documents

- Product CD: Refer to the documents inside the CD.
- Quick Installation Guide (QIG): The QIG can assist you to quickly install the hardware and software.
- Online support: Online support gives you MSN, Skype & SSLVPN connectivity that allows our support team to contact you and to see your desktop without opening your firewall settings.
- Web site support: Refer to the website information, including the most updated firmware/pattern release notes, or the upcoming features that will be released in the future.

Contact

The methodologies provided in this manual have already been tested and verified. If you have found any functions that have already bee
58. [Figure: the five-step flow: Real-time Discovery Learning, Layer 7 to Layer 4 Normalization, Interactive Behavior Management, Deep Content Inspection, Offline Report Analysis]

1. Step 1: Plug & Play Real-time Discovery Learning. To help the network administrators solve the above problems, the Product provides Plug & Play Discovery as the step 1 procedure. Just plug in the wire and the Product will replay the network traffic in real time. You can see how many MSN sessions are tunnelled in HTTP, and see how many IM peers are chatting. The chatting process will automatically be learned by the Product and can be further imported into your configuration.

2. Step 2: Layer 7 to Layer 4 Normalization. After discovering for a while, if you decide to manage the traffic, you can start to block something using the App Policy. In the Figure, the Product has normalized the traffic. The MIS can easily control the Product just like what layer 4 firewalls can do. Furthermore, the Product can help you stop non-standard IM connections. For example, MSN will automatically detect the firewall settings. If MSN cannot find a way out through the standard port 1863, it will try to connect to an HTTP proxy. However, anyone can manually configure his/her MSN settings to use any HTTP/SOCKS4/SOCKS5 proxy in the world, including those in your company. What is worse, users can connect to many WebIM pages to chat with their browsers. The Product can help you handle those situations.

3. Step 3: Interactive Behavior Management. Nevertheless, the MIS would like to do individual policy
59. [Screenshot: AD Import result, listing imported domain groups and users such as Domain Computers, Domain Controllers, Domain Guests, Domain Users]

Assign AD user in the Policy Rules (Functions > Traffic Manager > L4 Policy > Policy)

[Screenshot: L4 Policy rule editor with Src, Dst, Protocol and Schedule fields]

(Functions > Traffic Manager > L7 Policy > Policy)

[L7 Networks Inc. p. 104 | User Manual Chapter 11: Configure APP/Content with AD Single Sign On]

[Screenshot: L7 Policy rule list with Schedule, Rule Name, Src, Dst and Protocol columns]

11.3.2.3 Assign AD users/groups in Content Policy Rules

Step 1 Insert a new rule (Functions > Content Manager > Content Policy > Policy): Right click on the empty area of the rules. Select "New User" to add a new rule for a new user/group.

[L7 Networks Inc. p. 105 | User Manual]

Step 2 Manually assign an AD user in the rule: Input the AD account in the "Name" field. For example, we input John in that field. Below the field are the permission settings for this account, as shown in Fig 1. Click "Finish" to finish adding a content policy
60. [Screenshot: App Policy rule list, Schedule Working, Src !Boss, Dst any, Action Allow, Pipe High: QQSHARE_Rule (QQChatRoom, QQ Media File Transfer/Voice/Video, QQ Shared Files), GADU_Rule_1 (Gadu-Gadu, Kadu, Miranda, Gaim), UC_Rule_1 (Sina UC), POPO_Rule_1 (popo163), ALIWANGWANG (Taobao AliWangWang), FETION_Rule_1 (China Mobile Fetion), DOSHOW_Rule_1 (DoShow), WEBIM_Rule_1 (MSN Webmessenger, eBuddy, e-M...)]

Step 6 Select the Traffic Profile (Function > Management > App Policy > Policy): Select Middle in the Traffic listbox to apply the middle bandwidth policy to all listed Chat applications.

[Screenshot: Policy tab with Traffic "to listed"; columns Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action; rows Working, MSN_Rule_1, !Boss, any, Chat MSN (MSN, Trillian, Miranda, Gaim), Low / Block & log; YAHOO_Rule_1, Chat Yahoo (Yahoo, Tr
61. [Screenshot: Functions > Content Manager > App Policy > Policy, List: VoIP; columns Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action (Security Profile, Pipe). Before editing: SKYPE_Rule_1 (VoIP Skype), SKYPEFILE_Rule (VoIP Skype File Transfer), SKYPEOUT_Rule (VoIP SkypeOut), SIP_Rule_1 (VoIP SIP: MSN Voice, Yahoo Voice, Wagaley...), H323_Rule_1 (VoIP H323: NetMeeting), VOIPBUSTER_Rule (VoIP VoIPBuster), all Schedule Working, Src any, Action Allow. After editing: Src !Boss, Dst any, SKYPE_Rule_1 Block & log, High; SKYPEFILE_Rule Allow, High; SKYPEOUT_Rule Allow, High; SIP_Rule_1 Allow, High; H323_Rule_1 ...]
62. IP address from the device first before you can add a new device. After you have added a device with the right figure, that IP address will not appear again when you add another new device.

[L7 Networks Inc. | Chapter 3: 3-tier Architecture]

[Menu: File > Device Group Manager > New Device; Devices, New Group, Rename Group, New Device, Delete Device]

File > Device Group Manager > New Device: [Dialog: New Device. "Enter a unique name and related information for the device." Device information: 192.168.168.201, Content Management Firewall, L7 Networks, InstantScan 100]

[User Manual Chapter 3: 3-tier Architecture]

3.3.4.2 Creating a Project

Step 1 Creating a new project (File > New Project): Select New Project to create a new project. [Menu: File, Update, Tools, Help; Device Group Manager Ctrl+T, New Project Ctrl+P, Open Project Ctrl+O, Edit Project Ctrl+E, Close Project Ctrl+C, Delete Project Ctrl+D, Exit Ctrl+X]

Step 2 Creating a new project (File > New Project > New Project): First, please check the Project Mode and Project Name, and select the wanted devices from the All Devices tree-like field. Then click the << button to add your chosen devices to the Selected Devices field. [Dialog: "Enter the name of this project"; a device group can be created by right-clicking the objects.] If you want to remove some devices from the current
63. In proxy mode, users are required to manually assign the HTTPS proxy server as 172.17.1.199:3129. This can also be done by using Active Directory settings to force all users to have such settings. The device will use the IP 172.17.1.199 to go to the Internet. The Firewall should allow 172.17.1.199 to go out to outside port 443 servers. If needed, port 53 should also be opened for that IP.

[Figure: 172.17.1.254/24; External; Bridge IP 172.17.1.199/24; 172.17.1.253/24; Proxy 172.17.1.100; subnets 192.168.10.X, 192.168.11.X, 192.168.12.X with IE set to proxy; Client User 192.168.10.10/24, 192.168.11.10/24, 192.168.12.10/24; Gateway 192.168.10.254, 192.168.11.254, 192.168.12.254]

[L7 Networks Inc. p. 11 | User Manual Chapter 2: 2-tier Architecture]

Chapter 2 2-tier Architecture

This chapter introduces how to install the management server software to control the system.

2.1 Installing Management Client

2.1.1 Requirements

- The operating system must be at least Windows 2000/2003 or Windows XP. If your operating system is an English version, please install your preferred language pack. For example, the Chinese Traditional language pack is prompted when you are installing the management server. Click the Install button to start installation. [Dialog: Language pack installation. "To display language characters correctly you need to install the following language pack: Chinese Traditional"]
- Never install any l
64. Mbps for the upload limit. In this way, those IPs in the UnlimitedGroup will have a maximum of 100 Mbps bidirectionally.

[Screenshot: Per IP policy table. Columns: Status, Condition (Rule Name, Src, Service), Action (Session, Upload, Download, Quota), 2nd level Action when exceeding quota (Session, Upload, Download). Rows: Default rule, any, any, 0, 1000 Mbps, 1000 Mbps; Admin, Admin, any, 1000 Mbps, 1000 Mbps. Context menu: Add Per IP policy, Add Per IP app policy, Edit policy, Delete policy]

Step 9 Edit the new rule (Management > Per IP Limit Manager > Policy): Select the UnlimitedGroup and enter 100 Mbps for the download limit and 100 Mbps for the upload limit. In this way, those IPs in the UnlimitedGroup will have a maximum of 100 Mbps bidirectionally.

[L7 Networks Inc. p. 45 | User Manual Chapter 6: Per IP Manager]

[Dialog: Edit your application policy. Description: Sales 2; App/Service: P2P; Session limit: 100; Upload limit: 0.5 Mbps; Download limit: 0.5 Mbps. Note: Zero means no limit.]

Step 10 Edit the new rule (Management > Per IP Limit Manager > Policy): Select the UnlimitedGroup and enter 100 Mbps for the download limit and 100 Mbps for the upload limit. In this way, those IPs in the UnlimitedGroup will have a maximum of 100 Mbps bidirectionally.
Note: Packets are top-down matched against the policy. Only the last matched policy takes effect.
Note: Bandwidth policy priority: Per IP > L7 > L4. Block poli
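The two notes above (top-down matching where only the last matched policy takes effect) decide which limit a packet actually gets, so rule order matters more than it would under first-match semantics. The following is an added example, not the product's own code: it models the Per IP table with the rule names and limits from this chapter, while the source subnets and the Admin host IP are constructed placeholders, since the screenshot only shows object names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PerIpRule:
    """One row of the Per IP Limit Manager policy table."""
    name: str
    src: str             # "any", a host IP, or a CIDR subnet (constructed values below)
    service: str         # "any" or an App/Service name such as "P2P"
    session_limit: int   # 0 means no limit, as the edit dialog's note says
    upload_mbps: float   # 0 means no limit
    download_mbps: float # 0 means no limit


def _src_matches(rule_src: str, ip: str) -> bool:
    if rule_src == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)


def matching_rules(rules: List[PerIpRule], ip: str, service: str) -> List[PerIpRule]:
    """All rules whose source and service condition match, in table order."""
    return [r for r in rules
            if _src_matches(r.src, ip) and r.service in ("any", service)]


def last_match(rules: List[PerIpRule], ip: str, service: str) -> Optional[PerIpRule]:
    """Top-down matching where only the LAST matched policy takes effect,
    which is what the manual states for Per IP policies."""
    hits = matching_rules(rules, ip, service)
    return hits[-1] if hits else None


def effective_limits(rules: List[PerIpRule], ip: str,
                     service: str) -> Tuple[Optional[float], Optional[float]]:
    """(upload, download) in Mbps for this IP/service; None means unlimited."""
    rule = last_match(rules, ip, service)
    if rule is None:
        return (None, None)
    return (rule.upload_mbps or None, rule.download_mbps or None)


def shadowed_rules(rules: List[PerIpRule], ip: str, service: str) -> List[str]:
    """Names of rules that matched but were overridden by a later match.
    Under first-match semantics an administrator would expect the first of
    these to apply, so a non-empty result is worth reviewing."""
    return [r.name for r in matching_rules(rules, ip, service)[:-1]]


# Table modelled on the chapter's screenshot and dialogs. The Admin host and
# the two group subnets are constructed placeholders, not values from the manual.
RULES = [
    PerIpRule("Default rule", "any", "any", 0, 1000, 1000),
    PerIpRule("Admin", "192.168.168.254", "any", 0, 1000, 1000),
    PerIpRule("UnlimitedGroup", "192.168.168.0/24", "any", 0, 100, 100),
    PerIpRule("Sales 2", "192.168.10.0/24", "P2P", 100, 0.5, 0.5),
]

if __name__ == "__main__":
    for ip, svc in [("192.168.10.10", "P2P"), ("192.168.10.10", "HTTP"),
                    ("192.168.168.254", "HTTP")]:
        rule = last_match(RULES, ip, svc)
        print(ip, svc, "->", rule.name, effective_limits(RULES, ip, svc),
              "shadowed:", shadowed_rules(RULES, ip, svc))
```

Note that with this table the Admin host ends up limited to 100 Mbps because the later UnlimitedGroup subnet rule also matches it; reversing the table order would let the Default rule win for every packet.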
65. [Screenshot row: WEBIM_Rule_1, !Boss, any, Chat WEBIM (MSN Webmessenger, eBuddy, e-M...), Block & log, High]

Step 7 Browse the policy (Function > Management > App Policy > Policy): Browse the Chat policy rules to make sure that all your settings are properly set.

[L7 Networks Inc. p. 54 | User Manual Chapter 8: App Policy]

[Screenshot: Policy tab, List: Chat, Protocol, Apply, Schedule, Security, Traffic "to listed"; columns Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action (Security Profile, Pipe). Rows, all Working, Src !Boss, Dst any, Block & log, Middle: MSN_Rule_1 (Chat MSN: MSN, Trillian, Miranda, Gaim); YAHOO_Rule_1 (Yahoo, Trillian, Miranda, Gaim); AOL_Rule_1 (AOL, AIM, Triton, ICQ, Trillian, Miranda); XMPP_Rule_1 (Google Talk, Gaim); QQ_Rule_1 (Chat QQ); QQCHATROOM (QQChatRoom); QQMEDIA_Rule_1 (QQ Media File Transfer/Voice/Video); QQSHARE_Rule_1 (QQ Shared Files); GADU_Rule_1 (Gadu-Gadu, Kadu, Miranda, Gaim)
66. Management Server 10.1.1.10
INTERNAL
EXTERNAL
MGT 192.166.166.201 255.255.255.0
InstantScan#

15.3 Backup Config

Step 1 Backup configuration (Tools > Config Backup): Click Tools in the menu and check Config Backup. [Menu: Tools, Help; Account Manager, Change Password, Language Setting, SNMP Control, Config Backup, Config Restore]

Step 2 Store the backup config (Tools > Config Backup): Select the directory where you want to store the backup file. Input the filename and click Backup to finish the backup. [Dialog: Backup; File Name; Files of Type: CBC Backup Config File (.bcf)]

[L7 Networks Inc. p. 137 | User Manual Chapter 15: System Maintenance]

15.4 Restore Config

Step 1 Restore configuration (Tools > Config Restore): Click Tools in the menu and check Config Restore. [Menu: Tools, Help; Account Manager, Change Password, Language Setting, SNMP Control, Config Backup, Config Restore]

Step 2 Select the config to restore (Tools > Config Restore): Select the backup file and click Restore to finish the restore. [Dialog: File Name; Files of Type: CBC Backup Config File (.bcf)]

15.5 Enabling Optional Module

When you have not purchased the product, the default license key in the product is a trial license. This means that all the functions are valid for a given period, say
67. User Manual, Chapter 9, Address & Schedule Objects

9.3.1 Address Settings

Step 1 Adding an address object (Function > Management > Object Manager > Address > Objects). Right click on the item HostCEO and select Edit; you can then start editing the content of the object. The product already provides several objects. You can edit them directly or delete them all. [Screenshot: the Objects tree, listing HostPresident, HostViceChairman, HostVicePresident, ServerFTP, ServerHTTP, ServerMYSQL, ServerSQL, SubnetADM, SubnetFINANCE, SubnetMANUFACTURE, SubnetMARKETING, SubnetPQA and SubnetRD.]

Step 2 Editing the HostCEO object. Change the IP address of HostCEO to 192.168.168.2 if that is your CEO's IP address. [Screenshot: the HostCEO edit dialog, with the address type Subnet / Range / Host and IP 192.168.168.2.]

Address type | Description                            | Range Format | Example
Subnet       | address of the subnet                  | [illegible]  | 192.168.168.0 [mask illegible]
Range        | [illegible]                            | [illegible]  | [illegible]
Host IP      | IP address of a host address object    | [illegible]  | [illegible]

FIGURE 9.1 Definition of an address object

Step 3 Adding an object group (Function > Management > Object Manager > Address > Groups). Right click on the group item and select Add item. [Screenshot: the Groups tree, listing HostCMO, HostCTO, ServerFTP, ServerHTTP, ServerMYSQL, ServerSQL, SubnetADM, SubnetFINANCE, SubnetMANUFACTURE and SubnetMARKETING.]
68. [Screenshot residue: the App Policy rule list for the P2P protocol family (Functions > Content Manager > App Policy > Policy). Columns: Status; Condition (Schedule, Rule Name, Src, Protocol); Action (Security Profile, Pipe). Legible rules, with Src Boss, schedule Always and action Allow: BITTORRENT_Rule (P2P BitTorrent: BitTorrent, BitComet, uTorrent, ...; pipe High), an eDonkey rule (P2P eDonkey: eDonkey, Overnet, eMule, Vagaa; High), a Winny rule (High), EZPEERPLUS (P2P ezPeerPlus; High), a Xunlei rule (P2P Xunlei: Xunlei, FlashGet, ...), FASTTRACK_Rule (P2P FastTrack: Kazaa, Grokster, iMesh), GNUTELLA_Rule (P2P Gnutella: Foxy, ezPeer, Bearshare, Gnucleus), KURO_Rule_1 (P2P Kuro), DIRECTCONNECT (P2P DirectConnect: DirectConnect, DC), OPENFT_Rule_1 (P2P OpenFT: ..., KCeasy), an Ares rule, SOULSEEK_Rule (P2P SoulSeek), GOBOOGY_Rule (P2P GoBoogy), a Kugoo rule, PIGO_Rule_1 (P2P Pigo: Pigo, 100Bao), POCO_Rule_1 (P2P Poco: Poco, PP Point), QQDOWNLOAD (P2P QQDownload) and VAGAA_Rule_1 (P2P Vagaa).]

Step 4 Select source IP. Since the CEO and CTO have full permission to access Internet resources, we use the group Boss (HostCEO, HostCTO) created in the last chapter. We select the [icon, illegible] to apply the Security Profile to all users in the App Policy except the group Boss.
69. [Screenshot residue: the App Policy rule list for the VoIP protocol family. Rules, each with Src Boss and destination any: a Skype File Transfer rule (name partly illegible; VoIP Skype File Transfer; Working), SKYPEOUT_Rule (VoIP SkypeOut; Working), SIP_Rule_1 (VoIP SIP: MSN Voice, Yahoo Voice, ...; Block & log; Working), H323_Rule_1 (VoIP H323: NetMeeting; Block & log; Working) and VOIPBUSTER_Rule (VoIP VoIPBuster; Block & log).]

User Manual, Chapter 8, App Policy (page 60)

8.4.4 Blocking VoIP: Skype File Transfer

Step 1 Edit the Object Manager (Functions > Content Manager > Object Manager > Address > Objects). Since the R&D department is not allowed to use Skype File Transfer, we must include the IP addresses of the R&D department (192.168.17.1 - 192.168.17.254). Right click SubnetRD and select the Edit button.

Step 2 Set up the IP of the R&D department. The address object can be a subnet, a range, or a host. We can set up SubnetRD as a range object of 192.168.17.1-192.168.17.254 or as a subnet object of 192.168.17.0/24. Click the OK button to finish the setting.

Step 3 Block Skype File Transfer of R&D during office hours. According to the company's policy, all VoIP software packages are blocked except Skype. However, R&D members are not allowed to transfer files through Skype during office hours.

In the last chapter we ha
70. User Manual, Chapter 11, Configure APP Content with AD Single Sign On

[Screenshot residue: Active Directory Users and Computers, listing the built-in users and security groups (Administrator, Cert Publishers, Domain Guests, Domain Users, Enterprise Admins, Group Policy Creator Owners, Schema Admins, the Help and Support group, ...) with their descriptions; the context-menu item "Delegate Control..." ("Delegates control of objects in this folder") is highlighted.]

Fig. 1: the Delegation of Control Wizard welcome page. "This wizard helps you delegate control of Active Directory objects. You can grant users permission to manage users, groups, computers, organizational units, and other objects stored in Active Directory. To continue, click Next." [Next / Cancel]

(L7 Networks Inc., page 89)

Delegation of Control Wizard. Click the Add button to add the previously created user or group account (John), as in Fig. 3, and select o
71. [Screenshot: the Tools menu (Language Setting, SNMP Control, Config Backup, Config Restore) with SNMP Control selected (Tools > SNMP Control).]

User Manual, Chapter 15, System Maintenance (L7 Networks Inc., page 143)

[Screenshot residue: the SNMP Control dialog; the legible fields include the enable checkbox, system information, contact info, community and trap host / destination settings.]

User Manual, Chapter 16, Advanced Multi-Layer Architecture (L7 Networks Inc., page 144)

Chapter 16 Advanced Multi-Layer Architecture

This chapter introduces the advanced multi-layer architecture for management.

16.1 Scenario

A company has an organizational hierarchy, divided into divisions so that responsibilities are delegated. If the device is used to collect the content of the networks, that data is very sensitive with respect to the company's hierarchy. If the IT member who manages the product has full permission to access the recorded contents, it would be very dangerous: if he or she can read the data of another division or the data of his or her boss, a subordinate ends up with larger permissions than the boss. Auditing actually belongs to the auditing department, not to the IT member. The system should therefore have a mechanism that separates the data from the control of the system.

16.2 Objectives

Since a content recorder is related to personal privacy, the data should be kept confidential. The product's advanced l
72. [Table of contents, continued]

2.1 Installing Management Client .......... 12
2.1.1 Requirements .......... 12
2.1.2 Procedures .......... 12
Chapter 3 3-tier Architecture .......... 14
3.1 What is 3-tier Architecture .......... 14
3.2 Installing Management Servers .......... 15
3.2.1 [title illegible] .......... 15
3.2.2 [title illegible] .......... 19
3.2.3 Installing Java Runtime .......... 16
3.3 [title illegible] .......... 16
3.3.1 Starting the System .......... 16
3.3.2 System Architecture .......... 17
3.3.3 System Parameters .......... 17
3.3.4 HA .......... 18
Part [number illegible] [title illegible] .......... 27
Chapter 4 Internal Data Processing Flow .......... 28
4.1 [title illegible] .......... 28
4.2 [title illegible] .......... 29
4.3 User Interface .......... 30
4.4 [title illegible] .......... 30
4.5 [title illegible] .......... 32
4.6 [title illegible] .......... 32
Part [number illegible] Network Monitoring .......... 35
Chapter 5 [title illegible] Discovery .......... 36
5.1 What Is on Your Network .......... 36
Part [number illegible] Traffic Manager .......... 40
Chapter 6 Per IP Manager .......... 41
6.1 [title illegible]
73. [Screenshot residue: a custom keyword list with entries such as "Sexy" and "Love".]

[Screenshot: Functions > Content Manager > Content Policy > Policy, the New User dialog. Schedule: Always. Virtual Group: Others. Basic: Rule name rule_1; Name: RDGROUP ("The Name field could be AD account, AD group, ..."). IM: MSG Rec Enable / Disable; File Rec Enable / Disable; MSN Account Allow; Yahoo Account Allow; AOL Account Allow; ICQ Account Allow; IM Service Platinum. Web: URL Rec Enable / Disable; Web POST Allow; Web Service Platinum.]

Step 6 Enable Web Manager (Functions > Content Manager > Web > Status). Check the Enable Web Manager checkbox.

User Manual, Chapter 11, Configure APP Content with AD Single Sign On (L7 Networks Inc., page 111)

[Screenshot: Web > Status (tabs Status, Web Profiles, Global Policy). Enable Web Manager is checked. Description: "Web Manager allows you to filter unwanted sites during the office hours". Exempt Source / Destination: Enable Exempt Sources; Exclude HostCEO from the web filter enforcement; Include HostCTO in the web filter enforcement.]

Step 7 Add custom keywords (Functions > Content Manager > Web > Global Policy > Web Site > Custom). In the Custom tab you can add, delete and modify the keywords. [Screenshot: Global Policy with the sub-tabs Web Sites, Web Contents and Web Messages; under Web Sites, the Custom and Trusted Dest tabs; Description: Step 1 ...]
74. [Screenshot residue: the language pack installation dialog (Install / Cancel).]

FIGURE 2.1 Language pack installation screen

- Hard disk space: at least 80 GB available; we strongly suggest 120 GB.
- CPU: at least Pentium 4.
- Memory: at least 256 MB; we strongly suggest at least 512 MB.
- If your operating system is Windows XP Service Pack 2 with the built-in firewall enabled, you must follow the steps below to open the ports UDP 514, TCP 1080 and TCP 3306, so that no packets from or to the management server are blocked:
  1. Go to Start > Settings > Network Connection.
  2. Right click the Local Area Network and select Content.
  3. Go to Advanced > Settings > Exception and click Connection Ports.
  4. Enter the name and the port number to allow the following network ports:

Name            | Port Number | Protocol
Database Server | 3306        | TCP
HTTP Server     | 80          | TCP

FIGURE 2.1 Firewall settings of management server

2.1.2 Procedures
1. Install the Management Server
2. Install the AD Log Server
3. Upgrading the Management Server
4. Browsing the CD

User Manual, Chapter 2, 2-tier Architecture (L7 Networks Inc., page 12)

5. Uninstall Management Server

[Figure: the Management Client connects to the Device directly.]

User Manual, Chapter 3, 3-tier Architecture (L7 Networks Inc., page 13)

Chapter 3 3-tier Architecture

This chapter introduces how to install the management server software that controls the system.

3.1 What is 3-tier Architecture
75. any one of the items in the function list, this area shows the details of that function.
5. Status: Any messages are put into this area so that you know the status of the configuration. You can push the [hide] icon to hide the status area.

[Screenshot: the Management Console (DefaultProject) with the callouts 1 Toolbar and 2 Project. Menu bar: File, Update, Tools, Report, Help; Server 192.168.18.120; Project DefaultProject; an Upload Config button. The Management area shows the Summary view with the tabs Summary, App View, IP View, User View, Policy View and Pipe View, the "All Internal IP" table (columns Internal IP, Name, Session Count, Port, External IP, Port, Pipe, Bytes In / Out, Packets In / Out, Bandwidth (bps) In / Out) with rows for the application categories Applications, Chat, Enterprise, dhcp, dns, snmp, FileTransfer, Game, Legacy and P2P, and a Filter bar (Port, Direction, Pipe, Application, External IP, Protocol, Bridge). The Function tree shows Monitor (System Status, Report Center, File Search, Object Manager: Static, Dynamic, Login) and Management (Traffic Manager, Per IP Policy, IPv6 Policy, App ...).]
76. [Screenshot: Functions > Content Manager > IM > Status (tabs Status, IM Profiles, Global Policy, Options). Enable IM Manager. Description: "IM Manager allows you to manage IM behaviors / contents / peers. Matching priority: 1. Explicitly specified IM account; 2. AD name; 3. AD group. Users out of the schedule will apply their IM Groups' chosen IM Service." Enable Exempt Sources: Exclude rule_1 from the IM Manager enforcement. IM over proxy: Filter / record IM over HTTP / SOCKS4 / SOCKS5 proxy servers.]

Functions > Content Manager > Web > Status

User Manual, Chapter 11, Configure APP Content with AD Single Sign On (L7 Networks Inc., page 114)

Step 12 Use an OU to store the private data in the AD tree. As long as you assign the AD group or your manually created virtual group in the OU field, users' private logs are put under that OU.

First, right click on Organization Units and select Add Group to create a virtual group. In this example we add a virtual group named AE, as shown in Fig. 1.

Next, select AE in the OU field of the rule rule_1, as shown in Fig. 2.

Next, right click on the rule and select Edit User to enter the dialogue shown in Fig. 3.

[Screenshot: Web > Status (tabs Status, Web Profiles, Global Policy). Enable Web Manager is checked. Description: "Web Manager allows you to filter unwanted sites during the office hours". Enable Exempt Sources: ... from the web filter
77. ayered management and auditing mechanism can define multiple accounts with different permissions. Hence an IT member can set policy rules but cannot see the recorded data; the auditing department can only see the recorded data but cannot set policy rules; administrators can see all the data and can also control all the policy rules.

16.3 Methodology

Currently the device has 3 permission levels:
1. Admin: the most powerful user, who can do anything in the device. You should strictly disallow the IT member from holding this permission except during the initial stage of the deployment of this device.
2. MIS: this level's permission includes the configuration of any policy rules, without touching any recorded data or reports.
3. Audit: this level's permission includes browsing chat contents, URL access logs, and reports.

16.4 Steps

When you first log in to the product, you can go to the Account Manager to edit the users and passwords that will access the device.

16.4.1 Creating a New User Account

Step 1 Set up a user account (Tools > Account Manager). Click the Account Manager item. [Screenshot: the Tools menu, containing Account Manager, Change Password, Language Setting, SNMP Control, Config Backup and Config Restore.]

User Manual, Chapter 16, Advanced Multi-Layer Architecture (L7 Networks Inc., page 145)

Step 2 Adding a new user account (Tools > Account Manager > User > Add User). The product allows multiple logins
78. b page which comes from a forbidden web site will be filtered out.

[Figure: WebServer3 (140.112.1.4) on the Internet, reached through the device.]

FIGURE 12.2 Denying access to illegal websites through web filtering

2. As described in FIGURE 12.2, the user PC1-1 is browsing websites that contain stock information, violence, or even sex. Some websites may contain video or audio which may waste the company's Internet bandwidth. What is worse, the contents may lower the productivity of your employees.

12.2 Objectives
1. Block HTTP objects such as cookies, Java applets, and ActiveX from web pages.
2. Disallow employees from visiting illegal websites.

12.3 Methodology
1. Set up web objects to filter cookies or Java applets.
2. Set up the web filter to block websites by URL. The URL filter can be set up to analyze by URL keywords or by the built-in URL database. Traffic matching the URL will be blocked.

User Manual, Chapter 12, Web Manager (L7 Networks Inc., page 119)

12.4 Steps

Step 1 Enable Web Filter (Functions > Content Manager > Web > Status). Check Enable Web Filter to enable the web filter. [Screenshot: tabs Status, Web Profiles, Global Policy; the Enable Web Manager checkbox.]

Note that when you enable the function, all port-80 HTTP requests are processed by the web filter. The HTTP responses are not processed, because of performance and compatibility issues.

Step 2 Define exempt sources. You can define the IP range to which the web filter function applies. By de
79. [Screenshot residue: the Group Policy Object Editor (File, Action, View menus). Select Users > ... > Login / Logout script; right click on Login and select Properties.]

User Manual, Chapter 11, Configure APP Content with AD Single Sign On (L7 Networks Inc., page 99)

Step 6 Assign login script. Choose Add and then click the Browse button. [Screenshot: the Login Properties dialog of the Default Domain Policy.]

Step 7 Assign login script. Right click on the blank area and select New > Text file. [Screenshot: the Windows Explorer context menu (Chinese-language UI).]

User Manual, Chapter 11, Configure APP Content with AD Single Sign On (L7 Networks Inc., page 100)

Step 8 Assign login script. Change the file name to login.vbs. [Screenshot: the file renamed to login.vbs.]

Step 9 Edit login script. Right click on login.vbs and select Edit to edit the content of the file. [Screenshot: the file context menu (Open with Command Prompt, Print, Add to HFS, ...).]
80. c contains illegal contents or activities. All the well-known IMs, such as MSN, Yahoo, AIM and ICQ, automatically cheat the firewall with port-hopping behavior. The IM Manager stops their port-hopping traffic and only allows them to use their standard ports. Their standard ports are 1863, 5050, 5190 and 5190 respectively. So once you enable the IM Manager, MSN over HTTP, for example, is blocked

User Manual, Chapter 4, Internal Data Processing Flow (L7 Networks Inc., page 29)

by the IM Manager. As a result, MSN is forced onto its standard port 1863. The device then only needs to check the standard ports. This is a balance between performance and convenience. If your firewall does not open outbound port 1863, you need to open it to let the MSN traffic pass through in its standard way. If you really do not want to open any outbound ports other than port 80, you need to start the Encapsulation Manager, which allows you to manage the IM / Web contents even when the IM / Web traffic goes through HTTP / SOCKS tunnels via proxies.

4.3 User Interface

The system contains 5 window areas:
1. Toolbar: This area includes menu items and quick configuration buttons.
2. Project: This area lists the devices in the opened project.
3. Function: After you double click one device, this area shows you the available functions of the device. The functions are categorized into the Monitor, Management, and Report groups.
4. Management: After you single click on
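The port-hopping check described above, as an added example in Python that is not part of the manual or the product: it reads constructed flow records carrying the application label an L7 classifier would report, and flags the IM flows whose destination port differs from the standard port the text lists (MSN 1863, Yahoo 5050, AIM 5190, ICQ 5190). The key=value record format, the IP addresses and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Standard ports the manual lists for the four IM services
# (MSN 1863, Yahoo 5050, AIM 5190, ICQ 5190).
IM_STANDARD_PORTS: Dict[str, int] = {
    "MSN": 1863,
    "Yahoo": 5050,
    "AIM": 5190,
    "ICQ": 5190,
}

# Constructed sample records in an assumed key=value format. The app label
# is what an L7 classifier reports for the flow regardless of its port.
# These are sample data for the example, not device output.
SAMPLE_FLOWS: List[str] = [
    "src=192.168.18.20 dst=207.46.110.1 dport=1863 app=MSN",
    "src=192.168.18.21 dst=207.46.110.1 dport=80 app=MSN",     # MSN over HTTP
    "src=192.168.18.22 dst=68.180.217.1 dport=5050 app=Yahoo",
    "src=192.168.18.23 dst=68.180.217.1 dport=443 app=Yahoo",  # Yahoo hopped to 443
    "src=192.168.18.24 dst=64.12.24.1 dport=5190 app=AIM",
    "src=192.168.18.25 dst=64.12.24.1 dport=1080 app=ICQ",     # ICQ on the SOCKS port
    "src=192.168.18.26 dst=10.0.0.5 dport=80 app=HTTP",        # plain web, not an IM
]

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+app=(\S+)")


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one key=value flow record into a dict; raise on malformed input."""
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised flow record: {line!r}")
    src, dst, dport, app = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "app": app}


def find_port_hopping(lines: List[str]) -> List[Dict[str, object]]:
    """Return the IM flows whose destination port is not the service's standard port.

    Flows whose application is not one of the managed IM services are passed
    over: this is the manual's "only allow the standard ports" rule applied
    to classifier output rather than to port numbers alone.
    """
    flagged: List[Dict[str, object]] = []
    for line in lines:
        flow = parse_flow(line)
        standard = IM_STANDARD_PORTS.get(str(flow["app"]))
        if standard is None or flow["dport"] == standard:
            continue
        flow["expected_port"] = standard
        flagged.append(flow)
    return flagged


def hopping_counts(lines: List[str]) -> Dict[str, int]:
    """Count off-port flows per IM application, e.g. for a report or an alert."""
    counts: Dict[str, int] = {}
    for flow in find_port_hopping(lines):
        app = str(flow["app"])
        counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    for flow in find_port_hopping(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']} "
              f"{flow['app']} (standard port {flow['expected_port']})")
```

On the constructed records the check reports three flows (MSN on 80, Yahoo on 443, ICQ on 1080) and ignores the plain HTTP flow, which is the distinction the device relies on: the application is identified at layer 7 first, and the port is only then compared against the standard one.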
81. [Table of contents, continued]

Chapter 16 Advanced Multi-Layer Architecture .......... 145
16.1 Scenario .......... 145
16.2 Objectives .......... 145
16.3 Methodology .......... 145
16.4 Steps .......... 145
16.4.1 Creating a New User Account .......... 145
16.4.2 [title illegible] .......... 148
Appendix .......... 149
Appendix A Command Line Interface .......... 150
A.1 CLI Commands - Non-Privileged Mode .......... 150
A.2 CLI Commands - Emergency Mode .......... 152
Appendix B Troubleshooting .......... 154
Appendix C [title illegible] .......... 155

Part 1 Overview

User Manual: About This Manual

New Release 5.0.01

User Manual, Chapter 1, Product Overview (L7 Networks Inc., page 3)

Chapter 1 Product Overview

This chapter briefly introduces how to quickly install the product. What are employees doing at work? Employees often use Outlook to receive emails, Internet Explorer to browse websites, Instant Messengers (IM) such as MSN / Skype to chat with friends, and P2P software such as BT / eDonkey / Xunl
82. [Table of contents, continued]

10.1 [title illegible] .......... 71
10.2 Methodology .......... 71
10.3 [title illegible] .......... 71
10.3.1 All members are required to login via captive portal page every 8 hours except the boss .......... 71
10.3.2 Match rules using Web Login account names .......... 74
Chapter 11 Configure APP Content with AD Single Sign On .......... 78
11.1 [title illegible] .......... 78
11.2 [title illegible] .......... 78
11.3 [title illegible] .......... 79
11.3.1 Map AD User Accounts to [illegible] .......... 79
11.3.2 Map IP Addresses in Reports to AD Names .......... 103
11.4 [title illegible] .......... 108
11.4.1 Manage RD People's Activities .......... 108
11.4.2 [title illegible] .......... 108
Chapter 12 Web Manager .......... 118
12.1 Scenario .......... 118
12.2 Objectives .......... 119
12.3 Methodology .......... 119
12.4 Steps .......... 120
Chapter 13 Encryption Web Manager .......... 124
13.1 [title illegible] .......... 124
13.2 [title illegible] .......... 124
13.3 Methodology .......... 124
13.4 [title illegible] .......... 125
83. [Screenshot residue: the App Policy list (Status and Policy tabs) with a filter on MSN and the option "apply actions in selected rules at once"; columns Status, Condition (Schedule, Rule Name, Internal IP, Protocol), Action (Security Profile).]

[Screenshot: Functions > Content Manager > IM > Status (tabs Status, IM Profiles, Global Policy, Options). Enable IM Manager. Description: "IM Manager allows you to manage IM behaviors / contents / peers. Matching priority: 1. Explicitly specified IM account; 2. AD name; 3. AD group. Users out of the schedule will apply their IM Groups' chosen IM Service." Exempt Source / Destination: Enable Exempt Sources; Exclude rule_1 from the IM Manager enforcement; Include ServerHTTP in the IM Manager enforcement. IM over proxy.]

Functions > Content Manager > IM > Global Policy > IM Content > Chat

(L7 Networks Inc., page 110)

Step 3 Create Content Policy. Go to Content Policy > Policy and right click on the area to choose New User. In the Name field we select RDGROUP and select Enable in the MSG Rec field to record the MSN messages. Click Finish to confirm.

User Manual, Chapter 11, Configure APP Content with AD Single Sign On

[Screenshot: IM > Global Policy (tabs Status, IM Profiles, Global Policy, Options) with the sub-tabs IM Peers, IM Contents and IM Security; IM Messages: Chat, File; Enable keyword filtering; keyword groups: Dirty Words, Name, Confidenti
84. [Screenshot residue: the Per IP policy list. Note: "... policy priority: L4 > Per IP > L7". Columns: No., Rule Name, Src, Service, Session, Upload, Download, Quota, and the Session, Upload and Download limits that apply once the quota is exceeded. Legible rows:]

No. | Rule Name    | Src   | Service | Upload    | Download
1   | Default rule | any   | any     | 1000 Mbps | 1000 Mbps
    | Admin        | Admin | any     | 1000 Mbps | 1000 Mbps
    | Sales        | Sales | any     | 1 Mbps    | 1 Mbps
    | Sales_2      | Sales | P2P     | 0.5 Mbps  | 0.5 Mbps

User Manual, Chapter 7, Traffic Manager (L7 Networks Inc., page 46)

Chapter 7 Traffic Manager

This chapter introduces how the Traffic Manager works for your needs.

People often use Outlook to receive emails, Internet Explorer to browse websites, IM such as MSN / Skype to communicate with friends, and P2P such as KaZaA / BitTorrent / eMule to download files. With effective management, IM / P2P can be a very good communication medium. However, P2P often consumes a huge amount of bandwidth. This "all you can eat" style of bandwidth consumption challenges both internal and external networks. Bandwidth at the external network is occupied by P2P, so mission-critical applications cannot obtain adequate bandwidth. Internal subscribers compete for the limited bandwidth at the external network, causing unfairness among them. For telecom operators and campus network administrators, simultaneously solving the internal and external bandwidth problems becomes the most critical demand.

Organizations that emphasize network performance may have deployed L4 bandwidth management systems. BT, Xunlei, FlashGet, MSN, Yahoo, ICQ, AOL, Skyp
85. [Screenshot residue: the New User dialog ("The Name field could be AD account, AD group, ..."). IM: MSG Rec Enable / Disable; File Rec Enable / Disable; MSN Account Allow; Yahoo Account Allow; AOL Account Allow; ICQ Account Allow; IM Service Platinum. Web: URL Rec Enable / Disable; Web POST Allow; Web Service ... The rule is named rule_john.]

Step 10 Create IP Groups (Functions > Object Manager > Static > Address > Static Object).

(L7 Networks Inc., page 113)

Go to Object Manager > Static > Address > Static Objects and right click on the tree root or any tree node of the tree. Select Add in the pop-up menu and give a meaningful name in the Name field. Select Range, input 192.168.18.20 in the Start IP field and 192.168.18.30 in the End IP field, and click the OK button.

Step 11 Exclude Specific IPs. Check the Exempt (Source / Destination) option and select the Exclude option to enter the host rule_1.

User Manual, Chapter 11, Configure APP Content with AD Single Sign On

[Screenshot residue: the static address object tree (HostCEO, HostCTO, ..., SubnetFINANCE, ...) and the Add object dialog with the Range type selected.]
86. e, Google Talk can emulate themselves to behave like web or email to cheat firewalls, tunnel through proxy servers, or even encrypt themselves with SSL. Network administrators cannot manage them completely.

7.1 Scenario

In order to manage the bandwidth of FTP, administrators hope to put the FTP service into the Middle class and limit the Middle class to occupy only 18% of the inbound and of the outbound bandwidth.

[Figure: InstantScan between the Firewall and the internal network, with an FTP Server at 140.113.179.4. Outbound classes: High [value illegible]; Middle 0.36 Mbps; Low 32%, 0.64 Mbps.]

FIGURE 7.1 Outbound bandwidth management

User Manual, Chapter 7, Traffic Manager (L7 Networks Inc., page 47)

[Figure: FTP Server 130.115.179.4. Inbound classes: High 50 Mbps; Middle 18 Mbps; Low 32 Mbps.]

FIGURE 7.2 Inbound bandwidth management

7.2 Methodology

The product can separate the inbound / outbound traffic into at least 3 classes, as in the figure below. The total outbound bandwidth is 2 Mbps and the total inbound bandwidth is 100 Mbps.

[Figure: Inbound 100 Mbps: Middle 18% = 18 Mbps; Low 32% = 32 Mbps.]

According to the figure, if some applications are classified into the class Low, their maximum outbound bandwidth is 0.64 Mbps and their maximum inbound bandwidth is 32 Mbps. For example, if MSN / Yahoo / ICQ / AOL / Google Talk are classified into class Low, the bandwidth of MSN
87. e Restart Now to reboot the system. [Dialog: "Windows must be restarted before the changes made by the Active Directory Installation Wizard take effect." Restart Now / Don't Restart Now.] Fig. 13

(L7 Networks Inc., page 85)

After the reboot, we will check what the differences are. First of all, we will find that booting or shutting down the system has become slower. And we can see that the login user interface contains a new field, "Log on to". Choose the TEST domain to log in; we are then logged in to the TEST AD domain.

After we have successfully logged into the system, we can check My Computer > Properties. Click the Computer Name tab (Fig. 15); you will see that the domain is test.com. In this way, we have made a normal Windows 2003 Server become a Domain Controller (DC).

User Manual, Chapter 11, Configure APP Content with AD Single Sign On

[Fig. 14: the "Log On to Windows" dialog of Windows Server 2003 Standard Edition (Copyright 2005 Microsoft Corporation). User name: Administrator; Password; Log on to: TEST; OK / Cancel / Shut Down / Options.]

[Fig. 15: System Properties, Computer Name tab (other tabs: General, Hardware, Advanced, Remote). "Windows uses the following information to identify your computer on the network." Computer description (for example "IIS Production Server" or "Accounting Server"); Full computer name: allot.test.com; Domain: test.com.] To rename this computer
88. [Screenshot: the Edit Policy dialog of a Per IP policy, with a Description field.]

Note: Packets are top-down matched with the policy. Only the last matched policy takes effect.

Note: Bandwidth policy priority: Per IP > L7 > L4. Block policy priority: L4 > Per IP > L7.

[Screenshot: the Per IP policy list. Columns: Status; Condition (Rule Name, Src, Service); Action (Session, Upload, Download); Quota; 2nd-level action when exceeding the quota (Session, Upload, ...). Row: Default rule, any, any, 1000 Mbps, 1000 Mbps. Context menu: Add Per IP policy, Add Per IP app policy, Edit policy, Delete policy.]

User Manual, Chapter 6, Per IP Manager (L7 Networks Inc., page 43)

Step 5 Limit the session bandwidth (Management > Per IP Limit Manager > Policy). Change the session limit to 0 (unlimited); note that 0 means unlimited. [Screenshot: the policy dialog. Rule name: Admin. Per IP: Session limit; Upload limit 1000; Download limit 1000 Mbps; "Note: Zero means no limit". Quota: Use Quota; Quota policy. Reduced Policy: Session limit, Upload limit, Download limit.]

Step 6 Add a new rule (Functions > Traffic Manager > App Policy). Right click to add a new rule for UnLimitedGroup. [Screenshot: tabs Status, Policy, Quota Profile; a Description field with the same two notes as above.]

Condition Acti
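The two notes above (top-down matching where only the last matched policy takes effect) change how the Per IP rule table from the Traffic Manager chapter (Default rule, Admin, Sales, Sales_2) must be read. The following Python is an added example, not the manual's or the product's code: it evaluates that rule table under last-match semantics and, for contrast, under the first-match semantics many firewalls use. The address-group memberships, the service labels and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PerIpRule:
    """One row of the Per IP policy table (limits in Mbps)."""
    name: str
    src: str          # address group name, or "any"
    service: str      # application / service name, or "any"
    upload_mbps: float
    download_mbps: float


# Constructed address groups; the manual's Object Manager would hold these.
# The IP addresses are assumptions for the example.
ADDRESS_GROUPS: Dict[str, Set[str]] = {
    "Admin": {"192.168.168.2"},
    "Sales": {"192.168.20.10", "192.168.20.11"},
}

# The rule table in the order the manual's screenshot shows it: the
# catch-all Default rule comes FIRST, the most specific rule LAST.
RULES: List[PerIpRule] = [
    PerIpRule("Default rule", "any", "any", 1000, 1000),
    PerIpRule("Admin", "Admin", "any", 1000, 1000),
    PerIpRule("Sales", "Sales", "any", 1, 1),
    PerIpRule("Sales_2", "Sales", "P2P", 0.5, 0.5),
]


def rule_matches(rule: PerIpRule, src_ip: str, service: str) -> bool:
    """A rule matches when both its source group and its service cover the flow."""
    src_ok = rule.src == "any" or src_ip in ADDRESS_GROUPS.get(rule.src, set())
    svc_ok = rule.service == "any" or rule.service == service
    return src_ok and svc_ok


def match_last(rules: List[PerIpRule], src_ip: str, service: str) -> Optional[PerIpRule]:
    """Device semantics from the note: walk top-down, the LAST match takes effect."""
    chosen: Optional[PerIpRule] = None
    for rule in rules:
        if rule_matches(rule, src_ip, service):
            chosen = rule
    return chosen


def match_first(rules: List[PerIpRule], src_ip: str, service: str) -> Optional[PerIpRule]:
    """First-match semantics, shown only to contrast with the device's behaviour."""
    for rule in rules:
        if rule_matches(rule, src_ip, service):
            return rule
    return None


def effective_limits(src_ip: str, service: str) -> Dict[str, float]:
    """Upload / download limits the device would apply to one flow."""
    rule = match_last(RULES, src_ip, service)
    if rule is None:
        raise LookupError("no rule matched; the table should always contain a default")
    return {"upload_mbps": rule.upload_mbps, "download_mbps": rule.download_mbps}


if __name__ == "__main__":
    for ip, svc in [("192.168.20.10", "P2P"), ("192.168.20.10", "HTTP"),
                    ("192.168.168.2", "P2P"), ("10.9.9.9", "P2P")]:
        last = match_last(RULES, ip, svc)
        first = match_first(RULES, ip, svc)
        print(f"{ip} {svc}: device applies {last.name}, first-match would apply {first.name}")
```

Under the device's rule, a Sales host doing P2P gets Sales_2 (0.5 Mbps) and the same host browsing gets Sales (1 Mbps), while under first-match semantics every flow would stop at the Default rule. The practical consequence for configuration is that a broad rule placed below a narrower one shadows it, so the order shown in the table (default first, specific last) is the one to keep.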
... and cannot be selected again. When users visit websites in the selected categories they are blocked.

However, the built-in database and custom URL keywords may accidentally block the wrong websites. You can define exceptions by editing the Excluded Full Domain Groups or Excluded URL Keyword Groups of the web profile.

Web profile name (for example "Silver"): this name is referenced in the Content Policy. All users, or a group of groups, assigned to this profile name are limited by the settings defined in the profile.

The web profile editor shows the tree Service Name > Custom Websites > Block, Built-in Website Categories > Block, and Excluded Websites > Full Domain Groups / URL Keyword Groups.

Edit web profile > Built-in Website Categories > Block: move categories from the list on the right to the list on the left; websites in the chosen categories are blocked. Blocked categories in the example: WebMail, WebIM, Blog, Discuss, Game, IM, NEWS, Photo, Pornography, Sports. Further available categories include Child Care, Prostitution, Crime, Drugs, Gamble, Violent, Non Office and Friends.

Edit web profile > Excluded Full Domain Groups: move groups from the list on the right to the list on the left. URLs in these groups will not be blocked or traffic-limited.
... and no other P2P applications during office hours. During office hours, R&D members are not allowed to transfer files through Skype.

8.3 Methodology
1. Allow all traffic from the CEO and CTO.
2. Apart from the CEO and CTO, employees may only use MSN; all other IMs are blocked.
3. Apart from the CEO and CTO, employees may use Skype; all other P2P or VoIP software is strictly forbidden.
4. During working hours, R&D members are not allowed to transfer files through Skype.

8.4 Steps
1. Enable the App Policy.
2. Set up the working-hours schedule and permit all traffic from the Boss group.
3. Allow MSN but block all other IM software.
4. Allow Skype but deny all other P2P / VoIP software.
5. During office hours, block R&D's Skype File Transfer activity.

Note:
1. The default action of the device is Allow. If you do not set a rule to Block but leave it at Allow, it is better to set the rule's schedule to Never, which greatly improves throughput.
2. If the product is deployed outside the NAT / firewall, all discovered traffic will appear to come from the same (NAT) IP address.

Chapter 8 App Policy

8.4.1 Set up IM Policy by App Policy Rules

Step 1 Enable the App Policy function (Management > App Policy)
Check Enable App Policy. The App Policy page has the tabs Status, Policy and Options. Description: 1. Policy order: Per IP Policy > App Policy. 2. App polic
VoIP and P2P rules in the App Policy list, each with Src any and action Allow: SIP_Rule_1 (VoIP SIP, Yahoo Voice, ...), H323_Rule_1 (VoIP H.323, NetMeeting), VOIPBUSTER_Rule_1 (VoIP VoIPBuster), XUNLEI_Rule_1 (P2P Xunlei, FlashGet, DS Lite), BITTORRENT_Rule_1 (P2P BitTorrent, BitComet, uTorrent, ...), EDONKEY_Rule_1 (P2P eDonkey, Overnet, eMule, ...), WINNY_Rule_1 (P2P Winny).

Step 3 Select the schedule group (Function > Management > App Policy > Policy)
Select the WorkingHours schedule group to apply that schedule to all rules in the Chat group. You may also select the schedule manually for individual applications.

Chapter 8 App Policy

With the list filtered by Chat, the policy table shows the columns Schedule, Status, Rule Name, Src, Dst, Protocol, Action, Security Profile and Pipe. Before the change every Chat rule (MSN_Rule_1, YAHOO_Rule_1, AOL_Rule_1, XMPP_Rule_1, QQ_Rule_1, QQCHATROOM_Rule_1, ...) has Schedule Always, Src any, Dst any, Action Allow and Pipe High. Applications covered include Chat Yahoo (Yahoo, Trillian, Miranda, Gaim), Chat AOL (AOL, AIM, Triton, ICQ, Trillian, Miranda) and Chat QQ.
..., KaZaA, Kuro and ezPeer to download illegal data. Among these, Email and IM are channels for information leakage or virus intrusion, while P2P applications are bandwidth killers and may carry spyware. What is worse, IM wastes employees' productivity through interruptions from friends during office hours. However, IM saves communication cost and can make communication more efficient, so many enterprises are willing to allow it.

Tough IM / P2P: Tunneling Through the Firewall

Enterprises that emphasize network security may have deployed Email and Web auditing / management systems. By comparison, IM and P2P lack auditing, recording, behavior management, content management and bandwidth management, because IM / P2P software is optimized to tunnel through firewalls: MSN, Yahoo, ICQ, AOL, Skype and Google Talk can disguise themselves as Web or Email traffic to fool firewalls, tunnel through proxy servers, or even encrypt themselves. Network administrators cannot manage them completely.

1.1 Packing

Please check your package and make sure you have the following accessories. If you have questions, please ask your local dealer.

Item: chassis mounting brackets (rack ears), screws, RJ-45 network cable, AC power cable, RS-232 console cable.

FIGURE 1.1 Items included in the package

1.2 Hardware Installation

The product can be mounted in a standard 19-inch rack or placed on any flat surface. Please use
Accept the name shown, or type a new name; here it is named "test" (Fig. 5).

Next we assign the paths that store the AD database and the event logs. If there is enough space on drive C, keep the default settings shown in Fig. 6: Database folder C:\WINDOWS\NTDS and Log folder C:\WINDOWS\NTDS. The wizard notes that for best performance and recoverability the database and the log should be stored on separate hard disks.

Fig. 6 Active Directory Installation Wizard, Database and Log Folders

Chapter 11 Configure APP Content with AD Single Sign On

Next we set up the Shared System Volume. We suggest leaving the default path as shown in Fig. 7. The SYSVOL folder stores the server's copy of the domain's public files; its contents are replicated to all domain controllers in the domain, and it must be located on an NTFS volume.

Fig. 7 Active Directory Installation Wizard, Shared System Volume
... (Fig. 2)

11.4 A Real Example

11.4.1 Manage R&D People's Activities
• For AD users in RDGROUP: no MSN during office hours. They may use MSN outside office hours, but all chats are recorded and filtered by keyword.
• For the AD user account John: his web browsing of news, sports and certain URLs is blocked at all times.
• Users in the IP range 192.168.18.20 to 192.168.18.30 are not filtered.
• Use the organizational unit to group the recorded data.

11.4.2 Detailed Steps

Step 1 Check the original schedule (Functions > Objects Manager > Static Objects > Schedule > Object)
Review the existing schedule objects (the office hours end at 17:30, with a break starting at 13:00).

Chapter 11 Configure APP Content with AD Single Sign On

Step 2 Add a schedule (Functions > Static > Schedule > Object)
Add a schedule named worktime for the office hours. The schedule table has the columns No, Name, Start Time and Stop Time.

Step 3 Import AD accounts (Functions > Object Manager > Dynamic Object > AD Import)
Go to Object Manager > Dynamic Objects > AD Import to import all AD accounts and AD groups.
...er IP address, and click the OK button.

Step 2 Add Web Login rules
In the Policy tab there is a default rule, Guest, which applies to all users. We want to exclude BOSS from Web Login in the following setup.

Right-click in the policy area and choose Insert policy to insert a new policy named rule_BOSS; select the object BOSS in the IP address field and choose Allow in the ACL field.

Select the Guest policy rule and choose Web Auth in the ACL field; double-click the System Logout field and enter 8 hours. Click OK and then upload the configuration.

Chapter 10 Configure APP Content with WebLogin

Add Web Login rules (Functions > Object Manager > Static > Address > Static Object)
The static address object list holds Host, Range and Subnet objects (for example BOSS as a Host object with a single IP, plus subnet objects for the company's departments).

Note: Sessions are matched top-down against the policy list and the first matching policy takes effect, so rule_BOSS must sit above Guest for BOSS to bypass Web Auth.
Syslog event messages S31 to S52 (pattern, engine and database update and restore events; "X.X.XX" stands for the version and "XX" for the error code). The legible messages and, where legible, their severities are:
• App Policy pattern updated to version X.X.XX (Warning)
• App Policy pattern update has failed, error code XX
• App Policy pattern restore has failed, error code XX
• App Policy engine updated to version X.X.XX
• App Policy engine restored to version X.X.XX
• AVDB updated to version X.X.XX
• AVDB update has failed, error code XX
• AVDB restored to version X.X.XX.XXX (Warning)
• Antivirus database engine updated to version X.X.XX (Warning)
• URLDB updated to version X.X.XX (Warning)
• URLDB update has failed, error code XX
• URLDB restored to version X.X.XX.XXX
• URLDB restore has failed, error code XX
• URL database engine restored to version X.X.XX
• URL database engine restore has failed, error code XX (Critical)
• URL database engine update has failed, error code XX
• IM engine updated to version X.X.XX
• IM engine has failed, error code XX
• IM engine restored to version X.X.XX.XXX
• IM engine restore has failed, error code XX
• SWID updated successfully: the device updates its database and then responds with a new SWID
Several IDs in this range are reserved for future use.
By default the function applies to all computers.

Description: Web Manager allows you to filter unwanted sites during office hours.

Static Exempt (Source / Destination): Enable Exempt Sources; Exclude [Bypass] from the web filter enforcement; Include [any] in the web filter enforcement.
Dynamic Exempt (Source / Destination): Enable Exempt Sources; Exclude [any] from the web filter enforcement.

Select Boss in the Exclude field to exempt Boss from web filter enforcement.

Encrypted HTTPS Website: Enable HTTPS Website Filtering. This function enables filtering of HTTPS websites. For example, when a user connects to https://www.facebook.com the device looks the site up in its URL database, learns that it is a Social website, and then matches the policy rules to decide whether to allow it. Note: blocking an HTTPS website will not display the custom warning page.

Field | Description | Range | Default
Exempt Sources | Enable the exempt source function | Enable / Disable |
Exclude ... from the web filter enforcement | Exclude the selected users from web filtering; all other computers are subject to web filtering | Enable / Disable | Boss
Include ... in the web filter enforcement | Apply web filtering only to the selected users; all other computers are not subject to web filtering | Enable / Disable |

FIGURE 12.1 Exempt source fields

Chapter 12 Web Manager

Step 3 Define Excluded Domains (Funct
... often need to authenticate users to know the exact identity of each user. The Web Login function of the product achieves this in the following steps:
1. Force the subnet of R&D employees to authenticate by web login; users who have not logged in are not allowed through.
2. Tag the reports with the authenticated Web Login user names.
3. Configure APP Content policy rules to use the Web Login user names.

10.2 Methodology
1.1 All members should authenticate every 8 hours except the boss
  1.1.1 Enable Web Login
  1.1.2 Add Web Login user names and passwords
  1.1.3 Add Web Login rules
1.2 Set up rules that use Web Login names for filtering
  1.2.1 Assign Web Login user names in App Policy rules
  1.2.2 Assign Web Login user names in Content Policy rules
  1.2.3 Import Web Login user accounts into Content Policy rules

10.3 Steps

10.3.1 All members are required to log in via the captive portal page every 8 hours, except the boss

10.3.1.1 Enable Web Login

Step 1 Enable Web Login (Functions > Object Manager > Web Login > Status)
Click the Web Login Status tab, select Enable Web Login and upload the configuration. Description: Web Login allows you to authenticate users at their web browsers. Upon login, users are notified of their time quota.

10.3.1.2 Add Web Login accounts

Step 1 Add a Web Login account and its password
In the Account field, fill in
Chat rules continued: GADU_Rule_1 (Chat Gadu-Gadu: Gadu-Gadu, Kadu, Miranda, Gaim), UC_Rule_1 (Chat UC: Sina UC), POPO_Rule_1 (Chat POPO: popo163), ALIWANGWANG_Rule_1 (Chat AliWangWang: Taobao AliWangWang), FETION_Rule_1 (Chat Fetion: China Mobile Fetion), DOSHOW_Rule_1 (Chat DoShow), WEBIM_Rule_1 (Chat WebIM: MSN Web Messenger, eBuddy, ...), all still with action Allow.

Step 5 Select the Security Profile (Function > Management > App Policy > Policy)
Select Block in the Security list box to apply the block policy to all listed Chat applications. Afterwards, remember to set the MSN policy rule back to Allow, since the company allows MSN during office hours.

Chapter 8 App Policy

After Steps 3 and 4 the Chat rules show Schedule WorkingHours, Src Boss with the inverse icon (every address except the Boss group), Action Allow and Pipe High: MSN_Rule_1, YAHOO_Rule_1 (Chat Yahoo: Yahoo, Trillian, Miranda, Gaim), AOL_Rule_1 (Chat AOL: AOL, AIM, Triton, ICQ, Trillian, Miranda), XMPP_Rule_1 (Chat XMPP: Google Talk, Gaim), QQ_Rule_1 (Chat QQ), QQCHATROOM_Rule_1, QQMEDIA_Rule_1, ...
Note that the first installation always runs into the "DNS Registration Diagnostics failed" problem. Although we have installed the DNS server, we have not configured it, so no DNS server responds. Here we configure the DNS server and make this server the first Domain Controller (Fig. 8).

Fig. 8 DNS Registration Diagnostics: "Verify DNS support, or install DNS on this computer. Diagnostic Failed. The registration diagnostic has been run 1 time. Warning: Domain Controller functions like joining a domain, logging onto a domain, and Active Directory replication will not be available until the DNS infrastructure for Active Directory is correctly configured. The wizard encountered an error while trying to determine if the DNS server with which this domain controller will register supports dynamic updates. For more information, including steps to correct this problem, see Help." Option: "I have corrected the problem. Perform the DNS diagnostic test again."

Chapter 11 Configure APP Content with AD Single Sign On

Next we choose the default permissions for user and group objects (Fig. 9). We choose the second option, "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems". The wizard explains that some server programs, such as Windows NT Remote Access Service, read information stored on domain controllers
The following sections focus on how to overcome these problems in your network.

FIGURE 4.1 Traffic flow in the device (Firewall > Traffic Discovery > App Policy > IM Manager / Web Manager; packets are classified by application rather than by well-known port)

As displayed in FIGURE 4.1, traffic flowing through the device first enters the Traffic Discovery module (Monitor > Realtime), which performs layer-7 deep packet inspection, and then the App Policy module, which blocks unwanted applications. No matter whether an application uses HTTP or SOCKS tunnels to fool IT staff, all packets are analyzed by the layer-7 inspection engine. The App Policy then makes the final decision from the source / destination IP addresses and the real application name, instead of the port number.

When you enable the Web Manager, all web traffic is analyzed to decide whether its content should be blocked. A built-in URL database quickly checks for unwanted websites and immediately returns a warning message to the user. Moreover, the URL access history of each person can be fully recorded for further investigation.

If you enable the IM Manager, the traffic is analyzed to see whether the IM traffi
Right-click in the area of the WH_Morning rule and select the Edit Entry item.

Chapter 9 Address & Schedule Objects

Functions > Content Manager > Object Manager > Schedule > Objects
The Objects tab lists named schedules: Morning (Start Time 08:30, Stop Time 12:00) and Afternoon (13:00 to 17:30).

The schedule table has the columns No, Name, Sun, Mon, Tue, Wed, Thu, Fri, Sat, Start Time and Stop Time. Choosing Add New Schedule prompts "Please input schedule name"; after adding, the list shows 1 WH_Morning. The right-click menu offers Add Schedule and Delete Schedule.

Step 5 Pick the start time (Functions > Content Manager > Object Manager > Schedule > Objects)
Select the Start Time and click OK to close the Edit Start Time dialog (Time: Hour 8, Min 30). The settings for Stop Time are the same.

Step 6 Weekday schedules (Functions > Content Manager > Object Manager > Schedule > Objects)
The office hours for company ABC are from Monday to Friday. Move your mouse over
Chapter 5 Traffic Discovery

(Traffic Discovery screens: the real-time application list with protocol names, for example FTP File Transfer and TFTP Trivial File Transfer, and per-application traffic figures.)

Part 4 Traffic Manager

Chapter 6 Per IP Manager

This chapter introduces how the Per IP Manager works for your needs.

The Per IP Manager can set many limits for each internal IP address, such as session count, upload rate, download rate, and hourly / daily / weekly quota.

6.1 Scenario
John and Marry belong to the group Admin. Paul, Zakk and Eric belong to the group Sales. The members in group
Chapter 13 Encryption Web Manager

Field | Description | Range | Default
Enable URL Database | Use the built-in URL database to block websites | Enable / Disable |
Action | Action to take when the URL matches the URL database | Log & Block, Block Only | Log & Block
Enable all categories | Block all categories that match the URL database | Enable / Disable | Disable
Advertisements, Audio / Video, Drugs, etc. | Check the URL categories to be enforced | Enable / Disable | Enable

FIGURE 13.2 URL Web filtering fields

Step 5 URL keyword blocking (Functions > Content Manager > Web > Global Policy > URL Keywords / Categories)
Check Enable URL Keyword blocking to block any URL containing one of the keywords listed in the settings. The product has preset keywords; you can change them by right-clicking the item. The Global Policy tree contains Web Sites, Web Contents, Web Messages, Web Alert, URL Keywords / Categories, Excluded Full Domains and Excluded URL Keywords.

Description:
Step 1 Edit the URL keywords and their categories here.
Step 2 Go to Web > Web Profiles to add URL keyword groups to some permission level.
Step 3 Go to Content Policy to assign some object to the permission level.

Note that keywords are partially matched against URLs, so a short keyword also matches longer words that contain it. For example, keyword se
hierarchy

Pipe | Upload bandwidth | Download bandwidth
High | 50.0 Mb/s | 50.0 Mb/s
Middle | 18.0 Mb/s | 18.0 Mb/s
Low | 32.0 Mb/s | 32.0 Mb/s

Functions > Traffic Manager > App Policy: the policy table columns are Status, Condition (Schedule, Rule Name, Src, Dst, Protocol) and Action (Security Profile, Pipe). Example rows, all with Schedule Always, Src any, Dst any and action Allow: HTTP download rule (Web Http Download: zip, rar, exe, iso, wmv, rmvb, ...; Pipe High), HTTPVIDEO_Rule (Web Http Video; High), FTP_Rule_1 (File Transfer FTP; Middle), SKYPE_Rule_1 (VoIP Skype; High), SKYPEFILE_Rule_1 (VoIP Skype File Transfer; High), SKYPEOUT_Rule_1, SIP_Rule_1, H323_Rule_1, VOIPBUSTER_Rule_1 (VoIP VoIPBuster), XUNLEI_Rule_1 (P2P Xunlei, FlashGet, DS Lite), BITTORRENT_Rule_1 (P2P BitTorrent, BitComet, uTorrent, ...; High), EDONKEY_Rule_1 (P2P eDonkey, Overnet, eMule; High), WINNY_Rule_1 (P2P Winny; High).

The Update menu (Update / Tools / Help) offers Upload configuration, Update pattern, Update URL database, License and License Status.

Chapter 8 App Policy
Chat rules after Step 5, each with Schedule WorkingHours, Src Boss with the inverse icon, Dst any, Security Profile Block & log and Pipe High: YAHOO_Rule_1 (Chat Yahoo: Yahoo, Trillian, Miranda, Gaim), AOL_Rule_1 (Chat AOL: AOL, AIM, Triton, ICQ, Trillian, Miranda), XMPP_Rule_1 (Chat XMPP: Google Talk, Gaim), QQ_Rule_1 (Chat QQ), QQCHATROOM_Rule_1 (Chat QQ ChatRoom), QQMEDIA_Rule_1 (Chat QQ Media: File Transfer, Voice, Video), QQSHARE_Rule_1 (Chat QQ Shared Files), GADU_Rule_1 (Chat Gadu-Gadu: Gadu-Gadu, Kadu, Miranda, Gaim), UC_Rule_1 (Chat UC: Sina UC), POPO_Rule_1 (Chat POPO: popo163), ALIWANGWANG_Rule_1 (Chat AliWangWang: Taobao AliWangWang), FETION_Rule_1 (Chat Fetion: China Mobile Fetion), DOSHOW_Rule_1 (Chat DoShow), WEBI
Step 3 Define Excluded Domains (Functions > Content Manager > Web > Global Policy > Web Sites > Excluded Full Domains)
Edit the Excluded Full Domains to add trusted domains and their groups. Enter a trusted domain by right-clicking the group name (the initial group is "default"; the page also has a Search keyword box and File Import / File Export buttons). Note that entering too many domains slows down network performance.

Description:
Step 1 Edit the full domains and their groups here.
Step 2 Go to Web > Web Profiles to add Excluded Full Domain Groups to some permission level.
Step 3 Go to Content Policy to assign some object to the permission level.

Step 4 Enable the URL database (Functions > Content Manager > Web > Web Profiles)
Check Enable URL Database to use the built-in URL database. You can select the URL categories and the actions. For example, the profile Silver lists the categories Audio / Video, WebMail, WebIM, Blog, Discuss, Game, IM, NEWS, Photo, Pornography, Sports, Stocks and Chatroom.
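The Web Manager pages describe three mechanisms that interact: URL keywords matched as substrings (which is why a short keyword can block an unrelated site), Excluded Full Domains as the documented escape hatch, and the built-in URL database with its categories, which is also what the HTTPS filtering consults. The following Python script is an added example, not the product's code, showing the lookup order the manual implies. It assumes the exclusion list is checked first and that for an https:// URL only the server name is inspected, because the path of an encrypted request is not visible to a device that does not terminate the TLS session; the keyword list is the one shown in FIGURE 12.5, while the URL database, the blocked categories and the domain group are constructed for illustration.

```python
"""Web Manager lookup order: excluded full domains, URL keywords, URL database
(added example, not the product's code).

Assumptions: the Excluded Full Domains list is consulted before anything else;
keywords are substrings of the whole URL; over HTTPS only the server name is
inspected. The keyword list is the one in FIGURE 12.5; the URL database, the
blocked categories and the domain group are constructed for illustration.
"""
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

URL_KEYWORDS = ("adv", "advertise", "adsrv", "banner", "splash")

# Constructed stand-in for the built-in URL database (domain -> category).
URL_DB: Dict[str, str] = {
    "facebook.com": "Social",
    "news.example.test": "NEWS",
    "stocks.example.test": "Stocks",
}
BLOCKED_CATEGORIES: Set[str] = {"Social", "NEWS", "Pornography"}

# Excluded Full Domain Groups: group name -> trusted domains (constructed).
EXCLUDED_FULL_DOMAINS: Dict[str, Set[str]] = {
    "default": {"intranet.example.test", "advance-bank.test"},
}


def lookup_category(host: str) -> Optional[str]:
    """Match the host or any parent domain against the URL database."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in URL_DB:
            return URL_DB[candidate]
    return None


def is_excluded(host: str) -> bool:
    """True when the host is one of the trusted full domains or a subdomain of one."""
    for domains in EXCLUDED_FULL_DOMAINS.values():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return True
    return False


def decide(url: str) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_excluded(host):
        return "allow", "excluded full domain"
    if parts.scheme == "https":
        subject = host  # only the server name is visible in an encrypted session
    else:
        subject = host + parts.path + ("?" + parts.query if parts.query else "")
    for keyword in URL_KEYWORDS:
        if keyword in subject:  # partial match, as the manual notes
            return "block", "keyword " + keyword
    category = lookup_category(host)
    if category in BLOCKED_CATEGORIES:
        return "block", "category " + category
    return "allow", "no match"


if __name__ == "__main__":
    for url in (
        "http://www.advance-tools.test/",          # false positive on "adv"
        "http://www.advance-bank.test/login",      # rescued by the exclusion
        "https://www.facebook.com/some/page",      # category Social
        "http://cdn.example.test/img/banner.png",  # keyword in the path
        "https://cdn.example.test/img/banner.png", # path invisible over HTTPS
    ):
        print(url, decide(url))
```

The two banner.png requests are the caveat worth remembering: the same keyword blocks the HTTP request and passes the HTTPS one, because only the host name is visible. Keyword rules therefore protect plaintext web traffic; for HTTPS, rely on the URL database categories (or the SSL proxy) and, as the manual notes, expect no custom warning page on a block.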
This chapter shows you how to set up objects for use when managing policy rules.

Scenario: Company ABC wants to manage the permissions of all IP addresses in the company; however, the CEO and CTO have full permission to access all Internet resources. Company ABC's working hours are Monday to Friday, 08:30 to 17:30; 12:00 to 13:00 at noon is the employees' free time to do anything. According to company policy, some IM or P2P applications are not allowed during office hours. Objects of the same nature should be grouped together to simplify the configuration of the policy rules.

(Network diagram: Management Department 192.168.168.2 to 192.168.168.200; Marketing Department 192.168.16.1 to 192.168.16.254; RD Department 192.168.17.1 to 192.168.17.254; the InstantScan device sits between the firewall and the router, with its MGMT port at 192.168.168.201 and the Management Client / Server at 10.1.1.1; solid lines are cable connections, dashed lines are message passing.)

9.2 Methodology
1. Assign the CEO's IP address as 192.168.168.2 and the CTO's IP address as 192.168.168.10, then group the CEO and CTO into an address group object named Boss.
2. Define the time slots of the company's office hours, then group the schedule objects into a schedule group object named WorkingHours.

9.3 Steps
App Policy rules continued: SKYPE_Rule_1 (Src any, Dst any; Allow; High), SKYPEFILE_Rule_1 (VoIP Skype File Transfer; Allow; High), SKYPEOUT_Rule_1 (Allow; High), SIP_Rule_1 (VoIP SIP, Yahoo Voice, ...; Allow; High), H323_Rule_1 (VoIP H.323, NetMeeting; Allow; High), VOIPBUSTER_Rule_1 (VoIP VoIPBuster; Allow; High), HTTP download rule (Web Http Download: zip, rar, exe, iso, wmv, rmvb, ...; Allow; High). The Schedule drop-down offers Morning, Afternoon and WorkingHours.

Step 4 Choose the source IP
Since the CEO and CTO should have full permission to access Internet resources, assign the address object Boss set up in the last chapter to exclude them from management: select the inverse icon on Boss to exclude them.

Step 5 Choose the security profile
In the quick configuration toolbar, select Block to apply the Deny policy to all listed rules.

Step 6 Choose the bandwidth class
In the quick configuration toolbar, select Low in the Traffic Profile field to limit all P2P applications to the Low traffic pipe.

Step 7 Adjust the security profile of Skype
According to company policy, employees may use Skype, so set the security profile of the Skype rule back to Allow. The Skype traffic can then pass through the product.

Chapter 8 App Policy
Click Update URL database.

Step 2 Upgrade the URLDB
Click OK to start updating the URLDB. The Update > Update URL database dialog shows the current URL database version and the latest available version and asks "Do you want to upgrade the URL database now?"

Step 3 Upgrade the URLDB from the CLI
Enter privileged mode in the CLI and then input sys module update url or sys module update all to check for updates. A session looks like this:

    InstantScan# sys module update all
    im engine version 2.0.02 is the latest one on the device. No upgrade is needed.
    pattern version 2.1.01.151 is the latest one on the device. No upgrade is needed.
    A new version 1.0.00.003 is issued. Please upgrade the newest av database version to the device.
    Do you really want to continue upgrade [Y/N]? y
    Upgrade av database from 192.168.17.97.
    This process may take a long time, so please be patient.
    Successfully update the av database, new version 1.0.00.003.
    A new version 2.0.00.002 is issued. Please upgrade the newest url database version to the device.
    Do you really want to continue upgrade [Y/N]? y
    Upgrade url database from 192.168.17.97.
    This process may take a long time, so please be patient.
    Successfully update the url database, new version 2.0.00.002.
    InstantScan#

The address after "from" is the update source; confirm it is the update server you expect before answering y.

15.6.4 Restore to factory default

Step 4 Restore to factory default
In the CLI, enter sys resetconf
111. [Screenshot residue: App Policy rule list. UC_Rule_1 (Chat UC, Sina UC), POPO_Rule_1 (Chat POPO, popo163), ALIWANGWANG_Rule_1 (Chat AliWangWang, Taobao AliWangWang), FETION_Rule_1 (Chat Fetion, China Mobile Fetion), DOSHOW_Rule_1 (Chat DoShow) and WEBIM_Rule_1 (Chat WebIM: MSN Web Messenger, eBuddy), each from Boss to any, action Block & log, pipe Middle, schedule Working.]

Quick configuration toolbar fields:
Field | Description | Range / Format
Schedule | List all policy rules whose schedule field contains the selected schedule item; apply it to the listed rules | User-defined schedules
Security Profile | List all policy rules whose security field contains the selected security item | Allow, Block
Traffic Profile | List all policy rules whose traffic field contains the selected bandwidth item | High, Middle, Low

FIGURE 8.1 Quick configuration toolbar for App Policy

Policy rule fields:
Internal IP | The internal IP address of the policy. Note that the icon Boss means the inverse of the Boss address group | Subnet, Range, Host
External IP | The external IP address of the policy. Note that the icon Boss means the inverse of the Boss address group | Subnet, Range, Host
Applications | The applications of the passing traffic to be managed | Pre
112. lock Java objects
4. Block cookies | Filter web pages with Cookies objects | Enable/Disable

FIGURE 12.4 Web object filtering

Field | Description | Range
Enable Keyword Blocking | Enable URL keyword blocking | Enable/Disable
Keywords | Input the keyword that may appear in the URL | Keyword pattern, e.g. adv (advertise), adsrv, banner, splash

FIGURE 12.5 URL keyword blocking fields

Chapter 13: Encryption Web Manager

This chapter introduces how to use Encryption Web Manager to manage your employees' HTTPS traffic.

13.1 Scenario

The web page which comes from a forbidden web site will be filtered out.

[Figure residue: WebServer3 (140.112.1.4) on the Internet; PC1_1 (192.168.168.2) and PC1_2 (192.168.168.3) on the LAN.]

FIGURE 13.1 Denying access to illegal websites through web filtering

1. As described in FIGURE 12.2, the user PC1_1 is browsing websites that contain stock information, violence, or even sex. Some websites may contain video or audio which may waste the Internet bandwidth of the company. What is worse, the contents may lower the productivity of your employees.

13.2 Objectives

3. Disallow employees from visiting illegal websites.

13.3 Methodology

1. Set up the web filter to block websites by URL. The URL filter can be set up to analyze by URL keywords or by the built-in URL database. Traffic matching the URL will be blocked.
113. n modified in the software/hardware, please email your suggested directions to our support email address: service@l7networks.com

You can use the email address to tell us your messages. If you want to subscribe to our e-paper, you can also email your address to the following email address: service@L7Networks.com

You can visit our website to search for any advanced progress of this manual or information: http://www.L7Networks.com

Table of Contents

Technical Support ... ii
About This Manual ... iii
Overview ... 2
New Release ... 3
Chapter 1 Product Overview ... 4
1.1 (title illegible) ... 4
1.2 (title illegible) ... 4
1.3 (title illegible) ... 5
1.4 System Defaults & Examples ... 5
1.5 Setup IP & Routes ... 7
1.5.1 Users are in the same networks as Firewall LAN ... 7
1.5.2 Users are in the same networks as Firewall LAN (Multiple Subnets) ... 8
1.5.3 Users are NOT in the same networks as Firewall LAN ... 9
1.5.4 Users connect to internal Proxy ... 10
Chapter 2
114. n to continue. The user is added successfully.

Step 5: Display all accounts. After you have finished adding an account, you can see what you have entered in the Account Manager window. [Screenshot residue: Account Manager > Authority Manager, with User and Group entries.]

Step 6: Delete an account. If you want to delete an account, you only need to select the Delete User item. [Screenshot residue: Account Manager > Authority Manager; columns Group, Description; entry User Admin, Administrator.]

Chapter 16: Advanced Multi-Layer Architecture

16.4.2 Modify Passwords

Step 1: Change the password (Tool > Change Password). Click the Change Password item. [Screenshot residue: Tools menu with Account Manager, Change Password, Language Setting, SNMP Control, Config Backup, Config Restore.]

Step 2: Enter new password (Tool > Change Password). Enter the Old Password and the New Password, and enter the new password again in the Confirm field. Click the OK button to finish the settings. [Screenshot residue: Change Password dialog: "Enter your old password and new password"; fields Old Password, New Password, Confirm.]

Appendix

Appendix A: Command Line Interface

You can use Management Client to set up your product. Besides, you can also use console/ssh/
115. n to his MSN account to chat. Then we can see (Functions > Recorder > IM) that all of John's chat messages are logged, as shown in Fig. 5. [Screenshot residue: IM recorder log listing John's messages with date and user columns.]

Fig. 5

Chapter 12: Web Manager

This chapter introduces how to use Web Manager to manage your employees' HTTP traffic.

12.1 Scenario

The downloaded web page will be filtered with ActiveX/Java/JavaScript/Cookies components.

[Figure residue: WebServer3 (140.112.1.4) on the Internet; PC1_1 (192.168.168.1) and a second PC (192.168.168.2) on LAN 1.]

FIGURE 12.1 Prevent employees from accessing illegal websites

1. As described in FIGURE 12.1, the user PC1_1 is browsing the website located at WebServer3. The content of the website contains cookies, Java applets, and ActiveX objects. These contents may contain malicious code that may steal the private information of the user. So the administrator decides to disallow users from downloading the objects to PC1_1.

The we
116. ne or more users or groups to whom you want to delegate control, as Fig. 4 shows.

[Screenshot residue: Delegation of Control Wizard, Users or Groups page: "Select one or more users or groups to whom you want to delegate control"; Selected users and groups list with Remove; Select Users, Computers, or Groups dialog: object type "Users, Groups, or Built-in security principals", location test.com, object name John, Check Names, Advanced; Back, Next, Cancel.]

Fig. 4

Here John is added into the list for delegation of control. [Screenshot residue: Users or Groups page, Selected users and groups: John (John@test.com).]

Next, we choose to allow John to have the permission to "Create, delete, and manage inetOrgPerson accounts". Click the Next button to proceed as Fig. 6 shows.

[Screenshot residue: Tasks to Delegate page: "You can select common tasks or customize your own"; Delegate the following common tasks: Create, delete, and manage user accounts; Reset user passwords and force password change at next logon; Read all user information; Create, delete, and manage inetU
117. new object.

Fig. 2

There will be a new wizard, New Object - User. We create a new name called John and set the password as Never expired, as shown in Fig. 3 and Fig. 4. Click the Next button to proceed to finish the creation of the user.

[Screenshot residue: New Object - User, "Create in: test.com/Users"; First name: John; Initials; Last name; Full name: John; User logon name and User logon name (pre-Windows 2000) fields; Back, Next, Cancel.]

Fig. 3

[Screenshot residue: New Object - User, "Create in: test.com/Users"; Password; Confirm password; User must change password at next logon; User cannot change password; Password never expires (checked); Account is disabled; Back, Next, Cancel.]

Fig. 4

Step 2: Delegate Control. Right click on test.com and select Delegate control, as Fig. 1 shows. There will be a Delegation of Control Wizard running, as Fig. 2 shows.

[Screenshot residue: Active Directory Users and Computers (File, Action, View, Help); Saved Queries; context menu with New, All Tasks, View, New Window From Here, Refresh, Export List, Properties, Help; objects Domain Admins (Security Group), Domain Computers (Security Group), Domain Controllers.]
118. now, the system will reboot and restore to factory default.

Chapter 15: System Maintenance

Restore to Factory Default in CLI:
InstantScan> en
InstantScan# sys resetconf now
Config Modules reset to default
Config reset done
System will reboot now
Press ctrl-e in 5 secs to start with emergency kernel
Booting...
Checking Initial Key of this device
InstantScan login:

15.6.5

Step 1: Enter boot loader. If your firmware accidentally encounters critical damage and cannot enter the normal CLI, you can enter emergency mode to restore the firmware back to factory default. You must press ctrl-e during the boot-up countdown (5 seconds).

15.6.6 SNMP Control

Step 1: Enable SNMP Control. Check the SNMP Control in the menu.

Step 2: Setup SNMP Control. After you set up the SNMP parameters, you can monitor system and network status remotely.

Restore to Factory Default in CLI Emergency Mode:
Press ctrl-e in 5 secs to start with emergency kernel
Enter emergency mode
Emergency Mode: login as admin, no password
EMERGENCY login: admin
EMERGENCY-1> en
EMERGENCY-1# ?
  disable    Turn off privileged mode command
  exit       Exit command shell
  ip         Configure/Display IP related settings
  sys        Configure system parameters
EMERGENCY-1# sys resetconf now
Config reset to default
System will reboot now

[Screenshot residue: Tools > SNMP Control; Tools menu with Account Manager, Change Password, Language
119. olicy

This chapter introduces how to configure the App Policy functions.

8.1 Introduction to App Policy

Employees often use Outlook to receive emails, Internet Explorer to browse websites, Instant Messengers (IM) such as MSN/Skype to chat with friends, and P2P software such as BT/eDonkey/Xunlei/KaZaA/Kuro/ezPeer to download illegal data. Among them, Email and IM are the channels for information leakage or virus intrusion, while P2P applications are the bandwidth killers and may contain much spyware. What is worse, IM wastes employees' productivity through interruptions by friends during office hours. However, IM can save communication cost and even make communications more efficient, so many enterprises are willing to allow IM.

Enterprises that emphasize network security may have deployed Email/Web auditing and management systems. In comparison, IM and P2P lack auditing, recording, behavior management, content management and bandwidth management, because IM/P2P software is optimized to tunnel through firewalls: MSN/Yahoo/ICQ/AOL/Skype/Google Talk can tunnel themselves to behave like Web/Email to cheat firewalls, tunnel through proxy servers, or even encrypt themselves. Network administrators cannot manage them completely.

8.2 Scenario

- The CEO and CTO of the company should have full permission to access the Internet resources.
- Except for MSN, no other instant messenger software packages are allowed to be used during office hours.
- Besides Skype, there must b
120. [Screenshot residue: Per IP policy table with columns Rule Name, Src, Service, Session, Upload, Download, Quota, Action on 2nd level / Action when exceeding quota (Session, Upload, Download); Default rule: any, 1000 Mbps, 1000 Mbps, 1000 Mbps; context menu: Add Per IP app policy, Edit policy, Delete policy.]

Chapter 6: Per IP Manager

Step 7: Edit the new rule (Management > Per IP Limit Manager > Policy). Select the UnlimitedGroup and enter 100 Mbps for the download limit and 100 Mbps for the upload limit. In this way, the IPs in the UnlimitedGroup will have a maximum of 100 Mbps bidirectionally. [Screenshot residue: "Edit your Per IP policy" dialog; Rule name: sales; Per IP; Internal IP: Sales; Session limit: 200; Upload limit; Download limit; "Note: Zero means no limit"; Quota: Use Quota, Quota policy; Reduced Policy: Session limit, Upload limit, Download limit; OK, Cancel.]

Step 8: Add a per app rule (Management > Per IP Limit Manager > Policy). Right click the UnlimitedGroup rule and select the add per app policy. You can set up extra limits for the applications. Select the UnlimitedGroup and enter 100 Mbps for the download limit, 100

Note: Packets are top-down matched with the policy. Only the last matched policy takes effect.
Note: Bandwidth policy priority: Per IP > L7 > L4. Block policy priority: L4 > Per IP >
121. on Update > Option > General. Enter the IP or FQDN of the update center. You can click Default to restore the default update center. If your company has proxies, click Manual Proxy Configuration and enter the parameters such as IP, port, username and password. [Screenshot residue: Update Option dialog, General tab: Update Center (address), Advanced; Connection: Direct Connect to Internet / Manual Proxy Configuration; Proxy: 192.168.17.255; Port: 3128; User name; Password.]

Step 3: Enable Auto Update (Update > Option > Advanced). Check Enable auto update and the functions you want to auto update. Click the Schedule button to set up the periodic time to upgrade. [Screenshot residue: Update Option dialog, Advanced tab: Auto update: enable auto update; Pattern, IM engine, Virus DB, URL DB; scheduling update.]

Chapter 15: System Maintenance

Step 4: Setup Update Schedule (Update > Option > Advanced > Schedule). Select Weekly and choose the time you want to update the patterns. Click OK to finish the settings. [Screenshot residue: Schedule Dialog; Daily: set update time, Hour: 5, Min; Weekly: set update time, Hour, Min.]

15.6.2 Manually Upgrade Application Patterns

Step 1: Upgrade pattern from UI (Update > Update pattern). Click the Update pattern [Screenshot residue: Update menu with Upload configuration
122. onitor > Server Status. Click the Edit button to start editing the related settings. Check the Enable/Disable Send Syslog By E-mail and input your email address in the field. Drag the slider to the level you want to know about. There are five levels: 1. Alert, 2. Critical, 3. Warning, 4. Notification, 5. Information. If you want to receive alerts only at the Alert level, drag the bar to Alert. However, if you want to receive all the system logs, you must position the bar at Information. Click the Test button to test the email address. Click Save to save all the settings.

Step 9: Version (Monitor > Server Status). Here you can find the version information.

Step 10: Clear/Store system logs (Monitor > Server Status). Right clicking the status area lets you store the records to the disk.

Chapter 14: Management Server Maintenance

Chapter 15: System Maintenance

This chapter describes how to upgrade firmware and back up/restore configurations.

15.1 Scenario

1. The device allows you to upgrade firmware and pattern/URL databases. This chapter introduces how to upgrade the firmware through the TFTP server.

2. When the configuration is damaged, you can reset the system back to factory defaults at the CLI interface. When you forget the password, you are only allowed to enter the emergency mode to reset the configuration.

3.
123. or you to select the date
Advanced search function that can customize the search criteria
Setup the refresh period
Settings for report export

FIGURE 4.1 Description of all icons

Chapter 4: Internal Data Processing Flow

4.5 Toolbar

Item | Description
Device Group Manager | Create new devices or groups
New Project | Create a new project
Update | ... url/virus database; you must register first
License | Enter the trial or deal license here. By default several functions are in trial mode and will stop functioning after 5 days. After that the device goes into bypass mode and only forwards the traffic. You must reboot it to make it function for another 5 days. You can request a longer trial license from your reseller. Input the license here to make it effective. Once you have purchased the product, your reseller will offer you a permanent deal license that makes the device function permanently without reboot. Note that you must register first before you can enter any license here.
(item illegible) | Settings for the update center
Support list | The application patterns that are supported in the current device
Account Manager | Setup for the permission of each login account to the system
Open Project | Open a new project
(item illegible) | Display the version information

4.6 Versions

Step 1: Lookup the version of the mgt server (Help > About). The firmware of the product must match the [Screenshot residue: menu bar File, Update, Tools, Help]
124. ory to limit all P2P traffic in the traffic pipe Low.

[Screenshot residue: App Policy rule list filtered by Protocol, with the quick configuration toolbar (Apply Schedule / Security Profile / Traffic Profile Middle to listed). Columns: Status, Condition (Schedule, Rule Name, Protocol), Action (Security Profile, Pipe). Rows, all schedule Always, action Block & log, pipe High: XUNLEI_Rule_1 (P2P Xunlei: Xunlei, FlashGet, DS Lite, Low), BITTORRENT_Rule (P2P Bittorrent: Bittorrent, Bitcomet, uTorrent, Bits...), EDONKEY_Rule (P2P eDonkey: eDonkey, Overnet, eMule, Vagaa), WINNY_Rule_1 (P2P Winny), EZPEERPLUS_Rule (P2P ezPeerPlus), FASTTRACK_Rule (P2P Fasttrack: Kazaa, Grokster, iMesh), GNUTELLA_Rule (P2P Gnutella: Foxy, ezPeer, Bearshare, Gnucleus), KURO_Rule_1 (P2P Kuro), DIRECTCONNECT_Rule (P2P DirectConnect: DirectConnect, DC), OPENFT_Rule_1 (P2P OpenFT: Crazaa, Kceasy), ARES_Rule (P2P Ares), SOULSEEK_Rule (P2P SoulSeek), GOBOOGY_Rule (P2P GoBoogy), KUGOO_Rule_1 (P2P Kugoo), PIGO_Rule_1 (P2P Pigo: Pigo, 100Bao), POCO_Rule_1 (P2P Poco: Poco, PP Point).]
125. oup name.

[Screenshot residue: Dynamic Groups dialog; Name: RD; All Objects / Selected Objects: gejia, root, shaopeng, zhangxun; Finish, Cancel.]

Step 2: Assign Web Login names in APP rules (Functions > Traffic Manager > L7 Policy > Policy). We can assign the objects/groups in the dynamic objects to any App Policy rule. For example, if we don't want the group RD to use MSN, we can assign the group RD in the MSN policy rule. Upload the configuration. We can then see (Functions > Reports > Traffic APP) that zhangxun, belonging to the group RD, has been blocked and logged.

[Screenshot residue: L7 Policy list filtered on Chat, showing the MSN rule with source RD and destination any; Reports view with date 2009-08-13, filters User, Protocol, Internal IP, External IP, Direction, and columns Date, Application, Description, Proc, User, Internal IP, External IP, showing a blocked entry.]
126. oups. Select schedules from the left column. Click the >> button to move the schedule object from the left to the right. If you want to remove some schedule objects from the current group, select the object in the right column and click the << button. Click the Finish button to finish the settings. [Screenshot residue: "Please select schedules" dialog; All Schedules / Selected Schedules: WH_Morning.]

Step 12: Display the current policy (Functions > Content Manager > Object Manager > Schedule > Groups). After the settings, check your objects to see if your inputs are really updated on the screen. [Screenshot residue: Objects / Groups; Schedules: WorkingHours: WH_Morning, WH_Afternoon.]

Step 13: Upload config (Update > Upload Configuration). Check the Upload Configuration item or click the icon to upload the current configuration to the device.

Note: If some object is already used by some policy, you must change or delete the policy before you can delete the object. Otherwise, you can never erase the object.

Chapter 9: Address & Schedule Objects

Part 5: Content Manager

Chapter 10: Configure APP Content with WebLogin

This chapter introduces how WebLogin gets users' identity for policy enforcement in APP Content.

10.1 Scenario

Enterprises o
127. our management server.
Loop
wscript.quit

Chapter 11: Configure APP Content with AD Single Sign On

Step 12: Refresh policy to make it effective right away. After saving login.vbs, enter the command GPUPDATE /FORCE in the DOS window. If you are using Windows 7, please be sure that the DOS window is run as administrator: right click on the DOS icon and select "Run as administrator".

[Screenshot residue: Command Prompt: Microsoft Windows [Version 5.2.3790], (C) Copyright 1985-2003 Microsoft Corp.; C:\Documents and Settings\Administrator> gpupdate /force; "User Policy Refresh has completed. Computer Policy Refresh has completed. To check for errors in policy processing, review the event log."; C:\Documents and Settings\Administrator> dsa.msc]

11.3.1.6 Relogin the AD User and Check with sys ad show

Step 1: Verify if the newly logged-in user is recognized. Suppose the AD client has the IP address 192.168.18.72 and the device IP is 192.168.18.92. Log out the AD user and re-login to the AD domain. Use Console/SSH/Telnet to connect to the CLI and enter the command sys ad show. As Fig. 1 shows, you can see the list of the registered AD clients.

11.3.2 Map IP addresses in Reports to AD names

11.3.2.1 Import user names from Object Manager > Dynamic Objects

Step 1: Import all accounts (Functions > Objec
128. [Screenshot residue: Active Directory Users and Computers tree with the domain's containers and default groups (Administrators, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, ...).]

Fig. 3

11.3.1.5

Step 1: Download files for the AD server. Suppose your AD server's IP address is 192.168.18.200. Logging in with AD's administrator account, you will have the permission to open the network directory \\192.168.18.200\netlogon.

Step 2: Copy adclient.exe to the network directory. Copy and paste adclient.exe to the network directory. Please note that you must log in as AD's administrator to have the permission to copy the file into that directory.

Step 3: Configure AD login Group Policy. At the AD server, please run the dsa.msc program. The system will launch Active Directory Users and Computers. Right click on your domain (e.g. test.com) and click Properties.

Chapter 11: Configure APP Content with AD Single Sign On

Install the
129. pp Policy (Functions > Content Manager > App Policy > Policy). [Screenshot residue: App Policy list with columns Status, Rule Name, Src.]

Step 3: Apply schedules to listed. Select the WorkingHours item in the Schedule listbox to apply the selected schedule to all listed policy rules. You can also select the item in each policy rule.

[Screenshot residue: rule list with Condition (Schedule, Rule Name, Protocol) and Action (Security Profile, Pipe) columns; all rows schedule Always, security profile Allow, pipe default_pipe: BITTORRENT_Rule (Bittorrent, Bitcomet, uTorrent, Bits...), EDONKEY_Rule (eDonkey, Overnet, eMule, Vagaa), XUNLEI_Rule_1 (Xunlei, FlashGet, DS Lite), WINNY_Rule_1, EZPEERPLUS_Rule (P2P ezPeerPlus), FASTTRACK_Rule (Fasttrack, Kazaa, Grokster, iMesh), GNUTELLA_Rule (Gnutella, Foxy, ezPeer, Bearshare, Gnucleus), KURO_Rule_1 (P2P Kuro), DIRECTCONNECT_Rule (DirectConnect, DC), OPENFT_Rule_1 (OpenFT, Crazaa, Kceasy), ARES_Rule (P2P Ares), SOULSEEK_Rule (P2P SoulSeek), GOBOOGY_Rule, KUGOO_Rule_1
130. r Categories here.

Step 2: Go to Web > Web Profiles to add URL keyword groups into some permission level.

Step 3: Go to Content Policy to set some object to the permission level.

Note that keywords are partially matched against URLs. For example, the keyword "sex" will match http://www.sexy.com. Please set the keywords with care.

[Screenshot residue: Search keyword, Search next; URL Keywords > Categories > Audio Video: mp3, music, song, sing, movie, .mp3, ra, wma, wmv; File Import, File Export.]

Field | Description | Range
Enable URL Keyword blocking | Enable the URL keyword blocking | Enable/Disable
URL Keywords | If you want to browse some URL which has keywords in the list, your browsing will be stopped | String, e.g. adv, banner, splash

FIGURE 12.3 URL keyword filtering

Chapter 12: Web Manager

Step 6: Web Objects (Functions > Content Manager > Web > Global Policy > Web Contents). Check Enable Object Blocking and select the objects to block in all incoming web objects.

[Screenshot residue: Global Policy tabs Websites, Web Contents, Web Messages, Web Alert; Enable Object Blocking; Description: "Some web objects may be harmful to you if they contain malicious code. However, blocking these objects usually makes most web pages difficult to read."; Objects: Block ActiveX objects, B
131. r Status: Check the current status of the CPU and memory, and the on/off status of each software module, such as the MySQL database and the Apache web server, and their installation directories.

Email Alerts: Set up the email server and customized email alert contents.

FTP Backup: Set up the FTP server for the mailer to back up the data to.

Scheduled Reports: Set up the time, receiver, and format for the scheduled email report.

System Alerts: Set up the severity level of the system alerts.

Detailed configuration descriptions are listed below.

14.2 Configuring the Management Server

After you have installed the management server and rebooted the server, there will be a small icon at the bottom right corner of the management server. Please double click the icon.

Step 1: System Information (Monitor > Server Status). In this page you can see the CPU/memory usage status of the management server. You can also find the directory of each software module.

[Screenshot residue: Management Console, project test; Status, Alert; CPU utilization, Memory utilization, Disk utilization: 1.92 GB free of 19.9 GB; 64.46 GB free of 100 GB; Functions: Monitor (Server Status), Account & Levels, Users, Emails, Tool, Alert Policy, Report, Disk Manager, Log; Service Status: DataBase Server: service on at TCP 3306; HTTP Server: service on at TCP 80; Log Server: service on at UDP 514; File
132. ... 41
6.2 Methodology ... 42
6.3 (title illegible) ... 42
Chapter 7 Traffic (title illegible) ... 47
7.1 (title illegible) ... 47
7.2 Methodology ... 48
7.3 (title illegible) ... 49
Chapter 8 App Policy ... 51
8.1 Introduction to App Policy ... 51
8.2 Scenario ... 51
8.3 Methodology ... 51
8.4 Steps ... 51
8.4.1 Setup IM Policy by App Policy Rules ... 52
8.4.2 Setup P2P policy by App Policy Rules ... 56
8.4.3 Setup VoIP policy by App Policy Rules ... 59
8.4.4 Blocking VoIP/Skype File Transfer ... 61
Chapter 9 Address & Schedule Objects ... 63
9.1 (title illegible) ... 63
9.2 (title illegible) ... 63
9.3 (title illegible) ... 63
9.3.1 Address Settings ... 64
9.3.2 Schedule ... 66
Part 5 Content Manager ... 70
Chapter 10 Configure APP Content with WebLogin
...inetOrgPerson accounts
- Reset inetOrgPerson passwords and force password change at next logon
- Read all inetOrgPerson information
- Create a custom task to delegate
(Fig. 6, the task list of the Delegation of Control Wizard)

Click the Finish button to confirm that John is authorized to control the computers to be added to or removed from the domain. The final wizard page ("Completing the Delegation of Control Wizard") summarizes what was delegated: control of objects in the Active Directory folder test.com/Users, to the user John (John@test.com), for the selected tasks. Delegate only the task the single sign on account needs; the password-reset and full-read tasks listed above give John far more than joining computers requires.

11.3.1.3 Make Windows 2000 / XP / 2003 / Vista / Windows 7 PCs log in to the AD domain with the newly added AD accounts

Step 1 Set up network properties (Internet Protocol (TCP/IP) properties)

We use Windows XP as the example of how a PC adds itself to the new AD domain; other Windows versions are alike. Note that usually only the Professional and Server editions of Windows have this feature; Home editions cannot join an AD domain. We start configuring this by ...
(Appendix C / D, system log messages, continued)
... error code XX
Antivirus database engine restore has failed, error code XX
Keep old license: no need to update the database, then respond with the old MA SWID
Cannot connect to ...
Cannot connect to device
Unable to ...
Unmatched ... version
Software ... was reset to ... version
Cannot ... SQL server
FIGURE D.1 ID for each system log
...hosts on the network, and quantifying and analyzing the traffic they generate, is an essential first step towards capacity planning, subscriber demographics and service optimization. Without granular visibility into network traffic you are simply working blind.

Step 1 Monitor the network (Functions > Monitor > Realtime)

Double-click a protocol in the Traffic Discovery area (tabs: Summary, App View, IP View, User View, Policy View, Pipe View) to track the network connections passing through the device. Connections marked in red are non-tunnelled traffic; that kind of traffic will be blocked once you enable the IM Manager.

Note: the standard ports for IM are MSN 1863, Yahoo 5050 and AIM/ICQ 5190.

The screenshot shows the discovery tree with per-application byte, connection and bandwidth counters (columns: name, in/out bytes, in/out connections, in/out bandwidth): Applications, with Chat, Enterprise, dhcp, dns, snmp, FileTransfer, Legacy and P2P (bittorrent) beneath it, drilling down from bittorrent to an individual host (192.168.18.48, user Eric) and its TCP and UDP connections.
...rule for the AD user John, as shown in Fig. 2. It is the same for AD groups: fill in the AD group name in the Name field.

The Edit user dialog (Functions > Content Manager > Content Policy > Policy) has these fields: Schedule (e.g. Always), Virtual Group (e.g. Others), Rule name (e.g. rule_1) and Name (the Name field can be an AD account, an AD group or a Web Login account); under IM: MSG Rec (Enable / Disable), File Rec (Enable / Disable), Yahoo Account, MSN Account, AOL Account and ICQ Account (Allow / ...), IM Service (e.g. Platinum); under Web: URL Rec (Enable / Disable), Web POST (Allow / ...), Web Service (e.g. Gold).

11.3.2.4 Import all AD accounts from Dynamic Objects

Step 1 Click AD Import

At the bottom of the Content Policy page there is an AD Book Import button. Click it to import the AD accounts or AD groups.

Step 3 Select AD accounts

The pop-up window lets you select the preferred AD accounts or AD groups, as shown in Fig. 1. After you select the items and click OK, all selected users and groups are imported, as shown in Fig. 2.
...rules

Step 1 Import web login users (Functions > Content Manager > Content Policy > Policy)

We can import previously added web login user account names by clicking AD Book Import. Select the users you want to import and press OK to proceed.

The policy list in the screenshot has the columns Status, Schedule, Rule Name, Name, IM Profile, Web Profile and Virtual Groups (for example: Always, rule_1, shaopeng, Platinum, Platinum, Others), with a search toolbar (List: Virtual Groups / IM Profile / Web Profile; Apply; Schedule).

Chapter 11 Configure APP Content with AD Single Sign On

This chapter introduces how AD single sign on obtains users' identities for the APP Content policy.
...(policy context menu: Add policy, Delete policy). Description: rules are evaluated in order and only the first matching rule takes effect. Columns: Status; Condition (Schedule, Rule Name); Action.

Step 3 Input account names

At the employees' PCs, when they open a browser and connect anywhere, the browser is redirected to the Web Login page. Employees have to ask the IT managers for a user name and password to log in to the network.

10.3.2 Match rules using Web Login account names

10.3.2.1 Assign Web Login account names in App Policy rules

Step 1 Add Web Login accounts (Functions > Dynamic > Dynamic Objects)

In Dynamic Objects, add the accounts that need to authenticate, for example shaopeng, zhangxun, gejia and root (Fig. 1). We can also group these accounts into a group, such as RD (Fig. 2, Functions > Dynamic > Dynamic Groups). Upload the configuration.

Dynamic Groups: dynamic groups consist of dynamic objects, and most rules can use them. Add Dynamic Group opens the Group Editor ("Please enter your Gr...").
FIGURE A.8 Privileged mode in the Emergency CLI (commands shown in the screenshot):
sys reboot - reboot the system
sys resetconf now - restore the settings to factory defaults
sys resetpasswd - change the password

Appendix B Troubleshooting

1. Why can't I use MSN or Yahoo Messenger after enabling the IM Manager?
Ans: Enabling the IM Manager automatically filters non-standard IM traffic that goes through non-standard ports, so your IM traffic may not get through the product.
A. Go to Report > App Policy to check whether the logs contain any blocking of MSN.
B. If your organization uses proxies through port 80, enable the Encapsulation Manager to manage IM traffic over SOCKS / HTTP proxies. Otherwise, set up each client PC not to use a proxy in its MSN settings.
C. If you want neither to start the Encapsulation Manager nor to change the settings of each client PC, at least open the outbound port 1863 for MSN, 5050 for Yahoo Messenger or 5190 for AOL / ICQ in your firewall settings.

2. How do I upgrade the firmware?
Ans: Contact your dealer to get the newest firmware. Enter the command ip tftp upgrade image filename.bin x.x.x.x, where x.x.x.x is the address of the TFTP server. For how to set up a TFTP server, check that server's manual. TFTP has no authentication and no integrity check, so verify the image you received against a hash obtained out of band from your dealer before pushing it, and run the TFTP server only on the management segment for the duration of the upgrade.

3. Why can't my management server receive any logs?
Ans: Follow the steps below to check. Step 1: Have you configured the sys...
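The realtime monitor (standard IM ports MSN 1863, Yahoo 5050, AIM/ICQ 5190) and answer 1 above turn on the same question: which IM sessions are not on their standard port, and what the firewall must allow if the IM Manager stays off. The following is an added example written for this page, not code from the L7 Networks manual or the device; the connection-record layout, the L7 labels and the site's proxy ports are assumptions, and the sample records are constructed.

```python
"""Classify IM connections by port and list what the perimeter must allow.

Added example, not code from the L7 Networks manual. It assumes each
connection record carries the L7 application label the Traffic Discovery
view shows, the server-side port and the logged-in user; the record
layout, the labels and the site's proxy ports are assumptions, and the
sample records are constructed. The standard IM ports are the ones the
manual lists: MSN 1863, Yahoo 5050, AIM/ICQ 5190.
"""

STANDARD_IM_PORTS = {
    "Chat/MSN": 1863,
    "Chat/Yahoo": 5050,
    "Chat/AIM": 5190,
    "Chat/ICQ": 5190,
}

# Ports an HTTP/SOCKS proxy typically listens on (assumption: this site's
# proxies). IM seen on them is "IM over proxy" in the manual's terms.
PROXY_PORTS = {80, 443, 1080, 3128, 8080}


def classify(app, dst_port):
    """'standard', 'proxy' or 'nonstandard' for an IM connection; None if
    the application is not an IM protocol the table knows."""
    std = STANDARD_IM_PORTS.get(app)
    if std is None:
        return None
    if dst_port == std:
        return "standard"
    if dst_port in PROXY_PORTS:
        return "proxy"
    return "nonstandard"


def flag_flows(records):
    """Records the IM Manager would act on: IM that is not on its standard
    port. Each returned dict is the input record plus a 'verdict'."""
    out = []
    for r in records:
        verdict = classify(r["app"], r["dst_port"])
        if verdict in ("proxy", "nonstandard"):
            out.append({**r, "verdict": verdict})
    return out


def users_needing_client_fix(records):
    """Users whose IM client goes through a proxy (answer B): remove the
    proxy from the client's settings or enable the Encapsulation Manager."""
    return sorted({r["user"] for r in flag_flows(records) if r["verdict"] == "proxy"})


def outbound_ports_to_open(records):
    """Answer C: with the IM Manager off, the firewall must allow outbound
    connections to the standard port of every IM application observed."""
    return sorted({STANDARD_IM_PORTS[r["app"]] for r in records
                   if r["app"] in STANDARD_IM_PORTS})


# Constructed sample records (not captured data).
SAMPLE = [
    {"src": "192.168.18.48", "dst": "207.46.110.20", "dst_port": 1863, "app": "Chat/MSN", "user": "Eric"},
    {"src": "192.168.18.51", "dst": "10.1.1.5", "dst_port": 8080, "app": "Chat/MSN", "user": "gejia"},
    {"src": "192.168.18.52", "dst": "98.136.1.1", "dst_port": 443, "app": "Chat/Yahoo", "user": "zhangxun"},
    {"src": "192.168.18.53", "dst": "64.12.1.1", "dst_port": 5190, "app": "Chat/AIM", "user": "shaopeng"},
    {"src": "192.168.18.54", "dst": "203.0.113.7", "dst_port": 4444, "app": "Chat/ICQ", "user": "root"},
    {"src": "192.168.18.55", "dst": "203.0.113.9", "dst_port": 6881, "app": "P2P/bittorrent", "user": "Eric"},
]

if __name__ == "__main__":
    for f in flag_flows(SAMPLE):
        print(f"{f['user']:9} {f['app']:11} -> {f['dst']}:{f['dst_port']}  {f['verdict']}")
    print("clients to fix:", users_needing_client_fix(SAMPLE))
    print("outbound ports if the IM Manager stays off:", outbound_ports_to_open(SAMPLE))
```

Feed it the device's own export instead of SAMPLE and the "proxy" verdicts are the clients answer B talks about, while "nonstandard" verdicts (IM on an arbitrary port such as 4444 here) are the sessions that no firewall port exception will rescue and that only the IM Manager sees.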
...the order of the interfaces differs between models. When you first use the product, enter the CLI to check the order of the interfaces: in privileged mode, enter ip show to look up the numbering of each interface and its function.

FIGURE 1.2 Related System Defaults (interfaces in the table: External, MGT, HA, Management)

FIGURE 1.3 2-Tier Architecture: the management client connects to the device directly.

FIGURE 1.3 3-Tier Architecture: the management client connects to the management server, which then connects to the device (the figure shows an ADSL router, a DMZ and a firewall / router in between).

1.5 Setup IP & Routes

1.5.1 Users are in the same network as the Firewall LAN

If users are in the same network as the firewall's LAN interface, the situation is the simplest: the PCs' gateway is the firewall's LAN interface, for example 192.168.1.254.

Figure: gateway 192.168.1.254/24; device management IP 192.168.1.199/24; core switch; clients in 192.168.1.x, for example client / user 192.168.1.10/24 with gateway 192.168.1.254.

The device is connected between the core switch and the firewall. Label A indicates that the bridge IP should be set in the network of the firewall / switch segment, say 192.168.1.251. Label B in the figure indicates the management IP of the device (192.168.1.199/24 in the figure).
...telnet to remotely configure or query the device. The CLI is necessary when you set up network addresses and the 2-tier / 3-tier architecture. It also lets you reset the device to factory defaults or shut the system down. All supported CLI commands are arranged as follows.

A.1 CLI Commands

Non-Privileged Mode

When you connect to the product by console, telnet or SSH, you use CLI commands to set up the product. The default login user name and password pair is admin / admin. Change this password the first time you log in (the password command is listed in FIGURE A.8), and prefer the console or SSH over telnet, which sends the credentials in cleartext.

FIGURE A.1 Non-Privileged Mode
enable (en) - enter privileged mode
ip ping 202.11.22.33 - diagnose the network by ping
ip traceroute 202.11.22.33 - diagnose the network by traceroute
version (ver) - show the firmware / pattern / urldb version

Note: If you don't know the parameters of a command, you can type ? at any time after your current command. For example, typing ip ? lists all possible parameters following the ip command.

Privileged mode
ip ping 202.11.22.33 - send ICMP for network debugging
ip ... - set up network addresses
ip show - display all network settings
ip tftp upgrade image FILENAME 192.168.168.170 - upgrade the firmware by the TFTP protocol (192.168.168.170 is the TFTP server in the example)
ip traceroute 202.11.22.33 - diagnose the network by traceroute
sys date - ...
sys version - display the system firmware / pattern versions
sys resetconf now - reset the configuration
...width. While you drag the line, the exact bandwidth figures appear in the fields on the left.

Figure (default link sharing tree): Root 100 / 100 Mb/s; default pipe 100.0 / 100.0 Mb/s; High 50.0 / 50.0 Mb/s; Middle 18.0 / 18.0 Mb/s; Low 32.0 / 32.0 Mb/s.

Step 3 Set up inbound traffic

Enter 100 in the Inbound Traffic field and then drag the bandwidth partitioning line with the mouse. You can drag it so that High occupies 50% of the total bandwidth, Middle 18% and Low 32%. While you drag the line, the exact bandwidth figures appear in the fields on the left.

Step 4 Enable App Policy

Check that the App Policy is enabled as in FIGURE 7.1 and FIGURE 7.2. Then change the traffic profile of the FTP service to Middle, and Allow in the security profile.

Step 5 Upload the configuration

Check the Upload Configuration item, or click the upload icon, to upload the current configuration to the device.

Functions > Traffic Manager > QoS Policy:
Step 1 Define the default link sharing tree.
Step 2 Create scheduled pipe policies from the default tree.
Description: right-clicking a tree node lets you create children. Children can be set to borrow bandwidth from their parent node.
Note: any existing Pipe Policy disallows editing the default tree h...
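The tree above (Root 100 Mb/s, High 50%, Middle 18%, Low 32%) and the "borrow bandwidth from its parent node" option are easiest to reason about with the arithmetic written out. The following is an added example written for this page, not code from the L7 Networks manual or the device: it validates the shares, computes each pipe's guaranteed rate, and shows what a borrowing child gets when a sibling is idle. The fair-share scheme it uses (guaranteed share first, idle capacity handed to borrowing children in proportion to their shares) is assumed for the example and is not the device's documented scheduler; the demand figures are constructed.

```python
"""Guaranteed and borrowed bandwidth in a hierarchical link-sharing tree.

Added example, not code from the L7 Networks manual. It models the
default link-sharing tree of this chapter (Root 100 Mb/s shared out as
High 50 %, Middle 18 %, Low 32 %) and the per-child "borrow bandwidth
from its parent node" option. The arithmetic is a generic hierarchical
fair-share scheme (guaranteed share first, then idle capacity handed to
borrowing children in proportion to their shares), assumed here; it is
not the device's documented scheduler. Demand figures are constructed.
"""


class Pipe:
    def __init__(self, name, percent, borrow=False):
        self.name = name          # pipe name in the tree
        self.percent = percent    # share of the parent's bandwidth, in %
        self.borrow = borrow      # may use capacity the siblings leave idle
        self.children = []

    def add(self, child):
        self.children.append(child)
        return child


def validate(node):
    """The shares of a node's children must not exceed 100 %."""
    total = sum(c.percent for c in node.children)
    if total > 100:
        raise ValueError(f"{node.name}: children claim {total}% of the link")
    for c in node.children:
        validate(c)


def guaranteed(node, rate):
    """Mb/s each pipe is guaranteed when every pipe is saturated."""
    out = {node.name: rate}
    for c in node.children:
        out.update(guaranteed(c, rate * c.percent / 100.0))
    return out


def allocate(node, rate, demand):
    """Grant Mb/s to node's children given their offered load `demand`
    ({pipe: Mb/s}). A child first receives min(demand, guaranteed share);
    what its siblings leave idle is then given to children with
    borrow=True, weighted by their shares, until demand or spare runs out."""
    grant = {c.name: min(demand.get(c.name, 0.0), rate * c.percent / 100.0)
             for c in node.children}
    for _ in range(len(node.children) + 1):   # each round satisfies >= 1 borrower or exhausts spare
        spare = rate - sum(grant.values())
        borrowers = [c for c in node.children
                     if c.borrow and demand.get(c.name, 0.0) - grant[c.name] > 1e-9]
        if spare <= 1e-9 or not borrowers:
            break
        weight = sum(c.percent for c in borrowers)
        for c in borrowers:
            extra = min(spare * c.percent / weight, demand[c.name] - grant[c.name])
            grant[c.name] += extra
    for c in node.children:                    # recurse into sub-pipes
        if c.children:
            grant.update(allocate(c, grant[c.name], demand))
    return grant


def default_tree():
    """Root 100 % -> High 50 %, Middle 18 %, Low 32 %; only High and Middle
    may borrow (assumption for the example)."""
    root = Pipe("Root", 100)
    root.add(Pipe("High", 50, borrow=True))
    root.add(Pipe("Middle", 18, borrow=True))
    root.add(Pipe("Low", 32))
    return root


def example():
    root = default_tree()
    validate(root)
    link = 100.0   # Inbound Traffic field: 100 Mb/s
    demand = {"High": 70.0, "Middle": 10.0, "Low": 40.0}   # constructed offered load
    return guaranteed(root, link), allocate(root, link, demand)


if __name__ == "__main__":
    g, a = example()
    for name in ("High", "Middle", "Low"):
        print(f"{name:7} guaranteed {g[name]:5.1f} Mb/s  granted {a[name]:5.1f} Mb/s")
```

With Middle offering only 10 Mb/s of its 18, the 8 Mb/s it leaves idle goes to High (58 Mb/s) because High may borrow, while Low, which may not, stays capped at its 32 Mb/s even though it offers 40: that is the difference the borrow checkbox makes.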
...the account name and its password, then press the Add button; the account is added to the system. Upload the configuration.

You can also use remote authentication with POP3(S), IMAP(S), RADIUS or LDAP servers. Below are the parameters for each authentication method.

Add Web Login user names and passwords (Functions > Object Manager > Web Login; tabs: Status, Policy, Action, Auth Server, Custom Pages; the Auth Server tab has Remote and Local sections)

Description: if the web login user name does not exist in the remote authentication server, the system looks it up in the local accounts. Local accounts in the screenshot: shaopeng, root, admin, zhangxun, gejia. Because of this fallback, a local account keeps working after the same user has been removed from the remote server, so keep the local list to the few accounts that really must work without the remote server.

POP3(S) server IP address
POP3(S) port number: usually POP3 is 110 and POP3S is 995 (110 in the screenshot)
SSL: SSL is a standard encryption protocol; POP3's SSL version is called POP3S and IMAP's SSL version is called IMAPS (Disable in the screenshot)
IMAP(S) server IP address
IMAP(S) port number: usually IMAP is 143 and IMAPS is 993 (993 in the screenshot)
RADIUS fields
LDAP server IP address (10.1.1.11 in the screenshot)

Note: plain POP3 (110), plain IMAP (143) and an LDAP simple bind carry the users' passwords unencrypted between the device and the server; select POP3S or IMAPS whenever the server supports it.

10.3.1.3

Step 1 Add a Static Object (BOSS)

Since the BOSS is not required to authenticate, we first set up his or her IP address in a static object. Right-click any icon on this page and select Add a new host. Fill in his or h...
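Two things on the Auth Server page deserve a check before the configuration is uploaded: whether the chosen protocol and port actually give an encrypted path for the Web Login passwords, and which local accounts the documented remote-then-local lookup order leaves as a permanent fallback. The following is an added example written for this page, not code from the L7 Networks manual or the device. The POP3 / POP3S and IMAP / IMAPS ports are the ones the page lists; the LDAP 389 / LDAPS 636 and RADIUS 1812 / 1645 entries are standard ports assumed here because the page shows none for them; the configuration dicts and account lists are constructed stand-ins for the real servers.

```python
"""Checks on Web Login remote-authentication settings and the lookup order.

Added example, not code from the L7 Networks manual. The port table
holds the numbers the Auth Server page lists (POP3 110 / POP3S 995,
IMAP 143 / IMAPS 993) plus the standard LDAP 389 / LDAPS 636 and RADIUS
1812 / 1645, which are assumptions since the page shows no port for
those. authenticate() mirrors the documented order: remote server first,
local account list only when the name does not exist remotely. The
configuration dicts and account lists are constructed stand-ins.
"""

PLAINTEXT_PORTS = {"pop3": 110, "imap": 143, "ldap": 389}
TLS_PORTS = {"pop3s": 995, "imaps": 993, "ldaps": 636}
RADIUS_PORTS = (1812, 1645)


def check_backend(cfg):
    """Return a list of findings for one Auth Server configuration
    ({'protocol': ..., 'port': ..., optional 'shared_secret': ...})."""
    proto, port = cfg["protocol"].lower(), int(cfg["port"])
    findings = []
    if proto in PLAINTEXT_PORTS:
        findings.append(f"{proto}: Web Login passwords cross the network unencrypted; "
                        f"use {proto}s (port {TLS_PORTS[proto + 's']})")
        if port != PLAINTEXT_PORTS[proto]:
            findings.append(f"{proto}: port {port} is not the usual {PLAINTEXT_PORTS[proto]}")
    elif proto in TLS_PORTS:
        if port in PLAINTEXT_PORTS.values():
            findings.append(f"{proto}: port {port} is a plaintext port; the server "
                            f"will not start TLS there")
        elif port != TLS_PORTS[proto]:
            findings.append(f"{proto}: port {port} is not the usual {TLS_PORTS[proto]}")
    elif proto == "radius":
        if port not in RADIUS_PORTS:
            findings.append(f"radius: port {port} is not 1812 (or legacy 1645)")
        if not cfg.get("shared_secret"):
            findings.append("radius: shared secret is empty")
    else:
        findings.append(f"unknown protocol {proto}")
    return findings


def authenticate(username, password, remote_users, local_users):
    """Documented lookup order. remote_users / local_users map user name to
    password and stand in for the remote server and the local list.
    Returns (where_decided, success)."""
    if username in remote_users:                 # name exists remotely: remote decides
        return ("remote", remote_users[username] == password)
    if username in local_users:                  # only consulted when absent remotely
        return ("local", local_users[username] == password)
    return ("none", False)


def fallback_accounts(remote_names, local_users):
    """Local accounts not present on the remote server. These keep
    working after the user is removed from the mail/LDAP server, so review
    them whenever a remote account is deleted."""
    return sorted(n for n in local_users if n not in remote_names)


if __name__ == "__main__":
    for cfg in ({"protocol": "pop3", "port": 110},
                {"protocol": "pop3s", "port": 995},
                {"protocol": "imaps", "port": 143},
                {"protocol": "radius", "port": 1812, "shared_secret": ""}):
        print(cfg["protocol"], check_backend(cfg) or ["ok"])
    remote = {"shaopeng": "pw1", "zhangxun": "pw2", "gejia": "pw3"}   # constructed
    local = {"root": "pw4", "admin": "pw5", "gejia": "stale"}          # constructed
    print(authenticate("gejia", "stale", remote, local))   # remote decides: rejected
    print(fallback_accounts(remote, local))
```

Note the gejia case: a stale local password is not consulted while the name still exists remotely, but the moment gejia is deleted from the mail server the local entry becomes the one that decides, which is why fallback_accounts() is worth running after every remote deletion.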
...tion

Language pack installation: to display language characters correctly you need to install the following language pack: Chinese Traditional. Options: "Never install any language packs"; Install / Cancel. (FIGURE 3.1 Language pack installation screen)

System requirements:
- Hard disk space: at least 80 GB available; we strongly suggest 120 GB.
- CPU: at least Pentium 4.
- Memory: at least 256 MB; we strongly suggest at least 512 MB.
- If your operating system is Windows XP Service Pack 2 with the built-in firewall enabled, follow the steps below to open the ports UDP 514, TCP 1080 and TCP 3306, so that packets from or to the management server are not blocked:
  5. Go to Start > Settings > Network Connections.
  6. Right-click the Local Area Connection and select Properties.
  7. Go to Advanced > Settings > Exceptions and click Add Port.
  8. Enter the name and the port number of each port to allow: Database Server, 3306, TCP; HTTP Server, 80, TCP.
(FIGURE 3.1 Firewall settings of the management server)
A port exception opened this way is reachable from every address that can reach the host; use the Add Port dialog's Change scope option to limit it to the device and management-client addresses rather than any computer.

3.2.2 Procedures (installer menu)
1. Install the Management Server
2. Install the AD Log Server
3. Upgrading the Management Server
...
9. Browsing the CD
10. Uninstall Management Server
11. Uninstall AD Log Server
12. Exit the Installation

Management Server Installation: Setup Management Server (screenshot)
...(Figure 3.2 Management server software installation user interface; buttons: Upgrade, Browse CD, Uninstall All, Uninstall AD Log Server, Exit)

Note:
1. When you reinstall or upgrade your management server, remember to reboot your computer. Only after you reboot can the system work properly. Detailed installation guides are given in the QIG and in this User Manual.
2. If you have already installed any version of MySQL or Apache, you must uninstall MySQL and Apache before you start to install the management server. Please check the Appendix for more details.

3.2.3 Installing the Java Runtime

After you have installed the management server and plugged in the network cable, you can use a web browser to connect to the management server by entering http://<management server IP address>. When you first connect, the software checks whether your browser is able to run Java programs; if not, a Java Plug-in prompt reminds you to install the Java runtime on your client system.

Note: When you connect to the management server for the first time, the client must wait for the Java Plug-in program to download and install because of the size of the Java runtime. Please be patient.

The console is served over plain HTTP on TCP 80, so administrator logins and configuration travel unencrypted; reach it only from a trusted management network.

3.3 Configuring the Product

Before you start to manage the product, use the RS-232 console to connect your PC to the device. You can also use SSH, Telnet or another terminal program to change the system ...
...to back up the data every day at 15:00.

Step 5 Choose the backup type (Monitor > Server Status)

In the Backup Type area, choose your preferred style of backup. When you want to restore your data, click the Get Backup List button, select the directory on the FTP server where the backup file is located, and click Restore to start restoring the data.

Step 6 FTP server settings (Monitor > Server Status)

Click Edit to start editing the related settings. Enter the IP address, account and password of the FTP server. Check PSV if you want to use passive-mode FTP. Click Test to test the connectivity to the FTP server. Click Save to store the options.

As said above, you can choose to back up the log at 3:00 PM every day; the system will then back up the log automatically at that time. Each backup directory is named by its date.

FTP sends the account password and the whole log archive in cleartext, so put the backup server on the management network and limit the FTP account to the backup directory.

Step 7 Reporting system (Monitor > Server Status)

Click Edit to start editing the related settings. Select the period for sending the report (daily / weekly / monthly), check the formats you want to receive (PDF / HTML / Excel) and the devices you want to know about, enter the receiver's email address and click Save to save all your inputs.

Note: before you set up the report center, make sure that you have chosen the report items; otherwise you may get an empty report.

Step 8 Syslog record (Monitor > ...
...(Functions > Dynamic Objects > Dynamic Objects)

Import all account names from the AD server into the UI for management. Refer to the previous sections for how to fill in the User DN and Base DN fields. After importing, all AD accounts are listed under Accounts, while all AD groups are listed under Group, as Fig. 1 shows.

11.3.2.2

Step 1 Assign AD users in L4 Policy rules

Right-click the rule field and select Add to insert a new rule. Select the preferred AD user from the Internal IP and External IP fields.

Step 2 Assign AD users in L7 Policy rules

Right-click one of the L7 Policy rules and select Insert to insert a rule before the chosen rule. Select the AD users in the Internal IP and External IP fields.

(Fig. 1 shows the Dynamic Objects page. Its description says that most rules can use dynamic objects, that the accounts come from the AD import, that users are redirected to the web login page and that the device associates each account with the IP address it logged in from. Beneath it the imported AD accounts (Administrator among them) and groups (RD among them) are listed.)
...you first read the overview in Active Directory Help. To continue, click Next. (Fig. 1)

Since it is the first domain controller, we choose the first option, "Domain controller for a new domain". Click Next to proceed (Fig. 2).

Fig. 2 (Active Directory Installation Wizard, Domain Controller Type: specify the role you want this server to have). Do you want this server to become a domain controller for a new domain or an additional domain controller for an existing domain? "Domain controller for a new domain": select this option to create a new child domain, new domain tree or new forest; this server will become the first domain controller in the new domain. "Additional domain controller for an existing domain": proceeding with this option will delete all local accounts on this server; all cryptographic keys will be deleted and should be exported before continuing; all encrypted data, such as EFS-encrypted files or e-mail, should be decrypted before continuing or it will be permanently inaccessible.

Since it is a new domain in a new forest, we choose the first option, as shown in Fig. 3 (Create New Domain: select which type of domain to create). "Domain in a new forest": select this option if this is the first domain in your organization or if yo...
...u want the new domain to be completely independent of your current forest. "Child domain in an existing domain tree": if you want the new domain to be a child of an existing domain, select this option (for example, you could create a new domain named headquarters.example.microsoft.com as a child domain of the domain example.microsoft.com). "Domain tree in an existing forest": if you don't want the new domain to be a child of an existing domain, select this option; this creates a new domain tree that is separate from any existing trees.

Next we need to assign a domain name; for example, we assign test.com as our domain name (Fig. 4, New Domain Name: type the full DNS name for the new domain, for example headquarters.example.microsoft.com).

Then enter your NetBIOS name; by default it gives TEST, as shown in Fig. 5 (NetBIOS Domain Name: this is the name that users of earlier versions of Windows will use to identify the new domain). Note that the name must never conflict with PC clients in the same domain, namely there should never be a PC client ... Click Next to acc...
Chapter 13 Encryption Web Manager

13.4 Steps

Step 1 Enable the Encryption Web Recorder (Functions > Encryption Recorder > Web > Status)

Check Enable Encryption Web Recorder to enable SSL decryption of HTTPS.

Step 2 Define exempt sources

You can define the IP range to which the web filter function applies. By default the function applies to all computers; you can include specific traffic in this manager or exclude specific traffic from it. Select Boss in the Exclude field to exclude Boss from web filter enforcement.

FIGURE 13.1 Exempt source fields
Enable Exempt: enable the exempt source function (Enable / Disable).
Exclude ... from the web filter enforcement: exclude the selected users from the web filtering functions; all other computers are enforced to do web filtering (Enable / Disable; Enabled, Boss in the screenshot).
Include ... in the web filter enforcement: include the selected users in the web filtering functions; all other computers are not enforced to do web filtering (Enable / Disable; Disable in the screenshot).

Two points to keep in mind: the exemption is keyed on the Boss address object (an IP address, see 10.3.1.3), so whoever holds that address is exempt; and because decryption ends the client's TLS session at the device, the client PCs must trust the device's signing certificate, otherwise every HTTPS page shows a certificate warning.

Step 3 Define Web Profiles

Edit the profile you want to apply to the users. Right-click the row you ...
...(New Project dialog: Project information: Name Project_1; Selected Devices: All Devices; Group_1 / Device_1, Group_1 / Device_2)

Group Mode

Step 1 Create a group-mode project (File > New Project)

Select Group as the project mode. This mode suits someone who buys several devices and puts them at different network edges. Enter the project name and select devices from the right column; click << to move a device from right to left. To remove devices from the current project, select the device in the left column and click >>. Click OK to finish the settings. (Dialog fields: Select Mode: General / Group; Project information: Name; Selected Devices; "New a group device by right-clicking the objects"; "Select the devices into the project".)

Step 2 Choose the base device (File > New Project > Next Step)

Select a device as your Base Device. When you select the base device, all other devices in this group refer to the configuration of the base device. Moreover, ...
...have set up the rules for VoIP. Now we need to adjust the policy: click VoIP Skype File Transfer, select the SubnetRD option, and then select Block in the Security Profile field.

Address objects in the screenshot (Functions > Content Manager > Object Manager > Address > Objects; Edit IP Address object): HostCEO, HostCFO, HostCMO, HostCTO, HostChairman, HostPresident, HostViceChairman, HostVicePresident, ServerFTP, ServerHTTP, ServerMYSQL, ServerSQL, SubnetADM, SubnetFINANCE, SubnetMANUFACTURE, SubnetMARKETING, SubnetPGA, SubnetRD.

App Policy rules in the screenshot (Functions > Content Manager > App Policy; Status / Policy; List: VoIP; Protocol; Apply: Schedule, Security, Traffic to listed; columns Status, Condition (Schedule, Rule Name, Src, Dst, Protocol), Action (Security Profile, Pipe)), top to bottom: SKYPEFILE_Rule_1 (VoIP / Skype File Transfer), SKYPE_Rule_1 (VoIP / Skype, Allow, Low pipe), SKYPEOUT_Rule_1 (Boss, VoIP / SkypeOut, Allow, Low), SIP_Rule_1 (Boss to any, VoIP / SIP, MSN Voice, Yahoo Voice and similar, Block & log, Low), H323_Rule_1 (Boss to any, VoIP / H323, NetMeeting, Block & log, Low), VOIPBUSTER_Rule_1 (Boss to any, VoIP / VoIPBuster, Block & log, Low).
(Screenshot: the AD import list, showing built-in groups such as Domain Guests, Domain Users, Remote Desktop Users, Pre-Windows 2000 Compatible Access and Server Operators, together with the RD group.)

Step 4 Set up policy rules for office hours (Functions > Traffic Manager > L7 Policy)

Enable the L7 Policy, select Chat > MSN, select Worktime in the Schedule field, select RDGROUP in the Internal IP field, and finally select Block or Block & Log in the Security Profile field.

Step 5 Set up policy rules for non-office hours

5.1 Enable the IM Manager: select Enable IM Manager and select Allow IM over Proxy Servers to filter the IM traffic inside the proxy.

5.2 Enable keyword filtering: click Enable keyword filtering and choose your preferred keywords from the default settings. You can add your own keywords by right-clicking in the field.
...x" will match http://www.sexy.com. Please set the keywords with care.

FIGURE 13.3 URL keyword filtering (Search keyword / Search next; URL Keywords by category, e.g. Audio/Video: mp3, music, song, sing, movie, .mp3, .ra, .wma; Adv: advertise, adsrv, banner, splash; File Import / File Export; Time Range)
Enable URL Keyword blocking: enable the URL keyword blocking (Enable / Disable).
URL Keywords: if you browse a URL that contains a keyword in the list, your browsing is stopped.

FIGURE 13.4 URL keyword blocking fields
Enable Keyword Blocking: enable URL keyword blocking (Enable / Disable).
Keywords: enter the keywords that may appear in the URL (keyword pattern, e.g. adv, advertise, adsrv, banner, splash).

System Maintenance

Chapter 14 Management Server Maintenance

This chapter introduces how to use the mailer to achieve automatic system maintenance and alerts.

14.1 Introduction to the Management Server

The management server is software that does centralized configuration management and acts as the log server for many devices. It can be a standalone installation on a Windows-based machine or a built-in server software module of the gateway product.

> Serve...
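The warning above is about substring matching: a keyword stops any URL that merely contains it, so a short keyword also hits unrelated host names and paths. The following is an added example written for this page, not code from the L7 Networks manual or the device. substring_block() reproduces the described behaviour with keywords from the manual's list; token_block() is a stricter matcher, assumed here for comparison and not a device option, that only fires when a keyword equals a whole host label or path segment. The keyword "sex" is an assumption (the manual's own example is cut off before the keyword), and the URLs are constructed.

```python
"""Substring URL keyword matching and its false positives.

Added example, not code from the L7 Networks manual. The device's URL
keyword filter, as this chapter describes it, stops a page when a listed
keyword appears anywhere in the URL, which is why a keyword such as
"sex" (assumed here; the manual's own example is cut off) also matches
http://www.sexy.com. substring_block() reproduces that behaviour;
token_block() is a stricter matcher, assumed for comparison and not a
device option, that compares keywords with whole host labels and path
segments. Keywords are taken from the manual's list; URLs are constructed.
"""
import re
from urllib.parse import urlsplit

KEYWORDS = ["sex", "adv", "advertise", "adsrv", "banner", "splash", "mp3"]


def substring_block(url, keywords=KEYWORDS):
    """Keywords that hit when matched as plain substrings of the URL."""
    u = url.lower()
    return [k for k in keywords if k in u]


def _tokens(url):
    """Host labels plus path/query segments, split on the usual separators."""
    parts = urlsplit(url.lower())
    tokens = (parts.hostname or "").split(".")
    tokens += [t for t in re.split(r"[/._\-?=&]+", parts.path + "?" + parts.query) if t]
    return set(tokens)


def token_block(url, keywords=KEYWORDS):
    """Keywords that hit only when they equal a whole URL token."""
    toks = _tokens(url)
    return [k for k in keywords if k in toks]


def compare(urls, keywords=KEYWORDS):
    """(url, substring hits, token hits) for each URL; rows where the two
    differ are the false positives the manual warns about."""
    return [(u, substring_block(u, keywords), token_block(u, keywords)) for u in urls]


# Constructed sample URLs.
SAMPLE_URLS = [
    "http://www.sexy.com/",
    "http://www.essex.ac.uk/",
    "http://example.com/advanced/index.html",
    "http://adsrv.example.net/banner.gif",
    "http://cdn.example.org/music/track.mp3",
    "http://example.com/splash_page.html",
]

if __name__ == "__main__":
    for url, sub, tok in compare(SAMPLE_URLS):
        flag = "" if sub == tok else "   <- substring-only hit"
        print(f"{url:42} substring={sub} token={tok}{flag}")
```

Running it over a day of proxy logs before enabling a keyword list is the practical check: every row flagged as a substring-only hit is a site that the list would block without the keyword ever appearing as a word in its URL (essex.ac.uk and /advanced/ here).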
...order (top-down, first match).

Static Exempt (Source / Destination): Enable Exempt Sources; Exclude & Bypass ... from App policy.
Dynamic Exempt (Source / Destination): Enable Exempt Sources; Exclude any from App policy.
Default Traffic Pipe: put unmatched traffic into the default pipe.

Step 2 List the Chat group (Functions > Management > App Policy)

Select List: Chat in the search toolbar (Status / Policy; Apply: Schedule, Security, Traffic to listed) to list all rules belonging to the Chat group. The rule list in the screenshot (Condition: Schedule, Rule Name, Src, Dst, Protocol; Action: Security Profile, Pipe):

Rule Name         Src   Protocol                                                   Security  Pipe
HTTP              any   Web / HTTP                                                 Allow     High
                  any   Web / Http Download (zip, rar, exe, iso, avi, wmv, rm, ...)  Allow     High
                  any   Web / Http Video (flv, mp4, swf, ...)                      Allow     High
                  any   Web / Http Proxy (https proxify.com, ...)                  Allow     High
SMTP_Rule_1       any   Email / SMTP                                               Allow     High
POP3_Rule_1       any   Email / POP3                                               Allow     High
IMAP_Rule_1       any   Email / IMAP                                               Allow     High
FTP_Rule_1        any   FileTransfer / FTP                                         Allow     Middle
SKYPE_Rule_1      any   VoIP / Skype                                               Allow
SKYPEFILE_Rule_1  any   VoIP / Skype File Transfer                                 Allow
SKYPEOUT_Rule_1   any   VoIP / SkypeOut                                            Allow
SIP_Rule_1        any   VoIP / SIP, MSN Voice, Yahoo Voic...
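The evaluation order stated here (exempt sources first, then the rule list top-down with the first match taking effect, unmatched traffic into the default pipe), the Exclude / Include semantics of the exempt fields in Chapter 13, and the VoIP and MSN rules built in Chapters 8 and 11 all come together in one small evaluator. The following is an added example written for this page, not code from the L7 Networks manual or the device; the rules, the address objects, the "Worktime" schedule (assumed to be 09:00 to 18:00, Monday to Friday) and the dates are constructed, and the AD group RDGROUP is modelled as the RD subnet because the example has no AD lookup. It also reports rules that can never fire because an earlier rule shadows them, which is the mistake that ordering sensitivity invites.

```python
"""First-match App Policy evaluation with exempt sources and a default pipe.

Added example, not code from the L7 Networks manual. It reproduces the
behaviour described in this chapter and in Chapters 8, 11 and 13: exempt
sources are tested first and bypass the policy, the remaining traffic is
matched against the rule list top-down with the first hit taking effect,
unmatched traffic is put into the default pipe, and an exempt list can be
in Exclude mode (listed hosts bypass, everyone else is enforced) or
Include mode (only listed hosts are enforced). Rules, addresses and the
"Worktime" schedule (assumed 09:00-18:00 Monday to Friday) are
constructed for the example; AD-group rules such as RDGROUP are modelled
as the RD subnet because the example has no AD lookup.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    name: str
    src: str          # address object: a CIDR, or "any"
    protocol: str     # L7 label, e.g. "VoIP/Skype File Transfer"
    action: str       # "Allow", "Block" or "Block & Log"
    pipe: str = "default"
    schedule: str = "Always"


SCHEDULES = {
    "Always": lambda t: True,
    "Worktime": lambda t: t.weekday() < 5 and 9 <= t.hour < 18,   # assumption
}


def addr_match(obj, ip):
    return obj == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


def is_exempt(ip, exempt):
    """exempt = {"enabled": bool, "mode": "exclude" | "include", "hosts": [CIDR, ...]}."""
    if not exempt.get("enabled"):
        return False
    listed = any(addr_match(h, ip) for h in exempt["hosts"])
    return listed if exempt["mode"] == "exclude" else not listed


def evaluate(flow, rules, exempt, now):
    """Return (rule name, action, pipe) for a flow {'src': ip, 'protocol': label}."""
    if is_exempt(flow["src"], exempt):
        return ("exempt", "Bypass", "default")
    for r in rules:                                   # top-down, first match wins
        if (SCHEDULES[r.schedule](now) and addr_match(r.src, flow["src"])
                and r.protocol == flow["protocol"]):
            return (r.name, r.action, r.pipe)
    return ("unmatched", "Allow", "default")          # Default Traffic Pipe


def _covers(a, b):
    """True if address object a contains every address of object b."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))


def shadowed_rules(rules):
    """Rules that can never fire: an earlier Always rule for the same
    protocol already covers their whole source range."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol == later.protocol and earlier.schedule == "Always"
                    and _covers(earlier.src, later.src)):
                out.append(later.name)
                break
    return out


RD = "192.168.20.0/24"          # constructed stand-in for SubnetRD / RDGROUP
BOSS = "192.168.18.1/32"        # constructed stand-in for the Boss host object
MONDAY = datetime(2011, 2, 14, 10, 0)     # inside Worktime
SATURDAY = datetime(2011, 2, 19, 10, 0)   # outside Worktime

RULES = [
    Rule("SKYPEFILE_Rule_1", RD, "VoIP/Skype File Transfer", "Block & Log", "Low"),
    Rule("SKYPEFILE_Rule_2", "any", "VoIP/Skype File Transfer", "Allow", "Low"),
    Rule("SKYPE_Rule_1", "any", "VoIP/Skype", "Allow", "Low"),
    Rule("MSN_Worktime", RD, "Chat/MSN", "Block & Log", "default", "Worktime"),
    Rule("FTP_Rule_1", "any", "FileTransfer/FTP", "Allow", "Middle"),
]
EXEMPT = {"enabled": True, "mode": "exclude", "hosts": [BOSS]}

if __name__ == "__main__":
    for src, proto in (("192.168.18.1", "VoIP/Skype File Transfer"),
                       ("192.168.20.10", "VoIP/Skype File Transfer"),
                       ("192.168.30.5", "VoIP/Skype File Transfer"),
                       ("192.168.20.10", "Chat/MSN"),
                       ("192.168.20.10", "P2P/bittorrent")):
        print(src, proto, "->", evaluate({"src": src, "protocol": proto}, RULES, EXEMPT, MONDAY))
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print("shadowed after swapping the two Skype file rules:", shadowed_rules(swapped))
```

The swapped list is the case to watch for when adding the SubnetRD block of Chapter 8 under an existing any/Allow rule for the same protocol: the device would accept both rules, and the block would simply never match.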
    