SecureGUARD Communication Gateway 2015 User Guide Version 1.2


SecureGUARD GmbH
Industriezeile Linz Austria
2016 Secureguard GmbH

Table of Contents

Introduction Installation Software Requirements System Requirements Installation Procedure Initial Start-Up Uninstall and Repair General Information Architecture of GUI Infrastructure Features Commands Log files Feature Reference Gateway Rules Firewall Rules Publishing Rules NAT Rules Web Access Rules Rules Intrusion Detection/Intrusion Prevention (IDS/IPS) VPN Overview Client VPN Site 2 Site Network Interfaces Teaming Routing Table Toolbox Network Computers Protocols IPS Actions Web Listeners URL Permission Sets Scan Rules Spam Rule Sets Monitoring Firewall Log System License Operation Settings Glossary

1. Introduction

This document provides guidance for configuring and managing the Communication Gateway 2015 (hereafter called "CG2015") by SecureGUARD (hereafter called "SG"). CG2015 consists of the following components:

- SG Management System
- SG Firewall Engine

The following features are included in the current version of the SG Management:

- IPv4/IPv6 stateful inspection engine
- Full NAT support
- Forward firewall functionality
- Publishing of web content and Microsoft Exchange Server
- Configuration of Client- and Site-to-Site-VPN
- Configuration of network interfaces
- Creation and configuration of NIC teams
- Web access restrictions
- Malware and SPAM filter for s

2. Installation

1 Software Requirements

Make sure the system meets the following requirements before starting the installation of CG2015:

Windows Server 2012 R2 Standard (EN) or Windows Server 2012 R2 Datacenter (EN)

NOTE: Only an installation with GUI is supported!

Please update the system with the latest Windows updates. If this is not possible, at least these updates are required for the installation of CG2015:

KB : (10.2 MB)
KB : (10.3 MB)
KB : (690 MB)

NOTE: If an installation of IKARUS gateway.security exists on the machine, the existing version will be replaced with the version used in the CG2015 installer. The old securityproxy.conf file will be copied to the folder conf.old in the IKARUS installation folder.

Due to Microsoft Windows Server dependencies, a physically connected network adapter link is mandatory! Otherwise the system will enter an undefined state and will not work correctly!

2 System Requirements

Processor: min. 1.4 GHz 64-bit processor
RAM: min. 4GB
Disk Space: min. 64GB
Network: min. 1 Gigabit Ethernet Adapter

NOTE: If the product is used in a single NIC adapter scenario, only Web-Proxy capabilities are supported!

3 Installation Procedure

To install CG2015, local administrative privileges are required.

Read carefully and accept the license terms and conditions.

NOTE: The setup may take some time; please wait for it to finish.

4 Initial Start-Up

On the first install, a 30-day evaluation license for CG2015 is activated. For this activation, access via HTTPS to products.secureguard.at is necessary, and the name products.secureguard.at has to be resolvable. For the transfer of the data from the SG Management to the working units for each module port is used.

5 Uninstall and Repair

The CG2015 installation can be uninstalled or repaired through the Programs and Features section in the Control Panel, or by starting the CG2015 installer file again. Please note that the uninstall procedure does not uninstall third-party software or roles and features which were installed by the CG2015 installer. The Windows settings made by CG2015 are not reverted either (e.g. entries in the Windows Firewall).

3. General Information

1 Architecture of GUI

After finishing the installation, the SG Management software can be started with the SG Management shortcut on the desktop. The SG Management main window consists of three sidebars and the main panel. The sidebars can be collapsed by clicking on the arrow in the vertical middle of the bar.

In the upper left corner is a button bar. Depending on whether a server is connected or not, different buttons are shown:

- Add a server to the infrastructure (this function is not available yet)
- Remove the selected server from the infrastructure
- Connect the server
- Refresh (reloads the entire configuration)
- Disconnect the server
- Export the current configuration as an XML file
- Import a configuration from a previously exported XML file

1 Infrastructure

At startup the SG Management is not connected to a server.

Connect
A connection to a server can be established by selecting the server and either pressing the connect button or selecting connect in the context menu of the server. For the communication between SG Management and the server TCP port is used.

Disconnect
To disconnect an existing connection, either the disconnect button or the disconnect item of the context menu can be used.

2 Features

As soon as a connection is established, there is an entry for each available feature in this sidebar. When a feature is selected, its settings are shown in the main panel. A detailed explanation of each feature can be found in the chapter Feature Reference.

3 Commands

This sidebar is only shown if a feature is selected and the feature has specific commands for the sidebar. The commands are split into command groups. Although there are different commands for each specific feature, similar commands are used in multiple features.

Item Tasks
Item Tasks are referred to as Rule Tasks, Network Tasks, Computer Tasks, etc., depending on the selected feature. The object of the specific feature is referred to as "item" in the explanation below.

Create Item
By pressing this button a dialog for creating the specific item appears.

Edit Selected Item
This button is enabled as soon as an item is selected. By clicking this button a dialog for editing the settings of the selected item appears. This dialog is filled with the data of the selected item. The data can be modified and saved in order to change settings.

Delete Selected Item
This button is enabled as soon as an item is selected. By pressing this button the selected item will be removed. If the selected item is referenced by another feature, the deletion is prevented and a warning appears.

Order Tasks
In some features the order of the items is important. Therefore there are commands for changing the order and sorting the rule set.

Move Selected Item Up
This button is enabled if an item is selected which has an order number. By clicking this button the selected item will be moved upwards.

Move Selected Item Down
This button is enabled if an item is selected which has an order number. By clicking this button the selected item will be moved downwards.

Create Separator
By clicking this button a dialog for creating a separator appears. Enter the label for the separator.

Delete Selected Separator
This button is enabled as soon as a separator is selected. By clicking this button the selected separator will be removed.

Misc Task

Hide Full Rule Set

If this button is pressed, only built-in items and items created by the user are shown. Items created by the SG Management for internal use are hidden.

Show Full Rule Set
If this button is clicked, all items are shown, including built-in items, items created by the user and items created by the SG Management for internal use.

4 Log files

The log files of the SG Management are stored in the PL subfolder of the SG Management installation directory. This log file is used for debugging and support cases only. For the directory of the firewall logs see chapter Edit Logging Settings. For the log directory of the snort intrusion detection see chapter Intrusion Detection.

4. Feature Reference

This chapter describes the different features with their specific functionalities.

1 Gateway Rules

1 Firewall Rules

Under Firewall Rules, rules for the SecureGUARD Firewall Engine (local and forward firewalling) can be created, modified and removed.

Changes to the configuration made outside the SG Management (e.g. by creating or modifying local firewall rules using the Windows Firewall GUI) are not supported and may result in unexpected behavior.

Create Firewall rule
By pressing this button a dialog for creating a firewall rule appears.

Name
Specifies the name of the rule.

Description
Specifies a description for the rule.

Enabled
Specifies whether the rule is enabled or not.

Firewall Action
Specifies whether the rule blocks or allows communication between source and destination.

Source
Specifies the source for the firewall rule. The source can be a computer, a computer set, a network or a network set.

Destination
Specifies the destination for the firewall rule. The destination can be a computer, a computer set, a network or a network set.

Protocol conditions

Specifies the protocols for which the rule applies.

Application Filters
Application Filters make it possible to inspect network traffic on OSI Layer 7 (Application Layer). The CG provides an API for intercepting, analyzing and modifying network traffic on this layer. At the moment the following Application Filters are available on the CG and are described in further detail below:

- FTP Application Filter
- DNS Application Filter

To define an Application Filter, the protocol which references the Application Filter has to be added to a Firewall Rule's Protocol Condition. A new section then appears where the Application Filter can be configured.

FTP Application Filter
The FTP Application Filter Configuration is used to validate the FTP protocol. Only FTP commands that are listed in the corresponding RFC are allowed. The FTP Application Filter supports active and passive FTP. Instead of allowing "any" ports, only the FTP command channel (TCP port 21) needs to be allowed. Data connections are added dynamically to the firewall rule set.

FTP Filter Type
Specifies whether the FTP Application Filter should support active, passive or both types of FTP connections.

Connection Timeout

The timeout for the FTP connection in seconds.

DNS Application Filter
The DNS Application Filter is used to validate and filter DNS packets by special criteria. At the moment only UDP packets can be monitored with the DNS Application Filter.

Black- and Whitelist
In this list, filters for DNS packets can be defined with different criteria. Filter types can be Domains, RR Types and OpCodes. The selected values can either be blocked or allowed. Please note that the Default Actions (defined in the default settings) apply to cases that are not defined.

Type
Type of the filter. Type can be Domain, RR (Resource Record) Type or OpCode.

Value

Value of the filter. Depends on the selected Type.

Action
Choose whether the filter should block or allow.

Default Settings of Black- and Whitelist
In the Default Black/Whitelist Settings, the default actions for the different filter criteria can be set, as well as the order in which the Black/Whitelist is processed for a decision.

Black-/Whitelist Order
The order in which the Black-/Whitelist is processed.

Default OpCode Action
The default action for OpCodes that are neither whitelisted nor blacklisted.

Default RR Type Action
The default action for Resource Record Types that are neither whitelisted nor blacklisted.

Default Domain Action
The default action for Domains that are neither whitelisted nor blacklisted.

Mappings
In the mappings, self-defined DNS answers can be generated. For a DNS request that matches, a host gets the defined answer directly from the gateway. Please note that the DNS packet must be allowed by the Black/Whitelist in the first place.

From
The domain which shall be mapped.

To
The IP address which shall be mapped.

Edit Selected Firewall Rule
By pressing the button a dialog similar to the dialog for creating firewall rules will appear. The dialog is prefilled with the data from the selected rule, which can be edited.

Delete Selected Firewall Rule
By pressing this button the selected rule will be deleted.

Firewall Settings

Edit General Settings
Dialog for modifying the general firewall settings.

Keep-Alive Timeout
After a connection is idle for the specified amount of time, the connection is reset. The value has to be between 1 and 60 seconds.

Max. Connections
Specifies the maximum number of allowed connections. The value has to be between 1 and (2^64)-1.

Edit Connection Settings
Dialog for modifying the connection table settings of the firewall.

Cleanup Time Interval
Specifies the time interval for cleaning unused resources and freeing up memory. The value has to be between 1 and (2^64)-1 seconds.

Edit Logging Settings
Dialog for modifying the logging settings of the firewall.

Log Allowed Traffic
Determines whether allowed connections are logged.

Log Blocked Traffic
Determines whether blocked connections are logged.

Enable Audit Policy for firewall connections
Audit logs for the Windows Filtering Platform (local firewall logs).
Attention: A manual system reboot is required to activate changes of Audit Policy for firewall connections after the apply process.

Enable Audit Policy for IPSEC connections
Audit logs for IPSEC.

Attention: A manual system reboot is required to activate changes of Audit Policy for IPSEC connections after the apply process.

Lower Element Threshold
Resume logging if the number of queued elements drops below this value. The value has to be between 1 and (2^64)-1.

Upper Element Threshold
Stop logging if the logging queue contains more elements than this value. The value has to be between 1 and (2^64)-1.

Local Log Directory
Directory where the firewall logs are stored.

Edit Timeout Settings

TCP Connecting Timeout
When an attempt to create a new TCP connection is started, a SYN message is sent. This timeout specifies the maximum amount of time between the first SYN and the point at which the connection is fully established (after a successful handshake). The value has to be between 1 and (2^64)-1 seconds.

TCP Established Timeout
This timeout specifies the maximum amount of time from the last successfully received / sent packet before the connection is blocked. The value has to be between 1 and (2^64)-1 seconds.

TCP Closed Timeout
Specifies the maximum amount of time that transmitted data may remain unacknowledged before TCP will forcefully close the corresponding connection.

Specifies the maximum amount of time from the time a FIN packet was sent until the connection is closed. The value has to be between 1 and (2^64)-1 seconds.

UDP New Timeout
When an attempt to create a new UDP connection is started, the first packet is sent. Because an answer is expected, the firewall needs to allow the connection for the answer for this amount of time. The value has to be between 1 and (2^64)-1 seconds.

UDP Established Timeout
Specifies the amount of time from the last successfully received/sent packet before the UDP connection is blocked. The value has to be between 1 and (2^64)-1 seconds.

ICMP Reply Timeout
Because ICMP isn't a stateful protocol, operations performed with ICMP have reply operations. If an echo message is sent via ICMP, the firewall allows the reply for the specified amount of time. The value has to be between 1 and (2^64)-1 seconds.

PPTP Established Timeout
Specifies the amount of time from the last successfully received/sent packet before the PPTP connection is blocked. The value has to be between 1 and (2^64)-1 seconds.

IPSec Established Timeout
Specifies the amount of time from the last successfully received/sent packet before the IPSec tunnel is closed. The value has to be between 1 and (2^64)-1 seconds.

GENERAL New Timeout
When an attempt to create a new connection with any protocol (except those for which a specific timeout is set) is started, the first packet is sent. Because an answer is expected, the firewall needs to allow the connection for the answer for this amount of time. The value has to be between 1 and (2^64)-1 seconds.

GENERAL Established Timeout
Specifies the amount of time from the last successfully received/sent packet before the connection is blocked, for any protocol (except those for which a specific timeout is set). The value has to be between 1 and (2^64)-1 seconds.

Edit Fallback Configuration

Fallback Mode
Specifies the fallback configuration of the firewall in case the firewall services are down. Note that these settings only apply to routed traffic. Local traffic is still handled by the Windows Filtering Platform in fallback mode.

Block all routed traffic
All routed traffic will be blocked.

Allow all routed traffic
All routed traffic will be allowed. Please note that Network Address Translation (NAT) is not available in fallback mode. This setting is not recommended for security reasons.

Edit Flood Mitigation Settings
When the connection limit for connections of a given protocol (TCP/UDP/ICMP or generic) is reached for a sender IP address, no additional connections of this protocol are allowed for this sender IP address. For flood mitigation to be useful in practice, the defined connection timeouts of the corresponding protocols are crucial. The cleanup interval of the connection table is also important, because new connections can be established after the periodic cleanup.

Flood Mitigation Mode
Flood Mitigation Mode can be set.

Enabled
Enables the Flood Mitigation mechanism in the firewall engine. The settings below become effective.

Disabled

Disables the Flood Mitigation mechanism in the firewall engine.

Max Concurrent TCP Connections
Concurrent TCP connections per source IP address. The value has to be between 1 and (2^64)-1.

Max Concurrent UDP Connections
Concurrent UDP connections per source IP address. The value has to be between 1 and (2^64)-1.

Max Concurrent Generic Connections
Concurrent Generic connections per source IP address. The value has to be between 1 and (2^64)-1.

Max Concurrent ICMP Connections
Concurrent ICMP connections per source IP address. The value has to be between 1 and (2^64)-1.

Hide Full Rule Set
If this button is pressed, only built-in firewall rules and firewall rules created by the user are shown. Firewall rules of the Windows Firewall and firewall rules created by the SG Management for internal use are hidden.

Show Full Rule Set
If this button is clicked, all firewall rules are shown, including built-in firewall rules, firewall rules of the Windows Firewall, firewall rules created by the user and firewall rules created by the SG Management for internal use.

2 Publishing Rules

In this feature rules for publishing content can be created, modified or removed.

Changes to the configuration made outside the SG Management are not supported and may result in unexpected behavior.

Create Web Publishing Rule
For publishing web sites a web publishing rule is needed. By pressing this button a dialog for creating web publishing rules appears.

Name
Name of the Site / Farm to publish.

Enabled
Specifies whether the rule is enabled or not.

Web Listener
The listener defines the binding for the site (see chapter Web Listeners).

Rule Type
The type of the publishing rule. This value cannot be changed.

Source
Specifies the sources the requests are coming from.

Endpoint
Specifies the endpoint for the site or service to be published (e.g. IP address / FQDN of the web server).

Authentication Delegation
Specifies how the authentication is handled and forwarded to the published site.

Authentication
Specifies whether form-based authentication, basic authentication or no authentication is required from an external client.

Authentication Delegation
Specifies whether basic authentication or anonymous authentication is forwarded to the published site or service.

Access Groups
Specifies the user groups from Active Directory which are allowed to access the published site or service.

Paths
Specifies the assignment between the external and the internal paths, to map paths that may be specified in requests for the published web site to the paths on the published web server.

Example:

External path: /externalpath/*
Internal path: /internalpath/*

Path Restrictions
Restricts access to endpoint URL paths (e.g. Block /admin; Allow /public/.*). Please note: Block entries will always be triggered before allow entries regardless of rule order.

Link Translation
By defining link translations, absolute links on web pages are replaced for defined MIME types.

Map
Define the string to be replaced. Typically this string contains the name of an internal site or server that is inaccessible to external clients.

Replace With
Define the string that will replace the mapped string. Typically this text contains the name of a host that is accessible to external clients, such as the fully qualified domain name (FQDN) of the CG machine.

Content type
Specifies the MIME type for which the mapped value should be replaced.

Additional information
After the publishing rule is created and configured, the necessary firewall rules are created automatically.
Attention: Be careful when modifying rules. Files in the inetpub/wwwroot directory of the IIS will be deleted during the apply process.

Create Exchange Publishing Rules
With an Exchange Publishing Rule, internal Exchange Servers or Server Farms can be published.

Name
Name of the Site / Service Farm to publish.

Enabled
Specifies whether the rule is enabled or not.

Web Listener
The listener defines the binding for the site.

Rule Type
The type of the publishing rule. This value cannot be changed.

Source
Specifies the sources the requests are coming from.

Endpoint
Specifies the endpoint for the Exchange Server or Farm to be published (e.g. IP address / FQDN of the web server).

Authentication Delegation
Specifies how the authentication is handled and forwarded to the published site.

Authentication
Specifies whether form-based authentication, basic authentication, NTLM Pass-Through or no authentication is required from an external client.

Authentication Delegation
Specifies whether basic authentication, NTLM authentication or anonymous authentication is forwarded to the published site or service. This value depends on the Authentication setting, so not all options of authentication delegation are available for every authentication.

Access Groups
Specifies the user groups from Active Directory which are allowed to access the published site or service.

Paths
Specifies the assignment between the external and the internal paths, to map paths that may be specified in requests for the published web site to the paths on the published web server.

Example:
External path: /externalpath/*
Internal path: /internalpath/*

Path Restrictions
Restricts access to endpoint URL paths (e.g. Block /admin; Allow /public/.*). Please note: Block entries will always be triggered before allow entries regardless of rule order.

Link Translation
By defining link translations, absolute links on web pages are replaced for defined MIME types.

Map
Define the string to be replaced. Typically this string contains the name of an internal site or server that is inaccessible to external clients.

Replace With
Define the string that will replace the mapped string. Typically this text contains the name of a host that is accessible to external clients, such as the fully qualified domain name (FQDN) of the CG machine.

Content type
Specifies the MIME type for which the mapped value should be replaced.

Additional information
After the publishing rule is created and configured, the necessary firewall rules are created automatically.
Attention: Be careful when modifying rules. Files in the inetpub/wwwroot directory of the IIS will be deleted during the saving process.

Edit Selected Publishing Rule
By pressing this button a dialog similar to the dialog for creating the rule will appear. The dialog is prefilled with the data from the selected rule, which can be edited.

Delete Selected Publishing Rule
By pressing this button the selected rule will be deleted.
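The Path Restrictions note for web and Exchange publishing rules (block entries are triggered before allow entries regardless of rule order) can be checked against a planned rule set before it is applied. The following model is an added example, not SecureGUARD code. It assumes that patterns are regular expressions matched against the whole request path and that the outcome for a path no entry matches must be supplied by the caller, because the guide states neither; the names PathRestriction, decide and shadowed_allows are hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRestriction:
    action: str   # "block" or "allow"
    pattern: str  # regular expression; ASSUMED to match the whole path


def _matches(entry, path):
    return re.fullmatch(entry.pattern, path) is not None


def decide(restrictions, path, *, default):
    """Return "block" or "allow" for a request path.

    All block entries are consulted before any allow entry, whatever their
    position in the list. `default` is the caller's assumption for paths
    that no entry matches.
    """
    for wanted in ("block", "allow"):
        for entry in restrictions:
            if entry.action == wanted and _matches(entry, path):
                return wanted
    return default


def shadowed_allows(restrictions, probe_paths):
    """List probe paths that an allow entry matches but a block entry overrides.

    Each finding is (path, allow_pattern, block_pattern), so an administrator
    can see which allow entry does not take effect for that path.
    """
    findings = []
    for path in probe_paths:
        allows = [e for e in restrictions if e.action == "allow" and _matches(e, path)]
        blocks = [e for e in restrictions if e.action == "block" and _matches(e, path)]
        if allows and blocks:
            findings.append((path, allows[0].pattern, blocks[0].pattern))
    return findings


# Constructed rule set. The allow entry is listed first on purpose to show
# that list position does not give it priority over the block entries.
RULES = [
    PathRestriction("allow", r"/public/.*"),
    PathRestriction("block", r"/admin"),
    PathRestriction("block", r"/public/internal/.*"),
]

# Constructed probe paths an administrator expects to be reachable.
PROBES = ["/public/index.html", "/public/internal/report.pdf"]

if __name__ == "__main__":
    for p in ["/public/index.html", "/public/internal/report.pdf",
              "/admin", "/admin/users"]:
        print(p, "->", decide(RULES, p, default="block"))
    print(shadowed_allows(RULES, PROBES))
```

Under the whole-path assumption the entry Block /admin does not cover /admin/users, so that path falls through to the default; confirm on a test rule how the gateway anchors patterns before relying on a short block entry.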

3 NAT Rules

In this feature NAT rules can be created, modified or removed.

Create NAT rule
By pressing this button, a dialog for creating a NAT rule will appear. Network Address Translation (NAT) replaces IP addresses to protect the identity of a network and hide addresses of one network from another.

Name
Name of the NAT rule.

Description
Specifies a description for the rule.

Enabled
Specifies if the rule is enabled / disabled.

NAT Mode
Specifies whether NAT, Hide NAT, route-based Hide NAT or proxy NAT is used.

NAT
If NAT is selected, the addresses and/or ports are translated using static NAT.

Hide NAT
If Hide NAT is selected, the source address of outgoing packets is replaced with the external IP address of the Communication Gateway. The port is replaced with a dynamically assigned port, and the assignment of the original source address to the dynamically assigned port is saved. When the reply to a packet arrives, the destination address of the packet is replaced with the address that is assigned to the port. Hide NAT is used e.g. for Web Proxy capabilities. For Hide NAT at least one Translation Source Address is required.

RouteBasedHideNAT
Route based Hide NAT is an extended version of Hide NAT. If multiple internal interfaces are connected to the Communication Gateway, there may be interfering IP ranges for the networks represented by those interfaces. Therefore the destination conditions of the NAT rules are interfered with the defined routes for each interface. For NICs with corresponding routes, the routes are added to the NAT table beside the normal entry, to allow answer packets (answers from the external network) to be translated and sent back to the right interface. No Translation Source Addresses have to be specified, because they are chosen automatically.

ProxyNAT
If a transparent proxy is configured, the traffic of a source network to a destination network should be routed via the integrated Web-Proxy. Therefore ProxyNAT replaces the destination IP address with the IP address of the Web-Proxy. Because browsers resolve the domain name of a website to an IP address but write the domain name to the HTTP Host header, the proxy is able to redirect the traffic to the requested website. No Translation Destination Addresses have to be specified, because they are chosen automatically.
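The Hide NAT behaviour described above (source address replaced by the gateway's external address, a dynamically assigned port, and the saved assignment used to translate the reply) is modelled below as an added example; it is not SecureGUARD code. The class HideNat, its port pool and the documentation addresses are assumptions made for illustration, and the model covers the two cases the description implies: two inside hosts using the same source port, and a packet arriving on a port with no saved assignment.

```python
class HideNat:
    """Toy model of a Hide NAT translation table (illustrative only)."""

    def __init__(self, external_ip, first_port, last_port):
        self.external_ip = external_ip
        # Pool of external ports that can be assigned dynamically (assumed range).
        self.free_ports = list(range(first_port, last_port + 1))
        self.by_flow = {}  # (proto, inside_ip, inside_port) -> external port
        self.by_port = {}  # (proto, external port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns the rewritten 5-tuple."""
        flow = (proto, src_ip, src_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            if not self.free_ports:
                # Every external port is in use: no further flows can be hidden.
                raise RuntimeError("Hide NAT port pool exhausted")
            ext_port = self.free_ports.pop(0)
            self.by_flow[flow] = ext_port
            self.by_port[(proto, ext_port)] = (src_ip, src_port)
        return (proto, self.external_ip, ext_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply; returns None when no assignment was saved."""
        inside = self.by_port.get((proto, dst_port))
        if dst_ip != self.external_ip or inside is None:
            return None
        return (proto, src_ip, src_port, inside[0], inside[1])

    def release(self, proto, src_ip, src_port):
        """Forget a flow (e.g. after its timeout) and return its port to the pool."""
        ext_port = self.by_flow.pop((proto, src_ip, src_port), None)
        if ext_port is not None:
            del self.by_port[(proto, ext_port)]
            self.free_ports.append(ext_port)
        return ext_port


if __name__ == "__main__":
    # Constructed sample: documentation/private addresses, tiny port pool.
    nat = HideNat("203.0.113.10", 40000, 40001)
    print(nat.outbound("tcp", "192.168.1.10", 51000, "198.51.100.5", 443))
    print(nat.outbound("tcp", "192.168.1.11", 51000, "198.51.100.5", 443))
    print(nat.inbound("tcp", "198.51.100.5", 443, "203.0.113.10", 40001))
    print(nat.inbound("tcp", "198.51.100.5", 443, "203.0.113.10", 40002))
```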

Network conditions
Specifies for which connections the NAT rule should be applied.

From
Specifies the source network condition.

To
Specifies the destination network condition.

Protocol conditions
Specifies for which protocols the NAT rule should be applied.

Network translation

Translation Source
Specifies how the source IP address is translated.

Translation Destination
Specifies how the destination IP address is translated.

Protocol translation
If protocol translation is enabled, the destination ports are translated for NAT. The defined ports of the selected protocol will be used as destination ports.
Attention: Only TCP and UDP protocols can be used for protocol translation.

Edit Selected NAT Rule
By pressing this button a dialog similar to the dialog for creating the rule will appear. The dialog is prefilled with the data from the selected rule, which can be edited.

Delete Selected NAT Rule
By pressing this button the selected rule will be deleted.

Hide Full Rule Set
If this button is pressed, only NAT rules created by the user are shown. NAT rules created by the SG Management for internal use are hidden.

Show Full Rule Set
If this button is clicked, all NAT rules are shown, including NAT rules created by the user and NAT rules created by the SG Management for internal use.

4 Web Access Rules

In this feature web access rules for allowing or blocking specific content can be created, modified or removed.

Configuration changes made outside the SG Management are not supported and may result in unexpected behavior.

Create Web Access Rule
By pressing this button a dialog for creating a web access rule appears.

Name
Name of the web access rule.

Enabled
Specifies whether the rule is enabled or not.

Rule Mode
Specifies whether a proxy is used and whether the firewall rules and NAT rules should be created by the SG Management or by the user.

Manually create FW and NAT rules
By selecting this mode, firewall rules and NAT rules have to be created by the user.

Proxy
Allow / block web access using an explicit proxy.
Attention: If you are using an explicit proxy, all clients need to be configured properly in order for the web access rule to work.

Transparent
Allow / block web access using a transparent proxy. Firewall and NAT rules will be generated automatically. Please note that HTTPS URL filtering is not supported with transparent mode. If necessary, please use proxy functionality for HTTPS URL filtering.

Proxy and Transparent
Allow / block both transparent and explicit proxy. Firewall and NAT rules will be generated automatically. Please note that HTTPS URL filtering is not supported with transparent mode. If necessary, please use proxy functionality for HTTPS URL filtering.

Action
Specifies whether the web access is blocked or allowed.

Authentication Method
Specifies how users have to authenticate in order to gain web access.

URL Permission Set
Specifies the URL permission set for the web access rule.

Source
Determines the source for the web access rule. The source can be a computer, a computer set, a network or a network set.

Destination
Determines the destination for the web access rule. The destination can be a computer, a computer set, a network or a network set. By default the built-in network External is selected.

Protocol Conditions
Specifies the protocols for the web access rule. By default the protocols HTTP and HTTPS are selected.

Users/Groups
Specifies for which users / groups the rule applies.

Enable Anti Virus
Enable / disable Anti-Virus.

LDAP Authentication
Specifies the LDAP URL and user for authentication.

LDAP URL
The LDAP URL as defined by RFC

Authentication
Depending on whether Anonymous or Simple is selected, queries from anonymous or queries from a specific user will be allowed.

DN for user
Specifies the DN name to be used for authentication.

Password

The password for LDAP authentication.

HTTP Proxy
Specifies the addresses and ports on which to listen for client requests.

Address
Specifies a local IP address on which to listen for client requests.

Port
Specifies the ports on which to listen for client requests.

Next Proxy
Settings for using a downstream proxy server.

HTTP Server

The IP address of the downstream proxy to route HTTP requests to.

HTTP Port
The port that the downstream proxy's HTTP proxy runs on.

FTP Server
The IP address of the downstream proxy to route FTP requests to.

FTP Port
The port that the downstream proxy's FTP runs on.

HTTPS Server
The IP address of the downstream proxy to route HTTPS requests to.

HTTPS Port
The port that the downstream proxy's HTTPS proxy service runs on.

Username
Username, if the proxy server requires authentication.

Password
Password, if the proxy server requires authentication.

Excluded Domains
This list includes all domains that will not be routed to the downstream proxy.

Edit Selected Web Access Rule
By pressing this button a dialog similar to the dialog for creating the rule will appear. The dialog is prefilled with the data from the selected rule, which can be edited.

Delete Selected Web Access Rule
By pressing this button the selected rule will be deleted.

Edit Global Proxy Settings
Enable Proxy Management Module: Enables / disables the proxy management module in the SG Management. By disabling this checkbox, Web Proxy settings can't be configured via SG Management any longer. These have to be configured via the IKARUS Web GUI (can be found under Use the user root and the default password Secureguard1 to log in. If you have changed the IKARUS configuration manually and you want to use the Proxy Management Module again, set the IKARUS management user back to root and the password to Secureguard1 before you enable the module.
GENERAL
Communication Hostname: Will be used for SMTP status messages (e.g. HELO answers). If not set, the hostname of the system will be used for this purpose.
PATHS
Quarantine Path: Folder to store malicious mail attachments or SPAM mail.
DB Files Path: Folder for storing database files.
Temporary Folder: Temporary files folder.
AUTOMATED E-MAILS
Sender Address: Sender address used for automatic e-mails.

Hide Permission Details: If this button is pressed, only the name of a permission set of the web access rule is shown. Detailed information about the permission sets is hidden.
Show Permission Details: If this button is clicked, detailed information about the permission sets is shown. This information contains allowed/blocked URLs, URL categories or a general block/allow.

5 Rules
In this feature the settings for the mail proxy services can be configured. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior. After configuring settings, please create all necessary firewall rules manually in feature Firewall Rules.

SMTP
Enable SMTP server: Enable / disable the SMTP mail transfer agent.
Queuing path

Queuing path: Path to where e-mail is queued. Specify a path relative to the IKARUS gateway.security installation folder as value.
SMTP Listener
Listen-on address: The IP address of the SMTP service. Specifying the address will bind the service to all available network interfaces.
Port: The port that the SMTP service runs on (by default 25).
Create SMTP Routes: Routes are used to apply Scan Rules to traffic coming in from, or going out to, a defined network. They are checked in order against the current connection. The first matching route is used and its settings are applied to the connection.
Type: There are several types of routes: Client IP, LDAP, Mailbox-File, Target-Domain /
Client IP

Client IP address, or mask.
LDAP: Identify the mailbox to be routed by an LDAP string. Example for with the password mypassword: ldap://cn=readonlyuser,cn=users,dc=test,dc=local:mypassword@dc.test.local/dc=test,dc=local?proxyaddresses?sub (proxyaddresses=smtp:*)
Mailbox-File: File containing a list of domains or addresses. The path can be either absolute or relative to the application folder of the IKARUS gateway.security installation.
Target-Domain /: Valid domain or an address.
Scan Rules: Scan rules allow for handling content in an elaborate way to identify, mark and handle malicious mail content or SPAM.
Direction: Make a route inbound, outbound or standard (bidirectional).
Greylisting: For an inbound route, Greylisting can be activated.
SPF: For an inbound route, SPF (Sender Policy Framework) can be activated. SPF is a validation system for e-mail to detect spoofing.
Forwarding: Determines how the e-mail is routed. Host: allows specifying either the target host IP address or a resolvable computer name. MX: tries to deliver the message to the default mail exchanger based on the receiver indicated in the SMTP envelope.
Host: Specifies the target host IP address or resolvable computer name that the mails are routed through.
Edit Selected Connection: By pressing this button, a dialog similar to the dialog for creating an SMTP route will appear. This dialog is prefilled with the data from the selected SMTP route, which can be edited.

Delete Selected Connection: By pressing this button, the selected SMTP route will be deleted.
Edit Greylisting Settings: By pressing this button, a dialog will appear. This dialog presents the Greylisting Settings.

Greylisting Global Settings
The term greylisting denotes a method for detecting mail transfer agents (MTAs) that are used for delivering spam e-mails. Mail traffic will only be forwarded if the MTA passes the greylisting check. Trustworthy MTAs are expected to work according to RFC 821. This means that the sender tries to resend e-mails within a certain time span in case they are rejected by the receiver.
Delay [sec]: The SMTP server will not accept a message for the specified amount of time. An ordinary SMTP server will try to resend the message, whereas SPAM will mostly not be resent. Therefore most SPAM can be filtered this way. The sender of the rejected message will be added to the greylist.
Timeout [sec]: Maximum time frame after which a greylisted message will not be accepted anymore.
Timespan for temporary whitelisting: If this parameter is set to a value greater than zero, temporary whitelisting is enabled. If a message passes the greylisting test, it is added to the temporary whitelist. Addresses added to this list remain on it for the timespan defined here. After this period of time has expired, connections from this address will be subjected to the greylisting check again.
Greylisting Permanent Whitelist: This list includes mail-server IP addresses, domain names and for which the greylisting function is never applied.
Edit Incoming Settings: By pressing this button, a dialog will appear. This dialog presents the Incoming Settings.
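The interaction of the three greylisting parameters and the permanent whitelist described above can be traced with a small model. This is an added example, not code from the product or from IKARUS; keying the lists on the connecting IP address, the parameter values and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    delay: int                # "Delay [sec]"
    timeout: int              # "Timeout [sec]"
    temp_whitelist: int = 0   # "Timespan for temporary whitelisting", 0 = disabled
    permanent: frozenset = frozenset()              # "Greylisting Permanent Whitelist"
    first_seen: dict = field(default_factory=dict)  # sender -> time of first rejected attempt
    passed_at: dict = field(default_factory=dict)   # sender -> time the check was passed

    def check(self, sender, now):
        """Decide one delivery attempt; returns (accepted, reason)."""
        if sender in self.permanent:
            return True, "permanent whitelist"

        passed = self.passed_at.get(sender)
        if passed is not None:
            if now - passed <= self.temp_whitelist:
                return True, "temporary whitelist"
            del self.passed_at[sender]      # expired: greylisting applies again

        first = self.first_seen.get(sender)
        if first is None:
            self.first_seen[sender] = now   # first contact: temporary rejection
            return False, "greylisted"

        age = now - first
        if age < self.delay:
            return False, "retry before delay elapsed"
        if age > self.timeout:
            self.first_seen[sender] = now   # stale entry: the sender starts over
            return False, "retry after timeout"

        del self.first_seen[sender]
        if self.temp_whitelist > 0:
            self.passed_at[sender] = now
        return True, "passed greylisting"


# Constructed sample traffic: (seconds since start, connecting IP address).
EVENTS = [
    (0,     "192.0.2.10"),    # compliant MTA, first attempt
    (10,    "198.51.100.7"),  # sender that does not retry in time
    (20,    "203.0.113.5"),   # partner on the permanent whitelist
    (60,    "192.0.2.10"),    # retry that comes too early
    (400,   "192.0.2.10"),    # retry inside the accepted window
    (900,   "192.0.2.10"),    # next message while temporarily whitelisted
    (5000,  "192.0.2.10"),    # temporary whitelisting has expired
    (20000, "198.51.100.7"),  # very late retry, after the timeout
]


def replay(events, greylist):
    """Run the events in order; returns rows of (time, sender, accepted, reason)."""
    return [(t, s) + greylist.check(s, t) for t, s in events]


def demo():
    gl = Greylist(delay=300, timeout=14400, temp_whitelist=3600,
                  permanent=frozenset({"203.0.113.5"}))
    return replay(EVENTS, gl)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With temporary whitelisting set to 0, every message from a sender has to pass the delay again, which is visible by constructing `Greylist(delay=300, timeout=14400)` and replaying the same events.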

Incoming Settings
Max. incoming connections: The maximum number of concurrent incoming SMTP connections supported. When the number of connections specified here is exceeded, the proxy will send error messages to the surplus connections.
Early talker rejection delay [sec]: The number of seconds that the SMTP service waits before sending the SMTP banner. This feature blocks SPAM bots that send data in a non-compliant way, without waiting for the banner that signals that the server is ready.
Edit Outgoing Settings: By pressing this button, a dialog will appear. This dialog presents the Outgoing Settings.
Max. Outgoing connections: The maximum number of concurrent outgoing SMTP connections.
Retry Times: Specifies the retry times in minutes for sending an e-mail if something goes wrong. This value can be a single integer or a comma-separated list of integers. The valid range of a single value is between 1 and Default value is 5,10,20,60,120,120,120,240,240,240. This means a resend will be triggered after 5 minutes. If it fails, a resend will be triggered after another 10 minutes. Then after another 20 minutes,

TSMTP
Enable TSMTP Proxy: If the TSMTP proxy is enabled, the mail proxy does not store e-mails. Instead the data is exchanged between the TSMTP server and the client. If the TSMTP proxy is enabled, the incoming e-mails are checked for viruses and SPAM.
Scan Settings
Scan Rule: Select the Scan Rule Set for the TSMTP proxy.
Default target server: Specifies the alternate TSMTP server. This server will be used when the user name does not include the TSMTP server.
Server: Specifies the IP address or the host name of the default target server.
Port: Specifies the port for connecting to the default target server. The default port is port 25.
Listeners: IP address and port where the TSMTP proxy service listens for client requests. Specifying the IP address will bind the service to all available network interfaces.

POP3
Enable POP3 Proxy: If the POP3 proxy is enabled, using a proxy for unencrypted POP3 traffic is allowed. For example, messages locally requested by clients from Internet-based POP3 servers can be checked for viruses and/or SPAM.
Scan Settings: Select the Scan Rule Set for the POP3 proxy.
Default target server: Specifies the alternate POP3 server. Will be used when the user name does not include the POP3 server.
Server: Specifies the IP address or the host name of the default target server.
Port: Specifies the port for connecting to the default target server. The default port is port 110.
Listeners: IP address and port where the POP3 proxy service listens for client requests. Specifying the IP address will bind the service to all available network interfaces.
How to Configure Clients: If POP3 clients are used, the configuration settings have to be changed accordingly.

POP3 server: Enter the IP address or DNS name of the mail proxy instead of the POP3 server parameters to ensure the server contacts the mail proxy for POP3 requests.
User name: Add and the computer name or IP address of the POP3 server to the user name of the POP3 mailbox.

IMAP4
Enable IMAP4 Proxy: If the IMAP4 proxy is enabled, proxying of unencrypted IMAP4 traffic is allowed. For example, messages locally requested by clients from Internet-based IMAP4 servers can be checked for viruses and/or SPAM.
Scan Settings: Select the Scan Rule Set for the IMAP4 proxy.
Default target server: Specifies the alternate IMAP4 server. Will be used when the user name does not include the IMAP4 server.
Server: Specifies the IP address or hostname of the default target server.
Port: Specifies the port for connecting to the default target server. The default port is port 143.
Listeners

IP address and port where the IMAP4 proxy service listens for client requests. Specifying the IP address will bind the service to all available network interfaces.
How to Configure Clients: If IMAP4 clients are used, the configuration settings have to be changed accordingly.
IMAP server: Enter the IP address or DNS name of the mail proxy instead of the IMAP4 server parameters to ensure the server contacts the mail proxy for IMAP4 requests.
User name: Add and the computer name or IP address of the POP3 server to the user name of the POP3 mailbox.

NNTP
In addition to SMTP, POP3 and IMAP, the Network News Transfer Protocol (NNTP) is also available.
Enable NNTP Proxy: If the IMAP4 proxy is enabled, proxying of unencrypted NNTP traffic is allowed. For example, messages locally requested by clients from Internet-based NNTP servers can be checked for viruses and/or SPAM.
Scan Settings: Select the Scan Rule Set for the NNTP proxy.
Default target server: Alternate NNTP server. Will be used when the user name does not include the NNTP server.
Server

Specifies the IP address or hostname of the default target server.
Port: Specifies the port for connecting to the default target server. The default port is port 119.
Listeners: IP address and port where the NNTP proxy service listens for client requests. Specifying the IP address will bind the service to all available network interfaces.

6 Intrusion Detection/Intrusion Prevention (IDS/IPS)
For Intrusion Detection a free and open source tool named Suricata is used. Due to some major advantages it replaces the tool Snort, which was used formerly (in Version 1.0). The SG Management offers a GUI for defining the actions to be performed when the tool detects an intrusion, according to the different IPS Categories. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior.
Enable Intrusion Prevention System (IPS): If Intrusion Prevention System (IPS) is enabled, the IDS tool will be started with the given configuration. If IPS is enabled, the categories and the corresponding actions can be configured. At least one Listening Adapter must be configured for IPS to work.
Edit Selected IPS Category: The selected IPS Category will be opened.

The IPS Category itself cannot be edited, but the corresponding list of actions for the category can be managed.
Name: The name of the IPS Category.
Description: Specifies the description of the IPS Category.
Threat Level: Specifies the threat level of the IPS Category (High, Medium, Low, Informational).
IPS Actions: This is the list of IPS Actions corresponding to the currently selected IPS Category. The list of actions will be performed step by step when the IPS Category matches a connection. If the list of actions is empty, no action will be performed.
Edit IPS Listening Adapters
Listening Adapters: The selected interfaces will be inspected by IDS/IPS. All adapters that are not defined in the list are excluded from IDS/IPS!

Edit IPS Whitelists: In this window you can define Computers or Networks which shall be ignored by IDS/IPS. The whitelists consist of a Source Whitelist and a Destination Whitelist. If the source IP address of a connection matches the Source Whitelist OR the destination IP address of a connection matches the Destination Whitelist, IDS/IPS will not apply to this connection.
Source Whitelist: In this list, all the Computers and Networks can be defined which shall be ignored by IDS/IPS when they match the source IP address of the connection.
Destination Whitelist: In this list, all the Computers and Networks can be defined which shall be ignored by IDS/IPS when they match the destination IP address of the connection.
Signature ID Whitelist: In this list, all IPS Signature IDs can be defined which shall be ignored by IDS/IPS when they match the signature ID of the IDS/IPS threat. The signature ID can be read from the monitoring firewall log.
ID: The signature ID can be determined from the monitoring firewall log.
Description: This is a custom description for this whitelist entry.

2 VPN
1 Overview
VPN allows modifying all settings concerning VPN.
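Because the Source, Destination and Signature ID whitelists in the Edit IPS Whitelists section above are combined with OR, one broad entry can exempt far more traffic than intended. The following added example, which is not part of the product, counts how many alerts each whitelist entry would exempt; the alert records, signature IDs and whitelist entries are constructed samples and do not reproduce the product's log format.

```python
import ipaddress
from collections import Counter


def _first_match(addr, whitelist):
    """Return the first whitelist entry (computer or network) containing addr."""
    ip = ipaddress.ip_address(addr)
    for entry in whitelist:
        # strict=False accepts a single computer ("192.0.2.25") as well as a network.
        # An IPv4 entry never matches an IPv6 address and vice versa.
        if ip in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def exemption(alert, src_wl, dst_wl, sid_wl):
    """Return which whitelist entry exempts the alert, or None if IDS/IPS applies."""
    hit = _first_match(alert["src"], src_wl)
    if hit is not None:
        return "source " + hit
    hit = _first_match(alert["dst"], dst_wl)
    if hit is not None:
        return "destination " + hit
    if alert["sid"] in sid_wl:
        return "signature %d" % alert["sid"]
    return None


def audit(alerts, src_wl, dst_wl, sid_wl):
    """Count exempted alerts per whitelist entry and collect the inspected ones."""
    suppressed, inspected = Counter(), []
    for alert in alerts:
        reason = exemption(alert, src_wl, dst_wl, sid_wl)
        if reason is None:
            inspected.append(alert)
        else:
            suppressed[reason] += 1
    return suppressed, inspected


# Constructed whitelists (hypothetical values).
SOURCE_WHITELIST = ["10.0.0.0/8"]       # a whole internal range
DESTINATION_WHITELIST = ["192.0.2.25"]  # a single published server
SIGNATURE_WHITELIST = {9000001}         # constructed signature ID

# Constructed alert records.
ALERTS = [
    {"src": "10.1.2.3",     "dst": "203.0.113.9",    "sid": 9000002},
    {"src": "198.51.100.4", "dst": "192.0.2.25",     "sid": 9000003},
    {"src": "198.51.100.4", "dst": "192.0.2.80",     "sid": 9000001},
    {"src": "198.51.100.4", "dst": "192.0.2.80",     "sid": 9000003},
    {"src": "10.9.9.9",     "dst": "192.0.2.25",     "sid": 9000001},
    {"src": "2001:db8::5",  "dst": "2001:db8:1::25", "sid": 9000004},
]


def run():
    return audit(ALERTS, SOURCE_WHITELIST, DESTINATION_WHITELIST, SIGNATURE_WHITELIST)


if __name__ == "__main__":
    suppressed, inspected = run()
    for entry, count in suppressed.most_common():
        print(count, "alert(s) exempted by", entry)
    print(len(inspected), "alert(s) still inspected")
```

Entries at the top of the count are the ones to review first: a source network entry exempts every connection from that range, whatever its destination or signature.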

VPN Operation Mode: Set the operation mode of VPN.
Enabled: Enables VPN services. The features ClientVPN and S2SVPN become available and can be configured.
Disabled: Disables VPN services. The features ClientVPN and S2SVPN aren't available in this mode and can't be configured.

2 Client VPN
In this feature ClientVPN can be enabled and configured. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior (except configuration of DirectAccess).

Enable ClientVPN: Enable / disable ClientVPN.
Allowed groups and remote access: Select the Groups for which Client VPN access should be granted.
Authentication
Use RADIUS for authentication: Enable authentication using a RADIUS server.
Host Name: IP address (IPv4 or IPv6) or FQDN of the RADIUS server.
Port

UDP port of the RADIUS server. The default value port 1812 is based on RFC For older RADIUS servers, set the port to port
Message Authenticator: Specifies whether a message authenticator based on the shared secret is sent with each RADIUS message. Extensible Authentication Protocol (EAP) messages are always sent with a message authenticator. Make sure that the RADIUS server is capable of and configured to receive message authenticators. Select this option if the RADIUS server is running a Network Policy Server (NPS) and the RADIUS client that is configured for this server has the "Request must contain the Message Authenticator attribute" option selected.
PreSharedKey: Displays the obscured shared key that is used for the secure communication between the RRAS server and the RADIUS server. The same key has to be configured on the RADIUS server. The shared key is case-sensitive!
Use Windows Authentication: Use Windows authentication (formerly named NTLM).
Extensible authentication protocol (EAP) with smart card or other certificate: Specifies whether the server uses EAP to authenticate remote access and demand-dial connections. Select the EAP option if NAP (Network Access Protection) is used. Use NPS to configure all other NAP settings.
Microsoft encrypted authentication version 2 (MS-CHAPv2): Specifies whether the server uses the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) to authenticate remote access and demand-dial connections. MS-CHAPv2 provides mutual authentication and stronger encryption and is required for encrypted Point-to-Point (PPP) or Point-to-Point Tunneling Protocol (PPTP) connections.
Encrypted authentication (CHAP): Specifies whether the server uses the MD5 Challenge Handshake Authentication Protocol (CHAP) to authenticate remote access and demand-dial connections.
Unencrypted password (PAP): Specifies whether the server uses the Password Authentication Protocol (PAP) to authenticate remote access and demand-dial connections. During PAP authentication, passwords are sent in plaintext, that is, unencrypted. To use this authentication protocol, PAP has to be supported by the remote access client.

Allow machine certificate authentication for IKEv2: Specifies whether the server allows unauthenticated connections. Unauthenticated connections do not require a user name or password.
IP Address assignment method
Static address pool: Specify the networks whose address ranges are used for the static address pool.
Primary DNS Server & Backup DNS Server: Specify the DNS servers. If no DNS servers are set, the DNS servers used by the Communication Gateway's Ethernet adapter are used.
Dynamic host configuration protocol (DHCP): If DHCP is enabled, the network adapter can be set. If no adapter is set, RRAS will auto-select the adapter itself.
Protocols
Enable PPTP: If PPTP (Point-to-Point Tunneling Protocol) is enabled, the ports 1723 and 47 (for GRE) are unblocked.
Enable L2TP/IPsec: If L2TP/IPsec is enabled, the port 1701 is unblocked for any IPv4 address.
Enable SSTP: If SSTP is enabled, the port 443 is unblocked for any IPv4 address. The selected certificate will be assigned to the SSTP server. Depending on whether a specific IP address is set, the SSTP listener bindings are set either to all addresses or to the specific IP address.
Enable IKEv2: IKEv2 enables the remote access VPN client to encrypt the tunnel, so that the communication takes place over an authenticated and encrypted connection. If IKEv2 is enabled, the ports 500 (for ISAKMP) and 4500 (for NAT traversal) are unblocked for any IPv4 address.

3 Site 2 Site

In this feature Site 2 Site connections can be created, modified or removed. Changes of the configuration outside the SG Management (e.g. by modifying the settings in the Routing and Remote Access Service) are not supported and may result in unexpected behavior.

L2TP
Create L2TP Connection: By pressing this button, a dialog for creating an L2TP (Layer 2 Tunneling Protocol) connection appears.
Enabled: Specifies whether the connection is enabled or not.
Name

Defines the name of the connection.
Remote Endpoint: Hostname or IP address of the destination the connection is tunneling to. If an IPv4 address is entered, VPN over IPv4 is selected. If an IPv6 address is entered, VPN over IPv6 is selected.
Persistent: Specifies that the connection is always in a connected state. If the connection is marked as persistent, the idle-disconnect-timeout will be ignored.
Timeout Settings: Specifies the timeout settings for establishing L2TP connections.
Retry Interval: Specifies the amount of time in seconds that has to pass before another attempt to create a connection is made.
Number of tries: Specifies the maximum number of tries for creating a connection.
Authentication Method: Specifies the authentication method.
EAP Method: Specifies which type of EAP is used.
Responder Authentication Method: Specifies whether a shared secret (pre-shared key) or a machine certificate is used for authentication.
Local User: Defines the local user the remote router will use when connecting to this interface. A user account will be created with the entered credentials.
Password: Defines the password for the user. The password has to meet system requirements.
Remote User: Defines the credentials this interface will use when connecting to the remote router. The credentials must match valid credentials configured on the remote router.
User Name

Defines the user name of the remote user.
Domain: Defines the domain of the remote user.
Password: Defines the password of the remote user. The password has to meet system requirements.
Remote Network: Specifies the remote networks this interface will communicate with.
IPv4 Network: Specifies the network mask for the IPv4 network.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.
IPv6 Network: Specifies the network mask for the IPv6 network.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.
Edit Selected Connection: By pressing this button, a dialog similar to the dialog for creating a connection will appear. This dialog is prefilled with the data from the selected connection, which can be edited.
Delete Selected Connection: By pressing this button, the selected connection will be deleted.

IKEV2 S2S
Create IKEV2 Connection: By pressing this button, a dialog for creating an IKEV2-Connection will appear.
Enabled: Specifies whether the connection is enabled or not.
Name: Defines the name of the connection.
Remote Endpoint

Hostname or IP address of the destination the connection is tunneling to. If an IPv4 address is entered, VPN over IPv4 is selected. If an IPv6 address is entered, VPN over IPv6 is selected.
Persistent: Specifies that the connection is always in a connected state. If the connection is marked as persistent, the idle-disconnect-timeout will be ignored.
Timeout Settings: Specifies the timeout settings for the IKEV2 connection.
Idle Disconnect: Defines the time the connection has to be idle until a non-persistent connection is closed.
Security Association Life Time: Specifies the amount of time in seconds after which an SA (Security Association) is no longer valid.
Retry Interval: Specifies the amount of time in seconds that has to pass before another attempt to create a connection is made.
Number of tries: Specifies the maximum number of tries for creating a connection.
Authentication Method: Specifies whether EAP (Extensible Authentication Protocol), PSK Only (pre-shared key) or a Machine Certificate is used for authentication.
EAP Method: Specifies which type of EAP is used.
Shared Secret: Defines the shared secret (private key).
Responder Authentication Method: Specifies whether a shared secret (pre-shared key) or a machine certificate is used for authentication by the responder.
Local User

Defines the local user the remote router will use when connecting to this interface. A user account will be created with the entered credentials.
Password: Defines the password for the user. The password has to meet system requirements.
Remote User: Defines the credentials this interface will use when connecting to the remote router. The credentials must match valid credentials configured on the remote router.
User Name: Defines the user name of the remote user.
Domain: Defines the domain of the remote user.
Password: Defines the password of the remote user. The password has to meet system requirements.
Remote Network: Specifies the remote networks this interface will communicate with.
IPv4 Network: Specifies the network mask for the IPv4 network.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.
IPv6 Network: Specifies the network mask for the IPv6 network.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.

Edit Selected Connection: By pressing this button, a dialog similar to the dialog for creating an IKEV2-Connection will appear. The dialog is prefilled with the data of the selected connection, which can be edited.
Delete Selected Connection: If this button is pressed, the selected connection will be deleted.

IPSEC S2S
Create IPsec Connection: By pressing this button, a dialog for creating an IPsec-Connection will appear.
Enabled: Specifies whether the connection is enabled or not.

Name: Defines the name of the connection.
Network
Local Endpoint: Hostname or IP address of the source the connection is tunneling from. If an IPv4 address is entered, VPN over IPv4 is selected. If an IPv6 address is entered, VPN over IPv6 is selected.
Remote Endpoint: Hostname or IP address of the destination the connection is tunneling to. If an IPv4 address is entered, VPN over IPv4 is selected. If an IPv6 address is entered, VPN over IPv6 is selected.
Local Networks: Specifies the local networks a remote interface will communicate with.
IPv4 Network: Specifies the network mask for the IPv4 network in CIDR notation.
IPv6 Network: Specifies the network mask for the IPv6 network in CIDR notation.
Remote Networks: Specifies the remote networks this interface will communicate with.
IPv4 Network: Specifies the network mask for the IPv4 network in CIDR notation.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.
IPv6 Network

Specifies the network mask for the IPv6 network in CIDR notation.
Metric: Specifies the metric for the network. The metric defines the cost that is associated with the connection and can depend on speed, hop count or time delay.
Authentication and Phases
Authentication Method: Specifies whether a pre-shared key or a computer certificate is used for authentication.
Pre Shared Key: Specifies whether a pre-shared key or a computer certificate is used for authentication.
Certificate Mapping: Specifies whether the certificate is mapped to an account.
Exclude CA Name: Specifies whether the name of the CA is sent with the certificate request.
Certificate Type: Specifies the type of the certificate.
Certificate: Specifies the certificate used for authentication.
Phase 1: In phase 1 credentials are exchanged between the two peers in order to establish an IKE SA (Security Association).
Integrity: Specifies the hash algorithm used for verifying that the received information is exactly the same as the information sent.
Encryption: Specifies the algorithm used for encrypting the data.
DH Group

Specifies the Diffie-Hellman group (DH group) for phase 1. The DH group determines the strength of the key used in the key exchange process.
Phase 2: In phase 2 the two peers agree on the configuration for communication. Thereby the IPsec SA is established.
Integrity: Specifies the hash algorithm used for verifying that the received information is exactly the same as the information sent.
Encryption: Specifies the algorithm used for encrypting the data.
Renew Timeout: Specifies the amount of time in minutes after which an existing connection is reestablished. It has to be a number between 5 and
Renew Size: Specifies the amount of data in kilobytes after which an existing connection is reestablished. It has to be a number between and
Advanced
MainMode
KeyLifetimeTimeout: Specifies the time in minutes when a new key is generated. It has to be a number between 1 and
KeyLifetimeSessions: Specifies the number of sessions a key can be used in. After this threshold is reached, a new key is generated. It has to be a number between 0 and
QuickMode
PFS: Specifies whether PFS (perfect forward secrecy) is used and which DH group is used for the key generation.

Edit Selected Connection: By pressing this button, a dialog similar to the dialog for creating an IKEV2-Connection will appear. The dialog is prefilled with the data of the selected connection, which can be edited.
Delete Selected Connection: If this button is pressed, the selected connection will be deleted.

3 Network
1 Interfaces
In this feature existing network interfaces can be edited. If an interface is part of a team, the interfaces of the team are grouped by the team name. The remaining interfaces are placed in a group called Adapter.
Edit Selected Interface: By pressing this button, a dialog for editing the data of the selected interface appears.

Name: Specifies the name of the interface.
Enabled: Specifies whether the interface is enabled or not.
General
IPv4: Defines the settings for IPv4.
Metric: Specifies the metric of the interface using IPv4. The metric defines the cost that is associated with connections using this interface and can depend on speed, hop count or time delay.
Enabled: Specifies whether IPv4 is enabled or not.
IPv6
Metric

Specifies the metric of the interface using IPv6. The metric defines the cost that is associated with connections using this interface and can depend on speed, hop count or time delay.
Enabled: Specifies whether IPv6 is enabled or not.
VLAN: Since only one team interface, the primary team interface, can be in Default mode, all other team interfaces must have a specific VLAN ID. For interfaces which are not part of a NIC team, this information is not available.
Default: Specifies whether the interface is the primary VLAN adapter (VLAN-ID = 0) of a team.
Specific VLAN: Specifies the VLAN ID of a VLAN.
Address
IPv4: Defines the IPv4 address of the localhost for the selected NIC. If DHCP is enabled, the address is assigned dynamically. Otherwise a static address can be set.
DHCP: Defines whether the IPv4 address is assigned via DHCP or not.
Address: Defines the static IPv4 address of the localhost for the selected NIC.
Subnet Mask: Defines the subnet mask of the localhost's IPv4 address for the selected NIC.
IPv6: Defines the IPv6 address of the localhost for the selected NIC. If DHCP is enabled, the address is assigned dynamically. Otherwise a static address can be set.
DHCP: Defines whether the IPv6 address is assigned via DHCP or not.
Address: Defines the static IPv6 address of the localhost for the selected NIC.

Prefix: Defines the prefix of the localhost's IPv6 address for the selected NIC.
Gateway
IPv4: Defines the default gateways for IPv4.
Address: Defines the static IPv4 address of the gateway.
Metric: Specifies the metric of the gateway. The metric defines the cost that is associated with connections using this gateway and can depend on speed, hop count or time delay.
IPv6: Defines the default gateways for IPv6.
Address: Defines the static IPv6 address of the gateway.
Metric: Specifies the metric of the gateway. The metric defines the cost that is associated with connections using this gateway and can depend on speed, hop count or time delay.
DNS
IPv4: Defines the DNS server for IPv4. If the IPv4 address of the localhost for the selected NIC is assigned via DHCP, the IPv4 DNS server can be set.
DHCP: Defines whether the IPv4 address of the DNS server is assigned via DHCP.
Address: Defines the static IPv4 address of the DNS server.
IPv6

Defines the DNS server for IPv6. If the IPv6 address of the localhost for the selected NIC is assigned via DHCP, the IPv6 DNS server can be set.
DHCP: Defines whether the IPv6 address of the DNS server is assigned via DHCP.
Address: Defines the static IPv6 address of the DNS server.
WINS: Specifies the WINS servers of the selected NIC.
IPv4
DHCP: Defines whether the IPv4 addresses of the WINS servers are assigned via DHCP or not.
Address: Specifies the static IPv4 address of a WINS server.

2 Teaming
Teaming, also known as load balancing / failover, places multiple NICs into a team. One or more physical NICs can be teamed into one or more team interfaces. Because an IP address can only be associated with a single MAC address for routing purposes, the first team member becomes the primary member (default VLAN).

Create Team: Opens a dialog for editing the selected NIC team.
Name: Specifies the name of the NIC team.
Teaming Mode: Specifies the basic configuration of the NIC team.
Static Teaming: Using this mode, the switch needs to know about the team. You have to configure the team members on the switch in order to define the team. Because in this mode the teaming is configured statically, there is no possibility to identify incorrectly plugged cables or other errors causing the set configuration to fail.
Switch Independent: Using the switch independent mode, the switch is not involved in the teaming and does not know anything about the team. The teaming configuration will work with any Ethernet switch, because Windows Server 2012 handles all the teaming logic. With this configuration, teams across separate switches can be created.
LACP: LACP stands for Link Aggregation Control Protocol. With LACP multiple ports are tunneled to a logical channel. Using this mode, both the switch and the host need to be aware of the team members. The

68 connected switches use LACPDU packets to detect problems in the line. The physical switch has to be set up for LACP. Load balancing mode Defines how to spread the traffic across the members of the NIC team. Address Hash If address hash is used, an algorithm generates a hash using the address components of the packet. Packets with the same hash value are sent to the same adapter. Depending on the available data, there are different methods on how to generate the hash. The following methods are used: 4-tuple (default): The hash is generated using RRS on the TCP/IP ports. 2-tuple: If the TCP/IP ports are not available (e.g. encrypted traffic using IPsec) then it will go 2-tuple where the IP address is used for the generation of the hash. MAC address hash: If not IP traffic, the MAC addresses are hashed. Transport Port Hashes the port number on the Hyper-V switch the traffic is coming from. Using this mode a VM is mapped to a single NIC. Dynamic The dynamic load balancing mode is a combination of the transport port and address hash. VLANs are registered in switch independent mode, so received traffic can be balanced. But sending is balanced using address hash. Members Specifies the psychical NICs which are members of the NIC team. The team is formed by this physical NICs. Administrative Mode Specifies whether the NIC is used active or the NIC is in standby mode (passive). If an error occurs to an active team member, a standby team member will overtake its tasks and will replace it. Page 68 of 101

Network Adapter
Select a physical adapter which is not used in another team to be part of this team.

VLAN
Specifies the VLANs connected to the team. These VLANs are called Team Interfaces.

Edit Selected Team
By pressing this button a dialog similar to the dialog for creating a NIC team will appear. This dialog is prefilled with the data from the selected element, which can be edited.

Delete Selected Team
By pressing this button the selected NIC team will be removed.

3 Routing Table

The routing table shows all configured IPv4 and IPv6 routes. IP routing is the process of forwarding a packet based on the destination IP address. Routing occurs at TCP/IP hosts and at IP routers. The sending host or router determines where to forward the packet. To determine where to forward a packet, the host or router consults a routing table that is stored in memory. When TCP/IP starts, it creates entries in the routing table.

IPv4 Routes
Shows all IPv4 routes configured.

Create Persistent IPv4 Route
Opens a dialog for editing a new persistent IPv4 route.

Interface
Specifies the network interface of the IP route.

Destination
Specifies the destination of the IP route. A value of /0 for IPv4 indicates that the value of the Next Hop parameter is a default gateway.

Next-Hop
Specifies the next hop value. A value of for IPv4 indicates that the route is on the local subnet.

Metric

Specifies the IP route metric. To choose among multiple routes, the computer adds this value to the interface metric value. The computer selects the route with the lowest combined value.

Edit Selected Persistent IPv4 Route
By pressing this button a dialog similar to the dialog for creating a persistent IPv4 route will appear. This dialog is prefilled with the data from the selected element, which can be edited.

Delete Selected Persistent IPv4 Route
By pressing this button the selected persistent IPv4 route will be removed.

IPv6 Routes
Shows all IPv6 routes configured.

Create Persistent IPv6 Route
Opens a dialog for editing a new persistent IPv6 route.

Interface
Specifies the network interface of the IP route.

Destination

Specifies the destination of the IP route. A value of :: and 0 for IPv6 indicates that the value of the Next Hop parameter is a default gateway.

Next-Hop
Specifies the next hop value. A value of :: for IPv6 indicates that the route is on the local subnet.

Metric
Specifies the IP route metric. To choose among multiple routes, the computer adds this value to the interface metric value. The computer selects the route with the lowest combined value.

Edit Selected Persistent IPv6 Route
By pressing this button a dialog similar to the dialog for creating a persistent IPv6 route will appear. This dialog is prefilled with the data from the selected element, which can be edited.

Delete Selected Persistent IPv6 Route
By pressing this button the selected persistent IPv6 route will be removed.
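The Metric description above states that the route metric is added to the interface metric and the lowest combined value wins. The following added example (not part of the original guide and not SecureGUARD code) models that selection so a persistent route can be reviewed before it is created; it goes one step beyond the text by applying longest-prefix matching first, which is standard IP routing behaviour. All interface names, addresses and metric values are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    interface: str     # Interface field of the route dialog
    destination: str   # Destination prefix, e.g. "10.20.0.0/16"
    next_hop: str      # Next-Hop field
    metric: int        # Metric field (route metric only)


def combined_metric(route, interface_metrics):
    """Route metric plus the metric of the interface the route uses."""
    return route.metric + interface_metrics[route.interface]


def select_route(routes, interface_metrics, destination_ip):
    """Return the route a packet to destination_ip would take, or None.

    Step 1: keep only routes whose prefix contains the address.
    Step 2: keep the most specific prefix (longest-prefix match).
    Step 3: among those, take the lowest combined metric.
    """
    addr = ipaddress.ip_address(destination_ip)
    matching = []
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if net.version == addr.version and addr in net:
            matching.append((net.prefixlen, route))
    if not matching:
        return None
    longest = max(prefixlen for prefixlen, _ in matching)
    finalists = [r for prefixlen, r in matching if prefixlen == longest]
    return min(finalists, key=lambda r: combined_metric(r, interface_metrics))


def never_preferred(routes, interface_metrics):
    """Routes that lose to another route with the identical destination.

    Such a route only carries traffic if the better route disappears,
    which is worth knowing when the two paths are filtered differently.
    """
    losers = []
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        mine = combined_metric(route, interface_metrics)
        for other in routes:
            if other is route:
                continue
            same_dest = ipaddress.ip_network(other.destination) == net
            if same_dest and combined_metric(other, interface_metrics) < mine:
                losers.append(route)
                break
    return losers


# Constructed sample data: interface metrics and persistent routes.
INTERFACE_METRICS = {"WAN1": 25, "WAN2": 50, "LAN": 10, "VPN": 5}
ROUTES = [
    Route("WAN1", "0.0.0.0/0", "203.0.113.1", 10),     # combined 35
    Route("WAN2", "0.0.0.0/0", "198.51.100.1", 5),     # combined 55
    Route("LAN", "10.20.0.0/16", "0.0.0.0", 1),        # on-link, combined 11
    Route("VPN", "10.20.30.0/24", "10.99.0.1", 256),   # combined 261
    Route("WAN1", "::/0", "2001:db8::1", 10),          # IPv6 default route
]

if __name__ == "__main__":
    for dst in ("192.0.2.80", "10.20.30.7", "10.20.99.1", "2001:db8:ffff::5"):
        chosen = select_route(ROUTES, INTERFACE_METRICS, dst)
        print(dst, "->", chosen.interface, chosen.destination)
    for route in never_preferred(ROUTES, INTERFACE_METRICS):
        print("backup only:", route.interface, route.destination)
```

Note that WAN2 has the lower route metric (5) yet loses to WAN1 because of its interface metric, and that the /24 VPN route wins for its subnet despite a combined metric of 261.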

4 Toolbox

1 Network

In this feature networks and network sets can be created, modified and removed. Depending on whether Networks or Network Sets is selected, the sidebar on the right gives multiple options for creating, modifying and removing these objects.

Networks
If Networks is selected the sidebar gives the following options:

Create Network
By pressing this button a dialog for creating a network appears.

Name

Specifies the name for the network.

Description
Specifies the description for the network.

Localhost-Handling
Specifies whether the localhost addresses are included in or excluded from the defined ranges, or not handled at all.

None
Localhost addresses are not handled separately. If they are inside the specified ranges, they stay included. If they are outside the specified ranges, or inside the excluded ranges, they stay excluded.

Include Localhost
Includes the localhost addresses, if they are outside of the defined ranges.

Exclude Localhost
Excludes the localhost addresses, if they are inside the defined ranges.

IPv4 Ranges
The IPv4 ranges listed in this panel are the ranges which define the network. With a click on the plus symbol a dialog appears, where a new IPv4 range can be added.

Excluded IPv4 Ranges
The IPv4 ranges listed in this panel are excluded from the ranges defined in the panel above.

IPv6 Ranges
The IPv6 ranges listed in this panel are the ranges which define the network. With a click on the plus symbol a dialog appears, where a new IPv6 range can be added.

Excluded IPv6 Ranges
The IPv6 ranges listed in this panel are excluded from the ranges defined in the panel above.

Edit Selected Network
By clicking on this button a dialog similar to the dialog for creating networks will appear. This dialog is prefilled with the data from the selected network, which can be edited.

Delete Selected Network
If this button is clicked the selected network will be deleted. If the selected network is used in other features the deletion will be prevented and a warning appears.
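How ranges, excluded ranges and the three Localhost-Handling modes combine decides whether a rule that references a network also covers the gateway's own addresses. The following added example (not part of the original guide and not SecureGUARD code) models that membership test. The addresses and the network are constructed, and it is an assumption of this sketch that Include Localhost also overrides an excluded range.

```python
import ipaddress
from dataclasses import dataclass, field

# The three Localhost-Handling modes of the Create Network dialog.
NONE, INCLUDE, EXCLUDE = "None", "Include Localhost", "Exclude Localhost"


def _in_ranges(addr, ranges):
    """True if addr lies inside any (first, last) range of the same IP version."""
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


@dataclass
class Network:
    name: str
    ranges: list                                   # IPv4 and IPv6 ranges
    excluded_ranges: list = field(default_factory=list)
    localhost_handling: str = NONE

    def contains(self, address, localhost_addresses):
        """Membership test for one address.

        localhost_addresses are the gateway's own NIC addresses.
        """
        addr = ipaddress.ip_address(address)
        local = {ipaddress.ip_address(a) for a in localhost_addresses}
        if addr in local and self.localhost_handling == INCLUDE:
            # Assumption: Include Localhost wins even over an excluded range.
            return True
        if addr in local and self.localhost_handling == EXCLUDE:
            return False
        # Mode None, or an address that is not a localhost address:
        # plain "inside the ranges and not inside the excluded ranges".
        return (_in_ranges(addr, self.ranges)
                and not _in_ranges(addr, self.excluded_ranges))


def localhost_exposure(network, localhost_addresses):
    """Gateway addresses that a rule using this network would also match."""
    return [a for a in localhost_addresses
            if network.contains(a, localhost_addresses)]


# Constructed sample data.
LOCALHOST = ["192.168.1.1", "10.0.0.1", "fd00::1"]


def make_internal(mode):
    return Network(
        name="Internal",
        ranges=[("192.168.1.0", "192.168.1.255"), ("fd00::", "fd00::ffff")],
        excluded_ranges=[("192.168.1.200", "192.168.1.255")],
        localhost_handling=mode,
    )


if __name__ == "__main__":
    for mode in (NONE, INCLUDE, EXCLUDE):
        print(mode, "->", localhost_exposure(make_internal(mode), LOCALHOST))
```

With mode None the gateway addresses 192.168.1.1 and fd00::1 are matched simply because they fall inside the ranges, which is easy to overlook when the network is used as a source or destination in a firewall rule.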

Network Sets
If Network Sets is selected the sidebar gives the following options:

Create Network Set
By clicking on this button a dialog for creating Network Sets will appear. With a click on the plus symbol a dialog appears, where networks can be selected. The selected network is added to the network set. The minus-button is enabled whether a network is selected or not. A click on the minus button removes the selected network from the network set.

Name
Specifies the name of the network set.

Description

Specifies the description of the network set.

Networks
Specifies the networks which the network set consists of.

Edit Selected Network Set
By clicking on this button a dialog similar to the dialog for creating network sets will appear. This dialog is prefilled with the data from the selected network set, which can be edited.

Delete Selected Network Set
If this button is clicked the selected network set will be deleted. If the selected network set is used in other features the deletion will be prevented and a warning appears.

2 Computers

In this feature Computers and Computer Sets can be created, modified and removed. Depending on whether Computers or Computer Sets is selected, the sidebar on the right gives multiple options for creating, modifying and removing these objects.

Computers
A computer object represents a single IP address of a network device. If Computers is selected the sidebar gives the following options:

Create Computer (IPv4)
By clicking this button a dialog for creating a new Computer object (IPv4) will appear.

Name
Specifies the name of the Computer object.

Description
Specifies the description of the Computer.

IPv4 Address
Specifies the IPv4 address of the Computer.

Create Computer (IPv6)
By clicking this button a dialog for creating a new IPv6 Computer object will appear, which looks similar to the dialog for creating an IPv4 computer object.

Name
Specifies the name of the computer.

Description
Specifies the description of the computer.

IPv6 Address
Specifies the IPv6 address of the computer.

Edit Selected Computer
By clicking this button a dialog similar to the dialog for creating Computer objects will appear. This dialog is prefilled with the data from the selected computer, which can be edited.

Delete Selected Computer
If this button is clicked, the selected computer will be deleted. If the selected computer is used in other features the deletion will be prevented and a warning appears.

Computer Sets
A Computer Set is used for logical grouping of one or more Computer objects. If Computer Sets is selected the sidebar gives the following options:

Create Computer Set
By clicking on this button a dialog for creating a new Computer Set will appear. With a click on the plus symbol a dialog appears, where computers can be selected. The selected computer is added to the computer set. The minus-button is enabled whether a computer is selected or not. A click on the minus button removes the selected computer from the computer set.

Name
Specifies the name of the computer set.

Description
Specifies the description of the computer set.

Computers

Specifies the computers the computer set consists of.

Edit Selected Computer Set
By clicking this button a dialog similar to the dialog for creating computer sets will appear. This dialog is prefilled with the data from the selected computer set, which can be edited.

Delete Selected Computer Set
If this button is clicked, the selected computer set will be deleted. If the selected computer set is used in other features the deletion will be prevented and a warning appears.

3 Protocols

In this feature protocols and protocol sets can be created for further use in other features (e.g., Firewall Rules). Depending on whether Protocols or Protocol Sets is selected, the sidebar on the right gives multiple options for creating, modifying and removing these objects.

Protocols
A Protocol can contain one or more Protocol Conditions (TCP, UDP, ICMP and generic Conditions). If Protocols is selected the sidebar gives the following options:

Create Protocol
By clicking on this button a dialog for creating a new Protocol object will appear.

Name
Specifies the name for the protocol.

Description
Specifies the description for the protocol.

Application Filter
An application filter specifies how the firewall handles traffic. Application filters are for modifying and analyzing network traffic and for allowing responses. To define an Application Filter, the protocol which references the Application Filter has to be added to a Firewall Rule's Protocol Condition. Then a new section appears in the rule window, where the Application Filter can be configured.

DNS Application Filter
The DNS Application Filter is used to validate and filter DNS packets by special criteria. At the moment, only UDP packets can be monitored with the DNS Application Filter.

FTP Application Filter

The FTP Application Filter Configuration is used to validate the FTP protocol. Only FTP commands that are listed in the corresponding RFC are allowed. The FTP Application Filter provides support for active and passive FTP. Instead of allowing "any" ports, only the FTP command channel (TCP port 21) has to be allowed. Data connections will be added dynamically to the firewall ruleset.

TCP Conditions
Specifies the port ranges if the protocol is TCP based.

UDP Conditions
Specifies the port ranges if the protocol is UDP based.

ICMP Conditions
Specifies the IP version and ICMP types and codes.

Version
Specifies whether IPv4 or IPv6 is used.

ICMP Type
Allow any ICMP type or specific ICMP types.

ICMP Code
If specific ICMP types are selected, any ICMP Code or specific ICMP codes can be allowed. For detailed explanations of the ICMP types and codes visit

Generic IP Protocol Condition

Conditions
For generic protocols one or more ranges of protocol numbers can be defined.

Edit Selected Protocol
By clicking this button a dialog similar to the dialog for creating protocols will appear. This dialog is prefilled with the data from the selected protocol, which can be edited.

Delete Selected Protocol
When this button is clicked, the selected protocol will be deleted. If the selected protocol is used in other features the deletion will be prevented and a warning appears.

Protocol Sets
A Protocol Set is used for logical grouping of one or more Protocols.

If Protocol Sets is selected the sidebar gives the following options:

Create Protocol Set
By clicking on this button a dialog for creating protocol sets will appear. With a click on the plus symbol a dialog appears, where protocols can be selected. The selected protocol is added to the protocol set. The minus-button is enabled whether a protocol is selected or not. A click on the minus-button removes the selected protocol from the protocol set.

Name
Specifies the name of the protocol set.

Description
Specifies the description of the protocol set.

Protocols

Specifies the protocols the protocol set consists of.

Edit Selected Protocol Set
By clicking this button a dialog similar to the dialog for creating protocol sets will appear. This dialog is prefilled with the data from the selected protocol set, which can be edited.

Delete Selected Protocol Set
If this button is clicked, the selected protocol set will be deleted. If the selected protocol set is used in other features the deletion will be prevented and a warning appears.

4 IPS Actions

In this feature IPS Actions can be defined for usage in the Intrusion Prevention Configuration. By default, there are three predefined IPS Actions (BuiltIn Objects):

Default Alert: Write an alert to a log file.
Default Drop Connection: Write an alert and drop the current connection from the firewall connection table.
Default Block Source: Write an alert, drop the current connection and block the source for 5 minutes.

Please note: The source IP address will be completely blocked. All of its connections are dropped and it cannot make new connections for the given duration.

The three default IPS Actions cannot be modified or deleted, but new custom IPS Actions can be added (Custom Objects).

Create IPS Action
By clicking on this button a dialog appears for creating a custom IPS Action.

Name
Specifies the name of the IPS Action.

Description
Specifies the description of the IPS Action.

Action Type
At the moment, these three types are available:

Write alert log
Writes an alert into the IDS log file (can be viewed in Monitoring).

Write alert log, drop current connection
Writes an alert into the IDS log file (can be viewed in Monitoring). Additionally, the current connection will be dropped from the firewall connection table.

Write alert log, drop current connection and block source
Writes an alert into the IDS log file (can be viewed in Monitoring). Additionally, the current connection will be dropped from the firewall connection table and the source IP will be completely blocked for the given duration.

Duration
Specifies how many minutes the source IP will be completely blocked. Possible values are 1 to minutes.

Show/Edit IPS Action
By clicking this button a dialog similar to the dialog for creating an IPS action will appear. Depending on whether the element is BuiltIn or Custom, you can either just show the IPS Action or also edit it.

Delete IPS Action
If this button is clicked, the selected IPS Action will be deleted. If the selected IPS Action is currently used in an IPS Category, the deletion will be prevented and a warning appears. Deleting is only possible for Custom IPS Actions.

5 Web Listeners

In this feature web listeners for the publishing rules can be defined, modified or removed. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior.

Create Web Listener
By clicking on this button a dialog for creating a listener appears.

Name
Specifies the name of the listener.

Protocol
Specifies whether HTTP or HTTPS is the protocol the listener is bound to.

Certificate
Specifies the certificate used for authentication if HTTPS is the selected protocol.

Redirect HTTP to HTTPS
Enables HTTP to HTTPS redirection.

Binding IP
Specify an IP address for the binding. If Any is chosen, the binding will be set to the address Therefore the binding will accept connections on the specified port via any address, including the localhost addresses. Any should only be selected if the website should accept connections on several IP addresses.

IPv4
Specifies the IPv4 address the listener is bound to.

IPv6
Specifies the IPv6 address the listener is bound to.

Binding Port
The default port for HTTP is 80, the default port for HTTPS is 443.

Binding Hostname
Specifies whether the listener is bound to a specific hostname or to any hostname.

Hostname
Specifies a specific hostname the listener is bound to.

Edit Selected Web Listener
By clicking this button a dialog similar to the dialog for creating a listener will appear. This dialog is prefilled with the data from the selected listener, which can be edited.

Delete Selected Web Listener
If this button is clicked, the selected listener will be deleted. If the selected listener is used in other features the deletion will be prevented and a warning appears.

6 URL Permission Sets

In this feature URL permission sets for the web access rules can be created, modified and removed. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior.

A permission set consists of rules to match a requested web resource. If a rule matches, the permission set yields the result whether the resource may be accessed or is blocked.

Create URL Permission Set
By pressing this button, a dialog for creating a new permission set appears.

Name
Specifies the name of the permission set.

Description
Specifies a description for the permission set.

Treat executable file as virus
Specifies whether an executable file is treated as malware by default.

Treat encrypted file as virus
Specifies whether an encrypted file is treated as malware by default.

Permission Entries
Specifies the permission entries (called PE below) of the URL permission set. The PEs apply in the specified order. The first matching PE applies. If no block PE is defined in a permission set, every URL is allowed (default behavior is allow all). If you want to define a whitelist, be sure to add a block all PE after the allow URL or allow URL category PEs. If a specific URL in a blocked URL category should be allowed, the allow PE for the URL has to be above the block PE for the URL category.

Action
Specifies whether the rule blocks or allows.

Filter Type
Specifies whether a specific URL, a URL category or all traffic is handled by the rule.

URL Category
Specifies the URL category the rule is applied to.

URL
Defines a specific URL the rule is applied to.

Edit Selected URL Permission Set
By pressing this button a dialog similar to the dialog for creating a permission set will appear. The dialog is prefilled with the data from the selected permission set, which can be edited.

Delete Selected URL Permission Set
By pressing this button the selected permission set will be deleted.

Edit Global Proxy Settings
See chapter Edit Global Proxy Settings

7 Scan Rules

This feature is for creating scan rules for the anti-virus scanner. Changes of the configuration outside the SG Management are not supported and may result in unexpected behavior.
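The ordering rules for permission entries in section 6 (URL Permission Sets) above are easy to get wrong: first match wins, and a set without a block entry allows everything. The following added example (not part of the original guide and not SecureGUARD code) evaluates a permission set that way and audits it for entries that have no effect. The URL prefix matching, the category names and all URLs are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK = "allow", "block"          # Action field
URL, CATEGORY, ALL = "url", "category", "all"   # Filter Type field


@dataclass(frozen=True)
class PermissionEntry:
    action: str
    filter_type: str
    value: Optional[str] = None   # URL or URL category; unused for ALL


def entry_matches(entry, url, category):
    """Assumed matching: exact category name, or URL prefix on a path boundary."""
    if entry.filter_type == ALL:
        return True
    if entry.filter_type == CATEGORY:
        return entry.value == category
    prefix = entry.value.rstrip("/")
    return url == prefix or url.startswith(prefix + "/")


def evaluate(entries, url, category):
    """Return (action, position of the deciding entry or None).

    Entries apply in order and the first match decides. If nothing
    matches, the documented default is allow.
    """
    for position, entry in enumerate(entries):
        if entry_matches(entry, url, category):
            return entry.action, position
    return ALLOW, None


def audit(entries):
    """List entries that cannot change the outcome of the set."""
    findings = []
    for position, entry in enumerate(entries):
        later = entries[position + 1:]
        if entry.filter_type == ALL and later:
            findings.append(
                f"entry {position} matches all traffic; "
                f"{len(later)} entries below it are never reached")
            break
        if entry.action == ALLOW and not any(e.action == BLOCK for e in later):
            findings.append(
                f"entry {position} allows, but no block entry follows; "
                "with default allow it has no effect")
    return findings


# Constructed sample permission sets.
BROKEN_WHITELIST = [
    PermissionEntry(ALLOW, URL, "intranet.example"),
    PermissionEntry(ALLOW, CATEGORY, "Business"),
]                                          # intended whitelist, block all missing
WHITELIST = BROKEN_WHITELIST + [PermissionEntry(BLOCK, ALL)]
SHADOWED_EXCEPTION = [
    PermissionEntry(BLOCK, CATEGORY, "Social Media"),
    PermissionEntry(ALLOW, URL, "social.example/press"),   # never reached
]
WORKING_EXCEPTION = list(reversed(SHADOWED_EXCEPTION))

if __name__ == "__main__":
    print(evaluate(BROKEN_WHITELIST, "unknown.example/file", "Uncategorized"))
    print(evaluate(WHITELIST, "unknown.example/file", "Uncategorized"))
    print(evaluate(SHADOWED_EXCEPTION, "social.example/press/2016", "Social Media"))
    print(evaluate(WORKING_EXCEPTION, "social.example/press/2016", "Social Media"))
    for name, pset in (("broken whitelist", BROKEN_WHITELIST),
                       ("shadowed exception", SHADOWED_EXCEPTION)):
        for finding in audit(pset):
            print(name + ":", finding)
```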

Create Scan Rule
If this button is pressed a dialog for creating scan rules appears.

Name
Specifies the name of the scan rule.

Description
Specifies the description for the scan rule.

Malware Detection
Settings for classification and detection of malware. For e-mails, both content and attachments are scanned.

Activate Malware Scanner
Enable / disable the malware detection.

Action
Determines what to do if malware is detected. If Delete attachment is selected, only the malicious attachment will be deleted. Otherwise the whole e-mail (including the attachment) will be dropped.

Save to quarantine
If this option is enabled, malicious files are stored in the server's quarantine directory.

Treat executable files as malware
If this option is set, executable files are treated as malware.

Treat deeply recursive archives as malware
Archives that are scanned for malware may contain other archives which, in turn, may also contain archives, etc. The maximum recursion depth allowed in this case is 8. If this number is exceeded, and the option is set, the archive is classified as malware.

Treat encrypted archive as malware
If this option is enabled, encrypted archives are considered malicious.

Send warning to sender
If this option is enabled, the sender of an infected message is notified about the incident by e-mail.

Message Text
Message that can be sent as reply to the sender of an infected e-mail.

Insert warning to e-mail
Inserts a warning text into the message if malware has been detected.

Message Text
Message that can be inserted at the bottom of an e-mail, if malicious content has been detected.

Attachment Scanning
Settings for filtering attachments based on the attachment's filename.

Activate Attachment Scanning

Enable / disable attachment scanning.

Insert warning, when attachment was blocked
Insert a warning text into the e-mail if the attachment is blocked.

Warning text to insert
Text to be inserted into the e-mail if the attachment is blocked.

Save to quarantine
If enabled, malicious attachments are stored in the quarantine. Otherwise, they are deleted.

Priority
Set priority for either whitelist or blacklist.

Whitelist
List of file masks that are ignored by the attachment scanning.

Blacklist
List of file masks that are blocked.

Spam Filter
Settings for the SPAM filter. The SPAM filter assigns a score to e-mails depending on the subject, content, etc. By defining the level for SPAM and Possible SPAM, different actions can be performed depending on the score.

Activate SPAM prevention
Enable / disable SPAM filter.

Always create x-spam header
If set, an x-spam header is added to the message if SPAM is detected.

Level for possible SPAM
An incoming message receives a score for specific features of SPAM (e.g., if the message includes the string V1@gr@). The higher the score of an e-mail, the more probable it is SPAM. The value defines when a message is possible SPAM. A low threshold increases the possibility of false positives (i.e. a legitimate message falsely identified as SPAM).

Level for SPAM

An incoming message receives a score for specific features of SPAM (e.g., if the message includes the string V1@gr@). The higher the score of an e-mail, the more probable it is SPAM. The value defines when a message is SPAM. A low threshold increases the possibility of false positives (i.e. a legitimate message falsely identified as SPAM).

SPAM Rule Set
Select custom rules for SPAM detection. Based upon the value of several message fields, an e-mail can be considered SPAM or possible SPAM. These rules can be created in the feature SPAM Rule Sets.

Possible SPAM handling
Determines the actions for possible SPAM.

Add warning to subject
The given text is added to the subject line of the message.

Action
Specifies the action if an e-mail is classified as possible SPAM.

Block
Blocks the e-mail (i.e. it will not be delivered).

Redirect
Redirects the e-mail to a specified address. This feature is supported for SMTP only.

Only mark
The e-mail will be marked accordingly.

SPAM handling
Determines the actions for SPAM.

Add warning to subject
The given text is added to the subject line of the message.

Action
Specifies the action if an e-mail is classified as SPAM.

Only mark
The e-mail will be marked accordingly.

Block

Blocks the e-mail (i.e. it will not be delivered).

Redirect
Redirects the e-mail to a specified address. This feature is supported for SMTP only.

Edit Selected Scan Rule
By pressing this button a dialog similar to the dialog for creating scan rules will appear. This dialog is prefilled with the data of the selected rule, which can be edited.

Delete Selected Scan Rule
By pressing this button the selected rule will be removed.

Edit Global Proxy Settings
See chapter Edit Global Proxy Settings

8 Spam Rule Sets

In this feature custom rules for defining and handling spam can be created. These rules allow overriding filter actions and creating custom behavior. Changes of the configuration outside the SG Management (e.g. by modifying SPAM rule sets in the IKARUS gateway.security web interface) are not supported and may result in unexpected behavior.

Create Spam Rule Set
By pressing this button a dialog for creating Spam Rule Sets appears.

Name
Specifies the name for the rule set.

Description
Defines a description for the rule set.

Spam Rule
Specifies the Spam rules of the SPAM rule set. The rules are applied in the specified order. The first matching rule is applied.

Criterion
Defines the criterion for which the rule applies.

Criterion / Field      Description
From                   From header item includes value
From is empty          Empty From header item
Invalid From           Invalid From header
From missing           From header is missing
To contains            To header item includes value
Invalid To             Invalid To header
Missing To header      Empty To header item
To equals From         To and From header are the same
Subject contains       Subject header contains value
Subject is empty       Subject header is empty
Mail text              The body contains the value
Envelop: from          SMTP-envelope sender is valid
Envelop: to            SMTP-envelope sender is value
Message HTML only      The body contains HTML only

Value
Defines the value used for comparison for the selected criterion.

Result
Defines how to handle the e-mail, if the rule applies.

Edit Selected Spam Rule Set
By pressing this button a dialog similar to the dialog for creating a spam rule set will appear. This dialog is prefilled with the data of the selected rule set, which can be edited.

Delete Selected Spam Rule Set
By pressing this button the selected rule set will be removed.

Edit Global Proxy Settings
See chapter Edit Global Proxy Settings

5 Monitoring

1 Firewall Log

This feature is for visualizing the firewall, IDS and IPS logs. These logs are separated into different tabs for better visualization. In this chapter only the firewall log is explained (tab Firewall), but the other tabs (IDS, IPS) work exactly the same.

In the main area all log entries can be seen. By selecting an entry, details of this entry will be shown in the lower panel. In the upper right corner of the main area two actions can be triggered. The text "Filter has been applied!" is only shown if a filter condition has been entered in the filter settings and is therefore active. If no filter condition has been entered, this text won't be shown.

The reload button fetches the log entries again from the system, so all new logs will be shown. The capture tail button activates live logging. When live logging is enabled, the scrollbar scrolls to the bottom of the panel and new log entries are appended at the end in real time. Scrolling upwards disables live logging, as does pressing the button again.

Edit Log Filter Settings
By pressing this button a dialog will appear.

Filter Conditions


DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Chapter 8. User Authentication

Chapter 8. User Authentication Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. Overview, page 220 Authentication Setup, page 221 8.1. Overview In situations where individual users

More information

How to Configure a Remote Management Tunnel for an F-Series Firewall

How to Configure a Remote Management Tunnel for an F-Series Firewall How to Configure a Remote Management Tunnel for an F-Series Firewall If the managed NextGen Firewall F-Series cannot directly reach the NextGen Control Center, it must connect via a remote management tunnel.

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2004 Kerio Technologies. All Rights Reserved. Printing Date: April 25, 2004 This guide provides detailed description on configuration of the local network

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.6 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Configuring Authentication Proxy

Configuring Authentication Proxy The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols.

More information

Cisco IOS Firewall Authentication Proxy

Cisco IOS Firewall Authentication Proxy Cisco IOS Firewall Authentication Proxy This feature module describes the Cisco IOS Firewall Authentication Proxy feature. It includes information on the benefits of the feature, supported platforms, configuration

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision B McAfee Next Generation Firewall 5.7.4 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any help,

More information

Configuring OpenVPN on pfsense

Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Posted by Glenn on Dec 29, 2013 in Networking 0 comments In this article I will go through the configuration of OpenVPN on the pfsense platform.

More information

Comodo Dome Antispam Software Version 6.0

Comodo Dome Antispam Software Version 6.0 St rat Comodo Dome Antispam Software Version 6.0 Admin Guide Guide Version 6.6.051117 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Dome Anti-spam...

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information

UIP1869V User Interface Guide

UIP1869V User Interface Guide UIP1869V User Interface Guide (Firmware version 0.1.8 and later) Table of Contents Opening the UIP1869V's Configuration Utility... 3 Connecting to Your Broadband Modem... 5 Setting up with DHCP... 5 Updating

More information

INBOUND AND OUTBOUND NAT

INBOUND AND OUTBOUND NAT INBOUND AND OUTBOUND NAT Network Address Translation Course # 2011 1 Overview! Network Address Translation (NAT)! Aliases! Static Address Mappings! Inbound Tunnels! Advanced Tunnel Option SYN Cookies Authentication

More information

Mail Assure Quick Start Guide

Mail Assure Quick Start Guide Mail Assure Quick Start Guide Version: 11/15/2017 Last Updated: Wednesday, November 15, 2017 CONTENTS Getting Started with Mail Assure 1 Firewall Settings 2 Accessing Mail Assure 3 Incoming Filtering 4

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-4218 Software version: Feature 3221 Document version: 6PW100-20130326 Legal and notice information Copyright 2013 Hewlett-Packard

More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Wireless-G Router User s Guide

Wireless-G Router User s Guide Wireless-G Router User s Guide 1 Table of Contents Chapter 1: Introduction Installing Your Router System Requirements Installation Instructions Chapter 2: Preparing Your Network Preparing Your Network

More information

Stonesoft Management Center. Release Notes for Version 5.6.1

Stonesoft Management Center. Release Notes for Version 5.6.1 Stonesoft Management Center Release Notes for Version 5.6.1 Updated: January 9, 2014 Table of Contents What s New... 3 Fixes... 3 System Requirements... 6 Basic Management System Hardware Requirements...

More information

Managing External Identity Sources

Managing External Identity Sources CHAPTER 5 The Cisco Identity Services Engine (Cisco ISE) integrates with external identity sources to validate credentials in user authentication functions, and to retrieve group information and other

More information

GSS Administration and Troubleshooting

GSS Administration and Troubleshooting CHAPTER 9 GSS Administration and Troubleshooting This chapter covers the procedures necessary to properly manage and maintain your GSSM and GSS devices, including login security, software upgrades, GSSM

More information

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT Table of Contents TABLE OF CONTENTS 1 BACKGROUND 2 WINDOWS SERVER CONFIGURATION STEPS 2 CONFIGURING USER AUTHENTICATION 3 ACTIVE DIRECTORY

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

IPMI Configuration Guide

IPMI Configuration Guide IPMI Configuration Guide 1. Introduction of IPMI Server Manager... 2 2. IPMI Server Manager GUI Overview... 3 1 1. Introduction of IPMI Server Manager IPMI Server Manager allows remote access of computers

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 7, 2013 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

BIG-IQ Centralized Management: ADC. Version 5.0

BIG-IQ Centralized Management: ADC. Version 5.0 BIG-IQ Centralized Management: ADC Version 5.0 Table of Contents Table of Contents BIG-IQ Application Delivery Controller: Overview...5 What is Application Delivery Controller?...5 Managing Device Resources...7

More information

RADIUS Servers for AAA

RADIUS Servers for AAA This chapter describes how to configure RADIUS servers for AAA. About, page 1 Guidelines for, page 14 Configure, page 14 Test RADIUS Server Authentication and Authorization, page 19 Monitoring, page 19

More information

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1 WatchGuard System Manager Fireware Configuration Guide WatchGuard Fireware Pro v8.1 Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples

More information

Sophos Appliance Configuration Guide. Product Version 4.3 Sophos Limited 2017

Sophos  Appliance Configuration Guide. Product Version 4.3 Sophos Limited 2017 Sophos Email Appliance Configuration Guide Product Version 4.3 Sophos Limited 2017 ii Contents Sophos Email Appliance Contents 1 Copyrights and Trademarks...4 2 Setup and Configuration Guide...5 3 Product

More information

McAfee Endpoint Security Firewall Product Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security Firewall Product Guide. (McAfee epolicy Orchestrator) McAfee Endpoint Security 10.6.0 - Firewall Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents Table of Contents Table of Contents... 1-1 1.1 AAA/RADIUS/HWTACACS Over... 1-1 1.1.1 Introduction to AAA... 1-1 1.1.2 Introduction to RADIUS... 1-3 1.1.3 Introduction to HWTACACS... 1-9 1.1.4 Protocols

More information

User Manual. SSV Remote Access Gateway. Web ConfigTool

User Manual. SSV Remote Access Gateway. Web ConfigTool SSV Remote Access Gateway Web ConfigTool User Manual SSV Software Systems GmbH Dünenweg 5 D-30419 Hannover Phone: +49 (0)511/40 000-0 Fax: +49 (0)511/40 000-40 E-mail: sales@ssv-embedded.de Document Revision:

More information

BIG-IP Local Traffic Management: Basics. Version 12.1

BIG-IP Local Traffic Management: Basics. Version 12.1 BIG-IP Local Traffic Management: Basics Version 12.1 Table of Contents Table of Contents Introduction to Local Traffic Management...7 About local traffic management...7 About the network map...7 Viewing

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

BIG-IP DNS: Monitors Reference. Version 12.1

BIG-IP DNS: Monitors Reference. Version 12.1 BIG-IP DNS: Monitors Reference Version 12.1 Table of Contents Table of Contents Monitors Concepts...5 Purpose of monitors...5 Benefits of monitors...5 Methods of monitoring...5 Comparison of monitoring

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 18, 2012 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

Comodo Dome Antispam Software Version 6.0

Comodo Dome Antispam Software Version 6.0 St rat Comodo Dome Antispam Software Version 6.0 Admin Guide Guide Version 6.7.073118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Dome Anti-spam...5

More information

VG422R. User s Manual. Rev , 5

VG422R. User s Manual. Rev , 5 VG422R User s Manual Rev 1.0 2003, 5 CONGRATULATIONS ON YOUR PURCHASE OF VG422R... 1 THIS PACKAGE CONTAINS... 1 CONFIRM THAT YOU MEET INSTALLATION REQUIREMENTS... 1 1. INSTALLATION GUIDE... 2 1.1. HARDWARE

More information

General Firewall Configuration

General Firewall Configuration To adjust resources used by your firewall service you can change the sizing parameters in the General Firewall Configuration (CONFIGURATION > Configuration Tree > Box > Infrastructure Services) of the

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.8 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting. This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System

More information

Grandstream Networks, Inc. UCM6100 Security Manual

Grandstream Networks, Inc. UCM6100 Security Manual Grandstream Networks, Inc. UCM6100 Security Manual Index Table of Contents OVERVIEW... 3 WEB UI ACCESS... 4 UCM6100 HTTP SERVER ACCESS... 4 PROTOCOL TYPE... 4 USER LOGIN... 4 LOGIN TIMEOUT... 5 TWO-LEVEL

More information

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application Table of Contents L2TP Configuration 1 L2TP Overview 1 Introduction 1 Typical L2TP Networking Application 1 Basic Concepts of L2TP 2 L2TP Tunneling Modes and Tunnel Establishment Process 4 L2TP Features

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.9 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Mail Assure. Quick Start Guide

Mail Assure. Quick Start Guide Mail Assure Quick Start Guide Last Updated: Wednesday, November 14, 2018 ----------- 2018 CONTENTS Firewall Settings 2 Accessing Mail Assure 3 Application Overview 4 Navigating Mail Assure 4 Setting up

More information

Broadband Router. User s Manual

Broadband Router. User s Manual Broadband Router User s Manual 1 Introduction... 4 Features... 4 Minimum Requirements... 4 Package Content... 4 Note... 4 Get to know the Broadband Router... 5 Back Panel... 5 Front Panel... 6 Setup Diagram...7

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

Synology MailPlus Server Administrator's Guide. Based on MailPlus Server 1.4.0

Synology MailPlus Server Administrator's Guide. Based on MailPlus Server 1.4.0 Synology MailPlus Server Administrator's Guide Based on MailPlus Server 1.4.0 Table of Contents Chapter 1: Introduction Chapter 2: Getting Started with MailPlus Server Connect Synology NAS to the Internet

More information

Endian Hotspot main features

Endian Hotspot main features Endian Hotspot main features Service Customization Freely configurable home page after successful login Completely customizable welcome page and printed user information through a user friendly visual

More information

RX3041. User's Manual

RX3041. User's Manual RX3041 User's Manual Table of Contents 1 Introduction... 2 1.1 Features and Benefits... 3 1.2 Package Contents... 3 1.3 Finding Your Way Around... 4 1.4 System Requirements... 6 1.5 Installation Instruction...

More information

ip dhcp-client network-discovery through ip nat sip-sbc

ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery, page 3 ip dhcp-client update dns, page 5 ip dhcp drop-inform, page 8 ip dhcp-relay information option server-override,

More information

Transport Gateway Installation / Registration / Configuration

Transport Gateway Installation / Registration / Configuration CHAPTER 2 Transport Gateway Installation / Registration / Configuration This chapter covers the following areas: Transport Gateway requirements. Security Considerations When Using a Transport Gateway.

More information

AccessMail Users Manual for NJMLS members Rev 6

AccessMail Users Manual for NJMLS members Rev 6 AccessMail User Manual - Page 1 AccessMail Users Manual for NJMLS members Rev 6 Users Guide AccessMail User Manual - Page 2 Table of Contents The Main Menu...4 Get Messages...5 New Message...9 Search...11

More information

ESET Mobile Security for Windows Mobile. Installation Manual and User Guide - Public Beta

ESET Mobile Security for Windows Mobile. Installation Manual and User Guide - Public Beta ESET Mobile Security for Windows Mobile Installation Manual and User Guide - Public Beta Contents...3 1. Installation of ESET Mobile Security 1.1 Minimum...3 system requirements 1.2 Installation...3 1.2.1

More information

Protecting the Platforms. When it comes to the cost of keeping computers in good working order, Chapter10

Protecting the Platforms. When it comes to the cost of keeping computers in good working order, Chapter10 Chapter10 Protecting the Platforms Painting: The art of protecting flat surfaces from the weather and exposing them to the critic. Ambrose Bierce (1842 1914) When it comes to the cost of keeping computers

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision B McAfee Next Generation Firewall 5.7.3 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

LKR Port Broadband Router. User's Manual. Revision C

LKR Port Broadband Router. User's Manual. Revision C LKR-604 4-Port Broadband Router User's Manual Revision C 1 Contents 1 Introduction... 4 1.1 Features... 4 1.2 Package Contents... 4 1.3 Finding Your Way Around... 5 1.3.1 Front Panel... 5 1.3.2 Rear Panel

More information

How to Set Up VPN Certificates

How to Set Up VPN Certificates For the VPN service, you can use either self-signed certificates or certificates that are generated by an external CA. In this article: Before You Begin Before you set up VPN certificates, verify that

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

This release of the product includes these new features that have been added since NGFW 5.5.

This release of the product includes these new features that have been added since NGFW 5.5. Release Notes Revision A McAfee Next Generation Firewall 5.7.10 Contents About this release New features Enhancements Known limitations Resolved issues System requirements Installation instructions Upgrade

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Changing the Administrator Password in Web

More information

CYAN SECURE WEB Installing on Windows

CYAN SECURE WEB Installing on Windows CYAN SECURE WEB September 2009 Applies to: 1.7 and above Table of Contents 1 Introduction... 2 2 Preparation... 2 3 Network Integration... 3 3.1 Out-of-line Deployment... 3 3.2 DMZ Deployment... 3 4 Proxy

More information

Cisco Next Generation Firewall Services

Cisco Next Generation Firewall Services Toronto,. CA May 30 th, 2013 Cisco Next Generation Firewall Services Eric Kostlan Cisco Technical Marketing 2011 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Objectives At the

More information

Installation & Configuration Guide Version 3.1

Installation & Configuration Guide Version 3.1 ARPMiner Installation & Configuration Guide Version 3.1 Document Revision 2.2 https://www.kaplansoft.com/ ARPMiner is built by Yasin KAPLAN Read Readme.txt for last minute changes and updates which can

More information

Administrative Tasks CHAPTER

Administrative Tasks CHAPTER 15 CHAPTER This chapter describes administrative tasks to perform with WCS. These tasks include the following: Running Background Tasks, page 15-2 (such as database cleanup, location server synchronization,

More information

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide Web configuration reference guide 6623-3201 MRD-310 MRD-330 Westermo Teleindustri AB 2008 3G Cellular Modem / Router Web configuration reference guide www.westermo.com Table of Contents 1 Basic Configuration...

More information

Viewing Router Information

Viewing Router Information CHAPTER39 The Cisco Router and Security Device Manager (Cisco SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN

More information

Configuring Transparent Redirection for Standalone Content Engines

Configuring Transparent Redirection for Standalone Content Engines CHAPTER 6 Configuring Transparent Redirection for Standalone Content Engines This chapter discusses the following methods for transparently redirecting content requests to standalone Content Engines: Web

More information

Implementation Guide - VPN Network with Static Routing

Implementation Guide - VPN Network with Static Routing Implementation Guide - VPN Network with Static Routing This guide contains advanced topics and concepts. Follow the links in each section for step-by-step instructions on how to configure the following

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

UR version firmware update

UR version firmware update UR version 5.2.1 firmware update Available Model UR-940,UR-940H,UR-960,UR-960H,UR-960C,UR-980,UR-980C Available firmware version 5.2.0.4 Attention 1 The system will be rebooted in 3-5 minutes after upgraded

More information

Configuring Health Monitoring

Configuring Health Monitoring CHAPTER1 This chapter describes how to configure health monitoring on the ACE to track the state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE verifies the

More information

Three interface Router without NAT Cisco IOS Firewall Configuration

Three interface Router without NAT Cisco IOS Firewall Configuration Three interface Router without NAT Cisco IOS Firewall Configuration Document ID: 13893 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Configurations

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Secure Web Appliance. Basic Usage Guide

Secure Web Appliance. Basic Usage Guide Secure Web Appliance Basic Usage Guide Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About this Manual... 1 1.2.1. Document Conventions... 1 2. Description of the

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information