Copyright (C) 2006 PLANET Technology Corp. All rights reserved.
The products and programs described in this User’s Manual are licensed products of PLANET
Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s
Manual and all accompanying hardware, software, and documentation are copyrighted.
No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any
electronic medium or machine-readable form by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the
purchaser's personal use, and without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and
applications, and makes no warranty and representation, either implied or expressed, with respect to the
quality, performance, merchantability, or fitness for a particular purpose.
PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability
for any inaccuracies or omissions that may have occurred.
Information in this User’s Manual is subject to change without notice and does not represent a
commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may
be contained in this User’s Manual. PLANET makes no commitment to update or keep current the
information in this User’s Manual, and reserves the right to make improvements to this User’s Manual
and/or to the products described in this User’s Manual, at any time without notice.
If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate
your comments and suggestions.
CE mark Warning
This is a class A device. In a domestic environment, this product may cause radio interference, in which
case the user may be required to take adequate measures.
Trademarks
The PLANET logo is a trademark of PLANET Technology.
This documentation may refer to numerous hardware and software products by their trade names. In most,
if not all cases, these designations are claimed as trademarks or registered trademarks by their respective
companies.
To avoid the potential effects on the environment and human health as a result of the presence
of hazardous substances in electrical and electronic equipment, end users of electrical and
electronic equipment should understand the meaning of the crossed-out wheeled bin symbol.
Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected
separately.
Customer Service
For information on customer service and support for the VPN Security Gateway, please refer to the
following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ VPN Security Gateway serial number and MAC address
♦ Any error messages that displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
The innovation of the Internet has created a tremendous worldwide venue for E-business and
information sharing, but it also creates network security problems. Security is therefore a
primary concern for the enterprise. Planet’s new VPN Security Gateway, the SG-1000, is a
specially designed VPN security gateway that provides SSL, IPSec, and PPTP VPN. The SSL VPN
function supports up to 50 SSL VPN connection tunnels. The IPSec VPN feature provides IPSec VPN
Trunk and IKE, SHA-1, and MD5 authentication. The PPTP VPN function supports PPTP server and client.
The SG-1000 provides a Content Blocking feature to block specific URLs, scripts, IM, P2P,
and file downloads. It also has a built-in Anomaly Flow IP function, which supports
Hacker and Blaster Alert. An administrator can use this function to watch and track an
attacker.
The product has two built-in WAN ports and supports WAN Load Balance and Fail-Over.
The QoS function provides Guaranteed Bandwidth and Priority Bandwidth Utilization.
and PPTP server/client. The SSL VPN function supports up to 50 SSL VPN
connection tunnels. The IPSec VPN has DES, 3DES, and AES encryption and
SHA-1 / MD5 authentication. The network traffic over public Internet is secured.
♦ VPN Trunk: The VPN trunk function provides VPN load balance and VPN fail-over
to keep the VPN connection more reliable.
♦ Content Filtering: The security gateway can block network connections based on
URLs, Scripts (Pop-up, Java Applet, cookies and ActiveX), P2P (eDonkey,
BitTorrent and WinMX), Instant Messaging (MSN, Yahoo Messenger, ICQ,
QQ and Skype) and Download. If a newer version of P2P or IM software appears
on the client side, the SG-1000 will detect the difference and update the
Content Filtering pattern to renew the filtering mechanism.
♦ Policy-based Firewall: The built-in policy-based firewall prevents many known
hacker attacks, including SYN attack, ICMP flood, UDP flood, Ping of Death, etc.
The access control function allows only specified WAN or LAN users to use
only allowed network services at specified times.
♦ QoS: Network packets can be classified based on IP address, IP subnet and
TCP/UDP port number and given guaranteed and maximum bandwidth with three
levels of priority.
♦ Authentication: Web-based authentication allows users to be authenticated by
web browser. The user database can be configured on the device or through an external
RADIUS server.
♦ WAN Backup: The SG-1000 can monitor each WAN link status and
automatically activate backup links when a failure is detected. The detection is
based on the configurable target Internet addresses.
♦ Outbound Load Balancing: Network sessions are assigned based on the
user-configurable load balancing mode, including “Auto”, “Round-Robin”, “By
Traffic”, “By Session” and “By Packet”. Users can also configure which IP or
TCP/UDP type of traffic uses which WAN port to connect.
♦ Multiple NAT: Multiple NAT allows the local port to be set with multiple subnets and
to connect to the Internet through different WAN IP addresses.
1.1 Package Contents
SG-1000 x 1
Power Cord x 1
Quick Installation Guide x 1
User’s Manual CD x 1
Console cable x 1
RJ-45 cable
Rack-mount ear
1.2 Front View
- LED definition
LED                     Description
PWR                     Power is supplied to this device.
STATUS                  Blinks to indicate this device is being turned on and booting. After one
                        minute, this LED indicator will stop blinking, which means this device is
                        now ready to use.
WAN1, WAN2, LAN, DMZ    Green: Steady on indicates the port is connected to another network device.
                        Blinking indicates there is traffic on the port.
                        Orange: Steady on indicates the port is connected at 100Mbps speed.
1.3 Rear View
1.4 Specification
Product: VPN Security Gateway
Model: SG-1000
Recommend concurrent user: 30 ~ 50
Hardware
  Ethernet
    LAN: 1 x 10/100 Based-TX RJ-45
    WAN: 2 x 10/100 Based-TX RJ-45
    DMZ: 1 x 10/100 Based-TX RJ-45
Software
  Management: Web
  Network Connection: Transparent mode, NAT, Multi-NAT
  Routing Mode: Static Route, RIPv2
  Concurrent Sessions: 110,000
  New session / second: 10,000
  WAN to LAN Throughput: 100Mbps
  VPN Throughput: 18Mbps
  VPN 3DES Throughput: 17Mbps
  VPN Function:
    SSL, IPSec, PPTP server and client
    DES, 3DES, and AES encrypting
    SHA-1 / MD5 authentication algorithm
    Remote access VPN (Client-to-Site) and Site to Site VPN
    VPN Trunk
  SSL VPN:
    Internal Subnet of Server: 10
    Connection Tunnels: 50
  IPSec VPN Trunk: 50
  VPN Connection Tunnels / Allow to Configure:
    IPSec: 100 / 200
    PPTP Server: 32 / 32
    PPTP Client: 16 / 16
  Content Filtering:
    URL Blocking
    Blocks Popup, Java Applet, cookies and Active X
    P2P Application Blocking
    Instant Message Blocking
    Download Blocking
  Firewall:
    Policy-based Firewall rule with schedule
    NAT/ NAPT, SPI Firewall
  QoS:
    Policy-based bandwidth management
    Guarantee and maximum bandwidth with 3 priority levels
    Classify traffics based on IP, IP subnet, TCP/UDP port
  User authentication:
    Built-in user database with up to 200 entries
    Support local database, RADIUS and POP3 authentication
  Logs:
    Log and alarm for event and traffic
    Log can be saved from web, sent by e-mail or sent to syslog server
  Accounting Report:
    Record inbound and outbound traffic’s utilization by Source IP, Destination IP and Service
  Statistics:
    Traffic statistic for WAN interface and policies
    Graphic display
  Others: Dynamic DNS, NTP, DHCP server, Virtual server,
Chapter 2
Administration
“System” covers the management of settings such as the privileges of packets that pass through
the SG-1000 and monitoring controls. The System Administrator can manage, monitor,
and configure SG-1000 settings. All configurations are “read-only” for users
other than the System Administrator; those users are not able to change any setting of
the SG-1000.
Define the required fields of Administrator
Administrator Name:
The usernames of the Administrator and Sub Administrators for the SG-1000. The
admin user name cannot be removed; a sub-admin user can be removed or
configured.
The default Account: admin; Password: admin
Privilege:
The privileges of Administrators (Admin or Sub Admin). The username of the
main Administrator is Administrator, with reading / writing privilege.
The Administrator can also change the system settings, log system status, and add
or delete sub-administrators. A Sub Admin may be created by the Admin by clicking
New Sub Admin. Sub Admins have only read and monitor privileges and cannot
change any system setting value.
Configure:
Click Modify to change the Sub Administrator’s password or click Remove to
delete a Sub Administrator.
2.1 Adding a new Sub Administrator
STEP 1﹒In the Admin Web UI, click the New Sub Admin button to create a new
Sub Administrator.
STEP 2﹒In the Add New Sub Administrator Web UI, enter the following setting:
STEP 1﹒Add the following setting in Permitted IPs of Administration:
Name: Enter master
IP Address: Enter 163.173.56.11
Netmask: Enter 255.255.255.255
Service: Select Ping, HTTP, and HTTPS.
Click OK
Complete add new permitted IPs
Setting Permitted IPs Web UI
Complete Add New Permitted Ips
For Permitted IPs to take effect, the Ping, HTTP, and HTTPS selections must be cleared
in the Web UI for the SG-1000 interface (LAN, WAN, or DMZ) through which the Administrator enters.
Set up the Permitted IPs before clearing the HTTP and HTTPS selections of the interface;
otherwise the Web UI can no longer be entered through that interface.
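The lockout condition described above can be checked before the interface selections are cleared. The following Python code is an added example, not taken from the PLANET manual or firmware: it models Permitted IPs entries with the Name / IP Address / Netmask / Service fields shown above and reports which administrator workstations would lose HTTP or HTTPS access. The dictionary layout, the function names, the workstation addresses and the matching rule (service selected and source address inside IP Address/Netmask) are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the Permitted IPs table; keys mirror the Web UI fields.
# The "master" entry is the one configured in STEP 1 above.
PERMITTED = [
    {"name": "master", "ip": "163.173.56.11", "netmask": "255.255.255.255",
     "services": {"Ping", "HTTP", "HTTPS"}},
]


def entry_network(entry):
    """Network covered by an entry's IP Address / Netmask pair.

    Raises ValueError for a non-contiguous netmask such as 255.0.255.0.
    """
    return ipaddress.ip_network(f"{entry['ip']}/{entry['netmask']}", strict=False)


def is_permitted(entries, source_ip, service):
    """True if any entry selects `service` and covers `source_ip` (assumed rule)."""
    src = ipaddress.ip_address(source_ip)
    return any(service in e["services"] and src in entry_network(e)
               for e in entries)


def lockout_risks(entries, admin_ips, services=("HTTP", "HTTPS")):
    """(ip, service) pairs that lose Web UI access once the interface
    selections are cleared and only Permitted IPs grant management access."""
    return [(ip, svc) for ip in admin_ips for svc in services
            if not is_permitted(entries, ip, svc)]


def broad_entries(entries, max_hosts=1):
    """Names of entries whose netmask admits more than `max_hosts` addresses."""
    return [e["name"] for e in entries
            if entry_network(e).num_addresses > max_hosts]


if __name__ == "__main__":
    # Constructed workstation addresses: one matches "master", one does not.
    for ip, svc in lockout_risks(PERMITTED, ["163.173.56.11", "192.168.1.50"]):
        print(f"{ip} would lose {svc} access; add a Permitted IPs entry first")
    print("entries wider than one host:", broad_entries(PERMITTED))
```

With the netmask 255.255.255.255 used in STEP 1, the entry covers exactly one address, so any other workstation is reported as a lockout risk.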
2.3 Logout
STEP 1﹒Click Logout, located at the upper right of the browser window, to protect the system
while the Administrator is away.
Confirm Logout Web UI
STEP 2﹒Click OK and the logout message will appear in Web UI.
Logout Web UI Message
2.4 Software Update
STEP 1﹒Select Software Update in System, and follow the steps below:
Check the current version number under Version Number and obtain the
latest version from the Internet. Save the latest version on the PC
that manages the SG-1000.
Click Browse and choose the latest software version file.
Click OK and the system will update automatically.
It takes 3 minutes to update the software. The system will reboot after the update. During the
update, do not turn off the PC or leave the Web UI, as this may cause unexpected
errors. (It is strongly suggested to update the software from the LAN to avoid unexpected errors.)
Chapter 3
Configure
Configure covers the basic settings of the SG-1000. This chapter defines
the Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS,
Hosts Table, and Language settings.
Define the required fields of Settings
SG-1000 Configuration:
The Administrator can import or export the system settings. Click OK to import
the file into the SG-1000 or click Cancel to cancel importing. You can also restore
the default values here.
Email Settings:
Select Enable E-mail Alert Notification under E-mail Settings. This function
enables the SG-1000 to send e-mail alerts to the System Administrator when the
network is being attacked by hackers or when emergency conditions occur. (Detection of
hacker attacks can be set from Settings-Hacker Alert in System.)
Web Management (WAN Interface):
The System Manager can change the port number used for HTTP at any time.
(Remote Web UI management)
After the HTTP port has been changed, an administrator who wants to enter the Web UI from the WAN
must use the new port number in the browser. (For example: http://61.62.108.172:8080)
MTU Setting:
Allows the Administrator to modify the network packet length at any time. The
default value is 1500 Bytes.
Link Speed / Duplex Mode:
Sets the transmission speed and mode of the WAN port when
connecting to another device.
Administration Packet Logging:
When this function is enabled, the SG-1000 records packets whose source or
destination IP address is the SG-1000 itself. They are recorded in the Traffic Log for the
System Manager to review.
Define the required fields of Time Settings
Synchronize Time/Date:
Synchronizing the SG-1000 with the System Clock. The administrator can
configure the SG-1000’s date and time by either syncing to an Internet Network
Time Server (NTP) or by syncing to your computer’s clock.
GMT:
International Standard Time (Greenwich Mean Time)
Define the required fields of Multiple Subnet
Forwarding Mode:
Displays the mode that Multiple Subnet uses (NAT mode or Routing Mode).
WAN Interface Address:
The WAN IP address that the Multiple Subnet corresponds to.
LAN Interface Address/Subnet Netmask:
The Multiple Subnet range.
NAT Mode:
It allows the internal network to be set with multiple subnet addresses and to connect to the
Internet through different WAN IP addresses. For example: a company's leased line
provides several real IP addresses in 168.85.88.0/24, and the company is
divided into R&D, service, sales, procurement, and accounting departments.
The company can distinguish each department by a different
subnet for convenient management. The settings are as
follows:
1. R&D department subnet: 192.168.1.1/24 (LAN) <-> 168.85.88.253 (WAN)
2. Service department subnet: 192.168.2.1/24 (LAN) <-> 168.85.88.252 (WAN)
3. Sales department subnet: 192.168.3.1/24 (LAN) <-> 168.85.88.251 (WAN)
4. Procurement department subnet: 192.168.4.1/24 (LAN) <-> 168.85.88.250 (WAN)
5. Accounting department subnet: 192.168.5.1/24 (LAN) <-> 168.85.88.249 (WAN)
The first department (R&D) was already set when the interface IP was configured; the other four
have to be added in Multiple Subnet. After completing the settings, each
department uses a different WAN IP address to connect to the Internet. The settings
of each department are as follows:
Routing Mode:
It is approximately the same as NAT mode but does not have to correspond to a
real WAN IP address, which lets an internal PC access the Internet by its own IP.
(External users can also use the IP to connect with the Internet)
Define the required fields of DHCP
Subnet:
The domain name of LAN
NetMask:
The LAN Netmask
Gateway:
The default Gateway IP address of LAN
Broadcast IP:
The Broadcast IP of LAN
Define the required fields of DDNS
Domain Name:
The domain name provided by DDNS
WAN IP Address:
The WAN IP Address, which the domain name corresponds to.
Define the required fields of Host Table
Domain Name:
It can be set by the System Manager, to let internal users access the
information provided by the host through this domain name.
Virtual IP Address:
The virtual IP address corresponding to the Host Table entry. It must be a LAN or DMZ IP
address.
System Settings - Exporting
STEP 1﹒In System Setting Web UI, click on the button next to Export
System Settings to Client.
STEP 2﹒When the File Download pop-up window appears, choose the destination
in which to save the exported file and click on Save. The settings of the
SG-1000 will be copied to the chosen location instantly.
Select the Destination Place to Save the Exported File
3.1 System Settings - Importing
STEP 1﹒In System Setting Web UI, click on the Browse button next to Import
System Settings from Client. When the Choose File pop-up window
appears, select the file that contains the saved SG-1000 settings, then
click OK.
STEP 2﹒Click OK to import the file into the SG-1000.
Enter the File Name and Destination of the Imported File
Upload the Setting File Web UI
Restoring Factory Default Settings
STEP 1﹒Select Reset Factory Settings in SG-1000 Configuration Web UI
STEP 2﹒Click OK at the bottom-right of the page to restore the factory settings.
Reset Factory Settings
Enabling E-mail Alert Notification
STEP 1﹒Select Enable E-mail Alert Notification under E-Mail Settings.
STEP 2﹒Device Name: Enter the Device Name or use the default value.
STEP 3﹒Sender Address: Enter the Sender Address. (Required by some ISPs.)
STEP 4﹒SMTP Server IP: Enter SMTP server’s IP address.
STEP 5﹒E-Mail Address 1: Enter the e-mail address of the first user to be notified.
STEP 6﹒E-Mail Address 2: Enter the e-mail address of the second user to be notified.
(Optional)
STEP 7﹒Click OK on the bottom-right of the screen to enable E-mail Alert
Notification.
Enable E-mail Alert Notification
Click on Mail Test to test if E-mail Address 1 and E-mail Address 2 can receive the Alert
Notification correctly.
Reboot SG-1000
STEP 1﹒Reboot SG-1000: Click the Reboot button next to Reboot SG-1000 Appliance.
STEP 2﹒A confirmation pop-up page will appear.
STEP 3﹒Follow the confirmation pop-up page; click OK to restart SG-1000.
Reboot SG-1000
3.2 Date/Time Settings
STEP 1﹒Select Enable synchronize with an Internet time Server
STEP 2﹒Click the down arrow to select the offset time from GMT.
STEP 3﹒Enter the Server IP / Name with which you want to synchronize.
STEP 4﹒Set the interval time to synchronize with outside servers.
System Time Setting
Click on the Sync button and then the SG-1000’s date and time will be synchronized to the
Administrator’s PC.
The values for Set Offset From GMT and Server IP / Name can be looked up via
Assist.
3.3 Multiple Subnet
Connect to the Internet through Multiple Subnet NAT or Routing Mode using the IP
address that is set on the LAN user’s network card.
Preparation
The SG-1000 WAN1 (10.10.10.1) connects to the ISP Router (10.10.10.2), and the subnet
provided by the ISP is 162.172.50.0/24.
To connect to the Internet, WAN2 IP (211.22.22.22) connects with ATUR.