Symantec 360R - Security Gateway SGS, 320, 360 Administration Manual

Symantec™ Gateway Security 300 Series Administrator’s Guide
Supported models:
Models 320, 360, and 360R
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 1.0 February 11, 2004
Copyright notice
Copyright 1998–2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. LiveUpdate, LiveUpdate Administration Utility, Symantec AntiVirus, and Symantec Security Response are trademarks of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Printed in the United States of America. 10987654321
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support program
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
See “Licensing” on page 145 for information on the licenses for this product.
Contacting Technical Support
Customers with a current maintenance agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp/.
Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/. When contacting the Technical Support group, please have the following:
Product release level
Hardware information
Available memory, disk space, NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description
Error messages/log files
Troubleshooting performed prior to contacting Symantec
Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com/techsupp/, select the appropriate Global Site for your country, then select the enterprise Continue link. Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec’s technical support options
Nontechnical presales questions
Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Introducing the Symantec Gateway Security 300 Series
Intended audience ............................................................................................... 12
Where to get more information .........................................................................12
Chapter 2 Administering the security gateway
Accessing the Security Gateway Management Interface .............................. 13
Using the SGMI ............................................................................................15
Managing administrative access ....................................................................... 15
Setting the administration password .......................................................16
Configuring remote management ............................................................. 17
Managing the security gateway using the serial console .............................. 19
Chapter 3 Configuring a connection to the outside network
Network examples ...............................................................................................24
Understanding the Setup Wizard .....................................................................27
About dual-WAN port appliances .....................................................................27
Understanding connection types ...................................................................... 28
Configuring connectivity ....................................................................................30
DHCP .............................................................................................................. 30
PPPoE .............................................................................................................31
Static IP and DNS ......................................................................................... 34
PPTP ...............................................................................................................36
Dial-up accounts ..........................................................................................39
Configuring advanced connection settings ..................................................... 43
Advanced DHCP settings ............................................................................ 43
Advanced PPP settings ................................................................................44
Maximum Transmission Unit (MTU) .......................................................45
Configuring dynamic DNS ..................................................................................45
Forcing dynamic DNS updates ..................................................................47
Disabling dynamic DNS ..............................................................................48
Configuring routing ............................................................................................. 48
Enabling dynamic routing ..........................................................................48
Configuring static route entries ................................................................49
Configuring advanced WAN/ISP settings ........................................................50
High availability ...........................................................................................50
Load balancing .............................................................................................51
SMTP binding ............................................................................................... 52
Binding to other protocols .........................................................................52
Failover .......................................................................................................... 52
DNS gateway .................................................................................................53
Optional network settings .......................................................................... 54
Chapter 4 Configuring internal connections
Configuring LAN IP settings .............................................................................. 57
Configuring the appliance as DHCP server ..................................................... 58
Monitoring DHCP usage ............................................................................. 60
Configuring port assignments ...........................................................................60
Standard port assignment .......................................................................... 61
Chapter 5 Network traffic control
Planning network access .................................................................................... 63
Understanding computers and computer groups ..........................................64
Defining computer group membership .................................................... 65
Defining computer groups ......................................................................... 67
Defining inbound access ..................................................................................... 68
Defining outbound access .................................................................................. 69
Configuring services ........................................................................................... 72
Redirecting services ....................................................................................73
Configuring special applications ....................................................................... 74
Configuring advanced options ...........................................................................76
Enabling the IDENT port ............................................................................76
Disabling NAT mode ...................................................................................77
Enabling IPsec pass-thru ............................................................................ 77
Configuring an exposed host ..................................................................... 78
Managing ICMP requests ............................................................................ 79
Chapter 6 Establishing secure VPN connections
About using this chapter .................................................................................... 82
Creating security policies ................................................................................... 82
Understanding VPN policies ...................................................................... 82
Creating custom Phase 2 VPN policies ..................................................... 84
Viewing VPN Policies List ..........................................................................85
Identifying users .................................................................................................. 85
Understanding user types ..........................................................................86
Defining users ..............................................................................................86
Viewing the User List .................................................................................. 88
Configuring Gateway-to-Gateway tunnels ......................................................88
Understanding Gateway-to-Gateway tunnels ......................................... 88
Configuring dynamic Gateway-to-Gateway tunnels .............................. 91
Configuring static Gateway-to-Gateway tunnels ...................................93
Sharing information with the remote gateway administrator ............. 96
Configuring Client-to-Gateway VPN tunnels .................................................. 96
Understanding Client-to-Gateway VPN tunnels .....................................97
Defining client VPN tunnels ...................................................................... 99
Setting global policy settings for Client-to-Gateway VPN tunnels ........................................................................101
Sharing information with your clients ...................................................101
Monitoring VPN tunnel status .........................................................................102
Chapter 7 Advanced network traffic control
How antivirus policy enforcement (AVpe) works .........................................104
Before you begin configuring AVpe ................................................................105
Configuring AVpe ..............................................................................................106
Enabling AVpe ............................................................................................107
Configuring the antivirus clients ............................................................109
Monitoring antivirus status .............................................................................109
Log messages ..............................................................................................110
Verifying AVpe operation ................................................................................110
About content filtering .....................................................................................111
Special considerations ..............................................................................111
Managing content filtering lists ......................................................................112
Special considerations ..............................................................................112
Enabling content filtering for LAN .........................................................113
Enabling content filtering for WAN .......................................................113
Monitoring content filtering ............................................................................114
Chapter 8 Preventing attacks
How intrusion detection and prevention works ...........................................115
Trojan horse protection ............................................................................116
Setting protection preferences ........................................................................116
Enabling advanced protection settings ..........................................................117
IP spoofing protection ...............................................................................117
TCP flag validation ....................................................................................118
Chapter 9 Logging, monitoring and updates
Managing logging ..............................................................................................119
Configuring log preferences .....................................................................120
Managing log messages ............................................................................124
Updating firmware ............................................................................................124
Automatically updating firmware ...........................................................125
Upgrading firmware manually ................................................................129
Checking firmware update status ...........................................................133
Backing up and restoring configurations ......................................................133
Resetting the appliance ............................................................................135
Interpreting LEDs ..............................................................................................136
LiveUpdate and firmware upgrade LED sequences .............................. 139
Appendix A Troubleshooting
About troubleshooting ......................................................................................141
Accessing troubleshooting information ........................................................143
Appendix B Licensing
Session licensing for Symantec Gateway Security 300 Series Client-to-Gateway VPN functions ...................................145
Additive session licenses ..........................................................................145
SYMANTEC GATEWAY SECURITY APPLIANCE LICENSE AND WARRANTY AGREEMENT ........................................................146
Appendix C Field descriptions
Logging/Monitoring field descriptions ..........................................................151
Status tab field descriptions ....................................................................152
View Log tab field descriptions ...............................................................154
Log Settings tab field descriptions ..........................................................155
Troubleshooting tab field descriptions .................................................. 156
Administration field descriptions ...................................................................157
Basic Management tab field descriptions ..............................................158
SNMP tab field descriptions .....................................................................158
LiveUpdate tab field descriptions ...........................................................159
LAN field descriptions ......................................................................................160
LAN IP & DHCP tab field descriptions ....................................................161
Port Assignment tab field descriptions ..................................................162
WAN/ISP field descriptions .............................................................................162
Main Setup tab field descriptions ...........................................................164
Static IP & DNS tab field descriptions ....................................................165
PPPoE tab field descriptions ....................................................................166
Dial-up Backup & Analog/ISDN tab field descriptions ........................167
PPTP tab field descriptions ......................................................................171
Dynamic DNS tab field descriptions .......................................................171
Routing tab field descriptions .................................................................174
Advanced tab field descriptions ..............................................................175
Firewall field descriptions ................................................................................176
Computers tab field descriptions ............................................................177
Computer Groups tab field descriptions ................................................179
Inbound Rules field descriptions .............................................................180
Outbound Rules tab field descriptions ...................................................181
Services tab field descriptions .................................................................182
Special Application tab field descriptions .............................................183
Advanced tab field descriptions ..............................................................186
VPN field descriptions ......................................................................................187
Dynamic Tunnels tab field descriptions ................................................189
Static Tunnels tab field descriptions ......................................................193
Client Tunnels tab field descriptions ......................................................197
Client Users tab field descriptions ..........................................................199
VPN Policies tab field descriptions .........................................................200
Status tab field descriptions ....................................................................202
Advanced tab field descriptions ..............................................................203
IDS/IPS field descriptions ................................................................................204
IDS Protection tab field descriptions ......................................................205
Advanced tab field descriptions ..............................................................206
AVpe field descriptions .....................................................................................207
Content filtering field descriptions ................................................................210
Index
Chapter 1 Introducing the Symantec Gateway Security 300 Series
This chapter includes the following topics:
Intended audience
Where to get more information
The Symantec Gateway Security 300 Series appliances are Symantec’s integrated security solution for small business environments, with support for secure wireless LANs.
The Symantec Gateway Security 300 Series provides integrated security by offering six security functions in the base product:
Firewall
IPsec virtual private networks (VPNs) with hardware-assisted 3DES and AES encryption
Antivirus policy enforcement (AVpe)
Intrusion detection
Intrusion prevention
Static content filtering
All features are designed specifically for the small business. These appliances are perfect for stand-alone environments or as a complement to Symantec Gateway Security 5400 Series appliances deployed at hub sites.
All of the Symantec Gateway Security 300 Series models are wireless-capable. They have special wireless firmware and a CardBus slot that can accommodate an optional functional add-on, consisting of an integrated 802.11 transceiver and antenna, to allow the highest possible integrated security for wireless LANs, when used with clients running the Symantec Client VPN software. LiveUpdate of firmware strengthens the Symantec Gateway Security 300 Series security response, making it a perfect solution for small businesses.
Intended audience
This manual is intended for system managers or administrators responsible for installing and maintaining the security gateway. It assumes that readers have a solid grounding in networking concepts and have access to an Internet browser.
Where to get more information
The Symantec Gateway Security 300 Series functionality is described in the following manuals:
Symantec™ Gateway Security 300 Series Administrator’s Guide
This is the guide you are reading. It describes how to configure the firewall, VPN, AntiVirus policy enforcement (AVpe), content filtering, IDS, IPS, LiveUpdate, and all other features of the gateway appliance. It is provided in PDF format on the Symantec Gateway Security 300 Series software CD-ROM.
Symantec™ Gateway Security 300 Series Installation Guide
Describes in detail how to install the security gateway appliance and run the Setup Wizard to get connectivity.
Symantec™ Gateway Security 300 Series Quick Start Card
This card provides abbreviated instructions for installing your appliance.
Chapter 2 Administering the security gateway
This chapter includes the following topics:
Accessing the Security Gateway Management Interface
Managing administrative access
Managing the security gateway using the serial console
Accessing the Security Gateway Management Interface
The Symantec Gateway Security 300 Series management interface is called the Security Gateway Management Interface (SGMI). The SGMI is a standalone management console for local management and log viewing. This guide describes how to use the SGMI to manage Symantec Gateway Security 300 Series appliances. The SGMI is a browser-based console where you can create configurations, view status, and access logs.
Online help is available for each tab when you click the blue circle with a question mark in the top right corner of each screen.
The SGMI consists of the following features:
Left pane main menu options
Right pane menu tabs
Right pane content
Right pane command buttons (bottom)
Help buttons
The Main Menu items are located on the left side of the window at all times.
Figure 2-1 Security Gateway Management Console
Note: The wireless features do not appear in the SGMI until a compatible Symantec Gateway Security WLAN Access Point option is properly installed. See the Symantec Gateway Security 300 Series Wireless Implementation Guide for more information.
Use one of the following supported Web browsers to connect to Security Gateway Management Interface:
Microsoft Internet Explorer version 5.5 or 6.0 SP1
Netscape version 6.23 or 7.0
You may need to clear the proxy settings in the browser before connecting to the SGMI.
Install the appliance according to the instructions in the Symantec Gateway Security 300 Series Quick Start Card before connecting to the SGMI.
Figure 2-1 callouts: Command buttons; Right pane content; Left pane main menu options; Top menu tab options; Online help.
The interface you see when you connect to the SGMI may vary slightly depending on the model you are managing. Table 2-1 describes the ports on each model.
To connect to the SGMI
1 Browse to the IP address of the appliance.
The default appliance IP address is 192.168.0.1.
2 On your keyboard, press Enter.
The Security Gateway Management Interface window displays.
Using the SGMI
The following list describes how to best work within the SGMI:
To submit a form, click the appropriate button in the user interface, rather than pressing Enter on your keyboard.
If you submit a form and receive an error, click the Back button in your Web browser. This retains the data you entered.
In IP address text boxes, press the Tab key on your keyboard to switch between boxes.
If after you click a button to submit the form in the user interface the appliance automatically restarts, wait approximately one minute before attempting to access the SGMI again.
Managing administrative access
You manage administrative access by setting a password for the admin user, as well as defining which IP addresses may access the appliance from the wide-area network (WAN) side.
Note: You must set the administration password before you have remote access to the SGMI.
Table 2-1 Interfaces by model
Model      WAN ports   LAN ports   Serial (modem) ports
320        1           4           1
360/360R   2           8           1
Setting the administration password
The administration password provides secure access to the SGMI. Setting and changing the password limits access to the SGMI to people who have been given the password. You must have installed the appliance and connected your browser to the SGMI to set the password. See the Symantec Gateway Security 300 Series Installation Guide for more information about setting up the appliance.
You configure the administration password on the Administration > Basic Management tab or in the Setup Wizard. You can also configure a range of IP addresses from which you can remotely manage the appliance. The administration user name is always admin.
Note: You should change the administration password on a regular basis to maintain a high level of security.
To set the administration password
You set the administration password initially in the Setup Wizard. You can change it in the SGMI. You can also reset the password completely, either by performing a manual reset or by resetting the appliance through the serial console.
Reflashing the appliance with the app.bin version of the firmware resets the password.
See “Upgrading firmware manually” on page 129.
Warning: When you manually reset the password by pressing the reset button, the LAN IP address is reset to the default value (192.168.0.1) and the DHCP server is enabled.
See “Basic Management tab field descriptions” on page 158.
To configure a password
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the Basic Management tab, under Administration Password, in the Password text box, type the password.
3 In the Verify Password text box, type the password again.
4 Click Save.
To manually reset the password
1 On the back of the appliance, press the reset button for 10 seconds.
2 Repeat the “To configure a password” procedure. See “To manually reset the password” on page 17.
Configuring remote management
You can access the SGMI remotely from the WAN side using a computer with an IP address that is within the configured range of IP addresses. The range is defined by a start and end IP address configured in the Remote Management section on the Administration/Basic Management tab. You should configure the IP addresses for remote management when you first connect to the SGMI. Remote management is sent as an MD5 hash.
Note: For security reasons, you should perform all external remote management through a Gateway-to-Gateway or a Client-to-Gateway VPN tunnel. This provides an appropriate level of confidentiality for your management session.
See “Establishing secure VPN connections” on page 81.
Figure 2-2 shows a remote management configuration.
Figure 2-2 Remote management (labels: Internet; SGMI; Protected devices; Symantec Gateway Security 300 Series appliance)
To configure remote management, specify both a start and end IP address. If you want to remotely manage from only one IP address, type it as both the start and end IP address. The start IP address is the lower number in the range of IP addresses and the end IP address is the higher number in the range. Leave these fields blank to deny remote access to the SGMI.
To configure for remote management
See “Basic Management tab field descriptions” on page 158.
1 In the SGMI, in the left pane, click Administration.
2 In the right pane, on the Basic Management tab, under Remote Management, in the Start IP Address text boxes, type the first IP Address (lowest in the range).
3 In the End IP Address text boxes, type the last IP Address (highest in the range).
To permit only one IP address, type the same value in both text boxes.
4 To enable remote Trivial File Transfer Protocol (TFTP) upgrades to the appliance’s firmware from the configured IP address range, check Allow Remote Firmware Upgrade.
The default is disabled. See “Upgrading firmware manually” on page 129.
5 Click Save.
6 To access the SGMI remotely, browse to the <appliance IP address>:8088, where <appliance IP address> is the WAN IP address of the appliance.
When you attempt to access the SGMI remotely, you must log in with the administration user name and password.
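The Start/End IP Address semantics described above (both fields blank denies remote access, the same value in both permits a single address, the start must be the lower number, and remote access is reached at <WAN IP>:8088) can be checked with the following Python, added here as an example and not taken from the guide or the appliance. The 256-address "broad range" threshold and the 203.0.113.x/198.51.100.x sample addresses are assumptions.

```python
import ipaddress
from typing import Optional, Tuple

# Remote SGMI access is reached on the appliance's WAN address at this port (from the guide).
SGMI_REMOTE_PORT = 8088

# Assumption (not from the guide): a remote-management range admitting more than
# this many addresses is flagged as overly broad by range_review().
BROAD_RANGE_THRESHOLD = 256


def remote_management_range(
    start: str, end: str
) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Interpret the Start/End IP Address fields on the Basic Management tab.

    Both fields blank  -> None (remote access to the SGMI is denied).
    Same value in both -> a single permitted address.
    Otherwise          -> (lowest, highest) pair; the start must be the lower number.
    """
    start, end = start.strip(), end.strip()
    if not start and not end:
        return None
    if not start or not end:
        raise ValueError("specify both a start and an end IP address")
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("the start IP address must be the lower number in the range")
    return first, last


def remote_management_allowed(start: str, end: str, client_ip: str) -> bool:
    """True if a management connection from client_ip falls inside the configured range."""
    rng = remote_management_range(start, end)
    if rng is None:
        return False
    client = ipaddress.IPv4Address(client_ip)
    return rng[0] <= client <= rng[1]


def range_review(start: str, end: str) -> dict:
    """Summarise what a configured range admits, for reviewing an appliance's settings."""
    rng = remote_management_range(start, end)
    if rng is None:
        return {"denied": True, "addresses": 0, "broad": False}
    count = int(rng[1]) - int(rng[0]) + 1
    return {"denied": False, "addresses": count, "broad": count > BROAD_RANGE_THRESHOLD}


def management_endpoint(wan_ip: str) -> str:
    """The address a remote administrator browses to: <appliance WAN IP>:8088."""
    return f"{ipaddress.IPv4Address(wan_ip)}:{SGMI_REMOTE_PORT}"


if __name__ == "__main__":
    # Constructed sample values (documentation address space, not a real deployment).
    admin_host = "203.0.113.10"
    print(remote_management_allowed(admin_host, admin_host, "203.0.113.10"))  # single address
    print(remote_management_allowed("", "", admin_host))                      # blank fields deny
    print(range_review("203.0.113.0", "203.0.113.255"))
    print(management_endpoint("198.51.100.7"))
```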
Managing the security gateway using the serial console
You can configure or reset the security gateway through the serial port using the null modem cable that is included with the security gateway. Configuring the security gateway in this way is useful for installing in an existing network because it prevents the security gateway from interfering with the network when it is connected.
You can configure a subset of settings through the serial console. These settings include the following:
LAN IP address (IP address of the security gateway)
LAN network mask
Enable or disable the DHCP server
Range of IP addresses for the DHCP server to allocate
To manage the security gateway using the serial console
1 On the rear of the appliance, connect the null modem cable to the serial
port.
2 Connect the null modem cable to your computer’s COM port.
3 On the rear of the appliance, turn DIP switch 3 to the on position (up).
4 On your keyboard, ensure that the Scroll Lock is not on.
5 Run a terminal program, such as HyperTerminal.
6 In the terminal program, set the program to connect directly to the COM port on your computer to which the appliance is physically connected.
7 Set the communication settings as follows:
  Baud (Bits per second)   9600
  Data bits                8
  Parity                   None
  Stop bits                1
  Flow control             None
8 Connect to the appliance.
9 After the terminal has connected to the appliance, on the rear panel of the appliance, quickly press the reset button.
10 At the prompt, do one of the following:
  Local IP Address       Type 1 to change the IP address of the appliance.
  Local Network Mask     Type 2 to change the netmask of the appliance.
  DHCP Server            Type 3 to enable or disable the DHCP server feature of the appliance.
  Start IP Address       Type 4 to type the first IP address in the range that the DHCP server can allocate.
  Finish IP Address      Type 5 to type the last IP address in the range that the DHCP server can allocate.
  Restore to Defaults    Type 6 to restore the appliance’s default settings for Local IP address, local network mask, DHCP server, and DHCP range.
11 If you are changing local IP address, local network mask, DHCP server, start IP address, or finish IP address, do the following:
  Type the new value for the setting you are changing.
  Press Enter.
12 If you are restoring the default values for the appliance, press Enter.
13 Type 7.
The appliance restarts.
14 On the rear of the appliance, turn DIP switch 3 to the off position (down).
15 On the rear of the appliance, quickly press the reset button.
Chapter 3
Configuring a connection to the outside network
This chapter includes the following topics:
Understanding connection types
Configuring connectivity
Configuring advanced connection settings
Configuring dynamic DNS
Configuring routing
Configuring advanced WAN/ISP settings
The Symantec Gateway Security 300 Series WAN/ISP functionality provides connections to the outside world. This can be the Internet, a corporate network, or any other external private or public network. WAN/ISP functionality can also be configured to connect to an internal LAN when the appliance is protecting an internal subnet. Configure the WAN connections as soon as you install the appliance.
You can configure or change the appliance’s connectivity on the WAN ports using the WAN/ISP windows or using the Setup Wizard, which is run the first time you access the appliance after you complete the hardware installation.
Before you start configuring a WAN connection, determine what kind of connection you have to the outside network, and based on the connection type, gather information to use during the configuration procedure. See the Symantec Gateway Security 300 Series Installation Guide for worksheets to plan the configuration.
Symantec Gateway Security 300 Series model 320 has one WAN port to configure. Models 360 and 360R appliances have two WAN ports that you can configure separately and differently depending on your needs. Some settings apply to both WAN ports while other settings apply specifically to WAN1 or WAN2.
Warning: After you reconfigure WAN connections and restart the appliance, network traffic is temporarily interrupted. VPN connections are reestablished.
After you have established basic connectivity, you can configure advanced settings, such as DNS, routing, and high availability/load balancing (HA/LB).
Network examples
Figure 3-1 shows a network diagram of a Symantec Gateway Security 300 Series that is connected to the Internet. The termination point represents any network termination type. This is a device that may be provided by your Internet Service Provider (ISP), or a network switch. The computer used for appliance management is connected directly to the appliance using one of the LAN ports on the appliance, and uses a browser to connect to the Security Gateway Management Interface (SGMI). The protected network communicates through the Symantec Gateway Security 300 Series appliance to the Internet.
Figure 3-1 Connection to the Internet [figure: Internet, termination point, Symantec Gateway Security 300 Series, protected network, SGMI]
Figure 3-2 shows a network diagram of an appliance connecting to an Intranet.
In this scenario, the appliance protects an enclave of the larger internal network from unauthorized internal users. Enclave traffic from the protected network passes through the Symantec Gateway Security 300 Series and through the Symantec Gateway Security 5400 Series to the Internet.
Figure 3-2 Connection to internal network [figure: Internet, Symantec Gateway Security 5400 Series, router, Symantec Gateway Security 300 Series, SGMI, enclave network, protected network]
Understanding the Setup Wizard
The Setup Wizard launches when you first browse to the appliance. The Setup Wizard helps you configure basic connectivity to the Internet or your intranet. If you have already successfully run the Setup Wizard and verified WAN connectivity to the outside network, you do not need to do any additional setup for WAN 1. For models 360 or 360R, use the SGMI to configure WAN 2. See the Symantec Gateway Security 300 Series Installation Guide for more information about using the Setup Wizard.
Note: To change the language in which the SGMI appears, rerun the Setup Wizard and select a different language.
The Setup Wizard verifies the current status of the WAN 1 connection before proceeding. If the WAN port (called WAN 1 on models 360 and 360R) is connected to an active network, the Setup Wizard guides you through configuring LiveUpdate and the administration password. If the WAN port is not currently active, the Setup Wizard guides you through entering your ISP-specific connection parameters. Use the WAN/ISP tabs to configure advanced connection settings or to configure the WAN 2 port.
You can re-run the Setup Wizard at any time after the initial installation. To run the Setup Wizard, on the WAN/ISP > Main Setup window, click Run Setup Wizard. See the Symantec Gateway Security 300 Series Installation Guide for more information.
Warning: Anything you type and save on the WAN/ISP tabs overwrites what you entered previously in the Setup Wizard. This may cause loss of WAN connectivity.
About dual-WAN port appliances
Symantec Gateway Security 300 Series models 360 and 360R appliances have two WAN ports, WAN 1 and WAN 2. The model 360 and 360R appliances support different types of network settings on each of its WAN ports. For example, you may have a static IP account through your business as the primary WAN connection and a secondary (and less expensive) dynamic IP account for a backup connection. Each WAN port is treated as a completely different connection.
Some configurations apply to both WAN ports and for other configurations you must configure each WAN port separately. Table 3-1 indicates the configuration and whether it applies to both WAN ports or if you must configure each separately.
Table 3-1 WAN port configurations
Configuration                 Which WAN port?
Connection types              Configure a connection type for each WAN port. See “Understanding connection types” on page 28.
Backup account                You can configure a primary connection for WAN1 and then connect a modem to the serial port on the back of the appliance for a backup connection. See “Dial-up accounts” on page 39.
Optional network settings     You can specify different configurations for each WAN port. See “Optional network settings” on page 54.
Dynamic DNS                   Applies to both WAN1 and WAN2. See “Configuring dynamic DNS” on page 45.
DNS Gateway                   Applies to both WAN1 and WAN2. See “DNS gateway” on page 53.
Alive Indicator               Configure an alive indicator for each WAN port. See “Dial-up accounts” on page 39 or “Configuring advanced WAN/ISP settings” on page 50.
Routing                       Configure routing for each WAN port. See “Configuring routing” on page 48.
WAN port load balancing and bandwidth aggregation
                              Set the percentage of traffic you want sent through WAN1; the remainder goes through WAN2. See “Load balancing” on page 51.
Bind SMTP                     Bind SMTP to either WAN1 or WAN2. See “SMTP binding” on page 52.
High availability             Specify whether high availability is used for each port. See “High availability” on page 50.
Understanding connection types
To connect the appliance to an outside or internal network, you must understand your connection type.
First, determine if you have a dial-up or broadband account. If you have a dial-up account, proceed to Dialup/ISDN. If you have a dedicated account, determine the connection type by reading the following table, and then proceed to the appropriate configuration section.
Typical dial-up accounts are analog (through a normal phone line connected to an external modem) and ISDN (through a special phone line). Typical broadband accounts are broadband cable, DSL, T1/E1, or T3 connected to a terminal adaptor.
Note: Connect only RJ-45 cables to the WAN ports.
The following tables describe the supported connection types. The Connection type column is the option button you click on the Main Setup tab or in the Setup Wizard. The Services column is the types of accounts or protocols that are associated with the connection type. The Network termination types column lists the physical devices that a particular connection type typically uses to connect to the Internet or a network.
Table 3-2 lists the supported dial-up connection types and ways you can identify them. If you have a broadband account, refer to Table 3-3 to determine which connection type you have.
Table 3-2 Dial-up connection types
Connection type   Services                                     Network termination types
Analog or ISDN    Plain Old Telephone Service (POTS)           Analog dial-up modem
                  Integrated Services Digital Network (ISDN)   Digital dial-up modem
An ISDN modem is sometimes called a terminal adaptor.
Table 3-3 Broadband connection types
Connection type               Services                         Network termination types
DHCP                          Broadband cable                  Cable modem
                              Digital Subscriber Line (DSL)    DSL modem with Ethernet cable
                              Direct Ethernet connection       Ethernet cable (usually an enclave network)
PPPoE                         PPPoE                            ADSL modem with Ethernet cable
Static IP (Static IP & DNS)   Broadband cable                  Cable modem
                              Digital Subscriber Line (DSL)    DSL modem
                              T1                               Channel Service Unit/Digital Service Unit (CSU/DSU)
                              Direct Ethernet connection       Ethernet cable (usually an enclave network)
PPTP                          PPTP                             DSL modem with Ethernet cable
Your ISP or network administrator may also be able to help you determine your connection type.
Configuring connectivity
Once you have determined which kind of connection you have, you can configure the appliance to connect to the Internet or intranet using the settings appropriate for that connection.
DHCP
Dynamic Host Configuration Protocol (DHCP) automates the network configuration of computers. It enables a network with many clients to extract configuration information from a single server (DHCP server). In the case of a dedicated Internet account, the users are the clients extracting information from the ISP’s DHCP server, and IP addresses are only assigned to connected accounts.
The account you have with your ISP may use DHCP to allocate IP addresses to you. Account types that frequently use DHCP are broadband cable and DSL. ISPs may authenticate broadband cable connections using the MAC address or physical address of your computer or gateway.
See “Configuring connectivity” on page 30 for information on configuring DHCP to allocate IP addresses to your nodes.
Before configuring DHCP for your WAN ports, you must select DHCP (Auto IP) as your connection type on the Main Setup window.
To select DHCP as your connection type
See “Main Setup tab field descriptions” on page 164.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click
DHCP.
Click Save.
3 For model 360 or 360R, do the following:
To select a connection type for WAN1, under WAN1 (External), in the
Connection Type drop-down list, click DHCP.
To select a connection type for WAN2, under WAN2 (External), in the
Connection Type drop-down list, click DHCP.
4 Click Save.
PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) is used by many Asymmetrical Digital Subscriber Line (ADSL) providers. It is a specification for connecting many users on a network to the Internet through a single dedicated medium, such as a DSL account.
You can specify whether you connect or disconnect your PPPoE account manually or automatically. This is useful to verify connectivity.
You can configure the appliance to connect only when an Internet request is made from a user on the LAN (for example, browsing to a Web site) and disconnect when the connection is idle (unused). This feature is useful if your ISP charges on a per-usage time basis.
You can use multiple logins (if your ISP account allows multi-session PPPoE) to obtain additional IP addresses for the WAN. These are called PPPoE sessions. The login may be the same user name and password as the main session or may be different for each session, depending on your ISP. Up to five sessions or IP addresses are allowed for model 320 and up to three sessions for each WAN port on models 360 and 360R. LAN hosts are bound to a session on the Computers tab. See “Configuring LAN IP settings” on page 57.
Note: Multiple IP addresses on a WAN port are only supported for PPPoE connections.
By default, all settings are associated with Session 1. For multi-session PPPoE Accounts, configure each session individually. If you have multiple PPPoE accounts, assign each one to a different session in the SGMI.
Before configuring the WAN ports to use a PPPoE account, gather the following information:
User name and password
All PPPoE accounts require user names and passwords. Get this information from your ISP before configuring PPPoE.
Static IP address
You may have purchased or are assigned a static IP address for the PPPoE account.
To configure PPPoE
See “PPPoE tab field descriptions” on page 166.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click
PPPoE (xDSL).
Click Save.
3 For model 360 or 360R, do the following:
In the right pane, on the Main Setup tab, under WAN1 (External), in the
Connection Type drop-down list, click PPPoE (xDSL).
To use WAN 2, under WAN 2 (External), under HA Mode, click Normal.
To use WAN2, under WAN2 (External), in the Connection Type drop-
down list, click PPPoE (xDSL).
Click Save.
In the right pane, on the PPPoE tab, under WAN Port and Sessions, in the WAN Port drop-down list, select a WAN port to configure.
4 If you have a multi-session PPPoE account, under WAN Port and Sessions,
on the PPPoE Session drop-down list, select the appropriate session.
5 If you have a single-session PPPoE account, leave the PPPoE session at
Session 1.
6 Under Connection, check Connect on Demand.
If you want to connect to a PPPoE session manually, uncheck Connect on Demand, and then under Manual Control, click Connect.
7 In the Idle Time-out text box, type the number of minutes of inactivity after
which you want the appliance to disconnect from the PPPoE account.
8 If you have a static IP PPPoE Internet account, in the Static IP Address text
box, type the IP address.
Otherwise, leave the value at 0.
9 Under Choose Service, click Query Services.
You must be disconnected from your PPPoE account to use this feature.
See “Connecting manually to your PPPoE account” on page 34.
10 From the Service drop-down list, select a PPPoE service.
You must click Query Services to select a service.
11 In the User Name text box, type your PPPoE account user name.
12 In the Password text box, type your PPPoE account password.
13 In the Verify Password text box, retype your PPPoE account password.
14 Click Save.
Verifying PPPoE connectivity
Once the appliance is configured to use the PPPoE account, verify that it connects correctly.
To verify connectivity
See “PPPoE tab field descriptions” on page 166.
See “Status tab field descriptions” on page 152.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the PPPoE tab, under Manual Control, click Connect.
3 In the left pane, click Logging/Monitoring.
In the right pane, on the Status tab, under WAN1 (External Port), the connection status is displayed.
If you are not connected, verify the following items:
You typed your user name and password correctly. Some ISPs expect the
user name to be email address format, for example, johndoe@myisp.net.
Check that all the cables are firmly plugged in.
Your account information with your ISP and that your account is active.
Connecting manually to your PPPoE account
You can manually connect or disconnect from your PPPoE account. For model 360 or 360R, you can manually control the connection for either WAN port. This is useful to troubleshoot the connection to the ISP.
To manually control your PPPoE account
You can manually control your PPPoE account through the SGMI.
See “PPPoE tab field descriptions” on page 166.
To manually connect to the PPPoE account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, in the right pane, on the PPPoE tab, under Manual Control,
click Connect.
3 For model 360 or 360R, do the following:
In the right pane, on the PPPoE tab, under WAN Port and Sessions, in
the WAN Port drop-down list, select the WAN port to connect.
In the Session drop-down list, select a PPPoE session.
Under Manual Control, click Connect.
To manually disconnect from the PPPoE account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, in the right pane, on the PPPoE tab, under Manual Control,
click Disconnect.
3 For model 360 or 360R, do the following:
In the right pane, on the PPPoE tab, under WAN Port and Sessions, in
the WAN Port drop-down list, select the WAN port to disconnect.
In the Session drop-down list, select a PPPoE session.
Under Manual Control, click Disconnect.
Static IP and DNS
When you get an account with an ISP, you may have the option to purchase a static (permanent) IP address. This enables you to run a server, such as a Web or FTP server, because the address remains the same all the time. Any type of account (dial-up or broadband) can have a static IP address.
The appliance forwards any DNS lookup request to the specified DNS server for name resolution. The appliance supports up to three DNS servers. When you specify multiple DNS servers, they are used in sequence. For example, after the first server is used, the next request is forwarded to the second server and so on.
If you have a static IP address with your ISP or are using the appliance behind another security gateway device, select Static IP and DNS for your connection type. You can specify your static IP address and the IP addresses of the DNS servers you want to use for name resolution.
Before configuring the appliance to connect with your static IP account, gather the following information:
Static IP, netmask, and default gateway addresses
Contact your ISP or IT department for this information.
DNS addresses
You must specify the IP address for at least one, and up to three, DNS servers. Contact your ISP or IT department for this information. You do not need DNS IP address entries for dynamic Internet accounts or accounts where a DHCP server assigns the IP addresses.
If you have a static IP address with PPPoE, configure the appliance for PPPoE.
To configure static IP
You must specify the static IP address and the IP address for the DNS that you want to use. You must enter at least one DNS if you have a static IP account.
See “Static IP & DNS tab field descriptions” on page 165.
To configure static IP
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Main Setup tab, under Connection Type, click
Static IP.
3 Click Save.
4 For model 320, do the following:
In the right pane, on the Static IP & DNS tab, under WAN IP, in the IP
Address text boxes, type the desired IP address of the external (WAN) side of the Symantec Gateway Security 300 Series appliance.
In the Network Mask text box, type the network mask.
Change this only if your ISP requires it.
In the Default Gateway text box, type the default security gateway.
In the Domain Name Servers text boxes, type the IP address for at least
one, and up to three, domain name servers.
Click Save.
5 For model 360 or 360R, do the following:
Under WAN1 (External), in the Connection Type drop-down list, click
Static IP.
To use WAN 2, under WAN 2 (External), under HA Mode, click Normal.
To use WAN 2, under WAN2 (External), in the Connection Type drop-
down list, click Static IP.
Click Save.
In the right pane, on the Static IP & DNS tab, under either WAN 1 IP or
WAN2 IP, in the IP Address text boxes, type the desired IP address of
the external (WAN) side of the Symantec Gateway Security 300 Series
appliances.
In the Network Mask text box, type the network mask.
In the Default Gateway text box, type the default security gateway.
Symantec Gateway Security 300 Series sends any packet it does not
know how to route to the default security gateway.
In the Domain Name Servers text boxes, type the IP address for at least
one, and up to three, domain name servers.
6 Click Save.
PPTP
Point-to-Point Tunneling Protocol (PPTP) is a protocol that enables a secure data transfer from a client to a server by creating a tunnel over a TCP/IP-based network. Symantec Gateway Security 300 Series appliances act as a PPTP access client (PAC) when you connect to a PPTP Network Server (PNS), generally with your ISP.
Before beginning PPTP configuration, gather the following information:
PPTP server IP address
IP address of the PPTP server at the ISP.
Static IP address
IP address assigned to your account.
Account information
User name and password to log in to the account.
To configure PPTP
See “PPTP tab field descriptions” on page 171.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, do the following:
In the right pane, on the Main Setup tab, under Connection Type, click
PPTP.
Click Save.
3 For model 360 or 360R, do the following:
Under WAN1 (External), in the Connection Type drop-down list, click
PPTP.
To use WAN 2, under WAN 2 (External), under HA Mode, click Normal.
To use WAN 2, under WAN2 (External), in the Connection Type drop-
down list, click PPTP.
Click Save.
4 In the right pane, on the PPTP tab, under Connection, check Connect on
Demand.
5 In the Idle Time-out text box, type the number of minutes of inactivity after
which you want the appliance to disconnect the PPTP connection.
6 In the Server IP Address text box, type the IP address of the PPTP server.
7 If you have a static IP PPTP Internet account, in the Static IP Address text
boxes, type the IP address.
Otherwise, leave the value at 0.
8 Under User Information, in the User Name text box, type your ISP account
user name.
9 In the Password text box, type your ISP account password.
10 In the Verify text box, type your ISP account password.
11 Click Save.
Verifying PPTP connectivity
Once the appliance is configured to use the PPTP account, verify that it connects correctly.
To verify PPTP connectivity
See “PPTP tab field descriptions” on page 171.
See “Status tab field descriptions” on page 152.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, in the right pane, on the PPTP tab, under Manual Control,
click Connect.
3 For model 360 and 360R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port
drop-down list, select the WAN port to connect.
Under Manual Control, click Connect.
4 In the left pane, click Logging/Monitoring.
In the right pane, on the Status tab, under WAN1 (External Port), the connection status is displayed.
If you are not connected, verify that you have typed your user name and password correctly. If you are still not connected, call your ISP and verify your account information and that your account is active.
Connecting manually to your PPTP account
You can manually connect to or disconnect from your PPTP account. For model 360 or 360R, you can manually control the connection for either WAN port. This is helpful for troubleshooting connectivity.
To manually connect to your PPTP account
For model 320, you can connect or disconnect to your PPTP account. For model 360 or 360R, you select the WAN port to control, and then connect or disconnect.
See “PPTP tab field descriptions” on page 171.
To manually connect your PPTP account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, in the right pane, on the PPTP tab, under Manual Control,
click Connect.
3 For model 360 or 360R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port
drop-down list, select the WAN port to connect.
Under Manual Control, click Connect.
To manually disconnect your PPTP account
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, in the right pane, on the PPTP tab, under Manual Control,
click Disconnect.
3 For model 360 or 360R, do the following:
In the right pane, on the PPTP tab, under WAN Port, in the WAN Port drop-down list, select the WAN port to disconnect.
Under Manual Control, click Disconnect.
Dial-up accounts
There are two basic types of dial-up accounts: analog and ISDN. Analog uses a modem that connects to a regular telephone line (RJ-11 connector). ISDN is a digital dial-up account type that uses a special telephone line.
On the appliance, you can use a dial-up account as your primary connection to the Internet, or as a backup to your dedicated account. In backup mode, the appliance automatically dials the ISP if the dedicated connection fails. The appliance re-engages the dedicated account when it is stable; failover from the primary connection to modem or from the modem to the primary connection can take 30 to 60 seconds.
You can configure a dial-up account as your primary connection, or as a backup that the appliance uses if your primary dedicated account fails. First, you must connect the modem to the appliance. Then, you use the SGMI to configure the dial-up account.
You can also connect or disconnect your account manually at any time.
You must use an external modem for dial-up accounts. You connect the modem, including ISDN modems, to the appliance through the serial port on the back of the appliance. Figure 3-3 shows the serial port on the rear panel of the model 320 appliance.
Figure 3-3 Rear panel of Symantec Gateway Security model 320 appliance [figure: serial port]
Figure 3-4 shows the serial port on the rear panel of the model 360 and 360R appliances.
Figure 3-4 Rear panel of Symantec Gateway Security model 360 and 360R appliances [figure: serial port]
Before configuring the appliance to use your dial-up account as either the primary or backup connection, gather the following information and equipment:
Account information    User name, which may be different from your account name, and password for the dial-up account.
Dial-up numbers        At least one, and up to three, telephone numbers for the dial-up account.
Static IP address      Some ISPs assign static IP addresses to their accounts, or you may have purchased a static IP address.
Modem/cables           An external modem and a serial cable to connect the modem to the serial port on the back of the appliance.
Modem documentation    You may need to consult your modem’s documentation for modem command or model information.
To configure dial-up accounts
First, you must connect the modem to the appliance. Then, you use the SGMI to configure the dial-up account.
Note: If you leave the Alive Indicator Site IP or URL text box on the Main Setup tab blank, the appliance PINGs the default gateway to determine connectivity. Keep this in mind if your ISP gateway blocks ICMP requests such as PING.
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 167.
To connect your modem
1 Plug one end of the serial cable into your modem.
2 Plug the other end of the serial cable into the serial port on the back of the appliance.
3 If it requires external power, plug the modem into a wall socket.
4 Turn on the modem.
To configure your primary dial-up account
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Main Setup tab, under Connection Type, click Analog/ISDN.
3 Click Save.
4 On the Dial-up Backup & Analog/ISDN tab, under ISP Account Information, do the following:
  User Name              Type the account user name.
  Password               Type the account password.
  Verify Password        Retype the account password.
  Dial-up Telephone 1    Type the dial-up telephone number.
  Dial-up Telephone 2    Optionally, type a backup dial-up telephone number.
  Dial-up Telephone 3    Optionally, type a backup dial-up telephone number.
5 Under Modem Settings, do the following:
  Model                  Select the model of your modem.
  Line Speed             Select the speed at which you want to connect.
  Dial Type              Select the dial type.
  Redial String          Type a redial string.
  Initialization String  Type an initialization string. If you select a modem type other than Other, the initialization string is provided. If you select Other, you must type an initialization string.
  Line Type              Select the type of telephone line.
  Dial String            Type a dial string.
  Idle Time Out          Type the amount of time, in minutes, after which the connection is closed if idle.
6 Click Save.
After you click Save, the appliance restarts. Network connectivity is interrupted.
To enable the backup dial-up account
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dial-up Backup and Analog/ISDN tab, under Backup Mode, do the following:
  Check Enable Backup Mode.
  In the Alive Indicator Site IP or URL text box, type the IP address or resolvable name of the site to check connectivity.
3 Under Modem Settings, click Save.
4 Follow the steps in “Dial-up accounts” on page 39.
Controlling your dial-up account manually
You can force the appliance to connect or disconnect from your dial-up account. This is helpful for verifying connectivity.
To manually control the dial-up account
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 167.
1 In the SGMI, in the left pane, click WAN/ISP.
2 To connect to the dial-up account, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Dial.
3 To disconnect from the dial-up account, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Hang Up.
Verifying dial-up connectivity
Once you have configured the appliance to use your dial-up account, verify that it connects correctly.
To verify dial-up connectivity
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 167.
See “Status tab field descriptions” on page 152.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Dial-up Backup & Analog/ISDN tab, under Manual Control, click Dial.
3 In the left pane, click Logging/Monitoring.
4 In the right pane, on the Status tab, under WAN1 (External Port), next to Connection Status, your connection status is displayed.
If you are not connected, verify the following:
  You have typed your user name and password correctly.
  The initialization string is correct for your modem model. Check your modem documentation for more information.
  Cables are securely plugged in.
  The phone jack to which the modem is connected is functioning.
  Your account information is correct and your account is active; verify both with your ISP.
Monitoring dial-up account status
You can view and refresh the status of your dial-up account connection.
To monitor dial-up account status
See “Dial-up Backup & Analog/ISDN tab field descriptions” on page 167.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dial-up Backup & Analog/ISDN tab, scroll to Analog Status.
3 To refresh the dial-up account status, on the Dial-up Backup & Analog/ISDN tab, under Modem Settings, click Refresh.
Configuring advanced connection settings
Advanced connection settings let you control your connectivity parameters more closely. If you have a DHCP connection, you can configure the renew settings. For PPPoE accounts, you can configure echo requests. For all connection types, you can specify packet size by setting the Maximum Transfer Unit (MTU).
Advanced DHCP settings
If you selected DHCP as your connection type, you can tell the appliance when to send a renew request, which tells the ISP to allocate a new IP address to the appliance.
You can tell the appliance at any time to request a new IP address, by forcing a DHCP renew. However, you should only do this if requested by Symantec Technical Support.
To configure advanced DHCP settings
You can configure the idle renew time and manually force a DHCP renew request.
See “Advanced tab field descriptions” on page 175.
To configure idle renew
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Optional Connection settings, in the Idle Renew DHCP text box, type the number of minutes after which a renew lease request is sent.
3 Click Save.
To force a DHCP renew
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, on the Advanced tab, under Optional Connection settings, click Force Renew.
3 For model 360 or 360R, do one of the following:
  To renew WAN1, on the Advanced tab, under Optional Connection Settings, click Renew WAN1.
  To renew WAN2, on the Advanced tab, under Optional Connection Settings, click Renew WAN2.
Advanced PPP settings
You can configure the echo requests that the appliance sends to verify that the appliance is connected to the PPPoE account.
To configure PPP settings
See “Advanced tab field descriptions” on page 175.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under PPP settings, do the following:
  In the Time-out text box, type the number of seconds before trying another echo request.
  In the Retries text box, type the number of times for the appliance to attempt to reconnect.
3 Click Save.
Warning: To reset the echo request settings, click Restore Defaults. This also resets the MTU number and the DHCP Idle Renew settings to their default values.
Maximum Transmission Unit (MTU)
You can specify the maximum size of the packets that arrive at and leave the appliance through the WAN port you are configuring. This is useful if a computer or another appliance along the transmission path requires a smaller MTU. On models 360 and 360R, if you are configuring WAN1 and WAN2, you can set a different MTU for each port.
To specify MTU size
See “Advanced tab field descriptions” on page 175.
1 In the SGMI, in the left pane, click WAN/ISP.
2 In the right pane, on the Advanced tab, under Optional Connection Settings, in the WAN port text box, type the MTU size.
3 Click Save.
Warning: To reset the MTU size, click Restore Defaults. This also resets the echo request information and the DHCP Idle Renew settings to their default values.
Configuring dynamic DNS
The Symantec Gateway Security 300 Series can use a dynamic DNS service to map dynamic IP addresses to a domain name to which users can connect.
If you receive your IP address dynamically from your ISP, dynamic DNS services let you use your own domain name (mysite.com, for example) or their domain name with your subdomain to connect to your services, such as a VPN gateway, Web site, or FTP server. For example, if you set up a virtual Web server and your ISP assigns you a different IP address each time you connect the server, your users can always access www.mysite.com.
The appliances support two types of dynamic DNS services: standard and TZO. You can configure either service by specifying account information, or you can disable dynamic DNS completely.
See the Symantec Gateway Security 300 Series Release Notes for the list of supported services.
When you create an account with TZO, they send you the following information to log in and use your account: key (password), email (user name), and domain. Gather this information before configuring the appliance to use TZO. For more information about TZO dynamic DNS, go to http://www.tzo.com.
To use standard service DNS, gather the following information:
Account information: User name (which may be different from the account name) and password for the dynamic DNS account.
Server: IP address or resolvable name of the dynamic DNS server. For example, members.dyndns.org.
To configure dynamic DNS
For model 320, you can configure the WAN port to use dynamic DNS. For model 360 or 360R, you can configure WAN1, WAN2, or both ports to use dynamic DNS.
See “Dynamic DNS tab field descriptions” on page 171.
See “Main Setup tab field descriptions” on page 164.
To configure TZO dynamic DNS
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dynamic DNS tab, under Service Type, click TZO.
3 Do one of the following:
  For model 320, skip to step 4.
  For model 360 and 360R, in the WAN Port drop-down list, select the WAN port for which you are configuring TZO.
4 Under TZO Dynamic DNS Service, do the following:
  In the Key text box, type the key that TZO sent when the account was created.
  In the Email text box, type the email address you specified when you created the TZO account.
  In the Domain text box, type the domain name that TZO handles. For example, marketing.mysite.com.
5 Click Save.
To configure standard service DNS
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Dynamic DNS tab, under Service Type, click Standard.
3 Do one of the following:
  For model 320, skip to step 4.
  For model 360 and 360R, in the WAN Port drop-down list, select the WAN port for which you are configuring dynamic DNS.
4 Under Standard Service, do the following:
  User Name: Type the dynamic DNS account user name.
  Password: Type the dynamic DNS account password.
  Verify Password: Retype the dynamic DNS account password.
  Server: Type the IP address or DNS-resolvable name for the dynamic DNS server.
  Host Name: Type the host name that you want to use.
5 Optionally, under Standard Optional Settings, do the following:
  To access your network with *.yourhost.yourdomain.com, where * is a CNAME like FTP or www, yourhost is the host name, and yourdomain.com is your domain name, check Wildcards.
  To use a backup mail exchanger, check Backup MX.
  In the Mail Exchanger text box, type the domain name of the mail exchanger.
6 Click Save.
Forcing dynamic DNS updates
When you force a dynamic DNS update, the appliance sends its current IP address, host name, and domain to the service. Do this only if requested by Symantec Technical Support.
For model 320, you can force a dynamic DNS update for the WAN port. For model 360 or 360R, you can force a dynamic DNS update for WAN1, WAN2, or both ports.
To force a DNS update
See “Dynamic DNS tab field descriptions” on page 171.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, on the Dynamic DNS tab, under Service Type, click Update.
3 For model 360 or 360R, do the following:
  On the Dynamic DNS tab, under Service Type, in the WAN Port drop-down list, select the WAN port for which you are configuring TZO.
  Click Update.
Disabling dynamic DNS
You can disable dynamic DNS if you are hosting your own domain. On model 360 or 360R, you can disable dynamic DNS for both WAN ports.
To disable dynamic DNS
See “Dynamic DNS tab field descriptions” on page 171.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, on the Dynamic DNS tab, under Service Type, click Disable.
3 For model 360 or 360R, do the following:
  On the Dynamic DNS tab, under Service Type, in the WAN Port drop-down list, select the WAN port to disable.
  Click Disable.
4 Click Save.
Configuring routing
If you install Symantec Gateway Security 300 Series appliances on a network with more than one directly connected router, you must specify to which router to send traffic. The appliance supports two types of routing: dynamic and static. Dynamic routing chooses the best route for packets and sends the packets to the appropriate router. Static routing sends packets to the router you specify. Routing information is maintained in a routing table.
Dynamic routing is administered using the RIP v2 protocol. When it is enabled, the appliance listens and sends RIP requests on both the internal (LAN) and external (WAN) interfaces. RIP v2 updates the routing table based on information from untrusted sources, so you should only use dynamic routing for intranet or department gateways where you can rely on trusted routing updates.
Routing helps the flow of traffic when you have multiple routers on a network. Configure dynamic or static routing to fit your needs.
Enabling dynamic routing
You do not need routing information to use dynamic routing.
To enable dynamic routing
See “Routing tab field descriptions” on page 174.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Dynamic Routing, check Enable RIP v2.
3 Click Save.
Configuring static route entries
Before adding static routing entries to the routing table, gather the destination IP, netmask, and gateway addresses for the router to which you want traffic to be routed. Contact your IT department for this information.
You can add new route entries, edit existing entries, delete entries, or view a table of entries.
Note: If NAT is enabled, only six routes display in Routing List. When NAT is disabled, all configured routes appear in the list.
To configure static route entries
You can add, edit, or delete a static routing entry, or view the list of existing entries.
See “Routing tab field descriptions” on page 174.
To add a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, do the following:
  Destination IP: Type the IP address to which to send packets.
  Netmask: Type the net mask of the router to which to send packets.
  Gateway: Type the IP address of the interface to which packets are sent.
  Interface: Select the interface from which traffic is sent.
  Metric: Type a number to represent the order in which you want the entry evaluated. For example, to evaluate the entry third, type 3.
3 Click Add.
To edit a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, in the Route Entry drop-down list, select a route entry.
3 Under Static Routes, change information in any of the fields.
4 Click Update.
To delete a route entry
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, under Static Routes, in the Route Entry drop-down list, select an entry.
3 Click Delete.
To view the routing list table
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Routing tab, scroll to the bottom of the page.
Configuring advanced WAN/ISP settings
You can set advanced connectivity settings such as a DNS gateway, HA/LB, SMTP binding, and failover. You can also set optional network settings, which identify the appliance to a network.
Note: Model 320 appliances have one WAN port and do not support high availability, load balancing, and bandwidth aggregation.
High availability
You can configure high availability for each WAN port in one of three ways: Normal, Off, or Backup. Table 3-4 describes each mode.
Table 3-4 High availability modes
Mode Description
Normal: Load balancing settings apply to the port when it is enabled and operational.
Off: WAN port is not used at all.
Backup: WAN port only passes traffic if the other WAN port is not functioning.
By default, WAN1 is set to Normal and WAN2 is set to Off.
Bandwidth aggregation lets you combine the amount of traffic that goes over WAN1 and WAN2 to increase the amount of bandwidth your clients can use. For WAN data transfer, data aggregation can provide up to double the WAN throughput, depending on traffic characteristics.
To configure high availability
See “Main Setup tab field descriptions” on page 164.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Main Setup tab, do the following:
  To configure the WAN1 port, under WAN1, select a high availability mode.
  To configure the WAN2 port, under WAN2, select a high availability mode.
3 Click Save.
Load balancing
Symantec Gateway Security 300 Series model 360 and 360R appliances each have two WAN ports. On these appliances, you can configure high availability and load balancing (HA/LB) between the two WAN ports.
You can set the percentage of packets that is sent over WAN1 or WAN2. You enter a percentage only for WAN1; the remainder of the packets are then sent over WAN2. If you have a slower connection, use a lower value for that WAN port for best performance.
To configure load balancing
See “Advanced tab field descriptions” on page 175.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Load Balancing, in the WAN 1 Load text box, type the percentage of traffic to pass through WAN 1.
3 Click Save.
SMTP binding
Use SMTP binding when you have two different Internet connections with different ISPs used over different WAN ports. It ensures that email sent by a client goes over the WAN port associated with your email server.
If the SMTP server is on the same subnet as one of the WAN ports, the security gateway automatically binds the SMTP server to that WAN port, and you do not have to specify the bind information.
To configure SMTP binding
See “Advanced tab field descriptions” on page 175.
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under Load Balancing, in the Bind SMTP with WAN Port drop-down list, select a binding option.
3 Under DNS Gateway, click Save.
Binding to other protocols
You can use the routing functionality of the firewall to bind other traffic. You add a static route that sends traffic for the IP address of the destination server out a specific WAN port.
See “Configuring routing” on page 48.
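To show how the Static Routes fields (Destination IP, Netmask, Gateway, Interface, Metric) combine to bind a server to one WAN port, and why the metric order matters, here is an added Python illustration that is not part of this manual or the appliance firmware. It assumes that entries are tried in metric order and the first entry covering the destination wins, as the Metric description implies; the routing table and the addresses in it are constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One Static Routes entry with the fields the Routing tab asks for."""
    destination: str   # Destination IP
    netmask: str       # Netmask
    gateway: str       # Gateway: address of the next-hop interface
    interface: str     # Interface the traffic leaves from (WAN1, WAN2, LAN)
    metric: int        # Order in which the entry is evaluated (1 = first)


def _network(route):
    return ipaddress.IPv4Network((route.destination, route.netmask), strict=False)


def validate_route(route):
    """Return an error string for a malformed entry, or None if it is usable."""
    try:
        net = _network(route)                   # rejects bad IPs and
        ipaddress.IPv4Address(route.gateway)    # non-contiguous netmasks
    except ValueError as exc:
        return f"route to {route.destination}/{route.netmask}: {exc}"
    if route.metric < 1:
        return f"route to {net}: metric must be 1 or higher"
    return None


def select_route(routes, dst_ip, default_interface="WAN1"):
    """Pick (interface, gateway) for dst_ip.

    Assumption (hypothetical, not confirmed by the manual): entries are tried
    in ascending metric order and the first whose destination/netmask covers
    dst_ip wins; with no match the traffic takes the default route out
    default_interface, for which no static gateway is returned.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    for route in sorted(routes, key=lambda r: r.metric):
        if dst in _network(route):
            return route.interface, route.gateway
    return default_interface, None


def shadowed_routes(routes):
    """Entries that can never be selected because an entry with a lower
    metric already covers their whole destination network."""
    ordered = sorted(routes, key=lambda r: r.metric)
    shadowed = []
    for i, route in enumerate(ordered):
        net = _network(route)
        if any(net.subnet_of(_network(earlier)) for earlier in ordered[:i]):
            shadowed.append(route)
    return shadowed


# Constructed routing table: the mail server 203.0.113.25 is bound to WAN2
# with a host route (metric 1), an intranet block is reached through an
# internal router on the LAN, and the rest of 203.0.113.0/24 goes out WAN1.
SAMPLE_ROUTES = [
    StaticRoute("203.0.113.25", "255.255.255.255", "198.51.100.1", "WAN2", 1),
    StaticRoute("10.20.0.0", "255.255.0.0", "192.168.0.254", "LAN", 2),
    StaticRoute("203.0.113.0", "255.255.255.0", "192.0.2.1", "WAN1", 3),
]

if __name__ == "__main__":
    for route in SAMPLE_ROUTES:
        assert validate_route(route) is None
    for dst in ("203.0.113.25", "203.0.113.80", "10.20.5.9", "192.0.2.77"):
        print(dst, "->", select_route(SAMPLE_ROUTES, dst))
    # Giving the host route a higher metric than the /24 shadows it entirely.
    late_host = StaticRoute("203.0.113.25", "255.255.255.255",
                            "198.51.100.1", "WAN2", 4)
    print("shadowed:", shadowed_routes(SAMPLE_ROUTES[1:] + [late_host]))
```

The shadowed_routes check is the one to run after editing an entry: a host route entered with a higher metric than a broader route never takes effect, so the bound server silently leaves through the other WAN port.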
Failover
You can configure the appliance to periodically test the connectivity to ensure that your connection is available to your clients. After the amount of time that you specify (for example, 10 seconds), the appliance issues a PING command to the URL you specify as the Alive Indicator. If you do not specify an Alive Indicator, the default gateway is used.
Note: When selecting a URL to check, choose a DNS name or IP address that you are sure will respond to a request, or you may receive a false positive when the connection is actually available.
When the WAN port on model 320 fails, the security gateway fails over to the serial port, which is connected to a modem. On model 360 or 360R, if one of the WAN ports fails, the security gateway fails over to the other WAN port. If both WAN ports fail, the security gateway fails over to the serial port.
If a line is physically disconnected, then the line is considered disconnected and the appliance attempts to route traffic to the serial port or the other WAN port.
If the cable is not physically disconnected, the appliance performs line checking every few seconds to determine if a line is active. If the line fails, it is shown as disconnected on the Logging/Monitoring > Status tab and an alternate route for traffic is attempted.
See “Dial-up accounts” on page 39 to configure failover for a dial-up account. See “Connecting manually to your PPPoE account” on page 34 to configure an echo request for accounts that use PPP.
To configure failover
See “Main Setup tab field descriptions” on page 164.
1 In the SGMI, in the left pane, click WAN/ISP.
2 To configure an alive indicator for WAN1, on the Main Setup tab, under WAN1 (External), in the Alive Indicator Server text box, type the IP address or DNS-resolvable name of a server to which to send packets.
3 To configure an alive indicator for WAN2, on the Main Setup tab, under WAN2 (External), in the Alive Indicator Server text box, type the IP address or DNS-resolvable name of a server to which to send packets.
4 Click Save.
DNS gateway
For local and remote name resolution over your VPN (Gateway-to-Gateway or Client-to-Gateway), the appliance can use a DNS gateway that you specify.
A backup DNS gateway can be specified. The DNS gateway handles name resolution, but should it become unavailable, the backup (generally a DNS gateway through your ISP) can take over.
To configure a DNS gateway
You can configure a primary and backup DNS gateway.
See “Advanced tab field descriptions” on page 175.
To configure a DNS gateway
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under DNS Gateway, in the DNS Gateway text boxes, type the IP address of the DNS gateway.
3 Click Save.
To configure DNS gateway backup
1 In the SGMI, in the left pane, click WAN/ISP.
2 On the Advanced tab, under DNS Gateway, check Enable DNS Gateway Backup.
3 Click Save.
Optional network settings
Optional network settings identify your appliance to the rest of your network. If you plan to connect to or refer to your appliance by name, you must configure these settings.
Some ISPs authenticate by the physical (MAC) address of your Ethernet port. This is common with broadband cable (DHCP) services. You can clone your computer’s adapter address to connect to your ISP with the Symantec Gateway Security 300 Series. This is called MAC cloning or masking.
If the appliance is going to be a wireless access point, the optional network settings must be set. See Symantec Gateway Security 300 Series Wireless Implementation Guide.
For model 320, you configure the settings for the WAN port. For model 360 or 360R, you can configure the network settings for one or both WAN ports.
Before you configure optional network settings, gather the following information:
Host name: Name of the appliance. For example, marketing.
Domain name: Name by which you address the appliance over the Internet. For example, mysite.com. If the host name is marketing, the appliance would be marketing.mysite.com.
MAC address: Physical address of the WAN port of the appliance. If you are performing MAC cloning, get the MAC address that your ISP is expecting to see rather than the address of the appliance.
To configure optional network settings
See “Advanced tab field descriptions” on page 175.
1 In the SGMI, in the left pane, click WAN/ISP.
2 For model 320, do the following:
  In the right pane, on the Main Setup tab, under Optional Network Settings, in the Host Name text box, type a host name. The host and domain names are case-sensitive.
  In the Domain Name text box, type the domain name for the appliance.
  In the MAC Address text boxes, type the WAN network adapter address (MAC) that you are cloning.
3 For model 360 and 360R, do the following:
  To configure WAN1 or WAN2, in the right pane, on the Main Setup tab, under Optional Network Settings, under WAN1 (External) or WAN2 (External), do the following:
    Host Name text box: Type a host name. The host and domain names are case-sensitive.
    Domain Name text box: Type a domain name for the appliance.
    MAC Address text boxes: Type the WAN network adapter address (MAC) you are cloning.
4 Click Save.
After you click Save, the appliance restarts. Network connectivity is interrupted.
Chapter 4
Configuring internal connections
This chapter includes the following topics:
Configuring LAN IP settings
Configuring the appliance as DHCP server
Configuring port assignments
LAN settings let you configure your Symantec Gateway Security 300 Series appliance to work in a new or existing internal network.
Each appliance is assigned an IP address and netmask by default. You can change this IP address and netmask. This way, you can specify an IP address and netmask for the appliance that fits your existing network.
You can also configure the appliance to work as a DHCP server for your LAN clients. This assigns IP addresses to the clients dynamically so that you do not have to configure each client to use a static IP address.
Note: Model 320 has four LAN ports. Models 360 and 360R have eight LAN ports. For each port, you must specify the port settings using the port assignments. These settings are used to configure secure wireless and wired LANs.
Configuring LAN IP settings
Each appliance has a default IP address of 192.168.0.1 with a default network mask of 255.255.255.0. You can configure the appliance to use a different IP address and netmask for the LAN. This is useful if you want to configure a LAN to use a unique subnet for your network environment. For example, if your network already uses 192.168.0.x, you can change the appliance’s IP address to 10.10.10.x, so you do not have to reconfigure your existing network.
You can change the appliance’s IP address and netmask at any time. The default IP address is 192.168.0.1 and the default netmask is 255.255.255.0. Ensure that the IP address you choose for the appliance does not have zero (0) as the last octet.
You cannot set the appliance IP address to 192.168.1.0.
Warning: After you change the appliance’s LAN IP address, you must browse to the new appliance IP address to use the SGMI. If you click the Back button in the browser, it attempts to access the old IP address.
To change the appliance LAN IP address
See “LAN IP & DHCP tab field descriptions” on page 161.
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the LAN IP & DHCP tab, under Unit LAN IP, in the IP Address text boxes, type the new IP address.
3 In the Network Mask text box, type the new network mask.
4 Click Save.
Configuring the appliance as DHCP server
Dynamic Host Configuration Protocol (DHCP) allocates local IP addresses to computers on the LAN without manually assigning each computer its own IP address. This eliminates the need to have a static (permanent) IP address for each computer on the LAN and is useful if you have a limited number of IP addresses available. Each time a computer connected to the LAN is turned on, DHCP assigns it an IP address from the range of available addresses.
Note: Each client computer that you want to use DHCP must have its network configuration set to obtain its IP address automatically.
By default, the range of IP addresses that the appliance can assign is from 192.168.0.2 to 192.168.0.XXX, where XXX is the number of clients to support, plus two. For example, if you support 50 clients on your appliance, the last IP address in the range is 192.168.0.52. The DHCP server on the appliance serves IP addresses to up to 253 computers connected to it. If you change the IP address of the appliance, adjust the DHCP IP address range appropriately. See “To change the DHCP IP address range” on page 60.
Table 4-1 shows the default start and end IP addresses for each model. The default range is based on the recommended number of concurrent clients for each model. The number of clients you can support may vary depending on your traffic characteristics.
Table 4-1 Default DHCP IP address ranges
Model  Number of Clients  Start IP Address  End IP Address
320    50                 192.168.0.2       192.168.0.76
360    75                 192.168.0.2       192.168.0.76
The DHCP server only supports class C networks. Class C networks have addresses from 192.0.0.0 through 223.255.255.0. The network number is the first three octets, being from 192.0.0 through 223.255.255. Each class C network can have one octet worth of hosts.
You can place the appliance in any class network, but the DHCP server does not support this.
If you have a mix of clients that use DHCP and static IP addresses, the static IP addresses must be outside the range of DHCP IP addresses. Also, you may want to assign static IP addresses to some services. For example, if you have a Web server on your site, you want to assign it a static address.
The DHCP server in the appliance is enabled by default. If you disable the DHCP server, each client connecting to the LAN must be assigned an IP address that is in the range. If you enable the roaming on the appliance as a secondary wireless access point, the DHCP server is disabled.
To configure the appliance as a DHCP server
You can enable or disable DHCP, and you can set the range of IP addresses that the appliance allocates to the clients.
See “LAN IP & DHCP tab field descriptions” on page 161.
To enable or disable DHCP
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the LAN IP & DHCP tab, under DHCP, do one of the following:
  To enable the appliance as a DHCP server, check Enable.
  To disable the appliance as a DHCP server, check Disable.
3 In the Range Start IP text boxes, type the first IP address.
4 In the End IP text boxes, type the last IP address.
5 Click Save.
To change the DHCP IP address range
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the LAN IP & DHCP tab, under DHCP, do the following:
  In the Range Start IP text boxes, type the first IP address.
  In the End IP text boxes, type the last IP address.
3 Click Save.
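The LAN address and DHCP range rules stated above (class C networks only, no zero last octet, the range inside the LAN subnet and away from static hosts, at most 253 clients) are worth checking before they are typed into the SGMI. The following Python helper is an added example, not part of this manual or of the appliance; the sample plans and the static Web-server address are constructed.

```python
import ipaddress

# Values taken from the manual: factory LAN address and netmask, and the
# maximum number of computers the appliance's DHCP server serves.
DEFAULT_APPLIANCE_IP = "192.168.0.1"
DEFAULT_NETMASK = "255.255.255.0"
MAX_DHCP_CLIENTS = 253


def is_class_c(address):
    """Class C as the manual defines it: first octet from 192 through 223."""
    return 192 <= ipaddress.IPv4Address(address).packed[0] <= 223


def default_dhcp_range(appliance_ip, clients):
    """Default range per the manual: <net>.2 through <net>.(clients + 2).

    For 50 clients on 192.168.0.1 this gives 192.168.0.2 to 192.168.0.52.
    """
    net = ipaddress.IPv4Network((appliance_ip, DEFAULT_NETMASK), strict=False)
    start = net.network_address + 2
    end = net.network_address + clients + 2
    return str(start), str(end)


def validate_lan_plan(appliance_ip, netmask, dhcp_start, dhcp_end, static_hosts=()):
    """Check a LAN IP / DHCP plan against the rules in this chapter.

    Returns a list of problem descriptions; an empty list means the plan is
    acceptable. The rules are the manual's; the checks are a constructed helper.
    """
    problems = []
    ip = ipaddress.IPv4Address(appliance_ip)

    # The appliance address must not end in a zero octet (this also rules
    # out 192.168.1.0, which the manual refuses explicitly).
    if ip.packed[-1] == 0:
        problems.append(f"appliance address {ip} ends in 0")

    # The appliance may sit in any network, but its DHCP server only serves
    # class C networks, i.e. one octet of hosts behind a 255.255.255.0 mask.
    if not is_class_c(ip):
        problems.append(f"{ip} is not class C; the DHCP server will not serve it")
    if netmask != DEFAULT_NETMASK:
        problems.append(f"netmask {netmask} is not a class C (255.255.255.0) mask")

    net = ipaddress.IPv4Network((appliance_ip, netmask), strict=False)
    start = ipaddress.IPv4Address(dhcp_start)
    end = ipaddress.IPv4Address(dhcp_end)

    if start > end:
        problems.append("DHCP range start is after range end")
    if start not in net or end not in net:
        # After the LAN address changes, the range has to be adjusted too.
        problems.append(f"DHCP range {start}-{end} lies outside LAN subnet {net}")
    if start <= ip <= end:
        problems.append("DHCP range includes the appliance's own address")
    if int(end) - int(start) + 1 > MAX_DHCP_CLIENTS:
        problems.append(f"DHCP range exceeds {MAX_DHCP_CLIENTS} addresses")

    # Static addresses (for example a Web server) must be outside the range.
    for host in static_hosts:
        if start <= ipaddress.IPv4Address(host) <= end:
            problems.append(f"static host {host} lies inside the DHCP range")

    return problems


if __name__ == "__main__":
    # Constructed plans: the factory defaults with a static Web server, then a
    # move to 10.10.10.x that leaves the old range behind and forgets that the
    # DHCP server serves class C networks only.
    print(validate_lan_plan("192.168.0.1", "255.255.255.0",
                            "192.168.0.2", "192.168.0.76",
                            static_hosts=("192.168.0.200",)))
    print(validate_lan_plan("10.10.10.1", "255.255.255.0",
                            "192.168.0.2", "192.168.0.76",
                            static_hosts=("192.168.0.50",)))
    print(default_dhcp_range("192.168.0.1", 50))
```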
Monitoring DHCP usage
The DHCP Table lists the addresses assigned to connected clients. You can view the host name, IP address, physical address, and status for each client. This table takes up to one hour to fully update after the appliance has been rebooted.
To view DHCP usage
See “LAN field descriptions” on page 160.
In the SGMI, in the left pane, click LAN.
Configuring port assignments
Port assignments on the security gateway let you specify if the LAN port resides on a trusted or untrusted network. Trusted ports are for networks not using VPN authentication to connect to the LAN. Untrusted ports are for wireless or wired networks using VPN clients to connect to LAN resources.
You can connect many network devices to the LAN ports: routers, switches, client machines, or other Symantec Gateway Security 300 Series appliances. For these options, select the Standard port assignment. If you are connecting a Symantec Gateway Security 300 Series appliance configured as a wireless access point to a LAN port, you can secure the wireless connection using VPN technology. See the Symantec Gateway Security 300 Series Wireless Implementation Guide.
Once a port assignment is set, the untrusted ports enable and enforce encrypted VPN traffic, using global tunnels to the appliance or using IPsec pass-thru to WAN-side endpoints.
Standard port assignment
When LAN ports are designated as standard, the appliance acts as a typical switch: it forwards traffic based on MAC address and traffic does not reach the security gateway engine unless it was specifically designated for it.
This option does not support client VPN tunnels terminating at the LAN. When a LAN port is set to Standard, it is not considered part of the VLAN.
When you select Standard, VPN traffic is not enforced at the switch, that is, a trusted private network is assumed.
To configure port assignments
You can set a specific LAN port to use a port assignment, or you can restore the default port settings.
See “Port Assignment tab field descriptions” on page 162.
To configure a port assignment
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the Port Assignment tab, under Physical LAN Ports, from the Port numbers drop-down list, select a port assignment.
3 Click Save.
The appliance reboots when the port settings are saved.
To restore port assignment default settings
1 In the SGMI, in the left pane, click LAN.
2 In the right pane, on the Port Assignment tab, under Physical LAN Ports, click Restore Defaults.
The appliance reboots when the port settings are saved.
Chapter 5
Network traffic control
This chapter includes the following topics:
Planning network access
Understanding computers and computer groups
Defining inbound access
Defining outbound access
Configuring services
Configuring special applications
Configuring advanced options
The Symantec Gateway Security 300 Series appliance includes firewall technology that lets you configure the firewall component to meet your security policy requirements. When configuring the firewall, identify all computers (nodes) to be protected on your network.
Note: This chapter uses the term computers. A computer is defined as anything that has its own IP address; for example, a terminal server, network photocopier, desktop PC, laptop, server, print server, and so on.
Planning network access
Developing a security policy helps you identify what you need to configure. See the Symantec Gateway Security 300 Series Installation Guide.
Before configuring the security gateway, consider the following:
Learn about computers and computer groups. See “Understanding computers and computer groups” on page 64.
What kinds of users will be protected by the security gateway? Will all users have the same access and privileges?
What types of services do you want to make available to internal users?
What standard application services do you want to make available to external users?
What types of special application services do you want to allow for external users and hosts?
Understanding computers and computer groups
Computers are all nodes behind the appliance. This includes permanent resident laptops on the LAN, application servers, and any host or printer. You configure the appliance to recognize the computer by its MAC (physical) address.
Computer groups let you create outbound rules and apply them to computers that should have the same access. Instead of creating a traffic rule for each individual computer in your network, you define computer groups, assign each computer to a computer group, and then create rules for the group.
By default, all computers are part of the Everyone group and have no restrictions on Internet use until they are assigned to another computer group that has traffic rules configured. You can create rules that apply to the Everyone group, or, for greater control, you can assign computers to one of the four other computer groups and give each group different rules. If a computer is not defined in the computers table, it belongs to the Everyone computer group.
Note: The appliance has five computer groups: Everyone, Group 1, Group 2, Group 3, and Group 4. You cannot add, delete, or rename computer groups.
Before you create inbound and outbound rules to govern traffic, perform the following tasks in this order:
Define the computer groups.
See “Defining computer group membership” on page 65.
Define computers behind the appliance and assign them to computer groups. See “Defining computer group membership” on page 65.
Defining computer group membership
Configuring computers is the first step in configuring the firewall component of the appliance.
When creating your security policy, assign the largest group of hosts to the Everyone computer group to minimize the input and management of MAC addresses. By default, all hosts belong to the Everyone computer group until you configure them to one of the four other computer groups.
Review your security policy to determine how many computer groups you need (if any) and which users should be assigned to each computer group.
The Computers tab lets you identify each computer by typing its MAC address, assign a static IP address, assign it to a computer group, and bind it to a PPPoE session (if your ISP offers multiple PPPoE sessions). See “PPPoE” on page 31.
Note: To find the MAC address of a Microsoft Windows-based computer, at a DOS prompt, type ipconfig /all and look for the physical address.
On models 360 and 360R, you can restrict a computer to using only one of the WAN ports. This is useful if you have two broadband accounts, one on each WAN port, and you want a particular computer to use only one of them, for example a server or application such as FTP that must always use a specific WAN IP address. The default is disabled.
To configure computers
If you are using an ISP with PPPoE sessions, you bind a host to a session (WAN IP) on this tab.
To stop the configuration process, you can click Cancel at anytime while configuring computers. To clear all the information from the tab, you can click Clear Form at any time.
Checking Reserve Host ensures that the DHCP server always offers the defined IP address to the computer you are defining, or you can set this IP address as a static address on the computer.
See “Computers tab field descriptions” on page 177.
To configure a new computer
1 In the left pane, click Firewall.
2 On the Computers tab, in the Host Name text box, type a host name.
3 In the Adapter (MAC) Address text box, type the address of the host’s network interface card (NIC).
4 If the computer is an application server that an inbound rule will allow access to, or if you want to reserve an IP address for a computer that is not an application server, under Application Server, check Reserve Host.
See “Defining inbound access” on page 68.
5 In the IP Address text box, type the IP address of the host.
6 Under Computer Group, on the Computer Group drop-down list, select a group for your host to join.
The computer group properties are defined on the Firewall > Computer Groups tab. See “Defining inbound access” on page 68.
7 Under Session Association, in the Bind with PPPoE Session drop-down list, select the session to bind to this host.
You must have a multi-session PPPoE account with your ISP if you want to bind a host to a PPPoE session. If you do not have a PPPoE account with your ISP, leave the Bind with PPPoE Session drop-down list at Session 1.
8 Click Add.
To verify that a host has been configured, you can check the Host List displayed at the bottom of the window. The fields in the list map to the fields entered when you configured the host.
Once you have finished adding computers to a computer group, you can configure the properties for each computer group.
To update an existing computer
1 In the left pane, click Firewall.
2 In the right pane, on the Computers tab, under Host Identity, in the Select Host drop-down list, select a host.
3 Make the changes to the computers fields.
4 Click Update.
The updated computer is displayed in the Host List.
To delete an existing computer
1 In the left pane, click Firewall.
2 In the right pane, on the Computers tab, under Host Identity, in the Select Host drop-down list, select a host.
3 Click Delete.
Defining computer groups
Computer groups are logical groups of network entities used for outbound rules. You must configure and bind all local hosts (nodes) to the computer group they are in by using the Computers tab. See “Defining computer group membership” on page 65.
You can configure the following properties for a computer group:
Antivirus policy enforcement.
See “How antivirus policy enforcement (AVpe) works” on page 104.
Content filtering.
See “Advanced network traffic control” on page 103.
Access control.
See “Defining inbound access” on page 68.
To define computer group properties
See “Computer Groups tab field descriptions” on page 179.
1 In the left pane, click Firewall.
2 In the right pane, on the Computer Groups tab, under Security Policy, on the Computer Group drop-down list, select the computer group you want to configure.
3 To enable AVpe, under Antivirus Policy Enforcement, check Enable AntiVirus Policy Enforcement.
4 If you enabled AVpe, click one of the following:
Warn Only
Block Connections
5 Under Content Filtering, if you check Enable Content Filtering, you also need to select one of the following:
Use Allow List
Use Deny List
6 Under Access Control (Outbound Rules) select one of the following:
No restrictions
Block ALL outbound access
Use rules defined in Outbound Rules Screen.
See “Defining outbound access” on page 69.
7 Click Save.
Defining inbound access
Inbound rules control the type of traffic flowing into application servers on your appliance-protected networks. The default state for inbound traffic is that all traffic is denied (automatically blocked) until you configure inbound rules for each kind of traffic you want to allow. If the inbound traffic contains a protocol or application that is not part of an enabled rule, the connection request is denied and logged. The appliance supports a maximum of 25 inbound rules.
When creating inbound rules, you must specify the application server, the service, protocols, and ports that the rule allows, and the source and destination information for each rule. When an inbound rule exists, any external host can pass inbound traffic that matches the rule.
Inbound rules redirect traffic that arrives on the WAN ports to another internal server on the protected LAN. For example, an inbound rule enabled for HTTP results in all HTTP traffic arriving on the WAN port to be redirected to the server specified as the HTTP application server. You must define the server before using it in a rule.
Inbound rules are not bound to a computer group.
To define inbound access
To stop the configuration process, click Cancel at any time while configuring computers.
To clear all the information from the tab, click Clear Form at any time.
See “Inbound Rules field descriptions” on page 180.
To define a new inbound rule
1 In the SGMI, in the left pane, click Firewall.
2 To create a new rule, in the right pane, on the Inbound Rules tab, under Rule Definition, in the Name text box, type a unique name for the inbound rule.
3 Check Enable Rule.
4 In the Application Server drop-down list, select a defined computer.
Computers are defined on the Computers tab in the Firewall section.
5 On the Service drop-down list, select an inbound service.
6 Click Add.
The configured rule is displayed in the Inbound Rules List.
To update an existing inbound rule
1 In the left pane, click Firewall.
2 In the right pane, on the Inbound Rules tab, on the Rule drop-down list, select an existing inbound rule.
3 Click Select.
4 Make the changes to the inbound rules fields.
5 Click Update.
The configured rule is displayed in the Inbound Rules List.
To delete an inbound rule
1 In the left pane, click Firewall.
2 In the right pane, on the Inbound Rules tab, on the Rule drop-down list, select an existing inbound rule.
3 Click Delete.
Defining outbound access
By default, all computer groups are allowed outbound access. Also by default, all computers that you protect are in the Everyone computer group. When you define an outbound rule for a given computer group, and check the Use rules defined in Outbound Rules Screen checkbox, then all other traffic is blocked unless an outbound rule is defined to allow it. You must give each outbound rule a unique name.
You must also specify the type of traffic the rule allows. Outbound rules let you define traffic to permit, rather than specifying traffic to deny or block. Once an outbound rule is added to the computer group, all other traffic is denied unless there is a specific rule to let it pass.
The following list is the predefined outbound services:
DNS
FTP
HTTP
HTTPS
Mail (SMTP)
Mail (POP3)
RADIUS Auth
Telnet
VPN IPSec
VPN PPTP
LiveUpdate
SESA Server
SESA Agent
RealAudio1
RealAudio2
RealAudio 3
PCA TCP
PCA UDP
TFTP
SNMP
If you have services that are not on this list, or a service that does not use its default port, you can create your own custom services. You must create the custom services before creating the outbound rule.
See “Configuring services” on page 72.
An outbound rule enabled for FTP service for computer group 2 allows the members of computer group 2 outbound FTP service. An outbound rule enabled for Mail (SMTP) service for the Everyone computer group lets all members of the Everyone group send outbound email. If computer group 1 has no rules, all outbound traffic is allowed by default. Figure 5-1 shows a diagram of these examples.
Figure 5-1 Outbound rules example
To define outbound access
You can manage your outbound access by creating a rule, updating it when your needs change, or deleting it when you no longer need it. You can also temporarily disable outbound access for troubleshooting or controlling traffic.
See “Outbound Rules tab field descriptions” on page 181.
To define an outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group.
To see a list of rules for the selected computer group, click View.
3 In the Name text box, type a unique name for the outbound rule.
4 Check Enable Rule.
5 On the Service drop-down list, select an outbound service.
6 Click Add.
The configured rule is displayed in the Outbound Rules List.
Figure 5-1 (diagram labels): Outbound rule E_Mail_1, computer group Everyone, service Mail(SMTP). Outbound rule FTP_2, computer group Group 2, service FTP. Groups shown: Everyone computer group, Computer group 2, Computer group 1.
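The following is an added example, not code from the Symantec guide or the appliance, that models the outbound decision described in this section: a LAN host is mapped to a computer group by its MAC address (unknown hosts fall into Everyone), and the group's Access Control setting then decides whether a flow leaves. The class and function names (OutboundPolicy, OutboundRule, is_outbound_allowed), the MAC addresses and the service-to-port mapping are assumptions constructed for the example; the two rules are those of Figure 5-1.

```python
# Added example (not from the Symantec guide): a model of how a LAN host is
# classified into a computer group by MAC address and how the group's Access
# Control setting and outbound rules then decide whether a flow may leave.
# OutboundPolicy, OutboundRule and is_outbound_allowed are hypothetical names;
# the MAC addresses and service-to-port mapping are constructed sample data.
from dataclasses import dataclass, field

EVERYONE = "Everyone"
# The five fixed groups; the appliance does not let you add, delete or rename them.
GROUPS = (EVERYONE, "Group 1", "Group 2", "Group 3", "Group 4")

# Access Control choices on the Computer Groups tab.
NO_RESTRICTIONS = "No restrictions"
BLOCK_ALL = "Block ALL outbound access"
USE_RULES = "Use rules defined in Outbound Rules Screen"

# A few predefined outbound services mapped to (protocol, port); constructed mapping.
SERVICES = {
    "DNS": ("udp", 53), "FTP": ("tcp", 21), "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
    "Mail (SMTP)": ("tcp", 25), "Mail (POP3)": ("tcp", 110), "Telnet": ("tcp", 23),
}


@dataclass
class OutboundRule:
    name: str
    group: str
    service: str
    enabled: bool = True


@dataclass
class OutboundPolicy:
    computers: dict = field(default_factory=dict)       # MAC -> computer group (Computers tab)
    access_control: dict = field(default_factory=dict)  # group -> Access Control setting
    rules: list = field(default_factory=list)

    def add_computer(self, mac, group):
        if group not in GROUPS:
            raise ValueError(f"unknown computer group: {group}")
        self.computers[mac.lower()] = group

    def add_rule(self, rule):
        # Each outbound rule needs a unique name and must target a fixed group and a known service.
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"outbound rule name must be unique: {rule.name}")
        if rule.group not in GROUPS or rule.service not in SERVICES:
            raise ValueError(f"bad group or service in rule {rule.name}")
        self.rules.append(rule)

    def group_of(self, mac):
        # A host that is not in the computers table belongs to Everyone.
        return self.computers.get(mac.lower(), EVERYONE)

    def is_outbound_allowed(self, mac, proto, dport):
        group = self.group_of(mac)
        mode = self.access_control.get(group, NO_RESTRICTIONS)  # default for every group
        if mode == NO_RESTRICTIONS:
            return True
        if mode == BLOCK_ALL:
            return False
        # USE_RULES is an allow-list: only traffic matching an enabled rule for this group passes.
        return any(
            r.enabled and r.group == group and SERVICES[r.service] == (proto, dport)
            for r in self.rules
        )


def figure_5_1_policy():
    """The two rules of Figure 5-1: E_Mail_1 for Everyone and FTP_2 for Group 2; Group 1 has no rules."""
    policy = OutboundPolicy()
    policy.add_computer("00:11:22:33:44:55", "Group 2")   # constructed MAC
    policy.add_computer("00:11:22:33:44:66", "Group 1")   # constructed MAC
    policy.access_control[EVERYONE] = USE_RULES
    policy.access_control["Group 2"] = USE_RULES
    policy.add_rule(OutboundRule("E_Mail_1", EVERYONE, "Mail (SMTP)"))
    policy.add_rule(OutboundRule("FTP_2", "Group 2", "FTP"))
    return policy


if __name__ == "__main__":
    p = figure_5_1_policy()
    print("unknown host SMTP:", p.is_outbound_allowed("aa:bb:cc:dd:ee:ff", "tcp", 25))
    print("Group 2 host FTP:", p.is_outbound_allowed("00:11:22:33:44:55", "tcp", 21))
    print("Group 2 host HTTP:", p.is_outbound_allowed("00:11:22:33:44:55", "tcp", 80))
```

The point the model makes visible is that group membership is keyed on the MAC address, so a host that is missing from the Computers tab silently inherits the Everyone policy; when reviewing a configuration, the Host List should be compared against an inventory of the LAN.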
To update an existing outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group. To see a list of rules for the selected computer group, click View.
3 On the Rule drop-down list, select an existing outbound rule.
4 Make the changes to the outbound rules fields.
5 Click Update.
The configured rule is displayed in the Outbound Rules List.
To delete an outbound rule
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Outbound Rules tab, under Computer Groups, on the Computer Group drop-down list, select a computer group. To see a list of rules for the selected computer group, click View.
3 In the right pane, on the Outbound Rules tab, on the Rule drop-down list, select an existing outbound rule.
4 Click Delete.
Configuring services
The Firewall > Services tab lets you define additional service applications that are not covered by the predefined services, for use in inbound rules and outbound rules. You must configure these services before you can use them in any rules. The name of the service should identify the protocol or type of traffic that the rule allows.
You must specify the type of traffic and the destination server for that traffic. The type of traffic is selected from the list of predefined services and custom services.
Note: On models 360 and 360R, FTP application servers must be bound to a WAN port, WAN 1 or WAN 2. All other applications, such as HTTP, do not require binding to a WAN port. See “Binding to other protocols” on page 52.
Services use one of two protocols: TCP or UDP. The port range specifies which ports the service covers on the appliance. For protocols that allow a port range, you must specify the starting and ending Listen on Port numbers. For protocols that use a single port number, the starting and ending Listen on Port numbers are the same.
Redirecting services
You can also configure services to be redirected from the ports they would normally enter (Listen on Port) to another port (Redirect to Port). Service redirection only applies to inbound rules. Outbound rules ignore this setting.
For example, to redirect inbound Web traffic entering on port 80 and using TCP protocol, to an internal Web server listening for TCP on port 8080, you would create a new service application called WEB_8080. Select TCP as the protocol, and type 80 for both the start and end Listen to Ports. For both the start and end Redirect To Ports, type 8080. Then create and enable an inbound rule for the Web application server that uses WEB_8080 as a service.
Note: Redirection port range sizes must be the same as the Listen on port ranges. For example, if the Listen on port range is 21 to 25, the redirection port range must also be four ports.
To redirect inbound traffic to the original destination port, leave the redirect fields blank.
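The following is an added example, not code from the Symantec guide or the appliance, that models how an inbound rule, a custom service with port redirection, and the Exposed Host fallback (described later in this chapter under “Configuring an exposed host”) combine to decide where a WAN-side packet goes. The names Service, InboundRule, InboundPolicy and route_inbound, the LAN addresses and the port ranges are assumptions constructed for the example; the WEB_8080 service follows the text above. The validation enforces the rule that a redirect range must be the same size as the listen range.

```python
# Added example (not from the Symantec guide): a model of inbound rule
# evaluation with custom services, port redirection and the Exposed Host
# fallback. Service, InboundRule, InboundPolicy and route_inbound are
# hypothetical names; addresses and port ranges are constructed sample data.
from dataclasses import dataclass
from typing import Optional

MAX_INBOUND_RULES = 25  # the appliance supports at most 25 inbound rules


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                        # "tcp" or "udp"
    listen_start: int                    # Listen on Port(s): Start
    listen_end: int                      # Listen on Port(s): End
    redirect_start: Optional[int] = None  # Redirect to Port(s): Start; blank keeps the original port
    redirect_end: Optional[int] = None    # Redirect to Port(s): End

    def __post_init__(self):
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        if not (1 <= self.listen_start <= self.listen_end <= 65535):
            raise ValueError("bad listen port range")
        if (self.redirect_start is None) != (self.redirect_end is None):
            raise ValueError("set both redirect ports or leave both blank")
        if self.redirect_start is not None:
            if not (1 <= self.redirect_start <= self.redirect_end <= 65535):
                raise ValueError("bad redirect port range")
            listen_size = self.listen_end - self.listen_start + 1
            redirect_size = self.redirect_end - self.redirect_start + 1
            if listen_size != redirect_size:
                raise ValueError("redirect range must be the same size as the listen range")

    def matches(self, protocol, dport):
        return protocol == self.protocol and self.listen_start <= dport <= self.listen_end

    def redirected_port(self, dport):
        # Offset into the listen range maps to the same offset in the redirect range.
        if self.redirect_start is None:
            return dport
        return self.redirect_start + (dport - self.listen_start)


@dataclass
class InboundRule:
    name: str
    application_server: str  # LAN IP of a computer defined with Reserve Host checked
    service: Service
    enabled: bool = True


class InboundPolicy:
    def __init__(self, exposed_host=None):
        self.rules = []
        self.exposed_host = exposed_host  # LAN IP, or None when Exposed Host is disabled
        self.log = []                     # denied connection requests are logged

    def add_rule(self, rule):
        if len(self.rules) >= MAX_INBOUND_RULES:
            raise ValueError("maximum of 25 inbound rules reached")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"inbound rule name must be unique: {rule.name}")
        self.rules.append(rule)

    def route_inbound(self, protocol, dport):
        """Return (lan_ip, lan_port) for a packet arriving on the WAN, or None if denied."""
        for r in self.rules:
            if r.enabled and r.service.matches(protocol, dport):
                return (r.application_server, r.service.redirected_port(dport))
        if self.exposed_host:
            # Everything not matched by an inbound rule goes to the exposed host unchanged.
            return (self.exposed_host, dport)
        self.log.append(f"DENY inbound {protocol}/{dport}: no matching inbound rule")
        return None


if __name__ == "__main__":
    web = Service("WEB_8080", "tcp", 80, 80, 8080, 8080)
    policy = InboundPolicy()
    policy.add_rule(InboundRule("Web", "192.168.0.10", web))   # constructed LAN address
    print(policy.route_inbound("tcp", 80))   # forwarded to the web server on 8080
    print(policy.route_inbound("tcp", 22))   # denied and logged
```

Running route_inbound with and without an exposed host set shows why the guide warns about the setting: with it enabled the deny-and-log branch is never reached, so every unmatched port on the WAN side is reachable on that one host.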
To configure a service
Create a service before you add it to an inbound rule. Once you create a service, you can update or delete it.
See “Services tab field descriptions” on page 182.
To configure a service
1 In the SGMI, in the left pane, click Firewall.
2 Under Application Settings, in the Name text box, type a name for the service that represents the application.
3 In the Protocol drop-down list, select TCP or UDP.
4 In the Listen on Port(s): Start text box, type a port number.
5 In the Listen on Port(s): End text box, type a port number.
6 In the Redirect to Port(s): Start text box, type a port number.
Redirect only applies to inbound rules. If you are creating a service for an outbound rule, leave the Redirect to Port(s) text boxes blank.
To redirect inbound traffic to the original destination port, leave the Redirect text boxes blank.
7 In the Redirect to Port(s): End text box, type a port number.
8 Click Add.
To update an existing service
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Services tab, on the Application drop-down list, select an existing service.
3 Make the changes to the services fields.
4 Click Update.
The configured Service is displayed in the Service List.
To delete a service
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Services tab, on the Application drop-down list, select an existing service.
3 Click Delete.
Configuring special applications
Special applications are used for dynamic port forwarding. To determine what ports and protocols an application needs for operation, consult the application’s documentation for information on firewall or NAT usage.
Some applications may need more than one entry defined and enabled, for example, when they use multiple port ranges. Special applications are global in scope and override any computer group-specific outbound rules or inbound rules. When enabled, the specified traffic can pass in either direction from any host.
Certain applications with two-way communication (such as games and video conferencing) need ports open in the firewall. Normally, you open ports with the Inbound Rules tab. But inbound rules only open ports for the application server IP address defined in its settings, because firewalls using NAT can only open a defined service for a single computer on the LAN (when using a single external IP).
The Special Applications tab works around this limitation by letting you set port triggers. The appliance listens for outgoing traffic on a range of ports from computers on the LAN and if it sees traffic, it opens an incoming port range for that computer. Once the communication is done, the appliance starts listening again so that another computer can trigger the ports to be opened for it.
Port triggers can be used very quickly (within milliseconds), but by only one computer at a time. The speed with which port triggers are reused gives the illusion that multiple computers have the same ports open.
Special Applications entries work best with applications that require low throughput. You may experience reduced performance with multiple computers activating streaming media or a heavy incoming or outgoing volume.
The appliance only listens for traffic on the LAN. The computer on the LAN activates the trigger, not traffic from the outside. The LAN application must initiate traffic and you must know the ports or range of ports it uses to set up a special applications entry. If traffic initiates from the outside, you must use an inbound rule.
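The following is an added example, not code from the Symantec guide or the appliance, that simulates the port trigger behaviour described above: LAN-initiated traffic in the Outgoing Port Range opens the Incoming Port Range toward that one host, a later trigger from another host takes the range over, and unsolicited WAN traffic is dropped when nothing has triggered. SpecialApplication, TriggerTable and the host addresses are assumptions constructed for the example; because the guide lists only an Outgoing Protocol field, incoming traffic is matched here by port alone.

```python
# Added example (not from the Symantec guide): a simulation of the Special
# Applications port trigger. SpecialApplication, TriggerTable and the host
# addresses are hypothetical names and constructed sample data; the guide
# lists only an Outgoing Protocol field, so incoming traffic is matched by
# port alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class SpecialApplication:
    name: str
    outgoing_protocol: str   # protocol of the LAN-initiated traffic that acts as the trigger
    outgoing_start: int      # Outgoing Port Range: the range the appliance listens on
    outgoing_end: int
    incoming_start: int      # Incoming Port Range: the range opened toward the triggering host
    incoming_end: int
    enabled: bool = True

    def triggered_by(self, protocol, dport):
        return (self.enabled and protocol == self.outgoing_protocol
                and self.outgoing_start <= dport <= self.outgoing_end)

    def opens(self, dport):
        return self.enabled and self.incoming_start <= dport <= self.incoming_end


class TriggerTable:
    """Tracks which single LAN host currently owns each application's incoming range."""

    def __init__(self, apps):
        self.apps = list(apps)
        self.holder = {}  # application name -> LAN IP of the host that triggered it

    def lan_outbound(self, lan_ip, protocol, dport):
        """LAN-initiated traffic. Returns the name of the application it triggered, if any."""
        for app in self.apps:
            if app.triggered_by(protocol, dport):
                # One computer at a time: the most recent trigger owns the incoming range.
                self.holder[app.name] = lan_ip
                return app.name
        return None

    def wan_inbound(self, dport):
        """Unsolicited WAN traffic. Returns the LAN IP to forward to, or None if dropped."""
        for app in self.apps:
            if app.opens(dport) and app.name in self.holder:
                return self.holder[app.name]
        return None  # nothing triggered from the LAN: an inbound rule would be needed instead

    def session_done(self, name):
        """When the communication ends, the appliance listens for a new trigger."""
        self.holder.pop(name, None)


def demo_table():
    # Constructed application: outbound UDP 5000 opens inbound 6000-6010 to the caller.
    return TriggerTable([SpecialApplication("VIDEO_CONF", "udp", 5000, 5000, 6000, 6010)])


if __name__ == "__main__":
    table = demo_table()
    print(table.wan_inbound(6005))                              # None: not yet triggered
    table.lan_outbound("192.168.0.10", "udp", 5000)             # constructed LAN host triggers
    print(table.wan_inbound(6005))                              # 192.168.0.10
```

The simulation makes the two operational properties explicit: traffic from the outside never creates a holder entry, and a second host's trigger displaces the first, which is the behaviour behind the guide's remark that triggers serve only one computer at a time.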
To configure a special application
Special applications help with dynamic packet forwarding. Configure a special application for two-way communication. You can then edit it or delete it as your needs change.
See “Special Application tab field descriptions” on page 183.
To configure a special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Applications tab, under Select Applications, in the Name text box, type a name that represents the application.
3 Check Enable.
4 On the Outgoing Protocol drop-down list, select TCP or UDP.
5 In the Outgoing Port Range Start text box, type the first port number of the port range to listen on.
6 In the Outgoing Port Range End text box, type the last number of the port range to listen on.
7 In the Incoming Port Range Start text box, type the first port number in the range to open.
8 In the Incoming Port Range End text box, type the last port number in the range to open.
9 Click Add.
To update an existing special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Application tab, on the Special Application drop-down list, select an existing special application.
3 Make the changes to the special applications fields.
4 Click Update.
The configured rule is displayed in the Special Application List.
To delete a special application
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Special Applications tab, on the Application drop-down list, select an existing special application.
3 Click Delete.
Configuring advanced options
The Symantec Gateway Security 300 Series has several advanced firewall options for special circumstances.
Enabling the IDENT port
Queries to the IDENT port (113) normally return host name and company name information. However, this service poses a security risk because attackers can use this information to hone their attack methodology. By default, the appliance sets all ports to stealth mode, which makes the computer appear invisible to those outside of the network. Some servers (such as certain email or mIRC servers) query the IDENT port of the system accessing them.
You can configure the appliance to enable the IDENT port. Enabling this setting makes port 113 closed (not open) rather than stealth. You should enable this setting only if there are problems accessing a server (server time-outs).
Note: If you experience time-outs when using your mail (SMTP) service, enabling the IDENT port may correct this problem.
To enable the IDENT Port
See “Advanced tab field descriptions” on page 186.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, check Enable IDENT Port.
3 Click Save.
Disabling NAT mode
You can configure the security gateway to work as a standard network router to separate different subnets on an internal network. Disabling NAT Mode disables the firewall security functions. This setting should only be used for intranet deployments where the security gateway is used as a bridge on a protected network. When the security gateway is configured for NAT mode, it behaves as an 802.1D (MAC bridge) device.
To disable NAT Mode
See “Advanced tab field descriptions” on page 186.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, check Disable NAT Mode.
3 Click Save.
Enabling IPsec pass-thru
IPsec pass-thru is supported by the security gateway. If the VPN client used in Exposed Host (DMZ) has problems connecting from behind the security gateway, use the None setting.
The following list includes the supported IPsec types:
1 SPI: ADI - Assured Digital
2 SPI: Standard (Symantec, Cisco Pix, and Nortel Contivity) clients
2 SPI-C: Cisco Concentrator 30X0 Series clients
Other: Redcreek Ravlin
None
Note: Only change the IPsec pass-thru setting if required to do so by Symantec Technical Support.
To configure IPsec pass-thru settings
See “Advanced tab field descriptions” on page 186.
1 In the SGMI, in the left pane, click Firewall.
2 On the Advanced tab, under IPsec Passthru Settings, select an IPsec pass-thru type.
3 Click Save.
Configuring an exposed host
Exposed Host opens all ports so that one computer on a LAN has unrestricted two-way communication with Internet servers or users. This is useful for hosting games or special server applications.
All traffic that is not specifically allowed by inbound rules is directed to the exposed host.
Warning: Because of the security risk, activate Exposed Host only when required to do so.
To configure an exposed host
See “Advanced tab field descriptions” on page 186.
1 In the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Exposed Host, check Enable Exposed Host.
3 In the LAN IP Address text boxes, type the IP address of the host you want to expose.
4 Click Save.
Managing ICMP requests
By default, the security gateway does not respond to external ICMP requests sent to the WAN ports. You can configure the security gateway to block or allow ICMP requests on the WAN. The security gateway always responds to ICMP requests from the LAN.
To manage ICMP requests
See “Advanced tab field descriptions” on page 186.
1 In the SGMI, in the left pane, click Firewall.
2 In the right pane, on the Advanced tab, under Optional Security Settings, do one of the following:
3 To block ICMP requests, click Enable.
4 To allow ICMP requests, click Disable.
5 Click Save.
Chapter 6
Establishing secure VPN connections
This chapter includes the following topics:
About using this chapter
Creating security policies
Identifying users
Configuring Gateway-to-Gateway tunnels
Configuring Client-to-Gateway VPN tunnels
Monitoring VPN tunnel status
Virtual Private Networks (VPNs) let you securely extend the boundaries of your internal network and use insecure communication channels (such as the Internet) to safely transport sensitive data. VPNs are used to allow a single user or remote network to access the protected resources of another network.
Symantec Gateway Security 300 Series appliances support three types of VPN tunnels: Gateway-to-Gateway, Client-to-Gateway, and wireless Client-to-Gateway. To configure wireless Client-to-Gateway tunnels, see the Symantec Gateway Security 300 Series Wireless Implementation Guide.
Securing your network connections using VPN technology is an important step in ensuring the quality and integrity of your data. This section describes some key concepts and components you need to understand to effectively configure and use the appliance’s VPN feature.
VPN tunnels can also support dynamic and static Gateway-to-Gateway configurations, where tunnel parameters are created at each security gateway. Both ends must have the same parameters, including secret keys, security parameter indexes (SPIs), authentication schemes, and encryption methods.
About using this chapter
Each section begins with an explanation of the feature it is describing (such as what a VPN policy is, how it works, and how you use it). If you are an experienced network or IT administrator, you may want to proceed directly to the latter half of the section for configuration instructions.
If you do not have significant network or IT experience or have never configured a security gateway (Symantec or otherwise), you should read the first half of each section before configuring the feature.
At the end of “Configuring Gateway-to-Gateway tunnels” on page 88 and “Configuring Client-to-Gateway VPN tunnels” on page 96, there are worksheets for you to fill out with the information you entered so that you may easily share connection information with your clients and remote gateway administrators.
Creating security policies
The VPN tunnel establishment negotiation occurs in two phases. In Phase 1, the Internet Key Exchange (IKE) negotiation creates an IKE security association with its peer to protect Phase 2 of the negotiation, which determines the protocol security association for the tunnel. For Gateway-to-Gateway connections, either security gateway can initiate Phase 1 or Phase 2 renegotiation at any time. Either security gateway can also specify intervals after which to renegotiate. For Client-to-Gateway connections, only the client can initiate Phase 1 or Phase 2 renegotiation. Phase 2 renegotiation is referred to as quick mode renegotiation.
Note: Symantec Gateway Security 300 Series does not support VPN tunnel compression. To create a Gateway-to-Gateway tunnel between a Symantec Gateway Security 300 Series appliance and a remote Symantec Gateway Security 5400 Series appliance or Symantec Enterprise Firewall, set the compression to NONE on the remote gateway.
Understanding VPN policies
For each phase of negotiation, the appliance uses a policy, which is a predefined set of parameters. The appliance supports two types of security policies, Global IKE and VPN.
Global IKE Policy (Phase 1, non-configurable, except for SA lifetime parameter)
The security gateway includes a predefined global IKE policy that automatically applies to your IKE Phase 1 negotiations. This global IKE policy works in conjunction with the VPN policy you configure for Phase 2 negotiations. The Global IKE Policy provides the parameters that define Phase 1 negotiations of the IKE tunnel, while the VPN policy you configure and select provides the parameters for Phase 2 negotiations.
The only parameter in the Global IKE Policy whose setting can be changed is the SA (security association) Lifetime, which specifies the period of time after which the tunnel rekeys (in minutes). This parameter is located in VPN > Advanced > Global IKE Settings (Phase 1 Rekey).
When two security gateways are negotiating Phase 1, the first security gateway sends a list of proposals, called a transform proposal list. The security gateway to which it is connecting then selects the proposal from the list that it prefers, generally the strongest available option. You cannot change the transform proposal list on the appliance; however, this information may be useful to give to the remote gateway administrator. Table 6-1 lists the order of the Symantec Gateway Security 300 IKE proposals.
Some settings are configurable at a global level for Client-to-Gateway tunnels. See “Setting global policy settings for Client-to-Gateway VPN tunnels” on page 101.
VPN Policies (Phase 2, configurable)
The security gateway includes a set of four pre-defined, configurable VPN policies that apply to Phase 2 tunnel negotiations. Rather than configuring data privacy, data integrity, and data compression algorithms for every tunnel you create, the security gateway lets you configure standard, reusable VPN policies and then later associate them with multiple secure tunnels. You can select a predefined policy, or you can create your own using the VPN Policies tab.
Table 6-1 IKE proposal order
Data Privacy    Data Integrity    Diffie-Hellman
3DES            SHA1              Group 5
3DES            MD5               Group 5
3DES            SHA1              Group 2
3DES            MD5               Group 2
DES             SHA1              Group 1
DES             MD5               Group 1
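The following is an added example, not code from the Symantec guide or either appliance, that walks through the Phase 1 proposal selection described above using the Table 6-1 order. It models one common responder behaviour, accepting the first proposal in the initiator's list that the responder also supports, and then checks the negotiated result against a minimum-strength floor so that an administrator can see when a peer's limited support would pull the tunnel down to DES or MD5. Proposal, select_proposal, meets_floor, negotiate and the peer support sets are assumptions constructed for the example.

```python
# Added example (not from the Symantec guide): Phase 1 proposal selection using
# the Table 6-1 order, plus a strength-floor check on the negotiated result.
# Proposal, select_proposal, meets_floor and negotiate are hypothetical names;
# the responder support sets are constructed sample data.
from typing import NamedTuple


class Proposal(NamedTuple):
    privacy: str    # data privacy (encryption) algorithm
    integrity: str  # data integrity (hash) algorithm
    dh_group: int   # Diffie-Hellman group


# Table 6-1: the appliance's Phase 1 transform proposals in the order it offers them.
SGS300_PROPOSALS = [
    Proposal("3DES", "SHA1", 5),
    Proposal("3DES", "MD5", 5),
    Proposal("3DES", "SHA1", 2),
    Proposal("3DES", "MD5", 2),
    Proposal("DES", "SHA1", 1),
    Proposal("DES", "MD5", 1),
]

# Relative strength ranks among the algorithms that appear in the table.
PRIVACY_RANK = {"DES": 0, "3DES": 1}
INTEGRITY_RANK = {"MD5": 0, "SHA1": 1}


def select_proposal(offered, responder_supports):
    """Responder picks the first offered proposal it supports; None means Phase 1 fails."""
    for proposal in offered:
        if proposal in responder_supports:
            return proposal
    return None


def meets_floor(proposal, floor):
    """True when every component is at least as strong as the floor proposal."""
    return (PRIVACY_RANK[proposal.privacy] >= PRIVACY_RANK[floor.privacy]
            and INTEGRITY_RANK[proposal.integrity] >= INTEGRITY_RANK[floor.integrity]
            and proposal.dh_group >= floor.dh_group)


def negotiate(offered, responder_supports, floor):
    """Return (chosen proposal or None, whether it meets the floor)."""
    chosen = select_proposal(offered, responder_supports)
    if chosen is None:
        return None, False
    return chosen, meets_floor(chosen, floor)


if __name__ == "__main__":
    floor = Proposal("3DES", "SHA1", 2)
    # Constructed peer that only supports older combinations.
    legacy_peer = {Proposal("3DES", "MD5", 2), Proposal("DES", "SHA1", 1)}
    print(negotiate(SGS300_PROPOSALS, legacy_peer, floor))   # 3DES/MD5/Group 2, below floor
```

Because the appliance's list cannot be edited, the only lever the administrator has is the remote peer's configuration; running the check with the remote gateway's supported set shows in advance which row of Table 6-1 the tunnel will settle on.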
VPN policies group together common characteristics for tunnels, and allow rapid setup of additional tunnels with the same characteristics. The security gateway also includes a handful of commonly used VPN policies, for both static and dynamic tunnels.
You can define more than one VPN policy, varying the components you select for each one. If you do this, ensure that your naming conventions let you distinguish between policies that use the same encapsulation mode. When you are ready to create your secure tunnels, clearly defined naming conventions will make selecting the correct VPN policy easier.
Note: You cannot delete pre-defined VPN policies.
Creating custom Phase 2 VPN policies
VPN Policies are pre-configured for typical VPN setups. If you require customized settings (for compatibility with 3rd party equipment, for example) then you can create a custom Phase 2 Policy on the VPN Policies tab.
A VPN policy groups together common characteristics for VPN tunnels. Rather than configuring data privacy, data integrity, and data compression algorithms for every tunnel that you create, you can configure standard, reusable VPN policies and apply them to multiple secure tunnels.
Note: Configuring a VPN policy is optional for dynamic tunnels.
To create a custom Phase 2 VPN policy
See “VPN Policies tab field descriptions” on page 200.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the VPN Policies tab, under IPsec Security Association (Phase 2) Parameters, in the Name text box, type a name for the VPN policy.
3 To edit an existing policy, from the VPN Policy drop-down list, select a VPN policy.
4 On the Data Integrity (Authentication) drop-down list, select an authentication.
5 On the Data Confidentiality (Encryption) drop-down list, select an encryption type.
6 In the SA Lifetime text box, type the number of minutes you want the security association to stay alive before a rekey occurs.
The VPN tunnel is temporarily interrupted when rekeys occur.
7 In the Data Volume Limit text box, type the number of kilobytes of traffic to allow before a rekey occurs.
8 In the Inactivity Timeout text box, type the number of minutes of inactivity before a rekey occurs.
9 To use Perfect Forward Secrecy, do the following:
   On the Perfect Forward Secrecy drop-down list, select a Diffie-Hellman group.
   Next to Perfect Forward Secrecy, click Enable.
10 Click Add.
Viewing VPN Policies List
The VPN Policies List section of the VPN Policies window displays a summary of each VPN Policy that is configured on the appliance. Table 6-2 defines each field in the VPN Policies List summary.
Table 6-2 VPN Policies List fields
Field                Description
Name                 Displays the name of the VPN Policy.
Encryption Method    Displays the encryption method selected for the VPN Policy.
SA Lifetime          Displays the configured SA Lifetime setting.
Data Volume Limit    Displays the configured Data Volume Limit setting.
Inactivity Timeout   Displays the configured inactivity timeout setting.
PFS                  Shows the Perfect Forward Secrecy setting.
Identifying users
The appliance lets you configure two types of clients that use VPN: users and users with extended authentication.
Understanding user types
Users authenticate directly with the security gateway when connecting through a VPN tunnel. Users are defined on the security gateway Client Users tab. Users with extended authentication are not defined on the security gateway; they are defined on a RADIUS authentication server. You must configure the appliance to support remote administration of users with extended authentication.
Dynamic users
Dynamic users are not defined on the appliance; rather, they use extended authentication with RADIUS to authenticate their tunnels. You define dynamic users on the RADIUS server.
When a dynamic user attempts to authenticate, the appliance looks for that user name in the defined users list. When it does not find the user there, the appliance then uses the shared secret that he has entered in the client software. This shared secret should match the secret on the Advanced screen for the security gateway to which he is connecting. The appliance then starts extended authentication and prompts him for whatever information the RADIUS server requires (such as a user name or password). The RADIUS server authenticates the user and returns the RADIUS group of the user to the security gateway. The security gateway checks that the group matches one of the client tunnels and that the group is allowed to connect to the WAN, LAN, or WLAN. If so, the user’s tunnel is established.
Users
Users authenticate using a client ID (user name) and pre-shared key that you assign to them. They enter the user name and password in their client software; that information is sent when they attempt to create a VPN tunnel to the security gateway.
Users are defined on the appliance, and may also use extended authentication.
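The decision flow described above (defined user first, then the dynamic path through the shared secret and RADIUS extended authentication), modelled as an added Python example that is not the appliance's code. The user names, keys, groups and the stub RADIUS lookup are constructed sample values, and the RADIUS group is taken to be the filterID value bound to a client tunnel, as the extended-authentication procedure later in this section states.

```python
"""Model of the client authentication decision described above (added example,
not the appliance's code). A name on the Client Users tab is checked against its
own pre-shared key; an unknown name takes the dynamic path: the Advanced-screen
shared secret, then RADIUS extended authentication, whose returned group (the
filterID value) must be bound to a client tunnel enabled on the arrival port."""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Callable, Dict, Optional, Tuple

@dataclass
class StaticUser:                      # Client Users tab entry
    name: str
    pre_shared_key: str
    enabled: bool
    vpn_group: str

@dataclass
class ClientTunnel:                    # Client Tunnels tab entry for one VPN group
    vpn_group: str
    wan_enabled: bool
    lan_enabled: bool                  # WLAN/LAN side
    radius_group_binding: Optional[str] = None   # must equal the RADIUS filterID

@dataclass
class Gateway:
    users: Dict[str, StaticUser]
    tunnels: Dict[str, ClientTunnel]
    dynamic_clients_enabled: bool      # Enable Dynamic VPN Client Tunnels
    dynamic_pre_shared_key: str        # Advanced > Dynamic VPN Client Settings
    radius_auth: Callable[[str, str], Optional[str]]   # returns filterID group or None

@dataclass
class Decision:
    allowed: bool
    reason: str
    vpn_group: Optional[str] = None

def _tunnel_enabled_on(gw: Gateway, group: str, port: str) -> bool:
    t = gw.tunnels.get(group)
    if t is None:
        return False
    return t.wan_enabled if port == "WAN" else t.lan_enabled

def authenticate(gw: Gateway, name: str, key: str, port: str,
                 xauth: Optional[Tuple[str, str]] = None) -> Decision:
    """key: the key typed into the client; port: "WAN" or "LAN";
    xauth: (user name, password) given at the extended authentication prompt.
    Defined users may also use extended authentication; that is not modelled."""
    user = gw.users.get(name)
    if user is not None:                                   # defined user path
        if not user.enabled:
            return Decision(False, "user is not enabled")
        if not compare_digest(user.pre_shared_key, key):
            return Decision(False, "pre-shared key mismatch")
        if not _tunnel_enabled_on(gw, user.vpn_group, port):
            return Decision(False, f"group {user.vpn_group} not enabled on {port}")
        return Decision(True, "defined user", user.vpn_group)
    # Name not in the user list: dynamic user path.
    if not gw.dynamic_clients_enabled:
        return Decision(False, "dynamic VPN client tunnels disabled")
    if not compare_digest(gw.dynamic_pre_shared_key, key):
        return Decision(False, "shared secret mismatch")
    if xauth is None:
        return Decision(False, "extended authentication required")
    group = gw.radius_auth(*xauth)
    if group is None:
        return Decision(False, "RADIUS rejected the user")
    bound = [g for g, t in gw.tunnels.items() if t.radius_group_binding == group]
    if not bound:
        return Decision(False, f"no client tunnel bound to RADIUS group {group}")
    if not _tunnel_enabled_on(gw, bound[0], port):
        return Decision(False, f"group {bound[0]} not enabled on {port}")
    return Decision(True, "dynamic user", bound[0])

def sample_gateway() -> Gateway:
    """Constructed configuration: one defined user, two groups, a stub RADIUS server."""
    radius_db = {"bob": ("bob-pw", "Sales")}               # constructed RADIUS records

    def radius(user: str, password: str) -> Optional[str]:
        rec = radius_db.get(user)
        return rec[1] if rec and compare_digest(rec[0], password) else None

    return Gateway(
        users={"alice": StaticUser("alice", "alice-psk", True, "Staff")},
        tunnels={"Staff": ClientTunnel("Staff", wan_enabled=True, lan_enabled=True),
                 "Sales": ClientTunnel("Sales", wan_enabled=True, lan_enabled=False,
                                       radius_group_binding="Sales")},
        dynamic_clients_enabled=True,
        dynamic_pre_shared_key="dyn-shared-secret",
        radius_auth=radius,
    )

if __name__ == "__main__":
    gw = sample_gateway()
    print(authenticate(gw, "bob", "dyn-shared-secret", "LAN", ("bob", "bob-pw")))
```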
Defining users
Ensure that you obtain all the pertinent authentication information from your RADIUS administrator to pass on to your users with extended authentication.
To define users
Users must be defined on the appliance, and may also use extended authentication. Dynamic users must use extended authentication and are not defined on the appliance.
To configure users
See “Client Users tab field descriptions” on page 199.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Client Users tab, under VPN User Identity, in the User Name text box, type the name of a new user.
3 To edit an existing user, in the User drop-down list, select a user.
4 Check Enable.
5 In the Pre-shared Key text box, type the pre-shared key.
6 From the VPN Group drop-down list, select a VPN group for the user to join.
7 Click Add.
To enable users with extended authentication
See “Advanced tab field descriptions” on page 203.
1 In the SGMI, in the left pane, click VPN.
2 On the Advanced tab, in the Dynamic VPN Client Settings section, do the following:
   Check Enable Dynamic VPN Client Tunnels.
   In the Pre-shared Key text box, type a key that your dynamic users will enter in their client software.
3 In the RADIUS Settings section, do the following:
   Primary RADIUS Server: Type the IP address or fully qualified domain name of the RADIUS server.
   Secondary RADIUS Server: Type the IP address or fully qualified domain name of the RADIUS server that the security gateway uses for authentication should the primary server become unavailable.
   Authentication Port (UDP): Type the port on the RADIUS server on which the RADIUS service runs.
   Shared Secret or Key: Type the RADIUS server key.
4 Click Save.
5 On the Client Tunnels tab, in the VPN Group drop-down list, select the VPN group to which the users that use extended authentication belong.
6 Under Extended User Authentication, do the following:
   Check Enable Extended User Authentication.
   In the RADIUS Group Binding text box, type the name of the user’s RADIUS group. The RADIUS group is assigned to the user on the RADIUS server. The RADIUS server must return the value that you type in the RADIUS Group Binding text box in the filterID attribute.
7 Click Save.
Viewing the User List
The User List section in the Client Users window displays a summary of each static user that is configured on the appliance. Table 6-3 defines each field in the summary.
Table 6-3 User list fields
Field            Description
User Name        User name entered for the static VPN user.
Enable           Indicates whether a particular user can establish VPN tunnels to the security gateway.
Pre-Shared Key   Displays the pre-shared key entered for the user.
VPN Group        Lists the VPN Groups for which a user is configured.
Configuring Gateway-to-Gateway tunnels
Gateway-to-Gateway tunnels help secure your internal network by providing a secure bridge to an external LAN. There are several tasks involved in successfully securing the network with Gateway-to-Gateway tunnels. The following section describes the Gateway-to-Gateway tunnels, and then provides procedures for configuring the tunnels.
Understanding Gateway-to-Gateway tunnels
You might want to make your network resources available to an outside group, such as another office of the company. Instead of requiring each user on the second network to establish their own, private secure connection, you can create one Gateway-to-Gateway tunnel, which makes resources on each network available to the other. This type of tunnel is LAN-to-LAN, instead of user-to-LAN.
The appliance supports Gateway-to-Gateway tunnel configurations. A Gateway-to-Gateway configuration is created when two security gateways are connected, through an internal network, or the Internet, from WAN port to WAN port.
Figure 6-1 Gateway-to-Gateway VPN tunnel configuration
This type of network configuration usually connects two subnets on the same network, or as shown in Figure 6-1, two remote offices through the Internet. Once a VPN tunnel is established, users protected by a security gateway at one site can establish a tunneled connection to the security gateway protecting the remotely located site. The remote user can connect to and access the resources of the private network as if the remote workstation was physically located inside the protected network.
The Symantec Gateway Security 300 Series can connect to another Symantec Gateway Security 300 Series appliance or to one of the following appliances:
Symantec Gateway Security 5400 Series
Symantec Firewall/VPN Appliance
Symantec Gateway Security 300 Series security gateways support creating a VPN tunnel to up to five remote subnets behind Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliances, but not to another Symantec Gateway Security 300 Series appliance or Symantec Firewall/VPN Appliance. Tunnels between two Symantec Gateway Security 300 Series appliances are only made to the subnet on the LAN side of the appliance and only support the first set (subnet/mask) of the five sets of fields, which you define on the VPN > Dynamic Tunnels or VPN > Static Tunnels tabs.
If you have another (additional) subnet on the LAN side of the Symantec Gateway Security 300 Series security gateway, VPN client tunnels to the LAN side of the security gateway are not supported for computers on this separate subnet. Only computers residing on the appliance subnet (found on the LAN IP screen) are supported for LAN/WLAN-side VPN tunnels.
Note: Gateway-to-Gateway VPN tunnels are supported on the appliance’s WAN ports; you cannot define Gateway-to-Gateway VPN tunnels on the appliance’s LAN or WLAN ports.
Supported Gateway-to-Gateway VPN tunnels
The Symantec Gateway Security 300 Series appliance lets you configure two types of Gateway-to-Gateway VPN tunnels:
Dynamic: The security gateway comes with a predefined global IKE policy that automatically applies to your IKE Phase 1 negotiations. You can change the setting of the SA Lifetime parameter in the Global IKE Policy. SA Lifetime specifies the period of time after which the tunnel rekeys (in minutes). This parameter is located in VPN > Advanced > Global IKE Settings (Phase 1 Rekey).
Static: Static Gateway-to-Gateway configurations require you to manually enter tunnel parameters at each security gateway. Both ends must have the same parameters, including secret keys, security parameter indexes (SPIs), authentication schemes, and encryption methods.
See “Configuring Gateway-to-Gateway tunnels” on page 88. See “Configuring static Gateway-to-Gateway tunnels” on page 93.
Gateway-to-gateway VPN tunnel persistence and high-availability
After the security gateway restarts, dynamic Gateway-to-Gateway VPN tunnels are re-established. Dynamic Gateway-to-Gateway VPN tunnels are also re-established if the WAN port status changes from disconnected to connected. This feature reduces management overhead by providing automatic reconnection of tunnels.
If the VPN tunnel fails to establish after three attempts, the security gateway waits between one and five minutes before attempting to reconnect. This process continues until the VPN tunnel is re-established.
If there is a network failure, the security gateway automatically re-establishes the VPN tunnel through a backup port (WAN port or serial port). If the IP address of the security gateway changes, it re-establishes Gateway-to-Gateway VPN tunnels with the remote gateway using the new IP address.
Gateway-to-Gateway VPN tunnel interoperability
When Symantec Gateway Security 5400 Series or Symantec Enterprise Firewall initiates a Gateway-to-Gateway tunnel to a Symantec Gateway Security 300 Series appliance, it begins negotiation in Main Mode. The mode on the VPN tunnel definition on the Symantec Gateway Security 300 Series VPN tunnel definition must be Main Mode or the VPN tunnel will not establish.
Symantec Gateway Security 5400 Series and Symantec Enterprise Firewall accept either Main Mode or Aggressive Mode Phase 1 negotiations from a remote gateway. The Symantec Gateway Security 300 Series appliance can be configured for Main or Aggressive Mode. The default is Main Mode. When initiating a VPN tunnel to Symantec Gateway Security 5400 or Symantec Enterprise Firewall, configure the Symantec Gateway Security 300 Series appliance to use Main Mode; otherwise, if the remote end initiates the VPN tunnel, it does not establish a connection.
When a non-Symantec gateway initiates a VPN tunnel to a Symantec Gateway Security 300 Series appliance, the Symantec Gateway Security 300 Series appliance accepts the mode set by the administrator on the tunnel definition.
When a Symantec Gateway Security 300 Series appliance initiates a VPN tunnel to a non-Symantec security gateway, the Symantec Gateway Security 300 Series appliance should use the mode set by the administrator on the tunnel definition; the default setting is Main Mode. If Main Mode is not used, it may cause rekey problems if the remote security gateway tries to rekey first.
Creating VPN tunnels to Symantec Gateway Security 5400 Series clusters
To create a VPN tunnel to a Symantec Gateway Security 5400 Series appliance high-availability/load balancing cluster, define the VPN tunnel using the virtual IP address of the cluster. Tunnels between Symantec Gateway 300 Series and Symantec Gateway Security 5400 Series appliances are supported in high-availability only.
Configuring dynamic Gateway-to-Gateway tunnels
Dynamic tunnels, also known as IKE (Internet Key Exchange) tunnels, automatically generate authentication and encryption keys. Typically, a long password, called a pre-shared key (also known as a shared secret), is entered. The target security gateway must recognize this key for authentication to succeed. If the key matches, then Security Parameter Index (SPI), authentication, and encryption keys are automatically generated and the tunnel is created. The security gateway usually re-keys (generates a new key) automatically at set intervals to ensure the continued integrity of the key.
Configuration tasks for dynamic Gateway-to-Gateway tunnels
Table 6-4 summarizes the tasks that are required to configure dynamic Gateway-to-Gateway VPN tunnels.
Note: Complete each step in Table 6-4 twice: first for the local security gateway and then for the remote security gateway.
Table 6-4 Dynamic Gateway-to-Gateway configuration tasks
Task                                                               SGMI
Configure a VPN Policy (Phase 2 IKE negotiation). (Optional)       VPN > VPN Policies
Create a dynamic tunnel.                                           VPN > Dynamic Tunnels
Define IPsec Security Association Parameters. Select VPN Policy.   VPN > Dynamic Tunnels > IPsec Security Association
Define the local security gateway.                                 VPN > Dynamic Tunnels > Local Security Gateway
Define the remote security gateway.                                VPN > Dynamic Tunnels > Remote Security Gateway
Repeat the above steps for the remote security gateway.
To add a dynamic Gateway-to-Gateway tunnel
See “Dynamic Tunnels tab field descriptions” on page 189.
1 In the left pane, click VPN.
2 On the Dynamic Tunnels tab, in the Name text box, type a name for the new tunnel.
3 To edit an existing tunnel, from the VPN Tunnel drop-down list, select a VPN tunnel.
4 Check Enable VPN Tunnel.
5 On the VPN Policy drop-down list, select the VPN policy that you want to bind to the tunnel.
6 If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session that you want to bind to the tunnel.
If you do not have a multi-session PPPoE ISP account, skip this step.
7 For model 360 or 360R, on the Local Endpoint drop-down list, select an endpoint for the tunnel.
8 On the ID Type drop-down list, select a Phase 1 ID type.
9 In the Phase 1 ID text box, type the Phase 1 ID.
10 Under Remote Security Gateway, do the following:
   In the Gateway Address text box, type the remote gateway address.
   Optionally, in the ID Type drop-down list, select a Phase 1 ID type.
   Optionally, in the Phase 1 ID text box, type the Phase 1 ID.
   In the Pre-Shared Key text box, type a key.
   In each Remote Subnet IP text box, type the IP address of the destination network. To create a global tunnel, type 0.0.0.0.
   In each Mask text box, type the netmask of the destination network. To create a global tunnel, type 255.0.0.0.
11 Click Add.
Configuring static Gateway-to-Gateway tunnels
Static tunnels do not use any information from the Global IKE Policy (Phase 1 negotiation). You must manually type all of the information necessary to establish the tunnel. However, you can define a VPN Policy for Phase 2 negotiation.
When defining static tunnels, you must enter an authentication key, as well as an encryption key (if encryption is used). The keys must match on both sides of the VPN. In addition, a Security Parameter Index (SPI) is manually typed and included with every packet transmitted between security gateways. The SPI is a unique gateway identifier that indicates the set of keys that belongs to each packet.
Encryption and authentication key lengths
When you define a static tunnel, you must type an encryption key and an authentication key. Each key has a specific key length based on the method that you chose. For each method, a key length is shown for both ASCII characters and Hex characters. Table 6-5 defines encryption key lengths.
Table 6-5 Encryption key lengths
Method    Key length in character bytes   Key length in Hex
DES       8                               18 (0x + 16 hex digits)
3DES      24                              50 (0x + 20 hex digits)
AES-128   16                              18 (0x + 20 hex digits)
AES-192   24                              50 (0x + 20 hex digits)
AES-256   32                              66 (0x + 20 hex digits)
Table 6-6 defines authentication key lengths.
Table 6-6 Authentication key lengths
Method    Key length in character bytes   Key length in Hex
MD5       16                              34 (0x + 16 hex digits)
SHA1      20                              42 (0x + 20 hex digits)
Configuration tasks for static Gateway-to-Gateway tunnels
Table 6-7 describes the tasks that are required to configure a static Gateway-to-Gateway VPN tunnel.
Note: Complete each step in Table 6-7 twice: first for the local security gateway and then for the remote security gateway.
Table 6-7 Static Gateway-to-Gateway configuration tasks
Task                                                           SGMI
Configure a VPN Policy (Phase 2 IKE negotiation). (Optional)   VPN > VPN Policies
Create a static tunnel                                         VPN > Static Tunnels
Define IPsec Security Association Parameters                   VPN > Static Tunnels > IPsec Security Association
Define the remote security gateway                             VPN > Static Tunnels > Remote Security Gateway
Repeat the previous steps for the remote security gateway.
To add a static Gateway-to-Gateway tunnel
See “Static Tunnels tab field descriptions” on page 193.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Static Tunnels tab, under IPsec Security Association, in the Tunnel Name text box, type a name for the tunnel.
To edit an existing static tunnel, on the VPN Tunnel drop-down list, select a VPN Tunnel.
3 Check Enable VPN Tunnel.
4 If you have a multi-session PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session that you want to bind to the tunnel. If you do not have a multi-session PPPoE ISP account, skip this step.
5 For model 360 and 360R, on the Local Endpoint drop-down list, select the endpoint for the tunnel.
6 In the Incoming SPI text box, type the incoming SPI to match the remote SPI.
7 In the Outgoing SPI text box, type the outgoing SPI to match the local SPI from the remote side.
8 On the VPN Policy drop-down list, select the VPN policy that you want to bind to the tunnel.
Use an existing VPN policy or create a new one.
See “Understanding VPN policies” on page 82.
9 In the Encryption Key text box, type the encryption key to match the chosen VPN policy.
Entry length must match the chosen VPN policy.
10 In the Authentication Key text box, type the authentication key to match the chosen VPN policy.
11 Under Remote Security Gateway, in the Gateway Address text box, type the gateway address of the Symantec Enterprise VPN.
12 Next to NetBIOS Broadcast, click Disable.
13 Next to Global Tunnel, click Disable.
14 In the Remote Subnet IP text boxes, type the IP address of the destination network. To create a global tunnel, type 0.0.0.0.
15 In the Mask text boxes, type the netmask of the destination network. To create a global tunnel, type 255.0.0.0.
16 Click Add.
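Both ends of a static tunnel must type encryption and authentication keys of the lengths given in Tables 6-5 and 6-6. The following added Python example (not the appliance's code) checks a typed key against the byte lengths from those tables, treating the hex form as 0x followed by two hex digits per byte, and can generate a key of the right length for sharing with the remote gateway administrator; the VPN policy dictionary shape is an assumption made for the example.

```python
"""Length checks for static Gateway-to-Gateway tunnel keys.

Added example, not the appliance's code. Byte lengths come from Tables 6-5
and 6-6; the hex form is taken to be "0x" followed by two hex digits per
byte, which is how the "Key length in Hex" column counts characters."""
import secrets
import string

# Key length in bytes per method (Tables 6-5 and 6-6).
ENCRYPTION_KEY_BYTES = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTHENTICATION_KEY_BYTES = {"MD5": 16, "SHA1": 20}

def key_bytes(method: str) -> int:
    """Byte length required for the given encryption or authentication method."""
    m = method.upper()
    if m in ENCRYPTION_KEY_BYTES:
        return ENCRYPTION_KEY_BYTES[m]
    if m in AUTHENTICATION_KEY_BYTES:
        return AUTHENTICATION_KEY_BYTES[m]
    raise ValueError(f"unknown method {method!r}")

def hex_form_length(method: str) -> int:
    """Characters in the hex form: '0x' plus two hex digits per key byte."""
    return 2 + 2 * key_bytes(method)

def check_static_key(method: str, key: str) -> str:
    """Return 'hex' or 'ascii' if key has the right length for method, else raise.

    A key starting with 0x is treated as the hex form; anything else as ASCII
    characters, one byte each (non-ASCII characters are rejected because they
    would not be one byte each)."""
    n = key_bytes(method)
    if key[:2].lower() == "0x":
        digits = key[2:]
        if len(digits) != 2 * n:
            raise ValueError(f"{method}: hex key needs {2 * n} hex digits after 0x, got {len(digits)}")
        if any(c not in string.hexdigits for c in digits):
            raise ValueError(f"{method}: hex key contains non-hex characters")
        return "hex"
    if not key.isascii():
        raise ValueError(f"{method}: ASCII key contains non-ASCII characters")
    if len(key) != n:
        raise ValueError(f"{method}: ASCII key needs {n} characters, got {len(key)}")
    return "ascii"

def generate_static_key(method: str) -> str:
    """Random key of the right length in hex form, to be typed at both ends."""
    return "0x" + secrets.token_hex(key_bytes(method))

def check_tunnel_keys(vpn_policy: dict, encryption_key: str, authentication_key: str) -> dict:
    """Validate both keys of a static tunnel against the chosen VPN policy.
    vpn_policy shape is assumed for this example: {"encryption": "AES-256", "authentication": "SHA1"}."""
    return {
        "encryption": check_static_key(vpn_policy["encryption"], encryption_key),
        "authentication": check_static_key(vpn_policy["authentication"], authentication_key),
    }

if __name__ == "__main__":
    policy = {"encryption": "3DES", "authentication": "MD5"}   # constructed sample policy
    enc = generate_static_key(policy["encryption"])
    auth = "sixteen-byte-key"                                   # 16 ASCII characters for MD5
    print(enc, check_tunnel_keys(policy, enc, auth))
```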
Sharing information with the remote gateway administrator
Table 6-8 lists the information you should provide to the administrator of the appliance to which you are creating a Gateway-to-Gateway tunnel.
Table 6-8 Information to give the remote gateway administrator
Information                          Value
IP address
Authentication key (Static tunnel)
Encryption key (Static tunnel)
SPI (Static tunnel)
Pre-shared key
Local subnet/mask
VPN policy encryption method
VPN policy authentication method
(Optional) Local phase 1 ID
Configuring Client-to-Gateway VPN tunnels
Client-to-Gateway VPN tunnels let remote users running the Symantec Client VPN software (or any IPsec-compliant VPN client software) safely connect over the Internet to a network secured by a Symantec security gateway.
Understanding Client-to-Gateway VPN tunnels
Symantec Gateway Security 300 Series supports Client-to-Gateway VPN tunnel configurations. A Client-to-Gateway configuration is created when a workstation, running Symantec Client VPN software, connects to the security gateway from either inside the protected network or from a remote location through the Internet.
Note: Wireless clients can use client-to-gateway tunnels to secure their connections. See Symantec Gateway Security 300 Series Wireless Implementation Guide.
Once a VPN tunnel is established, remote users can connect to and safely access the resources of the private network, through the Internet, as if the remote workstation was physically located inside the protected network (see Figure 6-2).
Figure 6-2 Client-to-Gateway VPN tunnel configuration
In this diagram, there is a client that establishes a tunnel remotely (WAN) and three internal clients establishing a tunnel internally (LAN).
For each VPN group, you can define network settings to download to the client during Phase 1 configuration mode. The settings include the primary and secondary DNS servers, the WINS servers, and the primary domain controller. By pushing this information to the clients during configuration mode, each client will not have to configure that on his or her own, saving management time, and reducing the possibility of error.
[Figure 6-2 labels: Symantec Client VPN (WAN); Internet; Symantec Gateway Security 300 Series; Symantec Client VPN (LAN), three clients]
For LAN-side VPN client tunnels, the only subnet that the client can access is the one defined on the LAN IP screen.
See “Configuring LAN IP settings” on page 57.
Symantec Client-to-Gateway VPN tunnels require a client ID and a shared key. You can also apply extended authentication using a RADIUS server to Client-to-Gateway VPN tunnels for additional authentication.
See “Defining users” on page 86.
You can configure two types of Client-to-Gateway users when configuring VPN tunnels: dynamic and static.
See “Identifying users” on page 85.
Understanding global tunnels
When a client establishes a VPN tunnel on the LAN, a global tunnel (0.0.0.0) is configured for the client. This forces all client traffic through the VPN tunnel terminating at the appliance. This is useful for untrusted networks, such as wireless, to keep traffic secure.
When establishing a tunnel on the WAN, the appliance’s subnet (192.168.0.0 by default) is configured for the client, which allows a split tunnel so that the client can still access the Internet directly and only traffic destined for the LAN is sent through the VPN tunnel.
Configuration tasks for Client-to-Gateway VPN tunnels
Table 6-9 describes the tasks that are required to configure a Client-to-Gateway VPN tunnel.
Table 6-9 Client-to-Gateway VPN tunnel configuration tasks
Task                                                                                   SGMI
Configure a VPN Policy (Phase 2 IKE negotiation). This is optional.                    VPN > VPN Policies
Identify remote users.                                                                 VPN > Client Users > VPN User Identity
Enable client tunnel for selected VPN Group.                                           VPN > Client Tunnels > Group Tunnel Definition
Optionally, configure VPN network parameters (pushed to client during negotiations).   VPN > Client Tunnels > VPN Network Parameters
Optionally, configure RADIUS authentication.                                           VPN > Client Tunnels > Extended User Authentication; VPN > Advanced > RADIUS Settings
Optionally, configure Antivirus Policy Enforcement.                                    VPN > Client Tunnels > Antivirus Policy
Select the VPN policy that applies to the tunnel.                                      VPN > Advanced > Global VPN Client Settings
Defining client VPN tunnels
This section describes how to define client VPN tunnels. Defining client VPN tunnels consists of the following tasks:
   Enabling client tunnels for selected VPN groups for WAN connections and/or LAN/WLAN connections
   Configuring VPN network parameters that are pushed to the Client VPN during tunnel negotiations (optional)
   Configuring RADIUS authentication (optional)
   Configuring antivirus policy enforcement (optional)
   Configuring content filtering (optional)
   If you enable content filtering for remote WAN-side VPN clients, you must have DNS servers on the local LAN. In Symantec Client VPN version 8.0, you can define two different tunnels: one for WAN, which uses the domain name, and one for LAN, which uses the IP address. Then, put those tunnels in a gateway group. This way, when you create the tunnel, if the first tunnel fails (because the name cannot be resolved, for example), the IP address can be used to connect.
   See Symantec Client VPN User’s Guide.
To define client tunnels
See “Client Tunnels tab field descriptions” on page 197.
1 In the SGMI, in the left pane, click VPN.
2 In the right pane, on the Client Tunnels tab, under Group Tunnel Definition, in the VPN Group drop-down list, select a VPN group.
3 To enable client VPNs for the chosen VPN Group on WAN or WLAN/LAN connections, click one or both of the following:
   Enable client VPNs on WAN side
   Enable client VPNs on WLAN/LAN side
4 Optionally, under VPN Network Parameters, in the Primary DNS text box, type the name of the primary DNS server.
5 Optionally, in the Secondary DNS text box, type the name of the secondary DNS server.
Domain Name System or Service (DNS) is an Internet service that translates domain names into IP addresses.
6 Optionally, in the Primary WINS text box, type the name of the primary WINS server.
Windows Internet Naming Service (WINS) is a system that determines the IP address associated with a particular network computer.
7 Optionally, in the Secondary WINS text box, type the name of the secondary WINS server.
8 Optionally, in the Primary Domain Controller text box, type the name of the primary domain controller.
9 (Optional) Under Extended User Authentication, check Enable Extended User Authentication.
10 (Optional) In the RADIUS Group Binding text box, type the RADIUS Group Binding name.
The RADIUS Group Binding name must match the filter ID parameter returned from the RADIUS server.
11 To enable AVpe, under WAN Client Policy, do the following:
   Check Enable Antivirus Policy Enforcement.
   To log a warning to the Symantec Gateway Security log that a user is connecting who is not compliant with the AVpe policy, click Warn Only.
   To stop the user’s traffic if they are not compliant with the AVpe policy, click Block Connections.
12 To enable content filtering, under WAN Client Policy, do the following:
   Check Enable Content Filtering.
   To permit the listed traffic and block all other traffic, click Use Allow List.
   To block the listed traffic and permit all other traffic, click Use Deny List.
13 Click Update.