Home » Netgear Manuals » Network Security & Firewall Devices » Netgear UTM10EW3-100NAS » Manual Viewer

Netgear UTM10EW3-100NAS Reference Manual 3.0.1-124 - Page 309

Con XAUTH for VPN Clients, To enable and con XAUTH, VPN > IPSec VPN, Apply

View all Netgear UTM10EW3-100NAS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 309 highlights

ProSecure Unified Threat Management (UTM) Appliance Configure XAUTH for VPN Clients Once the XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy needs to be disabled before you can modify the IKE policy.  To enable and configure XAUTH: 1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 179 on page 293). 2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 180 on page 295). 3. In the Extended Authentication section onscreen, complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in the following table: Table 75. Extended authentication settings Setting Description Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This the default setting. • Edge Device. The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP. • IPSec Host. The UTM functions as a VPN client of the remote gateway. In this configuration the, UTM is authenticated by a remote gateway with a user name and password combination. Authentication Type For an Edge Device configuration, from the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the UTM's user database. You can add users on the Add User screen (see User Database Configuration on page 310). • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see RADIUS Client and Server Configuration on page 310. • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on page 310. Username Password The user name for XAUTH. The password for XAUTH. 4. Click Apply to save your settings. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections 309

Section	Page
ProSecure Unified Threat Management (UTM) Appliance	1
Contents	5
1. Introduction	15
What Is the ProSecure Unified Threat Management (UTM) Appliance?	15
Key Features and Capabilities	16
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing	17
Wireless Features	18
DSL Features	18
Advanced VPN Support for Both IPSec and SSL	18
A Powerful, True Firewall	19
Stream Scanning for Content Filtering	19
Security Features	20
Autosensing Ethernet Connections with Auto Uplink	20
Extensive Protocol Support	21
Easy Installation and Management	21
Maintenance and Support	22
Model Comparison	22
Service Registration Card with License Keys	23
Package Contents	24
Hardware Features	24
Front Panel UTM5 and UTM10	25
Front Panel UTM25	26
Front Panel UTM50	26
Front Panel UTM150	27
Front Panel UTM9S and UTM25S and Network Modules	28
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150	30
LED Descriptions, UTM9S, UTM25S, and their Network Modules	32
Rear Panel UTM5, UTM10, and UTM25	33
Rear Panel UTM50 and UTM150	34
Rear Panel UTM9S and UTM25S	35
Bottom Panels with Product Labels	36
Choose a Location for the UTM	39
Use the Rack-Mounting Kit	40
2. Use the Setup Wizard to Provision the UTM in Your Network	41
Steps for Initial Connection	41
Qualified Web Browsers	42
Requirements for Entering IP Addresses	42
Log In to the UTM	42
Web Management Interface Menu Layout	44
Use the Setup Wizard to Perform the Initial Configuration	47
Setup Wizard Step 1 of 10: LAN Settings	48
Setup Wizard Step 2 of 10: WAN Settings	51
Setup Wizard Step 3 of 10: System Date and Time	54
Setup Wizard Step 4 of 10: Services	55
Setup Wizard Step 5 of 10: Email Security	57
Setup Wizard Step 6 of 10: Web Security	58
Setup Wizard Step 7 of 10: Web Categories to Be Blocked	60
Setup Wizard Step 8 of 10: Email Notification	62
Setup Wizard Step 9 of 10: Signatures & Engine	63
Setup Wizard Step 10 of 10: Saving the Configuration	64
Register the UTM with NETGEAR	65
Use the Web Management Interface to Activate Licenses	65
Electronic Licensing	67
Automatic Retrieval of Licenses after a Factory Default Reset	67
Verify Correct Installation	68
Test Connectivity	68
Test HTTP Scanning	68
What to Do Next	68
3. Manually Configure Internet and WAN Settings	70
Internet and WAN Configuration Tasks	71
Automatically Detecting and Connecting the Internet Connections	71
Manually Configure the Internet Connection	75
Configure the WAN Mode	80
Overview of the WAN Modes	80
Configure Network Address Translation (All Models)	81
Configure Classical Routing (All Models)	82
Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models)	82
Configure Load Balancing and Optional Protocol Binding (Multiple WAN Port Models)	85
Configure Secondary WAN Addresses	89
Configure Dynamic DNS	91
Set the UTM’s MAC Address and Configure Advanced WAN Options	94
Additional WAN-Related Configuration Tasks	97
4. LAN Configuration	98
Manage Virtual LANs and DHCP Options	98
Port-Based VLANs	99
Assign and Manage VLAN Profiles	100
VLAN DHCP Options	101
Configure a VLAN Profile	103
Configure VLAN MAC Addresses and Advanced LAN Settings	108
Configure Multihome LAN IP Addresses on the Default VLAN	109
Manage Groups and Hosts (LAN Groups)	111
Manage the Network Database	112
Change Group Names in the Network Database	115
Set Up Address Reservation	116
Configure and Enable the DMZ Port	117
Manage Routing	121
Configure Static Routes	121
Configure Routing Information Protocol	123
Static Route Example	126
5. Firewall Protection	127
About Firewall Protection	127
Administrator Tips	128
Overview of Rules to Block or Allow Specific Kinds of Traffic	128
Outbound Rules (Service Blocking)	129
Inbound Rules (Port Forwarding)	133
Order of Precedence for Rules	138
Configure LAN WAN Rules	139
Create LAN WAN Outbound Service Rules	140
Create LAN WAN Inbound Service Rules	141
Configure DMZ WAN Rules	142
Create DMZ WAN Outbound Service Rules	144
Create DMZ WAN Inbound Service Rules	144
Configure LAN DMZ Rules	145
Create LAN DMZ Outbound Service Rules	147
Create LAN DMZ Inbound Service Rules	147
Examples of Firewall Rules	148
Inbound Rule Examples	148
Outbound Rule Example	153
Configure Other Firewall Features	154
VLAN Rules	154
Attack Checks, VPN Pass-through, and Multicast Pass-through	157
Set Session Limits	160
Manage the Application Level Gateway for SIP Sessions and VPN Scanning	161
Create Services, QoS Profiles, Bandwidth Profiles, and Traffic Meter Profiles	162
Add Customized Services	163
Create Service Groups	165
Create IP Groups	167
Create Quality of Service Profiles	169
Create Bandwidth Profiles	171
Create Traffic Meter Profiles	174
Set a Schedule to Block or Allow Specific Traffic	177
Enable Source MAC Filtering	179
Set Up IP/MAC Bindings	181
Configure Port Triggering	183
Configure Universal Plug and Play	186
Enable and Configure the Intrusion Prevention System	187
6. Content Filtering and Optimizing Scans	192
About Content Filtering and Scans	192
Default Email and Web Scan Settings	193
Configure Email Protection	194
Customize Email Protocol Scan Settings	194
Customize Email Antivirus and Notification Settings	196
Email Content Filtering	199
Protect Against Email Spam	202
Configure Web and Services Protection	210
Customize Web Protocol Scan Settings	210
Configure HTTPS Smart Block	212
Configure Web Malware or Antivirus Scans	216
Configure Web Content Filtering	218
Configure Web URL Filtering	224
Configure HTTPS Scanning and SSL Certificates	228
How HTTPS Scanning Works	228
Configure the HTTPS Scan Settings	230
Manage SSL Certificates for HTTPS Scanning	231
Specify Trusted Hosts for HTTPS Scanning	235
Configure the SSL Settings for HTTPS Scanning	237
Configure FTP Scanning	238
Customize FTP Antivirus Settings	238
Configure FTP Content Filtering	239
Configure Application Control	240
Set Exception Rules for Web and Application Access	248
Create Custom Categories for Exceptions for Web and Application Access	258
Set Scanning Exclusions for IP Addresses and Ports	262
7. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections	264
Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only)	264
Use the IPSec VPN Wizard for Client and Gateway Configurations	266
Create Gateway-to-Gateway VPN Tunnels with the Wizard	266
Create a Client-to-Gateway VPN Tunnel	271
Test the Connection and View Connection and Status Information	287
Test the NETGEAR VPN Client Connection	287
NETGEAR VPN Client Status and Log Information	289
View the UTM IPSec VPN Connection Status	289
View the UTM IPSec VPN Log	290
Manage IPSec VPN and IKE Policies	291
Manage IKE Policies	292
Manage VPN Policies	300
Configure Extended Authentication (XAUTH)	308
Configure XAUTH for VPN Clients	309
User Database Configuration	310
RADIUS Client and Server Configuration	310
Assign IP Addresses to Remote Users (Mode Config)	312
Mode Config Operation	312
Configure Mode Config Operation on the UTM	312
Configure the ProSafe VPN Client for Mode Config Operation	319
Test the Mode Config Connection	326
Modify or Delete a Mode Config Record	327
Configure Keep-Alives and Dead Peer Detection	328
Configure Keep-Alives	328
Configure Dead Peer Detection	329
Configure NetBIOS Bridging with IPSec VPN	330
Configure the PPTP Server	331
View the Active PPTP Users	333
Configure the L2TP Server	334
View the Active L2TP Users	336
For More IPSec VPN Information	336
8. Virtual Private Networking Using SSL Connections	337
SSL VPN Portal Options	337
Build a Portal Using the SSL VPN Wizard	338
SSL VPN Wizard Step 1 of 6 (Portal Settings)	339
SSL VPN Wizard Step 2 of 6 (Domain Settings)	342
SSL VPN Wizard Step 3 of 6 (User Settings)	347
SSL VPN Wizard Step 4 of 6 (Client IP Addresses and Routes)	348
SSL VPN Wizard Step 5 of 6 (Port Forwarding)	350
SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings)	351
Access the New SSL VPN Portal	353
View the UTM SSL VPN Connection Status	356
View the UTM SSL VPN Log	357
Manually Configure and Modify SSL Portals	357
Manually Create or Modify the Portal Layout	359
Configure Domains, Groups, and Users	362
Configure Applications for Port Forwarding	363
Configure the SSL VPN Client	365
Use Network Resource Objects to Simplify Policies	369
Configure User, Group, and Global Policies	371
For More SSL VPN Information	377
9. Manage Users, Authentication, and VPN Certificates	378
Authentication Process and Options	378
Configure Authentication Domains, Groups, and Users	380
Login Portals	380
Active Directories and LDAP Configurations	384
Configure Domains	388
Configure Groups	394
Configure Custom Groups	397
Configure User Accounts	401
Set User Login Policies	404
Change Passwords and Other User Settings	408
DC Agent	409
Configure RADIUS VLANs	415
Configure Global User Settings	416
View and Log Out Active Users	417
Manage Digital Certificates for VPN Connections	419
VPN Certificates Screen	420
Manage CA Certificates	421
Manage Self-Signed Certificates	422
Manage the Certificate Revocation List	426
10. Network and System Management	428
Performance Management	428
Bandwidth Capacity	428
Features That Reduce Traffic	429
Features That Increase Traffic	432
Use QoS and Bandwidth Assignments to Shift the Traffic Mix	435
Monitoring Tools for Traffic Management	436
System Management	436
Change Passwords and Administrator and Guest Settings	436
Configure Remote Management Access	438
Use a Simple Network Management Protocol Manager	440
Manage the Configuration File	445
Update the Firmware	448
Update the Scan Signatures and Scan Engine Firmware	454
Configure Date and Time Service	456
Connect to a ReadyNAS and Configure Quarantine Settings	458
Log Storage	459
Connect to a ReadyNAS	459
Configure the Quarantine Settings	460
11. Monitor System Access and Performance	462
Enable the WAN Traffic Meter	462
Configure Logging, Alerts, and Event Notifications	466
Configure the Email Notification Server	466
Configure and Activate System, Email, and Syslog Logs	467
How to Send Syslogs over a VPN Tunnel between Sites	471
Configure and Activate Update Failure and Attack Alerts	473
Configure and Activate Firewall Logs	476
Monitor Real-Time Traffic, Security, and Statistics	477
Monitor Application Use in Real Time	483
View Status Screens	486
View the System Status	486
View the Active VPN Users	499
View the VPN Tunnel Connection Status	500
View the Active PPTP and L2TP Users	501
View the Port Triggering Status	502
View the WAN, xDSL, or USB Port Status	504
View Attached Devices and the DHCP Leases	505
Query and Manage the Logs	507
Overview of the Logs	508
Query and Download Logs	509
Example: Use the Logs to Identify Infected Clients	513
Log Management	514
Query and Manage the Quarantine Logs	514
Query the Quarantined Logs	515
View and Manage the Quarantined Spam Table	517
View and Manage the Quarantined Infected Files Table	518
Spam Reports for End Users	519
View, Schedule, and Generate Reports	520
Enable Application Session Monitoring	521
Report Filtering Options	522
Use Report Templates and View Reports Onscreen	524
Schedule, Email, and Manage Reports	529
Use Diagnostics Utilities	531
Use the Network Diagnostic Tools	532
Use the Real-Time Traffic Diagnostics Tool	533
Gather Important Log Information and Generate a Network Statistics Report	534
Perform Maintenance on the USB Device, Reboot the UTM, or Shut Down the UTM	536
12. Troubleshoot and Use Online Support	538
Basic Functioning	539
Verify the Correct Sequence of Events at Startup	539
Power LED Not On	539
Test LED Never Turns Off	539
LAN or WAN Port LEDs Not On	540
Troubleshoot the Web Management Interface	540
When You Enter a URL or IP Address, a Time-Out Error Occurs	541
Troubleshoot the ISP Connection	541
Troubleshoot a TCP/IP Network Using a Ping Utility	543
Test the LAN Path to Your UTM	543
Test the Path from Your Computer to a Remote Device	544
Restore the Default Configuration and Password	545
Problems with Date and Time	546
Use Online Support	546
Enable Remote Troubleshooting	546
Send Suspicious Files to NETGEAR for Analysis	547
Access the Knowledge Base and Documentation	548
A. xDSL Network Module for the UTM9S and UTM25S	549
xDSL Network Module Configuration Tasks	550
Configure the xDSL Settings	550
Automatically Detecting and Connecting the xDSL Internet Connection	553
Manually Configure the xDSL Internet Connection	556
Configure the WAN Mode	561
Overview of the WAN Modes	561
Configure Network Address Translation	562
Configure Classical Routing	563
Configure Auto-Rollover Mode and the Failure Detection Method	563
Configure Load Balancing and Optional Protocol Binding	566
Configure Secondary WAN Addresses	570
Configure Dynamic DNS	572
Set the UTM’s MAC Address and Configure Advanced WAN Options	574
Additional WAN-Related Configuration Tasks	577
B. Wireless Network Module for the UTM9S and UTM25S	578
Overview of the Wireless Network Module	579
Configuration Order	579
Wireless Equipment Placement and Range Guidelines	579
Configure the Basic Radio Settings	580
Operating Frequency (Channel) Guidelines	583
Wireless Data Security Options	584
Wireless Security Profiles	585
Before You Change the SSID, WEP, and WPA Settings	587
Configure and Enable Wireless Profiles	588
Restrict Wireless Access by MAC Address	593
View the Access Point Status and Connected Clients for a Wireless Profile	595
Configure a Wireless Distribution System	596
Configure Advanced Radio Settings	598
Configure WMM QoS Priority Settings	600
Test Basic Wireless Connectivity	602
For More Information About Wireless Configurations	602
C. 3G/4G Dongles for the UTM9S and UTM25S	603
3G/4G Dongle Configuration Tasks	603
Manually Configure the USB Internet Connection	604
Configure the 3G/4G Settings	608
Configure the WAN Mode	610
Overview of the WAN Modes	611
Configure Network Address Translation	612
Configure Classical Routing	613
Configure Load Balancing and Optional Protocol Binding	614
Configure Dynamic DNS	618
Additional WAN-Related Configuration Tasks	621
D. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only)	622
What to Consider Before You Begin	622
Plan Your Network and Network Management and Set Up Accounts	622
Cabling and Computer Hardware Requirements	624
Computer Network Configuration Requirements	624
Internet Configuration Requirements	624
Overview of the Planning Process	626
Inbound Traffic	627
Inbound Traffic to a Single WAN Port System	628
Inbound Traffic to a Dual WAN Port System	628
Virtual Private Networks	629
VPN Road Warrior (Client-to-Gateway)	630
VPN Gateway-to-Gateway	633
VPN Telecommuter (Client-to-Gateway through a NAT Router)	635
E. ReadyNAS Integration	638
Supported ReadyNAS Models	638
Install the UTM Add-On on the ReadyNAS	639
Connect to the ReadyNAS on the UTM	641
F. Two-Factor Authentication	644
Why Do I Need Two-Factor Authentication?	644
What Are the Benefits of Two-Factor Authentication?	644
What Is Two-Factor Authentication?	645
NETGEAR Two-Factor Authentication Solutions	645
G. System Logs and Error Messages	648
System Log Messages	649
System Startup	649
Reboot	649
NTP	650
Login/Logout	650
Firewall Restart	651
IPSec Restart	651
WAN Status	651
Traffic Metering Logs	655
Unicast, Multicast, and Broadcast Logs	655
Invalid Packet Logging	656
Service Logs	658
Content-Filtering and Security Logs	658
Web Filtering and Content-Filtering Logs	659
Spam Logs	660
Traffic Logs	661
Malware Logs	661
Email Filter Logs	661
IPS Logs	662
Anomaly Behavior Logs	662
Application Logs	663
Routing Logs	663
LAN-to-WAN Logs	663
LAN-to-DMZ Logs	664
DMZ-to-WAN Logs	664
WAN-to-LAN Logs	664
DMZ-to-LAN Logs	665
WAN-to-DMZ Logs	665
H. Default Settings and Technical Specifications	666
Default Settings	666
Physical and Technical Specifications	673
I. Notification of Compliance (Wired)	677
J. Notification of Compliance (Wireless)	681

Match case Limit results 1 per page

Virtual Private Networking Using IPSec, PPTP, or L2TP Connections

309

ProSecure Unified Threat Management (UTM) Appliance

Configure XAUTH for VPN Clients

Once the XAUTH has been enabled, you need to establish user accounts in the user

database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or

RADIUS-PAP server.

Note:

You cannot modify an existing IKE policy to add XAUTH while the

IKE policy is in use by a VPN policy. The VPN policy needs to be

disabled before you can modify the IKE policy.



To enable and configure XAUTH:

Select

VPN > IPSec VPN

. The IPSec VPN submenu tabs display with the IKE Policies

screen in view (see

Figure 179

on page 293).

In the List of IKE Policies table, click the

Edit

table button to the right of the IKE policy for

which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This

screen shows the same fields as the Add IKE Policy screen (see

Figure 180

on page 295).

In the Extended Authentication section onscreen, complete the fields, select the radio

buttons, and make your selections from the drop-down lists as explained in the following

table:

Click

Apply

to save your settings.

Table 75.

Extended authentication settings

Setting

Description

Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled,

and, if enabled, which device is used to verify user account information:

•

None

. XAUTH is disabled. This the default setting.

•

Edge Device

. The UTM functions as a VPN concentrator on which one or more gateway tunnels

terminate. The authentication modes that are available for this configuration are User Database,

RADIUS PAP, and RADIUS CHAP.

•

IPSec Host

. The UTM functions as a VPN client of the remote gateway. In this configuration the, UTM

is authenticated by a remote gateway with a user name and password combination.

Authentication

Type

For an Edge Device configuration, from the drop-down list, select one of the following

authentication types:

•

User Database

. XAUTH occurs through the UTM’s user database. You can add

users on the Add User screen (see

User Database Configuration

on page 310).

•

Radius PAP

. XAUTH occurs through RADIUS Password Authentication Protocol

(PAP). The local user database is first checked. If the user account is not present

in the local user database, the UTM connects to a RADIUS server. For more

information, see

RADIUS Client and Server Configuration

on page 310.

•

Radius CHAP

. XAUTH occurs through RADIUS Challenge Handshake

Authentication Protocol (CHAP). For more information, see

RADIUS Client and

Server Configuration

on page 310.

Username

The user name for XAUTH.

Password

The password for XAUTH.