0 User Manual
April, 2011
Table of Contents
ANNOUNCEMENT
PREFACE
ABOUT THIS MANUAL
DOCUMENT CONVENTIONS
Symbol Conventions
Graphic Interface Conventions
CLI Conventions
TECHNICAL SUPPORT
ACKNOWLEDGEMENTS
CHAPTER 1 WAN ACCELERATOR INSTALLATION
1.1
ENVIRONMENT REQUIREMENT
1.2
POWER
1.3
PRODUCT APPEARANCE
1.4
1.5
WIRING METHOD
GATEWAY MODE
2.2
BRIDGE MODE
2.3
2.4
WEB UI LOGIN
3.2
MAIN MENUS
3.2.1
Maintenance
3.2.1.1
License
3.2.1.2
Backup/Restore
3.2.1.2.1 System
3.2.1.2.2 WAN Optimization
3.2.1.3
Reset/Restart/Shutdown
3.2.1.4
Web Console
3.2.2
Status
3.2.2.1
WAN Optimization
Logs
3.2.2.3
Bandwidth Monitor
3.2.2.4
Flow Status
VPN
3.2.2.6
3.2.2.7
Gateway Status
3.2.3
Tools
3.2.3.1
Ping
3.2.3.2
Tracert
3.2.3.3
Show ARP
3.2.4
Wizard
3.2.5
Data Center
3.2.6
Help
3.3
HOME
3.4
SYSTEM
3.4.1
System Settings
3.4.1.1
General
3.4.1.2
NTP Settings
3.4.1.3
Web UI Settings
3.4.1.4
Advanced
Deploy Settings
3.4.2.1
Network Interface
Local Subnet
Static Route
Dynamic Route
3.4.2.5
Windows Domain
VPN Interface
3.4.2.7
Vlan Settings
Multi-Line Settings
3.4.2.9
CDP Settings
Users
Network Objects
3.4.4.1
IP Group
Application List
Case Study 13: Add ERP System Application into Application List
3.4.4.3
Time Schedule
WAN OPTIMIZATION
3.5.1
Application
3.5.1.1
HTTP
3.5.1.2
CIFS
3.5.1.3
SMTP
3.5.1.4
POP3
3.5.1.5
Exchange
3.5.1.6
Oracle EBS
3.5.1.7
Citrix
3.5.1.8
RDP
3.5.2
Compression
Server
3.5.3.1
Acceleration Policy
3.5.3.3
Acceleration User
Case Study 16: Create Acceleration User and Associate Policy Group
Case Study 17: Accelerate Exchange Server 2007 Email Delivery
Case Study 18: Accelerate Access to Oracle EBS
Case Study 19: Accelerate Access to CITRIX
Case Study 20: Accelerate Access to RDP
3.5.4
Client
3.5.4.1
Prefetch
Certificates
3.5.5.1
CA Certificate
3.5.5.2
Server Certificate
Advanced
3.5.6.1
Exclusion Rule
Asymmetric Route
3.5.6.3
3.6
BANDWIDTH MANAGEMENT
3.6.1
Objects
3.6.1.1
Application Identification
3.6.1.2
Intelligent Identification
3.6.1.3
URL Group
3.6.1.4
3.6.2
Policy Settings
3.6.2.1
User Group
Bandwidth Settings
3.6.3.1
Virtual Line
Bandwidth Management
Policy Troubleshooting
3.6.5
Advanced
3.6.5.1
Proxy Server
3.6.5.2
Excluded IP
3.6.5.3
Auto Update
3.7
FIREWALL
3.7.1
NAT
3.7.2
SNAT
DNAT
Firewall Rules
Anti-DoS
3.7.6
ARP Protection
3.8
SANGFOR VPN
3.8.1
3.8.1.1
Basic Settings
3.8.1.2
VPN User
Virtual IP Pool
Case Study 38: Configurations for Mobile VPN Users Connecting In
3.8.2
Client
3.8.2.1
VPN Connection
Case Study 39: Only Allow Peer VPN to Access Local WEB Services
Multi-Line
3.8.3.1
Third-Party Authentication
3.8.4.1
LDAP Server
Case Study 42: Mobile VPN User Connects in By Using LDAP Auth
3.8.4.2
3.8.5
Advanced
3.8.5.1
Case Study 43: Allow VPN User to Access Multiple Local Subnets
3.8.5.2
LAN Service
Case Study 44: Control VPN Users Privilege to Access LAN Services
3.8.5.3
Multicast Service
3.8.5.4
Tunnel Route
Case Study 45: Tunnel Route Achieves Communication Between Connecting-in Branch VPN Sites
Case Study 46: Access Internet via VPN Destination Route User
3.8.5.5
Generate Certificate
3.8.6
3.8.6.1
3.8.6.2
3.9
IPSEC CONNECTION
3.9.1
IPSec Connection
3.9.1.1
Phase I
3.9.1.2
Phase II
3.9.1.3
Security Options
HOME PAGE
4.2
HISTORY REPORT
4.3
CUSTOMIZE REPORT
4.3.1
Customize Wizard
4.3.1.1
Statistic Report
Trend Report
4.3.1.3
Sum Report
Report Template
4.4
STATISTICS
4.4.1
IP Flow
4.4.2
Application Flow
4.5
WANO REPORT
4.5.1
IP Connection
4.5.2
Application Connection
4.5.3
IP Flow Trend
4.5.4
4.5.5
4.5.6
4.6
TREND REPORT
4.6.1
IP Flow Trend
4.6.2
4.7
SEARCH
4.7.1
Flow Search
4.7.2
Firewall Log
4.7.3
4.8
SYSTEM MANAGEMENT
4.8.1
4.8.1.1
4.8.1.2
Disk Usage
4.8.2
System Configuration
4.8.3
Configuration Import/Export
5.1.1
Installation
5.1.2
Deployment
5.1.3
Usage
5.2
5.2.1
Installation
5.2.2
Deployment
5.2.3
Usage
5.2.3.1
VPN Settings
5.3.1
Installation
5.3.2
Deployment
5.3.3
Usage
5.3.3.1
VPN Settings
Announcement
Copyright 2011 SANGFOR Technology Co., Ltd. All rights reserved.
No part of the contents of this document shall be extracted, reproduced or transmitted in any form
or by any means without prior written permission of SANGFOR.
SANGFOR, SANGFOR Technology and the SANGFOR logo are
registered trademarks of SANGFOR Technology Co., Ltd. All other trademarks used or
mentioned herein belong to their respective owners.
This manual shall only be used as a usage guide, and no statement, information, or suggestion in it
shall be considered as an implied or express warranty of any kind, unless otherwise stated. This
manual is subject to change without notice. To obtain the latest version of this manual, please
contact the Customer Service of SANGFOR Technology Co., Ltd.
Preface
About This Manual
The WAN Accelerator 6.0 User Manual includes the following chapters:
Chapter
Describe
Installation
Deployment
deployment mode.
Document Conventions
Symbol Conventions
This manual also adopts the following symbols to indicate the parts that need special attention
during operation:
Convention
Meaning
Description
Caution
Warning
Indicates helpful suggestion or supplementary information.
Meaning
Example
boldface: Keywords or highlighted items
italics: Directories, URLs
[]
<>
>: Multilevel menus and submenus
Prompts popped up
CLI Conventions
Command syntax on the Command Line Interface (CLI) follows these conventions:
Any content in brackets [ ] is optional.
Any content in braces { } is required.
If there is more than one option, a vertical bar (|) separates the options, for example:
ip wccp 60 redirect { in | out }
CLI commands appear in bold, for example:
configure terminal
Technical Support
For technical support, use the following methods:
Acknowledgements
Thank you for using our product and user manual. If you have any suggestions about our product or
user manual, please provide feedback to us by phone or email. Your suggestions will be much
appreciated.
1.1 Environment Requirement
To ensure long-term, stable operation of the WAN Accelerator, the power supply should be well
grounded, dustproofing measures taken, the working environment well ventilated and the indoor
temperature kept stable. This product conforms to environmental protection requirements, and its
placement, usage and disposal should comply with the relevant national laws and regulations.
1.2 Power
The SANGFOR WAN Accelerator uses 110 ~ 230V alternating current (AC) as its power supply.
Make sure the device is well grounded before connecting it to the power supply.
1.3 Product Appearance
Above is the front panel of SANGFOR WAN Accelerator 6.0. The interfaces and indicators on the
front panel (from left to right) are described respectively in the table below:
Interface/Indicator
Description
USB
ETH0
ETH1
ETH2
ETH3
POWER
ALARM
1.4
Before configuring the device, prepare a computer and make sure its web browser works normally
(only IE-based browsers such as Internet Explorer and Maxthon are supported; Opera, Firefox,
Safari and Chrome are not supported). Then connect the computer to the WAN Accelerator (in the
same local area network) and configure the WAN Accelerator from the computer over the
established network.
1.5 Wiring Method
Connect the power cable to the power interface on the rear panel of the WAN Accelerator and
switch on the power supply. The POWER indicator (green) and ALARM indicator (red) on the
front panel will light up. The ALARM indicator will go out one or two minutes later, indicating
that the device is running normally.
Then follow the instructions below to wire the interfaces:
Use standard RJ-45 Ethernet cable to connect the ETH0 interface to the local area network (LAN)
While the WAN Accelerator is running normally, the POWER indicator (green) stays lit, the
ALARM indicator stays off, and the ETH2/3 LINK (WAN) and ETH0 LINK (LAN) indicators
(orange) are lit. The ACT indicators (green) flicker when there is data flow.
The ALARM indicator lights for only about one minute while the system loads during startup,
and then goes out to indicate that the device has started successfully. If the ALARM indicator
stays lit during startup, switch off the power supply and restart the device. If it still stays lit
and does not go out, please contact SANGFOR.
Keep the following in mind: use a crossover cable to connect the defined WAN interface to the
router; use a straight-through cable to connect the defined LAN interface to the switch; use a
crossover cable to connect the other defined LAN interface to the computer (for logging in to the
gateway console). If a connection cannot be established but the corresponding indicator functions
normally, check whether the right type of cable is being used for that connection. Straight-through
and crossover cables differ in the wire sequences at both ends, as shown in the figure below:
Gateway Mode
Step 1: Configure IP addresses of WAN and LAN interfaces, DNS address and firewall rules.
Step 2: Configure standard IPSec VPN.
Step 3: Configure WAN optimization module.
Step 4: Add the routes of the different network segments for the WAN Accelerator if there is a
Layer 3 switch and different network segments in the local area network.
2.2 Bridge Mode
The network topology of WAN Accelerator deployed in Bridge mode is as shown below:
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service
Mode] Acceleration Only, and select [Deployment Mode] Bridge.
Step 2: Configure the IP addresses of the logical interface, default gateway, MANAGE interface
and DNS.
Step 3: Configure WAN Optimization module.
In Bridge mode, the two WAN Accelerators must be able to communicate with each other,
either through the VPN established by a VPN device or through a dedicated line, so that the two
SANGFOR WAN Accelerators can access each other normally.
In Bridge mode, the VPN function is not available. Therefore, you have to switch the service
mode to [Acceleration Only] to enable the bridge function.
2.3
The network topology of WAN Accelerator deployed in Double Bridge mode is as shown below:
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service
Mode] Acceleration Only, and select [Deployment Mode] Double bridge.
Step 2: Configure the interface IP address for Br0 and Br1, default gateway IP addresses (WAN 1,
WAN 2, LAN and DMZ), virtual IP address and DNS address.
Step 3: Configure WAN Optimization module.
2.4
The network topology of WAN Accelerator deployed in Single Arm mode is as shown below:
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Deployment
Mode] Single arm.
Step 2: Configure IP address of the LAN interface, default gateway and DNS address.
For a WAN Accelerator deployed in Single Arm mode, the following four methods may
help to avoid a routing loop:
a.) In a Layer 2 environment, point the gateway of the LAN PCs to the SANGFOR
WAN Accelerator;
b.) In a Layer 2 environment, add a route on each LAN PC that points to the peer end,
with the local single-arm WAN Accelerator as the gateway of the route;
c.) Enable policy-based routing and CDP on the frontend device;
d.) Enable the WCCP function on the frontend device.
Unless the above measures are taken, a routing loop may appear in the local area network and
disable all data communication between the devices at both ends.
Since the WAN Accelerator is deployed in Single Arm mode ([Acceleration Only] does not
support the VPN function), you have to ensure that a VPN connection between the two local area
networks has been established and that the WAN Accelerators at both ends can access each
other.
Web UI Login
Having completed the wiring, you can go on to configure the SANGFOR WAN Accelerator through
the Web UI of the gateway console. Detailed procedures are described in the following sections
of this chapter.
Configure a valid IP address for the WAN Accelerator (e.g., 10.254.254.251) and subnet mask
255.255.255.0. Then type the default login IP address and port of the WAN Accelerator,
https://10.254.254.254, in the address bar of the IE browser, and the following gateway console
login interface appears:
Before logging in, you may be required to install the pop-up ActiveX control, as shown below:
Click the prompt "This site might require the following ActiveX control: WebUI Control from Sangfor
Technologies Co., Ltd. Click here to install" and then click Install ActiveX Control.
Follow the instructions to finish the installation, as shown in the following page:
If you want to view the version information, click the link <View Version>. The version
information is displayed as follows:
After logging in to the Web UI, you will see the following configuration modules:
[Home]: Homepage of the WAN Accelerator. You can maintain the device and view the running
status.
If there is an <OK>, <Save> or <Save and Apply> button on a configuration page, click
it after modifying/configuring the parameters to save or apply the settings of that page/tab.
This will not be repeated in the subsequent parts of this user manual.
Each configuration page has a <Help> link at the top of the console interface. If you need
help, click it to view a brief description of the items or page/tab.
3.2 Main Menus
The six main menus are [Maintenance], [Status], [Tools], [Wizard], [Data Center] and [Help], at
the top of the gateway console. Click any of them and select a submenu to go directly to the
corresponding page.
The main menus are as shown below:
3.2.1 Maintenance
[Maintenance] consists of four submenus, namely, [License], [Backup/Restore],
3.2.1.1 License
[License] requires you to enter the serial numbers related to this WAN Accelerator. These serial
numbers determine the availability of the WAN optimization function, IPSec VPN function,
bandwidth management function, URL library update service, etc. After the serial numbers have
been filled in and the <Save and Apply> button has been clicked, the authorized licenses will be
generated automatically.
The [License] page is as shown below:
[WANO License]: Enter the WANO license and click the <Save and Apply> button to activate the
WAN optimization function. Activated means the function is available; while Not activated
indicates the function is unavailable.
[Number of Mobile VPN Users Allowed]: Indicates the number of mobile VPN users supported
by this WAN Accelerator.
[Cross-ISP License]: Enter the Cross-ISP license and click the <Save and Apply> button to
activate the Cross-ISP function (multiple Internet Service Providers (ISP) are supported).
Activated means the function is available; while Not activated indicates the function is
unavailable.
[VPN License]: Enter the VPN license and click the <Save and Apply> button to activate the
Sangfor VPN function. Activated means the function is available; while Not activated
indicates the function is unavailable.
[BM License]: Enter the Bandwidth Management (BM) license and click the <Save and Apply>
button to activate the BM function. Activated means the function is available; while Not
activated indicates the function is unavailable.
3.2.1.2 Backup/Restore
[Backup/Restore] page helps to back up and restore the configurations of this WAN Accelerator,
including two configuration pages: [System] and [WAN Optimization].
3.2.1.2.1 System
On the [System] page, check the [Backup Reminder] option and configure [Every( _ )day(s)], and
the system will remind you to back up the configurations at the configured time interval once you
log in to the gateway console, as shown below:
Click the <OK> button and you may enter the [Maintenance] > [Backup/Restore] > [System] page
directly, as shown below:
The system configurations saved in the local computer include that of the [WAN
Optimization] module.
3.2.1.2.2 WAN Optimization
On the [WAN Optimization] configuration page, the three options, namely, [Backup
Configuration], [Restore Configuration] and [Restore From Auto Backup], only help to back up or
restore the configuration of [WAN Optimization] module rather than back up or restore all the
configurations of the local WAN Accelerator; and these backup configurations are stored in the
WAN Accelerator instead of the local computer.
Select [Restore Configuration] option and select a needed backup file; click the <Restore> button
to replace the current configurations with those of the selected backup file, as shown below:
Select the [Restore From Auto Backup] option and select a needed backup file; click the
<Restore> button to replace the current WAN optimization configurations with those in the
selected file that has been backed up, as shown below:
3.2.1.3 Reset/Restart/Shutdown
[Reset/Restart/Shutdown] is used for fast reboot or shutdown of the local WAN Accelerator and
for restoring the settings to factory default.
The page is as shown below:
Some WAN Accelerator models DO NOT support the <Shutdown> function on this page
(as shown below):
3.2.1.4 Web Console
[Web Console] page enables you to execute some common commands on Web page (including
Here, we take the most frequently used commands, ping and ip route, as examples to illustrate how
to use the commands on the web console.
Example 1:
Type ping plus a destination IP address on the command line, and you can check the connectivity
between this destination IP address and the local WAN Accelerator, as shown below:
From the returned results we can see the connectivity to destination address 10.254.254.120 is
smooth.
Example 2:
Type ip route on the command line to view the routing table of the WAN Accelerator, as shown
below:
As to other commands that can be executed through the [Web Console] page and the related
introduction to each command, please type help command on the command line.
3.2.2 Status
[Status] includes six submenus, namely, [WAN Optimization], [Logs], [Bandwidth Monitor],
[VPN], [DHCP Status] and [Gateway Status].
3.2.2.1 WAN Optimization
[WAN Optimization] consists of [Acceleration Status], [Acceleration Connections] and
[Application Connections] pages.
3.2.2.1.1 Acceleration Status
[Acceleration Status] displays the system running status, including CPU usage, memory usage,
disk usage (used/total), flow reduction rate, flow before/after acceleration, service uptime, etc.
You can also view the real-time flow over the past 60 seconds, real-time connections over the past
60 seconds and real-time IP flow on this page, as shown below:
3.2.2.1.2 Acceleration Connections
[Acceleration Connections] page helps to search and display the connection information.
The page is as shown below:
[User]: Displays the name of the gateway/user currently connecting in or connecting out.
[Reverse User]: Displays the name of the user.
[Peer Device]: Displays the name of the peer device. If it is a mobile user, the name is PACC.
[Peer IP]: Displays the LAN IP address of the peer WAN Accelerator.
[Speed]: Displays transmission speed of the currently-accelerated data.
[Sessions/Tunnels]: Displays the total number of sessions and the remaining number of sessions
available for acceleration connection.
[Flow(before/after)]: Displays the amount of flow going through the device before and after
acceleration. Normally, flow throughput caused after acceleration is less than that caused before
acceleration.
[Reduction Rate]: Displays the rate of the flow caused before acceleration to the flow caused after
acceleration.
[Status]: Displays the connection status of the corresponding user.
[Protocol]: Displays the acceleration protocol being used by the user.
[Connection Time]: Displays the time when the user connects in to or exits from the WAN
Accelerator.
[Operation]: Click the corresponding link and you can view that single user's real-time flow
over the past 60 seconds, or view the application connections of that user.
You can also set some filtering options to view the connection status of specified device(s) or
mobile user(s).
Once you clear the cache, all the cached files on the WAN Accelerator will be deleted,
which means all the data saved by the byte cache will get lost and afterward have to be cached
once again.
3.2.2.1.3 Application Connections
[Application Connections] page enables you to search and display the connection status of various
applications. Choose an application type (Proxy type), and enter source IP address (Host IP) and
destination IP address (Remote IP), and then click the <Search/Refresh> button to view the
connection status of the specified connection(s) applying the selected application type.
The page is as shown below:
3.2.2.2 Logs
[Service Logs] displays the running logs and error messages of the WAN Accelerator. To view the
needed logs, select a date and the system will display the corresponding logs generated during the
specified time period, as shown below:
Click the <Log Settings> button to define the display of service logs, as shown below:
The SANGFOR WAN Accelerator will only save the logs for 14 days, the logs of the
earlier days will be deleted automatically.
3.2.2.3 Bandwidth Monitor
[Bandwidth Monitor] enables you to view the running status of the bandwidth management
function and of each channel, and view the flow information of the external lines and bandwidth
channels.
3.2.2.4 Flow Status
[Flow Status] page displays the running information of BM module, flow information of
bandwidth channels and information of exclusion policy (of bandwidth channels), as shown
below:
[Running Information of Bandwidth Management]: Displays the running status of the system and
the flow information of the external lines.
[+] or [-]: Click the icon [+] or [-] to unfold or fold the information of each sub-channel
respectively.
<Stop Refresh>: Click this button to stop automatically refreshing the flow information.
[Display]: Select [All Channels] or [Running Channels] to display the bandwidth and flow
information of all the configured bandwidth channels or of the running channels configured.
[Over]: Select a time period based on which the flow and flow speed statistics are to be made. The
device will calculate the flow information over the selected time period, namely, the past [5
minutes], [15 minutes], [30 minutes], [1 hour], [2 hours], or [6 hours], etc.
[Save Settings]: Click this item to save your display preferences, [Display] and [Over]. Next time
when you view the [Flow Status] page, the flow status information to be displayed will be
collected according to your display preferences.
Bandwidth Channel
Exclusion Policy
[Exclusion Policy] displays the real-time speed, history speed and history flow related to the
application(s) and service(s) not included in the bandwidth channel (policies).
The page is as shown below:
3.2.2.4.1 Flow Rankings
[Flow Rankings] page enables you to view the real-time uplink flow and downlink flow rankings.
You can search (by specifying the IP address) for the flow rankings of a maximum of 400 users, and
view [Uplink and downlink] flow, [Only uplink] flow or [Only downlink] flow, as well as select
the time interval at which the flow rankings are automatically refreshed.
The page is as shown below:
3.2.2.4.2 Connections Monitor
[Connections Monitor] page enables you to search for the connection information of the entered
IP address.
The page is as shown below:
3.2.2.5 VPN
[VPN Status] page displays the information of the real-time VPN connections and network flow.
The page is as shown below:
Click the <Stop Service> button to stop the VPN service temporarily.
3.2.2.7 Gateway Status
[Gateway Status] page presents the WAN interface IP addresses of the local WAN Accelerator and
traffic going through these WAN interfaces, and allows you to enable the remote maintenance
feature and to start the services, etc. The page is as shown below:
3.2.3 Tools
[Tools] includes [Ping], [Tracert] and [Show ARP].
3.2.3.1 Ping
[Ping] page mainly helps to check the connectivity of the networks. Enter the IP address, and click
the <Ping> button, as shown below:
Here, <Ping> has exactly the same function as the ping command on Web console.
3.2.3.2 Tracert
[Tracert] page mainly helps to check whether there is any route address unreachable between the
SANGFOR WAN Accelerator and the destination IP address. Enter the destination IP address and
then click the <Tracert> button, as shown below:
Here, <Tracert> has exactly the same function as the traceroute command on Web
console.
3.2.3.3 Show ARP
[Show ARP] page mainly helps to check the ARP table of the SANGFOR WAN Accelerator, and
thus check whether ARP spoofing exists. Click the <Show ARP> button, as shown below:
Here, <Show ARP> has exactly the same function as the arp command on Web console.
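One way to review the table returned by <Show ARP> for the signs of ARP spoofing mentioned above, as an added example that is not part of the original manual. It assumes the output has been copied out as text in the Linux `arp -n` column layout (the manual does not show the format); the sample table, the baseline and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of Linux `arp -n` (an assumption:
# the manual does not show what the device prints). Addresses and MACs are
# made up for the example.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.1                ether   02:00:5e:10:00:78   C                     eth0
192.0.2.20               ether   02:00:5e:10:00:14   C                     eth0
192.0.2.120              ether   02:00:5e:10:00:78   C                     eth0
192.0.2.130                      (incomplete)                              eth0
192.0.2.140              ether   02-00-5E-10-00-8C   C                     eth0
"""

# Known-good bindings recorded while the network was in a trusted state
# (constructed values; in practice: the gateway and key servers).
SAMPLE_BASELINE = {
    "192.0.2.1": "02:00:5e:10:00:01",
    "192.0.2.20": "02:00:5e:10:00:14",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def normalize_mac(mac):
    """Lower-case, colon-separated form so that comparisons are exact."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return (ip, mac, iface) for every resolved IPv4 entry in the table."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[0]))
        except ValueError:
            continue  # header line or unrelated text
        macs = [f for f in fields[1:] if MAC_RE.match(f)]
        if not macs:
            continue  # "(incomplete)": no reply received, nothing to compare
        entries.append((ip, normalize_mac(macs[0]), fields[-1]))
    return entries


def shared_macs(entries):
    """MACs that answer for more than one IP on the same interface.

    Not proof of spoofing on its own: a host with several bound IP addresses
    or a router doing proxy ARP looks the same, so each hit needs review.
    """
    by_mac = defaultdict(set)
    for ip, mac, iface in entries:
        by_mac[(iface, mac)].add(ip)
    return {
        key: sorted(ips, key=ipaddress.IPv4Address)
        for key, ips in by_mac.items()
        if len(ips) > 1
    }


def baseline_violations(entries, baseline):
    """(ip, expected_mac, seen_mac) where the table disagrees with the baseline."""
    known = {ip: normalize_mac(mac) for ip, mac in baseline.items()}
    return [
        (ip, known[ip], mac)
        for ip, mac, _iface in entries
        if ip in known and known[ip] != mac
    ]


def review(text, baseline):
    """Human-readable findings, baseline mismatches first."""
    entries = parse_arp_table(text)
    findings = []
    for ip, expected, seen in baseline_violations(entries, baseline):
        findings.append(f"CHANGED  {ip}: expected {expected}, table shows {seen}")
    for (iface, mac), ips in shared_macs(entries).items():
        findings.append(f"SHARED   {mac} on {iface} answers for {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_ARP_TABLE, SAMPLE_BASELINE):
        print(finding)
```

A gateway address whose MAC differs from the recorded baseline and matches another host's MAC is the combination that warrants immediate follow-up.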
3.2.4 Wizard
[Wizard] page shows you the sequential steps to configure the basic pages quickly. Just follow the
steps given by the wizard to complete configuring each module.
Click the link (in light blue) to directly enter the corresponding configuration page. As for the
detailed configuration guide for each page, please refer to the relevant section in this user manual.
For detailed introduction and usage guide to the Data Center, please refer to 3.8 Sangfor VPN.
3.2.6 Help
Click [Help] and you will see the brief introduction to the activated page.
3.3 Home
[Home] page is exactly the same as that of [Status] > [WAN Optimization] page. Please refer to
Section 3.2.2.1 WAN Optimization.
3.4 System
[System] module includes the configurations of [System Settings], [Deploy Settings], [Users],
[Network Objects] and [DHCP Settings], as shown below:
3.4.1.1 General
[General] page configures the date, time and time zone on the WAN Accelerator, as shown below:
Having completed configuring the date, time and time zone, you have to click the <Save and
Apply> button to save the settings.
3.4.1.2 NTP Settings
[NTP Settings] page configures the time synchronization options to have the system time of the
WAN Accelerator keep synchronizing with the NTP servers. Enter the addresses for the four
servers, and then click the <Sync Now> button. Having saved and applied the settings, you can
get the time of each NTP server, and choose a most accurate time to synchronize the time of the
local device.
The page is as shown below:
Click the <Sync Now> button to have the system time synchronize with the server immediately.
Having completed configuring the page, you have to click the <Save> button to save the settings.
3.4.1.3 Web UI Settings
[Web UI Settings] page configures the Web service port of the gateway console and the timeout
options functioning after the user logs in to the gateway console. If the service port (HTTPS login
port) is modified, you have to log in to the gateway console through this new port.
The page is as shown below:
[HTTPS Login Port]: Configures the HTTPS port used for logging in to the gateway console.
[Page Timeout]: If there is no operation on the console during this period of time, the console user
will automatically log out of the gateway console.
[Operation Timeout]: If a page fails to open during this time interval, the system will think it
3.4.1.4 Advanced
[Advanced] page configures the listening port for the acceleration service provided by the WAN
Accelerator, the device name and functions of MAC Track, High-speed TCP.
[Listening Port]: Configures the listening port of acceleration service provided by the WAN
Accelerator. It is TCP and UDP 5400 port by default. Each WAN Accelerator must be able to
access its peer listening port normally; otherwise, the two terminals will fail to establish the
acceleration connection.
[Device Name]: Defines the name of the WAN Accelerator, distinguishing it from WAN
Accelerators of other sites. This name will be displayed at the top of WEB UI page, together with
the SANGFOR logo, as shown below:
[Enable MAC Track]: Check or uncheck this option to enable or disable the MAC Track function
respectively.
When the WAN interface of the bridge device receives TCP SYN data from another tunnel (instead
of the acceleration tunnel), the destination IP address and destination MAC address will be
recorded. If other TCP data needs to access this destination IP address through the
acceleration tunnel, the bridge device will directly forward the data from the LAN interface to the
host's MAC address according to the information recorded before.
Check the [Enable MAC Track] option and there is no need for you to add a return route in single
Bridge mode.
As to the configuration on the Branch's WAN Accelerator, please follow the steps below:
Step 1: On the [System] > [Deploy Settings] > [Network Interface] page, select [Acceleration
Only] as the [Service Mode], and select [Bridge] as the [Deployment Mode].
Step 2: Configure the Br0 IP address as 172.16.0.2/24, default gateway IP address as
172.16.0.1/24, MANAGE interface IP and DNS address according to your case.
Step 3: Configure [WAN Optimization] > [Client] page.
3.4.2.1 Network Interface
[Network Interface] page configures the working mode of the WAN Accelerator, interface IP address
and DNS address, etc.
Working mode includes [Service Mode] and [Deployment Mode].
[Service Mode] falls into [Acceleration Only] and [VPN and Acceleration] service modes.
[Acceleration Only]: When this option is selected, the device only enables the acceleration
function, which means the VPN function is unavailable. Under this service mode, you can deploy
the WAN Accelerator in Gateway mode, Bridge mode, Double Bridge mode and Single Arm
3.4.2.1.1 Gateway Mode
The [Network Interface] configuration page of gateway mode is as shown in the following page:
[LAN] is a network segment that the firewall protects, covering all the devices and hosts of the
local area network. LAN network segment is a trusted one for the firewall.
[WAN] section configures the external lines. Select a [Line Type], [Ethernet], [PPPOE] or
[DHCP].
If you are connecting to the Internet through PPPOE dial-up, select [Line Type] PPPOE; fill in
the [User Name], [Password] and check the [Enable auto dial] option. Having completed
configuring the page, click the <Save and Apply> button to save all the settings; all the services
will restart; log in again and then click the <Start Dial-up> button; from then, the WAN
Accelerator will automatically dial up once it disconnects with the Internet. [Advanced Attribute]
consists of the parameters for dial-up; they are 20, 80 and 3 by default, as shown below:
[DMZ] defines the small network segment in a local area network of an enterprise. Some servers
are located in DMZ network segment, such as web server, mail server, FTP server and external
DNS server, etc., providing services for the external networks. The firewall allows the services of
this network segment to be delivered to the WAN and protects it from attacks at the same time.
If the DMZ interface (ETH1 on the front panel of device) is not used, keep the default
settings unchanged.
[MTU] configures the MTU value of the interface; it is the Ethernet standard value 1500 bytes by
default. In some network environment, if the MTU of certain network device is lower than 1500,
the related data packets might be discarded; in that case, you can manually modify this MTU
value and keep it relevant with that of the network device.
[DNS] shows the DNS addresses provided by the local ISP. Fill in the correct address according to
your case.
The filled in interface IP addresses of LAN, WAN, DMZ must be coherent with your
network.
If WAN interface is using a static IP address, you can bind multiple IP addresses with this
interface. Just click the <Multi-IP Binding> button, enter the IP addresses and click the
<OK> button, as shown below:
The IP address bound with the WAN interface must be of a same network segment with that
of the WAN interface; otherwise, the IP address bound will not work normally.
The IP address bound with WAN interface cannot be used again to connect VPN.
3.4.2.1.2
The [Network Interface] configuration page of Single Arm mode is as shown below:
Under Single Arm mode, WAN and DMZ options are unavailable.
If there are multiple network segments in the local area network where the single-arm
mode WAN Accelerator locates, you have to configure the subnet segments of the LAN on the
[Local Subnet] page (excluding the subnet segment of the LAN interface IP).
3.4.2.1.3 Bridge Mode
[Bridge Interface]: Select two interfaces to establish the bridge, options are [LAN->WAN1],
[DMZ->WAN2]. You cannot define the interface for bridging.
[Logic Interface]: Configures the IP address of the logic interface (Br0), subnet mask and default
gateway of the bridge-mode WAN Accelerator.
[Manage Interface]: Configures the IP address of the MANAGE interface of the bridge-mode
WAN Accelerator. You can select any of the interface as the MANAGE interface except the
interfaces used for bridging.
Under Bridge mode, LAN and WAN direction cannot be mixed up; otherwise, no
acceleration effect will be achieved.
The IP address of the logic interface must be of the same subnet segment as that of the WAN-end
firewall/router, and as that of the LAN-end core switch.
The MANAGE interface can only be used for managing the SANGFOR WAN Accelerator,
not supporting other use such as the WAN Accelerator getting access to the Internet through
this MANAGE interface.
3.4.2.1.4
The [Network Interface] configuration page of Double Bridge mode is as shown below:
Under the Double Bridge mode, you need to configure two bridges (BR0 and BR1), including the
logic IP address, subnet mask, default gateway of LAN and default gateway of WAN.
[Default Gateway(WAN1/WAN2)]: Indicates the interface IP address of other devices at the WAN
end of the SANGFOR WAN Accelerator. Configure [Default Gateway(WAN1/WAN2)] and you
will have the WAN Accelerator communicate with the external networks normally to establish
acceleration connection.
[Enable synchronization link]: This function is applied to the redundant network environment
(such as VRRP) where the WAN Accelerator is deployed in Double Bridge mode. Once the
system detects that any interface of the bridge pair falls out, it will automatically disconnect the
other interface of the bridge pair, so as to ensure smooth data transmission and switch between the
redundant WAN Accelerators.
[Default Gateway(LAN/DMZ)]: Indicates the interface IP address of the core switch at the
LAN/DMZ end of the WAN Accelerator. Configure [Default Gateway(LAN/DMZ)] and you will
be free from adding a return route when there is layer 3 switch in the local area network and there
are divisions of VLAN.
[Virtual IP Settings]: Configures the virtual IP address of the double-bridge WAN Accelerator. It is
this virtual IP address through which other WAN Accelerators establish acceleration connections
with this double-bridge WAN Accelerator.
The virtual IP may or may not be in the same network segment as BR0 or BR1.
If there is a layer 3 switch in the local area network, [Default Gateway(LAN/DMZ)] must be
filled in; if there is only a layer 2 switch, [Default Gateway(LAN/DMZ)] is not required.
3.4.2.2 Local Subnet
[Local Subnet] page configures the subnet segments of the local terminal if the WAN Accelerator
is deployed in Single Arm mode (the subnet segment where the LAN interface IP locates does not
need to be added).
The page is as shown below:
3.4.2.3 Static Route
[Static Route] page helps to add a route for the data (both VPN and non-VPN) that are to be
forwarded by the WAN Accelerator and the data of the WAN Accelerator itself.
3.4.2.4 Dynamic Route
[Dynamic Route] page configures the dynamic RIP settings to enable the SANGFOR WAN
Accelerator to inform other routing devices of the routing information by using RIPv2 protocol,
and therefore, to ensure that the RIP routing information of the LAN routing devices can be
dynamically updated.
[Enable Routing Information Protocol]: Check the option and this function will be activated. The
WAN Accelerator will inform the LAN routing device (configured on the tab above) of the
network information of the peer terminal with which the local WAN Accelerator has established
VPN connection. With that information, the routing device will update its routing table, adding a
route that directs to the peer WAN Accelerator, and the local WAN Accelerator being the gateway
of this route; once the VPN connection cuts off, the local WAN Accelerator will inform that
routing device of the disconnection so that it can delete this route.
The routing device itself does not accept dynamic update implemented by the RIP routing
protocol. If the WAN Accelerator wants to communicate with other LAN routing devices that have
enabled RIP protocol, it must be configured manually with a static route.
[Enable Password Authentication]: Configures the password needed for exchanging RIPv2
protocol information. You can configure it according to your specific case.
[IP Address], [Port]: Configures the IP address and port of the routing device to which the WAN
Accelerator sends routing update information initiatively.
[Trigger Update]: Check this option and the WAN Accelerator will trigger the update of the
3.4.2.5 Windows Domain
[Windows Domain] page helps to add the WAN Accelerator into the windows domain of the
intranet, so as to improve Exchange 2007 in receiving and sending emails. If the WAN
Accelerator cannot be added into the windows domain, receiving/sending email of Exchange 2007
will not be accelerated.
The page is as shown below:
Only the server WAN Accelerator need join the windows domain; the client WAN
Accelerator need not join the windows domain.
3.4.2.6 VPN Interface
[VPN Interface] page configures the IP address and mask of the virtual network adapter for the
IPSec VPN service.
The page is as shown below:
[VPN Interface Setting]: Configures the local VPN's network segment and mask which the peer
VPN will be informed of. If either [LAN Mask] or [DMZ Mask] is checked and configured, the
local WAN Accelerator will only inform the peer VPN of the network segment that owns the
configured mask (mask of the LAN or/and DMZ interface). If neither is checked and configured,
the network segments that the LAN interface and DMZ interface locate at both sides (server WAN
accelerator and client WAN accelerator) cannot access each other.
Select the [Default] option if you want to use the default IP address and mask; or define an
idle IP address if the default IP address conflicts with any working IP address. The configuration
is as shown below:
VPN port is a virtual port of the WAN Accelerator; in reality, no such physical port exists.
3.4.2.7 VLAN Settings
[Enable VLAN Support]: Check this option to enable the VLAN Support feature. The page is as
shown below:
VLAN Support function enables the peer WAN Accelerator (peer device) to restore the original
VLAN ID of the processed data packet (for the local WAN Accelerator changes the VLAN ID
The Headquarters and Branch Office are connected to each other by a leased line; at each end of
the leased line is a switch; the two switches have enabled trunk. Both the Headquarters and
Branch Office have VLAN 1 and VLAN 2; VLAN 1 and VLAN 2 cannot access each other.
Requirement: To accelerate the data transmission from VLAN 1 and VLAN 2 to the Headquarters
(HQ).
To achieve the acceleration effect, we deploy the two WAN Accelerators in between the two
switches of the headquarters and the branch, in Bridge mode. Detailed configuration procedure is
as shown below:
Step 1: Under Bridge mode, configure the IP addresses of the Br0 interfaces of the two WAN
Accelerators; the two IP addresses must be of a same network segment, ensuring the
communication between the two WAN Accelerators.
Step 2: Configure the server WAN Accelerator and client WAN Accelerator to have the server and
client establish acceleration connection quickly.
[Enable VLAN ID Settings]: Check this option to apply the VLAN ID settings.
Click the <New> button and configure [VLAN ID] and [Destination IP] (single IP address or IP
range) to have the destination IP address labeled with the VLAN ID. The related IP address(es)
contained in the data packet that is to be forwarded, after being handled by the WAN Accelerator,
will be tagged with the corresponding VLAN ID. In this way, the IP addresses of a same VLAN or
of different VLANs can access each other.
The HQ WAN Accelerator and Branch WAN Accelerator are connected to each other with a
leased line; at each end of the leased line is a router. The router enables single-arm routing
function (the interface is configured with multiple sub-interfaces). Both the headquarters and
branch have VLAN 100, VLAN 200 and VLAN 300, which cannot be accessed by other VLAN.
Requirements: a). accelerate the data transfer between the VLAN (VLAN 100, VLAN 200 or
VLAN 300) and headquarters; b). VLAN 100, VLAN 200 and VLAN 300 can access each other,
and at the same time, these VLANs and HQ VLAN servers can access each other.
To meet the customer's two requirements, our only choice is to deploy the WAN Accelerator in
Bridge mode, in between the switch and router, and then configure the system as follows:
1. Configurations on WAN Accelerators:
1.) Bind the server/client WAN Accelerator with IP addresses, ensuring that each VLAN has
at least an IP address being bound, so that the WAN Accelerator can access every VLAN.
2.) Check the [Enable VLAN ID Settings] option for the server WAN Accelerator and the
client WAN Accelerator, and then configure the VLAN settings, as shown below:
3.) Configure the other necessary settings for the server WAN Accelerator and the client
WAN Accelerator, and ensure that the two WAN Accelerators can establish acceleration
connection smoothly.
2. Configuration on the Switches
1.) Configure Switch
Configure the switch to ensure it supports VLAN; configure the TRUNK interface and the
VLAN data that are allowed to go through it.
2.) Configure Router
The router must be configured with sub-interfaces; every VLAN is assigned a sub-interface IP address.
3.4.2.8 Multi-Line Settings
In a network where the WAN Accelerator is deployed in Gateway mode using multiple WAN lines, or
where it is deployed in Single-arm mode with the multiline function enabled, you need to add the
lines on this tab. You can add, delete and edit the line information and
configure the line selection policy.
The default configuration page is as shown below:
If your case is any of the two situations above, please check the [Enable Multiline] option and add
If you want to close the multiline status detection function when the Internet lines are activated
and in good status, UNCHECK the [Enable DNS Detection] option.
[DNS Detection Time]: Specifies the time interval that the multiline status is to be detected. It
only applies when the option [Enable DNS Detection] is checked.
Multi-line advanced settings are only applicable to network that has multiple Internet lines.
If your network has only one Internet line, you need not configure the advanced settings.
3.4.2.9 CDP Settings
[CDP Settings] page configures the options of CDP protocol supported by the WAN Accelerator.
On the [System] > [Deploy Settings] > [Network Interface] page, select [Acceleration Only] as the
[Service Mode] and [Single arm] as the [Deployment Mode]; the [CDP Settings] tab then appears, as
shown below:
Check the [Support CDP Protocol] option and type the gateway name and detection time in the
boxes.
The purpose of checking the [Support CDP Protocol] option is to enable the single-arm WAN
Accelerator (VPN function is not supported) to associate with the CDP-supported frontend
device, so as to implement policy-based routing. As the front-end device will be unable to
detect the existence of the WAN Accelerator with CDP when the single-arm WAN
Accelerator is in failure, the frontend device itself will invalidate the policy-based routing
and restore the previous data flow direction, so as to avoid impact caused by the failure of the
WAN Accelerator.
CISCO IOS
12.1(14), 12.2(26), 12.3(13), 12.4(10), 12.1(3)T, 12.2(14)T, 12.3(14)T5, 12.4(9)T1
Catalyst 6500 with Sup720 or Sup32: 12.2(18)SXF12
12.1(27)E, 12.2(18)SXF10
Catalyst 4500: 12.2(31)SG
Catalyst 3750: 12.2(37)SE
* The information in the above table is only for reference. They are subject to change without
notice. Please refer to the CISCO official website.
The typical network topology of WCCP deployment is as shown below.
Only when both the [Acceleration only] and [Single arm] options (under the [System] > [Deploy
Settings] > [Network Interface] page) are checked, will the following configuration page of
[WCCP Settings] appear, as shown below:
Click the check box next to [Enable WCCP v2] to enable the WCCP function.
Note that WCCP and CDP cannot be enabled at the same time.
[Transmission Mode]: Transmission mode specifies the data encapsulation method when the
WAN Accelerator and the router are communicating. Options are GRE and Layer 2.
[GRE] can work through a layer 3 switch, while [Layer 2] can only communicate in layer 2
environment. Selection of transmission mode is subject to the actual topology, and the
transmission method of the switch or router supported.
The following table lists the transmission modes supported by CISCO devices respectively. For
devices of other venders, please contact your hardware device supplier:
CISCO HARDWARE
GRE
GRE or L2
GRE or L2
Catalyst 4500
L2
Catalyst 3750
L2
* The information in the above table is for reference only. It is subject to change without
notice. Please refer to the CISCO official website.
[Weight]: When several local WAN Accelerators are deployed in your network, this parameter
sets the ratio in which TCP traffic is allocated among these devices.
For example, if the weight of device A is 100 and the weight of device B is 200, device A will take
the flow of 100/(100+200) and device B will take the flow of 200/(100+200). When there is only
one WAN Accelerator, you can set the weight as any value.
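The weight ratio described above, as an added example that is not part of the manual or the product's code: WCCPv2 hash assignment spreads redirected traffic over 256 buckets, so the 100:200 ratio becomes a bucket count per device. The largest-remainder split, the CRC32 stand-in hash and all function names are assumptions of this example.

```python
"""Weight-to-share illustration for WAN Accelerators in one WCCP service group."""
import ipaddress
import zlib

BUCKETS = 256  # WCCPv2 hash assignment divides redirected traffic into 256 buckets


def allocate_buckets(weights):
    """Split the buckets between devices in proportion to their weights.

    Largest-remainder rounding is an assumption of this example; it guarantees
    that every bucket has exactly one owner. Returns {device: [bucket, ...]}.
    """
    if not weights or any(w <= 0 for w in weights.values()):
        raise ValueError("every device needs a positive weight")
    total = sum(weights.values())
    exact = {dev: BUCKETS * w / total for dev, w in weights.items()}
    counts = {dev: int(share) for dev, share in exact.items()}
    leftover = BUCKETS - sum(counts.values())
    # Hand the remaining buckets to the devices with the largest fractions.
    by_fraction = sorted(exact, key=lambda d: (exact[d] - counts[d], d), reverse=True)
    for dev in by_fraction[:leftover]:
        counts[dev] += 1
    table, start = {}, 0
    for dev in sorted(counts):
        table[dev] = list(range(start, start + counts[dev]))
        start += counts[dev]
    return table


def bucket_for(src_ip):
    """Map a source IP to a bucket. CRC32 is a stand-in, not the WCCP hash."""
    return zlib.crc32(ipaddress.ip_address(src_ip).packed) % BUCKETS


def owner_of(table, src_ip):
    """Return the device that receives traffic from src_ip."""
    bucket = bucket_for(src_ip)
    for dev, buckets in table.items():
        if bucket in buckets:
            return dev
    raise LookupError(f"bucket {bucket} has no owner")


def client_share(table, network):
    """Count how many hosts of a client subnet land on each device."""
    share = {dev: 0 for dev in table}
    for host in ipaddress.ip_network(network).hosts():
        share[owner_of(table, str(host))] += 1
    return share


if __name__ == "__main__":
    table = allocate_buckets({"A": 100, "B": 200})
    print({dev: len(b) for dev, b in table.items()})   # bucket count per device
    # Constructed client subnet: the observed split only approximates 1:2,
    # because whole source addresses (not bytes of traffic) are hashed.
    print(client_share(table, "172.16.1.0/24"))
    # With a single device the weight value is irrelevant: it owns every bucket.
    print(len(allocate_buckets({"A": 7})["A"]))
```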
Click the <New> button to add a new router or switch IP address to enable WCCP protocol; you
[Service Group ID]: Configures the WCCP service group to which the WAN Accelerator and the
router/switch belong. This service group ID must be the same as that configured on the
router/switch; otherwise, the WCCP protocol cannot be used.
[Password]: Configures the password for WCCP interaction. If the password is incorrect, WCCP
protocol information will not be exchanged properly. DO keep the [Password] here the
same as the password set on the router/switch.
[Data Flow Type]: [TCP] and [ICMP] options are available. It defines the types of data that the
router/switch redirects to the WAN Accelerator. If no type of data flow is selected, the system will
redirect the types of data according to the routing table of the router/switch. Generally, TCP data
is recommended, while ICMP is mainly used for checking the validity of the WCCP function with
the ping/tracert command.
[Priority]: Priority applies when there are several different service groups. If different
service groups have the same redirection policy, select the service group policy with
higher priority to redirect the data. If there is only one service group, the priority can be set as any
value.
[Policy Mark]: Enable Hash policy when there are several WAN Accelerators, assigning data
redirection by different policies. This approach avoids the situation in which multiple
connections originating from the same IP address to the same server are redirected to a different WAN
According to the customer's requirements, the headquarters must utilize WCCP protocol to meet
the needs.
In this section we focus only on the configuration of WCCP; other settings are
ignored.
It is necessary to understand the WCCP configuration on the CISCO device. There are two
ways to configure WCCP on a CISCO device: one is to configure in, which means the data
received by this interface will be redirected; the other is to configure out, which means the data
sent out by this interface will be redirected. In this example, we configure out (to configure in,
we would need to configure each VLAN interface).
1. The configuration commands are as shown below:
configure terminal
! One extended ACL lists every client subnet whose TCP traffic to 192.168.2.0/24 is redirected.
ip access-list extended wccp_acl1
 permit tcp 172.16.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit tcp 172.16.2.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit tcp 172.16.3.0 0.0.0.255 192.168.2.0 0.0.0.255
exit
ip wccp version 2
! A service group takes a single redirect-list; entering the command again with another ACL replaces the earlier one.
ip wccp 60 redirect-list wccp_acl1 password 123456
interface f0/10
 ! Redirect traffic leaving this interface (configure out).
 ip wccp 60 redirect out
2. Next, we are going to configure WCCP options on the SANGFOR WAN Accelerator, as
shown in the figures below:
3. Click the <OK> button and we have completed configuring the WCCP router address.
4. Finally, click the <Save and Apply> button to save all the above settings.
3.4.3 Users
[Users] page enables you to set the accounts (administrator or acceleration user) for logging in to
the gateway console, as shown below:
Click the <New> button to configure [User Name], [Password] and [User type]. [User type] falls
If [User Type] is [System Administrator], it indicates that the account is an administrator account
for the Web page. If [User Type] is [Guest], you can specify the privilege for this account: [Edit] or [View
only].
The system administrator with [View only] privilege cannot configure the WAN
Accelerator. Only the administrator with [Edit] privilege can do so. The default account Admin is
an administrator account with [Edit] privilege; it cannot be deleted and its privilege cannot be
altered. You can only modify the password.
Having completed configuring an acceleration account, you can reference the user when
configuring the acceleration policy group, so as to decide which users are able to connect to this
WAN Accelerator.
If [User Type] is [Guest], it indicates that this account only allows the user to log in to the WAN
Accelerator to either view or edit, as shown below:
Click the <Online User> button and you can view the current online user list under administrator
account, as shown below:
Next, enter the [WAN Optimization] > [Server] > [Acceleration User] page, select the newly
created user wanotest, and click <Edit> to edit this user; check the [Enable This User] option, and
then this user can be used by the branch users.
The [Acceleration User] page is as shown below:
Approach 2:
Under the [WAN Optimization] > [Server] > [Acceleration User] page, click the <New> button to
create a new user wanotest; enter the user name and password; select the user type and then check
the [Enable This User] option, as shown below:
3.4.4.1 IP Group
[IP Group] defines the IP ranges, which may be composed of single IP addresses, IP ranges and
Click the <New> button and the corresponding options appear, as shown below:
Enter the name, description of this IP group, and the IP addresses to be covered by this IP group.
You can select [Add] to add the IP addresses filled in the text box above, or [Auto Parse] to parse
the IP address from the domain name configured below. If [Auto Parse] is selected,
the options are as shown below:
[Try Times]: Configures the try times allowed to parse the domain name.
[Domain Name]: Configures the domain name according to which the IP address is parsed.
Click <Parse> and the corresponding IP address of this domain name will be parsed and be listed
in the [IP Address] text box.
If [Add] is the selected one, you then need to select an [Address Type].
[Address Type]: Configures the type of the IP address. Options are [Single IP], [IP Range] and
[Subnet].
Having completed configuring the page, you have to click the <OK> button to save the settings.
Approach 2:
Select [Add] and [IP Address]; type 172.16.1.100 into the [IP Address] text box and click <Add>
to add this IP address into the [IP Address] list. Finally, click the <OK> button, as shown below:
Approach 2:
Select [Add] and [IP Range]; type 172.16.1.100 into the [Start IP] text box and 172.16.1.120 into
the [End IP] text box, and then click <Add> to add this IP range into the [IP Address] list. Finally,
click the <OK> button, as shown below:
Approach 2:
Select [Add] and [Subnet]; type 172.16.1.0 into the [Subnet Segment] text box and 255.255.255.0
into the [Subnet Mask] text box, and click <Add> to add the subnet into the [IP Address] text box.
Finally, click the <OK> button, as shown below:
3.4.4.2 Application List
[Application List] page defines the protocols and ports of various applications so that they can be
referenced on [WAN Optimization] > [Server] > [Acceleration policy] page and [Firewall] >
Click the <New> button and the corresponding options appear. Name the application and give it a
brief description, as shown below.
Click the <New> button to add specific protocol and port so that they can be used in acceleration
policy configuration.
Case Study 13: Add ERP System Application into Application List
Requirements: Add an ERP system application into the Application List so that this application
can be referenced by the [Acceleration Policy] configuration page, and speed up the branch's access to the
headquarters' ERP system.
Under the [Application List] page, click the <New> button; type in the name and description of
the application, as shown below:
Click the <New> button, and enter the port or port range to be used by the ERP system (In this
scenario, it is TCP 8000), as shown below:
Click the <OK> button to complete configuring the page, as shown below:
3.4.4.3 Time Schedule
[Time Schedule] defines the time schedules which consist of some commonly used time periods.
The defined time schedule may be used in [Bandwidth Management] > [Policy Settings] to set
valid time and expiry time of the policy. The time is based on the system time of the SANGFOR
WAN Accelerator.
Click the <New> button and the corresponding options appear; name the time schedule and give it
a brief description; select and enable the needed time periods, as shown below:
Name the time schedule and give it a short description; select the needed time periods and finally
click the <OK> button.
3.5 WAN Optimization
3.5.1 Application
[Application] configures the protocol proxies supported by the SANGFOR WAN Accelerator. It
consists of eight configuration pages, namely, [HTTP], [CIFS], [SMTP], [POP3], [Exchange],
[Oracle EBS], [Citrix] and [RDP].
3.5.1.1 HTTP
[HTTP] page configures the proxy function for HTTP protocol, as shown below:
Check the [Enable HTTP Proxy] option to enable HTTP protocol proxy.
[Max. Cache Size]: Configures the upper size limit of the object type file.
[Object Timeout]: Configures the timeout of caching object file.
[Cache Object Type]: Configures the HTTP object types that are to be cached by the WAN
Accelerator. The default image file types are bmp, jpg, gif; the default script file type is js.
[First-synchronize-then-respond Object Type]: Configures the HTTP objects that are synchronized
first and only then returned in the response. This configuration ensures that the objects requested by the
client terminal are objects from the destination server, not outdated objects cached in the
WAN Accelerator.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply all the settings of this page.
3.5.1.2 CIFS
[CIFS] page configures the proxy function for CIFS protocol, as shown below:
Check the [Enable CIFS Proxy] option to enable CIFS protocol proxy.
Check the [Enable SMB Signing] option to enable SMB Signing.
Check the [Enable Open/Read Optimization] option to enable open/read optimization of CIFS.
Check the [Enable Save/Write Optimization] option to enable save/write optimization of CIFS.
Check the [Enable Directory Optimization] option to optimize access to folders.
Check the [Enable Print Optimization] option to optimize printing.
Check the [Enable pre-read data for open(Low bandwidth used with caution)] option to read
ahead the data when opening a file.
[Session Cache Size]: Configures the cache size of a single session over My Network Places. The
higher the value is, the better the acceleration effect shows.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply all the settings of this page.
3.5.1.3 SMTP
[SMTP] configures the proxy function for the SMTP protocol, as shown below:
Check the [Enable SMTP Proxy] option to enable SMTP protocol proxy.
Click the <Save and Apply> button to save and apply the settings of this page.
3.5.1.4 POP3
[POP3] page configures the proxy function for the POP3 protocol, as shown below:
Check the [Enable POP3 Proxy] option to enable the POP3 protocol proxy.
Click the <Save and Apply> button to save and apply the settings of this page.
3.5.1.5 Exchange
[Exchange] page configures the proxy function for the EXCHANGE protocol, as shown below:
Check the [Enable Exchange Proxy] option to enable the Exchange protocol proxy.
If none of the above protocols applies to the acceleration data, it will use TCP protocol
proxy.
3.5.1.6 Oracle EBS
[Oracle EBS] page configures the optimization function of Oracle EBS, as shown below:
Check the [Enable Oracle EBS Optimization] option to enable Oracle EBS optimization.
Check the [Enable HTTP Mode] option to optimize Oracle EBS running in HTTP mode.
Oracle EBS supports connection modes such as HTTP, HTTPS, SOCKET and so on. However, by
default, SANGFOR WAN Accelerator only optimizes Oracle EBS running in SOCKET mode; if
you want to optimize Oracle EBS running in HTTP mode, please check the option [Enable HTTP
Mode].
Click the <Save and Apply> button to save and apply the settings of this page.
If [Enable HTTP Mode] is not checked, the WAN Accelerator will not optimize Oracle
EBS when it is running in HTTP mode.
3.5.1.7 Citrix
[Citrix] page configures the optimization function of Citrix applications, as shown below:
Check the [Enable Citrix Optimization] option to enable Citrix application optimization.
Click the <Save and Apply> button to save and apply the settings of this page.
3.5.1.8 RDP
[RDP] page configures the optimization function of RDP, as shown below:
3.5.2 Compression
[Compression] consists of only one tab, [Compression Settings], as shown below:
[IP Compression]: Check the options and the corresponding non-acceleration data between the
two WAN Accelerators will be compressed and therefore transmission of them will speed up.
Check the [Enable TCP Packet Compression] option to enable the TCP packets to be compressed.
By default, the TCP compression and UDP compression functions are not enabled, because
compressed TCP or UDP data is transferred too fast. If there is a front-end firewall device
that defends against DoS attacks, it will misjudge that data transmission as an attack.
[Cache]: Decides whether to load the byte cache index and whether to enable byte cache bypass
when the device reboots.
[Load the data cache index when the device reboots]: Check this option and the system will load the
data cache index when it restarts, so that the previously cached data still works even
after the acceleration connection is rebuilt; uncheck this option and the previously cached data
becomes invalid for new acceleration connections.
If there are too many WAN Accelerators connecting in or connecting out, checking this option is not
recommended, because loading the data cache index may take a long time and thus
slow down data transfer after the new acceleration connection is built.
[Enable Byte Cache Bypass]: Check this option and the acceleration data will be bypassed
automatically if the system is too busy and disk I/O becomes a bottleneck. The Byte Cache Bypass
function helps to avoid a disk I/O bottleneck that slows down transfer of the acceleration
data.
Click the <Save and Apply> button to save and apply all the settings of this page.
3.5.3 Server
[Server] consists of [Acceleration Policy], [Acceleration Policy Group] and [Acceleration User]
pages, as shown below:
Click the <Delete> button to delete the selected acceleration policy (policies); or click the <New>
button to define the parameters for the acceleration policy, such as [Dst. IP Group], [Application],
[Application Protocol], [Algorithm], [Enable SNAT], [Session Limit] and [Enable Byte Cache], as
shown below:
To select CIFS proxy, you have to CHECK the [Enable SNAT] option.
Click the <Delete> button to delete the selected policy group; or click the <New> button to add an
acceleration group, as shown below:
If [Allocate automatically] is selected, when a user connects in, the data cache allocator of
the device will allocate a block of disk space (128 MB per block) from the remaining disk
space to a client gateway as its data cache. After the allocated block of data cache has been
used up, the data cache allocator will continue to allocate another piece from the remaining
disk space to the gateway, and so forth. When the entire disk space is used up, the data cache
will reclaim the block of data cache that was allocated first and allocate it once again.
Click the <Delete> button to delete the selected acceleration policy; or click the <New> button to
add a new connecting-in acceleration user and associate it with an acceleration policy group, as
shown below:
[User Name]: Configures the name of the user allowed to access the local WAN Accelerator.
[Password]: Configures the password of the user account.
[Confirm Password]: Enter the password again to check the correctness of it.
[Description]: Give this account a brief introduction.
[User Type]: Configures the user type of the connecting-in user. Options are [Gateway] user and
[PACC] user. [Gateway] user is the user whose data are accelerated through the acceleration
connection established between the WAN Accelerators; while [PACC] user is the user whose data
are accelerated through the connection established between the WAN Accelerator and the PACC
user (for mobile acceleration user).
[Enable This User]: Check this option to enable this acceleration user account.
[Select Policy Group]: Select the needed acceleration policy group that will reference this user.
Click <Add> to enter the [Acceleration Policy Group] page to add a new acceleration policy
group.
[Policy Group Details]: Displays the acceleration policy information covered by this acceleration
policy group.
Case Study 16: Create Acceleration User and Associate Policy Group
Create an acceleration user wanotest for the Branch WAN Accelerator, and have it associate with
the HTTP and FTP service of the subnet segment 172.16.100.0/24. Detailed procedures are as
introduced below:
Step 1: Under the [Acceleration Policy] page, configure the application and destination address.
As HTTP and FTP are default applications for acceleration, you need not create acceleration
policies for these two applications.
Step 2: Under the [Acceleration Policy Group] page, add an acceleration policy group named
wanotest group and associate it with the HTTP and FTP acceleration policy group. In this step,
you need not associate this acceleration policy group with the acceleration user because you have
not added the acceleration user yet, as shown below:
Step 3: Under the [Acceleration User] page, add a new Gateway user named wanotest and
At this point, we have completed adding the acceleration user and associating it with the acceleration
policy group, and the branch users can get access to the Internet through the headquarters with the
user account wanotest, having the HTTP and FTP application accelerated.
1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access
each other, and the flow caused when client user accesses the server goes through the server
WAN Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [Oracle EBS] tab and check the options
[Enable Oracle EBS Optimization] and [Enable HTTP Mode], as shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the
Oracle server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new
acceleration policy group (in this scenario, it is named Oracle), and have this policy group
associate with the Oracle acceleration policy and Oracle IP group (the branch users), as
shown below:
1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access
each other, and the flow caused when client-end accesses the server goes through the WAN
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the
Citrix server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an
acceleration policy (in this case, it is named Citrix): associate this policy with the [Citrix]
server IP address (configured in the above step); select [Application] citrix, and [Application
Protocol] Citrix Proxy, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new
acceleration policy group (in this case, it is named Citrix), and have this policy group
associate with the Citrix acceleration policy and Citrix IP group (the branch users), as
shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the
RDP server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an
acceleration policy (in this scenario, it is named RDP): associate this policy with the RDP
server IP address (configured in the above step); select [Application] rdp and [Application
Protocol] RDP Proxy, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new
acceleration policy group (in this scenario, it is named RDP), and have this policy group
associate with the RDP acceleration policy and RDP IP group (the branch users), as shown
below:
3.5.4 Client
[Client] includes two configuration pages, [Connect to Gateway] and [Prefetch], as shown below:
Click the <New> button and the following options appear, as shown below:
[Gateway Name]: Indicates the name of the peer device to be connected by the local device. It is
user-defined.
[User Name]: Indicates the gateway account for connecting to the peer device.
[Password]: Indicates the password of the gateway account for connecting to the peer device.
[Description]: Indicates the description for the peer device to be connected to.
[Enable Gateway Settings]: Check this option to enable the settings of this WAN Accelerator.
<Advanced>: Click it and the options [Enable Network Transparency] and [Pre-Connection] are
seen.
[Enable Network Transparency]: Check this option to enable the network transparency mode, and
the WAN Accelerator will reveal the real source and destination IP addresses of the data
transmitted in the acceleration channel. This function applies to network
environments in which the application control policy of either WAN Accelerator references the
source IP or destination IP and controls their bandwidth.
If the WAN Accelerator is deployed and configured in the following two modes, [Enable
Network Transparency] can NOT be checked: a). In Gateway mode and VPN function is enabled;
b). In Single Arm mode, but the CDP or WCCP function is not enabled.
[Enable Reverse Acceleration]: Check this option to enable reverse acceleration between the peers
of the established connection.
With the reverse acceleration function, when the client WAN Accelerator (local device) connects to
the server WAN Accelerator (peer device), it informs the server WAN Accelerator and allows it
to actively connect to the acceleration user created by the local device.
In this way, both sides (server and client) can feel the acceleration effect, and as a
result it can save one WANO license.
Click <Add> and you will enter the [Acceleration User] page to create or edit a user.
The connect-out gateway port of the peer WAN Accelerator must be consistent with the
[Listening port] of the local WAN Accelerator; otherwise, the acceleration connection cannot be
established.
In this scenario, we only focus on the acceleration configuration at the client end, other
configurations being ignored.
First of all, confirm the following information with the device administrator of Beijing
headquarters: username/password, LAN IP of the WAN Accelerator and the port providing
acceleration service.
Suppose that the Username is HongKong, the Password is wanacc, the LAN IP of the WAN Accelerator is
10.1.1.1 and the service port is 5400. Enter the information, as shown below:
Now, the tasks are, firstly, to guarantee that the Source IP, Source port, Destination IP and
Destination port of the data packets remain unchanged when they go through the SANGFOR WAN
Accelerator; and secondly, to guarantee that the bandwidth policies configured on the bandwidth
management device for each IP still take effect.
Check the [Enable Network Transparency] option on the [Connect to Central Gateway] page, as
shown below:
First, follow the steps below to configure the headquarters WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group
covering the LAN network segments of the headquarters, as shown below:
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create
corresponding acceleration policies for Exchange, HTTP and FTP. Taking the HTTP for example,
the configurations are as shown below:
Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an
acceleration policy group which associates with the three acceleration policies on Exchange,
HTTP and FTP, as shown below:
Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration
user for the branch, and associate this user with the acceleration policy group created in the above
step, as shown below:
Step 5: Add the headquarters WAN Accelerator into the domain where the Exchange server
is located (for detailed configuration guide, please refer to Section 3.4.2.4 Dynamic Route).
Then, follow the steps below to configure the branch's WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group
covering the LAN network segments of the branch, as shown below:
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an
acceleration policy on FTP. The configurations are as shown below:
Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an
acceleration policy group which associates with the acceleration policy FTP, as shown below:
Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration
user for the branch, and associate this user with the acceleration policy group created in the above
step, as shown below:
Step 5: Initiate connection requests to the headquarters. Get into the [WAN Optimization] >
[Client] > [Connect to Central Gateway] page; check the [Enable Reverse Acceleration] option
and select the acceleration user (HQ, configured in the above step) as the [Reverse User], as
shown below:
3.5.4.2 Prefetch
SANGFOR WAN Accelerator 6.0 provides the prefetching function. You can enable this function so
that the device will automatically fetch the data from the server in advance and save it to the byte
cache at the preset time. The client PC will acquire the acceleration effect when accessing the
server for the first time, with greatly improved user experience.
The configuration page is as shown below:
[Start Time], [End Time]: Configures the start time and end time of prefetching respectively.
During this time range, the device will prefetch data from the remote server.
[Days]: Specifies the days on which the prefetch operation is performed.
Click the <New> button and the following options appear, as shown below:
[Days] is based on the system time. Therefore, make sure the system time of the WAN
Accelerator is consistent with the actual time.
[Prefetch] function only supports two protocols, HTTP and FTP, and it only supports login to
FTP server (not HTTP server) with username and password.
The address and file name should be English characters; otherwise, prefetching will fail
because of decoding failure.
In this scenario, we only focus on how to configure the prefetch rule, while other
configurations are ignored.
First of all, confirm the following information with the device administrator in Beijing
headquarters: IP address of FTP server and the Username/Password of the FTP server (it is OK if
there is no username/password). Suppose the IP address of the FTP server is 10.1.1.3, username
and password for FTP download are beijing and FTP respectively.
Detailed steps are as stated below:
Step 1: Set the time on the Hong Kong branch's WAN Accelerator so that the device will
automatically prefetch report files from the FTP server in Beijing headquarters at the preset time
every day.
3.5.5 Certificates
[Certificates] includes the configurations of [CA Certificate] and [Server Certificate]. Here you
can import a server certificate or automatically generate one, so that the device acts as
an HTTPS protocol proxy for the client and accelerates the HTTPS protocol.
The page is as shown below:
This function only supports the HTTPS applications that adopt SSL one-way authentication.
If you are accessing this page for the first time, the system may ask you whether to install the
certificate import component. Click the <Install> button to install it, as shown below:
3.5.5.1 CA Certificate
[CA Certificate] page helps to import the root certificate provided by the CA. The default
configuration page is as shown below:
Click the <New> button; enter [Name] and select the directory of the [Certificate File], as shown
below:
Check the [Enable] option to enable this root certificate provided by the CA.
Click the <OK> button to save the settings of this page; or click the <Cancel> button to give up
Click the <New> button; enter the [Destination IP] address and [Destination Port] of the HTTPS
server, as shown below:
[SSL Version]: This option is offered for the specific use of Oracle EBS applications. Check the
version according to the SSL version of your Oracle EBS. If Oracle EBS uses digital certificate,
both the WAN Accelerator and the Oracle server should join the domain.
Select the [Import Certificate That Contains Key] option; upload the file for [Certificate File] and
enter corresponding [Encrypted Password] of the certificate, as shown below:
Some CAs may issue a certificate file without a key to an HTTPS server; in that case, you need to select
the [Import Certificate With Separate Key] option and configure the [Private Key File] and the
[Encrypted Password], as shown below:
First, follow the steps below to configure the headquarters WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group
covering the LAN network segments of the headquarters.
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an
acceleration policy on HTTPS and select [HTTP Proxy] application protocol and check the
[Accelerate HTTPS] option, as shown below:
Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an
acceleration policy group and associate it with the HTTPS acceleration policy, as shown below:
Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration
user for the branch and associate it with the HTTPS policy group configured in the previous step,
as shown below:
Step 5: On the [WAN Optimization] > [Certificates] > [CA Certificate] page, import the CA root
certificate of the HTTPS server, as shown below:
Step 6: On the [WAN Optimization] > [Certificates] > [Server Certificate] page, import the
HTTPS server's server certificate issued by the CA, as shown below:
In this scenario, the server certificate that the HTTPS server acquired from the CA contains no
private key. We select the [Import Certificate With Separate Key] option, and import the server
certificate and the private key file into the WAN Accelerator.
At this point, we have completed configuring the HTTPS settings on the headquarters WAN
Accelerator. The remaining step is creating an acceleration connection to have the branch access
the headquarters' HTTPS application.
3.5.6 Advanced
[Advanced] includes configurations of [Exclusion Rule], [Asymmetric Route] and [Keep Alive
Settings].
The default configuration page is as shown below:
144
145
[Enable Acceleration For All IP]: When this option is selected, the data packet will not be
accelerated if the source IP address of the data packet is consistent with that configured in the list.
[Disable Acceleration For All IP]: When this option is selected, the data packet will be accelerated
only when the source IP address of the data packet is consistent with that configured in the list.
As shown in the above figure, by default the data transmitted through some common
ports (in the list) is not accelerated. If the WAN Accelerator receives a data packet whose
destination port is any of the ports in the list, this data packet will not be handled by the
acceleration channel; instead, it will be bypassed.
Click the <New> button to create a new exclusion rule, as shown below:
Enter a network segment or a specified IP range. The correct format of network segment is as
shown below:
Fill in the source IP address, destination IP address and destination port of the data packets that
are to be excluded.
Check the [Enable] option and click the <OK> button.
Finally, click the <Save and Apply> button to complete configuring the page and save the settings.
In this scenario, we only focus on how to configure the exclusion policy, while other
configurations are ignored.
Suppose the accountants' computers are on the 192.168.3.0/24 subnet. Specific operations are as
follows:
Step 1: On the [Exclusion Rule] page of the Hong Kong branch's WAN Accelerator gateway
console, select the [Disable Acceleration For All IP] option, as shown below:
Step 2: Enter the source IP addresses (subnet), destination IP 0.0.0.0, port 0, and then check
the [Enable] option, as shown below:
Step 3: Click the <Save and Apply> button to save the settings.
As shown in the above figure, SANGFOR WAN Accelerator A and WAN Accelerator B have
established an acceleration channel between them. However, the efficiency is not high, as there are
dual switches and dual routers sharing the load. Data from the branch may
follow the upper route to reach the headquarters, and then travel back through the lower
route.
To solve this problem, we deploy a WAN Accelerator C in the headquarters network. When
to-be-accelerated data is transmitted to WAN Accelerator C, C forwards the data to
WAN Accelerator A, ensuring that traffic in both directions always travels through the same line,
hence enhancing the acceleration effect.
To enable the Asymmetric Route function for WAN Accelerator A and WAN Accelerator C,
the page should be configured as follows:
[Peer Gateway Address]: Specifies the IP address of LAN interface, DMZ interface or bridge
(subject to the deployment) of the other WAN Accelerator (of the local terminal). Ensure that the
two local WAN Accelerators are able to communicate with each other.
[Keep Alive Interval]: Configures the period of time that a packet keeps alive.
[Timeout Counts]: Configures the maximum number of times that a packet is sent. If there is still
no response from the peer device after the maximum attempts (timeout counts), the connection
3.6 Bandwidth Management
Unlike most of the previous versions, SANGFOR WAN Accelerator 6.0 provides a
bandwidth management (BM) function. The type of data going through the WAN Accelerator is
automatically identified, and on that basis the WAN Accelerator controls the bandwidth and
guarantees the bandwidth for the core businesses of a company.
The bandwidth management function is available in Gateway mode, Bridge mode, Double Bridge
mode and Single Arm mode.
3.6.1 Objects
[Objects] consists of [Application Identification], [Intelligent Identification], [URL Group] and
[File Type Group]. The default configuration page is as shown below:
The key to identifying applications and blocking certain communications is analyzing the features of
their data packets. SANGFOR periodically provides feature value definitions for
software tools such as P2P, IM, etc. You can contact SANGFOR and apply for the application
identification rule package to import the rules manually, or you can analyze data packets
yourself and define your own application identification rule by clicking the <New> button and
defining the features of the packets. The page is as shown below:
Configure in [Data Packet Content Matching] section the feature values according to the analysis
on the data packets.
[Application Identification] supports [Import] and [Export] of the rules. To export existing
user-defined rules, select the rule(s), click the <Export> button, name the file, and
finally confirm exporting (internal rules cannot be exported).
[Import Rule]: To import a rule, click the <Browse> button and upload the rule (extension of the
rule file is *.ccf), and then click the <Import> button.
[Search Rule]: Type in the keyword of a rule name, click the <Search> button and you can find
the rule whose name contains this keyword.
[Rules Priority]: Click the <Modify> button to switch the priority between the user-defined
application identification rules and the internal rules. The rule types of higher priority to be
matched are displayed in red.
Since BT and IM software tools differ from each other and keep updating, some application
For the internal rules, you can only alter the classification and cannot edit the policy or
export the rule.
[Application Identification] detects the P2P application as well, limited to plaintext P2P data.
If you disable the [P2P Action] (in the Intelligent Identification Rule List on the [Intelligent
Identification] page), it can still identify the plaintext P2P data but is unable to
identify the ciphertext P2P data.
Skype data are encrypted. To control and record the Skype data, you have to select the
[Enable] option on the [Intelligent Identification] > [Edit Intelligent Identification Rule] page
of Skype.
As shown in the above figure, the WAN Accelerator is integrated with a large number of
categorized URL groups.
[Expiry Date of Update Service]: Indicates the latest time the URL library was automatically
updated.
[Update Internal URL Library Manually]: If the URL library cannot update automatically because the device is
not connected to the Internet, you can update the URL library manually. Click the <Browse>
button and upload the URL library file from the local PC, and then click the <Upload> button.
[URL Search]: Enter the domain name into [URL Search] and click the <Search> button to search
whether this domain name exists in the URL library and in which URL group this domain name is
SANGFOR WAN Accelerator 6.0 has a large number of built-in URL groups when it is
delivered from the factory. You can add a new URL to the URL library if necessary, in addition
to using the existing built-in URLs.
Click the <New> button and the configuration page appears, as shown below:
One SANGFOR WAN Accelerator 6.0 supports at most 100 URL groups (including
internal URL and user-defined URL groups). As to the user-defined URL groups, you can have at
most 10 URL groups enabled at the same time. Multiple URL groups can be disabled as well.
Click the <New> button to add a new file type group. The page is as shown below:
For an [Application Control Policy] to take effect, you have to associate it with a user
group. We first introduce [User Group], followed by the introduction to [Application
Control Policy].
Click the <New> button to add a new user group, as shown below:
Having completed configuring the above page, you have to click the <OK> button to save the
settings.
On this page, you can relate a user group with an IP address or MAC address. The IP address can
be a single IP address, an IP range or a subnet; the MAC address can be a single MAC address or a MAC
range. The IP address (list) and the MAC address (list) are in an OR relationship, that is to say, if a
data packet from the client terminal matches either of the conditions (IP address or MAC address)
of this user group, the client will be regarded as a user of this user group, and its requests will
match the related policies when they reach the WAN Accelerator.
If there is a layer 3 switch in the local area network, the MAC address contained in the
header of the data packet will be the MAC address of the layer 3 switch. In that case, you need to use
the IP address to add a user group, for the MAC address of the LAN client configured in this page
will NOT take effect.
Requirements: Add the following three user groups: a) Finance Department user group,
covering 192.168.0.0/24; b) Managers user group, covering the IP addresses 192.168.1.100,
192.168.2.100, 192.168.3.100 and 192.168.4.100; c) General Staff user group, to which the other
PCs belong.
Configuration procedures:
Step 1: Add a new user group named Finance Department. The page is as shown below:
Step 3: Add a new user group named General Staff, as shown below:
Click the <OK> button after you have configured the page, and the three newly-created user
groups are seen in the user group list, as shown below:
While creating a new user group, please note that an IP address or MAC address can
belong to several user groups. If you want to distinguish some users from a subnet, a user group
covering most of the IP addresses of the subnet must be composed of several shorter IP address
ranges.
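The range splitting described in the note above can be computed rather than typed by hand. This is an added example, not SANGFOR code: it builds the three groups from the requirements in this section and shows that a General Staff group entered as whole subnets overlaps the Managers group, while the split ranges do not. The four General Staff subnets are an assumption, since the manual only says "the other PCs".

```python
import ipaddress

# Groups taken from the requirements in this section.
FINANCE = ipaddress.ip_network("192.168.0.0/24")
MANAGERS = [ipaddress.ip_address(a) for a in (
    "192.168.1.100", "192.168.2.100", "192.168.3.100", "192.168.4.100")]
# Assumption: "the other PCs" live in these four subnets (not stated in the manual).
STAFF_SUBNETS = [ipaddress.ip_network("192.168.%d.0/24" % n) for n in range(1, 5)]


def split_ranges(subnet, excluded):
    """Host ranges of `subnet` as (first, last) pairs that skip every address in `excluded`."""
    first = int(subnet.network_address) + 1    # skip the network address
    last = int(subnet.broadcast_address) - 1   # skip the broadcast address
    ranges, start = [], first
    for hole in sorted({int(a) for a in excluded}):
        if hole < first or hole > last:
            continue                           # excluded address is in another subnet
        if hole > start:
            ranges.append((start, hole - 1))
        start = hole + 1
    if start <= last:
        ranges.append((start, last))
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]


def build_groups(split_staff=True):
    """Return {group name: [(first, last), ...]}; split_staff=False is the overlapping layout."""
    staff = []
    for net in STAFF_SUBNETS:
        if split_staff:
            staff.extend(split_ranges(net, MANAGERS))
        else:
            staff.append((net.network_address, net.broadcast_address))
    return {
        "Finance Department": [(FINANCE.network_address, FINANCE.broadcast_address)],
        "Managers": [(a, a) for a in MANAGERS],
        "General Staff": staff,
    }


def groups_for(ip, groups):
    """Names of all groups whose ranges contain `ip` (an address may match several)."""
    ip = ipaddress.ip_address(ip)
    return sorted(name for name, ranges in groups.items()
                  if any(lo <= ip <= hi for lo, hi in ranges))


def overlaps(groups):
    """Manager addresses that fall into more than one group."""
    return [str(a) for a in MANAGERS if len(groups_for(a, groups)) > 1]


if __name__ == "__main__":
    for lo, hi in build_groups()["General Staff"]:
        print("%s-%s" % (lo, hi))   # ranges to enter for the General Staff group
    print("overlap without splitting:", overlaps(build_groups(split_staff=False)))
```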
3.6.2.2.1 Application Control
With an [Access Control] rule, you can control the applications which the LAN users get access to,
or allow/deny their access to certain applications. The access control rule may be based on
[Application], [Service] and [Advanced] (proxy).
[Application] configures the items based on which the content of data packets is inspected and
analyzed, thereby controlling certain applications. The WAN Accelerator is
integrated with a library of identification rules on some common applications (please refer to
Section 3.6.1.1
existing application identification rules and helps to control the users' access to these applications.
[Service] configures the IP address, protocol number and port of the data packets based on which
the Internet access data will be inspected and controlled. Before configuring the items, you have
to create the needed destination IP group on the [System] > [Network Objects] > [IP Group] page,
and configure the target protocol or port on the [System] > [Network Objects] > [Application List]
page (please refer to Section 3.4.4.2 Application List). The [Service] configuration references the
existing application objects and controls the users' access to these applications.
[Advanced] includes the options of whether to allow HTTP proxy and SOCK proxy. Check the
[Allow to use other protocol in standard ports of HTTP protocol and SSL protocol] option to
prevent some applications from using HTTP port (TCP 80) and SSL port (TCP 443) to transmit
their data, so that they cannot evade the control of the WAN Accelerator.
3.6.2.2.2 Web Filter
With [WEB Filter] rule, you can control the Internet access of the LAN user via HTTP protocol,
by filtering the URLs to be browsed, by filtering the keywords to be searched through the search
engine, and by filtering the keywords contained in the uploaded information and the file types to
be uploaded or downloaded via HTTP.
[URL Filter] covers [Basic] and [Advanced] options.
[Basic] options help to inspect the website of the to-be-browsed URLs and control the users' web
3.6.2.2.3 Flow
Application control policy is only applicable to user group(s). If you want to apply an
application policy to a single user, define a user group that covers the IP address or MAC address
of only that user.
Options for [Expiry Date] are [Never] and [Expired on], as shown below:
After you have configured an expiry date, this application policy will automatically
become invalid on the preset date.
Step 4: Select the user group. You can select the [All] option to have this application control policy
apply to all the LAN users; or select the [Custom] option and move the needed user group(s)
from the [Available] user group list to the [Selected] user group list, to have this application
control policy apply to the selected user group(s).
Step 5: Configure the rules of [Access Control], [Web Filter] and [Flow].
Step 6: Click the <OK> button to save all the above settings.
Click the <New> button and the options appear, as shown below:
Configure the required items and then click the <OK> button to save the settings. The console returns to the
default configuration page of [IP Group]. The newly-created IP group is as shown below:
Step 2: Click [Bandwidth Management] > [Policy Settings] > [Application Control Policy] to
create an application control policy named Finance Department; select the needed user group
Finance Department, as shown below:
Step 3: Configure a rule to deny the user group Finance Department access to the Internet,
as shown below:
The users in a user group can only be distinguished by
their IP addresses, not by their behaviors. For instance, they may use the ping command,
browse webpages, access an FTP server or even use video when accessing the headquarters network
and public networks. For this reason, [Service] rules have to be configured to control their access
to the networks.
Step 4: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of
Step 6: Configure a rule to deny the user group General Staff the use of P2P download tools, as
shown below:
Step 7: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of
In the same way, click <Add> and configure the bandwidth of Line2, as shown below:
[LAN IP]: Configures the source IP address and source port of the data packets.
[WAN IP]: Configures the destination IP address and destination port of the data packet.
[Protocol Type]: Specifies the protocol used by the data packet.
[Physical Interface]: Configures the bridge that forwards the rule-matched data packet (in multi-bridge mode).
[Target Line]: Configures a virtual line that will transfer the data packet if the above four
conditions are satisfied.
Step 3: Follow the steps above to configure another virtual line rule, so as to keep the virtual line
rules exactly the same as the policy routing rules of the firewall.
The virtual line rules are matched from top to bottom (according to the rule order in the
virtual line rule list).
Several virtual line rules can be configured at the same time; however, you can only
configure the destination IP address and bridge (physical interface) of these rules in batch.
Click the <Import> button of [Import Rules in Batches] and then configure the needed rules.
Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management]
page, enable the bandwidth management system, as shown below:
Click the <New> button to configure the assured bandwidth and maximum bandwidth for the
members of Finance Department, as shown below:
[Channel Name]: Type one or more names for the bandwidth channels. One entry per row, length
of each name is within 96 characters.
[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If
[Custom] is selected, you can define and add services.
[User Group]: Configures the valid users and user groups. You can select [All] to have all the
users and user groups applied to this policy, or select [Custom] to have some of the users or user
groups applied to this policy.
[Bandwidth Channel Type]: Defines the type of bandwidth channel, [Assured Channel] or
[Limited Channel]. In this case study, it is [Assured channel], for you are required to guarantee the
The sum of the assured bandwidth ratios may exceed 100%. When it exceeds
100%, the assured bandwidth of each channel is reduced in proportion.
For example, if we configure two channels, Line 1 is assured with 30% and Line2 is
Channel with higher priority would preferentially use the idle bandwidth of other
channels.
Limited Channel
[Limited Channel] configures the maximum bandwidth of the channel. The data that matches the
rules of this limited channel will be controlled, that is to say, the maximum bandwidth of this
channel shall not exceed the preset value.
Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management]
page, enable the bandwidth management system, as shown below:
[Channel Name]: Type a name for the bandwidth channel(s). One name per row, length of each
name is within 96 characters.
[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If
[Custom] is selected, you can define and add services. In this case study, we are going to control
the flow for downloading data with P2P and download tools; the selected services and
applications are [File Download]/[All], [P2P]/[All], [P2P Stream Media]/[All], [MEDIA]/[All].
What is more, you can also select [Website Type] or [File Type]. [Website Type] options control
the access to certain type of website; while [File Type] options control the file types downloaded
through HTTP and FTP protocols. Confirm the [Custom Service] items and complete configuring
the [Service and Application] options.
3.6.3.2.2 Exclusion Policy
[Exclusion Policy] works in the case that some data are applicable to none of the bandwidth
Step 2: Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] >
[Exclusion Policy] and the following default configuration page is seen. Click the <New> button
to configure an exclusion policy.
Step 4: Click the <OK> button to complete configuring the page and save the above settings.
[IP Address List]: Configures the IP address to which this rule is applied. By default, it includes all
the network segments.
[Protocol Type], [Port]: Configures the protocol condition: the denied information is recorded
only when the protocol and port contained in the transmitted data packet are the configured
ones.
Click the <Enable Drop List> button to enable the Drop list (all the access control policies
configured on the WAN Accelerator are taking effect); the packets (to be denied) that match
the policies will be denied and the related information will be output to a web page; or press
the <F5> key to refresh and view the page. Click the <Click here to view packet drop list> button
to open the page and view the detailed information of the denied data packets.
Click the <Enable Drop List and Bypass> button to enable the drop list and enable the bypass
function (all the access control policies configured on the WAN Accelerator become invalid);
the data packets that match the policy (to be denied) will be let through and the related information
will be output to a web page. Click the <Click here to view packet drop list> button to open
the page and view detailed information of the denied data packets; or press the <F5> key to
refresh and view the page.
This function helps to troubleshoot quickly and locate the configuration mistakes made in the
bandwidth management (BM) module (of the WAN Accelerator) that caused faults such as
network disconnection, etc., and therefore helps the network administrator to quickly correct the
configurations.
<Close Drop List>: Click this button to close the Drop list and disable the bypass function.
3.6.5 Advanced
3.6.5.2 Excluded IP
[Excluded IP List]: If the IP address of a LAN user or the destination IP address of a server is any
of the IP addresses configured in the [Excluded IP List], the access of the LAN user to the Internet
or to the destination server will not be monitored, and the data packets will pass through directly.
The configuration page is as shown below:
If the firewall has configured a rule on any of the IP addresses that are involved in the
exclusion rule, the firewall rule has higher priority.
[Enable Auto Update]: Tick the check box to have the internal URL library and Application
Identification update automatically.
<Update Now>: Click this button to immediately update the URL library and Application
Identification that have not expired.
3.7 Firewall
3.7.1 NAT
[NAT Rules] covers [SNAT] and [DNAT] configurations.
3.7.2 SNAT
[SNAT] page configures the SNAT (Source Network Address Translation) rules that let the local
area network access the Internet through the proxy function of the firewall. The system
has no built-in SNAT rule. As a result, SNAT rules have to be added manually.
The default configuration page is as shown below:
Or check the [Advanced Settings] option to configure the advanced options, such as [Destination
Address] and [Protocol], as shown below:
3.7.3 DNAT
[DNAT] page configures the DNAT (Destination Network Address Translation) rules of the
firewall. If a LAN server needs to provide services to external networks, a
DNAT rule must be added.
The default configuration page is as shown below:
Step 2: Under the [DNAT] page, click the <New> button to add a new DNAT rule.
[Rule Name]: Name this DNAT rule.
[Ingress Interface]: Select WAN1 as the ingress interface.
[Protocol]: Select [Protocol] TCP; [Source Port] is 0 and [Destination Port] is from 80 to 80.
[Translate Destination Address To]: Select [IP] and enter 192.168.1.100. [Port] is from 80 to 80.
Check the [Enable] option and click the <OK> button. The configuration page is as shown below:
After this DNAT rule takes effect, the external networks can access the WEB service provided by
the internal network with the help of this DNAT rule.
The LAN server that uses the DNAT rule (configured on the SANGFOR WAN Accelerator)
to provide the external networks with service must be connected to the Internet through the NAT
proxy of the device (in other words, the LAN server's gateway points to the WAN Accelerator or
the route for Internet access eventually points to the WAN Accelerator); otherwise, the DNAT
rule will not take effect.
Click the <New> button and the configuration page appears, as shown below:
3.7.5 Anti-DoS
The firewall is responsible for protecting the local area network from attacks by users of
external networks. However, it is well known that, most of the time, a virus-infected computer on the local
area network will send a large number of data packets to the gateway, which may result in
bandwidth congestion or gateway breakdown.
To solve these problems, SANGFOR WAN Accelerator 6.0 is integrated with an Anti-DoS
function that monitors the quantity of data packets sent from a given IP address to the gateway
per unit of time. When the number of packets sent exceeds a certain value, the VPN device
(SANGFOR WAN Accelerator) will regard it as a DoS attack from this IP and, for self-protection, instantly stop the
host from transmitting data packets for a while.
For configuration of this function, please refer to the [Anti-DoS] page, as shown below:
[LAN Address List]: Configures the LAN IP range which gets access to the Internet through the
SANGFOR WAN Accelerator. The data packets from the IP addresses outside the [LAN Address
List] will be dropped by the WAN Accelerator. If the source IP is in the list, the device will
calculate and inspect each setting for anti-DoS attack, in order to handle the events accordingly.
Function of [LAN Router List] is similar to that of the [LAN Segment List].
[Excluded IP List]: Configures the LAN IP addresses that are free from the protection of the anti-DoS policy.
Other optional settings are available, such as [Max New TCP Connections Per IP Within One
Minute], [Max SYN Packets Per IP Within One Second] and [Host Blocking Time After Attack is
Detected (minute)]. Please set them according to your case.
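How the settings on the [Anti-DoS] page interact is easier to judge on a replayed trace before thresholds are chosen. The following is an added model, not the device's implementation: the sliding-window counting, the event kinds, the verdict names and all numeric limits are assumptions, and the trace is constructed.

```python
import ipaddress
from collections import defaultdict, deque

PASS, BLOCK, DROP_BLOCKED, DROP_NOT_LAN = "pass", "block", "drop-blocked", "drop-not-lan"


class AntiDoS:
    """Per-source counters modelled on the [Anti-DoS] page settings (assumed behaviour)."""

    def __init__(self, lan, excluded, max_conn_per_min, max_syn_per_sec, block_minutes):
        self.lan = [ipaddress.ip_network(n) for n in lan]             # [LAN Address List]
        self.excluded = {ipaddress.ip_address(a) for a in excluded}   # [Excluded IP List]
        # event kind -> (limit, window in seconds)
        self.limits = {"conn": (max_conn_per_min, 60.0), "syn": (max_syn_per_sec, 1.0)}
        self.block_seconds = block_minutes * 60                       # [Host Blocking Time]
        self.events = defaultdict(lambda: {"conn": deque(), "syn": deque()})
        self.blocked_until = {}

    def handle(self, ts, src, kind):
        """Return the verdict for one event of `kind` ('conn' or 'syn') from `src` at time `ts`."""
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in self.lan):
            return DROP_NOT_LAN            # sources outside the LAN list are dropped
        if ip in self.excluded:
            return PASS                    # excluded hosts are never counted
        if self.blocked_until.get(ip, 0.0) > ts:
            return DROP_BLOCKED            # still inside the blocking time
        limit, window = self.limits[kind]
        queue = self.events[ip][kind]
        queue.append(ts)
        while queue and queue[0] <= ts - window:
            queue.popleft()                # forget events older than the window
        if len(queue) > limit:
            self.blocked_until[ip] = ts + self.block_seconds
            queue.clear()
            return BLOCK                   # this event trips the limit
        return PASS


def demo():
    """Replay a constructed trace of (time in seconds, source IP, event kind)."""
    fw = AntiDoS(lan=["192.168.1.0/24"], excluded=["192.168.1.10"],
                 max_conn_per_min=3, max_syn_per_sec=5, block_minutes=1)
    trace = [(i / 10, "192.168.1.20", "syn") for i in range(6)]   # 6 SYNs within 0.5 s
    trace += [(10.0, "192.168.1.20", "syn"),     # inside the blocking time
              (61.0, "192.168.1.20", "syn"),     # blocking time is over
              (61.0, "10.9.9.9", "syn")]         # source outside the LAN list
    trace += [(62.0, "192.168.1.10", "syn")] * 8  # excluded host exceeding the SYN limit
    return [fw.handle(*event) for event in trace]


if __name__ == "__main__":
    print(demo())
```

The last eight events show the cost of an [Excluded IP List] entry: that host is never rate-limited, so the list should stay short.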
[Enable ARP Protection]: Check this option to enable the ARP protection function.
[Static ARP List]: Configures the IP address and MAC address that are to be bound with the LAN
device or computer.
[Broadcast Interval of The Device MAC Address]: Indicates how often the IP
address and MAC address of the gateway (the LAN interface of the WAN Accelerator) are broadcast to the local
area network.
Click the <Save and Apply> button to save and apply the above settings.
3.8 Sangfor VPN
[Primary WebAgent], [Secondary WebAgent]: Specifies the WEB server address where the
dynamic addressing file is located.
If the server WAN Accelerator uses dynamic IP address, the Webagent must be in format of
Webpage URL which ends with .php (you can apply for Webagent from SANGFOR free of
charge, or obtain Webagent file and deploy Webagent server by yourself). Having typed in the
Webagent address, you may click the <Test> button to check the connectivity of the Webagent.
If the server WAN Accelerator uses a static IP address, the Webagent must be in the format IP
address:Port (e.g., 202.96.134.133:4009). In case there are several lines whose IP addresses are
static IP addresses, the format of the Webagent address is IP1#IP2:Port (e.g.,
202.96.134.133#58.67.23.22:4009).
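The two Webagent formats described above can be validated before the value is entered on every branch device. This is an added example, not part of the product: `parse_webagent` and `is_valid_webagent` are hypothetical helper names, accepting a URL without an http(s) scheme is an assumption, and `webagent.example.com` is a constructed host name.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_webagent(value):
    """Parse a Webagent setting into a dict; raise ValueError if it fits neither format."""
    value = value.strip()
    # Dynamic IP case: a web page URL that ends with .php
    if "://" in value or value.lower().endswith(".php"):
        parts = urlsplit(value if "://" in value else "//" + value)
        if parts.scheme not in ("", "http", "https") or not parts.hostname:
            raise ValueError("Webagent URL needs a host and, if given, an http(s) scheme")
        if not parts.path.lower().endswith(".php"):
            raise ValueError("Webagent URL must end with .php")
        return {"mode": "dynamic", "url": value}
    # Static IP case: IP:Port, or IP1#IP2:Port when several lines have static addresses
    hosts, sep, port = value.rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
        raise ValueError("static Webagent must end with :Port (1-65535)")
    try:
        addresses = [ipaddress.IPv4Address(h) for h in hosts.split("#")]
    except ValueError:
        raise ValueError("every entry before the port must be an IPv4 address")
    return {"mode": "static", "addresses": [str(a) for a in addresses], "port": int(port)}


def is_valid_webagent(value):
    """True if `value` parses as one of the two documented formats."""
    try:
        parse_webagent(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    samples = ["202.96.134.133:4009",                       # from the manual
               "202.96.134.133#58.67.23.22:4009",           # from the manual
               "http://webagent.example.com/wa/agent.php",  # constructed
               "202.96.134.133#:4009",                      # constructed, empty second address
               "202.96.134.133"]                            # constructed, port missing
    for sample in samples:
        print(sample, "->", is_valid_webagent(sample))
```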
<Modify Password>: Click this button to change the password of the Webagent, which will help
to prevent unauthorized users from writing fake IP addresses into the Webagent page.
<Shared Key>: Configures the shared key needed when VPN connection is established. The
shared key can prevent unauthorized devices from connecting in.
If the Webagent password is lost, it cannot be recovered. The only
solution is to contact the Customer Service of SANGFOR to generate a new file (without
Webagent password) and replace the original one.
If the [Shared Key] is configured, all the branch VPN sites have to configure the same shared
key to interconnect and communicate with each other.
[MTU]: Configures the MTU (Maximum Transmission Unit) of the data transmitted among the
VPN sites. It is 1500 by default (recommended).
[Min Compression Value]: Configures the minimum size of a VPN data packet that is to be
compressed. It is 100 by default.
[VPN Listing Port]: Configures the listening port for the VPN service. It is 4009 by default. You
can change the port according to your case.
[Modify MSS]: Configures the maximum size of the fragmentation under UDP transmission
mode.
Generally, it is recommended to adopt the default [MTU], [Min Compression Value] and
[Modify MSS] values. If you need to change the values, please follow the instructions given by the
SANGFOR technicians.
[Directly connect], [Indirectly connect]: Select how the
WAN Accelerator connects to the Internet, [Directly connect] or [Indirectly connect]. If the Internet IP
address can be obtained directly or the Internet users can access the VPN port of the WAN
Accelerator with the DNAT (destination network address translation) function, select [Directly
connect]; if the Internet IP address cannot be obtained, select [Indirectly connect].
<Advanced>: Click this button and the [Advanced Settings] dialog appears, as shown below:
[Threads]: Configures the maximum number of VPN connections. It is 20 by default. One WAN
Accelerator allows maximum 1280 VPN connections. If you need to modify this parameter,
please DO follow the instructions given by the SANGFOR technicians.
[Broadcast Packet]: Configures whether to allow broadcast packets to be transmitted on the VPN
channels (some applications, such as My Network Places need the support of broadcast packet).
You can specify a port to transfer broadcast packets, so as to avoid broadcast storm from
appearing at both ends of a VPN connection.
[Multicast Settings]: Configures whether to allow multicast packets to be transmitted on the VPN
channels (some video applications need the support of multicast packets).
Having completed configuring this tab, you have to click the <Save> button to save the settings.
<Check DKey>: Click the <Check DKey> button to inspect whether the DKey has inserted into
the USB port of the computer (through which you have logged in to the WAN Accelerator
console). If the DKey driver has not yet been installed, you will be prompted to download
the DKey driver.
<Download DKey Driver>: Click the <Download DKey Driver> link to download and install the
driver.
Before generating the DKey, please DO install the DKey driver, otherwise the computer
cannot recognize the DKey hardware.
During the process of installing the DKey driver, please DO close the third-party anti-virus
software and firewall, otherwise, conflicts between the programs will appear and the DKey
driver will fail to be installed.
<Search>: Click this button to search for the specified username. The matching user will be
highlighted in yellow, as shown below:
<Advanced Search>: Click this button to enter the [Advanced Search] webpage dialog and specify
Before using Radius authentication and LDAP authentication, please go to the [Sangfor
VPN] > [Third-Party Auth] > [Radius Server Settings] tab or [LDAP Server Settings] tab to
configure a corresponding authentication server.
[Use Group Properties]: Classifies the user into a certain group and configures whether to have the
user adopt the group properties. Check this option and the user will be added to the specified group
and adopt the public properties of this selected group.
Before checking the [Use Group Properties] option, you have to add the user group first.
After the user is added to this group, the [Algorithm], [Enable My Network Places] and [LAN
Privilege] options are unavailable.
[Enable Hardware Auth]: Check this option to configure the hardware-featured certificate for
authentication. Click the <Browse> button to select and upload the certificate file (in *.id format).
[Enable DKEY]: Check this option to enable the mobile VPN user(s) to use DKey authentication.
Before enabling the DKey, please DO first insert the DKey into the USB port of the computer and
then generate the DKey by clicking the <Generate DKEY> button.
[Enable Virtual IP]: Mainly used for allocating a virtual IP address to mobile VPN users. If a
user's user type is defined as Mobile VPN and the user is allocated a virtual LAN IP address (from
the virtual IP pool), once this mobile VPN user connects to the VPN, it will take this allocated IP
address as the virtual LAN IP. IP address 0.0.0.0 indicates that the system will automatically
allocate a virtual LAN IP address (from the virtual IP pool) for this user.
[Valid Time]: Configures respectively the valid time of the VPN user (connecting-in user
account).
[Enable Expiry Time], [Expired At]: Configures the expiry time of the VPN user (connecting-in
user account).
[Enable My Network Places]: Check this option if the VPN user needs to use My Network Places.
[Enable Compression]: Check this option and the WAN Accelerator will compress the data that
This is a unique technology of SANGFOR VPN. It makes the best use of the
bandwidth, particularly in network environments with limited bandwidth resources, and
accelerates data transmission. However, this function is not suitable for all cases. Check or
uncheck this option according to your case.
[Deny Internet Access after Connecting to VPN]: This function is only available for the mobile
VPN users. Check this option and the mobile VPN users can only visit the local area network
where the server VPN is located (unable to access the Internet).
[Enable Multi-User Login]: Check this option and this user account can be used by multiple users
(for logon).
[Deny Password Change Online]: Check this option and mobile VPN user cannot modify the
login password after it connects to the local VPN; uncheck this option and the user can modify the
login password online.
[LAN Privilege]: Configures the privileges of this user after it connects to the VPN, such as the
privileges of accessing some services. By default, there is no privilege limitation.
Before configuring [LAN Privilege], please go to the [VPN Settings] > [Advanced] >
[LAN Service] page to add some needed services.
<Advanced>: Click this button to enter the [VPN Advanced Properties] page and configure some
advanced properties, including multicast service, tunnel flow control, tunnel NAT rules, etc. The
multicast service mainly provides the multicast protocol support required by some applications
(such as video) used by and between the HQ VPN and Branch VPN. Tunnel flow control
options help to control the flow of a given connecting-in branch VPN user, keeping the flow
from getting too high. Tunnel NAT mainly solves the IP conflict that appears when two branch
VPN users on the same LAN network segment connect in to the HQ VPN at the same time. The
related tabs are as follows:
For detailed introduction to line section policy, please refer to Section 3.8.3.1 Multi-Line Routing
Policy.
For detailed introduction to multicast service, please refer to Section Step 4. Multicast Service.
[Tunnel Parameter] covers VPN tunnel timeout, dynamic detection among tunnels and tunnel flow
control options.
[VPN Tunnel Timeout]: In network environment of high latency and packet loss rate, SANGFOR
VPN enables you to configure timeout parameter for some specific networks. Timeout of each
[Enable Tunnel Flow Control] defines a value range rather than an exact value. For
instance, if the maximum flow is 100k, the actual flow amount will be controlled within 80-120k,
fluctuating around 100k.
[Tunnel NAT Rule]: Performs SNAT (source network address translation) when the IP
addresses of multiple branches conflict. It enables those branch VPN sites to connect in and
communicate smoothly with the HQ VPN, without having to modify the network segment of
the related branches.
<New>: Under the [Tunnel NAT Rule] tab, click this button to enter the [Tunnel NAT] webpage
dialog and create a new tunnel NAT rule. Type in the source subnet segment, subnet mask and the
translate-to subnet segment, and click the <Auto Allocate> button to have the system
automatically allocate it with an IP range from the virtual IP pool, as shown below:
Please ensure that the subnet mask matches the source subnet segment. The tunnel NAT rule
only applies to the subnet segment of the configured mask, with the hostname of the computers
remaining unchanged.
Before configuring the [Tunnel NAT Rule] of [VPN Advanced Properties], please add the
needed virtual IP range for the branch on the [Sangfor VPN] > [Server] > [Virtual IP Pool].
<New Group>: Under the [VPN Users] tab, click this button to add a new user group. Type a name
and description for this user group; define the group properties (including [Encryption Algorithm],
[Enable My Network Places], [LAN Privilege] and [Advanced]). The page is as shown below:
For [LAN Privilege] and the <Advanced> button, please refer to the descriptions
above, for they are the same as those for adding a new user.
Select the needed user and specify user type (mobile VPN or branch VPN), user group, and
encryption algorithm, and decide whether to enable compression and My Network Places; and
then click the <Import> button to import the selected users into the local WAN Accelerator from
the LDAP server. If users are imported successfully, the results are as shown below:
<Import Text User>: Under the [VPN Users] tab, click this button to import the TXT or CSV file
that contains the user information. You can specify a user group to import these users into this
group or use the group properties, and classify them as mobile VPN users or branch VPN users.
The TXT file should contain very simple user information in the format username,,password;
other information cannot be imported. The CSV file is similar to the TXT file, but the English
commas are replaced by a blank column, as shown below:
<Export User>: Click this button to export and save the user information of this WAN Accelerator
to the local computer. You can decide whether to export it as [Plaintext] or as [Cipher text]. The
dialog is as shown below:
Step 1: On the Beijing HQ WAN Accelerator, go to [Sangfor VPN] > [Server] > [Virtual IP Pool]
page and add a new virtual IP pool that consists of IP range 192.168.20.0/24, as shown below:
Step 2: Go to the [Sangfor VPN] > [Server] > [VPN User] page and create a VPN user account for
branch VPN user. Under the [Edit User: Branch-ShenZhen] page, click the <Advanced> button to
enter the [VPN Advanced Properties] page; click [Tunnel NAT Rule] tab and check the option
[Enable Tunnel NAT], and click the <New> button to add subnet 192.168.20.0/24 into the rule list
to have this subnet associate with this user account. The page is as shown below:
Click the <Save> button on each page in turn to save the settings and have the tunnel NAT rule
take effect, and the Shenzhen branch will be able to connect to the Beijing HQ smoothly, without
changing its LAN IP address; in addition, the Beijing HQ can access the services provided by the
Shenzhen branch simply by accessing the corresponding IP address of the subnet 192.168.20.0/24.
In the above case, the Shenzhen branch and Shanghai branch cannot access each other via
the tunnel route. To have the two branches access each other, first enable the tunnel NAT
function on both the Shenzhen WAN Accelerator and the Shanghai WAN Accelerator, with
their subnets translated to two different IP network segments; then add a
tunnel route (on the [Sangfor VPN] > [Advanced] > [Tunnel Route] tab of each WAN Accelerator)
whose source network IP is the physical IP range and whose destination network ID is the peer's
virtual network segment.
a.)
In this case, the IP addresses in the virtual IP pool may be idle IP addresses of the local area
network, or randomly specified IP addresses. If the IP addresses are randomly specified, you
should ensure that the routing information of these specified IP addresses is forwarded to the
SANGFOR WAN Accelerator by the LAN server; otherwise, the mobile VPN user will be unable
to access the HQ VPN's LAN server even though it has connected in successfully.
Click the <New> button to enter the [Virtual IP Settings] webpage dialog. Select the user type for
this IP pool, and configure the start and end IP, as shown below:
Then, click the <Advanced> button on the [Virtual IP Pool] tab and configure the mask of the
virtual IP address, DNS, and WINS servers, as shown below:
Having configured a virtual IP pool for the mobile VPN user, you can go to the [Sangfor VPN] >
[Server] > [VPN Users] tab to create a new VPN user account, selecting user type Mobile VPN.
If the virtual IP is 0.0.0.0, the HQ VPN WAN Accelerator will automatically allocate an idle
virtual IP address to this mobile VPN user from the IP pool when the mobile VPN user connects
in. Instead of using the default (0.0.0.0), you can also type in an IP address to assign a fixed
virtual IP address to this mobile VPN user.
After configuring the [Advanced] options of [Virtual IP Pool], the SANGFOR VPN
virtual network adapter of the mobile VPN user's computer must be configured as [Obtain an IP
address automatically] and [Use the following DNS server addresses]; otherwise, the addresses
configured in [Advanced] will not be allocated to the virtual network adapter of the mobile VPN
user's computer.
b.)
Assign the virtual IP addresses of the virtual IP pool to the branch VPN users. When a branch
VPN user connects in to the HQ VPN, the source IP address of the branch VPN user will be replaced
by one of the virtual IP addresses of the virtual IP pool, which solves the problem of IP conflict
when two branches on the same network segment connect in to the HQ VPN at the same time.
Enter the [Virtual IP Settings] webpage dialog and configure the [Start IP] of the virtual IP pool,
and [Subnet Mask] of the virtual IP addresses, and the [Total Network Segments]; then click the
<Calculate> button, and the system will automatically calculate the [End IP] of this virtual IP pool
according to the other settings on the page, as shown below:
[Start IP]: Indicates the first IP address of the virtual IP range assigned to the branch VPN users.
[End IP]: Indicates the last IP address of the virtual IP range assigned to the branch VPN users.
<Calculate>: Click this button and the system will automatically calculate the last IP address of
the virtual IP range.
[Total Network Segment]: Specifies the number of network segments of the IP pool.
[Subnet Mask]: Indicates the mask of the virtual IP range. This subnet mask should be consistent
with the subnet mask of the branch VPN user.
Having configured the virtual IP addresses for the branch VPN user, you can go to [Sangfor VPN]
> [Server] > [VPN Users] tab to add a new user account; select [Branch VPN], and then click the
<Advanced> button to enter the [VPN Advanced Properties] > [Tunnel NAT Rule] tab and add a
corresponding tunnel NAT rule for the branch VPN.
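The pool sizing and tunnel NAT planning described above, as an added Python example (not Sangfor code). It assumes that <Calculate> returns the last address of the last consecutive segment and that a tunnel NAT rule is a 1:1 subnet mapping; the function names, the Branch-ShangHai account and every address other than 192.168.20.0/24 are constructed for illustration.

```python
import ipaddress as ipa


def pool_end_ip(start_ip, subnet_mask, total_segments):
    """End IP of a branch pool made of `total_segments` consecutive subnets.

    Assumed model of <Calculate>: the last address of the last segment.
    """
    if total_segments < 1:
        raise ValueError("a pool needs at least one network segment")
    # ip_network() raises ValueError when Start IP is not on a subnet boundary.
    first = ipa.ip_network(f"{start_ip}/{subnet_mask}")
    last = int(first.network_address) + first.num_addresses * total_segments - 1
    return ipa.ip_address(last)


def translate(src_ip, source_subnet, translated_subnet):
    """Apply one tunnel NAT rule as a 1:1 subnet mapping (assumed behaviour)."""
    src = ipa.ip_address(src_ip)
    source = ipa.ip_network(source_subnet)
    target = ipa.ip_network(translated_subnet)
    if source.prefixlen != target.prefixlen:
        raise ValueError("source and translate-to subnets need the same mask")
    if src not in source:
        return src  # the rule does not apply, the address is left alone
    host_part = int(src) & int(source.hostmask)
    return ipa.ip_address(int(target.network_address) | host_part)


def check_plan(rules, pool_start, pool_end, hq_subnets):
    """Return a list of problems in a tunnel NAT plan; empty means consistent.

    rules maps a branch user name to (source_subnet, translated_subnet).
    """
    problems = []
    lo, hi = int(ipa.ip_address(pool_start)), int(ipa.ip_address(pool_end))
    hq = [ipa.ip_network(n) for n in hq_subnets]
    accepted = []
    for branch, (source_subnet, translated_subnet) in rules.items():
        try:
            source = ipa.ip_network(source_subnet)
            target = ipa.ip_network(translated_subnet)
        except ValueError as exc:  # the mask does not match the subnet segment
            problems.append(f"{branch}: {exc}")
            continue
        if source.prefixlen != target.prefixlen:
            problems.append(f"{branch}: mask differs between {source} and {target}")
        if int(target.network_address) < lo or int(target.broadcast_address) > hi:
            problems.append(f"{branch}: {target} is outside the virtual IP pool")
        for net in hq:
            if target.overlaps(net):
                problems.append(f"{branch}: {target} overlaps HQ subnet {net}")
        for other, other_target in accepted:
            if target.overlaps(other_target):
                problems.append(f"{branch}: {target} overlaps the range given to {other}")
        accepted.append((branch, target))
    return problems


# Constructed plan. Only 192.168.20.0/24 and the Branch-ShenZhen account come
# from the manual's scenario; every other name and address is made up.
POOL_START = "192.168.20.0"
POOL_END = str(pool_end_ip(POOL_START, "255.255.255.0", 2))
HQ_SUBNETS = ["192.168.10.0/24"]
GOOD_PLAN = {
    "Branch-ShenZhen": ("192.168.1.0/24", "192.168.20.0/24"),
    "Branch-ShangHai": ("192.168.1.0/24", "192.168.21.0/24"),
}
BAD_PLAN = {
    "Branch-ShenZhen": ("192.168.1.0/24", "192.168.20.0/24"),
    "Branch-ShangHai": ("192.168.1.10/24", "192.168.20.0/24"),  # host bits set
    "Branch-Test": ("192.168.1.0/24", "192.168.20.0/24"),       # reused range
}

if __name__ == "__main__":
    print("pool:", POOL_START, "-", POOL_END)
    print("192.168.1.37 ->", translate("192.168.1.37", *GOOD_PLAN["Branch-ShenZhen"]))
    for line in check_plan(BAD_PLAN, POOL_START, POOL_END, HQ_SUBNETS):
        print("problem:", line)
```

Running the check before adding rules catches two branches translated into the same range, which would recreate at the HQ the address conflict that tunnel NAT is meant to remove.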
Enter the [Virtual IP Pool] tab; click the <New> button to enter the [Virtual IP Settings]
page and configure an IP range (this IP range should be of the same network segment of the LAN
Step 2.
Go to the [VPN Users] tab; click the <New> button to create a user account for the use
of mobile VPN user, and check the [Enable Virtual IP] option and use the default virtual IP
address 0.0.0.0 which indicates that the system will automatically allocate a virtual IP address to
the mobile VPN user, or type in an IP address to assign a fixed virtual IP address to the mobile
VPN user.
3.8.2 Client
Click the <New> button to create a VPN connection that enables the local WAN Accelerator to
connect in the HQ VPN and the [Edit Connection] page pops up, as shown below:
[Connection Name], [Description]: Type respectively the name and the description for this new
connection.
[Primary Webagent], [Secondary Webagent]: Type the primary and secondary Webagent of the
to-be-connected HQ VPN. Click the <Test> button that follows to check the availability of the
Webagent. The testing results are as shown below:
This test request is initiated by the local computer instead of the local WAN Accelerator.
If the Webagent is in the format of a domain name and the testing results show success, the
webpage exists; otherwise, the webpage does not exist. If the Webagent is a static IP
address and the testing results show success, then its format (IP:PORT) is correct. In
short, successful testing results do not indicate that the VPN connection succeeds.
[Transfer Type]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. It is UDP by default.
[Data Encryption Key], [Username] and [Password]: Indicates the corresponding account
information provided by the HQ VPN.
[Cross-ISP]: If the HQ VPN and the branch VPN use different Internet service providers (ISPs)
and these different links cause frequent packet loss, checking this option is recommended.
You can also tell the system the status of your network environment, by selecting [Low packet
loss], [High packet loss] or [Set manually] and configuring the [Packet Loss Rate].
To enable this function, you have to activate the cross-ISP license. As to the interconnection
between two branch VPN sites, both the WAN Accelerators have to enable cross-ISP function; as
to the interconnection between mobile VPN user and VPN site, only the WAN Accelerator needs
to enable cross-ISP function.
<LAN Privilege>: Click this button to enter the [LAN Privilege] configuration page and configure
the privileges of the peer VPN, that is, to specify the services (provided by the local terminal) that
will be available for the peer VPN.
Having completed configuring the VPN connection, you have to check [Enable] to activate this
connection, and click the <Save> button to save all the settings.
If you are configuring LAN services for a VPN site that has enabled the tunnel NAT function,
the network segments, whether configured on the HQ VPN device or on the branch VPN
device, must be the translated-to network segment or IP addresses within it
(according to the corresponding tunnel NAT rule).
Case Study 39: Only Allow Peer VPN to Access Local WEB Services
Requirement: VPN A users access to VPN B; VPN A controls the access privilege of VPN
B users, allowing VPN B users to access its WEB server, other servers being unavailable.
To achieve the expected effect, we configure on the WAN Accelerator of VPN A, as follows:
Step 1.
Go to the [Sangfor VPN] > [Advanced] > [LAN Service] tab to add a LAN service item
Click the <New> button to enter the [LAN Service] page; type in service name and click the tab
Click the <New> button and enter the [IP Range Settings] page to configure the IP range that can
access to the WEB services, as shown below:
In the above page, the source IP addresses are the LAN network segment of the peer VPN (VPN
B), and the port number is between 1 and 65535 because the port from where the VPN
connection request initiated is a random port. The destination IP addresses are LAN network
Go to the [Sangfor VPN] > [Client] > [VPN Connection] tab and add a VPN connection to
Click the <LAN Privilege> button to enter the [LAN Privilege] page; configure the LAN
privileges for VPN B users accessing VPN A, only allowing the WEB service, with all other
services being denied by default, as shown below:
3.8.3 Multi-Line
Click the <New> button to enter the [Edit Multi-Line Routing Policy] webpage dialog, as shown
below:
[Policy Name]: Type in a unique name for this policy-based routing to distinguish it from others.
[Source IP], [Destination IP]: Configures the source IP, destination IP of the data packet on which
this policy routing applies. Four options are available, namely, [All], [Single IP], [IP range] and
[Subnet].
[Description]: Type in description for this policy.
Requirements: the CT line of the branch VPN and the two CT lines (CT1, CT2) of the HQ VPN
establish VPN connections and transmit data at the same time, while the CNC line and the two CT
lines (CT1, CT2) of the HQ VPN are taken as secondary lines.
Detailed configuration steps are as follows:
Step 1.
Configure the corresponding lines (in [System] > [Deploy Settings] > [Multi-Line
Settings]) on the HQ WAN Accelerator and branch WAN Accelerator respectively, as shown
below:
Step 2.
[Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] and clicking the <New> button. The
pop-up [Edit Multi-Line Routing Policy] page is as shown below:
Select the number of [Local Lines] and [Peer Lines], and leave local line CT1 and peer line
CT (Line 1), local line CT2 and peer line CT in the primary lines list; and move local line
CT1 and line CNC (Line 2), local line CT2 and peer line CNC into the secondary lines
list. Select routing mode [Evenly Allocate According to Packets].
Step 3.
Go to the [Sangfor VPN] > [Server] > [VPN Users] tab, and edit the corresponding
user; click the <Advanced> button to enter the [VPN Advanced Properties], as shown below.
Click tab name [Routing Policy] and select the routing policy (in this case is test).
To use multiple VPN lines in Single-arm mode, you need to deploy a front-end firewall or switch
that does policy routing based on source IP address, so that the packets of
different source IP addresses are forwarded to different outlets of the network; otherwise, using
multiple lines in Single-arm mode is unachievable.
Configure the deployment mode for the HQ WAN Accelerator. Go to the [System] >
[Deploy Settings] > [Network Interface] tab; select service mode [VPN and Acceleration] and
deployment mode [Single Arm]; configure the LAN interface IP address and two binding IP
addresses (note that the two binding IP addresses and the LAN interface IP address
must be on the same LAN network segment). The page is as shown below:
Step 2.
Configure multiple lines. Go to the [System] > [Deploy Settings] > [Multi-Line Settings]
tab and configure the Internet lines. The page shows that it is in Single-arm mode, and
the outlet lines displayed are Line 1 (LAN) and Line 2 (LAN), as shown below:
Step 3.
Click <Edit> to enter the [Edit Multiline] page and edit this line (as shown below). If
the mapping IP is a static IP address, check the option [Use Static Internet IP] and type in the right
IP address; type in the testing DNS addresses or leave them blank, as shown below:
Step 4.
Go to the [Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] page and
Step 5.
Go to the [Sangfor VPN] > [Server] > [VPN Users] tab to apply this routing policy to a
Please remember to map the port 4009 of the two IP addresses (of the front-end firewall)
respectively to the two binding IP addresses (not the LAN interface IP address) of this
WAN Accelerator.
This section only shows how to configure the multi-line and multi-line routing policy for
the Single-arm WAN Accelerator, other VPN configurations being ignored.
On the page above, [Administrator Name] must be the account name of the domain administrator,
and be fully written (e.g., Administrator@Sangfor.local).
Having completed configuring the LDAP server (domain server), you can click the <Advanced>
button to open the [Advanced Settings] dialog. Configure the advanced options of the LDAP, as
shown below:
[User Filter] and [Login Name Attr.]: Defaults are recommended to be used.
LDAP authentication only supports Microsoft Active Directory and Novell eDirectory,
Case Study 42: Mobile VPN User Connects in By Using LDAP Auth
Requirement: The customer wants the mobile VPN users to connect in to the HQ VPN by using LDAP
authentication, to ensure the security of its network.
Detailed configuration procedures are as follows:
Step 1.
Go to the [Sangfor VPN] > [Third-Party Auth] > [LDAP Server Settings] tab to
Type in the full name of the domain administrator account (in this scenario, it is
Administrator@support.sangfor.com); configure the attribute of the user (which group it belongs
to; in this scenario, it is under group Users), and so type in the information CN=Users,
DC=Sangfor,DC=com into the [User Root Directory] and [Search Directory] textboxes, as
shown below:
If the settings are tested correct, click the <Save> button to complete configuring the LDAP server
option.
Step 2.
Go to the [Sangfor VPN] > [Server] > [Virtual IP Pool] tab to configure virtual IP pool.
Click the <New> button to enter the [Virtual IP Settings] page. Select user type Mobile VPN
and type in the start IP and end IP of the virtual IP range (in this scenario, it is
192.168.10.100-192.168.10.110), as shown below:
Step 3.
Go to the [Sangfor VPN] > [Server] > [VPN User] tab to import domain users, by
clicking the <Import Domain User>. The system will automatically upload the domain users from
the configured LDAP server, as shown below:
Step 4.
Check the needed domain users and select user type [Mobile VPN], encryption
algorithm, and enable the user, compression and My Network Places. Finally click the <Import>
Configure the correct Radius server IP and port, shared key and select the needed authentication
protocol, and then click the <Save> button to save and apply the settings.
3.8.5 Advanced
[Advanced] covers configuration of [VPN Local Subnet], [LAN Service], [Multicast Service],
[Tunnel Route] and [Generate Certificate], as shown below:
Case Study 43: Allow VPN User to Access Multiple Local Subnets
The HQ VPN A has three subnets (192.168.10.X, 192.168.20.X and 192.168.30.X).
Requirement: To allow the branch VPN (B) users to access the three subnets after they have
connected in the HQ VPN.
Network topology is as shown below:
To meet the needs of this customer, we have to configure [VPN Local Subnet], by adding the
subnets 192.168.20.X and 192.168.30.X and the corresponding static route.
Configurations on the HQ WAN Accelerator are as follows (other VPN setups being ignored in
this section):
Step 1.
Go to the [Sangfor VPN] > [Advanced] > [VPN Local Subnet] tab to add the subnets
Add the subnets 192.168.20.0/24 and 192.168.30.0/24 into the local subnet list.
Step 2.
Go to the [System] > [Deploy Settings] > [Static Route] tab to configure a static route for
After configuring the above, the branch users will be able to access the three subnets of the HQ
VPN once they connect in.
The [Local Subnet List] acts as a kind of declaration. The subnets defined here will be
taken as VPN network segments by the VPN device and the client-end software. All the data
going through the VPN device or software will be encapsulated and transmitted through the VPN
tunnels. Therefore, you need to configure the [Static Route], in addition to adding the related
subnets into the [Local Subnet List], so as to enable the VPN users to access these subnets.
Case Study 44: Control VPN User's Privilege to Access LAN Services
Requirements: only allow the connecting-in VPN users (of subnet 192.168.20.0/24) to access the
TCP port 80 of the OA server (IP: 192.168.10.250) and to ping the OA server, with all access
requests to other servers being denied.
The network topology is as shown below:
Step 2. Under the [TCP List] tab, click the <New> button to enter the [IP Range Settings]
dialog; type in the IP addresses and port accordingly, as shown below:
[Source IP]: Fill in the source IP. In this scenario, it is the LAN IP addresses of the peer branch
VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by multiple VPN
users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the IP addresses.
[Source Port]: Type in 1-65535.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address
of the local terminal, 192.168.10.250.
[Destination Port]: Service port of the OA system, 80-80.
Step 3. Under the [ICMP List] tab, click the <New> button to enter the [IP Range Settings], as
shown below:
[Source IP]: Fill in the source IP address. In this scenario, it is the LAN IP addresses of the peer
branch VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by
multiple VPN users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the
IP addresses.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address
of the local terminal (HQ VPN), 192.168.10.250.
Here you are just defining the LAN service. After these configurations, you have to go to
[Sangfor VPN] > [Server] > [VPN Users] tab, to create/edit a VPN user account and
configure its [LAN Privilege] to complete configuring the LAN service.
The LAN services configured here may be referenced by [IPSec Connection] > [IPSec VPN]
> [Inbound Policy] and [Outbound Policy]. For details, please refer to Section 3.9.1.2 Phase
II.
Go to the [Sangfor VPN] > [Server] > [VPN Users] tab to create/edit the branch VPN user; click the
<LAN Privilege> button.
Step 4. In the pop-up [LAN Privilege Settings] dialog, move the OA LAN service to the
service list at the right side. Check the [Allow] checkbox and select [Default action] Deny, as
shown below:
After the above five steps, the branch VPN users whose IP addresses are 192.168.20.0/24 can
access the local OA server 192.168.10.250 once they connect in the local terminal (HQ VPN)
successfully, and the requests initiated by the branch VPN users for other services will be denied.
These settings also block the access requests initiated by the other computers of the local
terminal to access the branch, because the [LAN Service] settings will deny the response packet
sent from other computers of the local terminal if the destination IP address is not 192.168.10.250
(IP address of the OA server).
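The Case Study 44 rule set and the side effect noted above, modelled as an added Python example (not Sangfor code). It assumes stateless, first-match evaluation of packets arriving from the peer; Entry, decide, wide_sources and the sample packets are constructed for illustration, while the address and port ranges are those given in the case study.

```python
import ipaddress
from dataclasses import dataclass

ANY_IP = ("0.0.0.0", "255.255.255.255")   # "all the IP addresses" in the manual
ANY_PORT = (1, 65535)


def _in_range(ip, ip_range):
    lo, hi = (int(ipaddress.ip_address(x)) for x in ip_range)
    return lo <= int(ipaddress.ip_address(ip)) <= hi


@dataclass(frozen=True)
class Entry:
    """One row of a LAN service's [TCP List] or [ICMP List]."""
    proto: str
    src: tuple
    dst: tuple
    sport: tuple = ANY_PORT
    dport: tuple = ANY_PORT

    def matches(self, proto, src_ip, dst_ip, sport=None, dport=None):
        if proto != self.proto:
            return False
        if not (_in_range(src_ip, self.src) and _in_range(dst_ip, self.dst)):
            return False
        if proto == "icmp":
            return True  # ICMP rows carry no ports
        if sport is None or dport is None:
            return False
        return (self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])


# LAN service "OA" as configured in Steps 2 and 3 of the case study.
BRANCH = ("192.168.20.1", "192.168.20.254")
OA = ("192.168.10.250", "192.168.10.250")
SERVICES = {
    "OA": [Entry("tcp", BRANCH, OA, ANY_PORT, (80, 80)),
           Entry("icmp", BRANCH, OA)],
}
# [LAN Privilege] of the branch user: OA allowed, [Default action] Deny.
PRIVILEGE = [("OA", "allow")]
DEFAULT_ACTION = "deny"


def decide(packet, privilege=PRIVILEGE, services=SERVICES, default=DEFAULT_ACTION):
    """Verdict for one packet received from the peer VPN (assumed model)."""
    for name, action in privilege:
        if any(entry.matches(**packet) for entry in services[name]):
            return action
    return default


def wide_sources(services):
    """Services with a row whose source range is every IP address."""
    return sorted({name for name, rows in services.items()
                   for row in rows if row.src == ANY_IP})


# Constructed packets; the last one is the branch's reply to a connection
# that a HQ computer (192.168.10.30) opened towards the branch.
PACKETS = {
    "branch to OA web": dict(proto="tcp", src_ip="192.168.20.15", sport=40000,
                             dst_ip="192.168.10.250", dport=80),
    "branch to OA on 443": dict(proto="tcp", src_ip="192.168.20.15", sport=40001,
                                dst_ip="192.168.10.250", dport=443),
    "branch pings OA": dict(proto="icmp", src_ip="192.168.20.15",
                            dst_ip="192.168.10.250"),
    "branch reply to HQ PC": dict(proto="tcp", src_ip="192.168.20.15", sport=445,
                                  dst_ip="192.168.10.30", dport=51515),
}


def verdicts():
    return {label: decide(packet) for label, packet in PACKETS.items()}


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{verdict:5}  {label}")
```

The last verdict is the side effect described above: the reply never reaches the HQ computer because its destination is not 192.168.10.250.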
Click the <New> button and the [Multicast Service] webpage dialog pops up. You can configure
the needed IP addresses and ports for the multicast service, as shown below:
After you have defined the multicast service, you can add/edit user on the [Sangfor VPN] >
[Server] > [VPN Users] tab and click the <Advanced> button to enter [VPN Advanced Properties]
> [Multicast Service] and enable the selected multicast service(s), as shown below:
Before using the multicast service(s) configured on the [VPN Advanced Properties] >
[Multicast Service] tab, first you have to check the [Enable Multicast] option on the [Sangfor
VPN] > [Server] > [Basic Settings] > [Advanced Settings] tab, as shown below:
Click the <New> button to add a new tunnel route. The pop-up [Configure Route] dialog is as
shown below:
[Destination Route User] determines the VPN device to which the data packets are forwarded
by this tunnel route (indicating the corresponding username selected in the [Sangfor VPN] >
[Client] > [VPN Connection] > [Edit Connection]). In this scenario, Shanghai branch has
The VPN user account acting as destination route user cannot be used by multiple users to
log in to the HQ VPN.
Step 2. Configure the Guangzhou WAN Accelerator. Go to the [Tunnel Route] tab; click the
<New> button to add a tunnel route that directs to the Beijing branch VPN; check the [Enable]
option, as shown below:
Case Study 46: Access Internet via VPN Destination Route User
In addition to the above introduced function, SANGFOR VPN tunnel route may also be used to
forward all the Internet access data to the HQ VPN, so that the branch VPN users can only access
the Internet via the network outlet of the HQ VPN.
Send this certificate to the administrator of the HQ VPN. Then, the administrator can check the
[Enable Hardware Auth] option, upload this hardware certificate and bind it with the user while
creating a user account for this VPN user, as shown below:
[Single arm setting]: Leave these settings blank unless the single-arm WAN Accelerator is involved
in multiple lines. For the detailed configuration guide and usage of the multi-line routing policy of
single-arm VPN, please refer to Case Study 41: Configure Multi-Line Routing Policy for
Single-Arm VPN in Section 3.8.3.1 Multi-Line Routing Policy.
3.9 IPSec Connection
SANGFOR WAN Accelerator allows a third-party VPN to interconnect with the existing
networks, establishing a standard IPSec VPN connection. [IPSec VPN] covers [IPSec Connection]
configurations, as shown below:
3.9.1.1 Phase I
[Phase I] page configures the peer VPN device which is to establish standard IPSec connection
with the SANGFOR WAN Accelerator. This is the first phase of standard IPSec protocol
negotiation.
The default configuration page is as shown below:
The encryption algorithm SANGFOR_DES is available only when both parties are
[ISAKMP Authentication Algorithm]: Select an authentication algorithm for Phase I. Options are
[MD5] and [SHA-1].
[Pre-shared Key]: Configures the shared key of the two parties.
[D-H group]: Defines the Diffie-Hellman group of the two negotiating parties. Options are group1,
group2 and group5.
[ISAKMP Live Time]: Defines the life time of the Phase I policy, in unit of second.
[Retry Times]: Configures the retry times of Phase I negotiation.
Check the [Enable Rule] option and click the <OK> button. This policy is enabled and applies
immediately.
3.9.1.2 Phase II
[Phase II] page configures the related policies for establishing a standard IPSec connection. This is
the second phase of IPSec protocol negotiation, consisting of configurations of [Outbound
Policies] and [Inbound Policies].
The default configuration page is as shown below:
[Outbound Policies]: Configures the rules for delivering the data packet from the local device to
the peer device.
Click the <New> button to add new policy; the options are as shown below:
[Inbound Policies] section configures the rules for data transfer from the peer device to the local
device.
Click the <New> button to add a new policy; the options are as shown below:
Click the <New> button and the options appear as shown below:
Before establishing IPSec connection with the third-party device, specify a policy to connect the
peer device, including encapsulation [Protocol] adopted by the peer device (AH or ESP), the
[Authentication] algorithm (MD5 or SHA-1), [Encryption] algorithm (DES, 3DES, AES or
SANGFOR_DES).
Click the <OK> button to save and enable the policy. The SANGFOR WAN Accelerator will use
these policies to negotiate with the peer to establish an IPSec connection.
[Security option] > [Encryption] algorithm is to specify the data encryption algorithm for
the standard IPSec Phase. As to interconnecting several devices which adopt different
connection policies, you have to add the connection policies of each device respectively to
The Internal Data Center includes the following 8 modules: [Home Page], [History Report],
[Customize Report], [Statistics], [WANO Report], [Trend Report], [Search] and [System
Management].
The first time you log in to the Internal Data Center, you may be required to install the pop-up
ActiveX control.
Click "This site might require the following ActiveX control: WebUI Control from Sangfor
Technologies Co., Ltd. Click here to install" and then click "Install ActiveX Control".
Follow the instructions to finish installation, as shown below:
4.1 Home Page
Click [Home Page] and you will see the following page:
[Login], [Logout]: Click [Login] or [Logout] to log in with another user account or log out the
current user respectively.
[Current User]: Displays the name of the current user who is logged in to the Data Center Web UI.
[Quick Link]: Displays the built-in quick links of this Data Center, to some search results or
history reports.
4.2 History Report
[History Report] displays the one-off and periodic customized reports and system default reports.
The page is as shown below:
[Generated Report Search]: Searches for the already-generated reports (history reports), with the
specified conditions. The conditions are as shown below:
<First>, <Last>: If there are large numbers of reports, click it to go to the first or last page of the
[Generated Report] list.
<Previous>, <Next>: Click it to go to the previous or next page of the [Generated Report] list.
[Records/page 100 records]: Indicates 100 records (report items) are displayed per page. Other
options are 10, 20, 50 and 100.
If there are too many reports in the [Generated Report] list, you can delete some of them
manually.
[Select]: Tick the checkbox of a report record and the report is selected.
<Select all>: Click this button to select all the report items of the current page.
<Reverse>: Click this button to deselect report items and select the other unselected report items.
<Delete>: Click this button to delete the selected report(s).
<Delete all>: Click this button to delete all the report items at one time.
The displayed information includes [Report name], [Report type], [Generation time], [User],
[Operation]. The page is as shown below:
<View>: Click this button to view the detailed information of this report, as shown below:
The above figure shows the statistics of a user group, including total flow statistics and the
behavior counts. Each type of statistics is listed, in chart or in table. Here, we are not to introduce
the chart and table in detail.
<Print>: Click it to print this report.
<Export>: Click it to export the report, in format of PDF.
<Send mail>: Click it to send the report to the specified email address.
4.3 Customize Report
The Internal Data Center of SANGFOR WAN Accelerator 6.0 lets you customize reports.
The administrator can define statistics reports, trend reports and summary reports, according to
various objects, contents and date/time.
Click the <Previous> button to go back to the previous step; or click the <Next> button to go to
the next step.
Step 3: Set report filtering conditions.
[Make report on each application] indicates that multiple reports will be generated if there are
several applications being selected, at least one report specific for each application.
[Make report on multiple applications] indicates that only one report will be generated even
though there are several applications being selected. This report covers the related statistics of
these selected applications.
Click the <Previous> button to go back to the previous step; or click the <Next> button to go to the
next step.
Step 4: Configure date and time.
[Time]: Specifies the time period whose data are to be collected. Options are [Time range] and
[Time object].
[Time range]: Specifies the time range whose data are to be collected. It can be any time of the
day.
[Time object]: Select a time object (a time schedule defined on the WAN Accelerator; for details,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day],
[Office hours], [Non-office hours] and [Internet Access Total Time[Null]].
[One-off report(generate only once)] indicates that the report will only be generated once. Select
[Display Ranking]: Defines the top ranking statistics that will be made in the report. Maximum
100 supported.
[Chart type]: Defines the graph type in which the statistics are displayed. Options are [Bar chart] and [Pie
chart].
[Report name]: Defines the name of the report to be generated.
[Subscribe]: Configures the subscription options.
Check [Subscribe the report](Use default SMTP setting) and the generated report will be delivered
to the email address of the administrator. The default receiver address is the address configured on
[System Configuration] page; if you want to have the email delivered to another email address,
check this option and enter the [Receiver address].
[Receiver address]: Configures the email address to receive this report.
Or click the <SMTP setting> link to enter the [System Configuration] page.
Check the [Send report to subscribed mailbox even it is null] option and the generated report will
be sent to the receiver address even though the report has no content.
Provided that the report name is weekly and other options are defaults, as shown below:
Click the <Finish> button and the prompt will be If periodic report is selected, you can perform
the following operations:
[Daily]: The generation time of the report will be determined by the time configured on
[System Management] > [System Configuration] page.
[Weekly]: Indicates that the report will be generated every Sunday. The generation time of
the report will be determined by the time configured on [System Management] > [System
Configuration] page.
[Monthly]: Indicates that the report will be generated on the first day of every month. The
generation time of the report will be determined by the time configured on [System
Management] > [System Configuration] page.
The above report generation time options also apply to periodic reports of the other report
types (such as WANO report, trend report).
Step 4: Select statistic date and time. [Time range] is [00:00:00]-[23:59:59]; [Time object] is [All
day]; [Periodic report] is [Monthly] report, which means generating the report every month, as
shown below:
Step 5: Complete report setting. [Display Ranking] is top 30; [Chart type] is [Bar chart]; [Report
name] is Monthly_All. Check the option [Subscribe the report](Use default SMTP setting); and
enter [Receiver address] test@abc.com; check the [Send report to subscribed mailbox even it is
null] option, and the report will be sent to test@abc.com even though the report has no content.
Step 6: Click the <Finish> button to complete customizing the statistic report. Click the <Save
and Generate> button to save the report to the Report Template list and generate a report
immediately (at the same time, the generated report will be sent to the receiver address
test@abc.com).
Select [Trend report] and the report generated according to this report template will be Trend
report.
Click the <Next> button to go to the next step.
Step 2: Select ranking object.
Select [IP ranking] and the ranking statistics will be made on the basis of IP addresses.
Select [Application ranking] and the ranking statistics will be made on the basis of applications.
Click the <Previous> button to go back to the previous step; or click the <Next> button to go to the
next step.
Step 3: Select the statistic content.
Statistics trend falls into two types: [Flow statistic] and [Flow Speed Statistic].
[Make report on each application] indicates that multiple reports will be generated if there are
several applications being selected, at least one report specific for each application.
[Make report on multiple applications] indicates that only one report will be generated even
though there are several applications being selected. This report covers the statistics of these
selected applications.
Click the <Previous> button to go back to the previous step; or click the <Next> button to go to the
next step.
Step 5: Configure date and time.
[One-off report(generate only once)] indicates that the report will only be generated once.
[Statistic time]: Defines the time range for the data which are to be collected; options are [This
Provided that the report name is Periodic report_Weekly and other options are defaults, as
shown below:
Click the <Finish> button and the prompt will be If periodic report is selected, you can perform
the following operations:
Select [Sum report] and the report generated according to this report template will be summary
report.
Click the <Next> button to go to the next step.
Step 2: Configure date and time.
[One-off report(generate only once)] indicates that the report will only be generated once.
[Date range]: Defines the date range for which the data are to be collected.
[Statistic time]: Defines the time range for the data which are to be collected for making the trend
report; options are [This day], [This week] and [This month].
[Date]: Defines the date based on which the data are to be collected for making the trend report, of
the day, of the week or of the month.
Select [Periodic report] and the report will be generated periodically, [Daily], [Weekly] or
[Monthly].
Click the <Previous> button to go back to the previous step; or click the <Next> button to go to the
next step.
Step 3: Complete report settings.
[Display Ranking]: Defines the top ranking statistics that will be made in the report. Maximum 100
supported.
Provided that the report name is Periodic report _Monthly and other options are defaults, the
configurations are as shown below:
Click the <Finish> button and the prompt will be If periodic report is selected, you can perform
the following operations:
[Report Template]: Displays all the user-defined report templates and system default report
templates. Here you can edit and delete the report template.
There are two system default report templates, namely, [Default daily summarization report]
and [Default weekly summarization report].
[Report name]: Indicates the name of the report template, for instance, name of a system default
template is [Default weekly summarization report].
[Report type]: Indicates the type of the report template, for instance, [Weekly customized report].
[Latest generation time]: Indicates the latest time this report template is used to generate a report,
for instance, 2010-06-25.
[User]: Indicates the administrator of the Data Center who has created this report template, for
instance, [admin].
[Operation]: Indicates the operation that can be executed on this report template. Available options
are [Edit], [Delete], [Generate] and [View].
<Edit>: Click it to edit the corresponding report template.
<Delete>: Click it to delete the corresponding report template.
<Generate>: Click it to immediately generate a report based on this report template.
<View>: Click this button to view the already generated reports of this template. The report page
is the same as that of the [History Report] (for details, please refer to Section 4.2 History Report).
[Operation information]: Displays the [Tips] information and the operation results, for instance, it
gives the information: You can generate the report of 2010-06-26 and earlier time now.
<Report wizard>: Click this button to enter the default page of [Customize Wizard].
<Import>: Click this button to import the report template settings, as shown below:
Click the <Browse> button and the following dialog pops up:
Select the needed file and then click the <Open> button to upload the file, as shown below:
Click the <OK> button to import the backup report template to the Data Center.
<Export>: Click this button to export the report template settings. The pop-up dialog is as shown
below:
Click the <Save> button and save the configuration file into the local computer.
<Generate all>: Click this button to generate reports based on all the report templates listed.
4.4 Statistics
Internal Data Center of the SANGFOR WAN Accelerator 6.0 mainly helps to make flow statistics
of the users that access the Internet, and provides quick links to make some commonly needed
statistics as well.
4.4.1 IP Flow
[IP Flow] indicates that IP address is the object based on which the flow statistics and rankings are
made, according to the selected application type and time range.
[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and
[Total Flow].
[Date range]: Defines the date range based on which the data are to be collected.
[Time]: Defines the time range whose data are to be collected. Options are [Time range] and [Time
object].
[Time range]: Specifies the time range and the report will be generated at any time during that
time range, based on this report template.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be
covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office
hours] and [Internet Access Total[Null]].
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
[Ranking display]: Specifies how many top users will be displayed that caused the most flow with
the selected application, maximum 100 supported.
<Statistic>: Click this button to make the flow statistics. The statistics made are as shown below:
The flow and related information are shown in graphs or listed in tables. You can read clearly the
detailed searched results.
[Click to select the column]: Click it and you can select the needed columns to have them and the
corresponding information displayed in the table.
Click the host IP address, application, main application flow detail, uplink, downlink or total flow
of a corresponding record, and you will enter the flow search page of that record.
<Generate report>: Click this button to generate a report according to the specified conditions.
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
automatically made, emailed to the administrator and saved to the Report Template list. The page
is as shown below:
[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and
[Total Flow].
[Time]: Defines the time range whose data are to be collected. Options are [Time range] and [Time
object].
[Time range]: Specifies a time range and the flow caused during that time range will be collected.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be
covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office
hours] and [Internet Access Total[Null]].
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
<Favorite>: Click this button and the specified conditions will be saved as a report template and
listed on the [Quick Link] on the [Home Page]. If you want to get data of the same conditions,
you need only click the corresponding quick link to enter the search page. This function facilitates
you to save your search preferences. Click the button and name this bookmark, as shown below:
As seen on the [Home Page], the newly added bookmark is listed under [Customized Link], as
shown below:
[Host IP]: Configures host IP address whose application flow statistics are to be made.
[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and
The flow and related information are shown in graphs or listed in tables. You can read clearly the
detailed search results.
[Click to select the column]: Click it and you can select the needed columns to have them and the
corresponding information displayed in the table.
<Generate report>: Click this button and the report will be generated according to the specified
conditions. For details, please refer to Section 4.4.1 IP Flow.
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. For details, please refer to Section 4.4.1 IP Flow.
<Favorite>: Click this button and the specified conditions will be saved as a report template and
listed under [Customized Link] on the [Home Page]. For details, please refer to Section 4.4.1 IP
Flow.
4.5 WANO Report
WANO report mainly collects the information of the data being accelerated. You can also get
trend report and report on acceleration connections. [WANO Report] module includes [IP
Connection], [Application Connection], [IP Flow Trend], [Application Flow Trend], [Acceleration
User Flow Trend] and [Device Flow Trend].
4.5.1 IP Connection
[IP Connection] makes statistics of the IP connections accelerated, as shown below:
[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time range whose matching data are to be collected.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most
connections.
<Statistic>: Click this button to make the IP connection statistics. The statistics made are as
shown below:
The flow and related information are shown in graphs or listed in tables. You can read clearly the
detailed searched results. As shown in the above figure, the connections of an acceleration tunnel
caused by each IP address are displayed and ranked.
[Click to select the column]: Click it and you can select the needed columns to have them and the
corresponding information displayed in the table, as shown below:
<Generate report>: Click this button to generate a report according to the specified conditions.
Enter [Report name] (as shown below). Click the <Submit> button and a report will be generated
according to the specified conditions.
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[Time]: Specifies the time period whose IP connections information are to be collected.
[Application type]: Specifies the application type according to which the IP connections statistics
are to be made.
[Specific application]: Specifies the application according to which the IP connections statistics
are to be made.
[Ranking display]: Specifies how many top users (IP addresses) will be displayed that caused the
most connections with the selected application, maximum 100 supported.
[Report name]: Defines the name of the report.
Click the <Subscribe> button and the following options appear.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this
[Host IP]: Configures the host IP address whose application connection statistics are to be made.
[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time period of the date range based on which the matching data are to be
collected.
[Ranking object]: Specifies the application type or application whose related data are to be
collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most
The flow and related information are shown in graphs or listed in tables. You can read clearly the
detailed searched results. As shown in the above figures, the displayed statistics in the graph and
table are number of connections caused by the corresponding application, as well as the
connection rankings.
[Click to select the column]: Click it and you can select the needed columns to have them and the
corresponding information displayed in the table, as shown below:
<Generate report>: Click this button to generate a report according to the specified conditions.
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[Host IP]: Configures host IP address whose application connections statistics are to be made.
[Time]: Specifies the time period whose matching data are to be collected.
[Ranking object]: Specifies the application type or application whose related data are to be
collected.
[Ranking display]: Specifies how many top applications will be displayed that caused the most
connections, maximum 100 supported.
Click the <Subscribe> button and the following options appear.
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Statistic Time]: Specifies the time period whose data are to be collected.
[Date]: Specifies the date based on which the matching data are to be collected.
The flow speed and related information are shown in graphs or listed in tables. You can read
clearly the detailed search results. These results, such as flow of each IP address and flow speed
trend, shown in the graph and table are made according to the specified conditions.
<Generate report>: Click this button to generate a report according to the specified conditions.
Enter [Report name], as shown below:
[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this
report template, the report will be sent to the designated receiver's email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report
template, under [Customized Link], as shown below:
[Host IP]: Configures the host IP addresses whose application flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Statistic time]: Specifies the time period applicable.
[Date]: Specifies the date based on which the matching data will be collected.
[Flow type]: Specifies the type of flow.
As shown in the above figures, bandwidth usage (flow) caused before and after acceleration are in
detailed comparison, and the average flow and reduction ratio information are also provided.
The above graphs and table show the acceleration information of HTTP file download, including
the flow and bandwidth usage before acceleration (Before Acc) and after acceleration (After Acc),
as well as reduction rate (Discharge Acc), ratio of the uplink flow and downlink flow to the total
flow.
If there are other applications, the other charts and tables will show the corresponding data.
<Generate report>: Click this button to generate a report according to the specified conditions.
Enter [Report name], as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[Object list]: Specifies the application types whose related data are to be collected.
[Search object]: Specifies the users whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
Click the <Subscribe> button and the following options appear.
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this
report template, the report will be sent to the designated receiver's email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report
template, under [Customized Link], as shown below:
[User name]: Specifies the acceleration users whose flow speed information will be counted into
the statistics.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Statistic time]: Specifies the time period applicable.
[Date]: Specifies the date based on which the matching data will be collected.
The searched results and statistics shown in the above graphs and tables are of a specified
acceleration user group, including the flow caused before acceleration and that after acceleration,
and reduction rate.
The searched results and statistics shown in the above graphs and tables are of [All users],
including the flow and bandwidth used before acceleration and that after acceleration, and
reduction rate.
<Generate report>: Click this button to generate a report according to the specified conditions.
Enter [Report name], as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[User name]: Specifies the acceleration users whose flow speed information will be counted into
the statistics.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
Click the <Subscribe> button and the following options appear:
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Device name]: Specifies the device whose related data are to be collected.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Statistic Time]: Specifies the time period whose data are to be collected.
[Date range]: Specifies the date based on which the matching data are to be collected.
The results and statistics shown in the above graph and table are of the local WAN Accelerator,
including uplink/downlink flow volume caused before and after acceleration, reduced flow and
reduction rate.
<Generate report>: Click this button to generate a report according to the specified conditions.
Enter [Report name], as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[Host IP]: Configures the host IP addresses whose device flow statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
Click the <Subscribe> button and the following options appear:
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this report is to be generated. Options are [Daily], [Weekly]
and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this
report template, the report will be sent to the designated receiver's email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report
template, under [Customized Link], as shown below:
4.6 Trend Report
Trend report collects the flow trends of Internet access as well as the trends of Internet behavior
counts of the users. A trend chart or table collects the information of flow caused at each time
point of a certain period of time. This trend information often leads to detailed conclusions about
and analysis of the flow statistics, and helps the administrator view the utilization of the
network visually.
[Trend Report] falls into [IP Flow Trend] report and [Application Flow Trend] report.
The page is as shown below:
[Application type]: Specifies the application type whose related flow trends are to be made, such
as the applications of P2P, HTTP, File Download, etc.
[Specific application]: Specifies the application whose related flow trends are to be made, such as
WebMail of HTTP application type.
[Statistic time]: Specifies the period of time whose flow trends are to be made; options are [This
day], [This week] and [This month].
[Date]: Specifies the date whose flow trends will be covered. It only works in association with the
specified [Statistic time]. For example, if you select [This day], it will only collect the flow data
of this day (specified by [Date]) to make flow trend statistics; if you select [This week], it will
only collect the flow data of this week (the same week where the specified [Date] belongs) to
make flow trend statistics; if you select [This month], it will only collect the flow data of this
month (the same month where the specified [Date] belongs) to make the flow trend statistics.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend
statistics.
[Trend type]: Specifies [Total flow] or [Flow Speed] to make the trends statistics, among which
[Total flow] indicates that it shows the trends of flow volume; while [Flow speed] indicates that it
The flow speed and related information are shown in graphs or listed in tables. You can read
<Subscribe>: Click this button to subscribe this statistics search. The trend statistics report will be
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. The page is as shown below:
[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose flow trends data are to be collected.
[Specific application]: Specifies the application whose flow trends data are to be collected.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend
statistics.
0:00~6:00 o'clock is only a default time. You can modify it on the [System Management] >
[System Configuration] page of the Data Center; as for detailed configuration guide, please refer
to Section 4.8.2 System Configuration.
[Mail subscription]: Specifies the email address of the receiver. Once a report is generated
according to this report template, the report will be sent to the designated receiver's email address.
<Favorite>: Click this button and the specified conditions will be saved as a report template and
listed under [Customized Link] on the [Home Page]. If you want to get data of the same
conditions, you need only click the corresponding quick link to enter the search page. This
function facilitates you to save your search preferences. Click the button and name this bookmark,
as shown below:
Click the <Submit> button and the report template with the newly-specified conditions is seen on
[Host IP]: Configures the host IP addresses whose flow trends are to be made.
The flow speed and related information are shown in graphs or listed in tables. You can read the
details from the searched results visually.
4.7 Search
[Search] includes [Flow Search], [Firewall Log] and [Gateway Operation Log] search.
The default page is as shown below:
[Excluded object]: Specifies the objects excluded from the flow search. Options are [All user],
[Gateway Connect-in user], [Gateway Connect-out user] and [Host IP]. The entered objects are
generally the objects that are covered by the [Search object].
[Application]: Specifies the application type whose flow data are to be searched, for instance,
applications such as P2P, HTTP, File Download, etc.
[Specific application]: Specifies the application whose related flow data are to be searched, such
as WebMail of HTTP application type.
[Time]: Defines the time range of the flow data. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the flow caused during that time range will be covered.
[Time object]: Specifies a time schedule and the flow data caused during that time schedule will
be covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office
hours] and [Internet Access Total[Null]].
[Date range]: Specifies the date range based on which the matching data are to be covered.
Click the <Search> button and the details of the matching objects are displayed in the [Flow
Search Result] list, as shown below:
<Export log>: Click this button and the search results will be exported in .xls format. Click the
<here> link to download and save the Excel document to the local computer, as shown below:
<Favorite>: Click this button and the specified conditions will be saved as a report template and
listed under [Customized Link] on the [Home Page]. If you want to search data with the same
conditions, you need only click the corresponding quick link to enter the search page. This
function facilitates you to save your search preferences. Click the button and name this bookmark,
as shown below:
Enter the name and then click the <Submit> button to save the search template listed on the
[Home Page], under [Customized Link], as shown below:
[Flow Search Result]: Displays the results searched according to the specified conditions, as
shown below:
Click the icon to view the search result in extended mode. The data displayed in extended view
Click the icon to view the search result in list view mode. The results displayed in list view
338
Click <First> or <Last> to go to the first page or the last page of the search results.
Click <Previous> or <Next> to go to the previous page or the next page of the search results.
[Click to select the column]: Click it and select the needed columns to have them displayed in the
table, as shown below:
[Records/page 100 records]: Indicates that 100 of the matching records are displayed per page.
[Sort by time(desc)] and [Sort by time(asc)] are not available in this version.
[Destination port]: Specifies the destination port to which the needed firewall logs are related.
[Source IP]: Specifies the source IP address to which the needed firewall logs are related.
[Date range]: Specifies the date range of the firewall logs to be covered.
[Time]: Defines the time range of firewall logs. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the firewall logs recorded during that time range will be
covered.
[Time object]: Specifies a time schedule and the flow data caused during that time schedule will
be covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office
hours] and [Internet Access Total[Null]].
Check the [Search in detail] option and more filtering conditions appear, as shown below:
The function and use of [Firewall Log Search Result] are almost the same as those of [Flow Search
Result]. For a detailed introduction, please refer to the relevant part in Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed
guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen
on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.
[Console user]: Specifies the objects whose related gateway operation logs are to be searched.
Options are [User] and [IP].
[Date range]: Specifies the date range during which the gateway operation logs are recorded.
[Time]: Defines the time range of gateway operation logs. Options are [Time range] and [Time
object].
[Time range]: Specifies a time range and the gateway operation logs recorded during that time
range will be covered.
[Time object]: Specifies a time schedule and the gateway operation logs recorded during that time
schedule will be covered (time schedule is defined on the WAN Accelerator; for detailed
configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office
hours], [Non-office hours] and [Internet Access Total[Null]].
[Description]: Enter a description for the searched gateway operation logs.
Click the <Search> button and the details of the matching firewall logs are displayed in the
[Operation Log Search Result] list, as shown below:
For the detailed introduction to [Operation Log Search Result], please refer to the relevant part in
Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed
guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen
on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.
4.8 System Management
[System Management] configurations help you manage the log library and user login to Internal
Data Centers, and configure the parameters for the system.
[System Management] includes three parts, namely, [Log Library Mgt], [System Configuration]
and [Configuration Import/Export]. The default page is as shown below:
[Date range]: Specifies the date range during which the libraries are recorded.
<Search>: Click this button to search for the needed logs according to the specified date range.
The search result will be displayed, including the information of table size, size of the attachment
and the log library.
<Select all>: Click this button to select all the displayed libraries of this page.
<Reverse>: Click the button to deselect the selected libraries and select the other unselected
libraries of this page.
<Delete>: Click this button to delete the selected log libraries.
<Delete all>: Click it to delete all the log libraries.
As shown in the above figure, the current status of disk usage is shown in a pie chart and in a table,
including information of total disk space (Total), used disk space (Used), free disk space (Free)
and percentage of free disk space.
The newly-imported system configurations will replace the original configurations of the
Data Center, and the newly-imported customized report templates will be added to the report
template list of the corresponding report type.
Memory: 256MB or above (VPN-only client software); 512MB or above (VPN-Plus-Acceleration client software)
Hard disk: remaining partition 50MB or above (VPN-only client software); 1GB or above
(VPN-Plus-Acceleration client software)
Operating system: Windows 2000 server, Windows XP (32bit), Windows 2003 server
(32bit), Windows Vista (32bit) and Windows 7 (32bit)
5.1
5.1.1 Installation
1.) Double-click the program PACC6.0_EN.exe to install the PACC software (alias of
SANGFOR acceleration-only client software), as shown below:
Before continuing the installation of PACC software, please terminate the antivirus program on
your computer. You can run the antivirus software after the installation finishes.
2.) Click the <OK> button and the Wizard page appears, as shown below:
3.) Click the <Next> button to go to the next step, as shown below:
4.) Enter the username and company name; click the <Next> button to go to the next step, as
shown below:
5.) Select an installation directory; click the <Next> button to go to the next step, as shown
below:
6.) Click the <Install> button. When installation completes, the computer must be restarted, as
shown below:
7.) Click the <Finish> button and the installation completes. After computer reboot, the Sangfor
PACC software icon will appear on the desktop of your computer, as shown below:
5.1.2 Deployment
SANGFOR PACC software supports the following two types of network deployments:
a.) Bridge Mode
The WAN Accelerator is deployed in Bridge mode in the local area network (LAN); the front-end
firewall maps the TCP/UDP 5400 (default) port to SANGFOR WAN Accelerator, as shown in the
network topology below:
5.1.3 Usage
The logon interface of the PACC software of SANGFOR WAN Accelerator is as shown below:
[Gateway address]: Specifies the IP address of the SANGFOR WAN Accelerator that is to be
connected to.
[Port]: Configures the port used by SANGFOR WAN Accelerator that is to be connected to.
[Username] and [Password]: Enter the corresponding username and password configured on the
server WAN Accelerator for this PACC user.
[Save Profile]: Check this option to save the entered information such as gateway IP address, port,
username and password, so that this PACC user does not need to enter the information
again at the next login.
[Login automatic]: Check this option so that the PACC user can automatically log in to the WAN
Accelerator next time when the PACC user double-clicks the PACC software icon.
<Setting>: Click this button and the [PACC Setting] dialog appears, as shown below:
[Network type]: Specifies the type of network through which the client PC connects to the Internet. If it is
connected wirelessly (through CDMA, GPRS, etc., but excluding WiFi, etc.), choose the
corresponding option (Wireless network) and it will optimize the wireless networks.
[Enable datacache]: Check this option and select a directory to enable byte cache function of the
local terminal.
<Clear>: Click it to clear the byte cache files in the Cache directory.
[Cache size]: Configures the size of the local hard disk allocated to the byte cache.
[Transmission type]: Configures the protocol that the PACC software uses for connecting to the
SANGFOR WAN Accelerator. If packet loss happens, please select HTP protocol; otherwise,
select TCP protocol. However, [Auto] is recommended.
[Enable LSP Service]: Check this option and it will capture the data packets of the applications
that are going through the WAN accelerations, except those of My Network Places and Exchange.
[Enable TDI Service]: Check this option and it supports the acceleration of My Network Places
and Exchange. The option takes effect after computer reboot.
Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP
type], etc., as shown below:
[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.
[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies;
options are [Single IP], [IP range] and [Subnet].
Click the <Edit> button to modify the existing exclusion rule.
Click the <Remove> button to delete the existing exclusion rule.
[Login Setting] includes [Gateway], [Port], [Username], [Password], [Save profile], [Auto login],
and [Start with system], as shown below:
<Stop PACC>: Click this button to stop connecting the PACC software to the server WAN
Accelerator.
<Change PW>: Click this button to modify the password for the PACC user.
<Help>: Click this button to view the help information of the PACC software.
<View Log>: Click this button to view the connection logs of this PACC software, as shown
below:
5.2
5.2.1 Installation
1.) Double-click the program Dlan4.32_PDLAN_Setup.exe to install the client software. Before
installing, please terminate the antivirus program of your computer; otherwise, installation
will fail.
2.) Click the <Next> button to go to the next step, as shown below:
4.) Select an installation directory and click the <Next> button to go to the next step, as shown
below:
5.) Check or uncheck Sinfor Dkey Driver and click the <Next> button to go to the next step, as
shown below:
6.) During installation, the computer must be disconnected from the Internet.
To ensure that the installation goes smoothly, disable the Local Area Connection of the
computer. You can enable it after installation completes, as shown below:
7.) Click the <Continue> button. When installation completes, the computer must be restarted,
as shown below:
9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown
5.2.2 Deployment
SANGFOR PDLAN (alias of VPN-only client software) supports the following two types of
network deployment:
a.) Bridge Mode
The WAN Accelerator is deployed in Bridge mode; the mobile VPN user and WAN Accelerator
establish VPN connection. The network topology is as shown below:
5.2.3 Usage
The first time the PDLAN client software runs, the Config Wizard appears, as shown below:
1.) Select a method of configuring the system, [Manual] or [Import Config File]. The
configuration file to be imported should be provided by the HQ VPN administrator who has
used the corresponding VPN user account and exported the configurations of the HQ WAN
Accelerator. Generally, it is recommended to configure the system manually.
Click the <Next> button to go to the next step, as shown below:
2.) Type in the Webagent of the HQ WAN Accelerator and click the <Test> button to check the
validity of the Webagent addresses, as shown below:
If the HQ WAN Accelerator uses one static IP address, type in the Webagent in the format
IP:port, as shown below:
If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in
the format IP1#IP2:port, as shown below:
Please contact the HQ VPN administrator to ask for the Webagent address(es).
3.) Click the <Next> button and type in the username and password to be used by this mobile
VPN user to connect to the HQ VPN, as shown below:
4.) Click the <Next> button and then confirm the correctness of the configured options, as shown
below:
System Info
<Change>: Click this button to edit the password of the VPN-only client software. Mobile
VPN users who do not know this password will be unable to run this software.
<Backup>: Click this button to backup the configuration of the VPN-only client software to the
A time schedule is configured in the same way as in Section 3.4.4.3. After
configuring a time schedule, you have to click the <Apply> button to save and apply the settings;
otherwise, the settings will not be saved or take effect.
[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are
supported by this VPN-only client software. The default page is as shown below:
To add an algorithm, click the <New> button and then manually add the algorithm into the list.
After configuring the page, you have to click the <Apply> button (at the bottom right
of the page) to save and apply the settings; otherwise, the settings will not be saved or take
effect.
If you want to add and use your own encryption or authentication algorithm, please make
sure the encryption/authentication algorithms used on the HQ VPN and the client software are the
same. If the encryption/authentication algorithms differ, the VPN channel will fail to be
established.
[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ
VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to
the [Create Certificate] page of the client software and click the <Create> button to generate the
hardware-featured certificate of its computer. After generating the hardware-featured certificate,
the user has to send this certificate to the administrator of the HQ VPN. Only after the HQ VPN
administrator has had the hardware-featured certificate bound with the user, can this user establish
VPN connection with the HQ VPN smoothly. The default page is as shown below:
5.2.3.1.2 PDLAN
Generally, it is recommended to keep the default [MTU] and [Min Compression Value]
values. If you need to change these values, please follow the instructions given by the SANGFOR
technicians.
[Main connection parameters]: Configures the necessary information used for establishing VPN
connections with the HQ VPN, as well as the options for optimizing multiple-ISP network and
mobile VPN, as shown below:
[Username], [Password]: Type in the correct username and password that the HQ VPN has
configured for this user on the [VPN Connection] tab.
[Trans Mode]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. When the VPN connection appears unstable, try to alter the transfer mode.
[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the
branch VPN apply different Internet service providers (ISP) and these different links cause
frequent packet loss. You can also tell the system the status of your network environment, by
selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet
Loss Rate]. To enable this function, you first have to activate the cross-ISP license.
Having completed configuring the page, you have to click the <Apply> button (at the right bottom
If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a
new VPN connection, as shown below:
Enter the name (MDLAN is an alias of HQ VPN) and description of this VPN connection (preferably
the name of the HQ VPN site), and then click the <Next> button to go to the next step, as shown
below:
Configure the needed information, Webagent and transfer mode, and then click the <Next> button
to go to the next step, as shown below:
Enter the username and password used for establishing the VPN connection, and click the <Next>
button, as shown below:
Check the correctness of the configurations and then click the <Finish> button to complete adding
a new VPN connection.
If the mobile VPN user only connects to one HQ VPN, the [Connection Management] need
not be configured.
[LAN service settings] and [Tunnel Route] are configured in a similar way to those on the WAN
Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel
Route in this user manual.
5.3
5.3.1 Installation
1.) Double-click the program PDLAN_PACC6.0EN.exe to install the software, as shown below:
Before installing the client software, please terminate the antivirus program of your computer;
otherwise, installation may fail. You can run the antivirus software after the installation finishes.
2.) Click the <OK> button and the Wizard page appears, as shown below:
3.) Click the <Next> button to go to the next step, as shown below:
4.) Click the <Yes> button to go to the next step, as shown below:
5.) Click the <Browse> button to select an installation directory and then click the <Next>
button to go to the next step, as shown below:
6.) Check or uncheck Sangfor Dkey Driver. If the user is to use DKey, this option must be
To ensure that installation goes smoothly, disable the Local Area Connection of the
computer. You can enable it after installation completes, as shown below:
8.) Click the <Continue> button. When installation completes, the computer must be restarted,
as shown below:
After computer reboot, the software icon will appear on the desktop of the computer, as shown
below:
9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown
below:
5.3.2 Deployment
SANGFOR PDLAN_PACC (alias of SANGFOR VPN-plus-acceleration client software) supports
the following two types of network deployment:
a.) Gateway Mode
The WAN Accelerator is deployed in Gateway mode. Mobile VPN user and WAN Accelerator
establish VPN connection and acceleration connection at the same time. The network topology is
as shown below:
5.3.3 Usage
The first time the VPN-Plus-Acceleration client software runs, the Config Wizard appears, as
shown below:
1.) Select a method of importing configuration file, [Configure Manually] or [Import Config
File]. The configuration file to be imported should be sent by the HQ VPN administrator
who has used the corresponding VPN user account and exported the configurations of the
HQ WAN Accelerator. Generally, it is recommended to import the configuration file
manually. Click the <Next> button to go to the next step, as shown below:
2.) Type in the Webagent (primary and secondary Webagent) of the HQ WAN Accelerator and
click the <Test> button to check the validity of the Webagent addresses, as shown below:
If the HQ WAN Accelerator uses one static IP address, type in the Webagent in the format
IP:port, as shown below:
If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in
the format IP1#IP2:port, as shown below:
Please contact the administrator of HQ VPN to ask for the Webagent address(es).
3.) Click the <Next> button and type in the username and password that are to be used by this
mobile VPN user to connect to the HQ VPN, as shown below:
4.) Click the <Next> button and then confirm the correctness of the configured options, as shown
below:
5.) Click the <Finish> button and manual setup completes, as shown below:
6.) Click the <OK> button to apply the new configurations. Open the software and the console
appears, as shown below:
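The two static-IP Webagent formats given in step 2 of Sections 5.2.3 and 5.3.3 (IP:port and IP1#IP2:port) can be checked before an address is handed to mobile VPN users. The following is an added example, not SANGFOR code; the function names, the sample addresses and port, and the handling of more than two '#'-separated addresses are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not vendor code). It validates only the two static-IP forms
# the manual gives for the Webagent field: "IP:port" and "IP1#IP2:port".
# Assumption: more than two addresses are joined with further '#' characters.


def parse_webagent(value: str) -> Tuple[List[str], int]:
    """Return (addresses, port) or raise ValueError naming the defect."""
    text = value.strip()
    hosts, sep, port_text = text.rpartition(":")
    if not sep or not hosts:
        raise ValueError("expected IP:port or IP1#IP2:port")
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError("port is not a decimal number: %r" % port_text)
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port outside range 1-65535: %d" % port)

    addresses: List[str] = []
    for piece in hosts.split("#"):
        try:
            ip = ipaddress.IPv4Address(piece)
        except ValueError:
            raise ValueError("not an IPv4 address: %r" % piece) from None
        # Addresses that can never be a remote gateway are rejected early.
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            raise ValueError("address cannot be a gateway: %s" % ip)
        if str(ip) in addresses:
            raise ValueError("address listed twice: %s" % ip)
        addresses.append(str(ip))
    return addresses, port


def webagent_error(value: str) -> Optional[str]:
    """Return None when the string is well formed, else the reason it is not."""
    try:
        parse_webagent(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample entries (documentation address ranges, made-up port).
    samples = [
        "192.0.2.10:4433",
        "192.0.2.10#198.51.100.7:4433",
        "192.0.2.10",                    # port missing
        "192.0.2.10,198.51.100.7:4433",  # wrong separator
        "192.0.2.10#192.0.2.10:4433",    # same address twice
        "192.0.2.10:70000",              # port out of range
    ]
    for entry in samples:
        problem = webagent_error(entry)
        print("%-32s %s" % (entry, "OK" if problem is None else "REJECTED: " + problem))
```
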
System Info
<Change>: Click this button to edit the password of the VPN-Plus-Acceleration client software.
Mobile VPN users who do not know this password will be unable to run this software.
<Backup>: Click this button to backup the configuration of the VPN-Plus-Acceleration client
software to the local computer. After re-installing the software, you can restore the backed up
configurations if necessary.
[Time Schedule Management]: Configures the time schedule which will be referenced by the
LAN privilege settings. In general, the time schedule will be referenced when the mobile VPN is
configuring LAN privilege for the HQ VPN.
A time schedule is configured in the same way as in Section 3.4.4.3 Time Schedule.
After configuring a time schedule, you have to click the <Apply> button to save and
apply the settings; otherwise, the settings will not be saved or take effect.
[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are
supported by this VPN-Plus-Acceleration client software. The default page is as shown below:
If you want to add and use your own encryption or authentication algorithm, please make
sure the encryption/authentication algorithms used on the HQ VPN and the client software are the
same. If the encryption/authentication algorithms differ, the VPN channel will fail to be
established.
[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ
VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to
the [Create Certificate] page of the client software and click the <Create> button to generate the
hardware-featured certificate of its computer. After generating the hardware-featured certificate,
the user has to send this certificate to the administrator of the HQ VPN. Only after the HQ VPN
administrator has had the hardware-featured certificate bound with the user, can this user establish
VPN connection with the HQ VPN smoothly. The default page is as shown below:
5.3.3.1.2 Mobile VPN
[Mobile VPN] includes [Basic Settings], [User Settings], [VPN Connection], [LAN Service
Settings], [Tunnel Route] and [PACC].
[User Settings]: Configures the necessary information used for establishing VPN connections with
the HQ VPN, as well as the options for optimizing multiple-ISP network and mobile VPN, as
shown below:
[Username], [Password]: Type in the correct username and password that the HQ VPN has
configured for this user on the [VPN Connection] tab.
[Transfer Mode]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. When the VPN connection appears unstable, try to alter the transfer mode.
[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the
branch VPN apply different Internet service providers (ISP) and these different links cause
frequent packet loss. You can also tell the system the status of your network environment, by
selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet
Loss Rate]. To enable this function, you first have to activate the cross-ISP license.
After configuring the page, you have to click the <Apply> button (at the bottom right
of the page) to save and apply the settings; otherwise, the settings will not be saved or take
effect.
[VPN Connection]: This page should be configured if this mobile VPN user is connecting to two
or more HQ VPN sites at the same time. The default page is as shown below:
If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a
new VPN connection, as shown below:
Enter the name and description of this VPN connection (better the name of the HQ VPN site), and
Configure the needed information, Webagent and transfer mode, and then click the <Next> button
to go to the next step, as shown below:
Enter the username and password used for establishing the VPN connection and click the <Next>
button, as shown below:
Check the correctness of the configurations and then click the <Finish> button to complete adding
a new VPN connection.
If the mobile VPN user only connects to one HQ VPN, the [VPN Connection] need not be
configured.
[LAN service settings] and [Tunnel Route] are configured in a similar way to those on the WAN
Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel
Route in this user manual.
[PACC]: Lets you enable the acceleration function, configure the related parameters and change
the password, etc., as shown below:
<Start>: Click this button to apply acceleration function to this PACC user (mobile VPN user).
[Setting] covers [Basic Settings], [Exclusion Rule] and [Login Setting], as shown below:
[Network type]: Specifies the type of network through which the client PC connects to the Internet. If it is
connected wirelessly (through CDMA, GPRS, etc., but excluding WiFi, etc.), choose the
corresponding option (Wireless network) and it will optimize the wireless networks. Auto detect
is the default selection.
[Enable datacache]: Check this option and select a directory to enable byte cache function of the
local terminal.
<Clear>: Click it to clear the byte cache files in the Cache directory.
[Cache size]: Configures the size of the local hard disk space allocated to the byte cache.
[Enable LSP Service]: Check this option and it will capture the data packets of the applications
that are going through the WAN accelerations, except those of My Network Places and Exchange.
[Enable TDI Service]: Check this option and it supports the acceleration of My Network Places
and Exchange. The option takes effect after computer reboot.
Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP
type], etc., as shown below:
[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.
[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies;
options are [Single IP], [IP range] and [Subnet].
Click the <Edit> button to modify the selected exclusion rule.
Click the <Remove> button to delete the selected exclusion rule.
[Login Setting] covers [Gateway], [Port], [Username], [Password], [Save profile], [Auto login],
[Start with system], as shown below:
One of the improvements of Gateway Updater 5.0 is the function of synchronizing the PCs time
[Connect]: Click it and enter the IP address of WAN Accelerator and then type in the password to
log in.
The default password is dlanrecover. The login page is as shown below.
After logging in successfully, you will see the login success information, as shown below:
[Search]: It will automatically search for the LAN interface IP address of the SANGFOR WAN
Accelerator in the local area network (as long as there are no routing devices between the local
computer and the WAN Accelerator, and layer 2 broadcast can reach it), even if the WAN
Accelerator is located in a different network segment (as long as there is no router or layer 3
switch between the local computer and the WAN Accelerator). The search results are as shown
below:
[Change password]: Click it to modify the login password of the gateway client.
Once the original password is modified, there is no way to get the modified password if
you fail to remember it. Please DO take care of your modified login password.
[Update]: Submenus are [Update Firmware], [Restore Default Configuration], [Restore Default
Network] and [Check Update SN], as shown below:
[Update Firmware] and [Restore Default Configuration]: Both are only available after the user has
logged in to the WAN Accelerator. The former ([Update Firmware]) is used for updating the kernel
firmware of the WAN Accelerator and the latter ([Restore Default Configuration]) for restoring
the default configuration. These operations will update the key document of the device, or will
change the serial number. Please DO NOT perform these operations at will. If an update is needed, please
contact the technicians of SANGFOR and follow the instructions.
[Restore Default Network]: This function is only available when the system is disconnected from
the SANGFOR WAN Accelerator. Run this function and the network configuration of the
device will be restored to defaults. This operation is carried out by a command sent in a broadcast
packet, and will apply to all the SANGFOR WAN Accelerators deployed in the local area
network (LAN).
[Check Update SN]: Displays the valid period of software update of this WAN Accelerator.
Operation of [Restore Default Network] may result in hazardous outcome. Please DO NOT
implement this function without second thought.
The WAN Accelerator can only be updated from a lower version to a higher version; skipping
a version or downgrading is not permitted.
Updating also carries risk. If the update operation is not performed appropriately, the device may be
damaged. Please DO NOT update the system by yourself at will. If necessary, please contact
the technicians of SANGFOR for instructions.
[Backup Config]: Click it to backup all the configuration information of the WAN Accelerator.
[Restore Backup]: Click it to restore all the backup configuration information to the WAN
Accelerator.
Both operations are only applied to the same-model and same-version SANGFOR devices.
Devices of different models and versions are inapplicable.
[Check Current]: Click it to view the information of the currently-loaded update package.
[Load Package]: Click it to upload the downloaded update package. Before uploading the update
package, first exit from the WAN Accelerator, and then click [Update] > [Update Firmware].
[Download]: Please visit the SANGFOR official website www.sangfor.com to download the
corresponding update package to the local computer.
[Update History]: Submenus are [View Gateway History], [View Local Records] and [Delete
Local Records], as shown below:
[View Gateway History]: Click it to view the update logs of the WAN Accelerator.
[View Local Records]: Click it to view the update logs of the local gateway client.
[Delete Local Records]: Click it to clear the update logs of the local gateway client.
[Time Sync]: Displays and synchronizes the Internet time, as shown below:
[Tools]: Submenus are [Ping], [Route Table], [ARP Table], [Network Config], [View Mode], [Set
Net Mode] and [Exchange Net Interface], as shown below:
[Ping]: Log in to the WAN Accelerator, ping an external network on the WAN Accelerator to
check whether it is connected to the external networks.
[Route Table]: Click it to view the routing table of the WAN Accelerator.
[ARP Table]: Click it to view the ARP table of the WAN Accelerator.
[Network Config]: Click it to view the network configuration of the WAN Accelerator, including
information of interface IP address, etc.
[View Mode]: Click it to view the mode the current network interface card (NIC) is working in.
[Set Net Mode]: Click it to configure manually the working mode of NIC for the WAN
Accelerator, if the setting is not coherent to the actual network interface card mode.
[Exchange net interface]: Click it to exchange the logic network interface of the NIC for the WAN
Accelerator. For instance, originally WAN1 is the optical interface and WAN4 is the electrical
interface, but you need use WAN1 as the electrical interface in the real network; in that case, you
Exchanging network interface is risky. If not appropriately exchanged, the WAN Accelerator
may not work normally.
Exchanging network interface may lead to unavailability of the serial number of the device.
In that case, you need to obtain another serial number. Please DO follow the instructions given
by SANGFOR technician to exchange network interface.
AC: Alternating Current
ARP
BM: Bandwidth Management
CA: Certificate Authority
CPU
DMZ: Demilitarized Zone
DNAT
DNS
DoS
HQ: Headquarters
HTTP
HTTPS
ICMP
IM: Instant Message
IP: Internet Protocol
ISP
LAN
LDAP
MDLAN: Alias of HQ VPN
MTU
NIC
OS: Operating System
OSI
PACC
PDLAN
POP3
RADIUS
SMTP
SNAT
SSL
TCP
UDP
UI: User Interface
VLAN
VPN
WAN
WANO
WCCP