Sangfor Wano v6.0 User Manual

SANGFOR WAN Accelerator 6.
0 User Manual
WAN Accelerator 6.0 User Manual
April, 2011
SANGFOR WAN Accelerator 6.0 User Manual
Table of Contents
TABLE OF CONTENTS..............................................................................................................1
ANNOUNCEMENT......................................................................................................................9
PREFACE....................................................................................................................................10
ABOUT THIS MANUAL...................................................................................................................10
DOCUMENT CONVENTIONS............................................................................................................10
Symbol Conventions......................................................................................................................10
Graphic Interface Conventions.....................................................................................................11
CLI Conventions...........................................................................................................................11
TECHNICAL SUPPORT.....................................................................................................................12
ACKNOWLEDGEMENTS..................................................................................................................12
CHAPTER 1 WAN ACCELERATOR INSTALLATION......................................................13
1.1
ENVIRONMENT REQUIREMENT.....................................................................................13
1.2
POWER..........................................................................................................................13
1.3
PRODUCT APPEARANCE................................................................................................13
1.4
CONFIGURATION AND MANAGEMENT..........................................................................14
1.5
WIRING METHOD..........................................................................................................14
CHAPTER 2 WAN ACCELERATOR DEPLOYMENT........................................................17

2.1
GATEWAY MODE...........................................................................................................17
2.2
BRIDGE MODE..............................................................................................................17
2.3
DOUBLE BRIDGE MODE................................................................................................18
2.4
SINGLE ARM MODE......................................................................................................19
CHAPTER 3 GATEWAY CONSOLE......................................................................................21

3.1
WEB UI LOGIN.............................................................................................................21
3.2
MAIN MENUS................................................................................................................24
3.2.1
Maintenance.................................................................................................................24
3.2.1.1
License..........................................................................................................................24
3.2.1.2
Backup/Restore............................................................................................................26
3.2.1.2.1 System..........................................................................................................................26
3.2.1.2.2 WAN Optimization.......................................................................................................27
3.2.1.3
Reset/Restart/Shutdown...............................................................................................29
3.2.1.4
Web Console.................................................................................................................29
3.2.2
Status............................................................................................................................31
3.2.2.1
WAN Optimization.......................................................................................................31
3.2.2.1.1 Acceleration Status.......................................................................................................32

1

3.2.2.1.2 Acceleration Connections............................................................................................33
3.2.2.1.3 Application Connections..............................................................................................35
3.2.2.2
Logs..............................................................................................................................35
3.2.2.3
Bandwidth Monitor......................................................................................................36
3.2.2.4
Flow Status...................................................................................................................37
3.2.2.4.1 Flow Rankings..............................................................................................................39

3.2.2.4.2 Connections Monitor....................................................................................................39
3.2.2.5
VPN..............................................................................................................................39
3.2.2.6
DHCP Running Status..................................................................................................40
3.2.2.7
Gateway Status.............................................................................................................40
3.2.3
Tools.............................................................................................................................41
3.2.3.1
Ping...............................................................................................................................41
3.2.3.2
Tracert...........................................................................................................................41
3.2.3.3
Show ARP....................................................................................................................42
3.2.4
Wizard...........................................................................................................................42
3.2.5
Data Center..................................................................................................................43
3.2.6
Help..............................................................................................................................44
3.3
HOME............................................................................................................................45
3.4
SYSTEM.........................................................................................................................45
3.4.1
System Settings.............................................................................................................45
3.4.1.1
General.........................................................................................................................46
3.4.1.2
NTP Settings.................................................................................................................46
3.4.1.3
Web UI Settings............................................................................................................47
3.4.1.4
Advanced......................................................................................................................47
Case Study 1: Environment and Configuration For MAC Track.................................................49

3.4.2
Deploy Settings............................................................................................................50
3.4.2.1
Network Interface.........................................................................................................51
3.4.2.1.1 Gateway Mode.............................................................................................................52

3.4.2.1.2 Single Arm Mode.........................................................................................................54
3.4.2.1.3 Bridge Mode.................................................................................................................55
3.4.2.1.4 Double Bridge Mode....................................................................................................57
3.4.2.2
Local Subnet.................................................................................................................60
Case Study 2: Add Subnet In Single-Arm Mode..........................................................................60

3.4.2.3
Static Route..................................................................................................................60
Case Study 3: Add Packet Return Route......................................................................................61

Case Study 4: Add Packet Return Route......................................................................................62

3.4.2.4
Dynamic Route.............................................................................................................63
3.4.2.5
Windows Domain.........................................................................................................64
Case Study 5: Join WCC.COM Domain......................................................................................65

3.4.2.6
VPN Interface...............................................................................................................65
3.4.2.7
Vlan Settings................................................................................................................67
Case Study 6: Environment and Configuration of VLAN Restore..............................................68

Case Study 7: Environment and Configuration of VLAN ID Settings........................................70
3.4.2.8
Multi-Line Settings......................................................................................................71
3.4.2.9
CDP Settings.................................................................................................................73
3.4.2.10 WCCP Settings.............................................................................................................74

Case Study 8: WCCP Avoiding Routing Loop in Single Arm Mode...........................................78
3.4.3
Users............................................................................................................................80
Case Study 9: Add Acceleration User...........................................................................................83

3.4.4
Network Objects...........................................................................................................85
3.4.4.1
IP Group.......................................................................................................................85
Case Study 10: Create IP Group with Single IP Addresses..........................................................86

Case Study 11: Create IP Group with IP Range...........................................................................87
Case Study 12: Create IP Group with Subnet...............................................................................88
3.4.4.2
Application List............................................................................................................89
Case Study 13: Add ERP System Application into Application List...........................................91
3.4.4.3
Time Schedule..............................................................................................................92
Case Study 14: Define Office Hours............................................................................................93

3.5
WAN OPTIMIZATION.....................................................................................................94
3.5.1
Application...................................................................................................................94
3.5.1.1
HTTP............................................................................................................................94
3.5.1.2
CIFS..............................................................................................................................95
3.5.1.3
SMTP............................................................................................................................96
3.5.1.4
POP3.............................................................................................................................97
3.5.1.5
Exchange......................................................................................................................97
3.5.1.6
Oracle EBS...................................................................................................................98
3.5.1.7
Citrix.............................................................................................................................98
3.5.1.8
RDP..............................................................................................................................99
3.5.2
Compression.................................................................................................................99
Case Study 15: Type of Data Applicable to Compression..........................................................100

3.5.3
Server.........................................................................................................................100
3.5.3.1
Acceleration Policy....................................................................................................101

3.5.3.2
Acceleration Policy Group.........................................................................................103
3.5.3.3
Acceleration User.......................................................................................................105
Case Study 16: Create Acceleration User and Associate Policy Group.....................................107
Case Study 17: Accelerate Exchange Server 2007 Email Delivery...........................................108
Case Study 18: Accelerate Access to Oracle EBS......................................................................109
Case Study 19: Accelerate Access to CITRIX............................................................................112
Case Study 20: Accelerate Access to RDP.................................................................................115
3.5.4
Client..........................................................................................................................118
3.5.4.1
Connect to Central Gateway.......................................................................................118
Case Study 21: Branch Establishes Acceleration Connection With HQ....................................122

Case Study 22: Enable Network Transparency Mode................................................................123
Case Study 23: Use Reverse Acceleration..................................................................................124
3.5.4.2
Prefetch.......................................................................................................................130
Case Study 24: Prefetch Data from FTP Server.........................................................................131

3.5.5
Certificates.................................................................................................................133
3.5.5.1
CA Certificate.............................................................................................................134
3.5.5.2
Server Certificate........................................................................................................135
Case Study 25: Accelerate Access to HTTPS Server.................................................................137

3.5.6
Advanced....................................................................................................................140
3.5.6.1
Exclusion Rule...........................................................................................................141
Case Study 26: Exclusion Rule Defines Acceleration Subnet...................................................143

3.5.6.2
Asymmetric Route......................................................................................................144
3.5.6.3
Keep Alive Settings....................................................................................................146
3.6
BANDWIDTH MANAGEMENT.......................................................................................148
3.6.1
Objects........................................................................................................................148
3.6.1.1
Application Identification..........................................................................................149
3.6.1.2
Intelligent Identification.............................................................................................152
3.6.1.3
URL Group.................................................................................................................153
3.6.1.4
File Type Group..........................................................................................................155
3.6.2
Policy Settings............................................................................................................156
3.6.2.1
User Group.................................................................................................................157
Case Study 27: Add User Group.................................................................................................158

3.6.2.2
Application Control Policy........................................................................................161
3.6.2.2.1 Application Control....................................................................................................161

3.6.2.2.2 Web Filter...................................................................................................................161
3.6.2.2.3 Flow............................................................................................................................162

Case Study 28: Configure Application Control Policy for Specific User/User Group..............162
Case Study 29: Configure a Needed Application Control Policy..............................................165
3.6.3
Bandwidth Settings.....................................................................................................169
3.6.3.1
Virtual Line.................................................................................................................170
Case Study 30: Create Virtual Line............................................................................................170

3.6.3.2
Bandwidth Management............................................................................................173
3.6.3.2.1 Bandwidth Channel....................................................................................................173

Case Study 31: Configure Assured Channel for a Specific Application....................................173
Case Study 32: Configure Limited Channel for a Specific Application....................................176
3.6.3.2.2 Exclusion Policy.........................................................................................................178
Case Study 33: Configure Exclusion Policy...............................................................................179
3.6.4
Policy Troubleshooting..............................................................................................180
3.6.5
Advanced....................................................................................................................181
3.6.5.1
Proxy Server...............................................................................................................181
3.6.5.2
Excluded IP................................................................................................................182
3.6.5.3
Auto Update...............................................................................................................183
3.7
FIREWALL....................................................................................................................184
3.7.1
NAT.............................................................................................................................184
3.7.2
SNAT...........................................................................................................................184
Case Study 34: Configure SNAT Rule.......................................................................................184

3.7.3
DNAT..........................................................................................................................185
Case Study 35: Configure DNAT Rule.......................................................................................186

3.7.4
Firewall Rules............................................................................................................188
Case Study 36: Open Port of Local Area Network.....................................................................189

3.7.5
Anti-DoS.....................................................................................................................190
3.7.6
ARP Protection...........................................................................................................191
3.8
SANGFOR VPN............................................................................................................193
3.8.1
Configure HQ WAN Accelerator................................................................................193
3.8.1.1
Basic Settings.............................................................................................................193
3.8.1.2
VPN User....................................................................................................................196
Case Study 37: Configure Tunnel NAT Rule.............................................................................206

3.8.1.3
Virtual IP Pool............................................................................................................209
Case Study 38: Configurations for Mobile VPN Users Connecting In......................................212
3.8.2
Client..........................................................................................................................214
3.8.2.1
VPN Connection.........................................................................................................214
Case Study 39: Only Allow Peer VPN to Access Local WEB Services....................................217

3.8.3
Multi-Line...................................................................................................................220
3.8.3.1
Multi-Line Routing Policy.........................................................................................220
Case Study 40: VPN Primary Lines/Secondary Line.................................................................222

Case Study 41: Configure Multi-Line Routing Policy for Single-Arm VPN............................225
3.8.4
Third-Party Authentication........................................................................................229
3.8.4.1
LDAP Server..............................................................................................................229
Case Study 42: Mobile VPN User Connects in By Using LDAP Auth.....................................232
3.8.4.2
Radius Server Settings...............................................................................................235
3.8.5
Advanced....................................................................................................................235
3.8.5.1
VPN Local Subnet......................................................................................................236
Case Study 43: Allow VPN User to Access Multiple Local Subnets.........................................236
3.8.5.2
LAN Service...............................................................................................................238
Case Study 44: Control VPN Users Privilege to Access LAN Services...................................239
3.8.5.3
Multicast Service........................................................................................................243
3.8.5.4
Tunnel Route..............................................................................................................246
Case Study 45: Tunnel Route Achieves Communication Between Connecting-in Branch VPN
Sites
248
Case Study 46: Access Internet via VPN Destination Route User.............................................250
3.8.5.5
Generate Certificate....................................................................................................252
3.8.6
Configure Sangfor VPN Module in Single-Arm Mode..............................................254
3.8.6.1
Configure Network Interface.....................................................................................254
3.8.6.2
Configure Sangfor VPN.............................................................................................255
3.9
IPSEC CONNECTION....................................................................................................256
3.9.1
IPSec Connection.......................................................................................................256
3.9.1.1
Phase I........................................................................................................................256
3.9.1.2
Phase II.......................................................................................................................258
3.9.1.3
Security Options.........................................................................................................261
Case Study 47: IPSEC VPN Connection with CISCO...............................................................262

CHAPTER 4 INTERNAL DATA CENTER..........................................................................268
4.1
HOME PAGE................................................................................................................269
4.2
HISTORY REPORT........................................................................................................269
4.3
CUSTOMIZE REPORT...................................................................................................272
4.3.1
Customize Wizard.......................................................................................................272
4.3.1.1
Statistic Report...........................................................................................................272
Case Study 48: Generate and View Report.................................................................................277

4.3.1.2
Trend Report...............................................................................................................279
4.3.1.3
Sum Report.................................................................................................................284
6

4.3.2
Report Template.........................................................................................................287
4.4
STATISTICS..................................................................................................................290
4.4.1
IP Flow.......................................................................................................................290
4.4.2
Application Flow........................................................................................................294
4.5
WANO REPORT..........................................................................................................297
4.5.1
IP Connection............................................................................................................297
4.5.2
Application Connection.............................................................................................300
4.5.3
IP Flow Trend.............................................................................................................303
4.5.4
Application Flow Trend.............................................................................................306
4.5.5
Acceleration User Flow Trend...................................................................................309
4.5.6
Device Flow Trend.....................................................................................................312
4.6
TREND REPORT...........................................................................................................315
4.6.1
IP Flow Trend.............................................................................................................315
4.6.2
Application Flow Trend.............................................................................................320
4.7
SEARCH.......................................................................................................................322
4.7.1
Flow Search...............................................................................................................322
4.7.2
Firewall Log...............................................................................................................326
4.7.3
Gateway Operation Log.............................................................................................328
4.8
SYSTEM MANAGEMENT..............................................................................................330
4.8.1
Log Library Mgt.........................................................................................................330
4.8.1.1
Log Library Search.....................................................................................................331
4.8.1.2
Disk Usage.................................................................................................................331
4.8.2
System Configuration.................................................................................................332
4.8.3
Configuration Import/Export.....................................................................................333
CHAPTER 5 CLIENT SOFTWARE......................................................................................335

5.1
ACCELERATION-ONLY CLIENT SOFTWARE.................................................................336
5.1.1
Installation.................................................................................................................336
5.1.2
Deployment................................................................................................................339
5.1.3
Usage..........................................................................................................................340
5.2
VPN-ONLY CLIENT SOFTWARE..................................................................................346
5.2.1
Installation.................................................................................................................346
5.2.2
Deployment................................................................................................................350
5.2.3
Usage..........................................................................................................................351
5.2.3.1
VPN Settings..............................................................................................................357
5.2.3.1.1 System Info.................................................................................................................357

5.2.3.1.2 PDLAN.......................................................................................................................360

5.3
VPN-PLUS-ACCELERATION CLIENT SOFTWARE.........................................................366
5.3.1
Installation.................................................................................................................366
5.3.2
Deployment................................................................................................................371
5.3.3
Usage..........................................................................................................................372
5.3.3.1
VPN Settings..............................................................................................................378
5.3.3.1.1 System Info.................................................................................................................378

5.3.3.1.2 Mobile VPN................................................................................................................381
APPENDIX A: UPDATE OF GATEWAY CLIENT..............................................................393
APPENDIX B: ACRONYMS AND ABBREVIATIONS.......................................................403
Announcement
Copyright 2011 SANGFOR Technology Co., Ltd. All rights reserved.
No part of the contents of this document shall be extracted, reproduced or transmitted in any form
or by any means without prior written permission of SANGFOR.
SANGFOR, SANGFOR Technology and the SANGFOR logo
are the trademarks or
registered trademarks of SANGFOR Technology Co., Ltd. All other trademarks used or
mentioned herein belong to their respective owners.
This manual shall only be used as usage guide, and no statement, information, or suggestion in it
shall be considered as implied or express warranty of any kind, unless otherwise stated. This
manual is subject to change without notice. To obtain the latest version of this manual, please
contact the Customer Service of SANGFOR Technology Co., Ltd.
Preface
About This Manual
The WAN Accelerator 6.0 User Manual includes the following chapters:
Chapter
Describe
Chapter 1 WAN Accelerator
The product appearance, function features and performance
Installation
parameters of SANGFOR WAN Accelerator 6.0, wiring and

cautions before installation.
Chapter 2 WAN Accelerator
How to deploy the WAN Accelerator 6.0 and select
Deployment
deployment mode.
Chapter 3 Gateway Console
How to use and configure the WAN Accelerator 6.0 through

the gateway console, including configurations of the system,
WAN optimization, bandwidth management (BM), firewall,
IPSec VPN, etc.
3.8 Sangfor VPN
How to search for needed statistics and logs, customize

report and make WANO/Trend reports on specified objects,
and maintain the Internal Data Center.
Chapter 5 Client Software
The installation and usage of the SANGFOR client software.
Document Conventions
Symbol Conventions
This manual also adopts the following symbols to indicate the parts which need special attention
to be paid during the operation:
Convention
Meaning
Description
Caution
Indicates actions that could cause setting error, loss of

data or damage to the device.
Warning
Indicates actions that could cause injury to human body.
10

Note
Indicates helpful
information.
suggestion
or
supplementary
Graphic Interface Conventions

This manual uses the following typographical conventions for special terms and instructions:
Convention
Meaning
Example
boldface
Keywords or highlighted
items
The user name and password are Admin by

default.
Directories, URLs
Enter the following address in the IE address

bar: http://10.254.254.254:1000
[]
Page titles, names of

parameters, menus, and
submenus
Select [System] > [Web UI] to open the Web

UI page, and then configure the [Webpage
Timeout].
<>
Names of buttons or links

on the web interface or
key-press
Click <Update> to save the settings.
>
Multilevel
submenus
Go to [System] > [Network Interface] to

configure the network interfaces.
Prompts popped up
italics
menus
and
The browser may pop up the prompt "Install

ActiveX control"
CLI Conventions
Command syntax on Command Line Interface (CLI) applies the following conventions:
Any content in brackets [ ] is optional
Any content in {} is necessary
If there is more than one option, use vertical bar (|) to separate each option, for example,
ip wccp 60 redirect { in | out }
CLI command appears in bold, for example:
configure terminal
11

Variables appear in italic, for example:
interface e0/1
Technical Support
For technical support, use the following methods:
Go to our official website: http://www.sangfor.com
Go to our technical support forum: http://www.sangfor.com/cn/forum
Email us at: support@sangfor.com.cn
Acknowledgements
Thanks for using our product and user manual. If you have any suggestion about our product or
user manual, please provide feedback to us through phone or email. Your suggestion will be much
appreciated.
12
Chapter 1 WAN Accelerator Installation

This chapter gives a general introduction to the SANGFOR WAN Accelerator and wiring of the
system. After correct installation, you can configure and debug the system.
1.1
Environment Requirement
The SANGFOR WAN Accelerator requires the following working environment:
Input voltage: 110V-230V

Temperature: -10-45
Humidity: 5%-90%
To ensure long-term and stable running of the WAN Accelerator, the power supply should be well
grounded, dustproof measures taken, working environment well ventilated and indoor temperature
kept stable. This product conforms to the requirements on environment protection, and the
placement, usage and discard of the product should comply with relevant national law and
regulation.
1.2
Power
The SANGFOR WAN Accelerator uses 110 ~ 230V alternating current (AC) as its power supply.
Make sure it is well-grounded before providing it with power supply.
1.3
Product Appearance
Front Panel of SANGFOR WAN Accelerator 6.0
Above is the front panel of SANGFOR WAN Accelerator 6.0. The interfaces and indicators on the
front panel (from left to right) are described respectively in the table below:
Interface/Indicator
Description
13

CONSOLE
Interface used only for debugging by the device supplier
USB
Standard USB port connecting to the peripheral device
ETH0
Network interface to be defined as LAN interface, connecting to the

LAN network segment
ETH1
Network interface to be defined as DMZ interface, connecting to the

DMZ network segment
ETH2
Network interface to be defined as WAN1 interface, connecting to

the first Internet line
ETH3
Network interface to be defined as WAN2 interface, connecting to

the second Internet line
POWER
Power indicator of WAN Accelerator
ALARM
Alarm indicator of WAN Accelerator (it keeps on for one minute

while the device is starting up)
The product appearance varies from model to model.
1.4
Configuration and Management
Before configuring the device, please get a computer ready and make sure the web browser (IE
browser is supported only, such as Internet Explorer, Maxthon, etc.; while Opera, Firefox, Safari
and Chrome are not supported) can be used normally. Then connect the computer to the WAN
Accelerator (in a same local area network) and configure the WAN Accelerator on the computer
over the established network.
1.5
Wiring Method
Connect the power cable to the power interface on the rear panel of the WAN Accelerator and
switch on the power supply. The POWER indicator (in green) and ALARM indicator (in red) on
the front panel will be lighted. The ALARM indicator will go out one or two minutes later,
indicating the device runs normally.
Then follow the instructions below to wire the interfaces:
Use standard RJ-45 Ethernet cable to connect the ETH0 interface to the local area network (LAN)
14

and then configure the WAN Accelerator.
Use standard RJ-45 Ethernet cable to connect the ETH2 interface with the networking device,
such as router, optical fiber transceiver, ADSL Modem, etc.
Use standard RJ-45 Ethernet cable to connect ETH1 interface to the DMZ network segment,
generally, to the Web server and Mail server providing services to wide area network (WAN) that
are placed at the DMZ network segment. The WAN Accelerator provides secure protection for
these servers.
While WAN Accelerator runs normally, the POWER indicator (in green) will keep on
lighted, the ALARM indicator off, and the ETH2/3 LINK (WAN) and ETH0 LINK (LAN)
indicators (in orange) lighted. The ACT indicators (in green) will flicker if there is data flow.
The ALARM indicator will be lighted only for about one minute due to system loading
when the device is starting up, and then go out indicating successful startup of the device. If
the ALARM indicator stays lighted during startup, please switch off the power supply and
restart the device. If it still keeps on lighted and does not go out, please contact SANGFOR.
Keep the followings in mind: while connecting the defined WAN interface with the router,
use crossover cable; while connecting the defined LAN interface with the switch, use
straight-through cable; while connecting the other defined LAN interface with the computer
(for logging in to the gateway console), use crossover cable. If connections cannot be
established but the corresponding indicator functions normally, please check whether the
cables are the right cables used for certain connections. The differences between straightthrough cable and crossover cable are the wire sequences at both ends, as shown in the figure
below:
15
16
Chapter 2 WAN Accelerator Deployment

2.1
Gateway Mode
The deployment topology of WAN Accelerator in Gateway mode is as shown below:
Step 1: Configure IP addresses of WAN and LAN interfaces, DNS address and firewall rules.
Step 2: Configure standard IPSec VPN.
Step 3: Configure WAN optimization module.
Step 4: Add the routes of the different network segments for the WAN Accelerator if there is layer
3 switch and different network segments in the local area network.
2.2
Bridge Mode
The network topology of WAN Accelerator deployed in Bridge mode is as shown below:
17
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service
Mode] Acceleration Only, and select [Deployment Mode] Bridge.
Step 2: Configure the IP addresses of the logical interface, default gateway, MANAGE interface
and DNS.
Step 3: Configure WAN Optimization module.
In Bridge mode, the two WAN Accelerators must be able to communicate with each other
through the VPN established by a VPN device or through a dedicated line, and the two
SANGFOR WAN Accelerators can access each other normally.
In Bridge mode, the VPN function is invalid. Therefore, you have to switch the service
mode to [Acceleration only] to enable the bridge function.
2.3
Double Bridge Mode
The network topology of WAN Accelerator deployed in Double Bridge mode is as shown below:
18
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service
Mode] Acceleration Only, and select [Deployment Mode] Double bridge.
Step 2: Configure the interface IP address for Br0 and Br1, default gateway IP addresses (WAN 1,
WAN 2, LAN and DMZ), virtual IP address and DNS address.
2.4
Single Arm Mode
The network topology of WAN Accelerator deployed in Single Arm mode is as shown below:
Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Deployment
Mode] Single arm,
Step 2: Configure IP address of the LAN interface, default gateway and DNS address.
19

Step 4: Under the [System] > [Deploy Settings] > [Local Subnet] page, add the subnet segment of
the local device.
Step 5: Configure the gateway IP address on the LAN computers to have the gateway of LAN
computers direct to the LAN interface of the WAN Accelerator. You can also enable the policybased routing or WCCP function on the frontend switch/router.
As to a WAN Accelerator deployed in Single Arm mode, the following four methods may
help to avoid routing loop:
a.) In Layer 2 environment, have the gateway of the LAN PCs direct to the SANGFOR
WAN Accelerator;
b.) In Layer 2 environment, add a route for each LAN PC that directs to the peer terminal,
the local single-arm WAN Accelerator as the gateway of the route;
c.) Enable policy-based routing and CDP on the frontend device;
d.) Enable WCCP function on the frontend device.
Unless the above measures are taken, routing loop may appear in the local area network and
disable all the data communications between the devices at both ends.
Since the WAN Accelerator is deployed in single arm mode ([Acceleration Only] does not
support VPN function), you have to ensure that a VPN connection between the two local area
networks has been established and the WAN Accelerators of both terminals can access each
other.
20
Chapter 3 Gateway Console

3.1
Web UI Login
Having completed wiring, you can go on configuring the SANGFOR WAN Accelerator through
the WEBUI of the gateway console. Detailed procedures are as described in the following sections
of this chapter.
Configure a valid IP address for the WAN Accelerator (e.g., 10.254.254.251), and subnet mask
255.255.256.0. Then type the default login IP address and port of the WAN Accelerator in the
location box of the IE browser, https://10.254.254.254, and the following gateway console login
interface appears:
Before login, you may be required to install the pop-up ActiveX control, as shown below:
Click This site might require the following ActiveX control: WebUI Control from Sangfor
Technologies Co., Ltd. Click here to install and then click Install ActiveX Control.
Follow the instructions to finish installation, as shown in the following page:
21
Click the <Install> button to install the ActiveX Control.

If there is no prompt of installing the ActiveX control, click the <Download ActiveX> link (on the
gateway console login interface) to manually download the ActiveX control and follow the
instructions to finish installation.
Enter the user name and password; click the <Login> button or press <Enter> key to log in to the
gateway console of the WAN Accelerator.
The user name and password are Admin by default.
If you want to view the version information, click the link <View Version>. The version
information is displayed as follows:
Logging into the Web UI, you will see the following configuration modules:
[Home]: Homepage of the WAN Accelerator. You can maintain the device and view the running
status.
22

[System]: Configures the system time, IP address of each interface, working mode, etc., of the
WAN Accelerator.
[WAN Optimization]: Configures the WAN Optimization options for the WAN Accelerator.
[Bandwidth Management]: Configures the BM options for the WAN Accelerator.
[Firewall]: Configures the firewall options of the WAN Accelerator.
[IPSec VPN]: Configures the IPSec VPN options for the WAN Accelerator.
At the top of the WEB UI, there are six main menus, [Maintenance], [Status], [Tools], [Wizard],
[Data Center] and [Help], as shown in the interface below:
In case there is a <OK>, <Save> or <Save and Apply> button on a configuration page, click
it after modifying/configuring the parameters to save or apply the settings of that page/tab.
This will not be illustrated again in the subsequent parts in this user manual.
Each configuration page has a <Help> link at the top of the console interface. If help is
wanted, click it to view the brief description of the items or page/tab.
23
3.2
Main Menus
The six main menus are [Maintenance], [Status], [Tools], [Wizard], [Data Center] and [Help], at
the top of gateway console. Click any of it and select a submenu, you can get into the
corresponding page directly.
The main menus are as shown below:
3.2.1 Maintenance
[Maintenance]
consists
of
four
submenus,
namely,
[License],
[Backup/Restore],
[Reset/Restart/Shutdown] and [Web Console].
3.2.1.1 License
[License] requires you to enter the serial numbers related to this WAN Accelerator. These serial
numbers determine the availability of the WAN optimization function, IPSec VPN function,
bandwidth management function, URL library update service, etc. After the serial numbers have
been filled in and the <Save and Apply> button has been clicked, the authorized licenses will be
generated automatically.
The [License] page is as shown below:
24
[WANO License]: Enter the WANO license and click the <Save and Apply> button to activate the
WAN optimization function. Activated means the function is available; while Not activated
indicates the function is unavailable.
[Number of Mobile VPN Users Allowed]: Indicates the number of mobile VPN users supported
by this WAN Accelerator.
[Cross-ISP License]: Enter the Cross-ISP license and click the <Save and Apply> button to
activate the Cross-ISP function (multiple Internet Service Providers (ISP) are supported).
Activated means the function is available; while Not activated indicates the function is
unavailable.
[VPN License]: Enter the VPN license and click the <Save and Apply> button to activate the
Sangfor VPN function. Activated means the function is available; while Not activate
indicates the function is unavailable.
[BM License]: Enter the Bandwidth Management (BM) license and click the <Save and Apply>
button to activate the BM function. Activated means the function is available; while Not
activated indicates the function is unavailable.
25

[Application Identification/URL Library License]: Enter the Application Identification/URL
Library license and click the <Save and Apply> button to activate the update service of the
Application Identification and URL Library. Activated means the update service is available;
while Not activated indicates the update service is unavailable.
[Software Update License]: Enter the software update license and click the <Save and Apply>
button to activate the software update service. Activated means the update service is available;
while Not activated indicates the update service is unavailable.
3.2.1.2Backup/Restore
[Backup/Restore] page helps to backup and restore the configurations of this WAN Accelerator,
including two configuration pages: [System] and [WAN Optimization].
3.2.1.2.1
System
On the [System] page, check the [Backup Reminder] option and configure [Every( _ )day(s)], and
the system will remind you to back up the configurations at the configured time interval once you
log in to the gateway console, as shown below:
Click the <OK> button and you may enter the [Maintenance] > [Backup/Restore] > [System] page
directly, as shown below:
26

[Restore]: Click the <Click to Restore Backup Configurations> link and load the backup
configuration file to replace the current configurations with the backed up ones; and then click the
<Save> button.
[Backup]: Click the <Click to Back Up System Configurations> link and select a saving path to
backup the present configurations and save them into the local computer. The related pages are as
shown below:
The system configurations saved in the local computer include that of the [WAN
Optimization] module.
3.2.1.2.2
WAN Optimization
On the [WAN Optimization] configuration page, the three options, namely, [Backup
Configuration], [Restore Configuration] and [Restore From Auto Backup], only help to back up or
restore the configuration of [WAN Optimization] module rather than back up or restore all the
configurations of the local WAN Accelerator; and these backup configurations are stored in the
WAN Accelerator instead of the local computer.
27

Select [Backup Configuration] option and select a needed backup file in the list; and then click the
<Save Backup> button to back up the current WAN Optimization configurations into the file or
click the <Delete Backup> button to delete the selected backup file. The tab is as shown below:
Select [Restore Configuration] option and select a needed backup file; click the <Restore> button
to replace the current configurations with those of the selected backup file, as shown below:
Select the [Restore From Auto Backup] option and select a needed backup file; click the
<Restore> button to replace the current WAN optimization configurations with those in the
selected file that has been backed up, as shown below:
28
3.2.1.3Reset/Restart/Shutdown
[Reset/Restart/Shutdown] is used for fast reboot, shutdown of the local WAN Accelerator and
recovery the settings to factory default.
The page is as shown below:
Some WAN Accelerator models DO NOT support the <Shutdown> function on this page
(as shown below):
3.2.1.4Web Console
[Web Console] page enables you to execute some common commands on Web page (including
29

Ping, arp, ip route, etc.) and to inspect the network failure and device failure. You can easily
locate some problems by executing these commands.
Here, we take the most frequently-used commands ping, ip route for examples to illustrate how
to use the commands on web console.
Example 1:
Type ping plus a destination IP address on the command line, and you can check the connectivity
between this destination IP address and the local WAN Accelerator, as shown below:
30
From the returned results we can see the connectivity to destination address 10.254.254.120 is
smooth.
Example 2:
Type ip route on the command line to view the routing table of the WAN Accelerator, as shown
below:
As to other commands that can be executed through the [Web Console] page and the related
introduction to each command, please type help command on the command line.
3.2.2 Status
[Status] includes six submenus, namely, [WAN Optimization], [Logs], [Bandwidth Monitor],
[VPN], [DHCP Status] and [Gateway Status].
31
3.2.2.1WAN Optimization
[WAN Optimization] consists of [Acceleration Status], [Acceleration Connections] and
[Application Connections] pages.
3.2.2.1.1
Acceleration Status
[Acceleration Status] displays the system running status, including CPU usage, memory usage,
disk usage (used/total), flow reduction rate, flow before/after acceleration, service uptime, etc.
You can also view the real-time flow over the past 60 seconds, real-time connections over the past
60 seconds and real-time IP flow on this page, as shown below:
32
33
3.2.2.1.2
Acceleration Connections
[Acceleration Connections] page helps to search and display the connection information.
[Refresh]: Click it to refresh the displayed running status of WAN optimization.

[Disable]/[Enable]: Click it to stop or start WAN optimization service. Click the <Enable> button
to start the WAN optimization service, or click the <Disable> button to stop the WAN
optimization service.
[Clear All Cache]: Click it to clear all the cached data used by the WAN optimization service. If
you are sure to clear the cache, click the <OK> button on the pop-up dialog (as shown below),
and all the sessions of the WAN Accelerator will be disconnected, WAN optimization services will
stop and all the system cache related to WAN optimization will be cleared. After system has
cleared the cache, the acceleration connection will resume automatically.
34
[User]: Displays the name of the gateway/user currently connecting in or connecting out.
[Reverse User]: Displays the name of the user.
[Peer Device]: Displays the name of the peer device. If it is a mobile user, the name is PACC.
[Peer IP]: Displays the LAN IP address of the peer WAN Accelerator.
[Speed]: Displays transmission speed of the currently-accelerated data.
[Sessions/Tunnels]: Displays the total number of sessions and the remaining number of sessions
available for acceleration connection.
[Flow(before/after)]: Displays the amount of flow going through the device before and after
acceleration. Normally, flow throughput caused after acceleration is less than that caused before
acceleration.
[Reduction Rate]: Displays the rate of the flow caused before acceleration to the flow caused after
acceleration.
[Status]: Displays the connection status of the corresponding user.
[Protocol]: Displays the acceleration protocol being used by the user.
[Connection Time]: Displays the time when the user connects in to or exits from the WAN
Accelerator.
[Operation]: Click the corresponding link and you can view that single users real-time flow
caused over the past 60 seconds, or view the application connections of that user.
You can also set some filtering options to view the connection status of specified device(s) or
mobile user(s).
Once you clear the cache, all the cached files on the WAN Accelerator will be deleted,
which means all the data saved by the byte cache will get lost and afterward have to be cached
once again.
35
3.2.2.1.3
Application Connections
[Application Connections] page enables you to search and display the connection status of various
applications. Choose an application type (Proxy type), and enter source IP address (Host IP) and
destination IP address (Remote IP), and then click the <Search/Refresh> button to view the
connection status of the specified connection(s) applying the selected application type.
3.2.2.2Logs
[Service Logs] displays the running logs and error messages of the WAN Accelerator. To view the
needed logs, select a date and the system will display the corresponding logs generated during the
specified time period, as shown below:
Click the <Log Settings> button to define the display of service logs, as shown below:
36
The SANGFOR WAN Accelerator will only save the logs for 14 days, the logs of the
earlier days will be deleted automatically.
3.2.2.3Bandwidth Monitor
[Bandwidth Monitor] enables you to view the running status of the bandwidth management
function and of each channel, and view the flow information of the external lines and bandwidth
channels.
3.2.2.4Flow Status
[Flow Status] page displays the running information of BM module, flow information of
bandwidth channels and information of exclusion policy (of bandwidth channels), as shown
below:
37
[Running Information of Bandwidth Management]: Displays the running status of the system and
the flow information of the external lines.
[+] or [-]: Click the icon [+] or [-] to unfold or fold the information of each sub-channel
respectively.
<Stop Refresh>: Click this button to stop automatically refreshing the flow information.
[Display]: Select [All Channels] or [Running Channels] to display the bandwidth and flow
information of all the configured bandwidth channels or of the running channels configured.
[Over]: Select a time period based on which the flow and flow speed statistics are to be made. The
device will calculate the flow information over the selected time period, namely, the past [5
minutes], [15 minutes], [30 minutes], [1 hour], [2 hours], or [6 hours], etc.
[Save Settings]: Click this item to save your display preferences, [Display] and [Over]. Next time
when you view the [Flow Status] page, the flow status information to be displayed will be
collected according to your display preferences.
Bandwidth Channel
[No.]: Displays the name of the channels.
38

[Realtime Speed]: Displays the real-time uplink and downlink bandwidth of the channel.
[Usage]: Displays the ratio of actual bandwidth utilized by the channel to the total bandwidth.
[History Speed]: Displays the history speed of the selected time period.
[History Flow]: Displays the history flow caused during the selected time period.
[Number of Users]: Displays the number of users that are causing flow on the channel.
[Assured Bandwidth]: Displays the assured bandwidth of the channel allocated by the system.
[Max. Bandwidth]: Displays the configured maximum bandwidth of the channel.
[Priority]: Displays the priority of the channel. The channel that has higher priority will be
allocated with more remaining bandwidth from other bandwidth channels.
[Status]: Displays the running status of the channel, running, disabled or stopped, etc. [Stopped]
mainly shows up when it is an invalid time for the bandwidth channel to take effect (check the
valid time of this bandwidth channel).
Exclusion Policy
[Exclusion Policy] displays the real-time speed, history speed and history flow related to the
application(s) and service(s) not included in the bandwidth channel (polices).
3.2.2.4.1
Flow Rankings
[Flow Rankings] page enables you to view the real-time uplink flow and downlink flow rankings.
You can search for (by specifying the IP address) maximum 400 users of their flow rankings, and
view [Uplink and downlink] flow, [Only uplink] flow or [Only downlink] flow, as well as select
the time interval to have the flow rankings be automatically refreshed.
39
3.2.2.4.2
Connections Monitor
[Connections Monitor] page enables you to search for the connection information of the entered
IP address.
3.2.2.5VPN
[VPN Status] page displays the information of the real-time VPN connections and network flow.
Click the <Stop Service> button to stop the VPN service temporarily.
40
3.2.2.6DHCP Running Status

[DHCP Running Status] page displays the IP allocation information of DHCP. Only when the
DHCP is enabled and configured will the relevant data be displayed on this page. It is as shown
below:
3.2.2.7Gateway Status
[Gateway Status] page presents the WAN interface IP addresses of the local WAN Accelerator and
traffic going through these WAN interfaces, and allows you to enable the remote maintenance
feature and to start the services, etc. The page is as shown below:
3.2.3 Tools
[Tools] includes [Ping], [Tracert] and [Show ARP].
41
3.2.3.1Ping
[Ping] page mainly helps to check the connectivity of the networks. Enter the IP address, and click
the <Ping> button, as shown below:
Here, <Ping> has exactly the same function as the ping command on Web console.
3.2.3.2Tracert
[Tracert] page mainly helps to check whether there is any route address unreachable between the
SANGFOR WAN Accelerator and the destination IP address. Enter the destination IP address and
then click the <Tracert> button, as shown below:
42
Here, <Tracert> has exactly the same function as the traceroute command on Web
console.
3.2.3.3Show ARP
[Show ARP] page mainly helps to check the ARP table of the SANGFOR WAN Accelerator, and
thus check whether ARP spoofing exists. Click the <Show ARP> button, as shown below:
Here, <Show ARP> has exactly the same function as the arp command on Web console.
3.2.4 Wizard
[Wizard] page shows you the sequential steps to configure the basic pages quickly. Just follow the
steps given by the wizard to complete configuring each module.
43

Click the link (in light blue) to directly enter the corresponding configuration page. As for the
detailed configuration guide for each page, please refer to the relevant section in this user manual.
3.2.5 Data Center

Click the main menu [Data Center] and you will enter the Internal Data Center of the WAN
Accelerator. The homepage of the Internal Data Center is as shown below:
For detailed introduction and usage guide to the Data Center, please refer to 3.8 Sangfor VPN.
44
3.2.6 Help
Click [Help] and you will see the brief introduction to the activated page.
45
3.3
Home
[Home] page is exactly the same as that of [Status] > [WAN Optimization] page. Please refer to
Section 3.2.2.1 WAN Optimization.
3.4
System
[System] module includes the configurations of [System Settings], [Deploy Settings], [Users],
[Network Objects] and [DHCP Settings], as shown below:
3.4.1 System Settings

[System Settings] consists of [General], [NTP Settings], [Web UI Settings] and [Advanced] pages,
as shown below:
46
3.4.1.1General
[General] page configures the date, time and time zone on the WAN Accelerator, as shown below:
Have completed configuring the date, time and time zone, you have to click the <Save and
Apply> button to save the settings.
3.4.1.2NTP Settings
[NTP Settings] page configures the time synchronization options to have the system time of the
WAN Accelerator keep synchronizing with the NTP servers. Enter the addresses for the four
servers, and then click the <Sync Now> button. Having saved and applied the settings, you can
get the time of each NTP server, and choose a most accurate time to synchronize the time of the
local device.
47
Click the <Sync Now> button to have the system time synchronize with the server immediately,
Having completed configuring the page, you have to click the <Save> button to save the settings.
3.4.1.3Web UI Settings
[Web UI Settings] page configures the Web service port of the gateway console and the timeout
options functioning after the user logs in to the gateway console. If the service port (HTTPS login
port) is modified, you have to log in to the gateway console through this new port.
[HTTPS Login Port]: Configures the HTTPS port used for logging in to the gateway console.
[Page Timeout]: If there is no operation on the console during this period of time, the console user
will automatically log out of the gateway console.
[Operation Timeout]: If a page fails to open during this time interval, the system will think it
48

timed out and will not try to open this page again.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply the settings.
3.4.1.4Advanced
[Advanced] page configures the listening port for the acceleration service provided by the WAN
Accelerator, the device name and functions of MAC Track, High-speed TCP.
[Listening Port]: Configures the listening port of acceleration service provided by the WAN
Accelerator. It is TCP and UDP 5400 port by default. Each WAN Accelerator must be able to
access its peer listening port normally; otherwise, the two terminals will fail to establish the
acceleration connection.
[Device Name]: Defines the name of the WAN Accelerator, distinguishing it from WAN
Accelerators of other sites. This name will be displayed at the top of WEB UI page, together with
the SANGFOR logo, as shown below:
49
[Enable MAC Track]: Check or uncheck this option to enable or disable the MAC Track function
respectively.
When the WAN interface of the bridge device receives TCP SYN data from other tunnel (instead
of the acceleration tunnel), the destination IP address and Destination MAC address will be
recorded. If there are other TCP data need access this destination IP address through the
acceleration tunnel, the bridge device will directly forward the data from the LAN interface to the
hosts MAC address according to the information recorded before.
Check the [Enable MAC Track] option and there is no need for you to add a return route in single
Bridge mode.
MAC Track function takes effect only in Bridge mode.
Case Study 1: Environment and Configuration For MAC Track

The following figure shows the topology of certain company: the WAN Accelerator is deployed in
Bridge mode, in the headquarters network, as shown below:
50
Configuration steps on the Headquarters WAN Accelerator are as shown below:

Step 1: On the [System] > [Deploy Settings] > [Network Interface] page, select [Acceleration
Only] as the [Service Mode], and select [Bridge] as the [Deployment Mode].
Step 2: Configure the Br0 IP address as 192.168.0.2/24, gateway IP address as 192.168.0.1/24,
MANAGE interface IP and DNS address according to your case.
Step 3: Check the [Enable MAC Track] option on the [System] > [Advanced] page.
Step 4: Configure [WAN Optimization] > [Server] page.
As to the configuration on the Branchs WAN Accelerator, please follow the steps below:
Step 1: On the [System] > [Deploy Settings] > [Network Interface] page, select [Acceleration
Only] as the [Service Mode], and select [Bridge] as the [Deployment Mode].
Step 2: Configure the Br0 IP address as 172.16.0.2/24, default gateway IP address as
172.16.0.1/24, MANAGE interface IP and DNS address according to your case.
Step 3: Configure [WAN Optimization] > [Client] page.
[Enable High-speed TCP]: Check it to enable the high-speed TCP function.

High-speed TCP function is an improvement of the traditional TCP protocol, with enhancement
on the sliding window and amendment on congestion control algorithm, more efficient than TCP
51

protocol in large bandwidth and high-latency environment.
However, in some network environment, the efficiency of high-speed TCP might be lower than
that of the traditional TCP; and in that case, this option is not recommended to be checked.
3.4.2 Deploy Settings

[Deploy Settings] includes configuration pages of [Network Interface], [Local Subnet], [Static
Route], [Static Route], [Windows Domain], [VPN Interface] and [Multi-line Settings]. Another
two configuration pages of [CDP Settings] and [WCCP Settings] are only available in
[Acceleration Only] service mode and [Single arm] deployment mode, as shown below:
52
3.4.2.1Network Interface
[Network Interface] page configures the working mode the WAN Accelerator, interface IP address
and DNS address, etc.
Working mode includes [Service Mode] and [Deployment Mode].
[Service Mode] falls into [Acceleration Only] and [VPN and Acceleration] service modes.
[Acceleration Only]: When this option is selected, the device only enables the acceleration
function, which means the VPN function is unavailable. Under this service mode, you can deploy
the WAN Accelerator in Gateway mode, Bridge mode, Double Bridge mode and Single Arm
53

mode. Bridge mode supports asymmetrical route mode while single arm mode supports
deployment combined with PBR+CDP or WCCP. This selection is suitable for the network
environment that is using a dedicated line or that has established VPN with other networks.
[VPN and Acceleration]: When this option is selected, the device enables both the VPN function
and acceleration function. It is suitable for the environment that both WAN Accelerators are
deployed in public network but neither has established any VPN connection. In this service mode,
you can only deploy the WAN Accelerator in gateway mode: use the integrated IPSec VPN
function of SANGFOR WAN Accelerator to establish VPN connection between the two terminals;
and then enable the acceleration function to establish acceleration tunnel.
3.4.2.1.1
Gateway Mode
The [Network Interface] configuration page of gateway mode is as shown in the following page:
54
[LAN] is a network segment that the firewall protects, covering all the devices and hosts of the
local area network. LAN network segment is a trusted one for the firewall.
[WAN] section configures the external lines. Select a [Line Type], [Ethernet], [PPPOE] or
[DHCP].
If you are connecting to the Internet through PPPOE dial-up, select [Line Type] PPPOE; fill in
the [User Name], [Password] and check the [Enable auto dial] option. Having completed
configuring the page, click the <Save and Apply> button to save all the settings; all the services
will restart; log in again and then click the <Start Dial-up> button; from then, the WAN
Accelerator will automatically dial up once it disconnects with the Internet. [Advanced Attribute]
consists of the parameters for dial-up; they are 20, 80 and 3 by default, as shown below:
55
[DMZ] defines the small network segment in a local area network of an enterprise. Some servers
are located in DMZ network segment, such as web server, mail server, FTP server and external
DNS server, etc., providing services for the external networks. The firewall allows the services of
this network segment to be delivered to the WAN and protects it from attacks at the same time.
If the DMZ interface (ETH1 on the front panel of device) is not used, keep the default
settings unchanged.
[MTU] configures the MTU value of the interface; it is the Ethernet standard value 1500 bytes by
default. In some network environment, if the MTU of certain network device is lower than 1500,
the related data packets might be discarded; in that case, you can manually modify this MTU
value and keep it relevant with that of the network device.
[DNS] shows the DNS addresses provided by the local ISP. Fill in the correct address according to
your case.
The filled in interface IP addresses of LAN, WAN, DMZ must be coherent with your
network.
If WAN interface is using a static IP address, you can bind multiple IP addresses with this
interface. Just click the <Multi-IP Binding> button, enter the IP addresses and click the
<OK> button, as shown below:
56
The IP address bound with the WAN interface must be of a same network segment with that
of the WAN interface; otherwise, the IP address bound will not work normally.
The IP address bound with WAN interface cannot be used again to connect VPN.
3.4.2.1.2
Single Arm Mode
The [Network Interface] configuration page of Single Arm mode is as shown below:
Under Single Arm mode, WAN and DMZ options are unavailable.
57

Having completed configuring the LAN interface IP, subnet mask, default gateway and DNS
address, you have to click the <Save and Apply> button to save the settings.
If there are multiple network segments in the local area network where the single-arm
mode WAN Accelerator locates, you have to configure the subnet segments of the LAN on the
[Local Subnet] page (excluding the subnet segment of the LAN interface IP).
3.4.2.1.3
Bridge Mode
The [Network Interface] configuration page of Bridge mode is as shown below:
58
[Bridge Interface]: Select two interfaces to establish the bridge, options are [LAN->WAN1],
[DMZ->WAN2]. You cannot define the interface for bridging.
[Logic Interface]: Configures the IP address of the logic interface (Br0), subnet mask and default
gateway of the bridge-mode WAN Accelerator.
[Manage Interface]: Configures the IP address of the MANAGE interface of the bridge-mode
WAN Accelerator. You can select any of the interface as the MANAGE interface except the
interfaces used for bridging.
59
Under Bridge mode, LAN and WAN direction cannot be mixed up; otherwise, no
acceleration effect will be achieved.
The IP address of the logic interface must be of the same subnet segment as that of the WANend firewall/router, and as that of the LAN-end core switch.
The MANAGE interface can only be used for managing the SANGFOR WAN Accelerator,
not supporting other use such as the WAN Accelerator getting access to the Internet through
this MANAGE interface.
3.4.2.1.4
Double Bridge Mode
The [Network Interface] configuration page of Double Bridge mode is as shown below:
60
61
Under the Double Bridge mode, you need to configure two bridges (BR0 and BR1), including the
logic IP address, subnet mask, default gateway of LAN and default gateway of WAN.
[Default Gateway(WAN1/WAN2)]: Indicates the interface IP address of other devices at the WAN
end of the SANGFOR WAN Accelerator. Configure [Default Gateway(WAN1/WAN2)] and you
will have the WAN Accelerator communicate with the external networks normally to establish
acceleration connection.
[Enable synchronization link]: This function is applied to the redundant network environment
(such as VRRP) where the WAN Accelerator is deployed in Double Bridge mode. Once the
system detects that any interface of the bridge pair falls out, it will automatically disconnect the
other interface of the bridge pair, so as to ensure smooth data transmission and switch between the
redundant WAN Accelerators.
[Default Gateway(LAN/DMZ)]: Indicates the interface IP address of the core switch at the
LAN/DMZ end of the WAN Accelerator. Configure [Default Gateway(LAN/DMZ)] and you will
be free from adding a return route when there is layer 3 switch in the local area network and there
are divisions of VLAN.
[Virtual IP Settings]: Configures the virtual IP address of the double-bridge WAN Accelerator. It is
this virtual IP address through which other WAN Accelerators establish acceleration connections
with this double-bridge WAN Accelerator.
Logic Interface IP of BR0 and BR1 cannot be at a same network segment.
62
The virtual IP can be or not be in the same network segment of BR0 or BR1.
If there is a layer 3 switch in the local area network, [Default Gateway(LAN/DMZ)] must be
filled in; if there is only a layer 2 switch, [Default Gateway(LAN/DMZ)] is not required.
3.4.2.2Local Subnet
[Local Subnet] page configures the subnet segments of the local terminal if the WAN Accelerator
is deployed in Single Arm mode (the subnet segment where the LAN interface IP locates does not
need to be added).
Case Study 2: Add Subnet In Single-Arm Mode

Suppose there are two network segments in the Intranet of an enterprise: 192.168.10.0/24 and
192.168.20.0/24. The WAN Accelerator locates at 192.168.10.0/24, deployed in Single Arm
mode. You need only enter the subnet segment (192.168.20.0) and the subnet mask on the
following page, and then click the <OK> button, as shown below:
3.4.2.3Static Route
[Static Route] page helps to add a route for the data (both VPN and non-VPN) that are to be
forwarded by the WAN Accelerator and the data of the WAN Accelerator itself.
63

[Static Route] can fulfill the following two functions:

a.) Add packet return route when the WAN Accelerator proxies multiple segments for Internet
access.
b.) Local WAN Accelerator being deployed in Bridge mode, configure the packet return route to
establish acceleration connection if the target LAN consists of multiple subnets and the [PreConnection] option is checked on the peers WAN Accelerator.
Case Study 3: Add Packet Return Route

This case study presents how to add packet return route when the device proxies multiple
segments for Internet access.
When there are several segments in the Intranet of an enterprise and these segments request
accessing the Internet through SANGFOR WAN Accelerator, you need to add a system route so
that the WAN Accelerator can return the data packets from different network segments to the right
switch or router in the internal network.
For example, suppose there are two network segments in the internal network of an enterprise:
192.168.10.X and 192.168.20.X. The two segments are interconnected and can communicate with
each other through the layer 3 switch. The computers of each segment direct to their respective
gateway 192.168.X.254 of the layer 3 switch. The LAN interface IP of WAN Accelerator is
192.168.10.1, located in the 192.168.10.X subnet. The WAN interface is connected to the Internet.
Now, the 192.168.20.X and 192.168.10.X subnets want to connect to the Internet through the
WAN Accelerator which works as the public network egress.
Since the 192.168.20.X subnet and LAN interface (192.168.10.X) of WAN Accelerator are not of
a same segment, you need to add a static route on the WAN Accelerator so that it can return the
data packets of 192.168.20.X to the layer 3 switch 192.168.20.254 and the data packets can finally
return to the computer located in the 192.168.20.X network segment. Please follow the steps
below to complete the configurations:
Step 1: Add multiple rules of source translation, including that for 192.168.10.0/24 and
64

192.168.20.0/24 (for details, please see [Firewall] > [Source Translation] or Section 3.7.2 SNAT).
Step 2: Add static route: 192.168.20.0/24 ->192.168.10.254, as shown below:
Case Study 4: Add Packet Return Route

The case study shows how to configure the packet return route to establish acceleration
connection, when the local WAN Accelerator is deployed in Bridge mode and if the target LAN
consists of multiple subnets and the [Pre-Connection] option is checked on the peer WAN
Accelerator.
The WAN Accelerator of the Headquarters is deployed in Bridge mode, between the core switch
and the firewall, in the network segment 192.168.1.x/24. The core switch divides some subnets to
several VLANs. On the Branchs WAN Accelerator, the [Pre-Connection] option is checked (for
detailed introduction, please refer to Section 3.5.4.1 Connect to Central Gateway), and is going to
connect to the Headquarters WAN Accelerator and access the VLAN 10 (subnet:
192.168.10.x/24) of the core switch.
Solution: add a route on the [Static Route] page for subnet 192.168.10.X whose gateway directing
to the interface 192.168.1.254 of the layer 3 switch (able to reach subnet 192.168.1.X), as shown
below:
65
3.4.2.4Dynamic Route
[Dynamic Route] page configures the dynamic RIP settings to enable the SANGFOR WAN
Accelerator to inform other routing devices of the routing information by using RIPv2 protocol,
and therefore, to ensure that the RIP routing information of the LAN routing devices can be
dynamically updated.
[Enable Routing Information Protocol]: Check the option and this function will be activated. The
WAN Accelerator will inform the LAN routing device (configured on the tab above) of the
network information of the peer terminal with which the local WAN Accelerator has established
VPN connection. With that information, the routing device will update its routing table, adding a
route that directs to the peer WAN Accelerator, and the local WAN Accelerator being the gateway
of this route; once the VPN connection cuts off, the local WAN Accelerator will inform that
routing device of the disconnection so that it can delete this route).
The routing device itself does not accept dynamic update implemented by the RIP routing
protocol. If the WAN Accelerator wants to communicate with other LAN routing devices that have
enabled RIP protocol, it must be configured manually with a static route.
[Enable Password Authentication]: Configures the password needed for exchanging RIPv2
protocol information. You can configure it according to your specific case.
[IP Address], [Port]: Configures the IP address and port of the routing device to which the WAN
Accelerator sends routing update information initiatively.
[Trigger Update]: Check this option and the WAN Accelerator will trigger the update of the
66

routing information when the routing information changes; in that case, the [Update Frequency]
setting will get invalid.
[Record Logs]: Check this option and the WAN Accelerator will log the RIP routing update
information.
Click <Save> button to complete configuring and saving the settings of this page.
3.4.2.5Windows Domain
[Windows Domain] page helps to add the WAN Accelerator into the windows domain of the
intranet, so as to improve Exchange 2007 in receiving and sending emails. If the WAN
Accelerator cannot be added into the windows domain, receiving/sending email of Exchange 2007
will not be accelerated.
[Domain Name]: Defines the domain name of windows domain.

[Domain Controller]: Configures the domain controller of the windows domain.
[Username]: Configures the admin account used for logging into the windows domain.
[Password]: Configures the password of the admin for logging into the windows domain.
[Confirm Password]: Enter the password again to confirm the correctness of the password.
[Primary DNS]: Displays the DNS address configured on the [Network Interface] page. This DNS
address must be the DNS address of the Intranet domain.
[Status]: Displays the status whether it has been added to the windows domain.
<Join>: Click this button to have the WAN Accelerator join the configured windows domain.
67

<Exit>: Click this button to have the WAN Accelerator exit from the windows domain.
<Reset>: Click this button to clear the configurations and configure these items once again.
Only the server WAN Accelerator need join the windows domain; the client WAN
Accelerator need not join the windows domain.
Case Study 5: Join WCC.COM Domain

Requirement: To add the server WAN Accelerator into www.wcc.com domain of the Intranet.
Enter the [Windows Domain] configuration page; define the domain name wcc.com, domain
controller sangfor.wcc.com, username Administrator and the password. Make sure that the
WAN Accelerator can communicate with the domain controller smoothly, and then click the
<Join> button to add the WAN Accelerator into the www.wcc.com domain. If it joined
successfully, you can see the status In domain wcc.com, as shown below:
3.4.2.6VPN Interface
[VPN Interface] page configures the IP address and mask of the virtual network adapter for the
IPSec VPN service.
68
[VPN Interface Setting]: Configures the local VPNs network segment and mask which the peer
VPN will be informed of. If either [LAN Mask] and [DMZ Mask] is checked and configured, the
local WAN Accelerator will only inform the peer VPN of the network segment that owns the
configured mask (mask of the LAN or/and DMZ interface). If neither is checked and configured,
the network segments that the LAN interface and DMZ interface locate at both sides (server WAN
accelerator and client WAN accelerator) cannot access each other.
Select the [Default] option if you want to use the default IP address and mask; or define an
idle IP address if the default IP address conflicts with any working IP address. The configuration
is as shown below:
69
VPN port is a virtual port of the WAN Accelerator; in reality, no such physical port exists.
3.4.2.7Vlan Settings
[Enable VLAN Support]: Check this option to enable the VLAN Support feature. The page is as
shown below:
VLAN Support function enables the peer WAN Accelerator (peer device) to restore the original
VLAN ID of the processed data packet (for the local WAN Accelerator changes the VLAN ID
70

during data processing), and ensures the peer device to distinguish the data (which VLAN it
belongs to).
When the LAN interface of the local WAN Accelerator (local device) receives a request data
packet from the peer device, the local device removes the VLAN ID of the packet and sends the
processed packet (accelerated) back to the peer device through its WAN interface; after that, the
peer device receives the returned packet and also handles the packet, and then forwards the
processed data to its local area network, at the same time, the peer device restores the original
VLAN ID of the data packet according to the records taken by the local device.
VLAN Support function only works in one type of network; for details, please refer to the case
study followed (Case Study 6).
Case Study 6: Environment and Configuration of VLAN Restore

VLAN Support function only takes effect in one type of network, as shown below:
The Headquarters and Branch Office are connected to each other by a leased line; at each end of
the leased line is a switch; the two switches have enabled trunk. Both the Headquarters and
Branch Office have VLAN 1 and VLAN 2; VLAN 1 and VLAN 2 cannot access each other.
Requirement: To accelerate the data transmission from VLAN 1 and VLAN 2 to the Headquarters
(HQ).
To achieve the acceleration effect, we deploy the two WAN Accelerators in between the two
switches of the headquarters and the branch, in Bridge mode. Detailed configuration procedure is
as shown below:
Step 1: Under Bridge mode, configure the IP addresses of the Br0 interfaces of the two WAN
Accelerators; the two IP addresses must be of a same network segment, ensuring the
communication between the two WAN Accelerators.
Step 2: Configure the server WAN Accelerator and client WAN Accelerator to have the server and
client establish acceleration connection quickly.
71

Step 3: Check the [Enable VLAN Restore] option on both the server WAN Accelerator and client
WAN Accelerator.
Step 4: Configure on the bridge device to bind multiple IP addresses that are at the network
segment of VLAN 1 and VLAN 2.
Step 5: If the [Pre-Connection] option is checked, we have to configure the local subnet on the
server gateway, to add the network segments of VLAN 1 and VLAN 2.
VLAN restore function only takes effect in the network environment as shown above. As to
other VLAN environment and whether it is appliable, please consult the technicians of
SANGFOR.
[Enable VLAN ID Settings]: Check this option to apply the VLAN ID settings.
Click the <New> button and configure [VLAN ID] and [Destination IP] (single IP address or IP
range) to have the destination IP address labeled with the VLAN ID. The related IP address(es)
contained in the data packet that is to be forwarded, after being handled by the WAN Accelerator,
will be tagged with the corresponding VLAN ID. In this way, the IP addresses of a same VLAN or
of different VLANs can access each other.
<Delete>: Click this button to delete the selected VLAN Item.

<Search>: Enter a destination IP address into [DST IP Range] textbox and click this button to
search the VLAN items that contain this destination IP address.
<Save and Apply>: Click this button to save and apply the newly added VLAN settings.
72

For case study, please refer to the case study followed (Case Study 7).
Case Study 7: Environment and Configuration of VLAN ID Settings

VLAN ID Settings apply to networks of the following topology:
The HQ WAN Accelerator and Branch WAN Accelerator are connected to each other with a
leased line; at each end of the leased line is a router. The router enables single-arm routing
function (the interface is configured with multiple sub-interfaces). Both the headquarters and
branch have VLAN 100, VLAN 200 and VLAN 300, which cannot be accessed by other VLAN.
Requirements: a). accelerate the data transfer between the VLAN (VLAN 100, VLAN 200 or
VLAN 300) and headquarters; b). VLAN 100, VLAN 200 and VLAN 300 can access each other,
and at the same time, these VLANs and HQ VLAN servers can access each other.
To meet the customers two requirements, our only choice is to deploy the WAN Accelerator in
Bridge mode, in between the switch and router, and then configure the system as follows:
1. Configurations on WAN Accelerators:
1.) Bind the server/client WAN Accelerator with IP addresses, ensuring that each VLAN has
at least an IP address being bound, so that the WAN Accelerator can access every VLAN.
2.) Check the [Enable VLAN ID Settings] option for the server WAN Accelerator and the
client WAN Accelerator, and then configure the VLAN settings, as shown below:
73
3.) Configure the other necessary settings for the server WAN Accelerator and the client
WAN Accelerator, and ensure that the two WAN Accelerators can establish acceleration
connection smoothly.
2. Configuration on the Switches
1.) Configure Switch
Configure the switch to ensure it supports VLAN; configure the TRUNK interface and the
VLAN data that are allowed to go through it.
2.) Configure Router
The router must be configured with sub-interfaces; every VLAN is assigned with a subinterface IP address.
3.4.2.8Multi-Line Settings
In network that WAN Accelerator is deployed in Gateway mode using multiple WAN lines, or in
network that WAN Accelerator is deployed in Single-arm mode with multiline function being
enabled, you need add the lines on this tab. You can add, delete and edit the line information and
configure the line selection policy.
The default configuration page is as shown below:
If your case is any of the two situations above, please check the [Enable Multiline] option and add
74

the related lines into the list.
<New>: Click this button to add a line. The pop-up [Edit Multiline] page is as shown below:
Select a line and configure the connection mode of the line.

[Static IP]: Enter the corresponding static Internet IP address according to your case. If it is a
dynamic IP address, uncheck the [Use Static Internet IP] option and leave [Static IP] blank.
Click <Save> button to save the settings.
If the line type is Ethernet, you must configure testing DNS and the DNS IP address must
be an accessible Internet IP address; if the line type is ADSL dial-up, the DNS address can be null.
<Advance>: Under the [Multi-Line Settings] tab, click this button and the [Multi-Line Advanced
Settings] dialog pops up, as shown below:
75
If you want to close the multiline status detection function when the Internet lines are activated
and in good status, UNCHECK the [Enable DNS Detection] option.
[DNS Detection Time]: Specifies the time interval that the multiline status is to be detected. It
only applies when the option [Enable DNS Detection] is checked.
Multi-line advanced settings are only applicable to network that has multiple Internet lines.
If your network has only one Internet line, you need not configure the advanced settings.
3.4.2.9CDP Settings
[CDP Settings] page configures the options of CDP protocol supported by the WAN Accelerator.
In page [System] > [Deploy Settings] > [Network Interface], select [Accelerator Only] Service
Mode, and select [Deployment Mode] Single arm, and then the [CDP Settings] tab is seen, as
shown below:
76
Check the [Support CDP Protocol] option and type the gateway name and detection time in the
boxes.
The purpose of checking the [Support CDP Protocol] option is to enable the single-arm WAN
Accelerator (VPN function is not supported) to associate with the CDP-supported frontend
device, so as to implement policy-based routing. As the front-end device will be unable to
detect the existence of the WAN Accelerator with CDP when the single-arm WAN
Accelerator is in failure, the frontend device itself will invalidate the policy-based routing
and restore the previous data flow direction, so as to avoid impact caused by the failure of the
WAN Accelerator.
At present, the only supplier supporting CDP is CISCO.
3.4.2.10 WCCP Settings

WCCP is a newly-added function of SANGFOR WAN Accelerator 6.0.
[WCCP Settings] (Web Cache Communication Protocol) is able to restore the network structure in
case of network fault. It can keep the network structure unchanged when the routing table on the
core switch is modified because of the single arm deployment, ensuring the robustness of the
network.
Introduction to WCCP Protocol

WCCP is a communication protocol specifying communcation between a router and Cache
Engine. The Cache Engine is a specific device (such as the SANGFOR WAN Accelerator)
for data cache; while the router is in association with the Cache Engine redirecting TCP
data flow to the Cache Engine, achieving the purpose of improving data transfer efficiency
77

and shortening TCP process time.
WCCP uses UDP 2048 port to perform data communication, with two versions, WCCP V1 and
WCCP V2. Currently, SANGFOR WAN Accelerator 6.0 only supports WCCP V2. To enable the
WCCP function, the switch or router must support WCCP protocol; otherwise, the WCCP
function is disabled.
The following table lists the CISCO device models and hardware versions that support WCCP.
For devices of other venders, please contact your hardware device supplier.
CISCO HARDWARE
CISCO IOS
ISR and 7200 Routers
12.1(14),
12.2(26),
12.3(13),
12.4(10),
12.1(3)T,
12.2(14)T,12.3(14)T5, 12.4(9)T1
Catalyst 6500 with Sup720 or Sup32
12.2(18)SXF12
Catalyst 6500 with Sup2
12.1(27)E, 12.2(18)SXF10
Catalyst 4500
12.2(31)SG
Catalyst 3750
12.2(37)SE
* The information in the above table is only for reference. They are subject to change without
notice. Please refer to the CISCO official website.
The typical network topology of WCCP deployment is as shown below.
Only when both the [Acceleration only] and [Single arm] options (under the [System] > [Deploy
Settings] > [Network Interface] page) are checked, will the following configuration page of
[WCCP Settings] appear, as shown below:
78
Click the check box next to [Enable WCCP v2] to enable the WCCP function.
What should be noted is that, WCCP and CDP will not be available at the same time.
[Transmission Mode]: Transmission mode specifies the data encapsulation method when the
WAN Accelerator and the router are communicating. Options are GRE and Layer 2.
[GRE] can work through a layer 3 switch, while [Layer 2] can only communicate in layer 2
environment. Selection of transmission mode is subject to the actual topology, and the
transmission method of the switch or router supported.
The following table lists the transmission modes supported by CISCO devices respectively. For
devices of other venders, please contact your hardware device supplier:
CISCO HARDWARE
Redirection and Return Method
ISR and 7200 Routers
GRE
Catalyst 6500 with Sup720 or Sup32
GRE or L2
Catalyst 6500 with Sup2
GRE or L2
Catalyst 4500
L2
Catalyst 3750
L2
* The information in the above table is only for reference. They are subject to change without
notice. Please refer to the CISCO official website.
[Weight]: When there are several local WAN Accelerators deployed in your network, this
parameter helps to allocate weight for these devices with TCP traffic, according to certain ratio.
For example, if the weight of device A is 100 and the weight of device B is 200, device A will take
the flow of 100/(100+200) and device B will take the flow of 200/(100+200). When there is only
one WAN Accelerator, you can set the weight as any value.
Click the <New> button to add a new router or switch IP address to enable WCCP protocol; you
79

can also add a number of IP addresses, as shown below:
[Service Group ID]: Configures WCCP service group to which the WAN Accelerator and
router/switch belongs. This service group IP must be the same as that configured on the
router/switch; otherwise, the WCCP protocol cannot be used.
[Password]: Configures the password for WCCP interaction. If the password is incorrect, relevant
information of WCCP protocol will not be interacted properly. DO keep the [Password] here the
same as the password set on the router/switch.
[Data Flow Type]: [TCP] and [ICMI] options are available. It defines the types of data that the
router/switch redirects to the WAN Accelerator. If no type of data flow is selected, system will
redirect the types of data according to the routing table of the router/switch. Generally, TCP data
is recommended, while ICMP is mainly used for checking the validity of WCCP function with
ping/tracert command.
[Priority]: Priority is accessible if there are several different service groups. In case that the
different service groups have the same redirection policy, select the service group policy with
higher priority to redirect the data. If there is only one service group, the priority can be set as any
value.
[Policy Mark]: Enable Hash policy when there are several WAN Accelerators, assigning data
redirection by different policies. With this approach, it can avoid the situation that multiple
connections originated from a same IP address to a same server are redirected to a different WAN
80

Accelerator. Hash policies can be created by defining and combining the Source IP, Destination
IP, Source port, or Destination port. If there is only one WAN Accelerator, you can ignore this
option.
[Port Mode]: [All port] mode and [Application mode] are available. WCCP can define the ports to
redirect data. Select [All port] mode and all the data at TCP 1-65535 will be redirected to the
WAN Accelerator; select [Application port] mode, and only the data at the allocated 8 TCP ports
are to be redirected. In this mode, ports are separated from each other by comma (,).
[Route Device Address]: Indicates the IP address of router/switch interacting with WCCP. This
route device address is the same as the route device address configured in [Deploy Settings].
Click the check box next to [Enable], and then click the <OK> button to complete configuring the
WCCP service.
Lastly, click the <Save and Apply> button to save and apply the above settings.
CISCO Device Configuration

The WCCP configuration commands on CISCO device are shown below:
configure terminal
ip access-list extended wccp_acl permit tcp sourceIP netmask destinationIP netmask (Better
not use permit tcp any any command)
exit
ip wccp version 2
ip wccp 60 redirect-list wccp_acl password 123456
interface e0/1
ip wccp 60 redirect { in | out }
Case Study 8: WCCP Avoiding Routing Loop in Single Arm Mode

Requirements are as follows:
a). The WAN Accelerator deployed in single arm mode, the Headquarters need accelerate its
business system, without changing the routing table on the core switch.
b). The network should be able to recover in case of gateway device failure, so as to ensure the
normal running of business.
The deployment topology is as shown below
81
According to the customers requirements, the headquarters must utilize WCCP protocol to meet
the needs.
Here, in this section, we only focus on the configuration of WCCP, and other settings are
ignored.
It is necessary to understand the WCCP configuration on CISCO device. There are two
configuration methods of WCCP on CISCO device: one is to configure in, which means the data
received by this interface will be redirected; the other is to configure out, which means the data
sent out by this interface will be redirected. In this example, we configure out (as to configure in,
we need to configure for each VLAN interface).
1. The configuration commands are as shown below:
configure terminal
ip access-list extended wccp_acl1 permit tcp 172.16.1.0 0.0.0.255 192.168.2.0 0.0.0.255
exit
ip wccp version 2
ip wccp 60 redirect-list wccp_acl1 password 123456
interface f0/10
ip wccp 60 redirect out
2. Next, we are going to configure WCCP options on the SANGFOR WAN Accelerator, as
shown in the figures below:
82
3.
Click the <OK> button and we have completed configuring the WCCP router address.
4.
Finally, click the <Save and Apply> button to save all the above settings.
3.4.3 Users
[Users] page enables you to set the accounts (administrator or acceleration user) for logging in to
the gateway console, as shown below:
Click the <New> button to configure [User Name], [Password] and [User type]. [User type] falls
83

into [Gateway], [PACC], [System Administrator] and [Guest], as shown below:
If [User Type] is [System Administrator], it indicates that the account is an administrator account
for Web page. If [User Type] is [Guest], you can specify privilege for this account: [Edit] or [View
only].
The system administrator with [View only] privilege cannot fulfill configuring on the WAN
Accelerator. Only the administrator with [Edit] privilege can do so. The default account Admin is
an administrator account with [Edit] privilege; it cannot be deleted and its privilege cannot be
altered. You can only modify the password.
84

If [User Type] is [Gateway] or [PACC], it indicates that this account is allocated for acceleration
users. These two types of users can be referenced by the acceleration policy group.
[Gateway] account is used when the networks are connected and accelerated through two WAN
Accelerators. [PACC] account is used when mobile users connect to the WAN Accelerator. The
pages are as shown below:
Having completed configuring an acceleration account, you can reference the user when
configuring the acceleration policy group, so as to decide which users are able to connect to this
WAN Accelerator.
If [User Type] is [Guest], it indicates that this account only allows the user to log in to the WAN
Accelerator to either view or edit, as shown below:
85
Click the <Online User> button and you can view the current online user list under administrator
account, as shown below:
Case Study 9: Add Acceleration User

Requirement: Add an acceleration user account wanotest for a branch, to enable the Branchs
WAN Accelerator and Headquarters WAN Accelerator to establish an acceleration channel.
Approach 1:
Under the [System] > [Users] > [Users] page, type the user name and password, and select
[Gateway] as the [User Type], as shown below:
86
Next, enter the [WAN Optimization] > [Server] > [Acceleration User] page, select the newlycreated user wanotest, and click <Edit> to edit this user; check the [Enable This User] option, and
then this user can be used by the branch users.
The [Acceleration User] page is as shown below:
Approach 2:
Under the [WAN Optimization] > [Server] > [Acceleration User] page, click the <New> button to
create a new user wanotest; enter the user name and password; select the user type and then check
the [Enable This User] option, as shown below:
87
3.4.4 Network Objects

[Network Objects] consists of three pages, namely, [IP Group], [Application List] and [Time
Schedule], as shown below:
3.4.4.1IP Group
[IP Group] defines the IP ranges, which may be composed of single IP addresses, IP ranges and
88

subnets. The defined IP group may be referenced by [WAN Optimization] > [Server] >
[Acceleration Policy] page and [Firewall] > [Firewall Rule] page.
Click the <New> button and the corresponding options appear, as shown below:
Enter the name, description of this IP group, and the IP addresses to be covered by this IP group.
You can [Select] to [Add] the IP addresses filled in the text box above or to [Auto Parse] the IP
address according to the configured domain name followed. If [Auto Parse] is the selected one,
the options are as shown below:
89
[Try Times]: Configures the try times allowed to parse the domain name.
[Domain Name]: Configures the domain name according to which the IP address is parsed.
Click <Parse> and the corresponding IP address of this domain name will be parsed and be listed
in the [IP Address] text box.
If [Add] is the selected one, you then need select an [Address Type].
[Address Type]: Configures the type of the IP address. Options are [Single IP], [IP Range] and
[Subnet].
Having completed configuring the page, you have to click the <OK> button to save the settings.
Case Study 10: Create IP Group with Single IP Addresses

Create an IP group and have it cover the LAN server 172.16.1.100. Two approaches are
applicable:
Approach 1:
Type 172.16.1.100 into the [IP Address] text box and select [Add] and [IP Address] as the
[Address Type], as shown below:
90
Approach 2:
Select [Add] and [IP Address]; type 172.16.1.100 into the [IP Address] text box and click <Add>
to add this IP address into the [IP Address] list. Finally, click the <OK> button, as shown below:
Case Study 11: Create IP Group with IP Range

Create an IP group and have it cover the LAN servers in 172.16.1.100-172.16.1.120. Two
approaches are applicable:
Approach 1:
Type 172.16.1.100-172.16.1.120 into the [IP Address] text box; select [IP Range] as the [Address
91

Type] and then click the <OK> button, as shown below:
Approach 2:
Select [Add] and [IP Range]; type 172.16.1.100 into the [Start IP] text box and 172.16.1.120 into
the [End IP] text box, and then click <Add> to add this IP range into the [IP Address] list. Finally,
click the <OK> button, as shown below:
Case Study 12: Create IP Group with Subnet

Create an IP group and have it cover the LAN subnet segment 172.16.1.0/24. Two approaches are
applicable:
92

Approach 1:
Type 172.16.1.0/255.255.256.0 into the [IP Address] text box; select [Subnet] as the [Address
Type] and then click the <OK> button, as shown below:
Approach 2:
Select [Add] and [Subnet]; type 172.16.1.0 into the [Subnet Segment] text box and 255.255.256.0
into the [Subnet Mask] text box, and click <Add> to add subnet the into the [IP Address] text box.
Finally, click the <OK> button, as shown below:
3.4.4.2Application List
[Application List] page defines the protocols and ports of various applications so that they can be
referenced on [WAN Optimization] > [Server] > [Acceleration policy] page and [Firewall] >
93

[Firewall Rule] page. The system already includes some frequently used applications, as shown
below. For other applications, you can add them by yourself.
Click the <New> button and the corresponding options appear. Name the application and give it a
brief description, as shown below.
Click the <New> button to add specific protocol and port so that they can be used in acceleration
policy configuration.
[Application]: Configures the name of the application.

[Description]: Configures the brief description for this application.
[Port type]: Defines the port type used by the application.
94

[Port operation]: Configures whether to include or exclude the specific port for the application.
[Start port]: Defines the start port of certain application or the start port which is to be excluded.
[End port]: Defines the end port of certain application or the end port which is going to be
excluded.
If there is another port used this application, click the <New> button again to add the
corresponding port.
Finally, click the <OK> button to complete configuring the application list.
Case Study 13: Add ERP System Application into Application List
Requirements: Add an ERP system application into the Application List so that this application
can be referenced by [Acceleration Policy] configuration page, and have the branchs access to the
headquarters ERP system speed up.
Under the [Application List] page, click the <New> button; type in the name and description of
the application, as shown below:
Click the <New> button, and enter the port or port range to be used by the ERP system (In this
scenario, it is TCP 8000), as shown below:
Click the <OK> button to complete configuring the page, as shown below:
95
Finally, click the <OK> button to save all the settings.
3.4.4.3Time Schedule
[Time Schedule] defines the time schedules which consist of some commonly used time periods.
The defined time schedule may be used in [Bandwidth Management] > [Policy Settings] to set
valid time and expiry time of the policy. The time is based on the system time of the SANGFOR
WAN Accelerator.
Click the <New> button and the corresponding options appear; name the time schedule and give it
a brief description; select and enable the needed time periods, as shown below:
96

Green represents valid time and gray stands for invalid time.
Case Study 14: Define Office Hours

Define a time schedule named Office Hours which is composed of the hours from 8:30-12:00 and
14:00-17:30, Monday to Friday. The other time periods are non-office hours.
Click the <New> button and the corresponding options appear, as shown below:
Name the time schedule and give it a short description; select the needed time periods and finally
click the <OK> button.
97
3.5
WAN Optimization
[WAN Optimization] covers the configurations of [Application], [Compression], [Server],

[Client], [Certificates] and [Advanced].
3.5.1 Application
[Application] configures the protocol proxies supported by the SANGFOR WAN Accelerator. It
consists of eight configuration pages, namely, [HTTP], [CIFS], [SMTP], [POP3], [Exchange],
[Oracle EBS], [Citrix] and [RDP].
3.5.1.1HTTP
[HTTP] page configures the proxy function for HTTP protocol, as shown below:
98
Check the [Enable HTTP Proxy] option to enable HTTP protocol proxy.
[Max. Cache Size]: Configures the upper size limit of the object type file.
[Object Timeout]: Configures the timeout of caching object file.
[Cache Object Type]: Configures the HTTP object types that are to be cached by the WAN
Accelerator. The default image file types are bmp, jpg, gif; the default script file type is js.
[First-synchronize-then-respond Object Type]: Configures the HTTP objects that are first to be
synchronized and then be responded. This configuration ensures that the objects requested by the
client terminal are objects from the destination server, but not the outdated objects cached in the
WAN Accelerator.
and apply all the settings of this page.
3.5.1.2CIFS
[CIFS] page configures the proxy function for CIFS protocol, as shown below:
99
Check the [Enable CIFS Proxy] option to enable CIFS protocol proxy.
Check the [Enable SMB Signing] option to enable SMB Signing.
Check the [Enable Open/Read Optimization] option to enable open/read optimization of CIFS.
Check the [Enable Save/Write Optimization] option to enable save/write optimization of CIFS.
Check the [Enable Directory Optimization] option to optimize access to folder.
Check the [Enable Print Optimization] option to optimize printing.
Check the [Enable pre-read data for open(Low bandwidth used with caution)] option to read
ahead the data when opening a file.
[Session Cache Size]: Configures the cache size of a single session over My Network Places. The
higher the value is, the better the acceleration effect shows.
and apply all the settings of this page.
3.5.1.3SMTP
[SMTP] configures the proxy function for the SMTP protocol, as shown below:
100
Check the [Enable SMTP Proxy] option to enable SMTP protocol proxy.
Click the <Save and Apply> button to save and apply the settings of this page.
3.5.1.4POP3
[POP3] page configures the proxy function for the POP3 protocol, as shown below:
Check the [Enable POP3 Proxy] option to enable the POP3 protocol proxy.
3.5.1.5Exchange
[Exchange] page configures the proxy function for the EXCHANGE protocol, as shown below:
Check the [Enable Exchange Proxy] option to enable the Exchange protocol proxy.
101

If none of the above protocols applies to the acceleration data, it will use TCP protocol
proxy.
3.5.1.6Oracle EBS
[Oracle EBS] page configures the optimization function of Oracle EBS, as shown below:
Check the [Enable Oracle EBS Optimization] option to enable Oracle EBS optimization.
Check the [Enable HTTP Mode] option to optimize Oracle EBS running in HTTP mode.
Oracle EBS supports connection modes such as HTTP, HTTPS, SOCKET and so on. However, by
default, SANGFOR WAN Accelerator only optimizes Oracle EBS running in SOCKET mode; if
you want to optimize Oracle EBS running in HTTP mode, please check the option [Enable HTTP
Mode].
If [Enable HTTP Mode] is not checked, the WAN Accelerator will not optimize Oracle
EBS when it is running in HTTP mode.
3.5.1.7Citrix
[Citrix] page configures the optimization function of Citrix applications, as shown below:
102
Check the [Enable Citrix Optimization] option to enable Citrix application optimization .
3.5.1.8RDP
[RDP] page configures the optimization function of RDP, as shown below:
Check the [Enable RDP Optimization] option to enable RDP optimization.

3.5.2 Compression
[Compression] consists of only one tab, [Compression Settings], as shown below:
[IP Compression]: Check the options and the corresponding non-acceleration data between the
two WAN Accelerators will be compressed and therefore transmission of them will speed up.
Check the [Enable TCP Packet Compression] option to enable the TCP packets to be compressed.
103

Check the [Enable UDP Packet Compression] option to enable the UDP packets to be compressed.
By default, the TCP compression and UDP compression functions are not enabled, for the
transfer of the compressed TCP or UDP data will get too fast. If there is a frontend firewall device
that can defend against DoS attacks, that data transmission will be misjudged as attack.
[Cache]: Decides whether to load the byte cache index and whether to enable byte cache bypass
when the device reboots.
[Load the data cache index when the device reboots]: Check this option, and it will load the data
cache index when system restarts, and therefore still have the previously-cached data work even
though the acceleration connection is rebuilt; uncheck this option and the previously-cached data
will get invalid for new acceleration connections.
If there are too many WAN Accelerators connecting in or connecting out, this option is not
recommended to be checked, for the time taken by loading data cache index may be long and thus
lower down the data transfer after the new acceleration connection is built.
[Enable Byte Cache Bypass]: Check this option, and the acceleration data will be bypassed
automatically if the system is too busy and the disk I/O meets bottleneck. Byte Cache Bypass
function help to avoid disk I/O bottleneck which lowers down data transfer of the acceleration
data.
Click the <Save and Apply> button to save and apply all the settings of this page.
Case Study 15: Type of Data Applicable to Compression

As shown in the following network topology, there are three types of data going through the WAN
Accelerators: Internet access data, peer server access data (accelerated) and peer LAN access data
(non-accelerated). The [Compression Settings] is only applicable to the last type of data, nonacceleration data accessing the peer LAN.
104
3.5.3 Server
[Server] consists of [Acceleration Policy], [Acceleration Policy Group] and [Acceleration User]
pages, as shown below:
3.5.3.1 Acceleration Policy

[Acceleration Policy] configures policies related to acceleration. The WAN Accelerator is already
built in with some default acceleration policies, as shown below:
Click the <Delete> button to delete the selected acceleraton poicy (policies); or click the <New>
button to define the parameters for the acceleration policy, such as [Dst. IP Group], [Application],
[Application Protocol], [Algorithm], [Enable SNAT], [Session Limit] and [Enable Byte Cache], as
shown below:
105
[Policy Name]: Indicates the name of the policy.

[Dst. IP Group]: Configures the host IP address to be accelerated. Click <Add> to get into the
[Network Objects] > [IP Group] page or select the needed group (the needed IP group should be
defined on the [IP Group] page in advance; for detailed configuration guide, please refer to
Section 3.4.4.1 IP Group).
[Application]: Configures the application to be accelerated. Click <Add> to get into the [Network
Objects] > [Application List] page or select the needed application (the needed application should
be defined on the [Application List] page in advance; for detailed configuration guide, please refer
to Section 3.4.4.1 IP Group).
[Description]: Gives a brief description to this acceleration policy.
[Application Protocol]: Indicates the protocol to be proxied; options are [Auto proxy], [TCP
proxy], [HTTP proxy], [FTP proxy], [CIFS proxy], [POP3 proxy], [SMTP proxy], [EXCHANGE
proxy], [Citrix proxy], [RDP proxy] and [Oracle Forms proxy]).
106

[Algorithm]: Configures the algorithm used by the acceleration tunnel. Options are [No
compression], [LZO compression] and [GZIP compression]. Compression effect of LZO
compression is 15% higher than that of GZIP compression, but it consumes more performance of
the WAN Accelerator. Generally, GZIP compression is recommended.
[Enable Byte Cache]: Decides whether to enable the data cache for this policy.
[Enable SNAT]: Check this option, and it will disclose the real source IP address of the data
packet when some applications require reserving the source IP; otherwise, the IP address of the
local WAN Accelerator will be taken as the source IP address of the data packet (indicating the
data packet is forwarded from this source IP address). You have to check this function if the LAN
application masquerades the true source IP address of the data packet.
[Session Limit]: Defines the sessions to be accelerated. The default is the maximum value 800.
Each policy for PACC user (mobile user) supports at most 50 sessions and the excessive ones will
be bypassed.
Having competed configuring this page, you have to click the <OK> button to save the settings;
or click the <Cancel> button to give up configuring this page.
To select CIFS proxy, you have to CHECK the [Enable SNAT] option.
3.5.3.2 Acceleration Policy Group

[Acceleration Policy Group] is a blend of various acceleration policies.
Click the <Delete> button to delete the selected policy group; or click the <New> button to add an
acceleration group, as shown below:
107
[Policy Group Name]: Configures the name of the policy group.

[Select Policy]: Select the needed acceleration policies that are to be included in the policy group.
To add a new acceleration policy, please enter the [Acceleration Policy] page.
[Associate With User]: Select the needed user(s) to associate with the policy.
[Byte Cache Settings]: Defines the allocation method of data cache. Options are [Allocate
automatically] and [Allocate manually]. If [Allocate manually] is selected, you need to specify the
[Minimum Disk Quota] and [Maximum Disk Quota] which are used to control the disk space size
occupied by the data cache related to these acceleration policies. If [Allocate automatically] is
selected, the remaining disk space will be automatically allocated to the policies of this policy
group as the disk space demand gets larger and larger.
Having competed configuring this page, you have to click the <OK> button to save the settings;
or click the <Cancel> button to give up configuring and back to the previous page.
108
If [Allocate automatically] is selected, when a user connects in, the data cache allocator of
the device will allocate a block of disk space (128 MB per block) from the remaining disk
space to a client gateway as its data cache. After the allocated block of data cache has been
used up, the data cache allocator will continue to allocate another piece from the remaining
disk space to the gateway, and so forth. When the entire disk space is used up, the data cache
will reclaim the block of data cache firstly allocated and allocate it once again.
The byte cache allocated manually will not be reclaimed.
3.5.3.3 Acceleration User

[Acceleration User] page configures the acceleration access account for the client gateway, and
associates the account with acceleration policy, as shown below:
Click the <Delete> button to delete the selected acceleration policy; or click the <New> button to
add a new connecting-in acceleration user and associate it with an acceleration policy group, as
shown below:
109
[User Name]: Configures the name of the user allowed to access the local WAN Accelerator.
[Password]: Configures the password of the user account.
[Confirm Password]: Enter the password again to check the correctness of it.
[Description]: Give this account a brief introduction.
[User Type]: Configures the user type of the connecting-in user. Options are [Gateway] user and
[PACC] user. [Gateway] user is the user whose data are accelerated through the acceleration
connection established between the WAN Accelerators; while [PACC] user is the user whose data
are accelerated through the connection established between the WAN Accelerator and the PACC
user (for mobile acceleration user).
[Enable This User]: Check this option to enable this acceleration user account.
[Select Policy Group]: Select the needed acceleration policy group that will reference this user.
Click <Add> to enter the [Acceleration Policy Group] page to add a new acceleration policy
group.
[Policy Group Details]: Displays the acceleration policy information covered by this acceleration
policy group.
110

Having competed configuring the acceleration user, you have to click the <OK> button to save the
settings.
Case Study 16: Create Acceleration User and Associate Policy Group
Create an acceleration user wanotest for the Branch WAN Accelerator, and have it associate with
the HTTP and FTP service of the subnet segment 172.16.100.0/24. Detailed procedures are as
introduced below:
Step 1: Under the [Acceleration Policy] page, configure the application and destination address.
As HTTP and FTP are default applications for acceleration, you need not create acceleration
policies for these two applications.
Step 2: Under the [Acceleration Policy Group] policy, add an acceleration policy group named
wanotest group and associate it with the HTTP and FTP acceleration policy group. In this step,
you need not associate this acceleration policy group with the acceleration user because you have
not added the acceleration user yet, as shown below:
Step 3: Under the [Acceleration User] page, add a new Gateway user named wanotest and
111

associate it with the acceleration policy group wanotest group, as shown below:
Till then, we have completed adding the acceleration user and associating it with the acceleration
policy group, and the branch users can get access to the Internet through the headquarters with the
user account wanotest, having the HTTP and FTP application accelerated.
Case Study 17: Accelerate Exchange Server 2007 Email Delivery

The headquarters has a server for Exchange Server 2007, providing mail services and locating in
the www.wcc.com domain.
Requirement: Accelerate the email sending/receiving for the branch.
To accomplish acceleration, the followings should be done:
a.) Ensure that the WAN Accelerator of the headquarters and WAN Accelerator of the branch can
communicate with each other, and that the received and delivered email data should go
through the WAN Accelerators.
b.) The headquarters WAN Accelerator joins the LAN www.wcc.com domain (for detailed
configuration guide, please refer to Section 3.4.2.4 Dynamic Route).
c.) Configure an acceleration policy group exchange for the headquarters WAN Accelerator and
associate it with the corresponding acceleration policies and the related branch gateway user,
112

as shown blow:
Case Study 18: Accelerate Access to Oracle EBS

The headquarters has an Oracle EBS server 192.200.200.225.
Requirement: The client-side LAN users accesses to the Oracle EBS server are to be accelerated.
To meet the requirement, we are going to configure the headquarters WAN Accelerator as
follows:
113
1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access
each other, and the flow caused when client user accesses the server goes through the server
WAN Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [Oracle EBS] tab and check the options
[Enable Oracle EBS Optimization] and [Enable HTTP Mode], as shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the
Oracle server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an
114

acceleration policy (in this scenario, it is named Oracle) for Oracle applications: associate
this policy with the Oracle server IP address (configured in the above step); select
[Application] ebs, and [Application Protocol] Oracle Forms Proxy, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new
acceleration policy group (in this scenario, it is named Oracle), and have this policy group
associate with the Oracle acceleration policy and Oracle IP group (the branch users), as
shown below:
115
Case Study 19: Accelerate Access to CITRIX

The headquarters has a CITRIX server 192.200.200.226.
Requirement: Accelerate the users accesses to the CITRIX server.
To meet the requirement, we are going to configure the HQ WAN Accelerator as follows:
each other, and the flow caused when client-end accesses the server goes through the WAN
116

Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [Citrix] tab and check the options [Enable
Citrix Optimization], as shown below:
Citrix server into the address list, as shown below:
acceleration policy (in this case, it is named Citrix): associate this policy with the [Citrix]
server IP address (configured in the above step); select [Application] citrix, and [Application
Protocol] Citrix Proxy, as shown below:
117
acceleration policy group (in this case, it is named Citrix), and have this policy group
associate with the Citrix acceleration policy and Citrix IP group (the branch users), as
shown below:
118
Case Study 20: Accelerate Access to RDP

The headquarters has a RDP server 192.200.200.227.
Requirement: To accelerate the users accesses to the RDP server.
To meet the requirement, we are going to configure the headquarters WAN Accelerator as
follows:
119

each other, and the flow caused when client user accesses the server goes through the WAN
Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [RDP] tab and check the option [Enable
RDP Optimization], as shown below:
RDP server into the address list, as shown below:
acceleration policy (in this scenario, it is named RDP): associate this policy with the RDP
server IP address (configured in the above step); select [Application] rdp and [Application
Protocol] RDP Proxy, as shown below:
120
acceleration policy group (in this scenario, it is named RDP), and have this policy group
associate with the RDP acceleration policy and RDP IP group (the branch users), as shown
below:
121
3.5.4 Client
[Client] includes two configuration pages, [Connect to Gateway] and [Prefetch], as shown below:
122
3.5.4.1 Connect to Central Gateway

[Connect to Central Gateway] page configures on the local WAN Accelerator the parameters of its
peer WAN Accelerator. The local WAN Accelerator (local device) acts as an acceleration client,
connecting to the peer WAN Accelerator (peer device).
Click the <New> button and the following options appear, as shown below:
[Gateway Name]: Indicates the name of the peer device to be connected by the local device. It is
user-defined.
[User Name]: Indicates the gateway account for connecting to the peer device.
[Password]: Indicates the password of the gateway account for connecting to the peer device.
123

[IP Address]: Configures the LAN IP address or bridge IP address.
[Listening Port]: Indicates the listening port of the peer device (rather than the HTP working port
number).
[Transfer Protocol]: Configures the encapsulation mode of the data packets that are to be
transferred and accelerated. Options are [High-speed TCP] and [HTP]. High-speed TCP is
generally applied to network with high latency, while HTP is applicable to network with packet
loss or high packet loss. The default selection is [Auto select], which means the WAN Accelerator
will detect the network by itself and then decide the transfer mode.
[Set Parameters]: It is only available when the [Transfer Protocol] is [HTP]. You can click it to set
the [Work Mode]: [Normal], [High packet loss] or [Low latency], and configure the [UDP Data
Packet Size(MTU)] as well, according to your network environment, as shown below:
[Description]: Indicates the description for the peer device to be connected to.
[Enable Gateway Settings]: Check this option to enable the settings of this WAN Accelerator.
<Advanced>: Click it and the options [Enable Network Transparency] and [Pre-Connection] are
seen.
[Enable Network Transparency]: Check this option to enable the network transparency mode, and
the WAN Accelerator will reveal the real IP addresses of the source IP and destination IP that
work for data transmission in the acceleration channel. This function is applicable to the network
environment that the application control policy of either WAN Accelerator has referenced the
source IP or destination IP and controls the bandwidth of them.
If the WAN Accelerator is deployed and configured in the following two modes, [Enable
Network Transparency] can NOT be checked: a). In Gateway mode and VPN function is enabled;
b). In Single Arm mode, but the CDP or WCCP function is not enabled.
124

[Pre-Connection]: Check this option to enable prefetching connection mode.
The versions issued before WAN Accelerator 5.0 are of pre-connection mode. Pre-connection
mode indicates that, the moment the client PC sends the access requests to the server, the client
WAN Accelerator can respond to and accept the requests for the destination server, without
waiting for the response from the destination server; in this way, it can shorten the time for
establishing connection as well as data transmission.
However, one problem is inevitable, that in case the server WAN Accelerator and the destination
server fails to build the connection, but the acceleration policies for all the network segments and
ports have already been configured and enabled, some other non-acceleration TCP data (for
instance, the Internet access data) will also be handled by the WAN Accelerator, because the
policies allows the WAN Accelerator to proxy all the TCP data sent by the client and to forward
the handled data to the destination server; therefore, these TCP applications cannot work
normally.
The SANGFOR WAN Accelerator 5.0 and 6.0 is different from the previous versions on
connection mode. The client WAN Accelerator will not accept the client PCs connection requests
in advance for the destination server, instead, it accepts the requests and allows data transmission
only after the destination server gives the positive response; in this way, the problem caused by
the pre-connection mode can be avoided.
[Pre-Connection] option can be checked when the acceleration connection is established

between two WAN Accelerators; if the acceleration connection is established between the PACC
user (mobile acceleration user) and WAN Accelerator, the [Pre-Connection] option will not
function.
[Enable Reverse Acceleration]: Check this option to enable reverse acceleration between the peers
of the established connection.
Reverse acceleration function will have the client WAN Accelerator (local device) inform and
allow the server WAN Accelerator (peer device) to actively connect to the acceleration user
created by the local device, when the client WAN Accelerator connecting to the server WAN
Accelerator. In this way, both sides (server and client) can feel the acceleration effect, and as a
result it can save one WANO license.
Click <Add> and you will enter the [Acceleration User] page to create or edit a user.
125
The connect-out gateway port of the peer WAN Accelerator must be coherent with the
[Listening port] of the local WAN Accelerator; otherwise, the acceleration connection cannot be
established.
HTP is a high-speed and reliable transmission protocol based on UDP, developed by

SANGFOR. It can solve the problem of high packet loss and high latency of the network, and
accomplish quite good transmission effect both in wireless and Long-Fat-Pipe environment.
Case Study 21: Branch Establishes Acceleration Connection With

HQ
Suppose a customer has deployed the SANGFOR WAN Accelerator 6.0 into the network of its
Beijing Headquarters and configured the corresponding acceleration services. Now, another WAN
Accelerator is required to be deployed in the Hong Kong branchs network, and the acceleration
connection must be established between the Hong Kong branch WAN Accelerator and Beijing
headquarters WAN Accelerator.
The deployment topology is as shown below:
In this scenario, we only focus on the acceleration configuration at the client end, other
configurations being ignored.
126
First of all, confirm the following information with the device administrator of Beijing
headquarters: username/password, LAN IP of the WAN Accelerator and the port providing
acceleration service.
Suppose that, Username is HongKong, Password is wanacc, LAN IP of is 10.1.1.1 and service
port is 5400. Enter the information, as shown below:
Click the <OK> button to save the settings.
Case Study 22: Enable Network Transparency Mode

The customer deploys the SANGFOR WAN Accelerator 6.0 in Bridge mode, in its network where
a bandwidth management device is deployed at frontend of the WAN Accelerator. In the previous
section, different bandwidth control policies have been configured for the Intranet IP.
The deployment topology is as shown in the following figure:
127
Now, the tasks are, firstly, to guarantee that information of Source IP, Source port, Destination IP,
Destination port of the data packets keep unchanged when they go through the SANGFOR WAN
Accelerator; and secondly, to guarantee that the bandwidth policies configured on the bandwidth
management device for each IP still take effect.
Check the [Enable Network Transparency] option on the [Connect to Central Gateway] page, as
shown below:
Case Study 23: Use Reverse Acceleration

The headquarters has HTTP, FTP and EXCHANGE servers, and the branch also has FTP server.
Requirements: To have the branch users feel the acceleration effect while they are getting access
to the headquarters HTTP, FTP and EXCHANGE servers; at the same time, have the
headquarters users feel the acceleration effect when they are getting access to the branchs FTP
server.
128

The deployment topology is as shown in the following figure:
First, follow the steps below to configure the headquarters WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group
covering the LAN network segments of the headquarters, as shown below:
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create
corresponding acceleration policies for Exchange, HTTP and FTP. Taking the HTTP for example,
the configurations are as shown below:
129
Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an
acceleration policy group which associates with the three acceleration policies on Exchange,
HTTP and FTP, as shown below:
Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration
user for the branch, and associate this user with the acceleration policy group created in the above
step, as shown below:
130
Step 5: Add the headquarters WAN Accelerator into the domain where the Exchange server
locates (for detailed configuration guide, please refer to Section 3.4.2.4 Dynamic Route).
Then, follow the steps below to configure the branchs WAN Accelerator:
covering the LAN network segments of the branch, as shown below:
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an
acceleration policy on FTP. The configurations are as shown below:
131
acceleration policy group which associates with the acceleration policy FTP, as shown below:
user for the branch, and associate this user with the acceleration policy group created in the above
step, as shown below:
132
Step 5: Initiate connection requests to the headquarters. Get into the [WAN Optimization] >
[Client] > [Connect to Central Gateway] page; check the [Enable Reverse Acceleration] option
and select the acceleration user (HQ, configured in the above step) as the [Reverse User], as
shown below:
133
3.5.4.2 Prefetch
SANFOR WAN Accelerator 6.0 provides the prefetching function. You can enable this function so
that the device will automatically fetch the data from the server in advance and save it to the byte
cache at the preset time. The client PC will acquire the acceleration effect when accessing the
server for the first time, with greatly improved user experience.
The configuration page is as shown below:
[Start Time], [End Time]: Configures the start time and end time of prefetching respectively.
During this time range, the device will prefetch data from the remote server.
[Days]: Specifies the date implementing prefetch operation.
Click the <New> button and the following options appear, as shown below:
[Address]: Configures the directory/address where server or file is located in.

[Username], [Password]: Configures the user name and password used for logging in to the server.
134

[Description]: Configures the contents to be prefetched.
[Enable]: Check this option to enable the settings of this page and enable this prefetch rule.
and apply the above settings.
[Days] is based on the system time. Therefore, make sure the system time of the WAN
Accelerator is consistent with the actual time.
[Prefetch] function only supports two protocols, HTTP and FTP, and it only supports login to
FTP server (not HTTP server) with username and password.
The address and file name should be English characters; otherwise, prefetching will fail
because of decoding failure.
Case Study 24: Prefetch Data From FTP Server

From the previous two case studies (Case Study 18 and Case Study 19), we get known that an
acceleration connection between Beijing headquarters and Hong Kong branch has been
established. However, the employees in Hong Kong branch frequently download report files of
the previous day via the limited bandwidth from the FTP server of Beijing headquarters. Since the
report files are very large, the download speed is very slow.
To solve this problem, the customer enables the prefetching function on Hong Kong branchs
WAN Accelerator and set the prefetching time (early morning every day) so that the device will
prefetch the report files from the FTP server of Beijing headquarters. By doing this, the byte cache
will take effect and the download will speed up when the employees of Hong Kong branch
download these report files from the FTP server for the first time.
The deployment topology is shown below:
135
In this scenario, we only focus on how to configure the prefetch rule, while other
configurations are ignored.
First of all, confirm the following information with the device administrator in Beijing
headquarters: IP address of FTP server and the Username/Password of the FTP server (it is OK if
there is no username/password). Suppose the IP address of the FTP server is 10.1.1.3, username
and password for FTP download are beijing and FTP respectively.
Detailed steps are as stated below:
Step 1: Set the time on the Hong Kong branchs WAN Accelerator so that the device will
automatically prefetch report files from the FTP server in Beijing headquarters at the preset time
every day.
136

Step 2: Enter the IP address of the FTP server and the username/password for logging in to the
FTP server.
Click the <OK> button to save the above settings.
3.5.5 Certificates
[Certificates] includes the configurations of [CA Certificate] and [Server Certificate]. Here you
can import server certificate or automatically generate server certificate, the device acting as
HTTPS protocol proxy for the client to accelerate the HTTPS protocol.
This function only supports the HTTPS applications that adopts SSL one-way authentication.
If you are accessing this page for the first time, the system may ask you whether to install the
certificate import component. Click the <Install> button to install it, as shown below:
137
3.5.5.1 CA Certificate
[CA Certificate] page helps to import the root certificate provided by the CA. The default
configuration page is as shown below:
Click the <New> button; enter [Name] and select the directory of the [Certificate File], as shown
below:
Check the [Enable] option to enable this root certificate provided by the CA.
Click the <OK> button to save the settings of this page; or click the <Cancel> button to give up
138

configuring and back to the previous page.
On the [CA Certificate] page, you can click the <Delete> button to delete the selected CA
certificate(s).
3.5.5.2 Server Certificate

[Server Certificate] page helps to import the server certificate of the HTTPS server.
Click the <New> button; enter the [Destination IP] address and [Destination Port] of the HTTPS
server, as shown below:
[SSL Version]: This option is offered for the specific use of Oracle EBS applications. Check the
version according to the SSL version of your Oracle EBS. If Oracle EBS uses digital certificate,
both the WAN Accelerator and the Oracle server should join the domain.
Select the [Import Certificate That Contains Key] option; upload the file for [Certificate File] and
enter corresponding [Encrypted Password] of the certificate, as shown below:
139
Some CA may issue a certificate file without key to a HTTPS server; in that case, you need select
the [Import Certificate With Separate Key] option and configure the [Private Key File] and the
[Encrypted Password], as shown below:
Check the [Enable] options to enable the server certificate.

Click the <OK> button to save the settings of this page; or click the <Cancel> button to give up
configuring and back to the previous page.
140
Case Study 25: Accelerate Access to HTTPS Server

To accelerate the branchs access to the headquarters HTTP server, the network and WAN
Accelerator are deployed as follows:
First, follow the steps below to configure the headquarters WAN Accelerator:
covering the LAN network segments of the headquarters.
Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an
acceleration policy on HTTPS and select [HTTP Proxy] application protocol and check the
[Accelerate HTTPS] option, as shown below:
141
acceleration policy group and associate it with the HTTPS acceleration policy, as shown below:
user for the branch and associate it with the HTTPS policy group configured in the previous step,
as shown below:
142
Step 5: On the [WAN Optimization] > [Certificates] > [CA Certificate] page, import the CA root
certificate of the HTTPS server, as shown below:
Step 6: On the [WAN Optimization] > [Certificates] > [Server Certificate] page, import the
HTTPS servers server certificate issued by the CA, as shown below:
143
In this scenario, the server certificate that the HTTPS server acquired from the CA contains no
private key. We select the [Import Certificate With Separate Key] option, and import the server
certificate and the private key file into the WAN Accelerator.
Till then, we have completed configuring the HTTPS settings on the headquarters WAN
Accelerator. The remaining step is creating an acceleration connection to have the branch access
the headquarters HTTPS application.
3.5.6 Advanced
[Advanced] include configurations of [Exclusion Rule], [Asymmetric Route] and [Keep Alive
Settings].
144
3.5.6.1 Exclusion Rule

SANGFOR WAN Accelerator 6.0 allows you to configure exclusion policy for acceleration
service. By configuring exclusion policy, you can enable or disable the acceleration function for
specific IP addresses, subnets or network segments. By default, all of the IP addresses are
accelerated.
145
[Enable Acceleration For All IP]: When this option is selected, the data packet will not be
accelerated if the source IP address of the data packet is consistent with that configured in the list.
[Disable Acceleration For All IP]: When this option is selected, the data packet will be accelerated
only when the source IP address of the data packet is consistent with that configured in the list.
As shown in the above figure, system default is that the data transmission through some common
ports (in the list) cannot be accelerated. If the WAN Accelerator receives a data packet whose
destination port is any of the port in the list, this data packet will not be handled by the
acceleration channel; instead, it will be bypassed.
Click the <New> button to create a new exclusion rule, as shown below:
146
Enter a network segment or a specified IP range. The correct format of network segment is as
shown below:
The correct format of IP range is as shown below:
Fill in the needed source IP address, destination IP address, destination port of the data packet that
are to be excluded from.
Check the [Enable] option and click the <OK> button.
Finally, click the <Save and Apply> button to complete configuring the page and save the settings.
147
Case Study 26: Exclusion Rule Defines Acceleration Subnet

Provided the customer has established a VPN connection between Beijing headquarters and Hong
Kong branch. However, it is required that only the network segments where the Hong Kong
accountants locate can feel the acceleration effect while they are accessing the Beijing server.
The deployment topology is as shown below:
In this scenario, we only focus on how to configure the exclusion policy, while other
configurations are ignored.
Suppose the computers of accountants are on the 192.168.3.0/24 subnet. Specific operations are as
follows:
Step 1: On the [Exclusion Rule] page of the Hong Kong branchs WAN Accelerator gateway
console, select the [Disable Acceleration For All IP] option, as shown below:
148
Step 2: Enter the source IP addresses (subnet), destination IP 0.0.0.0, port 0, and then check
the [Enable] option, as shown below:
Step 3: Click the <Save and Apply> button to save the settings.
3.5.6.2 Asymmetric Route

[Asymmetric Route]: Asymmetric route can solve the problem that acceleration effect is
unobvious, because that the routes for data back and forth are asymmetric for there may be
multiple switches or multiple routers deployed in the Intranet (in redundancy).
Typical deployment topology of asymmetric route is as shown in the following figure:
149
As shown in the above figure, SANGFOR WAN Accelerator A and WAN Accelerator B have
established an accelaration channel between them. However, the efficiency is not high, as there is
dual switches and dual routers sharing the loads. The truth is that, data from the branch may
follow the upper route to get access to the headquarters, and then travel back through the lower
route.
To solve this problem, we deploy an WAN Accelerator C in the headquarters network. When
there are to-be-accelarated data transmitted to WAN Accelerator C, C transmits these data to
WAN Accelerator A, ensuring both the back-and-forth data always travel through the same line,
hence enhancing accelarating effect.
To enable the Asymmetric Route function for WAN Accelerator A and WAN Accelerator C,
the page should be configured as follows:
[Peer Gateway Address]: Specifies the IP address of LAN interface, DMZ interface or bridge
(subject to the deployment) of the other WAN Accelerator (of the local terminal). Ensure that the
two local WAN Accelerators are able to communicate with each other.
150

[Communication Port]: Configures the data communication port of the WAN Accelerator whose
asymmetric route function are to be enabled. DO note that the communication ports of both
devices should be consistent with each other.
[Keep-alive Interval]: Configures the period of time after which the asymmetric route function
times out. If no keep-alive packet is received from the asymmetric route during the period of time,
the asymmetric route will get invalid.
Finally, check the [Enable Asymmetric Route] option and click the <Save and Apply> button to
save and apply the settings.
Once the asymmetric route function is enabled, the flow direction of the original TCP data
will change (excluding non-TCP data, such as ICMP and UDP, etc), incorrect usage may result in
communication failure of the data. Therefore, before enabling this function, make sure that you
have detailed and clear knowledge of the general network infrastructure and the data flow
direction, and have a thorough communication with the technicians of SANGFOR.
3.5.6.3 Keep Alive Settings

SANGFOR WAN Accelerator 6.0 facilitates you to configure the keep-alive settings of the TCP
connection, and allows a TCP connection to be kept for certain time.
[Keep Alive Interval]: Configures the period of time that a packet keeps alive.
[Timeout Counts]: Configures the maximum number of times that a packet is sent. If there is still
no response from the peer device after the maximum attempts (timeout counts), the connection
151

will be broken.
Having completed configuring the above, you have to click the <Save and Apply> button to save
the settings.
152
3.6
Bandwidth Management
Different from most of the previous versions, SANGFOR WAN Accelerator 6.0 is designed with
bandwidth management (BM) function. Type of the data going through the WAN Accelerator will
be automatically identified, according to which the WAN Accelerator controls the bandwidth and
guarantees the bandwidth for the core businesses of a company.
Bandwidth management function is available in Gateway mode, Bridge mode, Double Bridge
mode and Single Arm mode.
3.6.1 Objects
[Objects] consists of [Application Identification], [Intelligent Identification], [URL Group] and
[File Type Group]. The default configuration page is as shown below:
153
3.6.1.1 Application Identification

Download software tools such as BT, Emule, etc., consume lots of bandwidth resources; IM
software tools such as QQ, MSN and stock trading software, etc., definitely occupy the working
hours and lowers down working efficiency of the staff. Though most of the enterprises issue
regulations to ban their staff from using these software tools, however, they can do nothing to
prevent their employees from using them, for nearly all of these software tools are designed to be
able to shy away from the ordinary firewalls.
SANGFOR WAN Accelerator 6.0 adopts some patented technologies to efficiently block the
above mentioned chat and IM software tools. Because the data packets of each kind of software
have unique feature values, when the software communicates with the external networks, WAN
Accelerator will detect the features contained in the data packets and determines whether the data
packets should be blocked. If the data packets contain the features we configured, then they will
not be sent or received. In this way, this software will be inaccessible for the LAN users.
Application identification rules ability of detecting traffic on the basis of protocol, port, direction,
length of data packet, and the content of the data packets, etc., can help to identify P2P traffic
quite well. Application identification rule falls into internal rule and user-defined rule. The
internal rules cannot be modified, while the user-defined rule can be added, deleted, and edited,
etc.
The application identification rules fall into various types and can distinguish the flow of certain
application in association with the [Application] configured on [Bandwidth Management] >
[Policy Settings] > [Application Control Policy] > [Access Control] page and the [Bandwidth
Settings] on [Bandwidth Management] page.
Click [Bandwidth Management] > [Objects] > [Application Identification] and the following page
is seen:
154
The key to identify the application and block some communications is to analyze the features of
these data packets. SANGFOR will periodically provide the feature values definition of the
software tools such as P2P, IM, etc. You can contact SANGFOR and apply for the application
identification rule package to manually import the rules, and you can analyze data packets by
yourself and define your own application identification rule by clicking the <New> button and
define the features of the packets. The page is as shown below:
155
Configure in [Data Packet Content Matching] section the feature values according to the analysis
on the data packets.
[Application Identification] supports [Import] and [Export] of the rules. To export the existing
user-defined rule(s), just select the rule(s), and click the <Export> button and name the file, and
finally confirm exporting (the internal rule cannot be exported).
[Import Rule]: To import a rule, click the <Browse> button and upload the rule (extension of the
rule file is *.ccf), and then click the <Import> button.
[Search Rule]: Type in the keyword of a rule name, click the <Search> button and you can find
the rule whose name contains this keyword.
[Rules Priority]: Click the <Modify> button to switch the priority between the user-defined
application identification rules and the internal rules. The rule types of higher priority to be
matched are displayed in red.
Since BT and IM software tools differ from each other and keep updating, some application
156

identification rules may get invalid for some latest versions of the software tools. SANGFOR
will periodically update the application identification rules. Please make sure that your WAN
Accelerator can access the Internet to update these rules online.
For the internal rules, you can only alter the classification and cannot edit the policy or
export the rule.
3.6.1.2 Intelligent Identification

[Intelligent Identification] configured in [Bandwidth Management] > [Objects] mainly identifies
the plain text or cipher text form P2P applications, identifies the encrypted Skype data according
to the Skype actions, and identifies the SSL certificate, SANGFOR VPN data, data from proxy
tool.
[Application Identification] detects the P2P application as well, limited to plaintext P2P data.
If you disable the [P2P Action] (in the Intelligent Identification Rule List on the [Intelligent
Identification] page), it can still successfully identify the plaintext P2P data but be unable to
identify the cipher text P2P data.
Skype data are encrypted. To control and record the Skype data, you have to select the
[Enable] option on the [Intelligent Identification] > [Edit Intelligent Identification Rule] page
of Skype.
157
3.6.1.3 URL Group

Internal URL group and user-defined URL group can be referenced by the [Bandwidth
Management] > [Policy Settings] > [Application Control Policy] > [Web Filter] > [URL Filter]
page, and the [Bandwidth Management] > [Bandwidth Settings] page, to achieve controlling over
the access privilege to certain URL, URL filtering, bandwidth distribution and management.
Click [Bandwidth Management] > [Objects] > [URL Group] and the following page appears:
As shown in the above figure, the WAN Accelerator is integrated with large number of
categorized URL groups.
[Expiry Date of Update Service]: Indicates the latest time the URL library was automatically
updated.
[Update Internal URL Library Manually]: If the URL library cannot automatically update for it is
disconnected to the Internet, you can manually update the URL library. Just click the <Browse>
button and upload the URL library file from the local PC, and then click the <Upload> button.
[URL Search]: Enter the domain name into [URL Search] and click the <Search> button to search
whether this domain name exists in the URL library and in which URL group this domain name is
158

contained. For instance, type in www.google.com and click the <Search> button, the search result
is displayed, as shown in the following figure:
SANGFOR WAN Accelerator 6.0 is built in with a large number of URL groups when it is
delivered from the factory. You can add a new URL into the URL library if necessary, in addition
to using the existing and built-in URLs.
Click the <New> button and configuration page appears, as shown below:
[URL Group Name]: Name the new URL group.

[Description]: Type in a brief description for this new URL group
[URL]: Type the domain name (URL) into the textbox, one URL per row. The URL group
159

consists of the URL(s) in this list. Wildcard character is supported.
[Domain Name Keyword]: URL group is automatically matched if the URL contains the
configured domain name keyword.
Having completed configuring this page, you have to click the <OK> button to save the above
settings.
One SANGFOR WAN Accelerator 6.0 supports at most 100 URL groups (including
internal URL and user-defined URL groups). As to the user-defined URL groups, you can have at
most 10 URL groups enabled at the same time. Multiple URL groups can be disabled as well.
3.6.1.4 File Type Group

[File Type Group] configured in [Bandwidth Management] > [Objects] can be referenced by the
[Bandwidth] > [Management] > [Policy Settings] > [Application Control Policy] page > [Web
Filter] > [File Type Group] configuration to control HTTP/FTP upload and download, and be
referenced by [Bandwidth Management] > [Bandwidth Settings] to control the upload and
download bandwidth of the configured file types (in the file type group).
Click the <New> button to add a new file type group. The page is as shown below:
160
[Name]: Defines the name of the new file type group.

[Description]: Gives a brief description to this file type group.
[File Type]: Configures the extension of file type, one entry per row.
Having completed configuring the above, you have to click the <OK> button to save the settings.
A file type cannot be entered twice.
3.6.2 Policy Settings

[Policy Settings] configured in [Bandwidth Management] defines the access control policy for the
LAN users. It consists of the two pages, [Application Control Policy] and [User Group].
[Application Control Policy] can be referenced by multiple user groups to control the Internet
access and behaviors of the LAN users.
The default configuration pages are as shown below:
161
To have certain [Application Control Policy] take effect, you have to associate it with the user
group. We first introduce [User Group] which is followed by the introduction to [Application
Control Policy].
3.6.2.1 User Group

[User Group] configured in [Bandwidth Management] > [Policy Settings] takes some LAN users
into a group, facilitating the management of a special group of users.
Click the <New> button to add a new user group, as shown below:
162
Having completed configuring the above page, you have to click the <OK> button to save the
settings.
On this page, you can relate a user group with an IP address or MAC address. The IP address can
be single IP address, IP range and subnet; MAC address can be single MAC address and MAC
range. The IP address (list) and the MAC address (list) are of OR relationship, that is to say, if a
data packet from the client terminal matches either of the conditions (IP address or MAC address)
of this user group, the client will be regarded as a user of this user group, and its requests will
match the related policies when they reaches the WAN Accelerator.
If there is a layer 3 switch in the local area network, the MAC address contained in the
header of the data packet will be the MAC address of the layer 3 switch. In that case, you need use
the IP address to add a user group, for the MAC address of the LAN client configured in this page
will NOT take effect.
Case Study 27: Add User Group

The network environment of a customer is as shown below:
163
Requirements: Add the following three user groups, a). Finance Department user group,
covering 192.168.0.0/24; b.) Managers user group, covering the IP addresses of 192.168.1.100,
192.168.2.100, 192.168.3.100 and 192.168.4.100; c). General Staff user group to which the other
PCs belong.
Configuration procedures:
Step 1: Add a new user group named Finance Department. The page is as shown below:
164

Step 2: Add a new user group named Managers. The page is as shown below:
Step 3: Add a new user group named General Staff, as shown below:
165
Click the <OK> button after your have configured the page and the three newly-created user
groups are seen in the user group list, as shown below:
While creating a new user group, please note that an IP address or MAC address can
belong to several user groups. If you want to distinguish some users from a subnet, a user group
covering most of IP addresses of the subnet must be composed of some shorter ranges of IP
addresses.
166
3.6.2.2 Application Control Policy

[Application Control Policy] covers the configurations of [Access Control], [Web Filter] and
[Flow].
3.6.2.2.1
Application Control
With [Access Control] rule, you can control the applications which the LAN users get access to,
or allow/deny their access to certain application. The access control rule may be based on
[Application], [Service] and [Advanced] (proxy).
[Application] configures the items based on which the content of data packets are inspected and
analyzed, and then achieves controlling over certain application. The WAN Accelerator is
integrated with a library of identification rules on some common applications (please refer to
Section 3.6.1.1
Application Identification). The [Application] configuration references the
existing application identification rules and helps to control the users access to these applications.
[Service] configures the IP address, protocol number and port of the data packets based on which
the Internet access data will be inspected and controlled. Before configuring the items, you have
to create the needed destination IP group on the [System] > [Network Objects] > [IP Group] page,
and configure the target protocol or port on the [System] > [Network Objects] > [Application List]
page (please refer to Section 3.4.4.2 Application List). The [Service] configuration references the
existing application objects and controls the users access to these applications.
[Advanced] includes the options of whether to allow HTTP proxy and SOCK proxy. Check the
[Allow to use other protocol in standard ports of HTTP protocol and SSL protocol] option to
prevent some applications from using HTTP port (TCP 80) and SSL port (TCP 443) to transmit
their data, hence disallow them to shy away from the control of the WAN Accelerator.
3.6.2.2.2
Web Filter
With [WEB Filter] rule, you can control the Internet access of the LAN user via HTTP protocol,
by filtering the URLs to be browsed, by filtering the keywords to be searched through the search
engine, and by filtering the keywords contained in the uploaded information and the file types to
be uploaded or downloaded via HTTP.
[URL Filter] covers [Basic] and [Advanced] options.
[Basic] options help to inspect the website of the to-be-browsed URLs and control the users web
167

browsing behaviors. The URLs to be referenced are the existing URL groups configured on
[Bandwidth Management] > [Objects] > [URL Group] page. The SANGFOR WAN Accelerator
6.0 is integrated with a library of a great many URL groups, you can reference the internal URL
group, or define a needed URL group by yourself (for details, please refer to Section 3.6.1.3 URL
Group).
[Advanced] options help to inspect the website of the to-be-browsed URLs and control the users
HTTP POST behaviors when they are browsing websites. In other words, if you need an access
control policy that allows some LAN users to browse a website but does not allow them to post on
the forum of this website, configure an [Advanced] URL filter policy.
[File Type Filter] covers [Upload] option and [Download] option.
[File Type Filter] configures the file types based on which the HTTP/FTP upload and download
are filtered. The to-be-referenced file types are configured on the [Bandwidth Management] >
[Objects] > [File Type Group] page (for details, please refer to 3.6.1.4 File Type Group).
3.6.2.2.3
Flow
[Flow] covers [Flow] and [Connection] options.

[Flow] option helps to make (daily, weekly or monthly) flow statistics of each application for
users of this user group.
[Connection] option helps to limit number of sessions of a single IP with the external networks. If
number of the concurrent sessions is more than that allowed, the excessive sessions will be
disconnected.
Case Study 28: Configure Application Control Policy for Specific

User/User Group
Both user/user group and application control policy are individual objects in the WAN
Accelerator. To make these objects work, you have to associate the application control policy with
the corresponding user or user group. When the user/user group is getting access to the Internet,
the corresponding application control policy will take effect.
Application control policy is only applicable to user group(s). If you want to apply an
application policy to a single user, define a user group that covers the IP address or MAC address
of only that user.
168
Please follow the steps below to configure an application control policy:

Step 1: Create a needed user group (of LAN user) on the [Bandwidth Management] > [Policy
Settings] > [User Group] page (for details, please refer to Section 3.6.2.1 User Group).
Step 2: Under the [Bandwidth Management] > [Policy Settings] > [Application Control Policy]
page, click the <New> button to create a new application control policy, as shown below:
Select [Single Policy] or [Multiple Policies].

Enter a name for this application control policy. If you are creating multiple policies, enter the
policy names, one entry per row; the rules of the policies are exactly the same.
Step 3: Configure [Expiry Date] and the [User Group], as shown below:
169
Options for [Expiry Date] are [Never] and [Expired on], as shown below:
After you have completed configuring an expiry date, this application policy will automatically
get invalid on the preset date.
Step 4: Select user group. You can select the [All] option to have this application control policy be
applicable to all the LAN users; or select the [Custom] option and select the needed user group(s)
from the [Available] user group list to the [Selected] user group list, to have this application
control policy apply to the selected user group(s).
Step 5: Configure the rules of [Access Control], [Web Filter] and [Flow].
Step 6: Click the <OK> button to save all the above settings.
170
Case Study 29: Configure a Needed Application Control Policy

We still take Case Study 23 as the background.
The requirements for each user group are as follows:
a.) Finance Department: Deny the LAN users of this user group to access the Internet but allow
their access to the Intranet of the Headquarters (172.16.0.0/16); make flow statistics of this
user group.
b.) General Staff: Allow the LAN users of this user group to access the Internet but deny them to
use P2P download tools; each user can have maximum 300 concurrent sessions; make flow
statistics of this user group.
c.) Managers: Allow the LAN users of this group to access the Internet; make flow statistics of
this user group.
Configuration steps are as shown below:
Step 1: Click [System] > [Network Objects] > [IP Group] to create an IP group, as shown below:
Click the <New> button and the options appear, as shown below:
Configure the required items and then click the <OK> button to save the settings. It backs to the
default configuration page of [IP Group]. The newly-created IP group is as shown below:
171
Step 2: Click [Bandwidth Management] > [Policy Settings] > [Application Control Policy] to
create an application control policy named Finance Department; select the needed user group
Finance Department, as shown below:
Step 3: Configure a rule to deny the user group Finance Department to get access to the Internet,
as shown below:
Internet behaviors of the users involved in a user group can only be distinguished according
to the IP addresses instead of their behaviors. For instance, they may use the ping command,
browse webpage, access FTP server or even use video when accessing the headquarters network
and public networks. For this reason, [Service] rules have to be configured to control their access
to the networks.
Step 4: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of
172

This User Group] option to make the flow statistics for this user group Finance Department, as
shown below:

Till then, we have completed configuring the application control policy for the user group
Finance Department.
Step 5: Configure an application control policy named General Staff; select the user group
General Staff, as shown below:
Step 6: Configure a rule to deny the user group General Staff to use the P2P download tools, as
shown below:
Step 7: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of
173

This User Group] option to make the flow statistics for this user group General Staff; configure
the [Connection] options; enable sessions control and configure [Concurrent Sessions Limit Per
IP] as 300, as shown below:

Till then, we have completed configuring the application control policy for this user group
General Staff.
Step 8: Create an access control policy named Managers; check [Flow] > [Flow] and [Make Flow
Statistics of Each Application for Users of This User Group] option to make the flow statistics for
the user group General Staff, as shown below:
174

Till then, all the needed policies have been configured and is seen on the [Bandwidth
Management] > [Policy Settings] > [Application Control Policy] page (as shown in the figure
below), and the needs of the customer are satisfied.
3.6.3 Bandwidth Settings

Bandwidth management is achieved by building a bandwidth channel to control the flow for
various applications.
The limitations are fulfilled through configuring assured bandwidth and bandwidth limitation.
With assured bandwidth configuration, you can guarantee enough bandwidth for some key
applications; with bandwidth limitation, you can limit the uplink/downlink bandwidth of some
user/user group, and of various applications.
Some Basic Concepts:
Bandwidth channel: We divide a bandwidth channel into smaller parts in proportions, according to
the service and application, user/user group. Each smaller part is taken as a bandwidth channel,
[Assured Channel] or [Limited Channel].
Limited channel: Configures the options based on the maximum flow speed of the channel. When
the network is busy, the bandwidth occupied by this channel will be no more than the preset
maximum bandwidth.
Assured channel: In addition to configuring the maximum bandwidth of the channel, it also
configures minimum bandwidth (assured). Even when the network is busy, the minimum
bandwidth of this channel will be no less than the preset assured bandwidth.
Virtual line: Virtual line is applicable to the bridge-mode WAN Accelerator. One virtual line can
be divided into several lines. Each subdivided line can be allocated with some bandwidth, being
regarded as a bandwidth channel.
175

Priority: When the bandwidth management (BM) function is enabled, the data packet going
through the WAN Accelerator will try to match a bandwidth channel, according to the conditions
of user/user group, service and application, valid time, destination IP group. If all the conditions
are satisfied, the data packet can get a bandwidth channel. A same data packet will get maximum
one bandwidth channel matched. Since the bandwidth channels are been matched from top to
bottom, you should better move the more detailed and specific rules to the top of the bandwidth
channel list.
3.6.3.1 Virtual Line

Under Bridge mode, all the data packets are taken as data of a same line from the viewpoint of the
WAN Accelerator, no matter how many lines the frontend device is connected with, or whether the
WAN Accelerator is in Double Bridge mode and has two egresses. Whats more, the bandwidth
management function is specific for the overall lines of the network by default. Therefore, if you
want to distinguish the lines when doing bandwidth management, you need create virtual lines to
achieve your network design and management.
For example, there is one default line (Line1) shown in [Virtual Line] default configuration page.
If you do not create another virtual line, the bandwidth of Line1 will be the bandwidth sum of the
lines (provided that the frontend device is connected with several external lines from the public
network, or the WAN Accelerator is in Double Bridge with multiple egresses). As a result, you
cannot accomplish bandwidth managing over the multiple external lines.
Case Study 30: Create Virtual Line

To have the WAN Accelerator work in Bridge mode, the firewall should have two egresses,
among which Line1 is allocated with 10Mb/s and Line 2 is allocated with 4Mb/s. Policy routing
of the firewall: 202.96.0.0/24---Line1, 58.251.0.0/24----Line2
Requirements: Control the bandwidth of the two lines for P2P data; the bandwidth for P2P data
going through these two lines must not be higher than 20% of total allocated bandwidth for each
line.
176
Configuration steps are as follows:

Step 1: Configure two virtual lines representing respectively the two external public lines of the
firewall, one line with the bandwidth of 10Mb/s and the other line with the bandwidth of 4Mb/s
(the actual bandwidth of the two Internet lines).
Go to the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, and configure
the bandwidth of Line1, as shown below:
In the same way, click <Add> and configure the bandwidth of Line2, as shown below:
Step 2: Configure rule for these two virtual lines.

To configure rule for virtual line is to have the data allocated to different virtual lines according to
the line selection rule, and to have the virtual lines and external lines be well associated.
Generally, the frontend device is configured with line selection rule; therefore, you need only
configure the virtual line rule with the frontend devices route settings. Just follow the route
settings on the firewall to configure the virtual line rule.
177

Go to the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, and click the
<New> button, and the interface pops up (as shown below). Follow the rule of the firewall. As for
the data forwarded to the destination IP address 202.96.0.0/24, we define this virtual line as Line1.
[LAN IP]: Configures the source IP address and source port of the data packets.
[WAN IP]: Configures the destination IP address and destination port of the data packet.
[Protocol Type]: Specifies the protocol used by the data packet.
[Physical Interface]: Configures the bridge that forwards the rule-matched data packet (in multibridge mode).
[Target Line]: Configures a virtual line that will transfer the data packet if the above four
conditions are satisfied.
Step 3: Follow the steps above to configure another virtual line rule, so as to keep the virtual line
rules exactly the same as the policy routing rules of the firewall.
The virtual line rules are matched from top to button (according to the rule order in the
virtual line rule list).
Several virtual line rules are allowed be configured at the same time; however, you can only
configure the destination IP address and bridge (physical interface) of these rules in batch.
Click the <Import> button of [Import Rules in Batches] and then configure the need rules.
Virtual line rules can be imported and exported, in format of .ini.
178
3.6.3.2 Bandwidth Management

3.6.3.2.1 Bandwidth Channel
Assured Channel
[Assured Channel] is configured to guarantee the normal use of some key applications. You can
set the minimum bandwidth for the channel, to make sure that the data of certain type is provided
with bandwidth (no less than the configured value of bandwidth amount); and therefore make sure
the key applications are available and in normal use even when the line is busy.
Case Study 31: Configure Assured Channel for a Specific Application

A company has a leased line, 10Mb/s, of CHINA TELECOM. Several LAN users access the
Internet through this leased line.
Requirements: Allocate the members of Finance Department with bandwidth no less than 2Mb/s
and no more than 5Mb/s to get access to the headquarters data even when the line is busy.
Step 1: Under the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page,
configure the bandwidth of the public line, and the bandwidth value of Line1, as shown below:
Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management]
page, enable the bandwidth management system, as shown below:
Step 3: Configure assured channel.

Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] >
[Bandwidth Channel] and the default [Bandwidth Channel] configuration page is as shown below:
179
Click the <New> button to configure the assured bandwidth and maximum bandwidth for the
members of Finance Department, as shown below:
[Channel Name]: Type one or more names for the bandwidth channels. One entry per row, length
of each name is within 96 characters.
[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If
[Custom] is selected, you can define and add services.
[User Group]: Configures the valid users and user groups. You can select [All] to have all the
users and user groups applied to this policy, or select [Custom] to have some of the users or user
groups applied to this policy.
[Bandwidth Channel Type]: Defines the type of bandwidth channel, [Assured Channel] or
[Limited Channel]. In this case study, it is [Assured channel], for you are required to guarantee the
180

members of the Finance Department with at least 2Mb/s and at most 5Mb/s. Select the [Assured
Channel] option; configure [Assured Uplink Bandwidth] and [Assured Uplink Bandwidth] ratio as
20%, and [Max Uplink Bandwidth] and [Max Downlink Bandwidth] ratio as 50% ( because the
total bandwidth is 10Mb/s, assured bandwidth is 2Mb/s and maximum bandwidth is 5Mb/s).
[Priority]: Options are [High], [Medium] and [Low]. The bandwidth channel with higher priority
is preferred to be assigned with idle bandwidth (from other bandwidth channels).
[Bandwidth Allocation Policy]: Configures the bandwidth for the users and the specific
service/application that apply to this bandwidth chancel (policy). The only option is [Allocate
evenly]. Please note that the user indicates the user who is causing flow in this channel, excluding
the users that apply to this channel but are not causing flow traffic.
[Bandwidth Upper Limit Per IP]: Click the [Enable] option and configure the [Uplink] and
[Downlink] to limit the [Bandwidth Upper Limit Per IP]. In this case study, it does not require
bandwidth upper limit to each IP address; therefore, there is no need to check and configure this
option.
[Valid Time]: Configures the time period during which this bandwidth channel (policy) will get
valid.
[Valid Line]: Configures the virtual line to which this bandwidth channel (policy) applies.
[Destination IP Group]: Configures the destination IP address to which this bandwidth channel
(policy) applies.
Step 4: Click the <OK> button to save the assured channel settings and this newly-created
[Bandwidth Channel] is listed in the bandwidth channel list of the [Bandwidth Channel] default
configuration page, as shown below:
The ratio sum of the assured bandwidth ratio might be over 100%. When it is over
100%, the assured bandwidth of each channel will reduce according to the proportions.
For example, if we configure two channels, Line 1 is assured with 30% and Line2 is
181

assured with 90%, the bandwidth actually allocated to Line1 is 30/(90+30)%, that is,
25%, and the bandwidth actually allocated to Line2 is 90/(90+30)%, that is, 75%.
Channel with higher priority would preferentially use the idle bandwidth of other
channels.
Limited Channel
[Limited Channel] configures the maximum bandwidth of the channel. The data that matches the
rules of this limited channel will be controlled, that is to say, the maximum bandwidth of this
channel shall not exceed the preset value.
Case Study 32: Configure Limited Channel for a Specific Application

A company has a leased line, 10Mb/s, of CHINA TELECOM. Several LAN users access the
Internet through this leased line. It is found that the managers use some download tools such as
Thunder, P2P, etc., and consume large amount of bandwidth resources, causing great impacts on
the office businesses of other departments.
Requirements: With the bandwidth management system, configure a 2Mb/s bandwidth channel for
this type of data.
Step 1: Under the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page,
configure a public line Line1 and its bandwidth, as shown below:
Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management]
page, enable the bandwidth management system, as shown below:
Step 3: Configure the limited channel.

Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] >
[Bandwidth Channel], and click the <New> button to configure the maximum bandwidth for the
members of Managers (no more than 2Mb/s, for the P2P and video data), as shown below:
182
[Channel Name]: Type a name for the bandwidth channel(s). One name per row, length of each
name is within 96 characters.
[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If
[Custom] is selected, you can define and add services. In this case study, we are going to control
the flow for downloading data with P2P and download tools, the selected services and
applications are [File Download]/[All], [P2P/[All], [P2P Stream Media]/[All], [MEDIA]/[All].
What is more, you can also select [Website Type] or [File Type]. [Website Type] options control
the access to certain type of website; while [File Type] options control the file types downloaded
through HTTP and FTP protocols. Confirm the [Custom Service] items and complete configuring
the [Service and Application] options.
183

[User Group]: Configures the valid users and user groups. You can select [All] to have all the user
and user groups applied to this policy, or select [Custom] to have some of the users or user groups
applied to this policy.
[Bandwidth Channel Type]: Defines the type of bandwidth channel, [Assured Channel] or
[Limited Channel]. In this case study, it is [Limited Channel] to control the bandwidth of P2P
applications. Select [Limited Channel] and allocate the [Maximum Uplink Bandwidth] and
[Maximum Downlink Bandwidth] with 20% of the total bandwidth.
[Bandwidth Allocation Policy]: Configures the bandwidth for the users and the specific
service/application that applies to this bandwidth chancel (policy). The only option is [Allocate
evenly]. Please note that the user indicates the user who is causing flow in this channel, excluding
the users that apply to this channel but are not causing flow.
[Bandwidth Upper Limit Per IP]: Check the [Enable] option and configure the [Uplink] and
[Downlink] to limit the [Bandwidth Upper Limit Per IP]. In this case study, it does not require
bandwidth upper limit to each IP address; therefore, there is no need to check and configure this
option.
[Valid Time]: Configures the time period during which this bandwidth channel (policy) will get
valid.
[Valid Line]: Configures the virtual line to which this bandwidth channel (policy) applies.
[Destination IP Group]: Configures the destination IP address to which this bandwidth channel
(policy) applies.
Having completed configuring this page, you have to click the <OK> button to save the limited
channel settings.
Step 4: Having clicked the <OK> button, you will see the newly-created channel displayed in the
bandwidth channel list, as shown below:
3.6.3.2.2
Exclusion Policy
[Exclusion Policy] works in the case that some data are applicable to none of the bandwidth
184

channels and that you want to exclude some data from the bandwidth management. For instance,
the WAN acceleration is deployed in Bridge mode and the DMZ network segment of the frontend
firewall is connecting to some servers, the applications or IP addresses related to these servers
need be excluded from the bandwidth channels (policies) in that the related data accessed by the
LAN users have nothing to do with the public network and thus should be excluded from the
bandwidth channels configured for the external lines.
Case Study 33: Configure Exclusion Policy

The WAN Accelerator works in Bridge mode and the DMZ network segment of the frontend
firewall is connecting with some servers.
Requirement: Have the access data to these servers excluded from the existing bandwidth
channels (policies).
Step 1: Under the [System] > [Network Objects] > [IP Group] page, click the <New> button and
then add the needed IP address into the new IP group, as shown below:
Step 2: Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] >
[Exclusion Policy] and the following default configuration page is seen. Click the <New> button
to configure an exclusion policy.
185
Step 3: Configure the exclusion policy.

Enter the [Name], [Application Type]. If the application type is not a specified one, select [All].
Select a [Destination IP Group] (in this case study, it is the IP group configured in Step 1).
Step 4: Click the <OK> button to complete configuring the page and save the above settings.
3.6.4 Policy Troubleshooting

[Policy Troubleshooting] page enables you to view which module has denied the data packet, for
what reason, so as to locate the configuration mistakes made on certain module or test whether
some rules is taking effect or not. Check the [Configure Conditions] option and the filtering
conditions appear, such as [IP Address List], [Protocol Type] and [Port], as shown below:
186
[IP Address List]: Configures the IP address to which this rule is applied. It defaults including all
the network segments.
[Protocol Type], [Port]: Configures the protocol condition that only when the protocol and port
contained in the transmitted data packet are the configured ones will the denied information be
recorded.
Click the <Enable Drop List> button to enable the Drop list (all the access control policies
configured on the WAN Accelerator are taking effect), and the packets (to be denied) applicable to
the policies will be denied and the related information will be outputted to a WEB page; or click
the <F5> key to refresh and view the page. Click the <Click here to view packet drop list> button
to open the page and view the detailed information of the denied data packets.
Click the <Enable Drop List and Bypass> button to enable the drop list and enable the bypass
function (all the access control policies configured on the WAN Accelerator will get invalid), and
the data packets applicable to the policy (to be denied) will be let pass and the related information
will be outputted to a WEB page. Click the <Click here to view packet drop list> button to open
the page and view detailed information of the denied data packets; or click the <F5> key to
refresh and view the page.
This function helps do troubleshooting quickly and locate the configuration mistakes made on
bandwidth management (BM) module (of the WAN Accelerator) which caused faults such as
network disconnection, etc., and therefore helps the network administrator to quickly correct the
configurations.
<Close Drop List>: Click this button to close the Drop list and disable the bypass function.
187
3.6.5 Advanced
3.6.5.1 Proxy Server

[Proxy Server] works in the case that the users of the WAN Accelerator get access to the Internet
through proxy, when all the Internet access data are forwarded to the proxy server. In that case,
most of the functions of the SANGFOR WAN Accelerator will get invalid, as the firewall module
decides whether to allow or deny the data packet only according to the destination address and
port
To have the firewall module function, you first need to have the WAN Accelerator to unveil the
real IP address and port through which the data packets are forwarded by the proxy, and then
enable the firewall to get the information.
3.6.5.2 Excluded IP
[Excluded IP List]: If the IP address of a LAN user or the destination IP address of a server is any
of the IP addresses configured in the [Excluded IP List], the access of the LAN user to the Internet
or to the destination server will not be monitored, the data packets getting passed directly.
188
If the firewall has configured a rule on any of the IP addresses that are involved in the
exclusion rule, the firewall rule has higher priority.
3.6.5.3 Auto Update

[Auto Update] page configures the update options of the internal [URL Library] and [Application
Identification].
[Enable Auto Update]: Tick the check box to have the internal URL library and Application
Identification update automatically.
<Update Now>: Click this button to immediately update the URL library and Application
Identification that have not gotten expired.
189

To update the URL library and Application Identification, the WAN Accelerator should be ensured
to connect to the Internet. If the WAN Accelerator cannot access the Internet, you then need to
configure [HTTP Proxy] options in [Server Update Settings] (provided there is HTTP proxy), so
as to ensure the WAN Accelerator to access the Internet smoothly and update the URL items.
[HTTP Proxy] requires server [IP address] and [Port]; [Require Authentication] requires
[Username] and [Password].
To ensure update speed, select an update server. Generally, the update process will go faster if the
ISP server of the update server is the same as that used by the local WAN Accelerator.
Auto update of application identification library is a new update service provided by

SANGFOR. To enable the application identification library of WAN Accelerator to update online,
customer needs to purchase the license (serial number) and ensure the WAN Accelerator can
access the Internet.
190
3.7
Firewall
IPSec SANGFOR WAN Accelerator is integrated with high-performance and enterprise-level

firewall fulfilling status inspecting. This firewall can efficiently protect the internal network from
various attacks while it is connecting to the Internet or other local area networks through VPN.
Whats is more, the built-in anti-DoS function enables the SANGFOR WAN Accelerator to defend
against the DoS attacks from external networks, as well as to defend the DoS attacks initiated by
the Intranet computers.
3.7.1 NAT
[NAT Rules] covers [SNAT] and [DNAT] configurations.
3.7.2 SNAT
[SNAT] page configures the SNAT (Source Network Address Translation) rules to have the local
area network get access to the Internet through the proxy function of the firewall. The system is
built in with no SNAT rule. As a result, SNAT rule has to be added manually.
Case Study 34: Configure SNAT Rule

Provided that one network segment of the local area network is 192.168.1.0/24. The SANGFOR
WAN Accelerator is about to proxy the LAN users of this network segment to get access to the
Internet.
Follow the steps below to configure the SNAT rule:
Click the <New> button and configure the following required options.
191

[Rule name]: Defines the name of the SNAT rule.
[Source Address]: Subnet segment is 192.168.1.0 and subnet mask is 255.255.256.0.
[Translate Source Address To]: Enter the IP address of the WAN interface (the proxy uses a public
IP as the WAN interface IP).
Check the [Enable] option and then click the <OK> button, as shown below:
Or check the [Advanced Settings] option to configure the advanced options, such as [Destination
Address] and [Protocol], as shown below:
192
3.7.3 DNAT
[DNAT] page configures the DNAT (Destination Network Address Translation) rules of the
firewall. In case that a LAN server needs to provide the external networks with services, adding a
DNAT rule is a necessity then.
Case Study 35: Configure DNAT Rule

A computer (IP address: 192.168.1.100) of a local area network is to provide the external
networks with WEB service, using port 80.
Requirement: Configure a DNAT rule to deliver the port 80 to the public networks.
Follow the steps below to configure the DNAT rule:
Step 1: On the [Firewall Rules] default configuration page, click the <New> button to add a new
firewall rule (to allow the WEB services) and configure the following required options:
[Rule Name]: Enter the name of firewall rule DNAT and select [Action] Allow.
[Service]: Select the [HTTP] option. If there is no such [HTTP] option, click <Add> followed to
add a HTTP application).
[Src. IP]: Select the [ALL IP] option.
[Dst. IP]: Select server. IP address of server should be defined in advanced. If there is no such IP
group, click <Add> followed to add this IP group; name it and enter the IP address
192.168.1.100).
Check the [Enable Rule] option and click the <OK> button, as shown below:
193
Step 2: Under the [DNAT] page, click the <New> button to add a new DNAT rule.
[Rule Name]: Name this DNAT rule.
[Ingress Interface]: Select WAN1 as the ingress interface.
[Protocol]: Select [Protocol] TCP; [Source Port] is 0 and [Destination Port] is from 80 to 80.
[Translate Destination Address To]: Select [IP] and enter 192.168.1.100. [Port] is from 80 to 80.
Check the [Enable] option and click the <OK> button. The configuration page is as shown below:
After this DNAT rule takes effect, the external networks can access the WEB service provided by
the internal network with the help of this DNAT rule.
194
The LAN server that uses the DNAT rule (configured on the SANGFOR WAN Accelerator)
to provide the external networks with service must be connected to the Internet through the NAT
proxy of the device (in other words, the LAN servers gateway directs to the WAN Accelerator or
the route for Internet access eventually directs to the WAN Accelerator); otherwise, the DNAT
rule will not take effect.
3.7.4 Firewall Rules

The hardware firewall the SANGFOR WAN Accelerator is integrated with stateful inspection
packet filtering technology. It allows you to filter data packets according to protocol, source IP
address and destination IP address.
Click the <New> button and the configuration page appears, as shown below:
195
[Rule Name]: Defines the name of the firewall rule.

[Description]: Configures a brief description for this firewall rule.
[Sequence Number]: Configures the sequence number of this firewall rule.
[Action]: Configures the final measure to be taken once the data matched this firewall rule.
[Service]: Configures the service type to which this firewall rule is applied. If the list contains no
needed service, you can click <Add> to add a new service type (for detailed configuration guide,
please refer Section 3.4.4.2 Application List).
[Src. IP]: Configures the source IP address to which this firewall rule is applied. If the list contains
no needed source IP group, you can click <Add> to add a new IP group (for detailed configuration
guide, please refer Section 3.4.4.1 IP Group).
[Dst. IP]: Configures the destination IP address to which this firewall rule is applied. If the list
contains no needed destination IP group, you can click <Add> to add a new IP group (for detailed
configuration guide, please refer Section 3.4.4.1 IP Group).
[Valid Time]: Configures the valid time when this firewall rule is valid. If there is no needed time
schedule, you can click <Add> to add a new time schedule (for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule).
Check the [Enable Rule] option. The moment you complete configuring this firewall rule, it gets
valid.
196

Check the [Enable Log] option, and all the information of the applicable data going through the
WAN Accelerator will be recorded as logs. This function will produce massive logs; it is NOT
recommended to be enabled if unnecessary.
Case Study 36: Open Port of Local Area Network

A SSL VPN of a local area network is to be delivered to the external networks.
Requirement: Allow the data of external networks to access the SSL device (IP address:
192.168.1.200) on port 443.
Follow the steps below to configure the firewall rule:
Under the default configuration [Firewall Rules], click the <New> button and configure the
following required options:
[Rule Name]: Enter the rule name HTTPS.
[Sequence Number]: Define the sequence number of the rule as 1.
[Action]: Select [Allow] to allow the data packet go through if it matches this firewall rule.
[Service]: Select [SSL] as the service (if there is no [SSL] option, click <Add> to add it; for
detailed configuration guide, please refer Section 3.4.4.2 Application List).
[Src. IP]: Select [All IP].
[Dst. IP]: Select HTTPS SERVER (If the list contains no needed destination IP group, you can
click <Add> to add a new IP group HTTPS SERVER whose IP address is 192.168.1.200 (for
detailed configuration guide, please refer Section 3.4.4.1 IP Group).
Check the [Enable Rule] option and click the <OK> button, as shown below:
197
3.7.5 Anti-DoS
Firewall is responsible for protecting the local area network from being attacked by users of the
external networks. But it is well-known that, most of the time, virus-infected computer of a local
area network will send large number of data packets to the gateway, which may result in
bandwidth congestion or gateway breakdown.
To solve the aforesaid problems, SINGFOR WAN Accelerator 6.0 is integrated with an Anti-DoS
attack function to monitor the quantity of data packets sent from certain IP address to the gateway
in a unit time. When number of the data being sent exceeds certain value, the VPN device
(SANGFOR WAN Accelerator) will regard it as DoS attack from this IP, and instantly stop the
host from transmitting data packets for a while for self-protection.
For configuration of this function, please refer to the [Anti-DoS] page, as shown below:
198
[LAN Address List]: Configures the LAN IP range which gets access to the Internet through the
SANGFOR WAN Accelerator. The data packets from the IP addresses outside the [LAN Address
List] will be dropped by the WAN Accelerator. If the source IP is in the list, the device will
calculate and inspect each setting for anti-DoS attack, in order to handle the events accordingly.
Function of [LAN Router List] is similar to that of the [LAN Segment List].
[Excluded IP List]: Configures the LAN IP addresses that are free from the protection of the antiDoS policy.
Other optional settings are available, such as [Max New TCP Connections Per IP Within One
Minute], [Max SYN Packets Per IP Within One Second] and [Host Blocking Time After Attack is
Detected (minute)]. Please set them according to your case.
3.7.6 ARP Protection

To protect the local area network from ARP spoofing, you can configure the ARP protection
options on the SANGFOR WAN Accelerator.
199
[Enable ARP Protection]: Check this option to enable the ARP protection function.
[Static ARP List]: Configures the IP address and MAC address that are to be bound with the LAN
device or computer.
[Broadcast Interval of The Device MAC Address]: Indicates the frequency broadcasting the IP
address and MAC address of the gateway (the LAN interface of the WAN Accelerator) to the local
area network.
Click the <Save and Apply> button to save and apply the above settings.
200
3.8
Sangfor VPN
3.8.1 Configure HQ WAN Accelerator

This section describes how to configure the HQ WAN Accelerator (HQ VPN) of the SAGFOR
VPN so that the peer branch WAN Accelerator can establish VPN connections with the local end
(server end). Related configuration pages are [Basic Settings], [VPN Users] and [Virtual IP Pool],
as shown below:
3.8.1.1 Basic Settings

[Basic Settings] on the server WAN Accelerator covers the settings that enable the VPN user to
connect in, such as settings of Webagent information, MTU, minimum compression value, VPN
listening port, VPN connection mode, broadcast and performance.
201
[Primary WebAgent], [Secondary WebAgent]: Specifies the WEB server address where the
dynamic addressing file locates.
If the server WAN Accelerator uses dynamic IP address, the Webagent must be in format of
Webpage URL which ends with .php (you can apply for Webagent from SANGFOR free of
charge, or obtain Webagent file and deploy Webagent server by yourself). Having typed in the
Webagent address, you may click the <Test> button to check the connectivity of the Webagent.
If the server WAN Accelerator uses static IP address, the Webagent must be in format of IP
address:Port (e.g., 202.96.134.133:4009). In case there are several lines whose IP addresses are
static
IP
addresses,
format
of
Webagent
address
is
IP1#IP2:Port
(e.g.,
202.96.134.133#58.67.23.22:4009).
<Modify Password>: Click this button to change the password of the Webagent, which will help
to prevent illegal users from using and updating fake IP addresses into the Webagent page.
<Shared Key>: Configures the shared key needed when VPN connection is established. The
shared key can prevent illegal devices from connecting in.
If the Webagent password gets lost, there is no way to get back the lost password. The only
solution is to contact the Customer Service of SANGFOR to generate a new file (without
Webagent password) and replace the original one.
If the [Shared Key] is configured, all the branch VPN sites have to configure the same shared
key to interconnect and communicate with each other.
A Webagent supports maximum 4 static IP addresses, which are written as

IP1#IP2#IP3#IP4:4009.
202
[MTU]: Configures the MTU (Maximum Transmission Unit) of the data transmitted among the
VPN sites. It is 1500 by default (recommended).
[Min Compression Value]: Configures the minimum size of a VPN data packet that is to be
compressed. It is 100 by default.
[VPN Listing Port]: Configures the listening port for the VPN service. It is 4009 by default. You
can change the port according to your case.
[Modify MSS]: Configures the maximum size of the fragmentation under UDP transmission
mode.
Generally, it is recommended to adopt the default [MTU], [Min Compression Value] and
[Modify MSS] values. If you need change the values, please follow the instructions given by the
SANGFOR technicians.
[Directly connect], [Indirectly connect]: Select the connecting methods fulfilled between the
WAN Accelerator and the Internet, [Directly connect] or [Indirectly connect]. If the Internet IP
address can be obtained directly or the Internet users can access the VPN port of the WAN
Accelerator with DNAT (destination network address translation) function, select [Directly
connect]; if the Internet IP address cannot be obtained, select [Indirectly connect].
<Advanced>: Click this button and the [Advanced Settings] dialog appears, as shown below:
203
[Threads]: Configures the maximum number of VPN connections. It is 20 by default. One WAN
Accelerator allows maximum 1280 VPN connections. If you need to modify this parameter,
please DO follow the instructions given by the SANGFOR technicians.
[Broadcast Packet]: Configures whether to allow broadcast packets to be transmitted on the VPN
channels (some applications, such as My Network Places need the support of broadcast packet).
You can specify a port to transfer broadcast packets, so as to avoid broadcast storm from
appearing at both ends of a VPN connection.
[Multicast Settings]: Configures wherther to allow multicast packets to be transmitted on the VPN
channels (some vedio applications need the support of multicast packet).
Having completed configuring this tab, you have to click the <Save> button to save the settings.
3.8.1.2 VPN User

[VPN User] is used for managing the connecting-in VPN user accounts. The configurations
include user name, password of the connecting-in VPN user and the algorithm applied to
configuring this account, user type (mobile VPN or branch VPN), grouping the user and the
public attributes of the group users, whether to enable hardware authentication and DKey, virtual
IP, expiry date of the account, LAN privilege of this account, multicast settings, tunnel parameter
and tunnel flow control.
204

The default page is as shown below:
<Check DKey>: Click the <Check DKey> button to inspect whether the DKey has inserted into
the USB port of the computer (through which you have logged in to the WAN Accelerator
console). If it has not yet been installed with the DKey driver, you will be prompted to download
the DKey driver.
<Download DKey Driver>: Click the <Download DKey Driver> link to download and install the
driver.
Before generating the DKey, please DO install the DKey driver, otherwise the computer
cannot recognize the DKey hardware.
During the process of installing the DKey driver, please DO close the third-party anti-virus
software and firewall, otherwise, conflicts between the programs will appear and the DKey
driver will fail to be installed.
<Search>: Click this button to search for the specified username. The matching user will be
highlighted in yellow, as shown below:
<Advanced Search>: Click this button to enter the [Advanced Search] webpage dialog and specify
205

detailed conditions for searching user, such as conditions of user group, group property (enabled
or disabled), user status (enabled or disabled), user type (mobile VPN or branch VPN), DKey
(enabled or not enabled), idle time of the account, as shown below:
<Delete>: Click this button to delete the selected user account(s).

<New User>: Click it to add a new user. Configure the username, password, description and
algorithm, type, etc. The [Add User] page is as shown below:
[Authentication]: Configures the authentication method, [Local] (hardware authentication),

206

[LDAP] or [RADIUS]
Before using Radius authentication and LDAP authentication, please go to the [Sangfor
VPN] > [Third-Party Auth] > [Radius Server Settings] tab or [LDAP Server Settings] tab to
configure a corresponding authentication server.
[Use Group Properties]: Classifies the user into certain group and configures whether to have the
user adopt the group properties. Check this option and the user will added to the specified group
and adopt the public properties of this selected group.
Before checking the [Use Group Properties] option, you have to add the user group first.
After the user is added to this group, the [Algorithm], [Enable My Network Places] and [LAN
Privilege] options are unavailable.
[Enable Hardware Auth]: Check this option to configure the hardware-featured certificate for
authentication. Click the <Browse> button to select and upload the certificate file (in *.id format).
[Enable DKEY]: Check this option to enable the mobile VPN user(s) to use DKey authentication.
Before enabling the DKey, please DO first insert the DKey into the USB port of the computer and
then generate the DKey by clicking the <Generate DKEY> button.
[Enable Virtual IP]: Mainly used for allocating virtual IP address to the mobile VPN (users). If a
users user type is defined as Mobile VPN and is allocated with a virtual LAN IP address (from
the virtual IP pool), once this mobile VPN user connects to the VPN, it will take this allocated IP
address as the virtual LAN IP. IP address 0.0.0.0 indicates that the system will automatically
allocate a virtual LAN IP address (from the virtual IP pool) for this user.
[Valid Time]: Configures respectively the valid time of the VPN user (connecting-in user
account).
[Enable Expiry Time], [Expired At]: Configures the expiry time of the VPN user (connecting-in
user account).
[Enable My Network Places]: Check this option if the VPN user needs to use My Network Places.
[Enable Compression]: Check this option and the WAN Accelerator will compress the data that
207

are to be transmitted between the WAN Accelerator and the user, using the selected algorithm.
This is a unique technology of SANGFOR VPN. It will take the best advantage of the
bandwidth, in particularly in network environment with limited bandwidth resources, and
accelerate data transmission. However, this function is not suitable for all the cases. Check or
uncheck this option according to your case.
[Deny Internet Access after Connecting to VPN]: This function is only available for the mobile
VPN users. Check this option and the mobile VPN users can only visit the local area network
where the server VPN locates (unable to access the Internet).
[Enable Multi-User Login]: Check this option and this user account can be used by multiple users
(for logon).
[Deny Password Change Online]: Check this option and mobile VPN user cannot modify the
login password after it connects to the local VPN; uncheck this option and the user can modify the
login password online.
[LAN Privilege]: Configures the privileges of this user after it connects to the VPN, such as the
privileges of accessing some services. By default, there is not privilege limitation.
Before configuring [LAN Privilege], please go to the [VPN Settings] > [Advanced] >
[LAN Service] page to add some needed services.
<Advanced>: Click this button to enter the [VPN Advanced Properties] page and configure some
advanced properties, including multicast service, tunnel flow control, tunnel NAT rules, etc. The
multicast service mainly provides the multicast protocol support required by some applications
(such as video, etc.) used by and between the HQ VPN and Branch VPN. Tunnel flow control
options help to control the flow of certain connecting-in branch VPN user, not allowing the flow
to get too high. Tunnel NAT mainly solves the problem of IP conflict appearing when two branch
VPN users of a same LAN network segment connect in to the HQ VPN at the same time. The
related tabs are as follows:
208
For detailed introduction to line section policy, please refer to Section 3.8.3.1 Multi-Line Routing
Policy.
For detailed introduction to multicast service, please refer to Section Step 4. Multicast Service.
[Tunnel Parameter] covers VPN tunnel timeout, dynamic detection among tunnels and tunnel flow
control options.
[VPN Tunnel Timeout]: In network environment of high latency and packet loss rate, SANGFOR
VPN enables you to configure timeout parameter for some specific networks. Timeout of each
209

channel is determined by the server WAN Accelerator and is 20 (seconds) by default. If your
network is even poorer, you can adjust it to a higher value.
[Enable Dynamic Detection Among Tunnels]: This option takes effect only when the local end or
the peer end has multiple Internet lines. If it is enabled, the SANGFOR WAN Accelerator will
periodically detect the latency and packet loss status of each line and select the optimal line to
transmit data according to the detected information.
[Enable Tunnel Flow Control]: Enable this option and every connecting-in user will be allocated
with a fixed amount of uplink and downlink bandwidth when multiple branch VPN users or
mobile VPN users connecting in. This feature helps to avoid the situation that one branch VPN
user or mobile VPN user uses all the bandwidth resources of the HQ VPN and other branch users
or mobile users accesses get slower, and therefore, ensures that every user gets a normal speed to
access the HQ VPN.
[Enable Tunnel Flow Control] defines a value range rather than an exact value. For
instance, if the maximum flow is 100k, the actual flow amount will be controlled within 80-120k,
fluctuating around 100k.
[Tunnel NAT Rule]: It achieves SNAT (source network address translation) function when IP
addresses of multiple branches conflict. It enables those branch VPN sites to connect in and
communicate smoothly with the HQ VPN, without requirement on modifying network segment of
the related branches.
210
Tunnel NAT function is only available for branch VPN users.
<New>: Under the [Tunnel NAT Rule] tab, click this button to enter the [Tunnel NAT] webpage
dialog and create a new tunnel NAT rule. Type in the source subnet segment, subnet mask and the
translate-to subnet segment, and click the <Auto Allocate> button to have the system
automatically allocate it with an IP range from the virtual IP pool, as shown below:
[Source Subnet Segment]: Indicates the real subnet of the branch.

[Translated-to Subnet Segment]: Specifies the virtual IP range that the source subnet segment is to
211

be translated to.
[Subnet Mask]: Indicates the mask of the real subnet of the branch.
Please ensure that the subnet mask matches the source subnet segment. The tunnel NAT rule
only applies to the subnet segment of the configured mask, hostname of the computers
keeping unchanged.
Before configuring the [Tunnel NAT Rule] of [VPN Advanced Properties], please add the
needed virtual IP range for the branch on the [Sangfor VPN] > [Server] > [Virtual IP Pool].
<New Group]: Under the [VPN Users] tab, click this button to add a new user group. Type a name
and description for this user group; define the group properties (includes [Encryption Algorithm],
[Enable My Network Places], [LAN Privilege] and [Advanced]). The page is as shown below:
As for the introductions to [LAN Privilege] and <Advanced> button, please refer to those
described above, for they are the same as those of adding a new user.
212

<Import Domain User>: Click this button to import the user accounts into the local device from
LDAP server (before importing the user, please configure the LDAP server first on the [Sangfor
VPN] > [Third-Party Auth] > [LDAP Server Settings] tab; for details, please refer to Section
3.8.4.1 LDAP Server ). By default, the imported users use LDAP authentication method without
password. The page is as shown below:
Select the needed user and specify user type (mobile VPN or branch VPN), user group, and
encryption algorithm, and decide whether to enable compression and My Network Places; and
then click the <Import> button to import the selected users into the local WAN Accelerator from
the LDAP server. If users are imported successfully, the results are as shown below:
213
<Import Text User>: Under the [VPN Users] tab, click this button to import the TXT or CSV file
that contains the user information. You can specify a user group to import these users into this
group or use the group properties, and classify them as mobile VPN users or branch VPN users.
TXT file should contain very simple user information that is in format of username,,password,
other information being unable to be imported; CSV file is similar to TXT file, but the English
commas are replaced by a blank column, as shown below:
214
<Export User>: Click this button to export and save the user information of this WAN Accelerator
to the local computer. You can decide whether to export it as [Plaintext] or as [Cipher text]. The
dialog is as shown below:
Case Study 37: Configure Tunnel NAT Rule

Beijing HQs SANGFOR WAN Accelerator is deployed in Route mode.
Requirements: the Shanghai branch (IP:192.168.2.0/24) is able to connect to Beijing HQ via VPN
channel; and the Beijing branch also is able to connect to Beijing HQ via VPN channel.
To achieve the expected results and solve the problem of LAN network segment conflicts faced
by Shanghai branch and Shenzhen branch, we should configure a tunnel NAT rule on the Beijing
SANGFOR WAN Accelerator. Detailed steps are as follows:
215
Step 1: On the Beijing HQ WAN Accelerator, go to [Sangfor VPN] > [Server] > [Virtual IP Pool]
page and add a new virtual IP pool that consists of IP range 192.168.20.0/24, as shown below:
Step 2: Go to the [Sangfor VPN] > [Server] > [VPN User] page and create a VPN user account for
branch VPN user. Under the [Edit User: Branch-ShenZhen] page, click the <Advanced> button to
enter the [VPN Advanced Properties] page; click [Tunnel NAT Rule] tab and check the option
[Enable Tunnel NAT], and click the <New> button to add subnet 192.168.20.0/24 into the rule list
to have this subnet associate with this user account. The page is as shown below:
216
217
Click the <Save> button one by one to save the settings and have the tunnel NAT rule take effect,
and the Shenzhen branch will be able to connect to the Beijing HQ smoothly, without changing its
LAN IP address; in addition, the Beijing HQ can access the services provided by Shenzhen branch
simply by accessing the corresponding IP address of the subnet 192.168.20.0/24.
In the above case, the Shenzhen branch and Shanghai branch cannot access each other via
the tunnel route. If you want to have the two branches access each other, you first have to enable
the tunnel NAT function of the Shenzhen WAN Accelerator and Shanghai WAN Accelerator,
meanwhile their subnets being translated to two different IP network segments; and then add a
tunnel route (on [Sangfor VPN] > [Advanced] > [Tunnel Route] tab of each WAN Accelerator)
whose source network IP is the physical IP range, and destination network ID is the peers virtual
network segment.
3.8.1.3 Virtual IP Pool

[Virtual IP Pool] contains idle LAN IP addresses specified by the local SANGFOR WAN
Accelerator for the use of mobile VPN users or contains IP ranges that specified for the use of
branch VPN users when they connect to the gateway device (VPN). The allocation of virtual IP
helps to avoid IP conflicts if two branches have the same network segment and connect to the HQ
via SANGFOR VPN channels at the same time.
When a mobile VPN user connects in, the WAN Accelerator allocates a virtual IP address to this
mobile VPN user. All the operations implemented by this mobile VPN user on the HQ VPN are
based on the allocated virtual IP address (source IP), completely the same as those implemented
218

by a HQ VPN LAN user. Whats more, the mobile VPN user can also be specified with some
network attributes such as DNS.
The [Virtual IP Pool] tab is as shown below:
a.)
Create Virtual IP Pool for Mobile VPN Users
In this case, the IP addresses in the virtual IP pool may be idle IP addresses of the local area
network, or be IP addresses randomly specified. If the IP addresses are randomly specified, you
should ensure that routing information of these specified IP addresses are forwarded to the
SANGFOR WAN Accelerator by the LAN server, otherwise, the mobile VPN user will be unable
to access the HQ VPNs LAN server even though it has connected in successfully.
Click the <New> button to enter the [Virtual IP Settings] webpage dialog. Select the user type for
this IP pool, and configure the start and end IP, as shown below:
Then, click the <Advanced> button on the [Virtual IP Pool] tab and configure the mask of the
virtual IP address, DNS, and WINS servers, as shown below:
219
Having configured a virtual IP pool for the mobile VPN user, you can go to the [Sangfor VPN] >
[Server] > [VPN Users] tab to create a new VPN user account, selecting user type Mobile VPN.
If the virtual IP is 0.0.0.0, the HQ VPN WAN Accelerator will automatically allocate an idle
virtual IP address to this mobile VPN user from the IP pool when the mobile VPN user connects
in. Except using the default (0.0.0.0), we can also type in an IP address to assign a fixed virtual IP
address to this mobile VPN user.
After configuring the [Advanced] options of [Virtual IP Pool], the SANGFOR VPN
virtual network adapter of the mobile VPN users computer must be configured as [Obtain an IP
address automatically] and [Use the following DNS server addresses], otherwise, the addresses
configured in [Advanced] will not be allocated to the virtual network adapter of the mobile VPN
users computer.
b.)
Create Virtual IP Pool for Branch VPN User
Assign the virtual IP addresses of the virtual IP pool to the branch VPN users. When a branch
VPN user connects in the HQ VPN, the source IP address of the branch VPN user will be replaced
by one of the virtual IP addresses of the virtual IP pool, which solves the problem of IP conflict
when two branches of the same network segment connects in the HQ VPN at the same time.
Enter the [Virtual IP Settings] webpage dialog and configure the [Start IP] of the virtual IP pool,
and [Subnet Mask] of the virtual IP addresses, and the [Total Network Segments]; then click the
<Calculate> button, and the system will automatically calculate the [End IP] of this virtual IP pool
according to the other settings on the page, as shown below:
220
[Start IP]: Indicates the first IP address of the virtual IP range assigned to the branch VPN users.
[End IP]: Indicates the last IP address of the virtual IP range assigned to the branch VPN users.
<Calculate>: Click this button and the system will automatically calculate the last IP address of
the virtual IP range.
[Total Network Segment]: Specifies the number of network segments of the IP pool.
[Subnet Mask]: Indicates the mask of the virtual IP range. This subnet mask should be coherent
with the subnet mask of the branch VPN User.
Having configured the virtual IP addresses for the branch VPN user, you can go to [Sangfor VPN]
> [Server] > [VPN Users] tab to add a new user account; select [Branch VPN], and then click the
<Advanced> button to enter the [VPN Advanced Properties] > [Tunnel NAT Rule] tab and add a
corresponding tunnel NAT rule for the branch VPN.
Case Study 38: Configurations for Mobile VPN Users Connecting In

The SANGFOR WAN Accelerator of the HQ VPN is deployed in Route mode.
Requirement: To have the remote mobile VPN users connect to the HQ VPN to deal with the
business of the company.
To achieve the expected results, we have to go through the followings steps:
Step 1.
Enter the [Virtual IP Pool] tab; click the <New> button to enter the [Virtual IP Settings]
page and configure an IP range (this IP range should be of the same network segment of the LAN
221

interface IP and be idle) for the use of mobile VPN, as shown below:
Step 2.
Go to the [VPN Users] tab; click the <New> button to create a user account for the use
of mobile VPN user, and check the [Enable Virtual IP] option and use the default virtual IP
address 0.0.0.0 which indicates that the system will automatically allocate a virtual IP address to
the mobile VPN user, or type in an IP address to assign a fixed virtual IP address to the mobile
VPN user.
222
3.8.2 Client
3.8.2.1 VPN Connection

If you want the local SANGFOR WAN Accelerator to remotely connect to another SANGFOR
WAN Accelerator, you have to go to the [Sangfor VPN] > [Client] > [VPN Connection] tab and
configure a VPN connection for it.
223
Click the <New> button to create a VPN connection that enables the local WAN Accelerator to
connect in the HQ VPN and the [Edit Connection] page pops up, as shown below:
[Connection Name], [Description]: Type respectively the name and the description for this new
connection.
[Primary Webagent], [Secondary Webagent]: Type the primary and secondary Webagent of the tobe-connected HQ VPN. Click the <Test> button followed to check the availability of the
Webagent. The testing results are as shown below:
224
This test request is initiated by the local computer instead of the local WAN Accelerator.
If the Webagent is in format of domain name and testing results show success, the webpage
exists, otherwise, it indicates that the webpage does not exist. If the Webagent is a static IP
address and testing results show success, then the format (IP:PORT) of it is correct. In a
word, successful testing results do not indicate connection success (of the VPN)
[Transfer Type]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. It is UDP by default.
[Data Encryption Key], [Username] and [Password]: Indicates the corresponding account
information provided by the HQ VPN.
[Cross-ISP]: If the HQ VPN and the branch VPN apply different Internet service providers (ISP)
and these different links cause frequent packet loss, this option is recommended to be checked.
You can also tell the system the status of your network environment, by selecting [Low packet
loss], [High packet loss] or [Set manually] and configuring the [Packet Loss Rate].
To enable this function, you have to activate the cross-ISP license. As to the interconnection
between two branch VPN sites, both the WAN Accelerators have to enable cross-ISP function; as
to the interconnection between mobile VPN user and VPN site, only the WAN Accelerator needs
to enable cross-ISP function.
<LAN Privilege>: Click this button to enter the [LAN Privilege] configuration page and configure
the privileges of the peer VPN, that is, to specify the services (provided by the local terminal) that
will be available for the peer VPN.
225
Having completed configuring the VPN connection, you have to check [Enable] to activate this
connection, and click the <Save> button to save all the settings.
If you are to configure LAN services for a VPN site that has enabled tunnel NAT function,
the network segments, no matter to be configured on the HQ VPN device or on the branch VPN
device, must be the network segment or IP addresses of the network segment which has been
translated to (according to the corresponding tunnel NAT rule).
Case Study 39: Only Allow Peer VPN to Access Local WEB Services
Requirement: VPN A users access to VPN B; VPN A controls the access privilege of VPN
B users, allowing VPN B users to access its WEB server, other servers being unavailable.
To achieve the expected effect, we configure on the WAN Accelerator of VPN A, as follows:
Step 1.
Go to the [Sangfor VPN] > [Advanced] > [LAN Service] tab to add a LAN service item
with WEB services, as shown below:
Click the <New> button to enter the [LAN Service] page; type in service name and click the tab
226

name [TCP List], as shown below:
Click the <New> button and enter the [IP Range Settings] page to configure the IP range that can
access to the WEB services, as shown below:
In the above page, the source IP addresses are the LAN network segment of the peer VPN (VPN
B), and the port number is between 1 and 65535 because the port from where the VPN
connection request initiated is a random port. The destination IP addresses are LAN network
227

segment of the local VPN (VPN A); however, it can also be the IP address of the specified
WEB server of the local VPN, and the destination port is the WEB port 80.
Finally, click the <Save> button to save the LAN service settings.
Step 2.
Go the [Sangfor VPN] > [Client] > [VPN Connection] tab and add a VPN connection to
have VPN A connect in VPN B.
Click the <LAN Privilege> button to enter the [LAN Privilege] page; configure the LAN
privileges for VPN B users accessing VPN A, only allowing WEB service, all others services
being denied by default, as shown below:
228
Click <Save> button to save the LAN privilege settings.

Once any LAN privilege is configured, not only the peer VPNs access to the local VPN
will be restricted, but the local VPN users access to the peer VPN will be restricted as well. That
because the LAN privilege option only helps to inspect the IP address and port of the data packets,
without considering whether the VPN connection is initiated by the peer VPN or initiated by the
local VPN, but every packet that matches the rule will be handled in the same way.
3.8.3 Multi-Line
3.8.3.1 Multi-Line Routing Policy

SANGFOR WAN Accelerator offers the powerful multiline routing policy for VPN. Based on
knowing the link status of multiple lines, the system will select the optimal line from others to
transmit data. Whats more, multiple lines can be coupled, which not only ensures that the data are
always transmitted on an Internet line of better link status, and that data transmission is of high
reliability, but enables multiple lines work together for certain data transmission as well,
improving utilization of the lines.
229
Click the <New> button to enter the [Edit Multi-Line Routing Policy] webpage dialog, as shown
below:
[Policy Name]: Type in a unique name for this policy-based routing to distinguish it from others.
[Source IP], [Destination IP]: Configures the source IP, destination IP of the data packet on which
this policy routing applies. Four options are available, namely, [All], [Single IP], [IP range] and
[Subnet].
[Description]: Type in description for this policy.
230

[Local Lines]: Specifies the number of Internet lines of the local VPN.
[Peer Lines]: Specifies the number of Internet lines of the peer VPN.
[Valid Load Line Selection Threshold]: Defines the threshold that checks the link status of each
link of primary lines. If the delay difference between two lines or among mores lines are less than
this threshold, all the primary lines are regarded as in good status (optimal lines), and the data will
be transmitted through these lines; whereas, if the delay difference between two lines or among
mores lines are higher than this threshold, all the primary lines are regarded as in poor status, and
the data will not be transmitted through these lines. This threshold only applies to all the primary
lines.
[Primary Lines]: Different from secondary lines, primary lines are the lines chosen to transmit the
data. Once all the VPN connections loaded by the primary lines fall out, the VPN module will
automatically switch to the secondary lines and have them load the VPN connections, ensuring
high reliability of the VPN connections. Once the primary lines recover from faults, the VPN
module will switch back to the primary lines to achieve optimal transmission effect.
[Secondary Lines]: All the other lines exclusive from the primary lines are secondary lines. By
default, the secondary lines are not going to transmit VPN data, unless all the primary lines get
fault and are about to disconnect all the VPN connections.
[Routing Mode]: Configures the VPN flow allocation method if several primary links are
transmitting VPN data. Options are [Evenly Allocate According to Sessions] and [Evenly Allocate
According to Packets]. The former indicates that multiple lines take average share of the sessions
if multiple sessions exist, but if there is only one session, that session will be solely loaded by one
line; while the latter indicates that the each VPN data packet is evenly loaded by different lines,
being allocated to each line by method of round robin.
Having configured multi-line routing policy, you can go to the [Sangfor VPN] > [Server] > [VPN
Users] tab to specify routing policy for a specific VPN user (account)
Case Study 40: VPN Primary Lines/Secondary Line

The HQ VPN of a customer has two CT lines (CT1, CT2); the remote branch VPN has a CT line
and a CNC line. The network topology is as shown in the figure below:
231
Requirements: the CT line of the branch VPN and the two CT lines (CT1, CT2) of the HQ VPN
establish VPN connections and transmit data at the same time, while the CNC line and the two CT
lines (CT1, CT2) of the HQ VPN are taken as secondary lines.
Detailed configuration steps are as follows:
Step 1.
Configure the corresponding lines (in [System] > [Deploy Settings] > [Multi-Line
Settings]) on the HQ WAN Accelerator and branch WAN Accelerator respectively, as shown
below:
Step 2.
Configure multi-line routing policy on the HQ WAN Accelerator, by going to the
[Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] and clicking the <New> button. The
pop-up [Edit Multi-Line Routing Policy] page is as shown below:
232
Select the number of [Local Lines] and [Peer Lines], and leave local line CT1 and peer line
CT (Line 1), local line CT2 and peer line CT in the primary lines list; and move local line
CT1 and line CNC (Line 2), local line CT2 and peer line CNC into the secondary lines
list. Select routing mode [Evenly Allocate According to Packets].
Step 3.
Go to the [Sangfor VPN] > [Server] > [VPN Users] tab, and edit the corresponding
user; click the <Advanced> button to enter the [VPN Advanced Properties], as shown below.
Click tab name [Routing Policy] and select the routing policy (in this case is test).
233
Case Study 41: Configure Multi-Line Routing Policy for Single-Arm

VPN
The network of a customer has two Internet lines.
Requirements: To deploy the WAN Accelerator in single-arm mode, in the local area network; at
the same, take full use of the two lines of the HQ VPN to do load balancing while the WAN users
are connecting in the HQ VPN (WAN Accelerator).
The network topology is as shown below:
To use VPN multiple lines in Single-arm mode, you need deploy a front-end firewall or switch to
do policy routing based on source IP address, enabling the system to forward the packets of
different source IP addresses to different outlets of the network; otherwise, using multiple lines in
Single-arm mode is unachievable.
234

Detailed configuration steps are as follows:
Step 1.
Configure deployment mode for the HQ WAN Accelerator. Go to the [System] >
[Deploy Settings] > [Network Interface] tab; select service mode [VPN and Acceleration] and
deployment mode [Single Arm]; configure the LAN interface IP address, and two binding IP
addresses (please be noted that the two binding IP addresses and the LAN interface IP address
must be of a same LAN network segment). The page is as shown below:
235
Step 2.
Configure multiple lines. Go the [System] > [Deploy Settings] > [Multi-Line Settings]
tab and configure the Internet lines. You will see that the page shows it is in Single arm mode, and
the outlet lines displayed are Line 1 (LAN) and Line 2 (LAN), as shown below:
Step 3.
Click <Edit> to enter the [Edit Multiline] page and edit this line (as shown below). If
the mapping IP is a static IP address, check the option [Use Static Internet IP] and type in the right
IP address; type in the testing DNS addresses or leave them blank, as shown below:
236
Step 4.
Go to the [Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] page and
configure the corresponding multi-line routing policy, as shown below:
Step 5.
Go to the [Sangfor VPN] > [Server] > [VPN Users] tab to apply this routing policy to a
237

specific user.
Please remember to map the port 4009 of the two IP addresses (of the front-end firewall)
respectively to the two binding IP addresses (not the LAN interface IP address) of this
WAN Accelerator.
This section only shows how to configure the multi-line and multi-line routing policy for
the Single-arm WAN Accelerator, other VPN configurations being ignored.
3.8.4 Third-Party Authentication

SANGFOR WAN Accelerator supports the VPN connecting-in users to be authenticated by a third
party, so as to enhance the security of the VPN connection. The two supported authentication
methods are LDAP and RADIUS, as shown below:
3.8.4.1 LDAP Server

The VPN service of SANGFOR WAN Accelerator supports third-party LDAP authentication. If
you need to have a third party to fulfill LDAP authentication, configure the [LDAP Server
Settings] (including [LDAP Server IP], [LDAP Server Port], [Administrator Name] and
238

[Administrator Password]).
On the page above, [Administrator Name] must be the account name of the domain administrator,
and be fully written (e.g., Administrator@Sangfor.local).
Having completed configuring the LDAP server (domain server), you can click the <Advanced>
button to open the [Advanced Settings] dialog. Configure the advanced options of the LDAP, as
shown blow:
[User Filter] and [Login Name Attr.]: Defaults are recommended to be used.
239

[User Root Dir.]: Type in the root directory of the user and the search directory. When a user is
connecting in and being verified, it is searched and verified according to search directory; the root
directory is used only when the search directory is left blank. When importing users, the system
uses the root directory.
Having configured and saved the above options, you can click the <Test> button (on [LDAP
Server Settings] tab) to check the correctness of the entered administrator name and password. If
test results show success, the LDAP server settings are correct. The related pages are as shown
below:
Click <Save> button to save the [LDAP Server Settings].
LDAP authentication only supports Microsoft Active Directory and Novell eDirectory,
240

others such as OpenLDAP unsupported.
Case Study 42: Mobile VPN User Connects in By Using LDAP Auth
Requirement: The customer wants the mobile VPN users connect in the HQ VPN by using LDAP
authentication, to ensure the security of its network.
Detailed configuration procedures are as follows:
Step 1.
Go to the [Sangfor VPN] > [Third-Party Auth] > [LDAP Server Settings] tab to
configure the LDAP server.
Type in the full name of the domain administrator account (in this scenario, it is
Administrator@support.sangfor.com); configure the attribute of the user (which group it belongs
to; in this scenario, it is under group Users), and so type in the information CN=Users,
DC=Sangfor,DC=com into the [User Root Directory] and [Search Directory] textboxes, as
shown below:
241
If the settings are tested correct, click the <Save> button to complete configuring the LDAP server
option.
Step 2.
Go to the [Sangfor VPN] > [Server] > [Virtual IP Pool] tab to configure virtual IP pool.
Click the <New> button to enter the [Virtual IP Settings] page. Select user type Mobile VPN
and type in the start IP and end IP of the virtual IP range (in this scenario, it is 192.168.10.100192.168.10.110), as shown below:
242
Step 3.
Go to the [Sangfor VPN] > [Server] > [VPN User] tab to import domain users, by
clicking the <Import Domain User>. The system will automatically upload the domain users from
the configured LDAP server, as shown below:
Step 4.
Check the needed domain users and select user type [Mobile VPN], encryption
algorithm, and enable the user, compression and My Network Places. Finally click the <Import>
243

button.
After configuring the above, these mobile VPN users will go through LDAP authentication when
they are connecting in the HQ VPN.
3.8.4.2 Radius Server Settings

The VPN service of SANGFOR WAN Accelerator supports third-party RADIUS authentication.
If you want to have a third party fulfill the RADIUS authentication, correctly configure the
[Radius Server Settings] (including [RADIUS Server IP], [RADIUS Server Port], [Authentication
Shared Key] and [RADIUS Authentication Protocol]).
Configure the correct Radius server IP and port, shared key and select the needed authentication
protocol, and then click the <Save> button to save and apply the settings.
3.8.5 Advanced
[Advanced] covers configuration of [VPN Local Subnet], [LAN Service], [Multicast Service],
[Tunnel Route] and [Generate Certificate], as shown below:
244
3.8.5.1 VPN Local Subnet

[VPN Local Subnet] configures the subnets used in the situation that the local area network of the
SANGFOR WAN Accelerator has multiple subnets (exclusive of the network segment where the
LAN interface IP address locates), and that the connecting-in VPN users need to access the other
LAN subnets and/or to be accessed by other LAN subnets.
Under the [VPN Local Subnet] tab, click the <New> button and you will see the pop-up [Subnet
Settings] page; type in the subnet segment and mask, as shown below:
Case Study 43: Allow VPN User to Access Multiple Local Subnets
The HQ VPN A has three subnets (192.168.10.X, 192.168.20.X and 192.168.30.X).
Requirement: To allow the branch VPN (B) users to access the three subnets after they have
connected in the HQ VPN.
Network topology is as shown below:
245
To meet the needs of this customer, we have to configure [VPN Local Subnet], by adding the
subnets 192.168.20.X and 192.168.30.X and the corresponding static route.
Configurations on the HQ WAN Accelerator are as follows (other VPN setups being ignored in
this section):
Step 1.
Go to the [Sangfor VPN] > [Advanced] > [VPN Local Subnet] tab to add the subnets
that are to be accessed by the branch VPN users, as shown below:
Add the subnets 192.168.20.0/24 and 192.168.30.0/24 into the local subnet list.
Step 2.
Go to the [System] > [Deploy Settings] > [Static Rout] tab to configure a static route for
the two VPN local subnets, as shown below:
246
After configuring the above, the branch users will be able to access the three subnets of the HQ
VPN once they connect in.
The [Local Subnet List] stands for a kind of declaration. The subnets defined here will be
taken as VPN network segments by the VPN device and the client-end software. All the data
going through the VPN device or software will be encapsulated and transmitted through the VPN
tunnels. Therefore, you need to configure the [Static Route], in addition to adding the related
subnets into the [Local Subnet List]], so as to enable the VPN users to access these subnets.
3.8.5.2 LAN Service

SANGFOR WAN Accelerator enables you to specify the access privileges of the connecting-in
VPN users, or even to specify a branch VPN user or mobile VPN user (IP address) to access
247

certain service(s) provided by a LAN computer; besides, you can configure the service parameters
of the inbound policy used for connecting to a third-party device
For example, to meet the following two requirements, you have to configure the privilege of the
relevant VPN user to certain service, so as to ensure the security of the VPN channels and achieve
secure management.
a.) only allow a user test to access the OA server (other services are unavailable for this user)
b.) allow an IP address of a Shanghai branch VPN to access the SQL server of the HQ VPN
(other IP addresses of this branch are unable to access this server)
The [LAN Service] tab is as shown below:
Configuration of LAN Service Privilege is fulfilled by two setups:

1.) Create LAN service
2.) Specify privilege for a specific user
By default, the SANGFOR WAN Accelerator allows all the connecting-in VPN users to access all
the services, with no privilege restriction on any connecting-in VPN user.
Case Study 44: Control VPN Users Privilege to Access LAN Services
Requirements: only allow the connecting-in VPN users (of subnet 192.168.20.0/24) to access the
TCP port 80 of the OA server (IP: 192.168.10.250) and to ping OA server, all the access requests
to others server being denied.
The network topology is as shown below:
248
Configurations on the local WAN Accelerator are as follows:

Step 1. Under the default configuration page [LAN Service], click the <New> button to enter
the [LAN Service] webpage dialog, as shown below; type in the service name (e.g., OA) and
check the needed protocol (in this scenario, they are TCP and ICMP), as shown below:
Step 2. Under the [TCP List] tab, click the <New> button to enter the [IP Range Settings]
dialog; type in the IP addresses and port accordingly, as shown below:
249
[Source IP]: Fill in the source IP. In this scenario, it is the LAN IP addresses of the peer branch
VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by multiple VPN
users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the IP addresses.
[Source Port]: Type in 1-65535.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address
of the local terminal, 192.168.10.250.
[Destination Port]: Service port of the OA system, 80-80.
Step 3. Under the [ICMP List] tab, click the <New> button to enter the [IP Range Settings], as
shown below:
250
[Source IP]: Fill in the source IP address. In this scenario, it is the LAN IP addresses of the peer
branch VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by
multiple VPN users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the
IP addresses.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address
of the local terminal (HQ VPN), 192.168.10.250.
Here you are just defining the LAN service. After these configurations, you have to go to
[Sangfor VPN] > [Server] > [VPN Users] tab, to create/edit a VPN user account and
configure its [LAN Privilege] to complete configuring the LAN service.
The LAN services configured here may be referenced by [IPSec Connection] > [IPSec VPN]
> [Inbound Policy] and [Outbound Policy]. For details, please refer to Section 3.9.1.2 Phase
II.
Go to page [Sangfor VPN] > [Server] > [VPN Users] tab to create/edit branch VPN user; click the
<LAN Privilege> button.
251
Step 4. Under the pop-up LAN Privilege Settings] dialog, move the OA LAN service to the
service list at the right side. Check the [Allow] checkbox and select [Default action] Deny, as
shown below:
After the above five steps, the branch VPN users whose IP addresses are 192.168.20.0/24 can
access the local OA server 192.168.10.250 once they connect in the local terminal (HQ VPN)
successfully, and the requests initiated by the branch VPN users for other services will be denied.
252
These settings also disable the access requests initiated by the other computers of the local
terminal to access the branch. Because the [LAN Service] settings will deny the response packet
sent from other computers of the local terminal if the destination IP address is not 192.168.10.250
(IP address of the OA server).
3.8.5.3 Multicast Service

To meet the customers needs for some applications such as VOIP and video conference,
SANGFOR WAN Accelerator 6.0 is designed to support multicast services being transmitted
among the SANGFOR VPN channels. The applicable IP range is 224.0.0.1-239.255.255.255, and
applicable ports are 1-65535.
The [Multicast Service] tab is as shown below:
Click the <New> button and the [Multicast Service] webpage dialog pops up. You can configure
the needed IP addresses and ports for the multicast service, as shown below:
253
After you have defined the multicast service, you can add/edit user on the [Sangfor VPN] >
[Server] > [VPN Users] tab and click the <Advanced> button to enter [VPN Advanced Properties]
> [Multicast Service] and enable the selected multicast service(s), as shown below:
254
Before using the multicast service(s) configured on the [VPN Advanced Properties] >
[Multicast Service] tab, first you have to check the [Enable Multicast] option on the [Sangfor
VPN] > [Server] > [Basic Settings] > [Advanced Settings] tab, as shown below:
255
3.8.5.4 Tunnel Route

SANGFOR WAN Accelerator offers the powerful VPN tunnel routing function. You can configure
route for the VPN tunnels, to achieve interconnection among different VPN sites (software or
hardware) and establish a true web-like VPN network.
Click the <New> button to add a new tunnel route. The pop-up [Configure Route] dialog is as
shown below:
[Network ID(source)]: Configures the source subnet.

[Subnet Mask (source)]: Configures the mask of the source subnet.
[Network ID(destination)]: Configures the destination subnet.
[Subnet Mask(destination)]: Configures the mask of the destination subnet.
[Destination Route User]: Configures the VPN device to which this tunnel route directs. For
example, suppose that VPN A and VPN B have established a VPN connection for
communication and the [User Name] used by that VPN connection is A, but now VPN A
users want to access VPN C via VPN B, then the username A is selected to act as the
destination route user for VPN A. In a word, the destination route user is the corresponding user
account used by the VPN connection that has established between the branch VPN (in this
256

scenario, A is the branch VPN) and the HQ VPN (in this scenario, B is the HQ VPN).
[Enable]: Check this option to enable this tunnel route.
[Connect Internet Through Destination Route User]: Check this option and all the Internet-related
packets that are going through the WAN Accelerator will be forwarded to the specified destination
route user of that tunnel route, and the packets are then forwarded to the Internet by the
destination route user.
[Enable]: Check it to enable this tunnel route.
To enable the VPN users to access Internet via the destination route user, you have to
deploy the remote connecting-in WAN Accelerator (branch VPN) in Gateway mode, and the HQ
WAN Accelerator (HQ VPN) in Gateway mode or Single-arm mode.
Case Study 45: Tunnel Route Achieves Communication Between

Connecting-in Branch VPN Sites
Both branches (Beijing, 172.16.1.0/24; and Guangzhou, 10.1.1.0/24) have established VPN
connections (by configuring VPN connection) with their HQ WAN Accelerator (Shenzhen,
192.168.1.0/24). But no VPN connection has established between branch Beijing and branch
Guangzhou.
Requirement: To enable the branch Beijing and branch Guangzhou access each other.
To achieve the predicted result, we are going to configure a corresponding tunnel route. The
network topology is as shown below:
Detailed configuration procedures are as follows:

257

Step 1. Configure the Beijing WAN Accelerator. Go to the [Tunnel Route] tab; click the <New>
button to add a tunnel route that directs to the Guangzhou branch VPN; check the [Enable]
option, as shown below:
[Network ID(source)]: Configures the source subnet. In this scenario, it is 172.16.1.0.

[Subnet Mask (source)]: Configures the mask of the source subnet. In this scenario, it is
255.255.256.0.
[Network ID(destination)]: Configures the destination subnet. In this scenario, it is 10.1.1.0.
[Subnet Mask(destination)]: Configures the mask of the destination subnet. In this scenario, it is
255.255.256.0.
[Destination Route User]: Configures the VPN device to which this tunnel route directs. In this
scenario, it is beijing.
[Network ID(source)] and [Network ID(destination)] define respectively the source IP

address and destination IP address of the data packet to be transmitted. If the data packet
satisfies these two conditions, this route will take effect, and the data will then be transmitted
to the corresponding VPN device.
[Destination Route User] determines the VPN device to which the data packets are forwarded
by this tunnel route (indicating the corresponding username selected in the [Sangfor VPN] >
[Client] > [VPN Connection] > [Edit Connection]). In this scenario, Shanghai branch has
258

established a VPN connection with its Shenzhen HQ VPN (using the username beijing in the
[VPN Connection] page). Therefore, we choose the destination route user beijing to forward
the tunnel routes data to the Shenzhen WAN Accelerator.
The VPN user account acting as destination route user cannot be used by multiple users to
log in to the HQ VPN.
Step 2. Configure the Guangzhou WAN Accelerator. Go to the [Tunnel Route] tab; click the
<New> button to add a tunnel route that directs to the Beijing branch VPN; check the [Enable]
option, as shown below:

255.255.256.0.
[Network ID(destination)]: Configures the destination subnet. In this scenario, it is 172.16.1.0.
[Subnet Mask(destination)]: Configures the mask of the destination subnet. In this scenario, it is
255.255.256.0.
scenario, it is guangzhou.
Case Study 46: Access Internet via VPN Destination Route User
In addition to the above introduced function, SANGFOR VPN tunnel route may also be used to
forward all the Internet access data to the HQ VPN, so that the branch VPN users can only access
the Internet via the network outlet of the HQ VPN.
259

For instance, to enable the Shenzhen branch VPN users to access Internet via the Shanghai HQ
VPN, we deploy the WAN Accelerators as follows:
Detailed configuration procedures are as shown below:

Step 1. Configure the Shenzhen WAN Accelerator. Go to the [Tunnel Route] tab; click the
<New> button to add a tunnel route; type the local subnet and mask into the [Network ID(source)]
and [Subnet Mask (source)] textboxes respectively, and check the [Enable] and [Connect Internet
Through Destination Route User] options, as shown below:

255.255.256.0.
scenario, it is Shenzhen.
Step 2. Configure the Shanghai WAN Accelerator. Go to the [Firewall] > [NAT] > [SNAT] tab
260

and add a new SNAT (source network address translation) rule so that the source IP addresses of
the data packets forwarded from Shenzhen branch are to be translated, as shown below:
3.8.5.5 Generate Certificate

The HARDCA is one of the patents of SANGFOR. The device that applies this technology can
use its certificate to get its identity authenticated among different VPN nodes. The certificate of a
device is generated with some of the hardware features of this device and is then encrypted. Due
to the uniqueness of the hardware feature of the device, the corresponding certificate is also
unique and cannot be counterfeited. By requiring authentication the hardware features, the WAN
Accelerator can ensure that only certain specified hardware device can get connected to a
network, and therefore, eliminate the potential security hazards.
Click the <Generate> button and select a path to generate the hardware certificate and save it to
the local computer, as shown below:
261
Send this certificate to the administrator of the HQ VPN. Then, the administrator can check the
[Enable Hardware Auth] option, upload this hardware certificate and bind it with the user while
creating a user account for this VPN user, as shown below:
262
3.8.6 Configure Sangfor VPN Module in Single-Arm Mode

In addition to being deployed in Gateway mode with SANGFOR VPN function, SANGFOR
WAN Accelerator supports SANGFOR VPN in Single-arm mode. If deployed in Single-arm
mode, the WAN Accelerator connects to the customers network only through its LAN interface,
incurring no change on the original network.
3.8.6.1 Configure Network Interface

Go to the [System] > [Deploy Settings] > [Network Interface] tab. Select service mode VPN and
Acceleration and deployment mode Single arm; configure the LAN interface IP, mask, default
gateway and DNS, as well as the DMZ interface IP and mask, as shown below:
263
[Single arm setting]: Leave these settings blank unless the single-arm WAN Accelerator involved
in multiple lines. As to the detailed configuration guide and usage of multi-line routing policy of
single-arm VPN, please refer to Case Study 41: Configure Multi-Line Routing Policy for SingleArm VPN in Section 3.8.3.1 Multi-Line Routing Policy.
3.8.6.2 Configure Sangfor VPN

The configurations are exactly the same as those in Section 3.8 Sangfor VPN .
If the WAN Accelerator is deployed in Single-arm mode, you have to add at least one static
route on the front-end router or firewall (destination of this static route is the network segment of
264

the peer VPN; gateway is the LAN interface of the local WAN Accelerator); otherwise, the two
parties cannot access each other through the SANGFOR VPN.
265
3.9
IPSec Connection
SANGFOR WAN Accelerator allows a third-party VPN to interconnect with the existing
networks, establishing a standard IPSec VPN connection. [IPSec VPN] covers [IPSec Connection]
configurations, as shown below:
3.9.1 IPSec Connection

[IPSec Connection] consists of configuration pages of [Phase I], [Phase II] and [Security
Options].
3.9.1.1 Phase I
[Phase I] page configures the peer VPN device which is to establish standard IPSec connection
with the SANGFOR WAN Accelerator. This is the first phase of standard IPSec protocol
negotiation.
Click the <New> button and the following options appear:
266
[Name]: Defines the policy name of the first phase.

[Mode]: Defines the mode for Phase I negotiation; options are [Main mode] and [Aggressive
mode]. Main mode is applicable to the following situations: a). both parties have fixed Internet IP
address, and are deployed in Route mode, at the egress of the Internet; b). one party has fixed
Internet IP address, while the other party has no static IP, and under routing mode but is deployed
at the egress of the Internet.
[Description]: Gives brief description to this policy.
[Address Type]: Options are [Static IP], [Dynamic IP] and [Dynamic Name] (domain name).
[ISAKMP Encryption Algorithm]: Defines an encryption algorithm for Phase I. Options are
[DES], [3DES], [AES] and [SANGFOR_DES].
The encryption algorithm SANGFOR_DES is available only when both parties are
267

SANGFOR devices.
[ISAKMP Authentication Algorithm]: Select an authentication algorithm for Phase I. Options are
[MD5] and [SHA-1].
[Pre-shared Key]: Configures the shared key of the two parties.
[D-H group]: Defines Differ-Hellman group of the two negotiating parties. Options are group1,
group2 and group5.
[ISAKMP Live Time]: Defines the life time of the Phase I policy, in unit of second.
[Retry Times]: Configures the retry times of Phase I negotiation.
Check the [Enable Rule] option and click the <OK> button. This policy is enabled and applies
immediately.
3.9.1.2 Phase II
[Phase II] page configures the related policies for establishing standard IPSec connection. This is
the second phase of IPSec protocol negotiation, consisting of configurations of [Outbound
Policies] and [Inbound Policies]
[Outbound Policies]: Configures the rules for delivering the data packet from the local device to
the peer device.
Click the <New> button to add new policy; the options are as shown below:
268
[Name]: Defines the name for the user-defined outbound policy.

[Service]: Defines the services allowed by the outbound policy.
[Description]: Gives brief description to the outbound policy.
[Source IP Type]: Configures the IP address or IP range of the local VPN that are allowed to
access the peer VPN.
[Peer Device]: Select a peer device. The device is defined in Phase I.
[Security Option]: Select the security policy for negotiation of the two parties. The security
policies are configured on the [Security Option] page. For detailed configuration guide, please
refer to the section followed.
[SA Live Time]: Configures the life time of this outbound policy.
Check the [Enable This Policy] option to enable this policy. If the peer device is configured with
PFS, check the [Enable Perfect Forward Secrecy] option as well.
269

[Inbound Policies] section configures the rules for data transfer from the peer device to the local
device.
Click the <New> button to add a new policy; the options are as shown below:
[Name]: Defines the name for the user-defined inbound policy.

[Service]: Defines the services allowed by the inbound policy.
[Description]: Gives brief description to the inbound policy.
[Source IP Type]: Configures the IP address(es) or IP range(s) of the peer VPN that is allowed to
access the local VPN.
[Peer Device]: Select a peer device. The device is defined in Phase I.
Check the [Enable This Policy] option and click the <OK> button to enable, save and apply this
inbound policy.
270
3.9.1.3 Security Options

[Security Options] page configures the related security parameters for establishing the standard
IPSec connection.
Click the <New> button and the options appear as shown below:
Before establishing IPSec connection with the third-party device, specify a policy to connect the
peer device, including encapsulation [Protocol] adopted by the peer device (AH or ESP), the
[Authentication] algorithm (MD5 or SHA-1), [Encryption] algorithm (DES, 3DES, AES or
SANGFOR_DES).
Click the <OK> button to save and enable the policy. The SANGFOR WAN Accelerator will use
these policies to negotiate with the peer to establish an IPSec connection.
[Security option] > [Encryption] algorithm is to specify the data encryption algorithm for
the standard IPSec Phase. As to interconnecting several devices which adopt different
connection policies, you have to add the connection policies of each device respectively to
271

[Security Options].
Case Study 47: IPSEC VPN Connection with CISCO

Cisco device and SANGFOR WAN Accelerator are connected through standard IPSec VPN, in
Main mode. The branch (network segment: 10.3.0.0/16) is to access the server of the
Headquarters (subnet: 10.1.10.0/24). Network segment of the headquarters is 10.1.0.0/16).
The network topology is as shown in the figure below:
Follow the commands below to configure the Cisco VPN:

crypto ipsec transform-set sangfor esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 222.222.222.222
crypto map mymap 10 set transform-set sangfor
crypto map mymap interface outside
isakmp enable outside
isakmp key test123 address 222.222.222.222 netmask 255.255.255.252
isakmp identity address
isakmp policy 10 authentication pre-share
272

isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
access-list 102 permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0 global (outside) 1
111.111.111.2
nat (inside) 0 access-list nonat
nat (inside) 1 10.3.0.0 255.255.0.0 0 0
Follow the steps below to configure the SANGFOR VPN:
Step 1: Configure the first phase, as shown below:
273
[Name]: Enter the name cisco for the Phase I policy.

[Mode]: Select Main mode as the mode for Phase I negotiation. Please note that main mode is
applicable to the following situations: a). both parties have fixed Internet IP address, and deployed
in Route mode, at the egress of the Internet; b). one party has fixed Internet IP address, while the
other party has no static IP, and under routing mode but is deployed at the egress of the Internet.
[Address Type]: Select [Static IP].
[Static IP]: Enter 111.111.111.2.
[ISAKMP Encryption Algorithm]: Select [DES] encryption algorithm for Phase I.
[ISAKMP Authentication Algorithm]: Select [MD5] authentication algorithm for Phase I.
[Pre-shared Key]: Configure the shared key for the negotiation of both parties.
[D-H group]: Select [MODP1024group2] as the Differ-Hellman group for the negotiation of both
274

parties.
[ISAKMP Live Time]: Configure 28800 as the live time of Phase I policy.
[Retry Times]: Configures the retry times of Phase I negotiation as 10.
Check the [Enable Rule] and [Auto Connect] option to have it take effect after completing
configuring the page.
Click the <OK> button to save and apply this policy.
Step 2: Configure security options for Phase , as shown below:
Click the <New> button and configure the followings:

[Name]: Enter the name cisco for the [Security Options] policy.
[Protocol]: Select [ESP] protocol.
[Authentication]: Select authentication algorithm [MD5].
[Encryption]: Select encryption algorithm [DES].
Click the <OK> button to save the settings.
Step 3: Configure the outbound policy and inbound policy for Phase .
The options for the outbound policy are as shown below:
275
[Name]: Enter the name cisco for the outbound policy.

[Service]: Select [All Services] as the allowed services by the outbound policy.
[Source IP Type]: Select [Subnet] and enter [Subnet Segment] 10.1.0.0 and [Subnet Mask]
255.255.0.0 to allow these IP addresses of the local VPN to get access to the peer VPN.
[Peer Device]: Select the peer device cisco. The device cisco has been defined in Phage I.
[Security Options]: Select the security options policy named cisco for negotiation between the two
276

parties.
[SA Live Time]: Configure the life time of the policy as 28800.
Check the [Enable This Policy] option to enable the policy.
Check the [Perfect Forward Secrecy] option, for the device cisco is configured with PFS.
The options for the inbound policy are as shown below:
[Name]: Enter the name cisco for the inbound policy.

[Service]: Select [All Services] as the allowed services by the inbound policy.
[Source IP Type]: Select [Subnet] and enter [Subnet Segment] 10.3.0.0 and [Subnet Mask]
255.255.0.0 to allow these IP addresses of the peer VPN to get access to the local VPN.
[Peer Device]: Select the peer device named cisco. The device cisco has been defined in Phase I.
Check the [Enable This Policy] option to enable this policy.
277

278
Chapter 4 Internal Data Center

This chapter introduces the function and usage of the Internal Data Center.
Click the main menu [Data Center] (at the top of the gateway console) to enter the Internal Data
Center of SANGFOR WAN Accelerator 6.0.
The Internal Data Center includes the following 8 modules: [Home Page], [History Report],
[Customize Report], [Statistics], [WANO Report], [Trend Report], [Search] and [System
Management].
The first time you log in to the Internal Data Center, you may be required to install the pop-up
ActiveX control.
Click This site might require the following ActiveX control: WebUI Control from Sangfor
Technologies Co., Ltd. Click here to install and then click Install ActiveX Control.
Follow the instructions to finish installation, as shown below:
Click the <Install> button to install the ActiveX Control.

If there is no prompt of installing the ActiveX control, click the <Download ActiveX> link to
manually download the ActiveX control, and follow the instructions to finish installation.
279
4.1
Home Page
Click [Home Page] and you will see the following page:
[Login], [Logout]: Click [Login] or [Logout] to log in with another user account or log out the
current user respectively.
[Current User]: Displays the name of the current user who logs in to the Data Center Web UI
[Quick Link]: Displays the built-in quick links of this Data Center, to some search results or
history reports.
4.2
History Report
[History Report] displays the one-off and periodic customized reports and system default reports.
280
[Generated Report Search]: Searches for the already-generated reports (history reports), with the
specified conditions. The conditions are as shown below:
The optional conditions include the followings:

[Report name]: Enter the report name or former part of the report name (fuzzy search supported).
The searching is fulfilled by filtering the report name.
[Date range]: Specifies the date range during which the reports are generated. Only the reports
generated during this period will be searched and displayed.
[Operation information]: Displays number of the reports that match the specified conditions. If no
condition is specified, it is the total number of history reports.
Having specified the conditions, you have to click the <Search> button to search for the needed
reports. The matching report(s) will be displayed in the [Generated Report] list.
[Generated Report]: Displays all the information of the generated reports, or the matching history
reports searched according to the specified conditions. The displayed information includes report
name, report type, generation time, user (name) that has generated the report, as shown below:
281
<First>, <Last>: If there are large numbers of reports, click it to go to the first or last page of the
[Generated Report] list.
<Previous>, <Next>: Click it to go to the previous or next page of the [Generated Report] list.
[Records/page 100 records]: Indicates 100 records (report items) are displayed per page. Other
options are 10, 20, 50 and 100.
If there are too many reports in the [Generated Report] list, you can delete some of them
manually.
[Select]: Tick the checkbox of a report record and the report is selected.
<Select all>: Click this button to select all the report items of the current page.
<Reverse>: Click this button to deselect report items and select the other unselected report items.
<Delete>: Click this button to delete the selected report(s).
<Delete all>: Click this button to delete all the report items at one time.
The displayed information includes [Report name], [Report type], [Generation time], [User],
[Operation]. The page is as shown below:
<View>: Click this button to view the detailed information of this report, as shown below:
282
The above figure shows the statistics of a user group, including total flow statistics and the
behavior counts. Each type of statistics is listed, in chart or in table. Here, we are not to introduce
the chart and table in detail.
<Print>: Click it to print this report.
<Export>: Click it to export the report, in format of PDF.
<Send mail>: Click it to send the report to the specified email address.
4.3
Customize Report
The Internal Data Center of SANGFOR WAN Accelerator 6.0 facilitates you to customize report.
The administrator can define statistics report, trend report and summary report, according to
various objects, contents and date/time
4.3.1 Customize Wizard

[Customize Wizard] helps you quickly define, generate and export the needed report(s).
283
4.3.1.1 Statistic Report

Step 1: Select a needed report type.
Select [Statistic report] and the generated report will be a statistics report, as shown below:
Click the <Next> button to go to the next step.

Step 2: Select ranking object.
Select [IP ranking] and the ranking statistics will be made on the basis of IP addresses.
Select [Application ranking] and the ranking statistics will be made on the basis of applications.
Click the <Previous> button to back to the previous step; or click the <Next> button to go to the
next step.
Step 3: Set report filtering conditions.
284
[Make report on each application] indicates that multiple reports will be generated if there are
several applications being selected, at least one report specific for each application.
[Make report on multiple applications] indicates that only one report will be generated even
though there are several applications being selected. This report covers the related statistics of
these selected applications.
next step.
Step 4: Configure date and time.
[Time]: Specifies the time period whose data are to be collected. Options are [Time range] and
[Time object].
[Time range]: Specifies the time range whose data are to be collected. It can be any time of the
day.
[Time object]: Select the time object (the so-called time schedule, it is defined on the WAN
Accelerator, for details, please refer to Section 3.4.4.3 Time Schedule). Options are [All day],
[Office hours], [Non-office hours] and [Internet Access Total Time[Null]].
[One-off report(generate only once)] indicates that the report will only be generated once. Select
285

[One-off report(generate only once)] and the [Date range] options appears.
[Date range]: Select the needed date based on which the data are to be collected.
Select [Periodic report] and the report will be generated periodically, [Daily], [Weekly] or
[Monthly].
next step.
Step 5: Complete report settings.
[Display Ranking]: Defines the top ranking statistics that will be made in the report. Maximum
100 supported.
[Chart type]: Defines the graph type the statistics displayed. Options are [Bar chart] and [Pie
chart].
[Report name]: Defines the name of the report to be generated.
[Subscribe]: Configures the subscription options.
Check [Subscribe the report](Use default SMTP setting) and the generated report will be delivered
to the email address of the administrator. The default receiver address is the address configured on
[System Configuration] page; if you want to have the email delivered to another email address,
check this option and enter the [Receiver address].
[Receiver address]: Configures the email address to receive this report.
Or click the <SMTP setting> link to enter the [System Configuration] page.
Check the [Send report to subscribed mailbox even it is null] option and the generated report will
be sent to the receiver address even though the report has no content.
286

[The customized are randomly generated from 00:00 to 06:00 everyday. You can adopt System
Setting to modify]: Click the <System setting> link and you will enter the [System Configuration]
page. If necessary, modify the [Report generation time] (for detailed introduction, please refer to
Section 4.8.2 System Configuration).
Click the <Finish> button to complete customizing the statistic report.
Clicking the <Finish> button and it prompts If one-off report is selected, click the following
button to generate, and the report will be added to other generated reports, as shown below:
<Previous>: Click this button to back to the previous step.

<Generate Now>: Click this button to generate the report immediately.
If you have selected [Periodic report] and [Weekly] options in Step 4, the prompt will be as shown
below:
Provided that the report name is weekly and others options are defaults, as shown below:
Click the <Finish> button and the prompt will be If periodic report is selected, you can perform
the following operations:
287

Click the <Save template> button to save this report template to the Report Template List (for
details, pleaser refer to Section 4.3.2 Report Template).
Or click the <Save and Generate> button to save the report template to the Report Template List
and generate the report immediately.
A periodic report is generated according to any of the following frequencies:
[Daily]: The generation time of the report will be determined by the time configured on
[System Management] > [System Configuration] page.
[Weekly]: Indicates that the report will be generated every Sunday. The generation time of
the report will be determined by the time configured on [System Management] > [System
Configuration] page.
[Monthly]: Indicates that the report will be generated on the first day every month. The
generation time of the report will be determined by the time configured on [System
Management] > [System Configuration] page.
The above report generation time options are applicable to periodic report of the other types of
reports (such as WANO report, trend report).
Case Study 48: Generate and View Report

Requirement: Generate statistics report on application every month and send all these reports to
the specified email address test@abc.om. Follow the steps below to customize and generate
report:
Step 1: Select report type [Statistic report], as shown below:
288
Step 2: Select the ranking object [Application ranking], as shown below:
Step 3: Configure filtering condition [Application] as [All Type], as shown below:
Step 4: Select statistic date and time. [Time range] is [00:00:00]-[23:59:59]; [Time object] is [All
day]; [Periodic report] is [Monthly] report, which means generating the report every month, as
shown below:
289
Step 5: Complete report setting. [Display Ranking] is top 30; [Chart type] is [Bar chart]; [Report
name] is Monthly_All. Check the option [Subscribe the report](Use default SMTP setting); and
enter [Receiver address] test@abc.com; check the [Send report to subscribed mailbox even it is
null] option, and the report will be sent to test@abc.com even though the report has no content.
Step 6: Click the <Finish> button to complete customizing the statistic report. Click the <Save
and Generate> button to save the report to the Report Template list and generate a report
immediately (at the same time, the generated report will be sent to the receiver address
test@abc.om).
4.3.1.2 Trend Report

290
Select [Trend report] and the report generated according to this report template will be Trend
report.
Step 2: Select ranking object.
Select [IP ranking] and the ranking statistics will be made on the basis of IP addresses.
Select [Application ranking] and the ranking statistics will be made on the basis of applications.
next step.
Step 3: Select the statistic content.
Statistics trend falls into two types: [Flow statistic] and [Flow Speed Statistic].
291

Check [Flow Statistic] and the detailed statistics of flow will be made.
Check [Flow Speed Statistic] and detailed information of the flow speed will be made.
next step.
Step 4: Set report filtering conditions.
[Make report on each application] indicates that multiple reports will be generated if there are
several applications being selected, at least one report specific for each application.
[Make report on multiple applications] indicates that only one report will be generated even
though there are several applications being selected. This report covers the statistics of these
selected applications.
next step.
[One-off report(generate only once)] indicates that the report will only be generated once.
[Statistic time]: Defines the time range for the data which are to be collected; options are [This
292

day], [This week] and [This month].
[Date]: Defines the date based on which the data are to be collected, of the day, of the week or of
the month.
[Monthly].
next step.

293

Click the <Finish> button and it prompts If one-off report is selected, click the following button
to generate, and the report will be added to other generated reports, as shown below:

<Generate Now>: Click this button to generate the report immediately.
If you have selected [Periodic report] and [Weekly] options in Step 5, the prompt will be as shown
below:
Provided that the report name is Periodic report_Weekly and others options are defaults, as
shown below:
294

4.3.1.3 Sum Report

Select [Sum report] and the report generated according to this report template will be summary
report.
295
[One-off report(generate only once)] indicates that the report will only be generated once.
[Date range]: Defines the date range based on which the data that are to be collected.
[Statistic time]: Defines the time range for the data which are to be collected for making the trend
report; options are [This day], [This week] and [This month].
[Date]: Defines the date based on which the data are to be collected for making the trend report, of
the day, of the week or of the month.
[Monthly].
next step.
[Display Ranking]: Defines the top ranking statistics will be made in the report. Maximum 100
supported.
296

[Chart type]: Defines the graph type the statistics displayed. Options are [Bar chart] and [Pie
chart].
Clicking the <Finish> button and it prompts If one-off report is selected, click the following
button to generate, and the report will be added to other generated reports, as shown below:
Click the <Previous> button to back to the previous step.

Click the <Generate Now> button to generate the report immediately.
If you have selected [Periodic report] and [Weekly] options in Step 5, the configurations are as
shown below:
297
Provided that the report name is Periodic report _Monthly and others options are defaults, the
configurations are as shown below:
Click the <Previous> button to back to the previous step.

298
4.3.2 Report Template
[Report Template]: Displays all the user-defined report templates and system default report
templates. Here you can edit and delete the report template.
There are to two system default report templates, namely, [Default daily summarization report]
and [Default weekly summarization report].
[Report name]: Indicates the name of the report template, for instance, name of a system default
template is [Default weekly summarization report].
[Report type]: Indicates the type of the report template, for instance, [Weekly customized report].
[Latest generation time]: Indicates the latest time this report template is used to generate a report,
for instance, 2010-06-25.
[User]: Indicates the administrator of the Data Center who has created this report template, for
instance, [admin].
[Operation]: Indicates the operation that can be executed on this report template. Available options
are [Edit], [Delete], [Generate] and [View].
<Edit>: Click it to edit the corresponding report template.
<Delete>: Click it to delete the corresponding report template.
<Generate>: Click it to immediately generate a report based on this report template.
<View>: Click this button to view the already generated reports of this template. The report page
is the same as that of the [History Report] (for details, please refer to Section 4.2 History Report).
[Operation information]: Display the [Tips] information and the operation results, for instance, it
gives the information: You can generate the report of 2010-06-26 and earlier time now.
<Report wizard>: Click this button to enter the default page of [Customize Wizard].
<Import>: Click this button to import the report template settings, as shown below:
299
Click the <Browse> button and the following dialog pops up:
Select the needed file and then click the <Open> button to upload the file, as shown below:
300

Click the <Import> button and the following prompt appears:
Click the <OK> button to the import the backup report template to the Data Center.
<Export>: Click this button to export the report template settings. The pop-up dialog is as shown
below:
Click the <Save> button and save the configuration file into the local computer.
<Generate all>: Click this button to generate report based on all the report templates listed.
4.4
Statistics
Internal Data Center of the SANGFOR WAN Accelerator 6.0 mainly helps to make flow statistics
of the users that access the Internet, and provides quick links to make some commonly needed
statistics as well.
301
4.4.1 IP Flow
[IP Flow] indicates that IP address is the object based on which the flow statistics and rankings are
made, according to the selected application type and time range.
[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and
[Total Flow].
[Date range]: Defines the date range based on which the data are to be collected.
[Time]: Defines the time range whose data are to be collected. Option are [Time range] and [Time
object].
[Time range]: Specifies the time range and the report will be generated at any time during that
time range, based on this report template.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be
covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office
hours] and [Internet Access Total[Null]].
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
[Ranking display]: Specifies how many top users will be displayed that caused the most flow with
the selected application, maximum 100 supported.
<Statistic>: Click this button to make the flow statistics. The statistics made are as shown below:
302
The flow and related information are shown in graphs or listed in tables. You can read clearly the
detailed searched results.
[Click to select the column]: Click it and you can select the needed columns to have them and the
corresponding information displayed in the table.
Click the host IP address, application, main application flow detail, uplink, downlink or total flow
of a corresponding record, and you will enter the flow search page of that record.
<Generate report>: Click this button to generate a report according to the specified conditions.
303

Enter [Report name], as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be
automatically made, emailed to the administrator and saved to the Report Template list. The page
is as shown below:
[Total Flow].
object].
[Time range]: Specifies a time range and the flow caused during that time range will be collected.
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
304

[Ranking display]: Specifies how many top users will be displayed that caused the most flow with
the selected application, maximum 100 supported.
Click the <Subscribe> button and the following options appear:
[Report name]: Enter a name for the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily],
[Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this
report template, the report will be sent to the designated receivers email address.
<OK>: Click this button to save this report template into the Report Template list on the
[Customize Report] > [Report Template] page.
Having saved the report template, it prompts that the template is added successfully, as shown
below:
<Favorite>: Click this button and the specified conditions will be saved as a report template and
listed on the [Quick Link] on the [Home Page]. If you want to get data of the same conditions,
you need only click the corresponding quick link to enter the search page. This function facilitates
you to save your search preferences. Click the button and name this bookmark, as shown below:
Click the <Submit> button and the following prompt appears:
305
As seen on the [Home Page], the newly added bookmark is listed under [Customized Link], as
shown below:
4.4.2 Application Flow

[Application Flow] indicates that application is the object based on which the flow statistics and
rankings are made, according to the selected time range.
[Host IP]: Configures host IP address whose application flow statistics are to be made.
306

[Total Flow].
[Date range]: Defines the date range based on which the data are to be collected.
object].
[Time range]: Specifies a time range and the flow caused during that time range will be collected.
[Ranking display]: Specifies how many top application types or applications will be displayed that
that caused the most flow, maximum 100 supported.
[Application type]: Specifies the application type according to which the flow statistics are to be
made.
[Specific application]: Specifies the application according to which the flow statistics are to be
made.
<Statistic>: Click this button to make the flow statistics. The statistics made are as shown below:
307
detailed search results.
corresponding information displayed in the table.
<Generate report>: Click this button and the report will be generated according to the specified
conditions. For details, please refer to Section 4.4.1 IP Flow.
periodically and automatically made, emailed to the administrator and saved to the Report
Template list. For details, please refer to Section 4.4.1 IP Flow.
listed under [Customized Link] on the [Home Page]. For details, please refer to Section 4.4.1 IP
Flow.
308
4.5
WANO Report
WANO report mainly collects the information of the data being accelerated. You can also get
trend report and report on acceleration connections. [WANO Report] module includes [IP
Connection], [Application Connection], [IP Flow Trend], [Application Flow Trend], [Acceleration
User Flow Trend] and [Device Flow Trend].
4.5.1 IP Connection
[IP Connection] makes statistics of the IP connections accelerated, as shown below:
[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time range whose matching data are to be collected.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most
connections.
<Statistic>: Click this button to make the IP connection statistics. The statistics made are as
shown below:
309
detailed searched results. As shown in the above figure, the connections of an acceleration tunnel
caused by each IP address are displayed and ranked.
corresponding information displayed in the table, as shown below:
Enter [Report name] (as shown below). Click the <Submit> button and a report will be generated
according to the specified conditions.
310
Template list. The page is as shown below:
[Time]: Specifies the time period whose IP connections information are to be collected.
[Application type]: Specifies the application type according to which the IP connections statistics
are to be made.
[Specific application]: Specifies the application according to which the IP connections statistics
are to be made.
[Ranking display]: Specifies how many top users (IP addresses) will be displayed that caused the
most connections with the selected application, maximum 100 supported.
[Report name]: Defines the name of the report.
Click the <Subscribe> button and the following options appear.
311

<Favorite>: Click this button to add the search conditions to the [Home Page] as a report
template, under [Customized Link], as shown below:
4.5.2 Application Connection

[IP Connection] makes statistics of the application connections being accelerated, as shown
below:
[Host IP]: Configures the host IP address whose application connection statistics are to be made.
[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time period of the date range based on which the matching data are to be
collected.
[Ranking object]: Specifies the application type or application whose related data are to be
collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most
312

connections with the selected application.
<Statistic>: Click this button to make the application connection statistics. The statistics made are
as shown below:
detailed searched results. As shown in the above figures, the displayed statistics in the graph and
table are number of connections caused by the corresponding application, as well as the
connection rankings.
corresponding information displayed in the table, as shown below:
313

[Host IP]: Configures host IP address whose application connections statistics are to be made.
[Time]: Specifies the time period whose matching data are to be collected.
[Ranking object]: Specifies the application type or application whose related data are to be
collected.
[Ranking display]: Specifies how many top applications will be displayed that caused the most
connections, maximum 100 supported.
314

4.5.3 IP Flow Trend

[IP Flow Trend] makes trend statistics of the IP flow being accelerated, as shown below:
[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Statistic Time]: Specifies the time period whose data are to be collected.
[Date]: Specifies the date based on which the matching data are to be collected.
315

[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
<Statistic>: Click this button to make statistics of IP flow speed trends. The statistics made are as
shown below:
The flow speed and related information are shown in graphs or listed in tables. You can read
clearly the detailed search results. These results, such as flow of each IP address and flow speed
trend, shown in the graph and table are made according to the specified conditions.
316

317
4.5.4 Application Flow Trend

[Application Flow Trend] makes trend statistics of the application flow being accelerated, as
shown below:
[Host IP]: Configures the host IP addresses whose application flow trend statistics are to be made.
[Statistic time]: Specifies the time period applicable.
[Date]: Specifies the date based on which the matching data will be collected.
318

<Statistic>: Click this button to make statistics of application flow speed trends. The statistics
made are as shown below:
As shown in the above figures, bandwidth usage (flow) caused before and after acceleration are in
detailed comparison, and the average flow and reduction ratio information are also provided.
319
The above graphs and table show the acceleration information of HTTP file download, including
the flow and bandwidth usage before acceleration (Before Acc) and after acceleration (After Acc),
as well as reduction rate (Discharge Acc), ratio of the uplink flow and downlink flow to the total
flow.
If there are other applications, the other charts and tables will show the corresponding data.
320
[Object list]: Specifies the application types whose related data are to be collected.
[Search object]: Specifies the users whose related data are to be collected.
321
4.5.5 Acceleration User Flow Trend

[Acceleration User Trend] makes trend statistics of the flow speed caused by acceleration users, as
shown below:
[User name]: Specifies the acceleration users whose flow speed information will be counted into
the statistics.
[Statistic time]: Specifies the time period applicable.
[Date]: Specifies the date based on which the matching data will be collected.
322

<Statistic>: Click this button to make statistics of application flow speed trends. The statistics
made are as shown below:
The searched results and statistics shown in the above graphs and tables are of a specified
acceleration user group, including the flow caused before acceleration and that after acceleration,
and reduction rate.
The searched results and statistics shown in the above graphs and tables are of [All users],
including the flow and bandwidth used before acceleration and that after acceleration, and
reduction rate.
323
[User name]: Specifies the acceleration users whose flow speed information will be counted into
the statistics.
324

4.5.6 Device Flow Trend

[Device Flow Trend] makes trend statistics of the flow acquired by the local WAN Accelerator
driver, as shown below:
[Device name]: Specifies the device whose related data are to be collected.
[Statistic Time]: Specifies the time period whose data are to be collected.
[Date range]: Specifies the date based on which the matching data are to be collected.
325

<Statistic>: Click this button to make statistics of device flow trends. The statistics made are as
shown below:
The results and statistics shown in the above graph and table are of the local WAN Accelerator,
including uplink/downlink flow volume caused before and after acceleration, reduced flow and
reduction rate.
326
[Host IP]: Configures the host IP addresses whose device flow statistics are to be made.
[Report period]: Specifies how often this report is to be generated. Options are [Daily], [Weekly]
and [Monthly].
327
4.6
Trend Report
Trend report collects the flow trends of Internet access as well as the trends of Internet behavior
counts of the users. A trend chart or table collects the information of flow caused at each time
point of certain period of time. These trends information often leads to detailed flow conclusion
and analysis of the statistics, and helps the administrator to view visually the utilization of the
network.
[Trend Report] falls into [IP Flow Trend] report and [Application Flow Trend] report.
4.6.1 IP Flow Trend

[IP Flow Trend] makes trends for flow caused by each IP address, based on the specified
328

conditions such as application, time, etc.
[Host IP]: Specifies the IP addresses whose flow trends are to be made. Enter single IP address, or
IP range; correct format of IP range is IP1-IP2 (instead of the format of subnet/mask).
[Application type]: Specifies the application type whose related flow trends are to be made. Such
as the applications of P2P, HTTP, File Download, etc.
[Specific application]: Specifies the application whose related flow trends are to be made, such as
WebMail of HTTP application type.
[Statistic time]: Specifies the period of time whose flow trends are to be made; options are [This
[Date]: Specifies the date whose flow trends will be covered. It only works in association with the
specified [Statistic time]. For example, If you select [This day], it will only collect the flow data
of this day (specified by [Date]) to make flow trend statistics; if you select [This week], it will
only collect the flow data of this week (the same week where the specified [Date] belongs) to
make flow trend statistics; if you select [This month], it will only collect the flow data of this
month (the same month where the specified [Date] belongs) to make the flow trend statistics.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend
statistics.
[Trend type]: Specifies [Total flow] or [Flow Speed] to make the trends statistics, among which
[Total flow] indicates that it shows the trends of flow volume; while [Flow speed] indicates that it
329

shows the trends of flow speed.
Having specified the above conditions, you have to click the <Statistic> button to make the trends
statistics. The statistics made are as shown below:
The flow speed and related information are shown in graphs or listed in tables. You can read
330

clearly the details from the searched results visually.
Enter [Report name] and click the <Submit> button, as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The trend statistics report will be
[Application type]: Specifies the application type whose flow trends data are to be collected.
[Specific application]: Specifies the application whose flow trends data are to be collected.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend
statistics.
331

[Trend Type]: Specifies [Total Flow] or [Flow Speed] to make the flow trend statistics, among
which [Total flow] indicates that it shows the trends of flow volume; while [Flow speed] indicates
that it shows the trends of flow speed.
[Weekly] and [Monthly]. If [Daily] is the selected [Report period], this trend report will be
generated during 0:00~6:00 oclock everyday; if [Weekly] is the selected [Report period], this
trend report will be generated during 0:00~6:00 oclock on Monday every week; if [Monthly] is
the selected [Report period], this trend report will be generated during 0:00~6:00 oclock on the
first day of the month. The generated trend report will then be sent to the designated receiver
email address.
0:00~6:00 oclock is only a default time. You can modify it on the [System Management] >
[System Configuration] page of the Data Center; as for detailed configuration guide, please refer
to Section 4.8.2 System Configuration.
[Mail subscription]: Specifies the email address of the receiver. Once a report is generated
according to this report template, the report will be sent to the designated receivers email address.
listed under [Customized Link] on the [Home Page]. If you want to get data of the same
conditions, you need only click the corresponding quick link to enter the search page. This
function facilitates you to save your search preferences. Click the button and name this bookmark,
as shown below:
Click the <Submit> button and the report template with the newly-specified conditions is seen on
332

the [Home Page], as shown below:
4.6.2 Application Flow Trend

[IP Flow Trend] makes flow trends for the application type being used online, based on the
specified conditions such as host IP, time, etc.
[Search range]: Options are [Top 5 Applications] and [Specify search object column]
[Specify search object column]: Specifies the application whose trends data will be covered in the
trend report. Click the <Select> button and the application type list pops up, as shown below:
[Host IP]: Configures the host IP addresses whose flow trends are to be made.
333

[Statistic time]: Specifies the period of time whose flow trends are to be made; options are [This
[Date]: Specifies the date whose flow trends will be covered. It only works in association with the
specified [Statistic time]. For example, If you select [This day], it will only collect the flow data
of this day (specified by [Date]) to make flow trend statistics; if you select [This week], it will
only collect the flow data of this week (the same week where the specified [Date] belongs) to
make flow trend statistics; if you select [This month], it will only collect the flow day of this
month (the same month where the specified [Date] belongs) to make the flow trend statistics.
[Trend Type]: Specifies [Total Flow] or [Flow Speed] to make the flow trend statistics, among
which [Total flow] indicates that it shows the trends of flow volume; while [Flow speed] indicates
that it shows the trends of flow speed.
Having specified the above conditions, you have to click the <Statistic> button to make the trends
statistics. The statistics made are as shown below:
The flow speed and related information are shown in graphs or listed in tables. You can read the
details from the searched results visually.
334

<Generate report>: Click this button to generate a report covering the searched results. For
detailed guide, please refer to Section 4.6.1 IP Flow Trend .
<Subscribe>: Click this button to subscribe the statistics search. The trend statistics report will be
Template list. For detailed guide, please refer to Section 4.6.1 IP Flow Trend.
Click the <Submit> button and the report template of newly-specified conditions is seen on the
[Home Page]. For detailed guide, please refer to Section 4.6.1 IP Flow Trend.
4.7
Search
[Search] includes [Flow Search], [Firewall Log] and [Gateway Operation Log] search.
4.7.1 Flow Search

[Flow Search] specifies the conditions used for searching the flow caused by online activities of
the related users. You can specify the filtering conditions according to your case and needs.
[Search object]: Specifies the objects whose flow data are to be searched. Options are [All user],
[Gateway Connect-in user], [Gateway Connect-out user] and [Host IP].
335
[Excluded object]: Specifies the objects excluded from the flow search. Options are [All user],
[Gateway Connect-in user], [Gateway Connect-out user] and [Host IP]. The entered objects are
generally the objects that are covered by the [Search object].
[Application]: Specifies the application type whose flow data are to be searched, for instance,
applications such as P2P, HTTP, File Download, etc.
[Specific application]: Specifies the application whose related flow data are to be searched, such
as WebMail of HTTP application type.
[Time]: Defines the time range of the flow data. Option are [Time range] and [Time object]
[Time range]: Specifies a time range and the flow caused during that time range will be covered.
[Time object]: Specifies a time schedule and the flow data caused during that time schedule will
be covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
[Date range]: Specifies the date range based on which the matching data are to be covered.
Click the <Search> button and the details of the matching objects are displayed in the [Flow
Search Result] list, as shown below:
336
<Export log>: Click this button and the search results will be exported in format of .xls. Click the
<here> link to download and save the excel document to the local computer, as shown below:
listed under [Customized Link] on the [Home Page]. If you want to search data with the same
conditions, you need only click the corresponding quick link to enter the search page. This
function facilitates you to save your search preferences. Click the button and name this bookmark,
as shown below:
Enter the name and then click the <Submit> button to save the search template listed on the
[Home Page], under [Customized Link], as shown below:
337
[Flow Search Result]: Displays the results searched according to the specified conditions, as
shown below:
Click the
icon to view the search result in extended mode. The data displayed in extended view
mode is as shown below:
Click the
icon to view the search result in list view mode. The results displayed in list view
338

mode are as shown below:
Click <First> or <Last> go to the first page or the last page of the search results.
Click <Previous> or <Next> to go to the previous page or the next page of the search results.
[Click to select the column]: Click it and select the needed columns to have them displayed in the
table, as shown below:
[Records/page 100 records]: Indicates 100 records of searched records are displayed per page.
[Sort by time(desc)] and [Sort by time(asc)] are not available on this version.
4.7.2 Firewall Log

[Firewall Log] page enables you to specify the conditions and search for the needed firewall logs.
339
[Destination port]: Specifies the destination port to which the needed firewall logs are related.
[Source IP]: Specifies the source IP address to which the needed firewall logs are related.
[Date range]: Specifies the date range that the matching firewall logs are to be covered.
[Time]: Defines the time range of firewall logs. Option are [Time range] and [Time object]
[Time range]: Specifies a time range and the firewall logs recorded during that time range will be
covered.
[Time object]: Specifies a time schedule and the flow data caused during that time schedule will
be covered (time schedule is defined on the WAN Accelerator; for detailed configuration guide,
Check the [Search in detail] option and more filtering conditions appear, as shown below:
340

[Rule name]: Specifies the rule name to which the needed firewall logs are related.
[Destination IP]: Specifies the destination IP address to which the needed firewall logs are related.
[Activity]: Specifies the action recorded by the firewall log. Options are [Reject] and [Allow].
[Protocol]: Specifies the protocol to which the needed firewall logs are related. Options are [TCP],
[UDP], [ICMP] and [Other].
Click the <Search> button and the details of the matching firewall logs are displayed in the
[Firewall Log Search Result] list, as shown below:
Function and use of [Firewall Log Search Result] is almost the same as that of the [Flow Search
Result]. For detailed introduction, please refer to the relevant part in Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed
guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen
on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.
4.7.3 Gateway Operation Log

[Gateway Operation Log] enables you to specify the conditions and search for the needed gateway
operation logs. The default page is as shown below:
341
[Console user]: Specifies the objects whose related gateway operation logs are to be searched.
Options are [User] and [IP].
[Date range]: Specifies the date range during which the gateway operation logs are recorded.
[Time]: Defines the time range of gateway operation logs. Option are [Time range] and [Time
object]
[Time range]: Specifies a time range and the gateway operation logs recorded during that time
range will be covered.
[Time object]: Specifies a time schedule and the gateway operation logs recorded during that time
schedule will be covered (time schedule is defined on the WAN Accelerator; for detailed
configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office
hours], [Non-office hours] and [Internet Access Total[Null]].
[Description]: Enter a description for the searched gateway operation logs.
Click the <Search> button and the details of the matching firewall logs are displayed in the
[Operation Log Search Result] list, as shown below:
342
For the detailed introduction to [Operation Log Search Result], please refer to the relevant part in
Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed
guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen
on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.
4.8
System Management
[System Management] configurations help you to manage the log library, user login to Internal
Data Centers and to configure the parameters for the system.
[System Management] includes three parts, namely, [Log Library Mgt], [System Configuration]
and [Configuration Import/Export]. The default page is as shown below:
343
4.8.1 Log Library Mgt

[Log Library] consists of [Log Library Search] and [Disk Usage]. The default page is as shown
below:
4.8.1.1 Log Library Search

[Log Library Search] is used to search for log libraries details, facilitating you to manage and
delete the specified log libraries.
344
[Date range]: Specifies the date range during which the libraries are recorded.
<Search>: Click this button to search for the needed logs according to the specified date range.
The search result will be displayed, including the information of table size, size of the attachment
and the log library.
<Select all>: Click this button to select all the displayed libraries of this page.
<Reverse>: Click the button to deselect the selected libraries and select the other unselected
libraries of this page.
<Delete>: Click this button to delete the selected log libraries.
<Delete all>: Click it to delete all the log libraries.
4.8.1.2 Disk Usage

[Disk Usage] shows the disk utilization status in charts and tables.
345
As shown in the above figure, the current status of disk usage is shown a pie chart and in a table,
including information of total disk space (Total), used disk space (Used), free disk space (Free)
and percentage of free disk space.
4.8.2 System Configuration

[System Configuration] configures for the mail server, such as time for generating the report,
exporting log, etc.
Click [System Management] > [System Configuration] and the following interface appears:
346

[Mail server setting]: Configures the receiver email address, sender email address and the mail
server address. If you want to email the report to the administrator, you have to configure the
options on this page.
[Mail server address]: Configures the mail server of the email sender. Domain name is supported.
To have the senders mail server require user authentication, you need check the [Username and
password required] option and configure a username and password.
[Report generation time]: Configures the time when the periodic report is to be generated. It is
00:00-06:00 by default, indicating that system will generate the report during this period of time
randomly.
[Generated Report Setting]: Configures the options to manage the generated reports. Type a
positive integer into [Auto delete report generated _ days ago(within 31 days)] and the system will
automatically delete the reports generated in earlier days; or enter the number of reports and the
system will only save that number of reports.
[Log export setting]: Configures a numeric value to define the logs that can be exported. System
allows you to export maximum 10000 logs. It is 1000 by default.
4.8.3 Configuration Import/Export

[Configuration Import/Export] configures the options to back up or restore the system
configurations and customized report template.
Click [System Management] > [Configuration Import/Export] and the following page appears:
347

[Configuration Export] helps to export the configurations of the Data Center, including system
configuration and customized report templates.
<Export>: Click this button and follow the steps to export the configurations of the Data Center.
[Configuration Import]: Helps to import configurations into the Data Center.
<Browse>: Click it to select and upload a configuration file from the local computer.
Click the <Import> button to import the configuration file into the Data Center.
The newly-imported system configurations will replace the original configurations of the
Data Center, and the newly-imported customized report templates will be added to the report
template list of the corresponding report type.
348
Chapter 5 Client Software

In addition to VPN/acceleration connection to be established between two hardware devices
(WAN Accelerators), it is also supported that a VPN/acceleration connection is established
between client-end software and hardware device(s). At present, three types of client software are
supported, namely, Acceleration-Only client software, VPN-only client software and VPN-PlusAcceleration client software.
Detailed installation requirements of the three types of software are as listed below:
Memory: 256MB or above (VPN-only client software); 512MB or above (VPN-PlusAcceleration client software)
Hard disk: remaining partition 50MB or above (VPN-only client software); 1GB or above
(VPN-Plus-Acceleration client software)
Operating system: Windows 2000 server, Windows XP (32bit), Windows 2003 server
(32bit), Windows Vista (32bit) and Windows 7 (32bit)
349
5.1
Acceleration-Only Client Software
5.1.1 Installation
1.) Double-click the program PACC6.0_EN.exe to install the PACC software (alias of
SANGFOR acceleration-only client software), as shown below:
Before continuing the installation of PACC software, please terminate the antivirus program on
your computer. You can run the antivirus software after the installation finishes.
2.) Click the <OK> button and the Wizard page appears, as shown below:
350
3.) Click the <Next> button to go to the next step, as shown below:
4.) Enter the username and company name; click the <Next> button to go to the next step, as
shown below:
351
5.) Select an installation directory; click the <Next> button to go to the next step, as shown
below:
6.) Click the <Install> button. Completing installation, it requires restarting the computer, as
shown below:
352
7.) Click the <Finish> button and the installation completes. After computer reboot, the Sangfor
PACC software icon will appear on the desktop of your computer, as shown below:
5.1.2 Deployment
SANGFOR PACC software supports the following two types of network deployments:
a.) Bridge Mode
The WAN Accelerator is deployed Bridge mode in the local area network (LAN); the front-end
firewall maps the TCP/UDP 5400 (default) port to SANGFOR WAN Accelerator, as shown in the
network topology below:
353
b.) Single-arm Mode

The WAN Accelerator is deployed Single-arm mode in the local area network; the front-end
firewall maps the TCP/UDP 5400 (default) port to the SANGFOR WAN Accelerator, as shown in
the network topology below:
5.1.3 Usage
The logon interface of the PACC software of SANGFOR WAN Accelerator is as shown below:
354
[Gateway address]: Specifies the IP address of the SANGFOR WAN Accelerator that is to be
connected to.
[Port]: Configures the port used by SANGFOR WAN Accelerator that is to be connected to.
[Username] and [Password]: Enter the corresponding username and password configured on the
server WAN Accelerator for this PACC user.
[Save Profile]: Check this option to save the entered information such as gateway IP address, port,
username and password, so that this PACC user will not be bothered to enter the information
again next time it logs in.
[Login automatic]: Check this option so that the PACC user can automatically log in to the WAN
Accelerator next time when the PACC user double-clicks the PACC software icon.
<Setting>: Click this button and the [PACC Setting] dialog appears, as shown below:
355
[Network type]: It specifies the network type that the clients PC connects to the Internet. If it is
connected wirelessly (through CDMA, GPRS, etc.; yet excluding WiFi, etc), choose the
corresponding option (Wireless network) and it will optimize the wireless networks.
[Enable datacache]: Check this option and select a directory to enable byte cache function of the
local terminal.
<Clear>: Click it to clear the byte cache files in the Cache directory.
[Cache size]: Configures the size of the local hard disk allocated to the byte cache.
[Transmission type]: Configures the protocol that the PACC software uses for connecting to the
SANGFOR WAN Accelerator. If packet loss happens, please select HTP protocol; otherwise,
select TCP protocol. However, [Auto] is recommended.
[Enable LSP Service]: Check this option and it will capture the data packets of the applications
that are going through the WAN accelerations, except those of My Network Places and Exchange.
[Enable TDI Service]: Check this option and it supports the acceleration of My Network Places
and Exchange. The option takes effect after computer reboot.
356

[Exclusion Rule]: Configures the server-end IP addresses whose data transmission is not to be
optimized. The PACC users requests of accessing these excluded IP addresses will not get into
the acceleration channel. Click the tab name [Exclusion Rule] and the corresponding options
appear, as shown below:
Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP
type], etc., as shown below:
357
[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.
[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies;
options are [Single IP], [IP range] and [Subnet].
Click the <Edit> button to modify the existing exclusion rule.
Click the <Remove> button to delete the existing exclusion rule.
[Login Setting] includes [Gateway], [Port], [Username], [Password], [Save profile], [Auto login],
and [Start with system], as shown below:
358
[Gateway]: Indicates the IP address of the peer WAN Accelerator.

[Port]: Indicates the port used by the peer WAN Accelerator for acceleration.
Logging in successfully, you will see the acceleration status, real-time flow information over the
past 60 seconds, application status, etc.
<Stop PACC>: Click this button to stop connecting the PACC software to the server WAN
Accelerator.
<Change PW>: Click this button to modify the password for the PACC user.
<Help>: Click this button to view the help information of the PACC software.
359
<View Log>: Click this button to view the connection logs of this PACC software, as shown
below:
360
5.2
VPN-Only Client Software
5.2.1 Installation
1.) Double-click the program Dlan4.32_PDLAN_Setup.exe to install the client software. Before
installing, please terminate the antivirus program of your computer; otherwise, installation
will fail.
361
3.) Click the <Yes> button to agree to the License Agreement.
4.) Select an installation directory and click the <Next> button to go to the next step, as shown
below:
362
5.) Check or uncheck Sinfor Dkey Driver and click the <Next> button to go to the next step, as
shown below:
6.) During the installing process, it will require disconnecting the Internet.
363
To ensure that the installation goes smoothly, disable the Local Area Connection of the
computer. You can enable it after installation completes, as shown below:
7.) Click the <Continue> button. When installation completes, it require restarting the computer,
as shown below:
8.) Click the <Finish> button and the installation completes.

After computer reboot, the software icon will appear on the desktop of the computer, as shown
below:
9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown
364

below:
Till then, installation of the client software completes.
5.2.2 Deployment
SANGFOR PDLAN (alias of VPN-only client software) supports the following two types of
network deployment:
a.) Bridge Mode
The WAN Accelerator is deployed in Bridge mode; the mobile VPN user and WAN Accelerator
establish VPN connection. The network topology is as shown below:
b.) Single-arm Mode

The WAN Accelerator is deployed in Single-arm mode in the local area network; the front-end
firewall maps the TCP/UDP 4009 (default) port to the SANGFOR WAN Accelerator; the mobile
VPN user and WAN Accelerator have established a VPN connection, as shown in the network
topology below:
365
5.2.3 Usage
The first time the PDLAN client software runs, the Config Wizard appears, as shown below:
1.) Select a method of configuring the system, [Manual] or [Import Config File]. The
configuration file that to be imported should be given by the HQ VPN administrator who has
used the corresponding VPN user account and exported the configurations of the HQ WAN
Accelerator. Generally, it is recommended to configure the system manually.
Click the <Next> button to go to the next step, as shown below:
366
2.) Type in the Webagent of the HQ WAN Accelerator and click the <Test> button to check the
validity of the Webagent addresses, as shown below:
If the HQ WAN Accelerator uses one static IP address, type in the Webagent in format of
IP:port, as shown below:
367
If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in
format of IP1#IP2:port, as shown below:
368
Please contact the HQ VPN administrator to ask for the Webagent address(es).
3.) Click the <Next> button and type in the username and password to be used by this mobile
VPN user to connect to the HQ VPN, as shown below:
369
4.) Click the <Next> button and then confirm the correctness of the configured options, as shown
below:
370
5.) Click the <Finish> button and manual setup completes.

6.) Open the software and the console is as shown below:
371
5.2.3.1 VPN Settings

5.2.3.1.1
System Info
[System Info]: It includes [Console Management], [Time Schedule Management], [Algorithm

Management] and [Create Certificate].
[Console Management]: Configures the password of the VPN-only client software. The default
page is as shown below:
<Change>: Click this button to edit the password of the VPN-only client software. The mobile
VPN users who do not know this password will unable to run this software.
<Backup>: Click this button to backup the configuration of the VPN-only client software to the
372

local computer. You can restore the backed up configurations into the software if necessary.
[Time Schedule Management]: Configures the time schedule which will be reference by the LAN
privilege settings. In general, the time schedule will be referenced when the mobile VPN is
configuring LAN privilege for the HQ VPN.
The way of configuring time schedule is the same as that in Section 3.4.4.3. Having completed
configuring a time schedule, you have to click the <Apply> button to save and apply the settings;
otherwise, the settings will not be saved and take effect.
[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are
supported by this VPN-only client software. The default page is as shown below:
373
To add an algorithm, click the <New> button and then manually add the algorithm into the list.
Having completed configuring the page, you have to click the <Apply> button (at the right bottom
of the page) to save and apply the settings; otherwise, the settings will not be saved and take
effect.
If you want to add and use your own encryption or authentication algorithm, please make
sure the encryption/authentication algorithms used on the HQ VPN and the client software are the
same. Different encryption/authentication algorithms will incur failure in establishing VPN
channel.
[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ
VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to
the [Create Certificate] page of the client software and click the <Create> button to generate the
hardware-featured certificate of its computer. After generating the hardware-featured certificate,
the user has to send this certificate to the administrator to of the HQ VPN. Only after the HQ VPN
administrator has had the hardware-featured certificate bound with the user, can this user establish
VPN connection with the HQ VPN smoothly. The default page is as shown below:
374
5.2.3.1.2
PDLAN
[PDLAN] includes [Basic config], [Main Connection Parameters], [Connection Management],

[LAN service settings] and [Tunnel Route].
[Basic config] covers the settings of Webagent information, MTU, minimum compression value,
VPN listening port, privilege and shared key, as shown below:
375
Generally, you are recommended to adopt the default [MTU], [Min Compression Value]
values. If you need change these values, please follow the instructions given by the SANGFOR
technicians.
[Main connection parameters]: Configures the necessary information used for establishing VPN
connections with the HQ VPN, as well as the options for optimizing multiple-ISP network and
mobile VPN, as shown below:
[Username], [Password]: Type in the correct username and password that the HQ VPN has
configured for this user on the [VPN Connection] tab.
[Trans Mode]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. When the VPN connection appears unstable, try to alter the transfer mode.
[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the
branch VPN apply different Internet service providers (ISP) and these different links cause
frequent packet loss. You can also tell the system the status of your network environment, by
selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet
Loss Rate]. To enable this function, you first have to activate the cross-ISP license.
376

effect.
[Connection Management]: This page should be configured if this mobile VPN user is connecting
to two or more HQ VPN sites at the same time. The default page is as shown below:
If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a
new VPN connection, as shown below:
377
Enter the name (MDLAN is an alias of HQ VPN) and description of this VPN connection (better
the name of the HQ VPN site), and then click the <Next> button to go to the next step, as shown
below:
378
Configure the needed information, Webagent and transfer mode, and then click the <Next> button
to go to the next step, as shown below:
379
Enter the username and password used for establishing the VPN connection, and click the<Next>
button, as shown below:
380
Check the correctness of the configurations and then click the <Finish> button to complete adding
a new VPN connection.
If the mobile VPN user only connects to one HQ VPN, the [Connection Management] need
not be configured.
[LAN service settings] and [Tunnel Route] are configured in the similar way as that on the WAN
Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel
Route in this users manual.
381
5.3
VPN-Plus-Acceleration Client Software
5.3.1 Installation
1.) Double-click the program PDLAN_PACC6.0EN.exe to install the software, as shown below:
Before installing the client software, please terminate the antivirus program of your computer;
otherwise, installation may fail. You can run the antivirus software after the installation finishes.
2.) Click the <OK> button and the Wizard page appears, as shown below
382
4.) Click the <Yes> button to go to the next step, as shown below:
383
5.) Click the <Browse> button to select an installation directory and then click the <Next>
button to go to the next step, as shown below:
6.) Check or uncheck Sangfor Dkey Driver. If the user is to use DKey, this option must be
384

checked; if the user is not to use DKey, it may not be checked.
7.) Click the <Next>button to go to the next step, as shown below:
During the installing process, it will require disconnect the Internet.
To ensure that installation goes smoothly, disable the Local Area Connection of the
computer. You can enable it after installation completes, as shown below:
8.) Click the <Continue> button. When installation completes, it require restarting the computer,
as shown below:
385
After computer reboot, the software icon will appear on the desktop of the computer, as shown
below:
9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown
below:
Till then, installation of the VPN-Plus-Acceleration software completes.
386
5.3.2 Deployment
SANGFOR PDLAN_PACC (alias of SANGFOR VPN-plus-acceleration client software) supports
the following two types of network deployment:
a.) Gateway Mode
The WAN Accelerator is deployed in Gateway mode. Mobile VPN user and WAN Accelerator
establish VPN connection and acceleration connection at the same time. The network topology is
as shown below:
b.) Single-Arm Mode

In this deployment mode, the WAN Accelerator is deployed in the local area network; the frontend firewall maps the TCP/UDP 4009 (default) port to the SANGFOR WAN Accelerator. The
mobile VPN user and WAN Accelerator establish VPN connection and acceleration connection at
the same time, as shown in the network topology below:
387
5.3.3 Usage
The first time the VPN-Plus-Acceleration client software runs, the Config Wizard appears, as
shown below:
1.) Select a method of importing configuration file, [Configure Manually] or [Import Config
File]. The configuration file that to be imported should be sent by the HQ VPN administrator
who has used the corresponding VPN user account and exported the configurations of the
HQ WAN Accelerator. Generally, it is recommended to import the configuration file
manually. Click the <Next> button to go to the next step, as shown below:
388
2.) Type in the Webagent (primary and secondary Webagent) of the HQ WAN Accelerator and
click the <Test> button to check the validity of the Webagent addresses, as shown below:
If the HQ WAN Accelerator uses one static IP address, type in the Webagent in format of
IP:port, as shown below:
389
If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in
format of IP1#IP2:port, as shown below:
390
Please contact the administrator of HQ VPN to ask for the Webagent address(es).
3.) Click the <Next> button and type in the username and password that are to be used by this
mobile VPN user to connect to the HQ VPN, as shown below:
391
4.) Click the <Next> button and then confirm the correctness of the configured options, as shown
below:
392
5.) Click the <Finish> button and manual setup completes, as shown below:
6.) Click the <OK> button to apply the new configurations. Open the software and the console
appears, as shown below:
393
5.3.3.1 VPN Settings

5.3.3.1.1
System Info
[System Info]: It includes [Console Management], [Time Schedule Management], [Algorithm

Management] and [Create Certificate].
[Console Management]: Configures the password of the VPN-Plus-Acceleration client software.
394
<Change>: Click this button to edit the password of the VPN-Plus-Acceleration client software.
The mobile VPN users who do not know this password will unable to run this software.
<Backup>: Click this button to backup the configuration of the VPN-Plus-Acceleration client
software to the local computer. After re-installing the software, you can restore the backed up
configurations if necessary.
[Time Schedule Management]: Configures the time schedule which will be referenced by the
LAN privilege settings. In general, the time schedule will be referenced when the mobile VPN is
configuring LAN privilege for the HQ VPN.
395
The way of configuring time schedule is the same as that in Section 3.4.4.3 Time Schedule.
Having completed configuring a time schedule, you have to click the <Apply> button to save and
apply the settings; otherwise, the settings will not be saved and take effect.
[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are
supported by this VPN-Plus-Acceleration client software. The default page is as shown below:
396

To add an algorithm, click the <New> button and then manually add the algorithm into the list.
effect.
If you want to add and use your own encryption or authentication algorithm, please make
sure the encryption/authentication algorithms used on the HQ VPN and the client software are the
same. Different encryption/authentication algorithms will incur failure in establishing VPN
channel.
[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ
VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to
the [Create Certificate] page of the client software and click the <Create> button to generate the
hardware-featured certificate of its computer. After generating the hardware-featured certificate,
the user has to send this certificate to the administrator to of the HQ VPN. Only after the HQ VPN
administrator has had the hardware-featured certificate bound with the user, can this user establish
VPN connection with the HQ VPN smoothly. The default page is as shown below:
5.3.3.1.2
Mobile VPN
[Mobile VPN] includes [Basic Settings], [User Settings], [VPN Connection], [LAN Service
Settings], [Tunnel Route] and [PACC].
397

[Basic Settings] covers the settings of Webagent information, MTU, minimum compression value,
VPN listening port, privilege and shared key, as shown below:
Generally, it is recommended to adopt the default [MTU], [Min Compression Value]

values. If you need change these values, please follow the instructions given by the SANGFOR
technicians.
[User Settings]: Configures the necessary information used for establishing VPN connections with
the HQ VPN, as well as the options for optimizing multiple-ISP network and mobile VPN, as
shown below:
398
[Username], [Password]: Type in the correct username and password that the HQ VPN has
configured for this user on the [VPN Connection] tab.
[Transfer Mode]: Configures the transfer mode of the VPN data packet. Options are TCP and
UDP. When the VPN connection appears unstable, try to alter the transfer mode.
[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the
branch VPN apply different Internet service providers (ISP) and these different links cause
frequent packet loss. You can also tell the system the status of your network environment, by
selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet
Loss Rate]. To enable this function, you first have to activate the cross-ISP license.
effect.
[VPN Connection]: This page should be configured if this mobile VPN user is connecting to two
or more HQ VPN sites at the same time. The default page is as shown below:
399
If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a
new VPN connection, as shown below:
Enter the name and description of this VPN connection (better the name of the HQ VPN site), and
400

then click the <Next> button to go to the next step, as shown below:
Configure the needed information, Webagent and transfer mode, and then click the <Next> button
to go to the next step, as shown below:
401
Enter the username and password used for establishing the VPN connection and click the<Next>
button, as shown below:
402
Check the correctness of the configurations and then click the <Finish> button to complete adding
a new VPN connection.
If the mobile VPN user only connects to one HQ VPN, the [VPN Connection] need not be
configured.
[LAN service settings] and [Tunnel Route] are configured in the similar way as that on the WAN
Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel
Route in this user manual.
[PACC]: Enables you to enable acceleration function, configure the related parameters and change
the password, etc., as shown below:
403
<Start>: Click this button to apply acceleration function to this PACC user (mobile VPN user).
[Setting] covers [Basic Settings], [Exclusion Rule] and [Login Setting], as shown below:
404
[Network type]: It specifies the network type that the clients PC connects to the Internet. If it is
connected wirelessly (through CDMA, GPRS, etc.; yet excluding WiFi, etc), choose the
corresponding option (Wireless network) and it will optimize the wireless networks. Auto detect
is the default selection.
[Enable datacache]: Check this option and select a directory to enable byte cache function of the
local terminal.
<Clear>: Click it to clear the byte cache files in the Cache directory.
[Cache size]: Configures the size of the local hard disk space allocated to the byte cache.
[Enable LSP Service]: Check this option and it will capture the data packets of the applications
that are going through the WAN accelerations, except those of My Network Places and Exchange.
[Enable TDI Service]: Check this option and it supports the acceleration of My Network Places
and Exchange. The option takes effect after computer reboot.
405

[Exclusion Rule]: Configures the server-end IP addresses whose data transmission is not to be
optimized. The PACC users requests of accessing these excluded IP addresses will not get into
the acceleration channel. Click the tab name [Exclusion Rule] and the corresponding options
appear, as shown below:
Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP
type], etc., as shown below:
406
[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.
[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies;
options are [Single IP], [IP range] and [Subnet].
Click the <Edit> button to modify the selected exclusion rule.
Click the <Remove> button to delete the selected exclusion rule.
[Login Setting] covers [Gateway], [Port], [Username], [Password], [Save profile], [Auto login],
[Start with system], as shown below:
407
[Gateway]: Indicates the IP address of the peer WAN Accelerator.

[Port]: Indicates the port used by the peer WAN Accelerator for acceleration.
[Username], [Password]: Type in the correct username and password that have been configured on
the server-end WAN Accelerator (HQ VPN) for this mobile user.
[Save profile]: Check this option to save the entered information such as gateway IP address, port,
username and password, so that you will not be bothered to enter the information again next time
you logs in.
[Auto login]: Check this option so that you can automatically log in to the HQ WAN Accelerator
next time when you double-click the software icon.
408
Appendix A: Update of Gateway Client

The gateway update and restoration system can be used to update the kernel version of
SANGFOR WAN Accelerator and backup configuration. When vital errors occur in the system,
the WAN Accelerator can be restored to factory default configurations via the gateway restoration
system. In addition, the gateway restoration system can be used to inspect the running status of the
network port and configuration of the routing, as well as to modify the working mode and MTU
value of the network port, etc.
As to the update of WAN Accelerator 6.0, gateway clients have to use Sangfor Gateway Client
Gateway Updater 5.0. The configuration page is as shown below:
One of the improvements of Gateway Updater 5.0 is the function of synchronizing the PCs time
409

with Internet. The later versions are entitled with the function of controlling the expiry time of the
software update. If the WAN Accelerator has not been updated when the expiry time is reached,
the customer will be unable to update the WAN Accelerator with the software package. Therefore,
to make this function work normally, you have to synchronize the Internet time to the client
software to ensure that update is fulfilled at the expected and right time.
You can use the Gateway Updater 5.0 to load the update package to upgrade the software of your
WAN Accelerator, if the computer on which the Gateway Updater 5.0 runs can obtain the Internet
time.
However, if the network environment of the WAN Accelerator is limited, for instance, both the
WAN Accelerator and the computer are in local area network, being unable to connect to the
Internet, you then cannot upgrade the WAN Accelerator directly by using Gateway Updater 5.0. In
this situation, you can move the computer (on which the Gateway Updater 6.0 runs) to another
network segment which can access Internet, and run the Gateway Updater 5.0 to synchronize the
PCs time with Internet, and then, without turning off the computer, move the computer to the
LAN and connect it to the WAN Accelerator to fulfill upgrade.
Menus included are [System], [Update], [Backup], [ManagePackage], [Updatehistory], [Time

Sync] [Tools] and [Help].
[System]: Submenus are [Connect], [Search], [Change password], [Disconnect] and [Quit].
410
[Connect]: Click it and enter the IP address of WAN Accelerator and then type in the password to
log in.
The default password is dlanrecover. The login page is as shown below.
Logging in successfully, you will see the login success information, as shown below:
411
[Search]: It will automatically search for the LAN interface IP address of the SANGFOR WAN
Accelerator in the local area network (as long as there is no routing devices between the local
computer and the WAN Accelerator, and layer 2 broadcast can reach), even though the WAN
Accelerator is located in a different network segment (as long as there is no router or layer 3
switch between the local computer and the WAN Accelerator). The search results are as shown
below:
412
[Change password]: Click it to modify the login password of the gateway client.
Once the original password is modified, there is no way to get the modified password if
you fail to remember it. Please DO take care of your modified login password.
[Disconnect]: Click it to disconnect with the SANGFOR WAN Accelerator. If there is no

operation for a certain time, the client-end will also disconnect automatically.
[Update]: Submenus are [Update Firmware], [Restore Default Configuration], [Restore Default
Network] and [Check Update SN], as shown below:
413
[Update Firmware] and [Restore Default Configuration]: Both are only available after the user
logging in WAN Accelerator. The former ([Update Firmware]) is used for updating the kernel
Firmware of WAN Accelerator and the latter ([Restore Default Configuration]) for restoration of
the default configuration. These operations will update the key document of the device, or will
change serial number. Please DO NOT perform this operation at will. If update is needed, please
contact the technicians of SANGFOR and follow the instructions.
[Restore Default Network]: This function is only available when the system is disconnected with
the SANGFOR WAN Accelerator. Conduct this function and the network configuration of the
device will recover to defaults. This operation is realized with the command sent by the broadcast
package, and will apply to all the SANGFOR WAN Accelerators deployed in the local area
network (LAN).
[Check Update SN]: Displays the valid period of software update of this WAN Accelerator.
Operation of [Restore Default Network] may result in hazardous outcome. Please DO NOT
implement this function without second thought.
WAN Accelerator can only be updated from lower version to higher version; it does not
permit skipping a version to update or degrading.
414
Update is also a kind of risk. If update operation is not appropriate, the device may be
damaged. Please DO NOT update the system by yourself at will. If necessary, please contact
the technicians of SANGFOR for instructions.
Brief update procedures are:
Step1. Upload the corresponding update package to the gateway client.

Step2. Log in to the gateway client and implement update operations.
[Backup]: Submenus are [Backup Configuration], [Restore Backup], as shown below:
[Backup Config]: Click it to backup all the configuration information of the WAN Accelerator.
[Restore Backup]: Click it to restore all the backup configuration information to the WAN
Accelerator.
Both operations are only applied to the same-model and same-version SANGFOR devices.
Devices of different models and versions are inapplicable.
415

[Managepackage]: Submenus are [Check Current], [Load Package], [Download], as shown in the
following figure:
[Check Current]: Click it to view the information of the currently-loaded update package.
[Load Package]: Click it to upload the downloaded update package. Before uploading the update
package, first exit from the WAN Accelerator, and then click [Update]> [Update Firmware].
[Download]: Please visit the SANGFOR official website www.sangfor.com to download the
corresponding update package to the local computer.
[Update History]: Submenus are [View Gateway History], [View Local Records] and [Delete
Local Records], as shown below:
416
[View Gateway History]: Click it to view the update logs of the WAN Accelerator.
[View Local Records]: Click it to view the update logs of the local gateway client.
[Delete Local Records]: Click it to clear the update logs of the local gateway client.
[Time Sync]: Displays and synchronizes the Internet time, as shown below:
[View Current Time]: Click it to view the current Internet time.

417

[Sync at once]: Click it to synchronize the Internet time.
[Tools]: Submenus are [Ping], [Route Table], [ARP Table], [Network Config], [View Mode], [Set
Net Mode] and [Exchange Net Interface], as shown below:
[Ping]: Log in to the WAN Accelerator, ping an external network on the WAN Accelerator to
check whether it is connected to the external networks.
[Route Table]: Click it to view the routing table of the WAN Accelerator.
[ARP Table]: Click it to view the ARP table of the WAN Accelerator.
[Network Config]: Click it to view the network configuration of the WAN Accelerator, including
information of interface IP address, etc.
[View Mode]: Click it to view the mode the current network interface card (NIC) is working in.
[Set Net Mode]: Click it to configure manually the working mode of NIC for the WAN
Accelerator, if the setting is not coherent to the actual network interface card mode.
[Exchange net interface]: Click it to exchange the logic network interface of the NIC for the WAN
Accelerator. For instance, originally WAN1 is the optical interface and WAN4 is the electrical
interface, but you need use WAN1 as the electrical interface in the real network; in that case, you
418

can exchange WAN1 with WAN4, after exchange, the original WAN1 is an electrical interface and
WAN4 is an optical interface.
Exchanging network interface is risky. If not appropriately exchanged, the WAN Accelerator
may not work normally.
Exchanging network interface may lead to unavailability of the serial number of the device.
In that case, you need obtain another serial number. Please DO follow the intructions given
by SANGFOR technician to exchange network interface.
419
Appendix B: Acronyms and Abbreviations

AC
Alternating Current
ARP
Address Resolution Protocol
BM
Bandwidth Management
CA
Certificate Authority
CPU
Central Processing Unit
DMZ
Demilitarized Zone
DNAT
Destination Network Address Translation
DNS
Domain Name Server
DoS
Denial of Service Attack
HQ
Headquarters
HTTP
Hyper Test Transfer Protocol
HTTPS
Secure Hyper Text Transfer Protocol
ICMP
Internet Control Message Protocol
IM
Instant Message
IP
Internet Protocol
ISP
Internet Service Provider
LAN
Local Area Network
LDAP
Lightweight Directory Access Protocol
MDLAN
Alias of HQ VPN
MTU
Maximum Transmission Unit
NIC
Network Interface Card
OS
Operating System
OSI
Open System Interconnect Reference Model
PACC
Alias of SANGFOR acceleration-only client software for mobile user
PDLAN
Alias of Mobile VPN
POP3
Post Office Protocol 3
RADIUS
Remote Authentication Dial In User Service
SMTP
Simple Message Transfer Protocol
SNAT
Source Network Address Translation
SSL
Secure Sockets Layer
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
UI
User Interface
420

URL
Uniform Resource Locator
VLAN
Virtual Local Area Network
VPN
Virtual Private Network
WAN
Wide Area Network
WANO
Wide Area Network Optimization
WCCP
Web Cache Communication Protocol
421

Sangfor Wano v6.0 User Manual

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Sangfor Wano v6.0 User Manual

Încărcat de

Drepturi de autor:

Formate disponibile

SANGFOR WAN Accelerator 6.

WAN Accelerator 6.0 User Manual

SANGFOR WAN Accelerator 6.0 User Manual

CONFIGURATION AND MANAGEMENT..........................................................................14

CHAPTER 2 WAN ACCELERATOR DEPLOYMENT........................................................17

DOUBLE BRIDGE MODE................................................................................................18

SINGLE ARM MODE......................................................................................................19

CHAPTER 3 GATEWAY CONSOLE......................................................................................21

3.2.2.1.1 Acceleration Status.......................................................................................................32

SANGFOR WAN Accelerator 6.0 User Manual

3.2.2.4.1 Flow Rankings..............................................................................................................39

DHCP Running Status..................................................................................................40

Case Study 1: Environment and Configuration For MAC Track.................................................49

3.4.2.1.1 Gateway Mode.............................................................................................................52

Case Study 2: Add Subnet In Single-Arm Mode..........................................................................60

Case Study 3: Add Packet Return Route......................................................................................61

SANGFOR WAN Accelerator 6.0 User Manual

Case Study 5: Join WCC.COM Domain......................................................................................65

Case Study 6: Environment and Configuration of VLAN Restore..............................................68

3.4.2.10 WCCP Settings.............................................................................................................74

Case Study 9: Add Acceleration User...........................................................................................83

Case Study 10: Create IP Group with Single IP Addresses..........................................................86

Case Study 14: Define Office Hours............................................................................................93

Case Study 15: Type of Data Applicable to Compression..........................................................100

SANGFOR WAN Accelerator 6.0 User Manual

Acceleration Policy Group.........................................................................................103

Connect to Central Gateway.......................................................................................118

Case Study 21: Branch Establishes Acceleration Connection With HQ....................................122

Case Study 24: Prefetch Data from FTP Server.........................................................................131

Case Study 25: Accelerate Access to HTTPS Server.................................................................137

Case Study 26: Exclusion Rule Defines Acceleration Subnet...................................................143

Keep Alive Settings....................................................................................................146

File Type Group..........................................................................................................155

Case Study 27: Add User Group.................................................................................................158

Application Control Policy........................................................................................161

3.6.2.2.1 Application Control....................................................................................................161

SANGFOR WAN Accelerator 6.0 User Manual

Case Study 30: Create Virtual Line............................................................................................170

3.6.3.2.1 Bandwidth Channel....................................................................................................173

Case Study 34: Configure SNAT Rule.......................................................................................184

Case Study 35: Configure DNAT Rule.......................................................................................186

Case Study 36: Open Port of Local Area Network.....................................................................189

Configure HQ WAN Accelerator................................................................................193

Case Study 37: Configure Tunnel NAT Rule.............................................................................206

SANGFOR WAN Accelerator 6.0 User Manual

Multi-Line Routing Policy.........................................................................................220

Case Study 40: VPN Primary Lines/Secondary Line.................................................................222

Radius Server Settings...............................................................................................235

VPN Local Subnet......................................................................................................236

Configure Sangfor VPN Module in Single-Arm Mode..............................................254

Configure Network Interface.....................................................................................254

Configure Sangfor VPN.............................................................................................255

Case Study 47: IPSEC VPN Connection with CISCO...............................................................262

Case Study 48: Generate and View Report.................................................................................277

SANGFOR WAN Accelerator 6.0 User Manual

Application Flow Trend.............................................................................................306

Acceleration User Flow Trend...................................................................................309

Device Flow Trend.....................................................................................................312

Application Flow Trend.............................................................................................320

Gateway Operation Log.............................................................................................328

Log Library Mgt.........................................................................................................330

Log Library Search.....................................................................................................331

CHAPTER 5 CLIENT SOFTWARE......................................................................................335

ACCELERATION-ONLY CLIENT SOFTWARE.................................................................336