Scenario
Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps
given below. In this article, we have used the following parameters to create the VPN
connection.
Network Parameters
Local Network details
Site A Configuration
The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile
having read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.
Parameter Description
Name: SiteA_to_SiteB
Connection Type: Site to Site
Policy:
Authentication details
Authentication Type: Preshared Key
Preshared Key: 123456789
Endpoints Details
Local:
Remote: 22.23.24.25, 10.5.6.0/24
On clicking OK, the following screen is displayed showing the connection created above.
Click
Site B Configuration
The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile
having read-write administrative rights for the relevant feature(s).
Step 1: Create IPSec Connection
To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create
the connection using the following parameters.
Parameter Description
Name: SiteB_to_SiteA
Connection Type: Site to Site
Policy:
Action on VPN Restart: Initiate
Authentication details
Authentication Type: Preshared Key
Preshared Key: 123456789
Endpoints Details
Local: PortB-22.23.24.25
Remote: 14.15.16.17, 172.23.9.0/24
Click
The above configuration establishes an IPSec connection between the Two (2) sites.
Note:
Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel
initiator and the Head Office acts as the responder, for the following reasons:
- Since Branch Offices or other Remote Sites have dynamic IPs, the Head Office is not able to
initiate the connection.
- As there can be many Branch Offices, to reduce the load on the Head Office it is a good
Allow file type categories like .mpeg, .mp3, .exe for the website www.example.com, while
blocking those file types for all other websites.
Prerequisite
Web and Application Filter Module Subscribed.
Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write
permission for relevant feature(s).
Step 1: Create a Custom Web Category
Create a Custom Web Category to add the required URL: www.example.com. To create a
web category, go to Web Filter > Category > Category and click Add to create a new
category. Specify the category parameters along with the Domain value
as www.example.com (refer to the screen below).
Click OK and the Custom Web Category AllowFileDownload will be created successfully.
Click OK and the Web Filter Policy Example_Custom will be created successfully.
Step 3: Configure Rules for Web Filter Policy
Select the Policy Example_Custom created in Step 2 and click Add to add the Web Filter
Policy Rules.
Parameters
Category Type: File Type
Category: Video Files, Audio Files, Executable Files
HTTP and HTTPS Action: Deny
Schedule:
Click Add and the Web Filter Policy Rule will be added successfully.
Rule 2
Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites, but all these
file types are allowed for www.example.com.
Parameters
Category Type: Web Category
Category: AllowFileDownload (select the Category AllowFileDownload created in Step 1)
HTTP and HTTPS Action: Allow
Schedule:
Click Add and the Web Filter Policy Rule will be added successfully.
Note:
The AllowFileDownload rule should be on top, as rules are executed in top-to-bottom
sequence.
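The ordering point in the Note can be checked with a small first-match evaluator. The following is an added example, not Cyberoam's own code or policy engine: it models the two rules from Step 3 and runs them in both orders over constructed sample URLs. The mapping of file extensions to the File Type categories, the domain membership of the AllowFileDownload category and the default action of Allow when no rule matches are all assumptions made for the example.

```python
# Added example, not Cyberoam's code: first-match evaluation of the two Web
# Filter Policy rules from Step 3, showing why the AllowFileDownload rule must
# sit above the File Type deny rule. The extension-to-category mapping, the
# domains in AllowFileDownload and the sample URLs are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: which extensions fall under the File Type categories on the page.
FILE_TYPE_CATEGORIES = {
    "Video Files": (".mpeg", ".mpg", ".avi"),
    "Audio Files": (".mp3", ".wav"),
    "Executable Files": (".exe", ".msi"),
}

# Constructed: the Custom Web Category created in Step 1 and the domain it holds.
WEB_CATEGORIES = {"AllowFileDownload": ("www.example.com",)}


@dataclass(frozen=True)
class Rule:
    category_type: str  # "Web Category" or "File Type"
    categories: tuple   # category names the rule matches
    action: str         # HTTP and HTTPS Action: "Allow" or "Deny"


def rule_matches(rule: Rule, url: str) -> bool:
    """Return True when the requested URL falls under one of the rule's categories."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if rule.category_type == "Web Category":
        return any(host in WEB_CATEGORIES.get(name, ()) for name in rule.categories)
    if rule.category_type == "File Type":
        return any(path.endswith(ext)
                   for name in rule.categories
                   for ext in FILE_TYPE_CATEGORIES.get(name, ()))
    raise ValueError(f"unknown category type {rule.category_type!r}")


def evaluate(policy: list, url: str, default: str = "Allow") -> str:
    """Rules are executed top to bottom; the first rule that matches decides."""
    for rule in policy:
        if rule_matches(rule, url):
            return rule.action
    return default  # assumed default when no rule matches


# Rule 1 and Rule 2 from Step 3.
DENY_FILE_TYPES = Rule("File Type", ("Video Files", "Audio Files", "Executable Files"), "Deny")
ALLOW_EXAMPLE_COM = Rule("Web Category", ("AllowFileDownload",), "Allow")

# The ordering the Note asks for, and the ordering it warns against.
CORRECT_ORDER = [ALLOW_EXAMPLE_COM, DENY_FILE_TYPES]
WRONG_ORDER = [DENY_FILE_TYPES, ALLOW_EXAMPLE_COM]

# Constructed sample requests.
SAMPLE_URLS = [
    "http://www.example.com/setup.exe",
    "http://www.example.com/index.html",
    "http://files.example.net/song.mp3",
    "http://files.example.net/page.html",
]


def policy_outcomes(policy: list) -> dict:
    """Map each sample URL to the action the given rule order takes on it."""
    return {url: evaluate(policy, url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for label, policy in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label)
        for url, action in policy_outcomes(policy).items():
            print(f"  {action:5} {url}")
```

With the allow rule first, setup.exe from www.example.com is allowed and song.mp3 from any other site is denied; with the deny rule first, the executable from www.example.com is denied before the allow rule is ever consulted, which is exactly the misordering the Note guards against.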
Step 4: Apply Policy to Firewall Rule or User/User Group
Firewall Rule
You can apply the policy through a Firewall Rule so that it is applied to all traffic that hits
that rule. To create a Firewall Rule, go to Firewall > Rule > IPv4 Rule and click Add. As
shown below, apply the Policy created in Step 1.
Note:
Load Balancing and Failover are supported for both IPv4 and IPv6 traffic. Load Balancing
or Failover can be done between Two (2) IPv4 gateways or Two (2) IPv6 gateways.
Scenario
Consider the hypothetical network in which one ISP link is terminated on Port B and
Administrator wants to terminate another ISP link on Port D.
IP Schema
The IP schema given below is configured on Cyberoam.
Port A
IP Address: 10.10.1.1
Subnet Mask: 255.255.255.0
Zone: LAN
Port B
IP Address: 172.16.16.1
Subnet Mask: 255.252.240.0
Zone: WAN
Gateway Details
ISP Name: Default
IP Address: 172.16.16.15
Port C
IP Address: 10.10.10.1
Subnet Mask: 255.255.255.0
Zone: DMZ
Port D
Port D is an unbound port, so the zone type for Port D is set to N/A.
DNS Configuration
Primary DNS: 4.2.2.2
This article is divided into the following Three (3) sections:
- Add a New Gateway
Prerequisites
An unbound physical port should be available on Cyberoam. An unbound port is one which is
not assigned to any security zone.
port according to parameters given below. Here, as an example, we have configured Port D.
Parameters
General Settings
Physical Interface: PortD
Network Zone: WAN
IP Assignment: Static
IP Address: 10.10.2.1
Subnet Mask:
Primary DNS: 203.88.135.194
Secondary DNS: 4.2.2.2
Gateway Details
Gateway Name: PortD_Gateway
IP Address: 10.10.2.19 (specify the IP address)
1. Go to Network > Gateway > Gateway and select the required Gateway.
2. Select Gateway Type as Backup and configure the Backup Gateway Details as shown
below.
This setup indicates that if any Active Gateway fails, PortD_Gateway would be activated and
would inherit the weight of the failed gateway.
Configure Failover Condition
By default, on adding a gateway, Cyberoam adds a Failover Rule indicating that if Cyberoam
is not able to PING the gateway, it is considered down, as shown below.
Click Add to add another rule, or Edit to change the existing rule. Here, as an example, we
have added a rule indicating that if Cyberoam is not able to PING the
gateway 172.16.16.15 and is not able to establish a TCP connection on port 80 with 4.2.2.2, the gateway
will be considered down.
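The failover logic described in the Backup Gateway and Failover Condition steps can be modelled in a few lines. The following is an added example and is not Cyberoam's code: it reads the rule above as "the gateway is down only when both conditions fail" (no PING reply from 172.16.16.15 and no TCP connection on port 80 to 4.2.2.2), and activates the Backup gateway PortD_Gateway with the failed gateway's weight. The gateway weights, the probe outcomes and the Condition/Gateway structures are constructed for the example; nothing is sent on the network.

```python
# Added example, not Cyberoam's code: a model of the failover condition above.
# A gateway is considered down only when every condition in its failover rule
# fails (here: no PING reply from 172.16.16.15 AND no TCP connection on port 80
# to 4.2.2.2). When an Active gateway is down, the Backup gateway is activated
# and inherits its weight. Weights and probe results are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    protocol: str  # "PING" or "TCP"
    host: str
    port: int = 0  # used for TCP only


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int
    gateway_type: str = "Active"  # "Active" or "Backup"
    failover_rule: tuple = ()     # conditions; all must fail for the gateway to be down


def gateway_is_down(gateway: Gateway, probe_results: dict) -> bool:
    """probe_results maps a Condition to True (reachable) or False (not reachable)."""
    if not gateway.failover_rule:
        return False  # no rule configured: never declared down by health checks
    return not any(probe_results.get(cond, False) for cond in gateway.failover_rule)


def active_gateways(gateways: list, probe_results: dict) -> list:
    """Return (gateway name, effective weight) pairs that carry traffic right now.
    A failed Active gateway is replaced by the next unused Backup gateway,
    which inherits the failed gateway's weight."""
    backups = [g for g in gateways if g.gateway_type == "Backup"]
    carrying = []
    for gw in (g for g in gateways if g.gateway_type == "Active"):
        if gateway_is_down(gw, probe_results):
            if backups:
                carrying.append((backups.pop(0).name, gw.weight))
        else:
            carrying.append((gw.name, gw.weight))
    return carrying


# Gateways from the article: the Default gateway on Port B and PortD_Gateway as Backup.
# Weight 1 is a constructed value; the page does not state the weights.
PING_DEFAULT = Condition("PING", "172.16.16.15")
TCP_80_DNS = Condition("TCP", "4.2.2.2", 80)
GATEWAYS = [
    Gateway("Default", "172.16.16.15", weight=1, failover_rule=(PING_DEFAULT, TCP_80_DNS)),
    Gateway("PortD_Gateway", "10.10.2.19", weight=1, gateway_type="Backup"),
]

# Constructed probe outcomes for three situations.
ALL_UP = {PING_DEFAULT: True, TCP_80_DNS: True}
PING_BLOCKED = {PING_DEFAULT: False, TCP_80_DNS: True}  # ICMP filtered, link still works
LINK_DOWN = {PING_DEFAULT: False, TCP_80_DNS: False}


if __name__ == "__main__":
    cases = (("all up", ALL_UP), ("ping blocked", PING_BLOCKED), ("link down", LINK_DOWN))
    for label, results in cases:
        print(f"{label:13}: {active_gateways(GATEWAYS, results)}")
```

The PING_BLOCKED case is the reason for adding the TCP condition: an upstream that drops ICMP but still passes TCP keeps the Default gateway active instead of triggering a needless failover.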
Overview
Cyberoam allows configuration of Email notifications for certain system-generated events and
reports (as specified by the administrator). Such Email notifications can be configured to inform the
administrator about:
Scenario
Configure Email Notifications in Cyberoam.
Configuration
The entire configuration is to be done from the Web Admin Console of Cyberoam. Configuration
requires read-write administrative permission for the relevant features.
Step 1: Configure Mail Server Settings
Configuring Mail Server Settings enables the administrator to receive Email notifications for
system-generated events like a change in gateway status, a change in HA link status and a change in state
of an IPSec Tunnel. Configure the Mail Server by going to System > Configuration >
Notification and setting the parameters as shown below.
Parameters
Mail Server Settings
Mail Server IP Address/FQDN - Port: 172.16.16.24 - 25 (configure your Mail Server IP Address and port)
Authentication Required: Enabled
Email Setting
From Email Address: admin@cyberoam.com
Send Notifications to Email Address: john.smith@cyberoam.com
Click Test Mail to check Mail Server Configuration. If test mail is delivered successfully,
click Apply to save configuration.
available on Icon
In iView, go to System > Configuration > Report Notification and click Add to add report
Parameters
Name: Search_Engine_Report
To Email Address: admin@cyberoam.com
Report Group: Search Engine
Email Frequency: Daily at 11 hours
With the above configuration, all the Search Engine reports will be mailed every day at 10 am.
Configure Port Forwarding using Virtual Host to access devices on Internal network
Applicable to Version: 10.00 onwards
This article describes a detailed configuration example that demonstrates how to configure Cyberoam
to provide access to internal resources.
Article covers how to
Virtual host
The Virtual Host implementation is based on the Destination NAT concept of older versions of Cyberoam.
A Virtual Host maps services of a public IP address to services of a host in a private network. In other
words, it is a mapping of a public IP address to an internal IP address. This virtual host is used as the
destination address to access an internal or DMZ server.
A Virtual Host can be a single IP address, an IP address range or a Cyberoam interface itself.
Cyberoam will automatically respond to ARP requests received on the WAN zone for the external
IP address of the Virtual Host.
Sample schema
Throughout the article we will use the network parameters displayed in the network diagram
given below. Outbound traffic from LAN and DMZ is allowed while inbound traffic is restricted. The public
servers, the mail server and the web server, are hosted in the DMZ.
Network components
Web server
External IP address (Public): 203.88.135.208
IP address (Internal): 192.168.1.4 (Mapped)
Mail server
External IP address (Public): 204.88.135.192
IP address (Internal): 192.168.1.15 (Mapped)
Configuration
The entire configuration is to be done from the Web Admin Console with a user having the Administrator
profile.
Step 1: Create virtual host for Web server
Go to Firewall --> Virtual Host and click on the Add button to add a virtual host with the parameters
specified in the sample schema.
In our example, Internet users will access the internal web server using the public IP 203.88.135.208, which is
mapped to the local IP 192.168.1.4. In other words, all inbound requests to 203.88.135.208 will be
forwarded to 192.168.1.4.
Parameters
Name: WebServer
External IP: 203.88.135.208
Mapped IP:
Physical Zone:
Click on OK and the Virtual Host WebServer has been added successfully.
Note
In case you have custom zones, change the Physical Zones accordingly.
The Public IP address is the IP address through which Internet users access the internal server/host. If
the public IP address is already configured as the main Interface IP or an alias IP, then use the option
Interface IP to select it as the external IP; otherwise create a host for the IP and select it from the
IP address list.
Parameters
Name: Mailserver
External IP: 203.88.135.192
Mapped IP:
Physical Zone:
Click on OK and the Virtual Host MailServer has been added successfully.
Rule 2
Go to Firewall Rule and add a firewall rule for MailServer with the parameters as displayed in the
below given screens.
To create firewall rules that allow internal users to access resources in the DMZ using their public IP (external
IP) or FQDN, follow the steps below:
Go to Firewall Rule and add a firewall rule for each server with the parameters displayed in the
screens given below.
Click OK and the Firewall Rule for Web Server will be created successfully.
Click OK and the Firewall Rule for Mail Server will be created successfully.
Note:
DO NOT Apply NAT for inbound SMTP rules. This will setup the MailServer as an OPEN RELAY.
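The open-relay warning above follows from how an MTA decides whether to relay: it trusts clients whose source address lies on its own internal network. The following is an added example, not Cyberoam's code, that models a client connecting to the MailServer virtual host (public 203.88.135.192 mapped to 192.168.1.15, as on the page) with and without source NAT on the inbound rule. The DMZ subnet 192.168.1.0/24, the firewall's DMZ-side address 192.168.1.1, the local mail domain and the client addresses are constructed assumptions, as is the simple "trust internal, accept local domain from anyone" relay policy.

```python
# Added example, not Cyberoam's code: why source NAT on the inbound SMTP rule
# turns the mail server into an open relay. The virtual host maps the public IP
# 203.88.135.192 to 192.168.1.15 as on the page; the DMZ network, the firewall's
# DMZ-side address, the local domain and the client addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VIRTUAL_HOSTS = {"203.88.135.192": "192.168.1.15"}  # MailServer virtual host (page)
DMZ_NETWORK = ip_network("192.168.1.0/24")          # assumed DMZ subnet
FIREWALL_DMZ_IP = "192.168.1.1"                      # assumed Cyberoam address in the DMZ
LOCAL_MAIL_DOMAIN = "example.com"                    # assumed domain hosted on MailServer


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int


def forward_to_virtual_host(conn: Connection, apply_nat: bool) -> Connection:
    """Destination NAT to the mapped IP always happens for a virtual host; the
    firewall rule's NAT option additionally rewrites the source address to the
    firewall's own DMZ address, so the server no longer sees the real client."""
    mapped = VIRTUAL_HOSTS.get(conn.dst_ip, conn.dst_ip)
    src = FIREWALL_DMZ_IP if apply_nat else conn.src_ip
    return Connection(src, mapped, conn.dst_port)


def mail_server_accepts(conn: Connection, recipient_domain: str) -> bool:
    """A common MTA relay policy: accept mail for the local domain from anyone,
    relay to other domains only for clients on the trusted DMZ network."""
    if recipient_domain == LOCAL_MAIL_DOMAIN:
        return True
    return ip_address(conn.src_ip) in DMZ_NETWORK


def relay_granted(client_ip: str, recipient_domain: str, apply_nat: bool) -> bool:
    """What the MailServer decides for a client reaching the public IP on port 25."""
    conn = Connection(client_ip, "203.88.135.192", 25)
    return mail_server_accepts(forward_to_virtual_host(conn, apply_nat), recipient_domain)


if __name__ == "__main__":
    internet_client = "198.51.100.23"  # constructed external address
    for nat in (False, True):
        print(f"NAT on inbound SMTP rule: {nat}")
        print("  mail for example.com   :", relay_granted(internet_client, "example.com", nat))
        print("  relay to other.example :", relay_granted(internet_client, "other.example", nat))
```

Without NAT the server sees 198.51.100.23 and refuses to relay to other domains; with NAT every Internet client appears as 192.168.1.1, inside the trusted network, and the relay check passes for anyone. The same reasoning applies to any service that makes access decisions on the client address, which is why the inbound rule should forward the original source.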
Overview
This article describes how you can connect an Android device, like mobile phone, PDA, tablet,
etc., with Cyberoam using L2TP VPN. Such a connection is especially useful when you want to
securely connect to the Internet at a public Wi-Fi hotspot. The VPN connection enables all data
to be transferred in an encrypted form, ensuring security of personal data in your device.
Scenario
Configure Cyberoam and Android device to enable an L2TP VPN connection between them.
This document consists of 2 sections:
1. Cyberoam Configuration
2. Android Configuration
Cyberoam Configuration
Configure Cyberoam as the L2TP VPN server by following the steps given below. Configuration
is to be done from Web Admin console as well as Cyberoam CLI using Administrator profile.
Note:
PPTP and L2TP connections established using MSCHAPv2 or CHAP protocol can be
authenticated through RADIUS or Local authentication server.
For AD Authentication, the AD Server should be behind a RADIUS Server and passwords
should be stored in reversible encrypted form.
below.
Parameter Description
Enable L2TP: Enabled
General Settings
Assign IP from: 172.16.16.221 - 172.16.16.225
Client Information
Primary DNS Server: 203.88.135.194
Secondary DNS Server: 4.2.2.2
Parameter Description
General Settings
Name: L2TP
Policy: DefaultL2TP
Action on VPN Restart: Respond Only
Authentication Details
Authentication Type: Preshared Key
Preshared Key: cyberoam
PortB
192.168.13.120
Disabled
Any IP Host
VPN tunnel.
Quick Mode Selectors
Local Port: 1701
Remote Port:
Click
Note:
You can also set the authentication to CHAP or PAP or ANY depending on your requirement.
Select the Users/User Groups to give L2TP VPN access. Here we have selected the user
cyberoam.
Click Apply to add these Users/User Groups to the L2TP members list.
Android Configuration
You can configure your Android device to connect with Cyberoam using L2TP VPN by following
the steps given below.
On your device go to Menu > Settings > Wireless and network > VPN settings > Add
VPN and click Add L2TP/IPSec PSK VPN to configure the L2TP settings according to the parameters
given below.
Parameters
VPN name: CyberoamL2TP
Set VPN Server: 192.168.13.120
Set IPSec pre-shared key: cyberoam
The above steps configure L2TP VPN in your Android device and connect it to your L2TP server.