
Declaration ........ 3
Technical support ........ 3
Chapter 1. Preface ........ 3
1.1. This Manual comprises the following parts: ........ 3
1.2. Definitions ........ 4
1.2.1. Definition of format of graphic interface ........ 4
1.2.2. Marks ........ 5
1.3. Introduction ........ 5
1.3.1. IAM Internet Access Management ........ 5
1.3.2. Product structure ........ 8
1.3.3. Working environment ........ 9
Chapter 2. Configuration and management ........ 10
2.1. Use of the control table ........ 11
2.1.1. Log in WEBUI configuration interface ........ 11
2.2. System Configuration ........ 14
2.2.1. Gateway Status ........ 15
2.2.2. Security Status ........ 16
2.2.3. Serial Number ........ 17
2.2.4. Gateway Mode ........ 18
2.2.5. Net Interface ........ 30
2.2.6. Date/Time Setting ........ 31
2.2.7. Console User Management ........ 32
2.2.8. WEBUI Configuration ........ 36
2.2.9. Backup/Restore ........ 37
2.2.10. Restart Operation ........ 38
2.2.11. Auto Update ........ 39
2.2.12. Routing Configuration ........ 40
2.3. Object Setting ........ 45
2.3.1. Application Identification Rule ........ 46
2.3.2. Intelligent Identification Rule ........ 48
2.3.3. Network Service ........ 49
2.3.4. IP Group ........ 52
2.3.5. Time Group ........ 54
2.3.6. URL Group ........ 56
2.3.7. Keyword Group ........ 58
2.3.8. File Type Group ........ 59
2.3.9. Ingress Rule ........ 61
2.3.10. SSL Certificate Management ........ 69
2.4. Firewall ........ 70
2.4.1. Firewall Rule ........ 70
2.4.2. NAT Rule Setting ........ 76
2.4.3. DOS Attack Protection ........ 81
2.4.4. ARP Protection ........ 84
2.5. Internet Access Management ........ 86
2.5.1. Internet Policy ........ 86
2.5.2. Authentication Option ........ 116
2.5.3. Authentication Server ........ 141
2.5.4. Organization ........ 145
2.5.5. Users Import ........ 170
2.5.6. AD Domain Synchronization ........ 174
2.5.7. Online User List ........ 181
2.6. Traffic Mgt System ........ 183
2.6.1. Traffic Status ........ 184
2.6.2. Traffic Mgt ........ 187
2.6.3. Line Bandwidth ........ 198
2.7. Mail Withholding ........ 199
2.7.1. Withholding Policy ........ 199
2.7.2. Audited Mails ........ 200
2.7.3. Unaudited Mails ........ 201
2.8. Internet Action Audit ........ 201
2.8.1. Real-Time Log ........ 202
2.8.2. Traffic Ranking ........ 202
2.8.3. Session Ranking ........ 206
2.8.4. Session Query ........ 207
2.8.5. Access Control Log Option ........ 208
2.8.6. Data Center Setting ........ 208
2.8.7. Data Center ........ 211
2.9. Gateway Troubleshooting ........ 213
2.9.1. View Log ........ 213
2.9.2. Exclude Policy Fault ........ 216
2.10. Advanced Configuration ........ 218
2.10.1. Alarm Setting ........ 218
2.10.2. Proxy Server Control ........ 219
2.10.3. Web Tracking Option ........ 221
2.10.4. Audit Exemption ........ 222
2.10.5. Page Customization ........ 223
2.11. Safety Features Extension ........ 224
2.11.1. Gateway Anti-virus ........ 224
2.11.2. Spam Mail Filter ........ 226
2.11.3. Intrusion Prevention System ........ 234
2.12. DHCP Services ........ 238
2.12.1. DHCP Status ........ 238
2.12.2. DHCP Configuration ........ 239
2.13. User Guide ........ 241
Chapter 3. DLAN Gateway Client Dlanupdater ........ 241

Declaration
Copyright 2008. Copyrights are reserved by SINFOR Technologies Co., Ltd. and its
licensees. All rights reserved.

No unit or individual shall make extracts of or replicate the contents of this Manual partially
or in whole without prior written permission of Sinfor, nor transmit them in any form.

Sinfor serves as the trademark of SINFOR Technologies Co., Ltd. The copyrights of
trademarks, product logos and commodity names of other companies as described in this
Manual are owned by their respective proprietors.

This Manual shall only be used for operating guidance and no description, information and
advice provided in it shall be considered as implied or express guarantee of any form,
unless otherwise stipulated. If the user intends to obtain the latest version of this Manual,
please contact the Customer-Service Department of Sinfor.

Technical support
Global uniform hotline: +86 755 86336042

Email for customer service: overseasupport@sinfors.com.cn

Website: http://www.sinfors.com/en

Chapter 1. Preface
1.1. This Manual comprises the following parts:
Part 1: Overview of IAM Products. This part introduces the appearance and functionality
of IAM products, as well as the preparation work and precautions before use. The
corresponding descriptions are mainly provided in the Preface.

Part 2: Detailed configuration of the Sinfor Dlan M5100-IAM, including system
configuration, route setting, objects, firewall, activity management, spam filter, ingress
system, IPS, DOS protection, gateway anti-virus, traffic statistics, troubleshooting, VPN
configuration, DHCP service and so on. Apart from the detailed configurations, the related
precautions and the methods for reviewing logs are also presented. This information is
mainly found in the section on the Sinfor DLAN M5100-IAM WebUI.

This Manual is based on the M5100-IAM of Sinfor. As the hardware and software
specifications differ between models, users should consult the Customer-Service
Department of Sinfor for details and confirmation of the specification of the product
concerned.

1.2. Definitions
1.2.1. Definition of format of graphic interface

Format: < >
Meaning: The contents in angle brackets < > indicate the names of keys. For example,
click <Enter>.

Format: [ ]
Meaning: The contents in square brackets [ ] indicate the names of windows, menus and
data sheets. For example, pop up the window [New User].

Format: /
Meaning: Multilevel menus are separated by the symbol /. For example, the multilevel
menu [File/New/Folder] means the item [Folder] under the sub-menu [New] of the menu
[File].

1.2.2. Marks
In this Manual, various types of eye-catching marks are employed to show the places where
special attention should be paid during operation. The definitions are as follows:

Caution, attention: Indicates the precautions the user should take into consideration
during operation. Inappropriate operations may result in data loss or equipment damage.

Warning: The text behind this mark tells the user that extra attention should be paid at
this point. Inappropriate operations may result in personal injury.

Remarks, hint, tips and considerations: Necessary complements and explanations to the
descriptions of an operation.

1.3. Introduction
1.3.1. IAM Internet Access Management
1.3.1.1.

Background

Management should be a top priority in the information era.

In China, the popularity of the internet reduces organizations' costs of communicating
with the outside world and brings about a great number of commercial opportunities.
However, the lack of proper internet access management also poses numerous troubles to
users.

First is the lowering of work efficiency. As the internet access of employees is out of
control, it is an open secret that they browse the news, chat about private matters, play
games or buy and sell securities during business hours, the results of which are a drop in
work efficiency, loss of productivity and lagging turnover.

The issue of security also troubles IT managers. The invasion of Trojans, viruses and
malicious code puts the LAN in an extremely dangerous position, while the fact that
phishing websites and spyware remain unabated involves everybody in the issue of
information security. Meanwhile, owing to a lack of information security awareness, some
employees may transmit the confidential documents and information of the organization via
the internet. Most seriously, the organization may be damaged if such a situation is not
controlled properly.

In addition, most users feel the bandwidth is not sufficient for their business operations.
Actually, most of these problems do not come from the carriers, but from the fact that it
is hard to control internet activities in the LAN, for instance the abuse of P2P download
tools like BT, Emule, etc.

Legal issues also puzzle a lot of users. Some employees in the organization may visit
illicit websites, or unknowingly download video, audio and text files whose copyrights are
not respected. Such behavior may get the organization involved in lawsuits.

Uncontrolled internet access has put users on alert. So what can be done to address
such issues?

1.3.1.2.

Solutions

As an advocate and leader in the field of internet access management, Sinfor has launched
SINFOR IAM, an internet access management device consisting of such modular
functionalities as access control, content supervision, security review, bandwidth traffic
management and data center administration software. It addresses the disadvantage that
firewalls emphasize external rather than internal problems and that effective management
of internet access is lacking. This device provides overall and detailed solutions as
follows:

Overall growth of work efficiency

SINFOR IAM not only provides control over such common services as visiting websites,
FTP and mail, but also limits and controls various types of P2P and IM activities such as
QQ, BT, MSN and Skype. Meanwhile, IAM provides a personalized time management
strategy which allows administrators to rationally arrange the internet access time for
departments and individuals on the basis of the organization's operations, and to set
different access permissions according to the time, effectively enhancing work efficiency.

Optimization of network bandwidth

Through Network Traffic Intelligence Analysis (NTIA), administrators can distribute the
designated bandwidth to different departments and applications, not only solving the
problem that bandwidth is occupied by various sorts of software, but also further improving
the management of network resources.

Protection of information assets and avoidance of legal risks

As a professional internet access management product, IAM can fully record and save the
information sent from the intranet to the internet. Apart from common applications such as
URL records, FTP upload and download and posting BBS comments, Sinfor can use its
cutting-edge technology RMM (Real-time Monitor For Messages, the first of its kind in
China) to monitor and record the contents of encrypted chats.

1.3.1.3.

Technological benefits

Complete P2P blocking: Based on analysis of the applicable protocols and inspection of
traffic, SINFOR IAM can completely block various types of P2P software and control
per-user traffic, enabling different users to receive their respective bandwidth.

Delayed Email Review: As a patented technology owned by Sinfor, Delayed Email Review
can delay the sending of the emails of specific departments and employees. Only those
that have been checked by the information security staff can be sent out, and
nonconforming emails will be returned, greatly reducing the possibility of information
leakage.

NAR: As another patented technology of Sinfor, IAM's NAR (Network Admission Rules)
can evaluate clients before allowing network access. The objects to be evaluated include
the operating system of the host, the version of the software and its patch level. Users
with lower security indexes within the intranet obtain fewer network access permissions.
Only those whose systems conform to the required security standards and who use safe
software can access the internet normally.

Data center: The data center provides users with a powerful web log database. Through
this data center, users can query all access records within the intranet, including the web
pages, occupation of bandwidth, information sent by intranet users and trends in network
application, quickly and visually understanding network efficiency.

1.3.2. Product structure

Figure 1: Front panel of Sinfor IAM (taking M5100-IAM as an example)

1. Control port; 2. LAN port; 3. DMZ port; 4. WAN1; 5. WAN2;
6. Power indicator; 7. Alarm lamp

The alarm lamp is illuminated in solid red during the start-up process. Normally, this red
lamp will be turned off after one or two minutes, indicating that the start-up process is
normal. If the red lamp is not turned off for a long time, please shut down the equipment,
wait for another five minutes, then reset the machine again. If the alarm lamp is still
solidly illuminated after that, please contact Sinfor's Customer-Service Department to
confirm whether the device is damaged. After the start-up process has completed
normally, it is a normal phenomenon for the red lamp to flash, meaning the device is
writing the log.

The control port is only used for R&D and commissioning purposes. The end user can
only connect to the device via the network ports.

Figure 2: Rear panel of Sinfor IAM (taking M5100-IAM as an example)

1. Cooling fan; 2. Power port; 3. Power switch

1.3.3. Working environment


SINFOR IAM hardware gateway products require the following working environment:
Input voltage: 220~240V
Temperature: -10~50°C
Humidity: 5~90%

To ensure the long-term and steady running of the system, the power supply should be
properly grounded, dustproof measures taken, the working site well ventilated and the
room temperature kept stable. This product conforms to the requirements on environmental
protection.

Make sure the device works in the suggested environment. Otherwise, the device may be
damaged or age earlier than designed.

Power supply

SINFOR IAM hardware gateway products use a 220V-240V power supply. Please make
sure the power supply is correctly grounded before connecting.

Proper grounding of the device can protect it against lightning strikes.

Chapter 2. Configuration and management


Before the gateway is configured, you need one PC. Connect the PC and the SINFOR IAM
hardware gateway to the same LAN and carry out the configuration over the network.

Wiring

Please follow the procedures below for the wiring of the IAM hardware devices.

Insert the power plug into the power port on the rear panel and turn on the power switch;
the Power lamp (green) and Alarm lamp (red) will be illuminated. The alarm lamp will be
turned off in about 1-2 minutes, indicating the normal working state of the gateway.

If the red lamp is still illuminated five minutes after the device is turned on, please shut
down the equipment, wait for another five minutes, then start the machine again. If the red
lamp is still illuminated after that, please do not turn off the device and wait for another 30
minutes. If the illumination state still remains unchanged, the equipment may have a
fault. In this case, please contact the Customer-Service Department of Sinfor for
inspection.

Use a standard RJ-45 Ethernet cable to connect the LAN port to the intranet, and configure
the IAM hardware gateway from a PC which is in the same network segment as the IAM
device.

Use a standard RJ-45 Ethernet cable to connect the WAN1 port to the internet access
equipment, such as a router, optical fiber transceiver or ADSL modem.

A multi-line IAM hardware gateway can support multiple lines. For this purpose, connect
WAN2 and the other WAN ports to the other internet access cables.

Use a standard RJ-45 Ethernet cable to connect the DMZ port to the network of the DMZ
section. Normally, the DMZ section contains the Web server, email server and other
devices that provide services. The SINFOR IAM hardware device can provide security
protection for these servers against various DOS attacks, including SYN FLOOD, and
against hacker intrusion.

2.1. Use of the control table


2.1.1. Log in WEBUI configuration interface
IAM supports secure HTTPS login on the standard HTTPS port. The initial login URL is
https://10.251.251.251.

Logging on to the WEBUI with HTTPS to manage IAM prevents the configuration
information from being captured during transmission.

Once the wiring is completed according to the method above, you can configure the Sinfor
IAM hardware gateway device via the Web interface, with the procedure described as
follows:

First configure an IP address in the 10.251.251.X network segment on the PC (for example,
10.251.251.100). Then enter the default login IP and port https://10.251.251.251 in the IE
browser. The following security prompt will appear:

After you click <Yes>, the following login interface will appear:

At this time, the browser will pop up the hint "Install ActiveX control", as shown in the
following figure. Please click <Install ActiveX Control>. If no hint appears, you can click
the manual download link for the ActiveX control below the login box and install the control
as instructed.

Enter [Username] and [Password] in the login box and click <Login>; you can then log in
to the IAM gateway to carry out the related configuration. The default username and
password are both Admin.

If you want to view the version number of the current gateway, click <Version>, and the
version information of the current hardware will appear.

Before configuration, make sure the PC used for configuration and the SINFOR IAM
hardware gateway are in the same network segment, and that the PC does not use
10.251.251.251 itself. After the system is powered on, observe the alarm lamp on the front
panel; if it goes out, the gateway has started up successfully. Normally this lamp will be
turned off 1-2 minutes after the machine is powered on. If this lamp flashes during
running, a warning may have occurred.

Configuration and use


After you log in to the IAM hardware gateway, you can carry out configuration of the IAM
hardware gateway.

If the button <OK> (confirm) is present in any configuration interface, you should click this
button after the related configuration is completed so that the settings take effect on the
gateway. The same requirement applies to the other parts that follow, but it will not be
repeated there. When the intranet and internet interfaces are configured, the key module
may be restarted at the time the gateway's running mode is switched, which can result in
the network connection being dropped and having to be resumed. This is a normal
phenomenon; the system will be restored after you log in to the IAM gateway again.

2.2. System Configuration


[System Configuration] includes [Gateway Status], [Security Status], [Serial Number],
[Gateway Mode], [Net Interface], [Date/Time Setting], [Console User Mgt], [WEBUI
Configuration], [Backup/Restore], [Restart Operation], [Auto Update] and [Routing
Configuration]. The configuration interface is shown as follows:

2.2.1. Gateway Status


[Gateway Status] is used to view the working state of the IAM hardware gateway. In this
item, you can view [CPU usage], [WAN IP], [Session count], [Network state], etc. You can
also view [Session ranking], [Traffic ranking], [Session query] and [Online user].

If you click [Session ranking], you can see the session ranking on the IAM hardware
gateway and the exact number of sessions per IP. For details, please refer to [Internet
Action Audit/Real-Time Log/Session Ranking].

If you click [Traffic ranking], you can see the top ten current upstream and downstream
traffic consumers, and see directly which group each IP belongs to and how much upstream
and downstream traffic it uses. Click <get> under the machine name column to obtain the
machine name corresponding to the IP. For details, please refer to [Internet Action
Audit/Real-Time Log/Traffic Ranking].

If you click [Session Query] and enter the IP address you want to enquire about, you can
see the connection status of this IP. For details, please refer to [Internet Action
Audit/Real-Time Log/Session Query].

If you click [Online user], you can see the online users who have been authorized by IAM
authentication, and the login time and online duration of each IP. In addition, you can
<Logout> or <Block> a user on this page. For details, please refer to [Internet Access
Mgt/Online User List]. The configuration interface is shown as follows:

2.2.2. Security Status


The [Security Status] interface displays statistics on the network security of the IAM
hardware gateway, including mails infected with viruses, files infected with viruses,
DOS/ARP attacks, etc. The interface is shown below:

2.2.3. Serial Number


[Serial Number] is used to control the number of lines, number of branches, number of
authorized mobile users, anti-virus licenses and so on. Different serial numbers correspond
to different numbers of lines. [Gateway anti-virus authorization], [Application
filtering/URL library update] and [Multi-Function authorization] are optional modules.

[Gateway anti-virus authorization] is used to activate upgrading of the anti-virus module.

Click <Activate Multi-Function> and enter the serial number to activate the Multi-Function
authorization. Multi-Function includes spam filtering, IPS, tracking, DKEY and Data
Center management.

[Application filtering/URL library update] is used to activate the URL and Application
Identification Rule libraries. After activation, the AC can update these libraries.

2.2.4. Gateway Mode


[Gateway Mode] is used to set the working mode for IAM hardware gateway. You can set
the IAM hardware gateway as route mode, bridge mode or bypass mode. The setting
interface is shown as below:

Click <Configure>; the options <Route Mode>, <Bridge Mode> and <Bypass Mode> will
appear. Select your desired gateway mode and click <Next>.

2.2.4.1.

Route Mode

[Route Mode] is used to set the IAM hardware gateway as a routing device. In this case,
the IAM hardware device is placed at the exit of the intranet as the gateway and acts as
the LAN's agent for internet access. Alternatively, the IAM hardware device is placed
behind the router and acts as the LAN's agent for internet access, as shown in the figure
below:

1. When the IAM hardware gateway is working in route mode, the gateway of every PC
within the LAN points to the LAN port of the IAM hardware gateway or to the Layer 3
switch, while the gateway of the Layer 3 switch in turn points to IAM. IAM forwards the
network data via the router using NAT.
2. IP addresses in different network segments must be set for WAN and LAN.
3. If the WAN2 port is not used, you can define WAN2 as LAN2 or DMZ2.
4. After the LAN port is configured with an 802.1Q VLAN address, the LAN port can
connect to the TRUNK port of the VLAN Layer 2 switch. IAM can forward data between
VLANs (single-port routing) and apply the firewall rules in the LAN<->LAN direction. In
other words, IAM can control access between different VLAN IDs.

[Gateway Route Mode Configuration]: The configuration interface under route mode is
shown as below:
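An added example, not part of the manual or Sinfor's software, that checks a candidate deployment against the route mode rules above (WAN and LAN in different segments, LAN PCs pointing at the LAN port) and the bridge mode notes in section 2.2.4.2 (no NAT, no VPN, only WAN1/LAN bridged, a bridge IP with gateway and DNS when upgrades, anti-virus or mail filtering are enabled). The configuration fields are assumptions, not the appliance's own schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class GatewayConfig:
    """Hypothetical view of the IAM gateway mode settings (assumed field names)."""
    mode: str                               # "route" or "bridge"
    lan_ip: Optional[str] = None            # route mode, e.g. "192.168.1.1/24"
    wan_ip: Optional[str] = None            # route mode, e.g. "10.0.0.2/24"
    pc_default_gateway: Optional[str] = None  # gateway configured on LAN PCs
    nat_enabled: bool = False
    vpn_enabled: bool = False
    bridge_interfaces: Tuple[str, ...] = ("WAN1", "LAN")
    bridge_ip: Optional[str] = None         # management IP of the bridge itself
    default_gateway: Optional[str] = None
    dns: Optional[str] = None
    auto_update: bool = False               # URL / virus database auto-upgrade
    gateway_antivirus: bool = False
    mail_filter: bool = False


def check_route_mode(cfg: GatewayConfig) -> List[str]:
    problems = []
    if not cfg.lan_ip or not cfg.wan_ip:
        return ["route mode needs both a LAN and a WAN interface address"]
    lan_if = ipaddress.ip_interface(cfg.lan_ip)
    wan_if = ipaddress.ip_interface(cfg.wan_ip)
    # Rule 2: WAN and LAN must be in different network segments.
    if lan_if.network.overlaps(wan_if.network):
        problems.append(f"WAN {wan_if.network} and LAN {lan_if.network} overlap; "
                        "use different network segments")
    # Rule 1: LAN PCs (or the Layer 3 switch) must use the LAN port as gateway.
    if cfg.pc_default_gateway and cfg.pc_default_gateway != str(lan_if.ip):
        problems.append(f"LAN PCs point at {cfg.pc_default_gateway}, "
                        f"not at the IAM LAN port {lan_if.ip}")
    return problems


def check_bridge_mode(cfg: GatewayConfig) -> List[str]:
    problems = []
    # Note 6: NAT must not be activated in bridge mode.
    if cfg.nat_enabled:
        problems.append("NAT must be disabled in bridge mode")
    # Note 7: IAM's own VPN cannot run in bridge mode.
    if cfg.vpn_enabled:
        problems.append("IAM VPN is not available in bridge mode")
    # Note 4: only WAN1 and LAN carry bridged traffic; WAN2 cannot be used.
    extra = set(cfg.bridge_interfaces) - {"WAN1", "LAN", "LAN1"}
    if extra:
        problems.append(f"only WAN1 and LAN can be bridged, not {sorted(extra)}")
    # Notes 2 and 9: the bridge needs its own IP, default gateway and DNS when
    # the device itself must reach the internet (upgrades, anti-virus, mail filter).
    if cfg.auto_update or cfg.gateway_antivirus or cfg.mail_filter:
        missing = [name for name, value in (("bridge IP", cfg.bridge_ip),
                                            ("default gateway", cfg.default_gateway),
                                            ("DNS", cfg.dns)) if not value]
        if missing:
            problems.append("bridge mode with auto-update/anti-virus/mail filter "
                            f"requires: {', '.join(missing)}")
    return problems


def validate(cfg: GatewayConfig) -> List[str]:
    """Return an empty list when the configuration satisfies the listed rules."""
    if cfg.mode == "route":
        return check_route_mode(cfg)
    if cfg.mode == "bridge":
        return check_bridge_mode(cfg)
    return [f"unknown gateway mode {cfg.mode!r}"]


# Constructed sample configurations (not taken from a real deployment).
ROUTE_OK = GatewayConfig("route", lan_ip="192.168.1.1/24", wan_ip="10.0.0.2/24",
                         pc_default_gateway="192.168.1.1")
ROUTE_OVERLAP = GatewayConfig("route", lan_ip="192.168.1.1/24", wan_ip="192.168.1.2/24",
                              pc_default_gateway="192.168.1.1")
BRIDGE_OK = GatewayConfig("bridge", bridge_ip="192.168.1.250/24",
                          default_gateway="192.168.1.254", dns="192.168.1.253",
                          auto_update=True)
BRIDGE_BAD = GatewayConfig("bridge", nat_enabled=True, auto_update=True)

if __name__ == "__main__":
    for name, cfg in (("ROUTE_OK", ROUTE_OK), ("ROUTE_OVERLAP", ROUTE_OVERLAP),
                      ("BRIDGE_OK", BRIDGE_OK), ("BRIDGE_BAD", BRIDGE_BAD)):
        print(name, validate(cfg) or "ok")
```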

Under the route mode, configure [LAN interface configuration], [WAN interface
configuration] and [NAT configuration], then click <Finish> to save the settings.

2.2.4.2.

Bridge Mode

[Bridge mode], similar to transparent mode, uses the IAM hardware gateway as a network
cable with a filtering function. This mode is used only when it is not easy to change the
original topology of the network. In this mode, the IAM hardware is connected between the
original gateway and the intranet users and used without modifying the configuration of the
original gateway or the intranet users. The original gateway and the intranet users do not
notice the existence of the IAM hardware gateway; in other words, IAM is transparent to
them. The major difference between bridge mode and transparent mode is that the former
passes data link layer traffic through and is completely transparent to users. It is strongly
recommended that bridge mode be used in a topology such as the one shown in the figure
below:

The related configuration interface is shown as below:

Multi-Interface & Multi-Bridge

Bridging over other interfaces of IAM provides multiple bridge channels, to support a
backup bridge environment and an intranet with dual-machine redundancy.

Examples of multi-bridge operating environments:

Operating environment 1: S1 connects to two external lines, into which the IAM network
bridge is inserted.

Operating environment 2: To enhance the stability of the network and reduce single points
of failure, both the core switch of the intranet and the router use dual machines as shown
below. The VRRP protocol is used between the main and standby routers (R1 and R2) and
switches (S1 and S2). When the main machine is shut down, the standby machine takes
over the virtual IP and the network.

To add the IAM device to this environment and provide dual-machine backup, there are two
ways of connection.

The configuration interface of multi-bridge is shown as below:

Under the item [Multi-Network interface and Multi-Bridge configuration], choose the
multi-interface configuration.

Under the item [LAN zone network interface list], choose the interfaces connected to the
internal network.

Under the item [WAN zone network interface list], choose the interfaces connected to the
outgoing devices.

Under the item [Bridge direction], define the forwarding direction of data. Combined with
the firewall setup, a direction of data communication can be allowed or denied.

1. When IAM hardware gateway is working in bridge mode, the gateways of PCs within the LAN do not need to be changed; they keep the original gateway direction (that is, they point to the intranet interface IP of the pre-set equipment).
2. When IAM hardware gateway is working in bridge mode, the WAN port and LAN port are bridged. Both are located in the same switching domain and function as two interfaces of a switch. The IPs of the WAN port and LAN port can't be configured, and the interface configuration for both intranet and internet is hidden under bridge mode. One IP (a virtual IP for this device) can be configured for the device and used for internet access of the device itself and for sending the device's logs to the data center. This IP must be routable to the public network or the data center.
3. When IAM hardware gateway is working in bridge mode, an exclusive physical connection between the original gateway and the intranet users must be guaranteed, and IAM hardware gateway must be connected in series on this physical line. In other words, no intranet user should be connected to the physical line of the original gateway without passing through IAM hardware gateway.
4. When IAM hardware gateway is working in bridge mode, WAN2 of IAM hardware gateway can't function and can't be configured. One administrative IP can be configured for the DMZ port. Only WAN1 and LAN1 can be used for data pass-through. Meanwhile, it must be guaranteed that no reverse connection happens: the WAN1 port is connected to the pre-set router and the LAN port to the intranet switch.
5. The bridge mode of IAM hardware gateway realizes transparency on the basis of the data link layer (Layer 2 of OSI) and works via the connection between IAM's WAN1 port and LAN port. Both the data link layer and the layers above it can be passed through. Functions that need Layer 2 pass-through, such as IP/MAC binding by the original gateway and DHCP, work normally.
6. Do not activate the NAT function under bridge mode.
7. The VPN function of IAM itself can't be realized under bridge mode.
8. Do not connect the device's WAN1 and LAN ports to the same switch. Doing so has the same effect as connecting one network cable to two ports of a switch, which results in a Layer 2 loop and thus abnormal communication.
9. If gateway anti-virus, mail filter or other functions are activated, or you want the device to auto-upgrade the URL database, content inspection rules, virus database, etc., the bridge IP, default gateway and DNS must be configured, and it must be guaranteed that IAM itself can access the internet (a ping test can be conducted via the upgrade console tool).
10. If WEB authentication, admission rules or other functions that need to be redirected to IAM gateway are activated, and multiple network segments exist within the intranet, routes for the non-directly connected network segments should be added, pointing to the routing device of the intranet.
11. If the PCs on the Layer 2 switch belong to multiple network segments (other than the LAN segment), the gateway should also have IPs in those network segments. If the anti-virus function, mail filtering, admission rules, WEB authentication or other functions that need to be redirected to IAM gateway are activated, the IPs of the multiple network segments should also be configured under [multiple-IP binding] of [bridge mode]. Otherwise, the configuration can't take effect.
12. Under bridge mode, IAM bridge supports VLAN TRUNK pass-through, and the IP address of the bridge supports 802.1Q-VLAN addresses. In other words, IAM gateway can be transparently connected to a VLAN TRUNK. Through [gateway state/bridge mode/VLAN configuration], the bridge mode can be set to support VLAN TRUNK.
The related configuration interface is shown as below:

Enter the [VID] here, add the VLAN address and mask, then click <add>.
Only when the anti-virus function, mail filter, admission rules, WEB authentication or other functions that need to be redirected to IAM gateway are activated should this IP be configured. Otherwise, it is fine if the VLAN IP is not configured.

2.2.4.3. Bypass Mode

When the monitoring function is realized via bypass mode, the network environment of the users does not have to be changed, and the risk that the network is interrupted by IAM is avoided. In this mode IAM is connected to the mirror port of the switch or to a hub, and it monitors and controls the whole LAN from the side. This mode does not affect the network environment, and the network won't be interrupted even when the device is DOWN. The topological structure is shown as below:

In [Gateway Mode], you can set IAM to bypass mode, as shown in the figure below:

The IP address configured here is used for the administrative interface (DMZ port). To enable the console or the upgrade system to connect to IAM for management, the IP address and gateway of this interface must be set correctly and the network cable connected to the DMZ port. Click <next> and enter the network segments to be monitored. In bypass mode only one network cable is needed, connecting the LAN port or WAN1 port of IAM to the hub or to the mirror port of the switch, so IAM doesn't know which addresses belong to the intranet and which to the internet. Therefore, IAM treats the addresses listed in [Monitor network segment list] as intranet addresses and records them, and doesn't record addresses that are not in the list.

The related configuration interface is shown as below:

Click <next> again to configure the excluded IPs. When an address belongs to [Monitor network segment list] but you don't want it to be recorded, you can enter this address into [excluded IP list]. That is to say, addresses in [excluded IP list] won't be recorded.

The related configuration interface is shown below:

1. The user must use a hub or a switch with a mirror port. If the switch doesn't have a mirror port, you can add a hub in front of the switch to realize this function.
2. In bypass mode, the functions of traffic display and session counting can't be activated.
3. In bypass mode, when the data within the intranet is monitored, the return data packets of TCP connections will also be recorded. For example, when a visits port 80 of b, the network monitor log will record not only the data from a to port 80 of b, but also the return data from b to the random port of a.
4. In bypass mode, when an agent (proxy) is used, an IP address in the same network segment as the agent must be bound at the bypass (or there must be a route which can reach this IP), so that the reset packet sent by IAM can be received by the PC or proxy server.
5. In bypass mode, a number of functions which can be realized under route mode, such as VPN, DHCP and admission rules, can't be realized.
6. The bypass mode is mainly used for monitoring, and its restriction capability does not reach the same extent as route mode and bridge mode. In other words, it can only restrict TCP connections, such as URL filtering, keyword filtering, mail filtering and so on. It can't restrict UDP, such as P2P software and QQ login, etc.
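The recording decision described above (an address is recorded only if it lies in [Monitor network segment list] and not in [excluded IP list], and the return packets of a monitored TCP session are attributed to the intranet side), as an added example that is not part of the manual or of Sinfor's product. The segment list, the excluded address and the sample flows are constructed for illustration.

```python
import ipaddress


def build_intranet_check(monitor_segments, excluded_ips):
    """Return a predicate deciding whether an address counts as a monitored
    intranet address: inside [Monitor network segment list] and not listed
    in [excluded IP list]."""
    nets = [ipaddress.ip_network(s, strict=False) for s in monitor_segments]
    excluded = {ipaddress.ip_address(e) for e in excluded_ips}

    def is_monitored(addr):
        ip = ipaddress.ip_address(addr)
        return ip not in excluded and any(ip in n for n in nets)

    return is_monitored


def record_flows(flows, is_monitored):
    """Return the (intranet_host, peer, proto) entries that would be logged.

    A flow is attributed to its monitored endpoint. A TCP return packet
    (server -> client) is still attributed to the intranet client, which is
    why the manual notes that return data of TCP sessions is recorded too."""
    recorded = []
    for src, dst, proto in flows:
        if is_monitored(src):
            recorded.append((src, dst, proto))
        elif is_monitored(dst):
            recorded.append((dst, src, proto))
    return recorded


# Constructed sample configuration and mirror-port traffic (not from the manual).
MONITOR_SEGMENTS = ["10.1.0.0/16", "192.168.2.0/24"]
EXCLUDED_IPS = ["10.1.0.250"]
SAMPLE_FLOWS = [
    ("10.1.5.3", "203.0.113.9", "TCP"),     # intranet client -> internet server
    ("203.0.113.9", "10.1.5.3", "TCP"),     # return packet of the same session
    ("10.1.0.250", "203.0.113.9", "TCP"),   # excluded address: not logged
    ("172.16.1.1", "203.0.113.9", "UDP"),   # not in any monitored segment
]


def demo():
    """Run the sample flows through the constructed configuration."""
    return record_flows(SAMPLE_FLOWS,
                        build_intranet_check(MONITOR_SEGMENTS, EXCLUDED_IPS))


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Only the two packets of the monitored session survive, both attributed to 10.1.5.3; the excluded address and the unlisted segment produce no log entry.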

2.2.5. Net Interface


In route mode, the configuration for the interfaces can be conducted in this interface. In
other modes, the configuration for interfaces should be conducted in pages of gateway
mode.

The related configuration interface is shown as below:

Under the item [Basic information of LAN interface], the LAN port's IP address and mask can be configured. If multiple IP addresses are needed, you can add the multiple IPs to be bound here. Click <Next> to select whether VLAN should be activated. If the interface through which the intranet's switch is connected to IAM uses a Trunk, you can configure the IP and the VLAN ID for each VLAN at the LAN port.

After the LAN port is configured with 802.1Q VLAN addresses, the LAN port can connect to the TRUNK port of a Layer 2 VLAN switch. IAM can then forward data between different VLANs (single-port routing) and apply the firewall rules in the LAN<->LAN direction. In other words, IAM can control access between VLANs. This configuration can be used in network environments compatible with VLAN (802.1Q).

Under the item [Basic information of DMZ interface] , the IP address and mask of DMZ
can be configured.

Under the item [Basic information of WAN interface], you can configure the access mode for internet lines. If multiple lines are available, you can configure the second one at the WAN2 port.

The item [Basic information of WAN2 interface] can not only be used to configure the second internet line, but the port can also be customized as a LAN port or DMZ port.

Under the item [Multi-lines configuration information], you can configure the bandwidth distribution plan for multiple lines. In the interface configured for multiple internet lines, you can see four options which correspond to their respective plans. For an introduction to each option, refer to the help and hint text in the interface. It is applicable to environments with multiple internet lines.

2.2.6. Date/Time Setting


The item [Date/Time Setting] is used to set the system time of SINFOR IAM hardware
gateway.

Under the item [Time Zone], choose the current time zone of the device.

Change the time on the interface directly, and click <OK> to save the setup. The interface
is shown as below:

Click <System time> to refresh the time of the IAM hardware gateway.

Click <Local time> to set the system time of IAM to the time of the computer which is used for console login.

2.2.7. Console User Management


[Console User Management] is used to set the login users that can manage the IAM
gateway with the console.

<Select All> and <Select Inversely> are used to choose the console users you want to edit
quickly.

<Delete>, <Enable>, and <Disable> are used to delete, enable, or disable the console
users.

Click <Add>, and the [Add/Modify Console User] page pops up as below:

Fill in words that are easy to remember in [Username] and [Depict]. It is recommended to use words that are easy to identify.

Under the item [Password], set the login password.

<System administrator> and <Common administrator> are available in [Administrator type].

<System administrator> has the highest privilege by default and can manage all functions and user groups.

<Common administrator> can be given detailed management rights. For the detailed setup, please refer to the descriptions below.

[Login IP setting] is used to restrict the login IP of the console user. A single IP or an IP segment can be entered. You can set only one IP item per line, for up to 32 lines.
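The [Login IP setting] restriction (one single IP or IP segment per line, at most 32 lines, console login allowed only from a listed address), as an added example that is not part of the manual or of Sinfor's product. The manual does not show the textual form of a segment; the "low-high" notation, the treatment of an empty setting as unrestricted, and the sample addresses are assumptions made here.

```python
import ipaddress

MAX_LINES = 32  # the manual's limit for [Login IP setting]


def parse_login_ip_setting(text):
    """Parse the lines of [Login IP setting] into (low, high) address ranges.

    Assumed line formats (not shown in the manual): a single IP such as
    "10.0.0.5", or an IP segment written as "10.0.0.1-10.0.0.50".
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) > MAX_LINES:
        raise ValueError(f"at most {MAX_LINES} lines allowed, got {len(lines)}")
    ranges = []
    for line in lines:
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed segment: {line}")
        else:
            lo = hi = ipaddress.ip_address(line)
        ranges.append((lo, hi))
    return ranges


def setting_is_valid(text):
    """True if the setting text parses under the rules above."""
    try:
        parse_login_ip_setting(text)
        return True
    except ValueError:
        return False


def login_allowed(ranges, client_ip):
    """A console login is allowed only from an address inside one of the ranges.
    An empty setting is treated as 'no restriction' (assumption)."""
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(lo <= ip <= hi for lo, hi in ranges)


# Constructed sample setting: one admin workstation and one admin subnet slice.
SAMPLE_SETTING = """10.0.0.5
10.0.1.1-10.0.1.20
"""

if __name__ == "__main__":
    allowed = parse_login_ip_setting(SAMPLE_SETTING)
    for ip in ("10.0.0.5", "10.0.1.7", "10.0.2.1"):
        print(ip, "allowed" if login_allowed(allowed, ip) else "denied")
```

Rejecting a reversed segment and enforcing the line limit at parse time keeps a mistyped entry from silently widening console access.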

<Common administrator>: A common user has to be granted each privilege individually. The configuration interface is shown as below:

The privileges include [Organization Management], [System Configuration], [Object Setting], [Firewall], [Internet Access Mgt], [Traffic Mgt System], [Mail Withholding], [Internet Action Audit], [Gateway Troubleshooting], [Advanced Configuration], [Safety Features Extension] and [DHCP Service].

[Organization Management] is to set the authority of console users to manage the user
groups. The user group can be selected. To manage the group, click <Select> to select
the group from the IAM organization.

[Organization Management]: There are five kinds of privileges, including <View privilege>,
<Member management privilege>, <Policy management privilege>, <Mail delay audit
privilege>, and <DataCenter audit privilege>.

[View privilege]: View the user and sub-group information in the selected group; view the
use policy of the group, and its online user list.

[Member management privilege]: Manage or modify the user and sub-group information in
the selected group. The user can view or freeze the online users when this option is
selected.

[Policy management privilege]: Manage the policy of the users and sub-group in the
selected group. The user can view the relevant information when this option is selected.

[Mail delay audit privilege]: This privilege can be set independently, and allocated
according to different groups. It is mainly used to audit the delay audit mail in selected
group.

[DataCenter audit privilege]: Based on the privileges of the built-in data center, the user can log in to the data center to view the logs of the selected group. [System Management] and [Customize Report] can be assigned separately.

For normal configuration modules, such as [System Configuration] and [Object Setting],
[Edit] and [View] privileges can be appointed.

1. With the policy management privilege, you can only modify the relationship between groups/users and the policy. You cannot modify the policy itself unless you created it or you are the system administrator.
2. When you have neither the view nor the edit privilege for a module, that module will not be shown on the left when the user logs in to the IAM console.

2.2.8. WEBUI Configuration


You can set the [Default encoding], [HTTPS login port], [Auto log off time], and [Web
overtime] in [WEBUI Configuration].

The configuration interface is shown as below:

[Default encoding]: Sets the encoding assumed when unrecognizable encodings appear in the monitored data.

[HTTPS login port]: Sets the port of the HTTPS protocol used when logging on to the WEBUI. The default port is 443.

[Auto log off time]: Sets the idle timeout of the console. The system will log off automatically if there is no action on the console within the set time.

[Web overtime]: Sets the timeout for opening other pages of the console. The system will consider the request timed out and stop trying to open the page if it does not open within the set time.

2.2.9. Backup/Restore
You can back up and restore the configuration here. <Click to download configuration> enables you to back up the current configuration. To restore a configuration, click <Browse>, open the backup file, then click <Restore> to restore the backed-up configuration.

The configuration interface is shown as below:

2.2.10. Restart Operation


You can <Restart gateway> or <Restart service> in the following interface:

2.2.11. Auto Update


[Auto Update] updates the [Virus library], [URL library], [Gateway Firmware], [Application recognition] and [Ingress inner rule]. The interface is shown as below:

You can make a tick in <Enable> to choose the libraries that need auto update.

The library can be updated by clicking the corresponding <Update now> within the period
of validity.

Click <Roll back> to restore the corresponding library to the previously installed rules library.

If IAM cannot connect to the internet directly but there is an HTTP proxy server in the network, you can set the <HTTP proxy> configuration in [Proxy server] so that IAM can reach the internet to update the corresponding rules. Set the [IP] and [port] of the server; if the server requires authentication, set the [Username] and [Password] in the box.

To ensure the update speed, you can appoint an update server in [Select server].

Generally, to get the fastest speed, it is recommended to choose the server of the same operator as the IAM internet line.

2.2.12. Routing Configuration


[Routing Configuration] includes [System Routing]and[Policy Routing], mainly used for
setting the routes related to the IAM hardware gateway itself.

2.2.12.1. Policy Routing


The [Policy Routing] function of SINFOR IAM hardware gateway is used, when multiple internet lines are available, to set routes based on policies that match conditions such as source/destination IP, source/destination port and protocol, so that the internet line used as the export for matching traffic is determined manually. The related configuration interface is shown as below:

Click <Add>, and the dialogue box [Policy Routing Setting] appears as follows:

Enter the name you want into the item [Route name].

At [Source IP Address] and [Destination IP Address], enter the addresses that a data packet must carry to be matched by this policy route. The system supports four types of setting: <All IP Address>, <Single IP Address>, <IP Address range> and <Subnet>.

[Protocol type] is the protocol of the data packets; its options are <ALL>, <TCP>, <UDP>, <ICMP> and <OTHER>. When TCP/UDP is selected for [Protocol type], you can set [Source port] and [Destination port]; when [Other] is selected, the [Protocol number] needs to be set.

At [Source port] and [Destination port], enter the ports that a data packet must carry to be matched by this policy route.

The item [Destination line] selects which line is used as the internet export to transmit the data packet when the aforesaid conditions of the policy route are met.

For example, if IAM hardware gateway has two internet lines, with Line 1 from China Telecom and Line 2 from China Netcom, and you want to split internet access between them, you can set [Policy Routing] rules similar to the ones shown below:

It is supposed here that all addresses of China Netcom are located at 221.199.32.0/20, so
when [Destination IP Address] is set as 221.199.32.0/20 and [Destination Port] as 80, all
data packets use the policy routing that Line 2 is the [Destination Line].

Through <Moveup> and <Movedown>, the matching order of the route can be adjusted.
With routes of similar conditions, priority is given to the upper ones for matching.

1. If the designated line can't be used, IAM will automatically switch the data to a usable one.
2. If you want the routing tables of the carriers, you can contact the customer-service department of Sinfor. After you get the table, select the path where the routing table is saved in the policy routing interface and click <Import>.
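The matching logic described in this section, as an added example that is not part of the manual or of Sinfor's product: the four address types (<All IP Address>, <Single IP Address>, <IP Address range>, <Subnet>), the protocol and port fields, top-to-bottom first-match order (<Moveup>/<Movedown>), and the fallback to a usable line from note 1. The sample rule mirrors the China Netcom example above; the line names, the textual "low-high" and "net/len" formats, the packet dictionary layout and the second sample rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    name: str
    dst_line: str
    src: str = "all"        # "all", "x.x.x.x", "low-high" or "net/len" (assumed formats)
    dst: str = "all"
    proto: str = "ALL"      # ALL, TCP, UDP, ICMP or OTHER
    sport: tuple = ()       # (low, high); () means any port
    dport: tuple = ()
    proto_number: int = 0   # only consulted when proto == "OTHER"


def addr_match(spec, addr):
    """Match one address against an <All>/<Single>/<Range>/<Subnet> setting."""
    ip = ipaddress.ip_address(addr)
    if spec == "all":
        return True
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip <= hi
    return ip == ipaddress.ip_address(spec)


def port_match(rng, port):
    return not rng or rng[0] <= port <= rng[1]


def rule_match(rule, pkt):
    if not addr_match(rule.src, pkt["src"]) or not addr_match(rule.dst, pkt["dst"]):
        return False
    if rule.proto == "ALL":
        return True
    if rule.proto in ("TCP", "UDP"):
        return (pkt["proto"] == rule.proto
                and port_match(rule.sport, pkt.get("sport", 0))
                and port_match(rule.dport, pkt.get("dport", 0)))
    if rule.proto == "ICMP":
        return pkt["proto"] == "ICMP"
    return pkt.get("proto_number") == rule.proto_number   # OTHER


def select_line(rules, pkt, usable_lines, default_line):
    """Walk the rules top to bottom; the first match decides the line.
    If the designated line is down, fall back to the first usable line (note 1);
    with no match, the packet takes the default line."""
    for rule in rules:
        if rule_match(rule, pkt):
            if rule.dst_line in usable_lines:
                return rule.dst_line
            return next(iter(usable_lines), default_line)
    return default_line


# Constructed rules: the manual's Netcom example plus an assumed branch-office rule.
SAMPLE_RULES = [
    PolicyRoute(name="Netcom web", dst_line="Line 2",
                dst="221.199.32.0/20", proto="TCP", dport=(80, 80)),
    PolicyRoute(name="Branch office", dst_line="Line 1",
                src="10.1.2.1-10.1.2.50", proto="ALL"),
]

if __name__ == "__main__":
    pkt = {"src": "10.1.1.5", "dst": "221.199.40.5", "proto": "TCP",
           "sport": 40000, "dport": 80}
    print(select_line(SAMPLE_RULES, pkt, ["Line 1", "Line 2"], "Line 1"))
```

The same packet leaves via Line 2 while both lines are up, and via Line 1 as soon as Line 2 drops out of the usable set; traffic to port 443 of the same subnet never matches the rule and stays on the default line.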

2.2.12.2. System Routing


The function of [System Routing] provided by SINFOR IAM hardware gateway is similar to
that attached in Windows operating system. The concrete routing is only effective to IAM
hardware gateway itself. The related setting interface is shown as follows:

Click <Add>, the following interface appears:

Adding return routes when multiple network segments access the internet through the proxy:
When the corporate intranet has multiple network segments and all these segments access the internet via SINFOR IAM hardware gateway, you should add [System Routing] so that, for data packets of the different network segments, IAM hardware gateway can return the packets to the correct intranet routing device.

For example: suppose that the company's intranet has two network segments, 10.251.251.X and 192.168.2.X, which are inter-connected via the Layer 3 switch. The PC gateway within each network segment is directed to the respective gateway 192.168.X.254, and the LAN port of IAM hardware gateway is 10.251.251.251, which is located at network segment 10.251.251.X and connected to the internet via the WAN port. Now, both the network segment 10.251.251.X and 192.168.2.X want to share the IAM hardware gateway as a public output port to access the internet.

As network segment 192.168.2.X and the LAN port (10.251.251.251) of IAM hardware gateway are not within the same network segment, [System Routing] should be added for IAM hardware gateway, so that data packets for 192.168.2.X can be sent back to the intranet Layer 3 switch 10.251.251.253 for handling, and finally returned to the PC in segment 192.168.2.X. The related configuration is shown as follows:

1. Add multiple [Proxy network segment] entries: 10.251.251.0/24 and 192.168.2.0/24. (For details, please refer to [Firewall/NAT Rule Settings/SNAT])

2. Add [System Routing]: 192.168.2.0/24 -> 10.251.251.253. The related settings are shown as follows:
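The route lookup that the scenario above depends on, as an added example that is not part of the manual or of Sinfor's product. It uses the manual's addresses (LAN port 10.251.251.251/24, system route 192.168.2.0/24 via 10.251.251.253) and adds an assumed WAN address and default route to show where a return packet for 192.168.2.X goes with and without the system route.

```python
import ipaddress


def build_table(connected, system_routes):
    """Build a routing table from directly connected interfaces
    ([(interface, 'ip/len')]) and [System Routing] entries ([('net/len', 'next hop')])."""
    table = []
    for iface, cidr in connected:
        table.append((ipaddress.ip_network(cidr, strict=False), None, iface))
    for net, nh in system_routes:
        table.append((ipaddress.ip_network(net), ipaddress.ip_address(nh), None))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns the table entry or None."""
    ip = ipaddress.ip_address(dst)
    candidates = [e for e in table if ip in e[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e[0].prefixlen)


def next_hop(table, dst):
    """Return (next_hop_ip, interface) for a packet to dst, or None if unroutable.
    Directly connected destinations are delivered to dst itself; a system
    route's next hop must itself sit on a connected network."""
    entry = lookup(table, dst)
    if entry is None:
        return None
    net, nh, iface = entry
    if nh is None:
        return (dst, iface)
    via = lookup(table, str(nh))
    if via is None or via[1] is not None:
        return None   # next hop not directly reachable
    return (str(nh), via[2])


# Constructed tables: the manual's LAN side plus an assumed WAN side.
CONNECTED = [("LAN", "10.251.251.251/24"), ("WAN", "203.0.113.2/30")]
DEFAULT_ROUTE = ("0.0.0.0/0", "203.0.113.1")
TABLE_WITH_ROUTE = build_table(CONNECTED, [("192.168.2.0/24", "10.251.251.253"), DEFAULT_ROUTE])
TABLE_WITHOUT_ROUTE = build_table(CONNECTED, [DEFAULT_ROUTE])

if __name__ == "__main__":
    for dst in ("192.168.2.20", "10.251.251.77", "8.8.8.8"):
        print(dst, next_hop(TABLE_WITH_ROUTE, dst), next_hop(TABLE_WITHOUT_ROUTE, dst))
```

Without the system route, the reply to a 192.168.2.20 client matches only the default route and is pushed out of the WAN port instead of back to the Layer 3 switch, which is exactly the failure the manual's step 2 prevents.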

2.3. Object Setting


The item [Object Setting] includes [Application Ident.Rule], [Intelligent Ident.Rule], [Network Service], [IP Group], [Time Group], [URL Group], [Keyword Group], [File Type Group], [Ingress Rule] and [SSL Certificate Mgt].

2.3.1. Application Identification Rule


Some download software, such as BT and eMule, can occupy a large quantity of bandwidth resources. Running QQ, MSN, stock software and other instant-messaging tools consumes office time and lowers working efficiency. At present, a large number of companies prohibit the use of such software through published regulations. However, such software is designed to get through firewalls, and ordinary firewalls can't block it.

Through the Application Ident.Rule, traffic can be checked according to elements such as protocol, port, direction, data packet length and data packet content, after which P2P and other traffic can be identified. Application Ident.Rules are divided into inner rules and customized rules. The inner rules can't be modified, whereas the customized rules can be added, deleted and modified. The content inspection rules are classified by type. Once the corresponding traffic is found, the system carries out the configured operation: permit, refuse or traffic control.

Through application ident.rule, SINFOR IAM hardware gateway can effectively obstruct
the aforesaid software. When the software is communicating with the internet, the data
packet will have special fixed fields. IAM hardware gateway can inspect the fields of the
data packet to judge whether or not they should be obstructed. If these data packets
include the special set fields, they cant be sent or received. Thus the data packets are
effectively obstructed.

The key point, when content inspection is used to block some communications, is to analyze the special fields of these data packets. Sinfor provides and upgrades the feature definitions of commonly used software, such as P2P and IM, at irregular intervals. Users can also consult Sinfor to apply for content inspection packets and import them manually. In addition, users can analyze the data packets by themselves and customize the [Application Identification Rule Setting]. Click <Add>, and the dialogue box [Application Identification Rule Setting] appears, as shown in the following figure:

You can fill the items in above interface according to the results of analysis. If the detailed
contents of the data packet need to be entered, you can click <Add>, the following
interface will appear:

Based on the analysis results of the data packets, you can set the feature code for the
[Matching content] in it.

The item [Application Identification Rule Setting] supports importing and exporting of rules via <Import/Export>. Select the rules to be exported, click <Export> in the setting interface, enter the file name, and then click <OK>.

If you want to import rules, click <Import>, select the rule file to be imported (rule files use the suffix *.ccf), and click <OK>.

[Search rule] is used to search the specific rules. To search the rules, you just have to
enter the key words of the rules in the dialogue box.

[Rule priority] can be used to switch the priority of customized rules and inner rules. You
just need to click <Change> to switch the priority. The current priority rule is shown in red
font.

1. Due to differences between, or upgrades of, BT or IM software, some admission rules may be ineffective against certain versions of the software. Sinfor updates the admission rules at irregular intervals. To ensure IAM can be upgraded with the latest admission rules, first ensure the device can access the internet normally. In addition, the date of the current inner rules library in the interface indicates the latest upgrade time.
2. The inner rules can't be modified, viewed or exported.
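The matching mechanism this section describes (protocol, port, direction, packet length and a feature field in the packet content, with inner and customized rule sets whose order is switched by [Rule priority]), as an added example that is not part of the manual or of Sinfor's product. The BitTorrent handshake prefix is the protocol's documented opening field; the rule names, the HTTP rules, the packet layout and the action labels are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class AppRule:
    name: str
    action: str                 # "permit", "deny" or "traffic control"
    proto: str = "TCP"          # TCP, UDP or ALL
    ports: tuple = ()           # (low, high) destination ports; () means any
    direction: str = "any"      # "out", "in" or "any"
    length: tuple = ()          # (min, max) payload length; () means any
    pattern: bytes = b""        # feature bytes to look for
    offset: int = -1            # fixed payload offset, or -1 for anywhere


def rule_matches(rule, pkt):
    """Check every element of the rule against one packet."""
    if rule.proto != "ALL" and pkt["proto"] != rule.proto:
        return False
    if rule.ports and not (rule.ports[0] <= pkt["dport"] <= rule.ports[1]):
        return False
    if rule.direction != "any" and pkt["direction"] != rule.direction:
        return False
    payload = pkt["payload"]
    if rule.length and not (rule.length[0] <= len(payload) <= rule.length[1]):
        return False
    if rule.pattern:
        if rule.offset >= 0:
            return payload.startswith(rule.pattern, rule.offset)
        return rule.pattern in payload
    return True


def classify(pkt, inner_rules, custom_rules, custom_first=False):
    """Return (rule name, action) of the first matching rule; [Rule priority]
    decides whether customized rules are consulted before the inner rules.
    Unmatched traffic is permitted."""
    order = custom_rules + inner_rules if custom_first else inner_rules + custom_rules
    for rule in order:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return None, "permit"


# Constructed rule sets (names and actions are illustrative).
INNER_RULES = [
    AppRule("BitTorrent handshake", "deny", proto="TCP", direction="out",
            length=(68, 68), pattern=b"\x13BitTorrent protocol", offset=0),
    AppRule("HTTP", "permit", proto="TCP", ports=(80, 80), pattern=b"GET ", offset=0),
]
CUSTOM_RULES = [
    AppRule("Custom web control", "traffic control", proto="TCP", ports=(80, 80),
            pattern=b"GET ", offset=0),
]

# Constructed sample packets.
BT_HANDSHAKE = {"proto": "TCP", "dport": 6881, "direction": "out",
                "payload": b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"B" * 20}
HTTP_GET = {"proto": "TCP", "dport": 80, "direction": "out",
            "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"}
DNS_QUERY = {"proto": "UDP", "dport": 53, "direction": "out", "payload": bytes(12)}

if __name__ == "__main__":
    for pkt in (BT_HANDSHAKE, HTTP_GET, DNS_QUERY):
        print(classify(pkt, INNER_RULES, CUSTOM_RULES),
              classify(pkt, INNER_RULES, CUSTOM_RULES, custom_first=True))
```

The web request is permitted by the inner rule until [Rule priority] is switched, at which point the customized rule with the same feature wins and applies traffic control; the DNS packet matches nothing and passes.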

2.3.2. Intelligent Identification Rule


[Intelligent Identification Setting] is mainly used for P2P applications: it intelligently identifies plaintext and ciphertext P2P data, identifies encrypted Skype data according to Skype's behaviour, and identifies SSL website certificates and SINFOR VPN data. The configuration interface is shown as below:

1. [Application Identification Rule] also includes the detection of P2P applications, but only for plaintext P2P data. If [Intelligent Identification Rule/P2P/P2P Action] is disabled, plaintext P2P data can still be identified, but encrypted P2P data cannot.
2. Skype data is encrypted. Enable [Intelligent Identification Rule/P2P/Skype] to identify Skype and realize its control and recording. The precondition for intelligent identification of Skype behaviour is that [Intelligent Identification Rule/P2P/P2P Action] is enabled first, and then the rule [Intelligent Identification Rule/P2P/Skype].
3. [Intelligent Identification Rule/SSL/SSL] identifies the SSL protocol by checking the root certificate of the SSL website. If this rule is not enabled, the [Internet Access Management/Internet Policy/Web filter/SSL control] setup is invalid.

2.3.3. Network Service


The item [Network Service] is normally used together with [Firewall/Firewall Rule] and [Internet Access Management/Internet Policy/Access authority/Network control].

First customize the different types of services in [Network Service], including the ports and protocols used by each service. Then define the firewall filtering rules on the basis of these services in [Firewall Rule], or define the internet authority on the basis of these services in [Internet Access Management/Internet Policy/Access authority/Network control].

The related configuration interface is shown as below:

Click <Add>, and the add-service dialogue box pops up as follows:

Enter any name you can easily remember into [Service name]. It is recommended that easily recognized characters be used.

Then click <TCP>, <UDP>, <ICMP> or <Other> to select the protocol used by the service. The system supports the customization of TCP, UDP, ICMP and other protocols.

After you select the protocol, tick [Add port]; then, when the following interface appears, enter the <Single port> or <Port range>:

At the item Other, you can enter the protocol number. Protocol number 0 represents all protocols.

2.3.4. IP Group

[IP Group Setting] is used to customize an IP group that includes a set of IP addresses.

This IP group can be an IP segment of the intranet, an IP range of the internet, or all IP addresses.

[IP Group Setting] is normally used together with [Firewall/Firewall Rule] for setting the source IP, destination IP and others in [Firewall Rule]; or together with [Internet Access Management/Organization/User attribute/Bind IP or MAC/Bind IP/Get from IP group] to customize the intranet users. It can also be used to customize the destination IP in [Internet Access Management/Internet Policy/Access authority/Network control].

Click <Add>, and the following dialogue box for [Add/Modify IP Group] will appear:

You can enter any easily understood characters at [Name] and [Description] of the IP group.

Then click <Add>, and enter the begin address and end address under it. Click <Auto-resolve>, and the following interface will appear. Enter the domain name, click <Auto-resolve>, then click <OK>.

2.3.5. Time Group

[Time Group Setting] is used to customize frequently used combinations of time segments. Then, when operating [Firewall/Firewall rule], [Internet Access Management/Internet Policy] and [Traffic Management System/Traffic Management], you can select the configured time segments to set the effective and ineffective time for these rules.

Click <Add>, the following dialogue box will appear:

You can enter any characters easily understood at [Name] and [Description], select the
corresponding time segment combination at the time coordinate, then click <Effect>. In
other words, the time segment has been customized to make the rules effective. Click
<OK> to complete the customization of time group.

2.3.6. URL Group

The inner and customized URL group can be used in rules of [Internet Access
Mgt/Internet Policy/Web filter/URL filter] and [Traffic Mgt System/Traffic Mgt] to set flow
control of the URL access, realizing the <URL filter> and the <Traffic Management>.

There are many default assorted URL groups in IAM. [Current URL library version] shows
the latest time of updating the URL library automatically.

If the URL library cannot update automatically due to the reason that the device cannot
connect to the internet, you can also update it manually. To do this, click <Browse>,
choose the URL library file, and click <Upload> to import the file.

Enter a domain name (DN) in <URL query> to check which inner URL library group the URL belongs to. Enter geren.sdb.com.cn in <URL query>, and the interface is shown as below:

Click <Search>, the following interface will appear:

In addition, you can also click <Add> to conveniently customize a URL group. Each URL
has one line and supports the wildcard character *, as shown in the following interface:

You can also set different URL groups as needed to control the users access to the
websites. One group can include multiple domain names.

1. To realize auto upgrading of the URL group, please ensure that IAM hardware gateway can access the internet.
2. As a wildcard character, * can only be put at the front of the URL, and it matches exactly one level of the DN. (For example, *.163.com matches mail.163.com but not kefu.mail.163.com; kefu.mail.163.com needs to be matched by *.mail.163.com.)
3. One URL cannot be defined in different customized groups.
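The two constraints above (a leading * matching exactly one DN level, and no URL defined in two customized groups), as an added example that is not part of the manual or of Sinfor's product. The group names and entries are constructed for illustration.

```python
def url_matches(pattern, host):
    """Match a host name against one URL group entry.

    '*' is allowed only at the front of the entry and stands for exactly one
    DN level, so '*.163.com' matches 'mail.163.com' but not
    'kefu.mail.163.com' or '163.com' itself."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        raise ValueError(f"'*' may only appear at the front of a URL: {pattern}")
    suffix = pattern[1:]                 # e.g. ".163.com"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]          # the part the '*' has to cover
    return bool(label) and "." not in label


def validate_groups(groups):
    """Reject a URL that appears in more than one customized group."""
    seen = {}
    for name, urls in groups.items():
        for url in urls:
            key = url.lower()
            if key in seen and seen[key] != name:
                raise ValueError(f"{url} is defined in both {seen[key]} and {name}")
            seen[key] = name


def groups_are_valid(groups):
    try:
        validate_groups(groups)
        return True
    except ValueError:
        return False


def lookup_group(groups, host):
    """Return the name of the first group whose entries match host, or None."""
    validate_groups(groups)
    for name, urls in groups.items():
        if any(url_matches(u, host) for u in urls):
            return name
    return None


# Constructed customized URL groups.
SAMPLE_GROUPS = {
    "Mail sites": ["*.163.com", "*.mail.163.com"],
    "Company sites": ["www.example.com"],
}

if __name__ == "__main__":
    for host in ("mail.163.com", "kefu.mail.163.com", "163.com", "www.example.com"):
        print(host, "->", lookup_group(SAMPLE_GROUPS, host))
```

Because the wildcard covers only one label, a group that should catch every host under 163.com needs one entry per depth, as the manual's own example shows.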

2.3.7. Keyword Group


The item [Keyword group] is used to set and classify the keywords, which can limit the
searching and uploading of some keywords via [Internet Access Management/Internet
Policy/Web filter/Keyword filter].

Click <Add>, the following interface will appear. Enter the keywords, with one keyword for
one line. After adding, click <OK>.

2.3.8. File Type Group


[Object Setting/File Type Group] is used to define the needed file types. It can be used in [Internet Access Mgt/Internet Policy/Web filter/File type] to restrict HTTP upload and download of files, and in [Traffic Mgt system/Traffic Mgt] to set the flow control of upload/download for the file types.

Click <Add>, and the following interface will appear. Enter the extensions of the files, in the following format:

The same file type cannot be defined in different file type groups.

2.3.9. Ingress Rule


Set the internet ingress rules, such as disabling proxy software, IP-MAC binding across Layer 3, and monitoring encrypted IM chat logs, which are used in [Internet Access Mgt/Internet Policy/Ingress system]. If an ingress rule is enabled in the policy, users must satisfy the relevant rules before they can connect to the internet. The user needs to install the ingress control the first time they access the internet. There are many inner ingress rules in the IAM gateway, and users can also define ingress rules by themselves.

At [Manual-update inner rule], you can manually upload the files of inner rules. You should obtain such files from Sinfor.

The item [Import rule] corresponds to [Import] in the rules list below. You can select the related ingress rules to be exported; the exported files have the .conf format. Importing rules means importing the rule files with the suffix .conf into the device again.

Click <Add> and the following interface appears:

If you want to add new rule types at the same time, you can directly enter the rule names
customized by yourself into the dialogue box, as shown below:

Five options are available for the item [Classification], namely [Operation system], [Process], [File], [Registry] and [Other].

[Operation system]: Restricts the version of the operating system installed on the PCs that access the internet via IAM hardware gateway. For example, for the PCs used within the company, it can be required that all of them run Windows XP. To avoid virus attacks due to the SP3 patch for Windows XP not being installed, you can set the rule as follows: all intranet users should install the SP3 patch, and PCs without this patch will not be allowed to access the internet. The related configuration interface is shown below:

The detailed setting is described as follows:

1. <Add> a new ingress rule and select the rule classification [Operation system] (for other rules, select the corresponding rule type).

2. Enter the [Rule type]. You can select it from the pop-up menu or enter the rule type directly into the dialogue box. Note: the description of the rule type must be less than 20 bytes.

3. Enter the [Rule name]: the description of the name must be less than 20 bytes.

4. Select the [operation system]: versions that are not selected are prohibited. First select the corresponding version, then click <Enable>. The information for this version is then in an enabled state; tick it.

5. Select [Operation]: you can choose <Not allow user to visit Internet> or <Not operate(Only submit report)>.

6. Click <OK> to make the rule effective.

[Process]: It is used to control the processes on PCs that access the internet via the IAM
hardware gateway. To add a new ingress rule for a process, select the rule type
[Process], as shown in the following figure:

Enter the respective information in [Rule type], [Rule name], [Rule Description], [Process
name], [Window name] and [Program path]. Then select whether the user runs the
process, the [Program MD5] and [File size] of the process, and the action to take for the
user when this process is or is not running, for example <Not allow user to visit Internet>,
<Stop process> or <Not operate(Only submit report)>. Click <OK>, and the rule is
added.

[File]: It is used to control the files on intranet PCs that access the internet via the IAM
hardware gateway. If the ingress system is enabled, this item can detect whether a
particular file exists under a system directory. For example, you can check whether the
system directory contains a certain dll file, and thereby determine whether particular
software is installed on the user's PC.

To set an ingress rule with [File] as its type, select [Add/File], as shown in the following figure:

Enter the respective information in [Rule type], [Rule name] and [Rule description], and
select whether or not this file exists on the user's PC. In [File path], enter the path of the
file, then select [MD5] and [File size], select [updating date after current date] and enter
the number of delayed days. For the operation, select [Not allow user to visit Internet],
[Delete file] or [Only submit report]. Finally, click <OK> to complete adding the rule.

As shown in the above interface, this configuration can detect whether the antivirus
software installed on a PC that accesses the internet is updated in time. To do that, the
system checks the modification date of the antivirus database to determine when the
antivirus software was last updated. If the number of delayed days is exceeded and the
software has not been updated, the rule is considered matched and the related
operation is carried out.

1. The file path supports macro expansion. Because installation directories differ
between operating systems, the system directories can differ too, so the macro
directories must be expanded to real paths. For example, %SystemRoot% represents
the Windows system directory, normally C:\WINDOWS or C:\WINNT.
2. When adding ingress rules of the file type, you can directly enter a macro directory
to be expanded into the item [File path].
At present, the macro directories supported by the system and their respective
meanings are as follows:

Format           Significance
%SystemDrive%    C:
%SystemRoot%     C:\WINNT
%System%         C:\WINNT\system32
%Windir%         C:\WINNT
%UserProfile%    C:\Documents and Settings\SINFOR
%Temp%           C:\Documents and Settings\SINFOR\Local Settings\Temp
%Program%        C:\Program Files
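The following is an added example, written for this page and not the IAM client's own code, of how a [File] ingress rule can be evaluated: the macro directories from the table above are expanded, the file's presence, MD5 and size are checked, and the "delayed days" test of the antivirus example is applied to the file's modification date. The rule fields, the redirection of %Temp% to a temporary directory and the 40-day-old signature file are this example's assumptions.

```python
"""Added example, not the IAM client's own code: evaluating a [File] ingress
rule with macro directory expansion as the manual describes. The rule fields
and the scenario below are this example's assumptions."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Macro directories from the manual, with its sample expansions. A real
# ingress client would resolve them from the PC's own environment.
MACROS = {
    "%SystemDrive%": r"C:",
    "%SystemRoot%": r"C:\WINNT",
    "%System%": r"C:\WINNT\system32",
    "%Windir%": r"C:\WINNT",
    "%UserProfile%": r"C:\Documents and Settings\SINFOR",
    "%Temp%": r"C:\Documents and Settings\SINFOR\Local Settings\Temp",
    "%Program%": r"C:\Program Files",
}


def expand_macros(path: str, macros: dict = MACROS) -> str:
    """Replace each %Macro% in a rule's [File path] with its directory.
    Backslashes become the host separator only so this also runs on POSIX."""
    for macro, directory in macros.items():
        path = path.replace(macro, directory)
    return path.replace("\\", os.sep)


@dataclass
class FileRule:
    name: str
    file_path: str                       # may contain macros, e.g. %System%\x.dll
    present: bool                        # condition: True = file exists, False = absent
    md5: Optional[str] = None            # [MD5], checked only when set
    size: Optional[int] = None           # [File size], checked only when set
    max_age_days: Optional[int] = None   # "number of delayed days" since last update
    action: str = "Not allow user to visit Internet"


def file_md5(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def evaluate(rule: FileRule, macros: dict = MACROS,
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (hit, reason): hit means the rule's condition holds, so its
    action (deny internet, delete file or only report) is to be applied."""
    now = time.time() if now is None else now
    path = expand_macros(rule.file_path, macros)
    exists = os.path.isfile(path)
    if exists != rule.present:
        return False, f"{path}: presence ({exists}) differs from the rule"
    if not exists:
        return True, f"{path}: absent, as the rule requires"
    if rule.md5 is not None and file_md5(path).lower() != rule.md5.lower():
        return False, f"{path}: MD5 does not match"
    if rule.size is not None and os.path.getsize(path) != rule.size:
        return False, f"{path}: size does not match"
    if rule.max_age_days is not None:
        age = (now - os.path.getmtime(path)) / 86400
        if age <= rule.max_age_days:
            return False, f"{path}: updated {age:.0f} days ago, within the limit"
        return True, f"{path}: last updated {age:.0f} days ago, limit exceeded"
    return True, f"{path}: present and matches the rule"


def run_demo() -> dict:
    """Constructed scenario: %Temp% is redirected to a temporary directory
    that holds a 40-day-old antivirus signature file."""
    now = time.time()
    tmp = tempfile.mkdtemp()
    macros = dict(MACROS, **{"%Temp%": tmp})
    sig = os.path.join(tmp, "virus.def")
    with open(sig, "wb") as f:
        f.write(b"constructed signature database")
    os.utime(sig, (now - 40 * 86400, now - 40 * 86400))
    checks = {
        # signatures older than 30 days: the rule hits and the user is denied
        "stale_signatures": FileRule("AV updated", r"%Temp%\virus.def", True, max_age_days=30),
        # the same file judged with a 60-day limit is still fresh: no hit
        "fresh_signatures": FileRule("AV updated", r"%Temp%\virus.def", True, max_age_days=60),
        # a required agent that is missing: the rule hits
        "agent_missing": FileRule("Agent installed", r"%Temp%\agent.exe", False),
        # a file identified by its MD5 (e.g. a dll of unwanted software): hit
        "known_md5": FileRule("Known file", r"%Temp%\virus.def", True, md5=file_md5(sig)),
    }
    return {key: evaluate(rule, macros, now)[0] for key, rule in checks.items()}


if __name__ == "__main__":
    for key, hit in run_demo().items():
        print(f"{key}: {'rule hits' if hit else 'no hit'}")
```

The presence flag is the rule's condition rather than a requirement: a rule with present=True fires when the file is found (unwanted software), one with present=False fires when it is missing (a required agent), and the MD5, size and age checks only narrow the present=True case.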

[Registry]: It is used to check the registry of the operating system installed on a PC that
accesses the internet, so as to find out which software is installed in the operating
system or whether there are security issues.

To set an ingress rule with rule type [Registry], select [Add/Registry], as shown in the
following figure:

The above example restricts intranet PCs from using the CCproxy proxy software by
detecting its entries in the registry of the intranet PC.

[Other]: It is used to realize IP-MAC binding across Layer 3 switches and to forbid
client machines logged in with the administrator identity from accessing the internet
(to avoid virus infection).

To set an ingress rule with rule type [Other], select [Add/Other], as shown in the
following figure:

Enter the respective information in [Rule type], [Rule name] and [Rule description], and
select <Validate IP/MAC in the client> to realize IP-MAC binding across Layer 3
switches.

If you select <To prevent infecting virus, modify system file and registry, the machine is not
allow to access Internet by Admin identity login>, the system will forbid a client that is
logged in to the PC with the administrator identity from accessing the internet.

Click <OK> to complete adding the rule.

IP-MAC binding via ingress rules is mainly used in environments where the PC and
IAM are not located in the same network segment (separated by Layer 3 devices, so
the MAC address seen by IAM has changed). In addition to applying the ingress rule,
you must also configure IP-MAC binding via [Internet Access
Mgt/Organization/Add user].

2.3.10. SSL Certificate Management

The item [Trustable root certificate list] corresponds to [Internet Access Mgt/Internet
Policy/Web filter/SSL control]. If SSL control is activated for an IAM group, the root
certificates in the SSL certificate library are trusted. The user can also import or delete
certificates in this certificate library.

The item [Add trustable root certificate] only supports importing certificates in the crt
and cer formats, and they must be imported from local files.

Certificates are compared by their MD5 values. If the MD5 values differ, the certificates
are different. The same certificate cannot be imported repeatedly.

Normally, the name of the certificate is the CN name in the certificate subject. If the
subject of the certificate has no CN name, the value of the last field of the subject is
used as the name (the order of the subject fields may differ from that shown in IE).
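The following is an added example, written for this page and not the IAM gateway's own code, of the two rules just described: a certificate is named by its CN, or by the last subject field when there is no CN, and a second import with the same MD5 is refused. The subject is modelled as an ordered list of (field, value) pairs and the certificate bytes are constructed stand-ins; hashing the DER form so that PEM and DER copies of one certificate collide is this example's assumption, since the manual only states that the MD5 of the certificate is compared.

```python
"""Added example, not the IAM gateway's own code: the naming and duplicate
detection rules the manual gives for the trustable root certificate list.
A subject is modelled as an ordered list of (field, value) pairs; parsing
real X.509 is outside this example. Hashing the DER form so that PEM and
DER copies of one certificate collide is this example's assumption."""
import base64
import hashlib
import os
from typing import Dict, List, Tuple

Subject = List[Tuple[str, str]]   # e.g. [("C", "CN"), ("O", "Example"), ("CN", "Root")]


def certificate_name(subject: Subject) -> str:
    """The CN of the subject, or the value of its last field if there is no CN."""
    for field, value in subject:
        if field == "CN":
            return value
    return subject[-1][1]


def to_der(data: bytes) -> bytes:
    """Return DER bytes for either a DER file or a PEM (base64 armored) file."""
    if b"-----BEGIN" not in data:
        return data
    body = b"".join(line.strip() for line in data.splitlines()
                    if line.strip() and not line.startswith(b"-----"))
    return base64.b64decode(body)


class RootCertificateList:
    """Imported root certificates keyed by the MD5 of their DER encoding."""
    ALLOWED = {".crt", ".cer"}

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}   # md5 hex -> display name

    def add(self, filename: str, data: bytes, subject: Subject) -> Tuple[bool, str]:
        if os.path.splitext(filename)[1].lower() not in self.ALLOWED:
            return False, f"{filename}: only crt and cer files can be imported"
        digest = hashlib.md5(to_der(data)).hexdigest()
        if digest in self._entries:
            return False, f"{filename}: same MD5 as '{self._entries[digest]}', not imported again"
        self._entries[digest] = certificate_name(subject)
        return True, f"{filename}: imported as '{self._entries[digest]}'"

    def names(self) -> List[str]:
        return sorted(self._entries.values())


def run_demo() -> dict:
    # Constructed bytes standing in for a certificate; not a real certificate.
    der = b"\x30\x82constructed-bytes-standing-in-for-a-DER-certificate"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der)
           + b"\n-----END CERTIFICATE-----\n")
    with_cn = [("C", "CN"), ("O", "Example Org"), ("CN", "Example Root CA")]
    without_cn = [("C", "CN"), ("O", "Example Org"), ("OU", "Gateway Unit")]
    store = RootCertificateList()
    return {
        "first": store.add("root.cer", der, with_cn)[0],          # imported
        "pem_copy": store.add("root_copy.crt", pem, with_cn)[0],  # same MD5: rejected
        "no_cn": store.add("unit.crt", b"\x30\x82other-constructed-bytes", without_cn)[0],
        "bad_ext": store.add("root.pem", der, with_cn)[0],        # wrong format
        "names": store.names(),
    }
```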

2.4. Firewall
The settings of the [Firewall] include [Firewall Rule], [NAT Rule Setting], [DOS Attack
Protection] and [ARP Protection], as shown in the following figure:

2.4.1. Firewall Rule


The item [Firewall Rule] is used to set the details for the access of data packets. The IAM
hardware gateway provides mutual-access filter rules for 10 directions among
[LAN<->DMZ], [DMZ<->WAN], [WAN<->LAN], [LAN<->LAN] and [DMZ<->DMZ].

2.4.1.1. LAN<->DMZ

This interface is used to set the mutual-access rules between the LAN port and the DMZ
port, by which either all services of a protocol can be opened or only particular
customized services can be allowed.

If you want full mutual access between the LAN port and the DMZ port, so that PING
commands can be used for testing, the TCP, UDP and ICMP access rules should be
opened in both directions. The system default is that all TCP, UDP and ICMP are
opened in the [LAN->DMZ] direction. However, the rules are not enabled but in the
disabled state, as shown in the following figure:

To enable the rules, click <Edit>.

If you click <Add>, the following interface will appear:

The firewall follows the principle that rules are matched from top to bottom. Once a
rule has been matched, matching stops and later rules are not considered, so attention
should be paid to the order of the rules. You can customize the order of the rules via
[Rule number]. In addition, the firewall rules include a hidden rule that refuses all data
packets. In other words, if none of the added rules matches, the data packet is
eventually discarded.
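The following is an added example, written for this page and not the IAM gateway's own code, that models the matching principle just described: rules are tried in [Rule number] order, disabled rules are skipped, the first match decides, and a hidden final rule discards anything unmatched. The rule set and packets are constructed; the LAN->DMZ rules reflect the disabled defaults mentioned above, and the WAN->LAN rule uses the manual's later example of port 80 on 10.251.251.61.

```python
"""Added example, not the IAM gateway's own code: a model of first-match
firewall rule evaluation with a hidden final deny, as the manual describes.
Rule fields, the sample rules and the packets are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    number: int                          # [Rule number]: lower numbers match first
    direction: str                       # e.g. "WAN->LAN"
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    src: str                             # source IP group as CIDR
    dst: str                             # destination IP group as CIDR
    dports: Optional[Tuple[int, int]]    # service port range, None = all ports
    action: str                          # "allow" or "deny"
    enabled: bool = True


def matches(rule: FirewallRule, pkt: Dict) -> bool:
    if rule.direction != pkt["direction"]:
        return False
    if rule.protocol != "any" and rule.protocol != pkt["protocol"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None:
        lo, hi = rule.dports
        if pkt.get("dport") is None or not lo <= pkt["dport"] <= hi:
            return False
    return True


def decide(rules: List[FirewallRule], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Return (action, rule number); ("deny", None) is the hidden final rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.enabled and matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None


# Constructed rule set: the default LAN->DMZ rules exist but are disabled;
# WAN->LAN allows port 80 of 10.251.251.61 from anywhere, and a later rule
# tries to deny one external segment (it is shadowed by rule 10).
RULES = [
    FirewallRule(1, "LAN->DMZ", "tcp", "0.0.0.0/0", "0.0.0.0/0", None, "allow", enabled=False),
    FirewallRule(2, "LAN->DMZ", "udp", "0.0.0.0/0", "0.0.0.0/0", None, "allow", enabled=False),
    FirewallRule(3, "LAN->DMZ", "icmp", "0.0.0.0/0", "0.0.0.0/0", None, "allow", enabled=False),
    FirewallRule(10, "WAN->LAN", "tcp", "0.0.0.0/0", "10.251.251.61/32", (80, 80), "allow"),
    FirewallRule(20, "WAN->LAN", "tcp", "203.0.113.0/24", "10.251.251.61/32", (80, 80), "deny"),
]


def run_demo(rules: List[FirewallRule] = RULES) -> dict:
    web = {"direction": "WAN->LAN", "protocol": "tcp", "src": "198.51.100.7",
           "dst": "10.251.251.61", "dport": 80}
    ssh = dict(web, dport=22)
    ping = {"direction": "LAN->DMZ", "protocol": "icmp", "src": "10.251.251.5",
            "dst": "192.0.2.10", "dport": None}
    from_blocked = dict(web, src="203.0.113.9")
    # giving the deny rule a lower number puts it ahead of the allow rule
    reordered = [replace(r, number=5) if r.number == 20 else r for r in rules]
    return {
        "web": decide(rules, web),                     # ("allow", 10)
        "ssh": decide(rules, ssh),                     # hidden deny
        "ping_disabled_rules": decide(rules, ping),    # hidden deny
        "shadowed_deny": decide(rules, from_blocked),  # ("allow", 10): order matters
        "reordered_deny": decide(reordered, from_blocked),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The shadowed_deny and reordered_deny cases show why the manual insists on rule order: the same deny rule is ineffective at number 20 and effective at number 5.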

2.4.1.2. DMZ<->WAN

This interface is used to set the mutual-access rules between the WAN port and the DMZ
port, by which either all services of a protocol can be opened or only particular
customized services can be allowed. The setting method is the same as for [LAN<->DMZ].
The default interface is shown below:

2.4.1.3. WAN<->LAN

This interface is used to set the rules for the LAN port accessing the internet, as well as
the rules for the intranet providing access to the internet. In the default state, the LAN
port's access to the internet has no restrictions, but the WAN port is not permitted to
access the intranet. If an internet IP must access some IP in the LAN, the related filter
rule must be enabled.

The following figure shows an example in which internet IPs are permitted to access port
80 of the intranet. This is equivalent to opening port 80 in the [WAN->LAN] direction.

The above [Service object], [Source IP group], [Destination IP group] and [Time group]
can be customized as described earlier under [Object Setting]. You can click the
nearby <Add> to set the corresponding [Object Setting]. For details, please refer to the
previous chapters.

As the [WAN<->LAN] direction is the most frequently used, the IAM hardware gateway
provides the frequently used rules in a built-in way. By default, the firewall defines
three enabled rules in the [WAN<-LAN] direction.

2.4.1.4. LAN<->LAN

This interface is used to set the mutual-access rules between the LAN1 port (the original
LAN port) and the LAN2 port (converted from an idle WAN2 port), or between the IPs of
several network segments bound to the LAN port, by which either all services of a
protocol can be opened or only particular customized services can be allowed. For the
configuration method, refer to [LAN<->DMZ]. The default interface is shown below:

2.4.1.5. DMZ<->DMZ

This interface is used to set the mutual-access rules between the DMZ1 port (the original
DMZ port) and the DMZ2 port (converted from an idle WAN2 port), or between the IPs of
several network segments bound to the DMZ port, by which either all services of a
protocol can be opened or only particular customized services can be allowed. For the
configuration method, refer to [LAN<->DMZ]. The default interface is shown below:

2.4.2. NAT Rule Setting

The item [NAT Rule Setting] includes [SNAT] and [DNAT], as shown below:

2.4.2.1. SNAT

For example, to establish a rule that acts as a proxy for the internet access of clients
within the LAN, where the IP address range of the LAN is 10.251.251.0 / 255.255.255.0,
the setting procedure is as follows:

Click <Add>, and the page [Proxy Network Segment Setting] appears. Enter a name into
the item [Rule name]. This name is only used as a label and can be any characters.

For [WAN interface], you can choose [Specified network interface] or directly [Apply to
all WAN interfaces], by which the data can be sent out through all usable internet
interfaces.

At [Proxy network segment], you can select [Proxy all IP Address] or [Proxy appointed
segment]; here we enter 10.251.251.0 for the network and 255.255.255.0 for [Subnet
mask].

At the item [Convert source IP Address to], you can select the WAN interface address or
a designated IP (note: the latter is used only for special applications, for example when
traffic to a designated destination segment must go out through a particular line).
Normally, [Using WAN interface address] is selected, which covers all internet
addresses, so all internet access from the designated network segment is proxied.

If you select <Advanced configuration>, you can make more detailed settings.

At the item [Destination IP Address conversion condition], you normally select [All
destination IP Address]; alternatively, you can designate an IP segment, so that source
addresses are converted only when the destination falls in that segment.

This item can be used together with [Proxy network segment]. If both [Proxy network
segment] and [Destination IP Address conversion condition] are set, addresses are
converted only when both conditions are met. If only one of the two is set, conversion is
done when that condition is satisfied.

At the item [Protocol conversion condition], you can select [All protocols], which covers
all protocols. This item is set only for special applications, for example when certain
protocols must go out through particular lines. Finally, click <OK>.

The related configuration interface is shown below:

Please enable the corresponding firewall rules for LAN->WAN.

2.4.2.2. DNAT

If a server within the LAN needs to provide services to the internet, you need to
configure [DNAT] at the gateway. The IAM hardware gateway provides this function. The
setting interface is shown below:

For example, if a PC with IP 10.251.251.61 within the intranet is to provide Web services
to the internet on port 80, the setting procedure is as follows:

Use <Add> to establish a mapping rule in [Port Mapping Setting]. Enter a name into the
item [Rule name]. This name is only used as a label and can be any characters.

At [WAN interface], enter the interface name. At [Protocol conversion condition], you can
select one of [All protocol] or [Specified protocol type]. For the latter, set it to TCP, with
source port 0 (representing all ports) and [Destination port] from 80 to 80. At [Convert
destination IP to], select [Specified IP Address] and enter 10.251.251.61, and set
[Convert destination port to] from 80 to 80.

If you select <Advanced configuration>, you can make more detailed settings.

At the item [Source IP address conversion condition], you normally select <All IP
Address>; you can also select <Specified network segment>, so that destination
addresses are converted only when the source IP falls in the designated segment.

At [Destination IP Address conversion condition], you can select <Specified network
interface address>. If there are multiple internet IPs, you can specify which internet IP is
mapped to the intranet.

[Source IP Address conversion condition] and [Destination IP Address conversion
condition] can be used together. If both are set, addresses are converted only when
both conditions are met. If only one of the two is set, conversion is done when that
condition is satisfied.

Finally, click <OK>. The related configuration interface is shown below:

1. When the source port is set to 0, it means all ports.
2. At [Firewall Rule Settings/ WAN<->LAN], add one enabled rule allowing any
internet IP to access port 80 of 10.251.251.61 in the intranet, as shown in the
following figure:
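The following is an added example, written for this page and not the IAM gateway's own code, that models the SNAT and DNAT semantics of the two sections above: a proxied segment whose source is rewritten to the WAN address, the "both conditions must be met, one condition suffices on its own" rule for the advanced conditions, and the port mapping to 10.251.251.61:80 with source port 0 meaning all ports. The addresses 10.251.251.0/24 and 10.251.251.61 are the manual's; the WAN address 203.0.113.1 and the packets are constructed.

```python
"""Added example, not the IAM gateway's own code: a model of the SNAT and
DNAT rule semantics the manual describes. Field names, the WAN address and
the packets are this example's assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WAN_ADDRESS = "203.0.113.1"   # constructed address of the WAN interface


def in_segment(ip: str, segment: Optional[str]) -> bool:
    """A condition left unset (None) is satisfied by every address."""
    return segment is None or ipaddress.ip_address(ip) in ipaddress.ip_network(segment)


@dataclass
class SnatRule:
    name: str
    proxy_segment: Optional[str]        # [Proxy appointed segment], None = all IPs
    dst_condition: Optional[str]        # [Destination IP Address conversion condition]
    protocol: Optional[str]             # [Protocol conversion condition], None = all
    convert_to: Optional[str] = None    # None = [Using WAN interface address]


def apply_snat(rule: SnatRule, pkt: Dict) -> Dict:
    """Rewrite the source address only when every condition that is set holds."""
    if not in_segment(pkt["src"], rule.proxy_segment):
        return pkt
    if not in_segment(pkt["dst"], rule.dst_condition):
        return pkt
    if rule.protocol is not None and rule.protocol != pkt["protocol"]:
        return pkt
    return dict(pkt, src=rule.convert_to or WAN_ADDRESS)


@dataclass
class DnatRule:
    name: str
    protocol: Optional[str]              # None = [All protocol]
    src_port: int                        # 0 means all source ports
    dst_ports: Tuple[int, int]           # [Destination port] range on the WAN side
    convert_dst_ip: str                  # [Convert destination IP to]
    convert_dst_ports: Tuple[int, int]   # [Convert destination port to]
    src_condition: Optional[str] = None  # [Source IP address conversion condition]
    dst_condition: Optional[str] = None  # internet IP to be mapped, None = any


def apply_dnat(rule: DnatRule, pkt: Dict) -> Dict:
    """Rewrite destination IP and port when the mapping and its conditions hold."""
    if rule.protocol is not None and rule.protocol != pkt["protocol"]:
        return pkt
    if rule.src_port != 0 and pkt["sport"] != rule.src_port:
        return pkt
    lo, hi = rule.dst_ports
    if not lo <= pkt["dport"] <= hi:
        return pkt
    if not in_segment(pkt["src"], rule.src_condition):
        return pkt
    if rule.dst_condition is not None and pkt["dst"] != rule.dst_condition:
        return pkt
    new_lo, _ = rule.convert_dst_ports
    return dict(pkt, dst=rule.convert_dst_ip, dport=new_lo + (pkt["dport"] - lo))


def run_demo() -> dict:
    snat_all = SnatRule("lan-proxy", "10.251.251.0/24", None, None)
    snat_line2 = SnatRule("special-line", "10.251.251.0/24", "198.51.100.0/24", None,
                          convert_to="203.0.113.2")
    dnat_web = DnatRule("web-server", "tcp", 0, (80, 80), "10.251.251.61", (80, 80),
                        dst_condition=WAN_ADDRESS)
    out = {"protocol": "tcp", "src": "10.251.251.5", "sport": 40000,
           "dst": "192.0.2.10", "dport": 443}
    inbound = {"protocol": "tcp", "src": "198.51.100.7", "sport": 51234,
               "dst": WAN_ADDRESS, "dport": 80}
    mapped = apply_dnat(dnat_web, inbound)
    return {
        "snat_src": apply_snat(snat_all, out)["src"],                      # WAN address
        "snat_outside_segment": apply_snat(snat_all, dict(out, src="10.9.9.9"))["src"],
        "snat_both_conditions": apply_snat(snat_line2, dict(out, dst="198.51.100.20"))["src"],
        "snat_one_condition_fails": apply_snat(snat_line2, out)["src"],   # unchanged
        "dnat_web": (mapped["dst"], mapped["dport"]),
        "dnat_other_port": apply_dnat(dnat_web, dict(inbound, dport=22))["dst"],
        "dnat_udp": apply_dnat(dnat_web, dict(inbound, protocol="udp"))["dst"],
    }
```

As the manual's note 2 says, the DNAT mapping alone is not enough: the matching WAN->LAN firewall rule for port 80 of 10.251.251.61 must also be enabled, which the firewall example earlier in this chapter illustrates.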

2.4.3. DOS Attack Protection

DOS attacks (denial-of-service attacks) normally aim at consuming the resources of the
server and forcing its services to stop responding, so that normal user requests are not
answered; the attacker achieves this by fabricating request data that exceed the handling
capacity of the server and block its responses. The DOS protection of the SINFOR IAM
gateway can prevent not only DOS attacks from the internet to the intranet, but also
virus attacks on machines in the intranet and DOS attacks launched from the intranet
with attack tools.

The related configuration interface is shown below:

The option [Enable DoS attack protection] is the switch to enable or disable the DOS
protection function.

[Intranet network segment list]: It refers to the intranet network segments that access
the internet using the SINFOR IAM gateway as a proxy. If this list is set, data packets
sent to IAM from IP addresses not included in the list are discarded, so those IP
addresses can neither access the internet nor connect to the IAM device via the LAN
and DMZ ports (if a setting error in this item prevents logging in at the console, you can
log in via the WAN port). You can leave this list unset, but if it is set, it helps the SINFOR
IAM gateway better prevent DOS attacks, for instance attacks with fabricated IPs.

[Intranet router list(MAC or IP Address)]: It refers to the routers (with NAT not enabled)
or Layer 3 switches connected on the LAN port or DMZ port side of IAM. After PCs that
are not in the same network segment as the LAN port or DMZ port of the IAM hardware
gateway pass through such a router, their MAC is replaced by the MAC of the router.
The router interface in the network segment shared with the IAM device may therefore
be locked by the IAM hardware gateway because of the excessive number of
connections. This list prevents the IAM gateway from locking the MAC addresses of
intranet routers.

Here, you can enter the IP or MAC addresses of the interfaces where the routers (or
Layer 3 switches) are directly connected to IAM's intranet interface.

[Excluded address list]: The SINFOR IAM gateway does not act against an IP address in
[Excluded address list] even when the number of connections and the sending
frequency of that IP reach the DOS protection thresholds.

[Max TCP connection numbers per IP address in one minute]: After this item is set, the
maximum number of SYN and ICMP packets and small TCP and UDP packets transmitted
via the IAM gateway per second by a single IP or MAC address can be controlled. If the
set value is exceeded, the IP or MAC is locked for the specified time (for the lock time,
please refer to the other part of this section).

[Max attacking packets sent per host in one second(attacking packet classification
includes SYN,ICMP and TCP/UDP tiny packets)]: After this item is set, the maximum
number of SYN packets transmitted via the IAM gateway within one second by a single
IP or MAC address (intranet and internet) can be controlled. If the set value is exceeded,
the IP or MAC is locked for the specified time (for the lock time, please refer to the other
part of this section).

[Host denied time after attack detected(minutes) ]: It is used to set the lockdown time for
the attacking host after the IAM gateway detects an attack.

1. It is recommended to enable the DOS protection function so that the system can
effectively prevent attacks from the internet as well as network blocking caused by the
excessive packets transmitted when an intranet PC is infected by viruses.
2. It is recommended to set the item [Intranet network segment list] so that the
system can prevent attacks conducted with fabricated IPs. If you add entries to
[Intranet network segment list], please make sure all network segments of the
intranet have been added. Data packets transmitted from IP addresses not included in
the [Intranet network segment list] to IAM or through IAM will be discarded.
3. If routers or Layer 3 switches exist in the intranet, you must add the IP of the
interface where the routing device is directly connected to IAM to the [Intranet router
list]. Thus the MAC address of this interface is excluded from DOS protection and
avoids lockdown. Normally, if there is a firewall or router at the WAN port end, its
interface address should also be added to [Intranet router list].
4. The default value for [Max TCP connection numbers per IP address in one minute]
in the DOS Protection module of the C hardware device is 1024, and the value of [Max
attacking packets sent per host in one second] is 512. If internet access is interrupted
because a large quantity of virus data packets are being transmitted, it is
recommended that [Max TCP connection numbers per IP address in one minute] be
changed to 512 and [Max attacking packets sent per host in one second] to 300. The
system will then defend better against PCs infected by viruses.
5. As Thunder's initial connection count is very large and shows features similar to
DOS attacks, DOS protection may lock the machine running Thunder. In this case,
you can adjust the parameters to reduce the chance that the machine running
Thunder is locked. It is recommended that [Max TCP connection numbers per IP
address in one minute] be adjusted to 1024, and [Max attacking packets sent per host
in one second] to 512.
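The following is an added example, written for this page and not the IAM gateway's own code, that models the DOS protection settings of this section over a constructed stream of packets: the intranet segment list drops traffic from unlisted sources, the excluded list and the intranet router list exempt hosts from locking, and the two thresholds lock a host for the configured minutes. The thresholds are applied as their names read (TCP connections per IP per minute, and SYN/ICMP/tiny packets per host per second); the recommended values 512 and 300 from note 4 are used, and all addresses, MACs and timings are constructed.

```python
"""Added example, not the IAM gateway's own code: a model of the DOS
protection parameters the manual lists, run over constructed packet events.
A host exceeding either threshold is locked for [Host denied time]."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class DosSettings:
    enabled: bool = True
    intranet_segments: List[str] = field(default_factory=list)  # [Intranet network segment list]
    intranet_routers: List[str] = field(default_factory=list)   # [Intranet router list], IP or MAC
    excluded: List[str] = field(default_factory=list)           # [Excluded address list]
    max_tcp_conn_per_min: int = 1024    # [Max TCP connection numbers per IP address in one minute]
    max_attack_pkts_per_sec: int = 512  # [Max attacking packets sent per host in one second]
    lock_minutes: int = 5               # [Host denied time after attack detected(minutes)]


class DosGuard:
    def __init__(self, settings: DosSettings) -> None:
        self.s = settings
        self.conn_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.attack_times: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def _in_intranet(self, ip: str) -> bool:
        if not self.s.intranet_segments:   # list left unset: no filtering
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.s.intranet_segments)

    def _exempt(self, ip: str, mac: str) -> bool:
        # excluded addresses and intranet router interfaces are never locked
        return ip in self.s.excluded or ip in self.s.intranet_routers \
            or mac in self.s.intranet_routers

    @staticmethod
    def _count(window: Deque[float], now: float, span: float) -> int:
        """Sliding-window counter: add this packet, drop those older than span."""
        window.append(now)
        while window and window[0] <= now - span:
            window.popleft()
        return len(window)

    def handle(self, now: float, ip: str, mac: str, kind: str, from_lan: bool) -> str:
        """kind is 'syn', 'icmp', 'tiny' (tiny TCP/UDP) or 'data'; returns a verdict."""
        if not self.s.enabled:
            return "forward"
        if from_lan and not self._in_intranet(ip):
            return "drop:not-in-intranet-list"
        if self.locked_until.get(ip, 0) > now:
            return "drop:locked"
        if self._exempt(ip, mac):
            return "forward"
        over = kind == "syn" and \
            self._count(self.conn_times[ip], now, 60) > self.s.max_tcp_conn_per_min
        if kind in ("syn", "icmp", "tiny") and \
                self._count(self.attack_times[ip], now, 1) > self.s.max_attack_pkts_per_sec:
            over = True
        if over:
            self.locked_until[ip] = now + self.s.lock_minutes * 60
            return "drop:locked"
        return "forward"


def run_demo() -> dict:
    """Uses the manual's recommended values for a virus-infected LAN: 512 and 300."""
    g = DosGuard(DosSettings(intranet_segments=["10.251.251.0/24"],
                             intranet_routers=["10.251.251.254"],
                             excluded=["10.251.251.10"],
                             max_tcp_conn_per_min=512,
                             max_attack_pkts_per_sec=300, lock_minutes=5))
    out = {"outsider": g.handle(0.0, "10.9.9.9", "02:00:00:00:00:09", "data", True)}
    flood = [g.handle(i * 0.001, "10.251.251.20", "02:00:00:00:00:20", "syn", True)
             for i in range(301)]                    # 301 SYNs within 0.3 s
    out["flood_first_drop_index"] = flood.index("drop:locked")
    out["locked_later"] = g.handle(100.0, "10.251.251.20", "02:00:00:00:00:20", "data", True)
    out["after_lock_expiry"] = g.handle(400.0, "10.251.251.20", "02:00:00:00:00:20", "data", True)
    out["excluded_never_locked"] = all(
        g.handle(i * 0.001, "10.251.251.10", "02:00:00:00:00:10", "syn", True) == "forward"
        for i in range(400))
    slow = [g.handle(i * 0.1, "10.251.251.30", "02:00:00:00:00:30", "syn", True)
            for i in range(600)]                     # 10 SYNs per second for 60 s
    out["slow_conn_lock_index"] = slow.index("drop:locked")
    return out
```

The slow case shows the two thresholds catching different behaviour: ten SYNs per second never trips the per-second limit, but the 513th connection within a minute trips the per-minute limit, which is the pattern of an infected PC that note 4 describes.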

2.4.4. ARP Protection

ARP spoofing is a commonly seen type of intranet virus. PCs infected by this virus
irregularly transmit ARP spoofing broadcast packets, which interfere with and damage
the normal communication of machines in the intranet; in more serious cases, the whole
intranet is disconnected from the internet. ARP protection in IAM is realized through
cooperation between the IAM device and the access client on the PCs in the intranet.
IAM protects its own ARP cache by not accepting ARP requests or replies that show the
characteristics of an attack, and thus makes itself immune.

If a bound IP/MAC is available when IAM performs access control for users, IAM takes
the bound IP/MAC as authoritative. ARP protection within the intranet is realized via the
access client. After the access client is installed, it communicates with the IAM device to
obtain the correct gateway IP/MAC relation and binds it.

The related configuration interface is shown below:

[Enable ARP protection]: The general switch for enabling the ARP protection function.

[Static ARP Settings]: If the gateway of the intranet PCs is not an interface of IAM, you
have to set it here; for example, when IAM works in bridge mode, the gateway address of
the intranet PCs is the interface address of the router (or firewall) in front of it. In that
case, enter the interface IP/MAC of the front router into [Static ARP Settings]. If the
access client is installed on the intranet PC, the correct gateway IP/MAC can be obtained
from IAM and bound, which ensures that the gateway IP/MAC mapping on the PC is
correct.

[Gateway MAC broadcast period]: This item sets the time interval at which the MAC of
the gateway (the intranet interface of IAM) is broadcast. It is recommended to set it to
10 seconds.

Click <OK> to save the configuration of this part.

Click <Broadcast Gateway MAC> to immediately broadcast the MAC address of the
intranet interface of the device. After the ARP spoofing in the intranet has been cleared,
you can use this button to quickly restore the ARP tables of the intranet PCs.
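The following is an added example, written for this page and not the code of the IAM device or its access client, that models the binding rule of this section: a bound gateway IP/MAC (from [Static ARP Settings] or the binding the client obtains from IAM) prevails, an ARP packet that contradicts it is ignored, and an unbound host remains open to being overwritten, which is why the user IP-MAC bindings matter as well. All addresses are constructed placeholders.

```python
"""Added example, not the code of the IAM device or its access client: a
model of ARP cache protection where bound IP/MAC pairs prevail over ARP
packets that contradict them. Addresses are constructed placeholders."""
from typing import Dict, List, Optional, Tuple


class ArpGuard:
    def __init__(self, bindings: Dict[str, str]) -> None:
        # bound entries are copied into the cache and are never overwritten
        self.bound = {ip: mac.lower() for ip, mac in bindings.items()}
        self.cache: Dict[str, str] = dict(self.bound)
        self.rejected: List[Tuple[str, str]] = []

    def on_arp(self, sender_ip: str, sender_mac: str) -> Tuple[bool, str]:
        """Handle the sender fields of an ARP request or reply seen on the LAN."""
        mac = sender_mac.lower()
        bound = self.bound.get(sender_ip)
        if bound is not None and bound != mac:
            self.rejected.append((sender_ip, mac))
            return False, f"{sender_ip} is bound to {bound}; packet claiming {mac} ignored"
        self.cache[sender_ip] = mac
        return True, f"cache: {sender_ip} -> {mac}"

    def lookup(self, ip: str) -> Optional[str]:
        return self.cache.get(ip)


def run_demo() -> dict:
    gateway_ip, gateway_mac = "10.251.251.1", "02:00:00:00:00:01"   # constructed
    client = ArpGuard({gateway_ip: gateway_mac})   # binding obtained from IAM
    forged = client.on_arp(gateway_ip, "02:00:00:00:00:ee")[0]   # contradicts binding
    learned = client.on_arp("10.251.251.20", "02:00:00:00:00:20")[0]
    # no binding exists for this host, so a later conflicting packet is accepted
    unbound_overwrite = client.on_arp("10.251.251.20", "02:00:00:00:00:ee")[0]
    return {
        "forged_gateway_accepted": forged,
        "gateway_mac_after_forgery": client.lookup(gateway_ip),
        "learned": learned,
        "unbound_overwrite_accepted": unbound_overwrite,
        "rejected_count": len(client.rejected),
    }
```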

2.5. Internet Access Management

[Internet Access Management] includes [Internet Policy], [Authentication Option],
[Authentication Server], [Organization], [User Import], [AD Domain Synchronization]
and [Online User List]. The related configuration interface is shown as below:

2.5.1. Internet Policy


[Internet Policy] sets the internet access policies for intranet users. The policies include
[Access authority], [Web filter], [Mail filter], [Application audit], [Flux and internet access
time statistics], [Ingress system], etc. The policies you set can be applied to users or
user groups to control and monitor their internet access behaviour. The related interface
is shown as below:

[Internet policy list]: Shows the set policies. The contents include [Policy name],
[Description], and [Operation].

You can swiftly select the desired policies that you want to edit by using <Select All> and
<Select Inversely>.

<Add> Add a new policy.

<Delete> Delete the selected policy/policies in the list.

<Export> Export the selected policy/policies in the list.

<Import> Import the policy file/files to the device.

<Download policy template> Download the built-in policy/policies of the device.

Click <View usage information> to view which groups and users are using this policy.
The related interface is shown as follows:

<Rename> is used to rename the policy. Click <Rename>, and the following interface
appears:

Enter the new name and click <OK> to save the configuration.

2.5.1.1. Add a new internet policy

Click <Add> in [Internet Policy] to enter the policy editing interface, as follows:

You can fill in words that are easy to remember in [Policy name] and [Description]. It is
recommended to use words that are convenient as labels.

You can switch between adding a single policy or multiple policies at one time by
choosing <Single policy> or <Multiple policy>. Many policies with the same properties can
be added at one time if <Multiple policy> is chosen. The related interface is shown as
below:

Click <OK> to add one or more policies, as below:

2.5.1.2. Edit the internet policy

Click the name of the policy that you want to edit in the [Internet policy list] to enter the
editing page, as follows:

You can select the policy to edit in [Current edited group].

[Policy template] includes [Access authority], [Web filter], [Mail filter], [Application audit],
[Flux and internet access time statistics], and [Ingress system].

To set the modules of the policy and make them effective, you have to tick the label
on the left of the corresponding module first.
The settable modules of policies are explained as follows.

Access authority
To make it convenient for network administrators to restrict the internet access behaviour
of intranet LAN users, the SINFOR IAM gateway not only provides control of specific
applications based on data packet detection, but also provides control of network
services based on destination IP, protocol port and time segment. [Access authority]
includes [Application control] and [Network control].

<Access authority> is the switch of internet authority control. Tick the item to enable it.

The setup interface is shown as below:

Application control
[Application control] is a method of controlling certain applications by detecting the
contents of the packets.

<Application control> is the switch of application control. Tick the item to enable it.

Click <Add>, and the interface is shown as below:

Select the relevant options in [Application type], [Application name], [Rule name], [Action]
and [Effective time], and click <Add> to complete the setup of an [Application control]
rule. For example, to restrict the intranet to applications based on the HTTP protocol
only, you just have to enable all HTTP and DNS applications. (For the definitions of
application type, application name and rule name, please refer to the relevant chapters
under [Object Setting] above.)

You can swiftly select the application you want to edit by using <Select All> and <Select
Inversely>.

Click <Allow>, <Deny> or <Delete> to carry out the corresponding operations on the
selected applications.

Click <Moveup> and <Movedown> to change the sequence of the selected applications.

<Default allow> and <Default deny> are usually used in combination with the application
rules in the list above. If none of the rules in the list matches, this default action is
carried out.

<If policy groups,the following should be the default action, and rules will be repeated>
decides whether, when a user has a group of policies, matching continues with the
application rules of the following policies. If it is not selected, the default action of the
policy is carried out after the rules in the list have been matched; otherwise, matching
continues with the rules of the next policy.

Finally, click <OK> to save the setup.

Network control
[Network control] is a method of controlling packets by destination IP, port and time
segment.

<Network control> is the switch of the network service control of the policy. Tick the item
to enable it.

Click <Add>, and the interface is shown as below:

Select the relevant options in [Destination IP group], [Service name], [Effective time] and
[Action], and click <Add> to complete the setup of a [Network control] rule. For example,
to prevent intranet users from browsing websites during duty time, you just have to deny
the HTTP service during duty time. (For the definitions of destination IP group, service
name and effective time, please refer to the relevant chapters under [Object Setting]
above.)

You can swiftly select the network service you want to edit by using <Select All> and
<Select Inversely>.

Click <Allow>, <Deny> or <Delete> to carry out the corresponding operations on the
selected network services.

Click <Moveup> and <Movedown> to change the sequence of the selected network
services.

<Default allow> and <Default deny> are usually used in combination with the network
service rules in the list above. If none of the rules in the list matches, this default action
is carried out.

<If policy groups, the following should be the default action, and rules will be repeated>
decides whether, when a user has a group of policies, matching continues with the
network service rules of the following policies. If it is not selected, the default action of
the policy is carried out after the rules in the list have been matched; otherwise,
matching continues with the rules of the next policy.

Finally, click <OK> to save the setup.
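The following is an added example, written for this page and not the IAM gateway's own code, that models how the [Application control] and [Network control] lists above are evaluated for a user with a group of policies: the rules of each policy are matched in order within their effective time, an unmatched list falls back to the policy's <Default allow>/<Default deny>, and the "rules will be repeated" option instead hands the decision on to the next policy. The policies, applications, services and time groups are constructed, including the manual's example of denying HTTP during duty time.

```python
"""Added example, not the IAM gateway's own code: evaluation of a policy
group's application and network control rules as the manual describes.
Policies, rules, time groups and requests are constructed."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class AppRule:
    application: str          # [Application name], e.g. "HTTP"
    action: str               # "allow" or "deny"
    effective_time: str       # [Effective time] group name


@dataclass
class NetRule:
    dst_group: Optional[str]  # [Destination IP group] as CIDR, None = any
    service: str              # [Service name], e.g. "tcp/80"
    effective_time: str
    action: str


@dataclass
class Policy:
    name: str
    app_rules: List[AppRule] = field(default_factory=list)
    net_rules: List[NetRule] = field(default_factory=list)
    default_action: str = "allow"      # <Default allow> / <Default deny>
    continue_to_next: bool = False     # "rules will be repeated" option


TIME_GROUPS = {"duty": (9, 18), "all": (0, 24)}   # constructed: name -> hours


def in_time(group: str, hour: int) -> bool:
    start, end = TIME_GROUPS[group]
    return start <= hour < end


def evaluate(policies: List[Policy], kind: str, request: dict) -> Tuple[str, str]:
    """Return (action, reason) for kind 'app' or 'net' over the user's policies."""
    for policy in policies:
        rules = policy.app_rules if kind == "app" else policy.net_rules
        for rule in rules:
            if not in_time(rule.effective_time, request["hour"]):
                continue
            if kind == "app" and rule.application == request["application"]:
                return rule.action, f"{policy.name}: rule {rule.application}"
            if kind == "net" and rule.service == request["service"] and (
                    rule.dst_group is None or ipaddress.ip_address(request["dst"])
                    in ipaddress.ip_network(rule.dst_group)):
                return rule.action, f"{policy.name}: rule {rule.service}"
        if not policy.continue_to_next:      # list exhausted: apply this policy's default
            return policy.default_action, f"{policy.name}: default"
    last = policies[-1]
    return last.default_action, f"{last.name}: default (end of policy group)"


def run_demo() -> dict:
    web_only = Policy("web-only", app_rules=[AppRule("HTTP", "allow", "all"),
                                            AppRule("DNS", "allow", "all")],
                      default_action="deny")
    duty_block = Policy("no-browsing-on-duty",
                        net_rules=[NetRule(None, "tcp/80", "duty", "deny")],
                        default_action="allow", continue_to_next=True)
    base = Policy("base", net_rules=[NetRule("192.0.2.0/24", "tcp/80", "all", "deny")],
                  default_action="allow")
    http = {"application": "HTTP", "hour": 10}
    qq = {"application": "QQ", "hour": 10}
    web_duty = {"service": "tcp/80", "dst": "198.51.100.8", "hour": 10}
    web_evening = dict(web_duty, hour=20)
    no_continue = [replace(duty_block, continue_to_next=False), base]
    return {
        "http_allowed": evaluate([web_only], "app", http)[0],
        "qq_default_deny": evaluate([web_only], "app", qq)[0],
        "web_on_duty": evaluate([duty_block, base], "net", web_duty)[0],
        "web_evening_continues": evaluate([duty_block, base], "net", web_evening),
        "web_evening_blocked_site": evaluate([duty_block, base], "net",
                                             dict(web_evening, dst="192.0.2.9"))[0],
        "web_evening_no_continue": evaluate(no_continue, "net", web_evening),
    }
```

The last two results differ only in the "rules will be repeated" option: with it set, the evening request reaches the base policy, whose own rule can still deny the 192.0.2.0/24 site; without it, the first policy's default answers and the base policy is never consulted.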

Advanced
<Advanced> is the advanced control of network authority. Tick the item to enable it.

You can clear <Allow users of this group to use HTTP proxy> and <Allow users of this
group to use SOCK4, SOCK5 proxy> to forbid intranet users from using HTTP, SOCK4 and
SOCK5 proxy servers to access the internet, which would otherwise bypass the
monitoring and control of IAM. If you do not want to restrict the use of proxy servers,
just tick these two options.

Clear <Allow to use other protocol in standard ports of HTTP protocol and SSL protocol>
to prevent applications from using the standard HTTP port (TCP 80) and SSL port
(TCP 443) to transmit data that escapes the restrictions of IAM.

1. In order to pass through firewalls, some known or unknown software uses
well-known ports to communicate, while the communicated content is in the
software's own protocol format. You can clear <Allow to use other protocol in
standard ports of HTTP protocol and SSL protocol> to block such data.
2. To control SSL, you have to enable SSL control first. See [Web filter/SSL control].

Web filter
[Web filter] includes [URL filter], [Keyword filter], [File type] and [SSL control].

Tick <Web filter> to enable the web page filter function of the policy.

URL filter
Tick <URL filter> to enable the URL filter function.

The effective URL groups appear when you click <Effective URL group>. Select the URL
group that you want to edit, and click <Allow>, <Deny> or <Cancel> to carry out the
corresponding operation on the selected group. If you choose <Cancel>, the selected
group will appear under <Ineffective URL group>.

The effective time is defined in [Object Setting/Time Group] ahead. You can select the
corresponding effective time from the list.

You can swiftly select the URL group you want to edit by using <Select All> and <Select
Inversely>.

Click <Moveup> and <Movedown> to change the sequence of the selected URL groups.

<Default allow> and <Default deny> are usually used in combination with the URL filter
rules in the <Effective URL group> list. If none of the rules in the list matches, this
default action is carried out.

<If policy groups, the following should be the default action, and rules will be repeated>
is used to continue matching the URL filter rules of the following policies when a user
has several policies. If this option is not selected, IAM carries out the default action after
matching the rules in the list.

The ineffective built-in URL library and defined URL group addresses appear when you
click <Ineffective URL group>. The interface is shown as below:

Select one or more URL groups, click <Allow> or <Deny>, then click <Effective> to add
the selected URL groups to <Effective URL group>.

Finally, click <OK> to save the setup.

Keyword filter
Tick <Keyword filter> to enable the keyword filter function.

Keyword filter includes two kinds of filters: [Search engine] and [HTTP upload].

The search engine filter is used to prevent intranet users from searching for certain
keywords with search engines.

Tick <Search engine> to enable the keyword filter function for search engines. After the
search engine filter is enabled, the keyword groups defined in [Object Setting/Keyword
Group] must also be added to the denied list.

Click <Not denied keyword group>; the keyword groups defined in [Object
Setting/Keyword Group] that are not yet effective will appear. The interface is shown as
follows:

Select the keyword group you want to deny, and click <Deny> to add the keywords to the
denied keyword groups.

Click <Denied keyword group> to show the list of denied keywords, set the [Effective time]
(the effective time has been defined in [Object Setting/Time Group]) and click <OK> to
save the setup.

All keywords here are denied within the effective time.

If you select a keyword group and click <Cancel>, the keywords are no longer denied.

You can swiftly select the keyword groups you want to edit by using <Select All> and
<Select Inversely>.

Click <Moveup> and <Movedown> to change the sequence of the selected keyword
groups.

The [HTTP upload] keyword filter is used to filter keywords contained in uploads
(HTTP_POST), for example keywords in BBS posts and web e-mails sent by intranet
users. The operation is similar to that of the search engine keyword filter; please refer to
[Search engine].

[Keyword filter] is only for HTTP.

File type
Tick <File type> to enable the file type filter function.

File type filter includes two kinds: [Upload] and [Download].

If you select <The following limits are also applicable to FTP upload and download>, FTP
uploads and downloads are restricted by the rules below as well.

[Upload] restricts intranet users from uploading certain kinds of file (identified by
filename extension), for example WebMail or BBS attachments.

Tick <Upload> to enable the upload file type filter. After <Upload> is enabled, the file
type groups defined in [Object Setting/File Type Group] must also be added to the denied
list.

Click <Not denied file type group> to list the file type groups defined in [Object
Setting/File Type Group] that are not yet in effect. The interface is shown below:

Select the file type group you want to deny and click <Deny> to add it to the denied file
type groups.

Click <Denied file type group> to show the list of denied file type groups, set the
[Effective time] (defined in [Object Setting/Time Group]) and click <OK> to save the setup.

All file types in the denied groups are blocked within the effective time.

Select a file type group and click <Cancel> to stop denying those file types.

You can quickly select the file type groups you want to edit with <Select All> and <Select
Inversely>.

Click <Moveup> and <Movedown> to change the order of the selected file type groups.

[Download] restricts intranet users from downloading certain kinds of file (identified by
filename extension), for example MP3 or movie files. Its operation is the same as
[Upload]; refer to the section above.

The [Upload/Download] restriction applies to HTTP (and optionally FTP) transfers only: IAM
inspects the filename extension carried in the web or FTP traffic, not the file content.
A file with a renamed extension is therefore not detected, and files inside an archive or
carried over other protocols are not checked.

SSL control
HTTPS traffic is encrypted, so the real URL of a site visited over SSL is not visible to
IAM and URL filtering cannot be applied to it. SSL control instead decides whether the
client may reach the site from the server certificate, using an issuer black/white list
and an expired certificate check.

SSL control further improves the security of SSL access. (Black/White list; Expired
certificate is not allowed; Check the certificate chain)

Tick <SSL control> to enable the SSL control function of the policy, then configure it as
shown in the following picture:

Enter your black/white list here and select or deselect <Expired certificate is not allowed>.

[Certificates issued by the following organizations are not allowed]: the blacklist.

[Only allow the certificates issued by the following organizations]: the whitelist.

The [Enable/Disable] option above enables or disables the SSL control function.

If <Expired certificate is not allowed> is selected, IAM checks whether the server
certificate has expired and denies the connection if it has.

<Enable SSL certificate chain control> verifies the certificate chain against the
certificate list in [Object Setting/SSL Certificate Mgt]. If a certificate in the chain is
not validly issued by the CA above it, or the certificate has been altered after issuance,
the client's access to the website is denied.

SSL control is also effective when clients access the internet through an HTTP proxy
server.

These checks only look at the certificate the site presents; the session is not decrypted,
so URL, keyword and file type filtering still do not apply to HTTPS traffic.
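The decision described above, modelled as an added example (this is not IAM's own code). Certificates are plain records standing in for parsed X.509 data, the policy fields mirror the options named in this section, and `Cert`, `SslPolicy`, `evaluate_ssl` and the sample chains are all constructed here. The checks run in the order listed: issuer lists, expiry, then chain consistency back to a trusted CA.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not real)."""
    subject: str
    issuer: str
    not_after: datetime
    signature_ok: bool = True   # True if this cert's signature verifies with the issuer's key


@dataclass
class SslPolicy:
    enabled: bool = True
    deny_expired: bool = True            # <Expired certificate is not allowed>
    check_chain: bool = True             # <Enable SSL certificate chain control>
    issuer_blacklist: set = field(default_factory=set)  # [Certificates issued by ... are not allowed]
    issuer_whitelist: set = field(default_factory=set)  # [Only allow the certificates issued by ...]; empty = unused
    trusted_cas: set = field(default_factory=set)       # [Object Setting/SSL Certificate Mgt]


def evaluate_ssl(chain, policy, now=None):
    """chain[0] is the server certificate, chain[-1] the top-most CA the server sent.
    Returns ("allow" | "deny", reason); the first failing check decides."""
    if not policy.enabled:
        return "allow", "SSL control disabled"
    now = now or datetime.now(timezone.utc)
    leaf = chain[0]
    # The issuer lists are applied to the CA that directly issued the server certificate.
    if leaf.issuer in policy.issuer_blacklist:
        return "deny", f"issuer '{leaf.issuer}' is blacklisted"
    if policy.issuer_whitelist and leaf.issuer not in policy.issuer_whitelist:
        return "deny", f"issuer '{leaf.issuer}' is not whitelisted"
    if policy.deny_expired:
        for c in chain:
            if c.not_after < now:
                return "deny", f"certificate '{c.subject}' expired on {c.not_after.date()}"
    if policy.check_chain:
        # Each certificate must name the next one as issuer and carry a valid signature from it.
        for lower, upper in zip(chain, chain[1:]):
            if lower.issuer != upper.subject or not lower.signature_ok:
                return "deny", f"'{lower.subject}' is not validly issued by '{upper.subject}'"
        top = chain[-1]
        if top.subject not in policy.trusted_cas and top.issuer not in policy.trusted_cas:
            return "deny", f"chain ends at '{top.subject}', which is not a trusted CA"
    return "allow", "certificate accepted"


def _jan1(year):
    return datetime(year, 1, 1, tzinfo=timezone.utc)


# Constructed sample data: a fixed "now", a trusted root with one issuing CA, and five chains.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", _jan1(2035))
INTER = Cert("Example Issuing CA", "Example Root CA", _jan1(2030))
POLICY = SslPolicy(issuer_blacklist={"Shady CA"}, trusted_cas={"Example Root CA"})

GOOD = [Cert("www.example.com", "Example Issuing CA", _jan1(2025)), INTER, ROOT]
EXPIRED = [Cert("old.example.com", "Example Issuing CA", _jan1(2023)), INTER, ROOT]
SHADY = [Cert("evil.example", "Shady CA", _jan1(2026)), Cert("Shady CA", "Shady CA", _jan1(2030))]
TAMPERED = [Cert("mitm.example.com", "Example Issuing CA", _jan1(2025), signature_ok=False), INTER, ROOT]
UNTRUSTED = [Cert("corp.internal", "Corp CA", _jan1(2026)), Cert("Corp CA", "Corp CA", _jan1(2030))]

if __name__ == "__main__":
    for name, chain in [("GOOD", GOOD), ("EXPIRED", EXPIRED), ("SHADY", SHADY),
                        ("TAMPERED", TAMPERED), ("UNTRUSTED", UNTRUSTED)]:
        print(name, evaluate_ssl(chain, POLICY, NOW))
```

A whitelist is the stricter of the two lists: once it is non-empty, every issuer not on it is refused, so a private CA used by internal sites must be added to it explicitly or those sites stop working.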

Mail filter
Send/Receive mail
[Mail filter] restricts, monitors, filters, or holds for delayed audit the mail that intranet
users send and receive through a mail server over SMTP and POP3. It includes
[Send/Receive mail] and [Delay Audit Rule].

[Send/Receive mail] restricts outgoing mail by sender address, subject or content
keywords, and attachment type, and can hold outgoing mail for delayed audit. For specific
configuration, refer to the tips on the page.

The setup interface is shown below:

Select <Mail filter> and [Enable] at the top left to enable the mail filter function.

<Mails can't be sent with the following suffixes> and <Mails can only be sent with the
following suffixes> are mutually exclusive. Tick the option you need and enter the mail
suffixes in the box. For example, to restrict intranet users to the company mail system
only, choose [Mails can only be sent with the following suffixes] and enter vpn.com.cn;
from then on, when intranet users send mail over SMTP, only mail from addresses ending in
@vpn.com.cn can be sent.

<Mails can't be sent with title or content including the following keywords> and <Mails
can't be sent with the following attachments> restrict the content of the mail sent by
intranet users. Tick the option and enter the keywords or attachment suffixes, one per
line.

<Enable spam mail filter (Only apply to filter spam mail received)> enables the spam mail
filter, which checks the mail that intranet users receive over POP3. For its setup, refer
to the [Delay Audit Rule] section below.

Delay Audit Rule


IAM can hold outgoing mail for audit before it is sent. Set the corresponding policies
under [Delay Audit Rule] as shown below:

<Mails sent to the following address (or suffixes) will be delay audit> and <Mails sent to
the following address (or suffixes) will not be delayed audit> define, by recipient
address, which mail does and does not need to be audited.

For example, if mail sent within the company does not need to be audited, enter the
domain suffix of your company mail server (such as @vpn.com.cn) under <Mails sent to the
following address (or suffixes) will not be delayed audit>.

You can also select mail for audit by [Mail size] and [Attachment quantity].

<Need delay audit if E-mail contains the following keywords in title or content> defines
the audit policy by keywords in the mail subject or body.

For example, if you set "Source code" as a keyword, any mail whose subject or body
contains that phrase is held for audit.

<Email will be sent to auditor's mailbox when audit takes place> notifies the auditor by
mail when mail for this group is waiting to be audited. The gateway sends the notification
automatically and promptly, so that important mail is not held up for long. Enter the
auditor's e-mail address here.

For <Email will be sent to auditor's mailbox when audit takes place> to work, the mail
sending parameters must also be configured under [Advanced Configuration/Alarm Setting];
refer to that section for details.
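The [Send/Receive mail] rules and the [Delay Audit Rule] above, applied to a constructed outgoing message with the standard library's email parser. This is an added example, not IAM's code: the policy constants, the `build` helper and the five sample messages are assumptions made here. The point worth a second look is `matches_suffix`: a suffix such as vpn.com.cn must be compared against the whole domain (or a sub-domain of it), not found as a substring, or alice@evilvpn.com.cn would pass the company-only rule.

```python
import email
from email import policy as email_policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed policy values standing in for the boxes in the IAM interface.
ALLOWED_SENDER_SUFFIXES = {"@vpn.com.cn"}          # <Mails can only be sent with the following suffixes>
DENIED_KEYWORDS = ["source code", "confidential"]  # <... title or content including the following keywords>
DENIED_ATTACHMENT_EXTS = {".exe", ".rar"}          # <Mails can't be sent with the following attachments>
AUDIT_EXEMPT_SUFFIXES = {"@vpn.com.cn"}            # <Mails sent to ... will not be delayed audit>
AUDIT_KEYWORDS = ["source code"]                   # <Need delay audit if E-mail contains the following keywords>
AUDIT_MAX_SIZE = 2 * 1024 * 1024                   # [Mail size]
AUDIT_MAX_ATTACHMENTS = 3                          # [Attachment quantity]


def address_domain(addr):
    """Lower-cased domain of 'Name <user@host>'; '' if the address has no '@'."""
    _, bare = parseaddr(str(addr))
    _, at, domain = bare.rpartition("@")
    return domain.lower() if at else ""


def matches_suffix(addr, suffixes):
    """A suffix matches the whole domain or a sub-domain of it, never a substring:
    alice@evilvpn.com.cn must not satisfy the suffix vpn.com.cn."""
    d = address_domain(addr)
    for s in suffixes:
        s = s.lower().lstrip("@")
        if d == s or d.endswith("." + s):
            return True
    return False


def subject_and_body(msg):
    text = [str(msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text.append(body.get_content())
    return "\n".join(text).lower()


def attachment_names(msg):
    return [p.get_filename() or "" for p in msg.iter_attachments()]


def check_send(raw):
    """Send/Receive mail rules for one outgoing SMTP message: ('allow' | 'deny', reason)."""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    if not matches_suffix(msg.get("From", ""), ALLOWED_SENDER_SUFFIXES):
        return "deny", "sender suffix not allowed"
    text = subject_and_body(msg)
    for kw in DENIED_KEYWORDS:
        if kw in text:
            return "deny", f"keyword '{kw}'"
    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in DENIED_ATTACHMENT_EXTS:
            return "deny", f"attachment type {ext}"
    return "allow", "ok"


def needs_delay_audit(raw):
    """Delay Audit Rule: should this message be held for the auditor?"""
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = [a for _, a in getaddresses(headers)]
    if rcpts and all(matches_suffix(a, AUDIT_EXEMPT_SUFFIXES) for a in rcpts):
        return False                                   # purely internal mail is exempt
    if len(raw) > AUDIT_MAX_SIZE or len(attachment_names(msg)) > AUDIT_MAX_ATTACHMENTS:
        return True
    text = subject_and_body(msg)
    return any(kw in text for kw in AUDIT_KEYWORDS)


def build(sender, to, subject, body, attachment=None):
    """Constructed sample message, returned as the bytes an SMTP client would send."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


INTERNAL = build("alice@vpn.com.cn", "bob@vpn.com.cn", "lunch", "see you at 12")
SPOOFED = build("alice@evilvpn.com.cn", "x@example.org", "hi", "hello")
LEAK = build("alice@vpn.com.cn", "x@example.org", "fyi", "attached source code")
BINARY = build("alice@vpn.com.cn", "x@example.org", "tool", "binary attached", ("tool.exe", b"MZ"))
REPORT = build("alice@vpn.com.cn", "x@example.org", "report", "quarterly numbers")

if __name__ == "__main__":
    for name, raw in [("INTERNAL", INTERNAL), ("SPOOFED", SPOOFED), ("LEAK", LEAK),
                      ("BINARY", BINARY), ("REPORT", REPORT)]:
        print(name, check_send(raw), "audit" if needs_delay_audit(raw) else "no audit")
```

The attachment rule, like the file type filter earlier in this section, only sees the filename; a renamed or archived executable passes it, which is one reason the delay audit and the auditor notification exist alongside it.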

Application audit
[Application audit] records the messages and logs of intranet users accessing the internet
through IAM. Tick <Application audit> to enable the audit function. The setup interface is
shown below:

[Application audit] includes the following items:

[Application action audit]: records all internet actions of the users.

[Application content audit]: records the specific content of the internet actions.

[Webpage upload audit]: records the text, BBS articles, WebMail, and attachments uploaded
through web pages.

[Webpage download audit]: records the address of each website visited and the filename
of each file downloaded from a web page.

[Mail audit]: records all mail information, including mail sent over SMTP and mail
received over POP3.

[Audit IM chat content]: records the chat content and actions of MSN and Yahoo! Messenger.

[Audit FTP]: records the filenames of files uploaded and downloaded through FTP.

[Audit TELNET]: records the commands executed through telnet.

[Webpage content audit]: records web page titles and contents. It can be limited to pages
that match the configured keywords.

<Enable> or <Disable> enables or disables the webpage content audit.

You can select one of the following three recording modes:

<Audit all webpage titles and contents which users browsed>

<Audit all webpage titles which users browsed, not auditing contents>

<Audit the webpage including the keyword only (set the keyword in the following list)>

Tick <Reject any webpage including the following keywords (set the keyword in the
following list)> to block any web page that contains the denied keywords.

For keyword filter setup, refer to [Internet Access Mgt/Internet Policy/Web
filter/Keyword filter]. Choose the items you want to monitor and click <OK> to save the
setup.

The records produced by application audit can be viewed under [Internet Action
Audit/Data Center] of IAM. (For detailed operations, refer to the relevant chapters later
in this manual.)

1. You may need to select the correct character encoding to view recorded WebMail or
BBS articles.
2. [Webpage content audit] generates a large volume of logs. To exclude certain websites
or file types from auditing, go to [Advanced Configuration/Web Tracking Option] and set
the relevant options.
3. The messages sent and received, and the names of the attachments sent, through MSN
and Yahoo! Messenger can be recorded. If you only need to audit the account information
of encrypted IM software such as QQ, select <Audit application action of all unknown
networks, such as access to a certain port (large log will be generated)>. To record the
chat content of encrypted chat software such as QQ, use the ingress rule; for details
see the chapter [Ingress system].

Flux and internet access time statistics


[Flux and internet access time statistics] includes three parts: [Flux and internet
access time statistics], [Access time control], and [Connection control].

Tick <Flux and internet access time statistics> to enable the function.

Flux and internet access time statistics


This function counts the traffic generated by the access control group across all internet
applications, and the internet access time of each user in the group. The interface is
shown below:

Access time control


[Access time control] limits the time users may spend on the internet. The interface is
shown below:

Select an option under [Control time]; the internet access time limit then applies within
that control time. (For the definition of control time, see the relevant chapter of
[Object Setting] above.)

[Limit user's max internet access time in a day]: set the maximum internet access time
(unit: minute).

[Excluded port]: ports that are not subject to time control. These are destination ports.

Choose <Enable> or <Disable> to enable or disable this function.

Then click <OK> to save the setup.

Connection control
[Connection control] sets the maximum number of concurrent connections for a single user.
The related interface is shown below:

[The max connection of a single user]: limits the number of concurrent connections a
single user may hold. This restrains users running scanning software or P2P download
tools, which open large numbers of connections at once, and slows the spread of worms
that propagate by scanning, because new connections beyond the limit are refused.

When a user's current connections exceed the maximum, further connections are denied.

Click <OK> to save and complete the setup.

Ingress system
The ingress rule restricts the use of proxy software, enforces IP-MAC binding across
Layer 3 boundaries, and records encrypted IM chat logs. When the ingress system is
enabled, a user must satisfy the relevant rules before IAM allows the connection to the
internet.

Tick <Ingress system> to enable the ingress checking function. The related interface is
shown below:

Click <Add>, and the following page appears:

Select an option under [Type] and [Effective time], and click <Add> to complete the setup
of an ingress rule.

The effective time is defined in [Object Setting/Time Group] above; select the required
effective time from the list.

You can quickly select the ingress rules you want to edit with <Select All> and <Select
Inversely>.

Use <Delete> to delete the selected ingress rule(s).

Click <OK> to save and complete the setup.

1. A user or user group may be covered by several policies. When there are several
policies, the matching sequence is as follows:

The picture above lists the parts of a policy that are stacked across policies and the
sequence in which they are matched. When a packet matches internet service control 1 in
policy 1, IAM goes on to internet access control 1 in the same policy rather than down to
internet service control 2 in policy 2. If the matched rule is Deny, IAM drops the packet
and stops matching. If it is Allow, IAM continues matching in the sequence above.
2. Where a module offers [If policy group, the following should be the default action, and
rules will be repeated] and that option is not selected, the gateway applies the default
action ([Default allow] or [Default deny]) of the current policy when none of its rules
matches, and does not continue to the policies below.
3. The parts of a policy that are not stacked are: Internet access authority, Advanced
configuration, Webpage filter SSL control, Mail filter, Application audit, Flux audit, and
Internet access time. For these parts only the first matching policy applies.
4. Rules are matched from top to bottom. Once a rule matches, its action is carried out
immediately and later rules of the same type are not consulted. Put specific (narrow)
rules at the top and broad rules at the bottom; a narrow rule placed below a broad rule
that already covers it can never take effect.
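The matching order in notes 1, 2 and 4 above, and the <If policy groups, the following should be the default action, and rules will be repeated> option described under [URL filter], worked through for the URL filter module as an added example (not IAM's code). The URL groups, the policies and the `repeat_in_next_policy` field are assumptions made here; the manual does not say what happens when every stacked policy defers, so that fallback is marked as an assumption too. `shadowed_rules` is the check a practitioner would run against a policy to catch the mistake note 4 warns about.

```python
from dataclasses import dataclass

# Constructed URL groups standing in for [Object Setting/URL Group]; "*" matches any host.
URL_GROUPS = {
    "work":  {"intranet.example.com"},
    "news":  {"news.example.com", "bbc.co.uk"},
    "games": {"games.example.net"},
    "all":   {"*"},
}


@dataclass
class Rule:
    group: str
    action: str   # "allow" or "deny"


@dataclass
class UrlFilter:
    rules: list                          # top to bottom, as ordered with <Moveup>/<Movedown>
    default: str = "deny"                # <Default allow> / <Default deny>
    repeat_in_next_policy: bool = False  # <If policy groups, the following should be the
                                         #  default action, and rules will be repeated>


def host_in_group(host, group):
    host = host.lower()
    members = URL_GROUPS[group]
    return "*" in members or any(host == m or host.endswith("." + m) for m in members)


def evaluate_url(host, policies):
    """policies: ordered [(name, UrlFilter)] that apply to one user, highest priority first.
    Returns (action, trace); the trace explains which rule or default decided."""
    trace = []
    for name, pf in policies:
        for rule in pf.rules:
            if host_in_group(host, rule.group):
                trace.append(f"{name}: rule [{rule.group}] -> {rule.action}")
                return rule.action, trace   # first match wins; rules below are never consulted
        if not pf.repeat_in_next_policy:
            trace.append(f"{name}: no rule matched -> default {pf.default}, stop")
            return pf.default, trace
        trace.append(f"{name}: no rule matched, repeating in the next policy")
    # Assumption (the manual does not say): if every policy defers, the last one's default applies.
    last = policies[-1][1].default
    trace.append(f"all policies deferred -> default of last policy: {last}")
    return last, trace


def shadowed_rules(pf):
    """Rules that can never fire because an earlier rule's group already covers every host
    in theirs (the narrow-rule-below-wide-rule mistake of note 4)."""
    shadowed = []
    for i, later in enumerate(pf.rules):
        for earlier in pf.rules[:i]:
            if all(host_in_group(h, earlier.group) for h in URL_GROUPS[later.group]):
                shadowed.append(later.group)
                break
    return shadowed


# Constructed policies for one user: the dev-team policy sits above the all-staff policy.
DEV = ("dev-team", UrlFilter([Rule("work", "allow"), Rule("games", "deny")],
                             default="deny", repeat_in_next_policy=True))
DEV_NO_REPEAT = ("dev-team", UrlFilter([Rule("work", "allow"), Rule("games", "deny")],
                                       default="deny"))
STAFF = ("all-staff", UrlFilter([Rule("news", "allow")], default="deny"))
BAD_ORDER = ("bad-order", UrlFilter([Rule("all", "allow"), Rule("games", "deny")]))

if __name__ == "__main__":
    for host in ("intranet.example.com", "games.example.net", "news.example.com", "unknown.example"):
        action, trace = evaluate_url(host, [DEV, STAFF])
        print(host, "->", action, "|", "; ".join(trace))
    print("shadowed in bad-order:", shadowed_rules(BAD_ORDER[1]))
```

With `repeat_in_next_policy` cleared on the dev-team policy, news.example.com is denied by that policy's default before the all-staff policy is ever consulted, which is the behaviour note 2 describes and the usual reason a lower policy appears not to work.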

2.5.2. Authentication Option


[Authentication Option] sets the authentication parameters of IAM. The related interface
is shown below:

2.5.2.1. New user authentication

[New user authentication] sets the default handling of new users who are not yet in the
user list. It can add a new user to the user list and to a certain group automatically,
and bind the IP or MAC address of the new user automatically. The related interface is
shown below:

<Allow to authenticate new user (i.e. the user isn't in the list now)> allows users who
are not yet in the list to be authenticated and added to the user list and the designated
group.

Treatment of the new users


New users can be authenticated in one of three ways:

<Use IP Address as new user>: adds the new user to the user list automatically, using
the IP address as the user name.

<Use computer name as new user>: adds the new user to the user list automatically, using
the computer name as the user name.

<Authenticate in server (password is required when login)>: authenticates the user name
and password against a third-party authentication server. If the authenticated user name
is not in the user list, the device adds it automatically.

The third-party servers supported by IAM are <Authenticate in LDAP server>,
<Authenticate in RADIUS server>, and <Authenticate in POP3 server>.

Select the server that fits your environment. For server configuration, see the chapter
[Authentication Server].

Note that the first two methods identify a user only by an IP address or computer name,
both of which are chosen by the client machine itself; only the third method verifies the
user's identity with a password.

Treatment of authenticated new user


Add New User Policy: IAM automatically places an authenticated new user into a group
according to its IP address, and the new user receives the authority of that group. Click
<set and add new user policy> to open the policy configuration page:

You can quickly select the policies you want to edit with <Select All> and <Select
Inversely>.

Click <Moveup> and <Movedown> to change the order of the selected policies.

Click <Add> to add a policy for new users:

[Policy name]: any name that is easy to understand.

[IP segment]: the IP condition. Users whose IP address falls within this segment are added
to the group defined below.

[Satisfying policy add to group]: the group to which new users who satisfy the policy are
added automatically.

The authenticated new user can also be bound automatically: <Not bind>, <Bind IP>, <Bind
MAC>, or <Bind IP/MAC at the same time>.

1. New users that use the IP address or the computer name as the user name must have at
least one IP or MAC address bound.
2. If a firewall on the client PC prevents the computer name from being resolved, the PC
is not added to the user list; it nevertheless receives the authority of the root group,
or of the group it is added to automatically (when "Add to the group automatically if the
authentication is successful" is selected).

2.5.2.2. Single Sign On Option Setting

Single Sign On
Single Sign On means that when a user's PC logs in to a third-party server for
authentication, it passes IAM's WEB authentication automatically, without re-entering the
user name and password.

SSO reduces the number of times the password is entered, and with it the risk of password
leakage, because the user enters the password only once, to log in to the third-party
server, and is then authenticated automatically.

[Single Sign On Option Setting] contains the related settings: domain SSO, POP3 SSO and
proxy SSO. A further option configures the listening interface used to monitor login
traffic on the network. The related configuration interface is shown below:

LDAP SSO
Domain SSO
When a user's PC logs in to the domain server, WEB authentication is passed automatically
without re-entering the user name and password. The typical application topology is shown
as follows:

Network environment:
The network structure is shown as follows:

The domain server is located on the intranet, so PC1 and PC2 can log in to the domain
server before authentication. The domain server and IAM must be able to reach each other
so that the domain server can pass the result of a successful authentication to IAM. The
primary DNS server of the user's PC must be set to the IP address of the domain server.

Operating procedures:
Tick [enable domain SSO] to activate domain SSO.

Domain SSO works in one of two ways: either the SSO component installed on the domain
controller reports domain logins to IAM, or IAM's listening interface, connected to a
mirror port of the switch (or to a hub), picks the domain login information out of the
traffic.

Domain server group policy mode


This mode uses the group policy of the domain server to implement SSO. WEB authentication
completes automatically when the PC logs in to the domain, and when the user logs off,
the corresponding login record is cleared on IAM as well.

Operating procedures:
Configuring the logon script

1. After logging in to the server, open "Manage Your Server", as shown in the following
figure:

2. Select "Active Directory Users and Computers", as shown in the following figure:

3. Right-click the domain to be monitored in the window that opens and select Properties:

4. In the window that opens, click Group Policy, and in the group policy window
double-click Default Domain Policy.

5. In the Group Policy Editor, open in turn User Configuration, Windows Settings, Scripts
(Logon/Logoff).

6. Double-click Logon on the right, then click Show Files at the lower left of the logon
script properties window. A directory opens; save the logon script file in this directory,
then close the directory.

7. Click <Add> in the logon script properties window, click <Browse> in the Add a Script
window and select the saved logon script file (logon_release.exe). Under Script
Parameters enter the IAM IP address, the port number (fixed at 1773) and the key (the
same password as set on the IAM side), separated by spaces. Click Apply and OK, then
close all the group policy property pages in turn.

8. After configuring the script, click <Start> and <Run> at the lower left of the desktop,
enter gpupdate in the Run window and click <OK> to apply the group policy.

9. The logon script is now in place and is executed each time a domain user logs on.

Configuring the logoff script

1. Follow the same steps as for the logon script, but double-click <Logoff>.

2. Click <Show Files> at the lower left of the logoff script properties window. A directory
opens; save the logoff script file (logoff_release.exe) in this directory, then close the
directory.

3. Click <Add> in the logoff script properties window, click <Browse> in the Add a Script
window and select the saved AD logoff script file (logout.exe), and under [Script
Parameters] enter the IAM IP address that was entered for the logon script parameters
(10.251.251.251 in this example). Then close all the group policy property pages in turn.

4. After configuring the script, click <Start> and <Run> at the lower left of the desktop,
enter gpupdate in the Run window and click <OK> to apply the group policy.

5. The logoff script is now in place and is executed each time a domain user logs off.

1. The primary DNS server of the user's PC must be set to the IP address of the domain
server; otherwise the system may not find the domain server when the domain is joined.
Also, if the user's machine changes its DNS or IP address after a successful login, the
user can still enter Windows with the correct domain password, but the PC has not
actually logged in to the domain and SSO does not take effect; the user then has to
enter the password to access the internet. This is because Windows caches the last
correct password and can be entered even when the domain server is not reached.
The domain server IP, the gateway LAN port IP and the user's PC must be able to reach
each other. This applies when LDAP authentication is enabled and the user's PC logs in to
the domain server when logging in to Windows.
2. Using the monitor mode
Tick [Monitor mode] and enter the IP address and port of the domain server under [login
server as follow]. The device then monitors the authentication traffic from client
machines to the domain server on the network.
3. If the authentication traffic does not pass through IAM, set the listening interface
before using the monitor mode for SSO. For the setting of the listening port, refer to
the part of this section on configuring the listening ETH.
4. It is preferable to use both SSO methods at the same time.

POP3 SSO
POP3 authentication
POP3 authentication is normally used where the organization runs an internal mail system
in which each user has a mail account and the mail filter is enabled.

It suits environments where the mail system is already in use, and adds a fast and
personal authentication method to the available choices.

After POP3 authentication is set, the users are those that exist on the POP3 server. When
a user enters the password, the authentication system logs in to the designated POP3
server automatically; if the login succeeds, the password is correct and authentication
passes, otherwise it fails. If [enable POP3 SSO] is ticked, the authentication system
also recognizes users who log in to the POP3 server with Outlook, Foxmail or another mail
client, and passes them automatically. The user can then access the internet directly
without entering the password again.

Network environment:
The network structure is shown as follows:

If both the POP3 server and the authenticated PC are on the intranet, the authentication
traffic does not pass through IAM. To achieve automatic authentication, the mirror
interface must be set; otherwise manual authentication must be used, that is, the user
enters the user name and password in the dialog box that pops up when visiting web pages.

Operating procedures:
Tick [enable POP3 SSO] and enter the IP address and port of the POP3 server under [login
server as follow]. The device then monitors the authentication traffic from client
machines to the POP3 server on the network.

1. If the authentication traffic does not pass through IAM, set the listening port first
to enable SSO. For the setting of the listening port, refer to the part of this section
on configuring the listening interface.
2. If the POP3 server is on the internet, automatic authentication additionally requires
that <Users can access basic service before authentication (default root group authority,
excludes HTTP)> is ticked and that the root group is authorized to reach this POP3
server; otherwise the mail client cannot log in before the user is authenticated.

Proxy SSO
Proxy authentication

Proxy authentication is normally used where the organization runs a proxy server and
each user has a proxy account.

It suits environments where the internet is reached through a proxy server. After proxy
authentication is set, the users are those that exist on the proxy server: the user
accesses the internet via the proxy server and is authenticated with the password of the
proxy server account. If the verification succeeds, the password is correct and
authentication passes, otherwise it fails. IAM intercepts the verification exchange
between the user and the proxy server to map the user's IP address to a user name.

Network environment:
The network structure is shown as follows:

If IAM is deployed in bypass mode, the authentication traffic does not pass through IAM.
To achieve automatic authentication, the mirror interface must be set; otherwise manual
authentication must be used, that is, the user enters the user name and password on the
authentication web page.

Operating procedures:
Tick <Enable PROXY SSO> and enter the IP address and port of the proxy server under
[Login server as follow]. The device then monitors the authentication traffic from client
machines to the proxy server on the network.

If the authentication traffic does not pass through IAM, set the listening port first to
enable SSO. For the setting of the listening port, refer to the part of this section on
configuring the listening interface.
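POP3 SSO and proxy SSO above both work by passively reading the login exchange on the listening port. The following added example (not IAM's code) shows that logic over a constructed capture: the server addresses and ports, the flow records and the session bookkeeping are all assumptions made here. A mapping from client IP to user name is recorded only once the server has accepted the credentials, so a wrong POP3 password or a 407 from the proxy leaves no mapping. Note what the technique implies: the device can read USER/PASS and the Basic Proxy-Authorization header only because they cross the wire in clear text; a mail client that logs in over TLS yields nothing to the mirror port, and those users fall back to manual authentication.

```python
import base64

# [Login server as follow] entries, constructed for this example.
POP3_SERVER = ("10.0.0.5", 110)
PROXY_SERVER = ("10.0.0.8", 3128)


def sso_mapping(flows):
    """
    flows: ordered (src_ip, src_port, dst_ip, dst_port, payload_text) records as seen on the
    listening (mirror) port. Returns {client_ip: username}, populated only once the server
    has accepted the credentials; failed or unanswered logins create no mapping.
    """
    mapping, pending = {}, {}   # pending[client_ip] = (username, stage)
    for src, sport, dst, dport, payload in flows:
        if (dst, dport) == POP3_SERVER:                       # client -> POP3 server
            cmd, _, arg = payload.strip().partition(" ")
            if cmd.upper() == "USER":
                pending[src] = (arg, "user")
            elif cmd.upper() == "PASS" and src in pending:    # password travels in clear text
                pending[src] = (pending[src][0], "pass")
        elif (src, sport) == POP3_SERVER:                     # POP3 server -> client
            user, stage = pending.get(dst, (None, None))
            if stage == "pass":                               # the +OK after USER proves nothing
                if payload.startswith("+OK"):
                    mapping[dst] = user
                pending.pop(dst, None)                        # +OK or -ERR ends the attempt
        elif (dst, dport) == PROXY_SERVER:                    # client -> proxy
            for line in payload.split("\r\n"):
                if line.lower().startswith("proxy-authorization: basic "):
                    try:
                        creds = base64.b64decode(line.split(" ", 2)[2]).decode()
                    except Exception:
                        continue                              # malformed header: ignore it
                    pending[src] = (creds.split(":", 1)[0], "pass")
        elif (src, sport) == PROXY_SERVER:                    # proxy -> client
            user, stage = pending.get(dst, (None, None))
            if stage == "pass":
                status = payload.split(" ", 2)[1] if payload.startswith("HTTP/") else ""
                if status and status != "407":                # 407 = credentials rejected
                    mapping[dst] = user
                pending.pop(dst, None)
    return mapping


def _basic(user, password):
    return base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed mirror capture: one payload per record, four clients, two of them failing.
FLOWS = [
    ("192.168.1.10", 51000, "10.0.0.5", 110, "USER alice\r\n"),
    ("10.0.0.5", 110, "192.168.1.10", 51000, "+OK\r\n"),
    ("192.168.1.10", 51000, "10.0.0.5", 110, "PASS hunter2\r\n"),
    ("10.0.0.5", 110, "192.168.1.10", 51000, "+OK Logged in.\r\n"),
    ("192.168.1.11", 51001, "10.0.0.5", 110, "USER bob\r\n"),
    ("10.0.0.5", 110, "192.168.1.11", 51001, "+OK\r\n"),
    ("192.168.1.11", 51001, "10.0.0.5", 110, "PASS wrong\r\n"),
    ("10.0.0.5", 110, "192.168.1.11", 51001, "-ERR Authentication failed.\r\n"),
    ("192.168.1.12", 51002, "10.0.0.8", 3128,
     "GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
     "Proxy-Authorization: Basic " + _basic("carol", "pw") + "\r\n\r\n"),
    ("10.0.0.8", 3128, "192.168.1.12", 51002, "HTTP/1.1 200 OK\r\n\r\n"),
    ("192.168.1.13", 51003, "10.0.0.8", 3128,
     "GET http://example.org/ HTTP/1.1\r\n"
     "Proxy-Authorization: Basic " + _basic("dave", "bad") + "\r\n\r\n"),
    ("10.0.0.8", 3128, "192.168.1.13", 51003, "HTTP/1.1 407 Proxy Authentication Required\r\n\r\n"),
]

if __name__ == "__main__":
    print(sso_mapping(FLOWS))
```

Because the mapping is keyed on the client IP address, it is only as strong as the IP/MAC binding configured elsewhere in this chapter: a host that takes over an authenticated address inherits its session until the idle timeout or a logoff clears it.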

Listening mapping network port

The listening mapping network port is used when the authentication traffic does not pass
through IAM: IAM connects one of its interfaces to a mirror port of the switch and picks
the authentication information out of the mirrored traffic to achieve SSO.

To use it, tick <If sign on data will not go through IAM, please set listening mapping
network port (mapping port should be set as idle network port)> and choose an idle
interface for listening.

1. The listening mapping network port must be an interface that IAM is not otherwise
using.
2. The switch port mirrored to the listening interface must at least carry the traffic of
the authentication server.

Must use single sign on


Tick <Users belong to the following IP range must use single sign on, but not including
users not require authentication and DKEY> to set the IP segments of intranet users that
must use single sign on. The related interface is shown below:

Set the IP segments in the list; users in these segments must then use single sign on and
pass IAM authentication before accessing the internet. Users bound to an IP address in
these segments who are set not to require authentication, and users with DKEY
authentication enabled, are exempt from this requirement.

2.5.2.3. Page skip setting after authentication

Under [Page skip setting after authentication], you set the page the browser is redirected
to after WEB authentication. The related configuration interface is shown below:

If <Skip to the recent acquired Webpage> is selected, the intranet user's browser is
redirected to the page that was originally requested after authentication.

If <Skip to URL of customized page> is selected, the intranet user's browser is redirected
to the configured custom URL after authentication.

2.5.2.4. Authentication conflict setting

Under [Authentication conflict setting], you can prevent several users from logging in at
the same time with the same account. If the account is already in use when a user
authenticates, IAM offers two ways of handling it: <If sign off from the former one by
force, it should pass the authentication at the current IP> (the earlier session is
forced off and the new IP is authenticated), and <Note if users sign on with another IP,
they will not sign off from the former one> (the user is notified and the earlier session
is not signed off).

2.5.2.5. Other authentication option setting

Under [Other authentication option setting], you can configure further
authentication-related options: [Logout the user automatically if there is no traffic
within minutes], [User can access DNS service before authentication], and [User can
access basic service before authentication (default root group authority, excludes
HTTP)]. The interface is shown below:

[Logout the user automatically if there is no traffic within minutes] sets the idle
timeout. When a user generates no traffic for that many minutes, IAM logs the user out
automatically.

Select <Users can access DNS service before authentication> to allow users to use DNS
before they are authenticated.

Select <Users can access basic service before authentication (default root group
authority, excludes HTTP)> to give unauthenticated users the authority of the root group,
except for TCP port 80.

1. Users who authenticate with user name and password can change their password
themselves. The account is frozen for one minute after three consecutive failed attempts
to change the password.
2. Open the password change page (http://<gateway IP>) and click <Modify password> at
the bottom.

Enter the user name, old password, new password and confirmation of the new password,
and click <Submit>.
3. To enable DKEY authentication, click <DKEY client> at the bottom of the on-line user
list to download the DKEY authentication client.
4. If the ingress client cannot be installed automatically, click <Ingress client> on
this page to download and install it manually.

2.5.3. Authentication Server


The item [Authentication Server] is used to configure the information for the third-party
authentication servers, including LDAP, RADIUS and POP3 servers.

The related setting interface is shown as below:

Click <Add>, the following interface will appear:

[Server type]: three server types are available. After you select a type, the corresponding interface appears.

2.5.3.1. LDAP Server

Three types of LDAP server are supported: Microsoft Active Directory, SUN LDAP and OPEN LDAP. Select the type that matches your server.

After you select <LDAP>, the following interface will appear:

For details of the parameter settings, consult the administrator of the LDAP server. Normally you only need to fill in [IP address], [Authentication port], [Server user], [User password] and [Type]; the other parameters can keep their default values.

2.5.3.2. RADIUS Server

After you select <RADIUS>, the following interface will appear:

For details of the parameter settings, consult the administrator of the RADIUS server. Normally you need to fill in [IP Address], [Authenticated port], [Share cipher key], [Overtime(seconds)] and [Adopt protocol].

2.5.3.3. POP3 Server

After you select <POP3>, the following interface will appear:

For this option, you can enter the respective information in [IP Address], [Authenticated
port] and [Overtime(seconds)].

2.5.4. Organization
Under the item [Organization], you can set the organization of the intranet users and user
groups, and the relationship of policy and user and user group. The configuration interface
is as shown below:

The default group is the root group, which cannot be deleted and whose name cannot be modified. All groups that users create are sub-groups of the root group. In IAM 1.9 you can set the inheritance relationship of the groups, which makes it easy to distinguish between a parent group and its sub-groups, and between a parent group and its users. This suits the management of a company's organization structure.

[Member list]: List the sub-groups and users in the group.

[Internet policy list]: List the internet policies used in the group.

[NO]: List the serial number of the groups.

[Type]: List the member types, including sub-groups and users.

[Name]: List the member names. <Select All/Select inversely> is used to swiftly select the
members you want to edit.

[Group]: List the paths of the member organization structures.

[Internet policy]: List the type of internet policy used by each member. The types are [Use parent group policy] and [Use your own policy]. [Use parent group policy] means the member inherits the Internet policy of its parent group completely. [Use your own policy] means the member's Internet policy is set in [Internet policy list].

[Summary]: List the summaries of all members.

[Description]: List the descriptions of all members.

Groups are managed hierarchically, with up to 16 levels by default.

2.5.4.1. Search

Under the item <Search>, you can search for users or user groups with certain characteristics. The search range is confined to the sub-groups and users of the current group. The following picture shows a search of the sub-groups and users under the root group.

Under the item [Search condition], you can set the search condition, which includes
<Name>, <IP Address> and <MAC Address>. <IP Address> and <MAC Address> can
only be used to search the users.

Under the item [Record numbers per page], you can set the numbers of the searched
members displayed per page.

Tick the <Advanced search> to show the following options, which are used to set the
detailed conditions when searching the users. The options include [Authentication ways],
[Other option], and [Column sorted].

Then, you can click <Search> to search the users and sub-groups that meet the
conditions.

2.5.4.2. Add subgroup

Click <Add subgroup> in the page of [Member list], and the following picture shows up:

You can select <Single subgroup> or <Multi-subgroup> to switch between adding one subgroup and adding several at a time. If you select <Multi-subgroup>, you can add several subgroups with the same attributes at once. The interface is as shown below:

Set the name of the subgroup in [Group name] or [Group name list]. Choose names that are easy to remember and identify.

Under the item [Group path], the path of the new group within its parent group is listed. In this example the new subgroup is created under the root group, whose path is "/".

Under the item [Description], you can set the description of the group.

You may add one or several subgroups as shown in the following picture when you click
<Submit>.

The new subgroup will be shown in the member list and tree on the left of the interface.

1. To add a subgroup, click <Add subgroup> in the editing interface of the parent group. To add a sub-group of "A-Group", add it in the editing interface of "A-Group".
2. IAM supports up to 16 levels of organization structure (including the root group).

2.5.4.3. Edit subgroup

Click the name of the subgroup in [Member list] that needs to be edited to enter the editing interface as shown below:

The functions and settings of <Search> here are similar to those described above. Note: if you click <Search> here, you search all members of the group "/Group"; the range of other searches follows the same rule.

Click the <Add subgroup> to add subgroup of the current group. For detailed settings,
please refer to the previous chapters.

Click the <Add user> to add users of the current group. For detailed settings, please refer
to the following chapters.

Under the item <Multi-edit>, you can edit the public information of selected members at
the same time.

Under the item <Delete>, you can delete the selected subgroups or users.

<Enable> and <Disable> are used to enable or disable the selected users.

You can click <Move> to move the subgroups or users to another group. The affiliated groups and policies of a subgroup are moved with it. The setting interface is as shown below:

Tick the users and groups that you want to move and click <Select>, select the target group in the pop-up list, then click <Move> to move the users and groups to the selected target group.

You can click <Return to previous group> to return to the page of previous group.

<Export> and <Import current group>: They are used when you want to save some organizations and their members, or copy the members to another organization. Tick the groups and users that you want to export, and click <Export> to export the selected groups and users, including the attributes of the members. For example, to copy "/B-Group/B-sub-group" to /A-Group as shown below:

Enter the A-Group management page, and click <Import current group> to import /B-Group/B-sub-group as in the following picture:

The imported result is as shown in the following picture:

Users cannot be imported back and forth within the same IAM, because a user name cannot be repeated in IAM; a group name can be repeated as long as the group path is different.

Under the item <Internet policy list>, you can manage and set the internet policy of the group. The configuration interface is as shown below:

Select <Use parent group policy>, and "A-Group" inherits the internet policy of its parent group (the root group) completely; the operations <Add policy>, <Moveup>, <Movedown> and <Delete> are then not available.

Deselect <Use parent group policy> to use the group's own internet policy.

You can use the <Select all/Select Inversely> to swiftly select the policies you want to edit.

<Add policy> is used to add internet policy, click <Add policy> and the interface is as
shown below:

Select an option in [Policy object], and click <Add> to add the selected policy to the group
policy. (For the definition of [Policy object], please refer to the relevant chapter before.)

You can click <Moveup> and <Movedown> to move the selected policy, and adjust the
sequence of policy matching.

You can use <Delete> to delete the selected policy/policies.

[Forcing sub-group succession] forces the sub-groups to inherit this policy. The inheriting sub-groups include the direct sub-groups and the subordinate groups and users of the direct sub-groups. The direct users of this group are also forced to inherit the policy. Unlike an inheriting subgroup, a user can move and delete the policy, and the forced inherited policy has the highest priority among the sub-group policies.

1. One user or group can be associated with up to 10 internet policies.
2. When there is more than one policy, refer to [Internet Access Mgt/Internet policy] for the policy matching sequence and the related notice.

2.5.4.4. Add user

Click <Add user> in the page of [Member list], and the following picture shows up:

You can select either <Single user> or <Multi-user> in [Add object].

If <Multi-user> is selected, you cannot set to display the name, bind the IP/MAC address,
or create DKEY authentication user. The interface is as shown below:

Click <OK> to add the user, and the interface is as shown below:

The user information is shown in the member list of the group after the user is added.

2.5.4.5. Edit user

You can click the user name in [Member list] to enter the editorial interface as shown
below:

Bind IP/Bind MAC

Under the item <Bind IP/Bind MAC>, you can restrict the user to passing IAM authentication only from a computer with the bound IP/MAC. The interface is as shown below:

You can select <Bind IP>, <Bind MAC>, <Bind IP/MAC at the same time>, or <Not bind>.
When <Not bind> is selected, you have to choose one option in [Authentication ways]
except <Not need authentication>.

You can click <Format Explanation> to view the format of IP or MAC.

Bind IP
Select <Bind IP>, and set the information of binding IP as the following picture:

Click <Add IP> and select <Single IP>, <IP range> or <Subnet> in [Add object] to add a single IP, an IP range or a subnet.

Under the item [Get from IP group], you can select IPs from an IP group. (For the definition of IP group, refer to the relevant chapters of [Object Setting] above.)

You can click [Clear list] to clear the IP list quickly.

Bind MAC
Select the <Bind MAC>, and set the information of binding MAC as the following picture:

You can add the information of MAC address directly in the MAC address list

You can enter the start and end IP of the scan range and click <Scan MAC address> to scan the MAC addresses in this IP range. (MAC address scanning uses the NETBIOS protocol; it can scan across different networks, provided that NETBIOS is enabled on the network to be scanned and no firewall blocks it.)

You can click <Clear list> to clear the MAC quickly.

Bind IP/MAC at the same time


Select the <Bind IP/MAC at the same time>, and set the information of binding IP/MAC as
the following picture:

You can add the information of IP/MAC address directly in the address list.

Click <Scan MAC address>, choose an option in [Scan object], and input the IP range to
scan the MAC address in this IP range. <Single IP>, <IP Range>, and <Subnet> are
available in [Scan object].

You can click <Clear list> to clear the IP/MAC quickly.

Not bind
If you do not bind any IP or MAC, you have to choose one option in [Authentication ways] when <Not bind> is selected. The configuration interface is as shown below:

Group
Under the item [Group], you can select the user groups. The interface is as shown below:

Click <Select>, and the current user group and the group structure are shown on the
interface.

You can click <OK> to select your user group, and <Cancel> to deselect the user group.

Authentication ways
[Authentication ways] includes <Password authentication>, <DKEY authentication>, <Not need authentication>, and <Only allow SSO>. The interface is as shown below:

Under the item <Password authentication>, the user is authenticated by user name and password through the web page.

<Customized password> sets an initial password for the user authenticated on the IAM.

<LDAP authentication>, <RADIUS authentication> and <POP3 authentication> check the password against the corresponding third-party authentication servers.

One user can have several password authentication ways selected at the same time; authentication succeeds as long as one of them matches.

You can select <DKEY authentication> to authenticate with USB key. You can also select
the [Enable DKEY monitor protection].

DKEY has two types, one for authentication and the other for monitor protection. These two types of DKEY cannot be mixed.

Choose the <DKEY authentication> and click <Generate DKEY>, the following picture
shows up:

The internet actions of DKEY users are not recorded when <Enable DKEY monitor protection> is selected.

Enter the DKEY initial password in [Please input DKEY initial password], and confirm it in [Please input DKEY initial password again]. This password is then set as the DKEY initial password.

You can download the DKEY driver by clicking <Download DKEY driver>. DKEY can be
recognized and generated only after the driver has been installed.

You can click <Start to write DKEY> to generate the DKEY.

When <Not need authentication> is selected, users do not need web-based user name/password authentication; in this case you have to bind an IP or MAC.

When <Only allow SSO> is selected, users can pass IAM authentication only in SSO mode.

<Allow more than one user to sign on the same account> allows more than one user to sign on with the same account.

Expired time
There are two types: [Permanent] and [Expire after the date].

The account expires after the set date. The time format is yyyy-mm-dd, for example, 2008-12-31. The interface is as shown below:

User status
Under the item [User status], you can decide whether the user is effective. If you select
<Disable>, the user is not effective.

1. If you have selected more than one password authentication way, the rules are matched from top to bottom. Once one rule has matched, the rules below it are not tried. For example, if all four authentication ways are selected, matching starts from [Customized password], then [LDAP authentication], [RADIUS authentication] and finally [POP3 authentication].
2. Download and install the DKEY driver before generating a DKEY. You can click <Start to write DKEY> to generate the DKEY only after you have inserted it.
3. DKEY has two types, one for authentication and the other for monitor protection; the two types cannot be mixed. If the DKEY is for authentication, do not select <Enable DKEY monitor protection> when generating it. If the DKEY is for monitor protection, select <Enable DKEY monitor protection> when generating it.
4. Enter the gateway IP in the IE browser, click <DKEY client> on the page to download the authentication client, and install it. Open the authentication client after you have inserted the DKEY, and the following dialogue box will show up:

Enter the password to log in. If the DKEY is for monitor protection, the authentication client will prompt that you are not being monitored.
5. If you select <Not need authentication> in [Authentication ways], you have to bind at least one IP or MAC address.
6. MAC address scanning is done on the machine using the NETBIOS protocol. If the MAC address cannot be scanned, check whether NETBIOS is enabled on the machine, whether a firewall on the network or on the machine blocks it, and whether the machine has several IP addresses.
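The rules of this section (IP/MAC binding, the <Not bind> and <Not need authentication> constraints, the top-to-bottom matching of password ways, and the two options of [Authentication conflict setting] from 2.5.2.4) combined into one login decision. This is an added model written for this manual, not IAM code; the in-memory dictionaries stand in for the customized-password store and the LDAP/RADIUS/POP3 servers, and the KEEP_FORMER mode assumes that the second option refuses the new login.

```python
"""Per-user authentication decision as described in this section (constructed model, not IAM code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Password authentication ways in the order the manual says they are matched.
CUSTOMIZED = "Customized password"
LDAP = "LDAP authentication"
RADIUS = "RADIUS authentication"
POP3 = "POP3 authentication"
NOT_NEED = "Not need authentication"
AUTH_ORDER = [CUSTOMIZED, LDAP, RADIUS, POP3]

BIND_IP, BIND_MAC = "Bind IP", "Bind MAC"
BIND_BOTH, NOT_BIND = "Bind IP/MAC at the same time", "Not bind"

# [Authentication conflict setting]; KEEP_FORMER assumes the new login is refused.
FORCE_LOGOUT_FORMER = "force"
KEEP_FORMER = "keep"


@dataclass
class User:
    name: str
    bind: str = NOT_BIND
    ips: List[str] = field(default_factory=list)
    macs: List[str] = field(default_factory=list)
    auth_ways: List[str] = field(default_factory=list)
    allow_multi_login: bool = False   # <Allow more than one user to sign on the same account>
    enabled: bool = True              # [User status]


def config_error(user: User) -> Optional[str]:
    """Return the rule from the manual that the user record violates, or None."""
    if user.bind == NOT_BIND and (not user.auth_ways or user.auth_ways == [NOT_NEED]):
        return "<Not bind> requires an authentication way other than <Not need authentication>"
    if NOT_NEED in user.auth_ways and not (user.ips or user.macs):
        return "<Not need authentication> requires at least one bound IP or MAC"
    return None


def binding_ok(user: User, ip: str, mac: str) -> bool:
    """The user may authenticate only from a computer with the bound IP/MAC."""
    if user.bind == BIND_IP:
        return ip in user.ips
    if user.bind == BIND_MAC:
        return mac in user.macs
    if user.bind == BIND_BOTH:
        return ip in user.ips and mac in user.macs
    return True


Backend = Callable[[str, str], bool]   # (user name, password) -> accepted?


def password_ok(user: User, password: str, backends: Dict[str, Backend]) -> Optional[str]:
    """Try the selected password ways from top to bottom; the first one that matches wins."""
    for way in AUTH_ORDER:
        backend = backends.get(way)
        if way in user.auth_ways and backend is not None and backend(user.name, password):
            return way
    return None


def authenticate(user: User, ip: str, mac: str, password: str, backends: Dict[str, Backend],
                 sessions: Dict[str, List[str]], conflict: str = FORCE_LOGOUT_FORMER) -> Tuple[bool, str]:
    """Decide one login; sessions maps an account to the IPs it is online from (updated in place)."""
    error = config_error(user)
    if error:
        return False, error
    if not user.enabled:
        return False, "user disabled"
    if not binding_ok(user, ip, mac):
        return False, "IP/MAC not bound to this account"
    if NOT_NEED in user.auth_ways:
        matched = NOT_NEED
    else:
        matched = password_ok(user, password, backends)
        if matched is None:
            return False, "no password authentication way matched"
    online = sessions.setdefault(user.name, [])
    others = [s for s in online if s != ip]
    if others and not user.allow_multi_login:
        if conflict == KEEP_FORMER:
            return False, f"account already online from {others[0]}"
        online.clear()   # FORCE_LOGOUT_FORMER: the former session is signed off
    if ip not in online:
        online.append(ip)
    return True, matched


# Constructed stand-in backends: only the customized store and the LDAP server know anyone.
LOCAL_PASSWORDS = {"alice": "Alice-2008"}
LDAP_PASSWORDS = {"bob": "Bob-ldap"}
BACKENDS: Dict[str, Backend] = {
    CUSTOMIZED: lambda u, p: LOCAL_PASSWORDS.get(u) == p,
    LDAP: lambda u, p: LDAP_PASSWORDS.get(u) == p,
    RADIUS: lambda u, p: False,
    POP3: lambda u, p: False,
}
```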

Internet policy
IAM 1.9 can set the independent internet policy especially for a single user. Click [Internet
policy list] and the following configuration interface shows up:

The user internet policy setting is similar to that of the group policy, except that [Forcing sub-group succession] cannot be set, because a user has no sub-groups. For other detailed settings, refer to the chapter above.

1. One user or group can be associated with up to 10 internet policies.
2. When there is more than one user policy, refer to [Internet Access Mgt/Internet policy] for the policy matching sequence and the related notice.

2.5.5. Users Import

Under the item [Users Import], you can import users in batch. The setting interface is as shown below:

[Column] shows the description of each column. Import of seven fields is supported: <Username>, <Group>, <IP address>, <MAC address>, <Authentication>, <Description> and <Password>.

[Content] is filled with one record per line, with "|" separating the fields. Use "|" even if a field is empty. If a field contains several values, such as IP addresses or authentication ways, separate them with ",".

You can select the item <When user exists, update its attribute automatically> in [Option]
to update the attribute of users in the user list.

You can select the item <When group doesn't exist, create group automatically> to import
user group from <Group>.

Click <Import the users above> in [Operation] to import the users and their attributes in
[Content].
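A parser for the [Content] format described above, with the two [Option] switches applied. This is an added example, not IAM code: the sample content is constructed, the MAC format is assumed, and two behaviours the manual leaves open are assumptions marked in the comments (missing parent groups are created along with the group, and an updated record's values replace the stored attributes).

```python
"""Parser and importer for the [Users Import] record format (constructed example, not IAM code)."""
from typing import Dict, List, Set, Tuple

FIELDS = ("Username", "Group", "IP address", "MAC address", "Authentication", "Description", "Password")
MULTI_VALUE = ("IP address", "Authentication")   # several values separated by ","


def parse_record(line: str) -> Dict[str, object]:
    """One record per line; fields separated by "|", and an empty field still keeps its "|"."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record: Dict[str, object] = dict(zip(FIELDS, parts))
    if not record["Username"]:
        raise ValueError("Username is empty")
    for name in MULTI_VALUE:
        record[name] = [v.strip() for v in str(record[name]).split(",") if v.strip()]
    return record


def group_chain(group: str) -> List[str]:
    """'/Sales/East' -> ['/Sales', '/Sales/East'] (assumption: missing parents are created too)."""
    parts = [p for p in group.split("/") if p]
    return ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def import_users(content: str, users: Dict[str, dict], groups: Set[str],
                 update_existing: bool = False, create_groups: bool = False) -> Dict[str, list]:
    """Apply the [Content] text to the user list and group set; report imported/updated/rejected."""
    report: Dict[str, list] = {"imported": [], "updated": [], "rejected": []}
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except ValueError as err:
            report["rejected"].append((lineno, str(err)))
            continue
        group = str(rec["Group"]) or "/"
        if group not in groups:
            if not create_groups:   # <When group doesn't exist, create group automatically> is off
                report["rejected"].append((lineno, f"group {group} does not exist"))
                continue
            groups.update(group_chain(group))
        name = str(rec["Username"])
        if name in users:
            if not update_existing:   # <When user exists, update its attribute automatically> is off
                report["rejected"].append((lineno, f"user {name} already exists"))
                continue
            users[name].update(rec)   # assumption: the record's values replace the stored attributes
            report["updated"].append(name)
        else:
            users[name] = rec
            report["imported"].append(name)
    return report


# Constructed [Content]: line 3 is missing a field, line 4 repeats a user name.
SAMPLE_CONTENT = """\
alice|/Sales|10.0.0.11,10.0.0.12|00-11-22-33-44-55|Customized password,LDAP authentication|Sales lead|Passw0rd
bob|/Sales/East|||LDAP authentication||
carol|/R&D|10.0.1.5||Customized password|missing password field
alice|/Sales|10.0.0.13|||Moved desk|
"""


def run_sample(update_existing: bool = False, create_groups: bool = True) -> Tuple[dict, dict, set]:
    """Import SAMPLE_CONTENT into an empty organization that has only the root group."""
    users: Dict[str, dict] = {}
    groups: Set[str] = {"/"}
    report = import_users(SAMPLE_CONTENT, users, groups, update_existing, create_groups)
    return report, users, groups
```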

Click <Scan intranet computer>, and the following picture shows up:

You can import users by <Single IP>, <IP range> or <Subnet>. Fill in the relevant content
and click <Scan>, then, the corresponding machine name, IP and MAC address will
appear in the list of the [Content].

Click <Import LDAP user>, and the following picture shows up:

The added LDAP server will be shown in [Select and import LDAP server]. Click <Import>,
and the following picture shows up:

You can select to import the "user" or "group user" in LDAP server.

You can click <Clear list> to clear the data of the [Content].

2.5.6. AD Domain Synchronization

Under the item [AD Domain Synchronization], you can synchronize the users and organization structure of an LDAP server with IAM automatically. Only MS Active Directory is supported for the moment. The synchronization modes are <According to AD domain organization structure> and <According to AD domain safety group>.

Under the item [Set synchronous mode], you can set the working mode of AD domain
synchronization. Two modes cannot be selected at the same time. Select a mode and
click <Save> to complete the setting.

<Select All>/<Select inversely> is used to select the policy quickly.

You can click <Add policy> to enter the page of adding new policy.

<Delete policy> is used to delete the domain synchronization policies.

<Refresh> is used to refresh manually to view the synchronous status.

2.5.6.1.

According to AD domain organization structure

[According to AD domain organization structure]:

If this mode is selected, the users are imported according to the AD domain OU and its
structure.

Select <According to AD domain organization structure> and click <Add policy>, and the following configuration page shows up:

Set the name of the synchronization policy in [Policy name]. Choose a name that is easy to remember and identify.

Under the item [Policy description], you can set the description of the synchronization policy.

Under the item [Auto-synchronize], you can set whether to synchronize automatically. If [Auto-synchronize] is enabled, the device picks a random time between 00:00 and 05:00 to synchronize with the domain. If [Auto-synchronize] is disabled, the device does not synchronize with the domain users automatically.

Under the item [AD domain server], you can select the AD domain servers that need
synchronization. (For settings of domain server, please refer to the above chapter.)

Under the item [Import to local position], you can set the domain synchronization policy to
synchronize the domain user and organization structure to some groups of IAM. Click
<Select> and the IAM organization structure shows up, and select the local position. Take
importing to "C-Group" as an example.

If <Import by relations in server domains> is selected, the DC of the domain server is imported at the same time. In this example, DC=cti, DC=support is also imported as a sub-group.

Under the item [Remote destination to be imported], you can set the OUs of the domain server that need synchronization. Click <Select>, and the organization structure (in units of OU) of the domain server shows up; select the OUs that need synchronization. In this example the synchronized OUs are ou1 and ou2.

Under the item [Filter parameter], you can set the synchronization filter condition
according to the domain parameters. It is not restricted if you do not fill in any value in this
option.

Under the item [From which level to import], you can set from which level the users are imported. If you select <Import from the inputted OU>, the import starts from the inputted OU; if you select <Import from the sub-OU of the inputted OU>, the import starts from the sub-OUs, and the superior OU and its direct users are not imported.

Under the item [Max depth of imported OU], you can set the depth of imported OU. The
max depth of imported OU is 15. For example, if the depth is 2, only ou1 and the next level
of ou1 are imported, but the users under the OU will also be imported and synchronized to
the group.

Set the policy and click <OK> to save the policy settings.
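How the options [Import to local position], <Import by relations in server domains>, [From which level to import], [Filter parameter] and [Max depth of imported OU] shape the imported structure, as an added model written for this manual rather than IAM code. The OU tree is constructed; the DC nesting and the roll-up of users below the maximum depth into the deepest imported OU are interpretations of the text, and the filter callable stands in for [Filter parameter].

```python
"""Model of the [According to AD domain organization structure] import options (constructed, not IAM code)."""
from typing import Callable, Dict, List, Optional

# Constructed OU tree; a real one would be read from the AD server.
# Each OU has a name, its direct users and its child OUs.
OU_TREE = {
    "name": "ou1", "users": ["u_root"], "children": [
        {"name": "sales", "users": ["alice"], "children": [
            {"name": "east", "users": ["bob"], "children": [
                {"name": "team1", "users": ["carol"], "children": []}]}]},
        {"name": "rnd", "users": ["dave", "svc_build"], "children": []},
    ],
}


def dc_to_path(dc: str) -> str:
    """'DC=cti,DC=support' -> 'cti/support' (assumption: each DC component is one nested sub-group)."""
    return "/".join(part.split("=", 1)[1].strip() for part in dc.split(",") if part.strip())


def import_ou(ou: dict, local_position: str, start_from_sub_ou: bool = False, max_depth: int = 15,
              dc: Optional[str] = None,
              user_filter: Optional[Callable[[str], bool]] = None) -> Dict[str, List[str]]:
    """Return the IAM groups (path -> users) one synchronization creates under local_position.

    start_from_sub_ou: <Import from the sub-OU of the inputted OU>; the inputted OU and its
        direct users are skipped.
    max_depth: [Max depth of imported OU] (1..15); OUs below it get no group of their own and
        their users roll up to the deepest imported OU above them.
    dc: <Import by relations in server domains>; user_filter stands in for [Filter parameter].
    """
    if not 1 <= max_depth <= 15:
        raise ValueError("[Max depth of imported OU] must be between 1 and 15")
    base = local_position.rstrip("/")
    if dc:
        base += "/" + dc_to_path(dc)
    groups: Dict[str, List[str]] = {}
    roots = ou["children"] if start_from_sub_ou else [ou]
    for root in roots:
        _walk(root, base, 1, max_depth, groups, user_filter)
    return groups


def _walk(ou: dict, parent_path: str, level: int, max_depth: int,
          groups: Dict[str, List[str]], user_filter: Optional[Callable[[str], bool]]) -> None:
    if level <= max_depth:
        path = f"{parent_path}/{ou['name']}"
        groups.setdefault(path, [])
    else:
        path = parent_path   # beyond the max depth: keep the users, not the OU
    groups[path].extend(u for u in ou["users"] if user_filter is None or user_filter(u))
    for child in ou["children"]:
        _walk(child, path, level + 1, max_depth, groups, user_filter)
```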

The policy page is as shown below:

You can click <Synchronize immediately> to synchronize immediately according to the policy.

Click <Refresh> to view the synchronous status. If the synchronization is successful, the
interface is as shown below:

[Last synchronous status] shows whether the synchronization is successful, and the time
of last synchronous status.

After the import, the organization structure and users of IAM are as shown below:

2.5.6.2.

According to AD domain safety group

[According to AD domain safety group]:

If this mode is selected, the users are imported according to AD domain safety group.

Select <According to AD domain safety group> and click <Add policy>, and the following
configuration page shows up:

The basic settings are the same as those of [According to AD domain organization structure], except that in [Remote destination to be imported] you select the user group of the LDAP server from which the users are imported.

2.5.6.3.

View synchronous report

For each domain synchronization policy, a report is produced for every synchronization, including the user groups and user names. Click <View synchronous report> to list all the currently recorded reports as shown below:

[Synchronous report name] shows the report name. Click the report name to view the
details. The interface is as shown below:

[Synchronous ways] shows the synchronization way of the policy: [Synchronize immediately] or [Auto-synchronize].

[Synchronous time] shows the time of synchronous report.

[Synchronous status] shows whether the synchronization is successful.

You can click <Clear> to clear all the reports.

1. You can set up to 10 synchronization policies for each type.
2. There can be as many as 20 synchronous reports. When the number exceeds 20, new reports are not recorded, but synchronization does not stop. To record reports again, click <Clear> to clear the previous reports first.

2.5.7. Online User List


Under the item [Online User List], you can view the on-line users that have passed the
IAM authentication. You can search and manage the on-line users. The interface is as
shown below:

[Online User List] shows the on-line users that have passed the IAM authentication. The
content includes the [NO.], [Login name (Display)], [Authentication ways], [Group], [IP],
[Online time], and [Login time].

You can use <Select All>/<Select inversely> to select the users quickly.

<Logout> is used to logout the selected on-line user.

<Block> is used to block the internet access of the selected on-line user. The block time
can be set.

[Search condition] is used to set the search condition.

[Search object] allows you to search by <Group>, <Name>, or <IP Address>.

Under the item [Results per page], you can set the number of users displayed in one page.
As many as 200 users can be displayed in one page.

Under the item [User type], you can set the type of users you want to search. <Online
users> and < Blocked users> are available.

If you select <Blocked users> to search, the list will show the blocked users. The interface
is as shown below:

[Blocked user list] shows the blocked users. The content includes [NO.], [Login name
(Display)], [Authentication ways], [Group], [IP], [Block start time] and [Block time left].

You can click <Thaw> to unblock the selected blocked users. After that, the users can access the internet through IAM again.

2.6. Traffic Mgt System

SINFOR IAM Traffic Mgt System provides a powerful function for guaranteeing and limiting bandwidth. It not only guarantees the access bandwidth of important applications, but also limits the total uplink/downlink bandwidth. What's more, it can create policies for guaranteeing and limiting bandwidth according to service type, access control user group and access control user. The configuration interface is as shown below:

2.6.1. Traffic Status


Under the item [Traffic Status], you can view the running status of the Traffic Mgt System
and all channels, and the flux information of internet lines and bandwidth channel. The
interface is as shown below:

[Traffic Mgt System running information] shows the system running status and the flux
information of the internet lines.

<Stop refreshing> is used to stop the real-time refreshing of flux status.

Under the item [Display], you can set the bandwidth channel displayed. You can select
<All channels> or <Running channels> to set the bandwidth displayed.

Under the item [History], you can set the counting time of history flux and history speed.
When you have selected a time, the device will count the history flux information in the set
time.

You can click <Save your preference> to save the settings of [Display] and [History].
When you view the traffic status next time, the device will count and display the traffic
status according to the saved information.

2.6.1.1. Bandwidth channel

Used for viewing the operation state of all channels. The interface is as below:

[Name]: the name of the channel.

[Moment speed]: the real-time uplink and downlink bandwidth of the channel.

[Proportion]: the proportion of the total bandwidth that is in use.

[History speed]: the history speed calculated over the period set in [History].

[History Traffic]: the history traffic calculated over the period set in [History].

[User number]: the real-time number of users generating traffic in the channel.

[Assurance bandwidth]: the assured bandwidth the system has allocated to the channel.

[Max bandwidth]: the maximum bandwidth set for the channel.

[Priority]: the priority of the channel.

[Status]: the operation state of the channel.

2.6.1.2. Exclude policy

Shows the instantaneous speed, history speed and history traffic of the application services excluded from the traffic management system. The interface is as shown in the following figure:

2.6.2. Traffic Mgt

[Traffic Mgt] is used for distributing the bandwidth of the managed lines. The configuration interface is as below:

[Enable traffic management system] enables the traffic management function. Select <Enable> or <Disable> to switch the function on or off.

[Rule filtration] filters the bandwidth channel rules configured on a certain line. The interface is as below:

2.6.2.1. Distribute bandwidth

The bandwidth distribution function of the SINFOR IAM hardware gateway is used for guaranteeing and limiting network bandwidth. A bandwidth distribution policy is selected based on application service, application object, effective time, external line and destination IP, and applies an assured bandwidth or a bandwidth limit. The setting interface is shown in the following figure:

Add a bandwidth distribution policy

Bandwidth distribution policies are matched in order from top to bottom. Click <Add> to pop up the following interface:

[Channel name]: one or more names can be entered. When more than one name is entered, one policy is created per line; each name must be less than 20 characters.

[Applicable service and application] defines the services to which this policy applies. <Customization> can be selected to add service types. The interface is as below:

If <Application type> under [Service type] is selected, the application type and application name can be selected according to the actual application; if <Website type> is selected, select the corresponding website database in the website type dropdown box; if <File type> is selected, select the corresponding file type database in the file type dropdown box.

[Applicable object] defines the access control units and users the policy applies to: either all access control units and users, or selected ones. The interface is as below:

[Bandwidth channel type] selects the traffic policy: Assured channel or Limit channel. An Assured channel guarantees a minimum bandwidth for the users; a Limit channel caps the bandwidth of the network service. The assured channel interface is as below:

[Priority]: High, middle and low are available. A channel with higher priority has preference in using idle bandwidth when any is available.

[Assured upstream bandwidth] and [Assured downstream bandwidth] are used for setting
the proportion of the preserved bandwidth among the total network bandwidth.

[Max uplink bandwidth] and [Max downlink bandwidth] are used for setting the total up limit
of uplink and downlink of this channel.

Limit channel setting interface is shown as in the following figure:

[Online user distribution policy] sets how the bandwidth of the matched service is distributed among the users in this channel.

<Distribute averagely>: for example, if there are 20 online users and the assured uplink bandwidth is 40KB/S, then when all 20 users access the service at the same time each user is assured a minimum uplink bandwidth of 2KB/S.

[Limit single user max. bandwidth] limits the maximum uplink and downlink bandwidth of a single user. Select <Enable> to switch it on.

The single-user bandwidth limit is a fixed value rather than a proportion, so it is not affected by changes of the line bandwidth; the maximum bandwidth of an assured channel or limit channel is set as a proportion and varies with the line bandwidth setting.

If <Advanced options setting> is selected, the external IPs that intranet users connect to in this channel are taken as nodes and the bandwidth is distributed equally among these external nodes; the intranet users are then not nodes. Enable this with care, because too many external nodes may cause problems for the system.

[Effective time] Sets the time range during which the policy is effective.

[Effective line] Sets the external line on which the policy is effective.

[Destination IP group] Sets the destination IPs to which the policy applies.

[Enable channel] Enables or disables the policy by selecting <Enable> or <Disable>.
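The following is an added example, not code from the IAM product: a constructed model of one bandwidth channel that shows what the settings above mean numerically, in particular that the assured and maximum figures are proportions of the line bandwidth while the single-user limit is a fixed figure. Channel names, the user count and the KB/s values are constructed; the "no oversubscription" check is an assumption of the example, not a documented device rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BandwidthChannel:
    """Constructed model of one channel as configured under [Distribute bandwidth]."""
    name: str
    channel_type: str                           # "assured" or "limit"
    priority: str = "middle"                    # "high", "middle" or "low"
    assured_up: float = 0.0                     # [Assured upstream bandwidth], proportion 0..1
    assured_down: float = 0.0                   # [Assured downstream bandwidth], proportion 0..1
    max_up: float = 1.0                         # [Max uplink bandwidth], proportion 0..1
    max_down: float = 1.0                       # [Max downlink bandwidth], proportion 0..1
    user_max_up_kbs: Optional[float] = None     # [Limit single user max. bandwidth], fixed KB/s
    user_max_down_kbs: Optional[float] = None   # None means <Disable>

    def __post_init__(self) -> None:
        if self.channel_type not in ("assured", "limit"):
            raise ValueError("channel type must be 'assured' or 'limit'")
        if self.priority not in ("high", "middle", "low"):
            raise ValueError("priority must be high, middle or low")
        for p in (self.assured_up, self.assured_down, self.max_up, self.max_down):
            if not 0.0 <= p <= 1.0:
                raise ValueError("proportions are fractions of the line bandwidth")
        # A limit channel only limits; it assures nothing.
        if self.channel_type == "limit" and (self.assured_up or self.assured_down):
            raise ValueError("a limit channel has no assured bandwidth")
        if self.assured_up > self.max_up or self.assured_down > self.max_down:
            raise ValueError("assured bandwidth cannot exceed the channel maximum")


def per_user_share(channel: BandwidthChannel, line_kbs: float, online_users: int,
                   direction: str = "up") -> Tuple[float, float]:
    """Per-user (assured_kbs, cap_kbs) under <Distribute averagely>.

    assured_kbs: the minimum each user keeps when all online users compete
                 (0 for a limit channel).
    cap_kbs:     the most one user can get: the channel maximum, further bounded
                 by the fixed single-user limit when that is enabled.
    """
    if online_users <= 0:
        raise ValueError("need at least one online user")
    if direction == "up":
        assured_prop, max_prop, user_cap = channel.assured_up, channel.max_up, channel.user_max_up_kbs
    elif direction == "down":
        assured_prop, max_prop, user_cap = channel.assured_down, channel.max_down, channel.user_max_down_kbs
    else:
        raise ValueError("direction must be 'up' or 'down'")
    # Proportional settings scale with the configured line bandwidth ...
    channel_assured = assured_prop * line_kbs
    channel_max = max_prop * line_kbs
    assured_each = channel_assured / online_users
    # ... while the single-user limit is a fixed KB/s figure that does not.
    cap_each = channel_max if user_cap is None else min(channel_max, user_cap)
    return assured_each, cap_each


def check_line_not_oversubscribed(channels: List[BandwidthChannel],
                                  direction: str = "up") -> bool:
    """Sanity check assumed by this example (not a documented IAM rule): the
    assured proportions of all channels together must not exceed the line."""
    total = sum(c.assured_up if direction == "up" else c.assured_down for c in channels)
    return total <= 1.0
```

With a 400KB/S line and a 10% assured proportion the channel reproduces the manual's figures (40KB/S assured, 2KB/S each for 20 users); doubling the line doubles both, while a fixed single-user limit stays where it was set.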

Select/Edit bandwidth distribution policy


On the [Traffic Mgt/Distribute bandwidth] page, click <Select All> to select all the
distribution policy rules on the current page. Click <Select inversely> to select the rules
other than the currently selected ones. As shown in the following figure:

Click a policy name listed in the name column to enter the [Edit Bandwidth Channel] page
and edit that single policy.

After selecting one or more rules, click <Enable>, <Disable> or <Delete> to enable,
disable or delete the selected rules.

Because [Default channel] under [Distribute bandwidth] is the default channel of the
system, it cannot be deleted.

After selecting more than one rule, click <Edit> to edit them together. One of the selected
policies must be chosen as the template; the edit page opens with that rule's settings. As
shown in the following figure:

1. To edit the policies, <Enable Policy> must be selected first; only then are the
<Enable> and <Disable> settings edited afterwards applied.
2. Setting of [Applicable service and application], [Applicable object],
[Bandwidth channel type], [Limit single user max. bandwidth], [Effective time],
[Effective line], [Destination IP group] and [Enable channel] is the same as
described above.
3. The default of [Bandwidth channel type] and that of [Effective line] must be either
both selected or both unselected.

2.6.2.2. Exclude policy

[Exclude policy] is mainly used in an intranet with a proxy server that sits on the WAN side
of the SINFOR IAM. Intranet traffic that reaches the network through the proxy server is
exempt from bandwidth assurance and bandwidth limit. The setting interface is as below:

Click <Add> to add a new exclude policy. The interface is as below:

[Name] Fill in a name as required.

[Application type] Select the application that is exempt from bandwidth assurance and
bandwidth limit.

[Destination IP group] Fill in the destination IP addresses to be accessed.

Prudence is required when adding an exclude policy. The exclude policy ignores the
configured line bandwidth entirely: traffic that matches an exclude policy is outside the
control of the traffic management system and can consume the whole physical bandwidth
available, which may cause line congestion.

2.6.3. Line Bandwidth


Function: Configuration of the actual uplink and downlink bandwidth of the public network
line, which is the basis for bandwidth assurance and bandwidth limit. The configuration
interface is shown in the following figure:

1. Please note that two different speeds (uplink and downlink) can be set for the bandwidth.
2. In net bridge mode, only line 1 is enabled.
3. Improper configuration of the line bandwidth will probably cause wasted bandwidth
(configured too small) or line congestion (configured too large).

2.7. Mail Withholding

[Mail Withholding] is used to define the audit policy of mails and audit the mails. It includes
[Withholding Policy], [Audited Mails], [Unaudited Mails].

2.7.1. Withholding Policy


The item [Withholding Policy] is used to define the audit policy, including two
options: [Audit timeout action] and [Limitation of sending attempt].

Click [Mail Withholding/Withholding Policy] and the following figure appears:

The item [Timeout Value hour] is used to set the time period after which the audit
becomes ineffective. The default value is 1 hour.

The item [When time out, action taken:] is used to set how unaudited mails are handled
when the set time runs out. You can select <Send> or <Delete>.

The item [Maximum times of sending attempt] is used to set the number of sending
attempts. Once the set number of attempts is used up, the mails waiting to be sent will be
deleted.

2.7.2. Audited Mails

The audited mails and the mails being sent are listed in this interface, as shown in the
above figure. Mails that have already been sent out can only be searched via [Internet
Action Audit/Data Center/Mail] of the IAM hardware gateway.

2.7.3. Unaudited Mails

At the item [Search object] select the object to be searched from the three options,
namely <Access control group>, <Access control user> and <IP Address>.

After that, click <Search>, and the list of unaudited mails will appear. To view the contents
of a mail, click <download>.

Use the two options <Select All> and <Select Inversely> to quickly select the mails to be
audited.

After auditing, select the corresponding mail and click <Audit pass>. To delete the mail,
click <Delete>.

You can select the priority level for sending the audited mails.

2.8. Internet Action Audit


[Internet Action Audit] includes [Real-Time log], [Access Control Log Option], [Data Center
Setting] and [Data Center]. The structure is shown in the following figure:

2.8.1. Real-Time log


Real-Time log includes:

[Traffic Ranking]: Inquire the real-time network traffic information of intranet users
accessing the Internet.

[Session Ranking]: Inquire the session number of intranet users.

[Session Query]: Inquire all the connections established between a certain intranet IP and
the Internet. Forced disconnection can also be selected for some connections.

2.8.2. Traffic Ranking


Function: Inquire the real-time network traffic information of intranet users visiting the
Internet. It displays only the top ten users with the maximum uplink and downlink traffic.
The corresponding host name can be obtained from the IP address, and the selected user
can be blocked.

After setting refreshing frequency, click<Auto-refresh> to refresh the page at the set
frequency.

Click <Manual refresh> to refresh the page manually.

Click <get> to automatically get the machine name of the corresponding computer as
shown in the following figure:

<Select> the user to be blocked, set the blocking time, and then click <Block User> to
block the designated user. As shown in the following figure:

After clicking <ok>, the system shows: Have submitted thaw command!

After clicking <Manual refresh> again, no traffic is found for the corresponding user/IP
(at this time, the user is blocked):

In [Internet Access Mgt/Online User List] user mode, select <Blocked users> and then
click <Search> to inquire the currently blocked users.

Select the user to be thawed, and then click <Thaw> to thaw the selected user.

The traffic ranking shows at most the top ten.

2.8.3. Session Ranking


Function: To view the session ranking of the intranet users. Only the top ten IPs with the
greatest number of sessions are displayed. To view the latest session ranking, click
<Refresh>:

Click any IP address in the column [Localhost IP Address], and the system will jump to the
current connections page of that computer, where you can view the current connections of
this IP.

The session ranking shows at most the top twenty.

2.8.4. Session Query


Function: To view all connections established between a certain intranet IP and the
Internet. You can also forcibly disconnect some connections. All Internet connections of
the audited user are displayed, with 200 as the maximum. The related setting interface is
shown below:

2.8.5. Access Control Log Option


Function: To set whether the system automatically deletes the recorded IAM logs.
Select <Enable Auto delete log before 15days> and set the number of days, or select
<Enable When log size exceeds 80% of the disk space, auto delete the earliest day
log>, or select <Disable>, and then click <OK>:

2.8.6. Data Center Setting


Function: To set the server IP for synchronization log data as well as the synchronization
account, as shown in the following figure:

At [Data Center primary address] and [Data Center Backup address], enter the server IP
of the Sinfor IAM data center to connect to; both an IP address and a domain name are
supported.

It must be assured that the entered domain name can be resolved by the IAM device.

At [Data synchronization account] and [Data synchronization password], fill in the
information of the independent data center synchronization account.

Click <Test> to test the connectivity to the server of Sinfor IAM data center.

Click <Synchronize>, and the IAM hardware gateway will send the command to immediately
synchronize the log data.

[WEB port] Fill in the WEB service port supplied by the independent data center.

Click <Save>, the settings in this interface will be saved.

Click <Enter independent Data Center http://IP:PORT> to enter the WEB service interface
of the independent data center, as shown in the following figure:

2.8.7. Data Center


Function: The IAM 1.9 hardware gateway provides a built-in data center system, so an
independent data center need not be installed in order to query log data and produce
statistics.

Click <Enter> to access to the built-in data center of the equipment. As shown in the
following figure:

In this interface, you can collect and query the Internet access records of the intranet
users and produce reports as needed.

The equipment has a limited storage capacity. With a large quantity of data, searching
and querying the data take a large share of the system performance. If the log data in
the actual environment are of a large quantity, it is recommended to install an
independent data center server for storing and querying the log data.

2.9. Gateway Troubleshooting


The item [Gateway Troubleshooting] includes [Exclude Policy Fault] and [View log], as
shown below:

2.9.1. View Log


Function: To view the running-state log of each module, through which it can be judged
whether the module is running properly.

Click <Option> to select the type of log to be viewed, as shown below:

After clicking <OK>, click <Refresh> and the selected log will be displayed:

2.9.2. Exclude Policy Fault


Function: To query which module denies a data packet passing through the gateway, and
why it is denied, so as to quickly locate configuration errors. It can also be used to test
whether certain rules are effective, as shown in the following figure:

Here, you can set various conditions for filtering, including [IP Address], [Protocol type],
[Port] and so on.

Click <Enable denied list> to enable this module. The system will output the information of
denied data packets to a web page. Click <Click here to view>, and the browser will be
opened automatically for viewing the denied data packets.

Click <Enable reject list and direct through>, and the denied list will be enabled while all
data packets bypass all modules of the IAM device, with the same effect as bypass.
Through this function, errors such as a network interruption caused by configuration
errors can be quickly eliminated. Click <Click here to view>, and the browser will be
opened automatically for viewing the denied data packets.

<Close denied list> Closes the denied list.

Click <Click here to view>, and the browser will be opened automatically for viewing the
denied data packets, as shown below:

1. The item [Set enabled conditions] is used to make detailed settings, so that
useless information can be filtered out effectively and the error-eliminating process is
visually clear.
2. Please make sure the denied list is closed after you use this function, for this
service consumes some of the system's resources. In addition, if the denied
list is not closed after [enable and pass] is enabled, all restriction functions may
become ineffective.

2.10. Advanced Configuration


2.10.1. Alarm Setting

[Enable alarm]: Enables the event alert function for the whole device and serves as the
general switch. To enable the function, select <Enable>.

[Alarm events]: Includes <Attack alarm>, <Anti-virus alarm>, <Divulgence alarm> and
<E-mail delay audit alarm>. You can select one or more events as needed.

[Mail title]: The title of the alert mail. Any readable characters can be entered.

[Sender]: The source address from which the alert mail is sent.

[Receiver]: The mail address to which delayed mails are sent. The mails to be audited
with delay in each group will be sent to this address.

[Alternate]: A backup address. If the main address has a problem, the mail to be delayed
will be sent to this address.

[SMTP server address]: The SMTP server address used to send the alert mails.

When <Need authenticate server username and password> is selected, enter the
[Username] and [Password].

2.10.2. Proxy Server Control


When a proxy is used for Internet access, all user data are sent to the proxy server, while
modules such as the firewall decide whether to deny a connection by checking the
destination address and port; many module functions therefore become ineffective. To
make modules such as the firewall effective, the destination address and port to which
the data sent to the proxy server are really connected must be identified and used by
the firewall and the other modules.

Network environment:

It must be assured that the data sent to proxy server first pass IAM gateway. In other
words, the proxy server should be located on the side of WAN.

The related configuration interface is shown as below:

At [IP Address], add the IP address or IP range of the proxy server that the users' PCs
may be set to use.

That is to say, the system only inspects the data sent to this address to determine
whether they are proxy data and to apply the Internet access authority to them.

1. It must be assured that the data sent to the proxy server pass the IAM gateway first.
In other words, the proxy server should be located on the WAN side.
2. Proxy servers that require password authentication are not supported.

2.10.3. Web Tracking Option

The options include: whether to record the detailed URL information; whether to record
only the access to webpages of text type; whether to record all HTTP file downloads;
whether to record URLs containing the specified prefixes and suffixes.

If <Record access to root directory of the webpage only> is selected, the detailed URL is
not recorded, only the URL of the root directory. If the detailed record is required, clear
the selection.

If <Record access to text/html webpage> is selected, only access to text websites is
recorded. If it is not selected, accesses to all types of webpage are recorded.

If <Do not record the following HTTP file types> is selected, the file types entered in the
dialogue box are not recorded. Multiple file types must be separated by commas.

If <Do not record URLs with the following prefixes(one line each)> is selected, URLs with
the prefixes entered in the dialogue box are not recorded. Fuzzy matching is supported,
but not general (wildcard) matching.

If <Do not record URLs with the following postfixes(one line each)> is selected, URLs with
the suffixes entered in the dialogue box are not recorded. Fuzzy matching is supported,
but not general (wildcard) matching.

1. In the URL filtering rules, the prefix and suffix conditions are combined with an OR
relation, meaning that the rule applies if either of the two conditions is satisfied.
2. Prefix matching starts from the first character and supports fuzzy matching, but not
general (wildcard) matching. For example, if www.s is entered, websites such as
www.sina.com.cn and www.sohu.com will not be audited. Suffix matching starts from the
last character and likewise supports fuzzy matching, but not general (wildcard) matching.
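The following is an added example, not code from the IAM product: a constructed model of the [Web Tracking Option] settings above that decides whether one HTTP access is written to the URL record. It assumes that prefix and suffix rules are compared against the URL without its scheme (host plus path), which is how the www.s example reads, and that matching is literal, so a "*" in a rule is not a wildcard. The option names, URLs and content types used in the test are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class WebTrackingOptions:
    """Constructed model of the check boxes and text boxes of [Web Tracking Option]."""
    record_root_only: bool = False   # <Record access to root directory of the webpage only>
    text_html_only: bool = False     # <Record access to text/html webpage>
    skip_file_types: str = ""        # <Do not record the following HTTP file types>, comma-separated
    skip_prefixes: str = ""          # <Do not record URLs with the following prefixes>, one per line
    skip_suffixes: str = ""          # <Do not record URLs with the following postfixes>, one per line


def _lines(text: str) -> List[str]:
    """One entry per line; blank lines ignored; matching is case-insensitive."""
    return [ln.strip().lower() for ln in text.splitlines() if ln.strip()]


def _file_types(text: str) -> List[str]:
    """Comma-separated extensions, with or without a leading dot."""
    return [t.strip().lower().lstrip(".") for t in text.split(",") if t.strip()]


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def url_to_record(url: str, content_type: str, opts: WebTrackingOptions) -> Optional[str]:
    """Return the URL string the record keeps, or None when the access is not recorded."""
    parts = urlsplit(url)
    # Assumption: rules are compared with the URL minus its scheme (host plus path).
    bare = url.split("://", 1)[-1].lower()
    # <Record access to text/html webpage>: other content types are not recorded.
    if opts.text_html_only and not content_type.lower().startswith("text/html"):
        return None
    # <Do not record the following HTTP file types>: judged by the file extension.
    if _extension(parts.path) in _file_types(opts.skip_file_types):
        return None
    # Prefix matches from the first character, suffix from the last; satisfying
    # either one is enough (the OR relation of note 1 above). Literal, no wildcards.
    if any(bare.startswith(p) for p in _lines(opts.skip_prefixes)):
        return None
    if any(bare.endswith(s) for s in _lines(opts.skip_suffixes)):
        return None
    # <Record access to root directory of the webpage only>: keep scheme and host only.
    if opts.record_root_only:
        return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return url
```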

2.10.4. Audit Exemption

[Exemption IP Address]: If the destination IP address being accessed is listed among the
exempted IP addresses, all operations of intranet users accessing that destination IP are
outside the supervision and control of the Internet access management module. Please
note that if a firewall rule is defined for this destination IP address, the firewall rule takes
priority and is not affected by the exemption. Because IM servers have several IP
addresses, and these change, adding them as exempted IP addresses will not entirely
remove IM from supervision.

2.10.5. Page Customization

[Customize object]: Used to choose the page to be customized. The pages include:
Authorize (authresult.htm), Forbid access (disable.htm), Find access time overtime
(expire.htm), Network ingress Virus (virus.htm), Internet client (sinstall.htm), Modify user
password (user.htm), Announcement file (index.htm).

[Enable this reminder interface]: It is recommended to select <Enable>. If <Disable> is
selected, this page cannot be displayed.

[Edit page]: Changes the displayed page by editing the source code of the webpage. It is
recommended to change only the text and pictures; changing other parts may break
some of the normal links on this page.

[Upload picture]: Upload the picture displayed in the customized page. Only pictures in jpg
and gif format are supported, and Chinese characters are not allowed in the picture file
name.

You can preview the customized page, and restore the initial page or the previous page.
Click <Preview> to preview the current customized page; click <Save> to store it; click
<Restore default page> to restore the initial page of the equipment; click <Restore last
page> to restore the last customized page.

2.11. Safety Features Extension


2.11.1. Gateway Anti-virus
The item [Gateway Anti-virus] is used to scan and kill viruses in the data passing through
the IAM hardware gateway, so as to ensure the security of the intranet PCs. The IAM
hardware gateway performs virus killing for the four commonly used protocols HTTP, FTP,
POP3 and SMTP. The anti-virus engine installed in the IAM device is produced by the
well-known Icelandic company F-PORT and features a high virus identification rate and
high killing efficiency. The virus library of IAM is updated in step with that of F-PORT, with
an upgrade cycle of 1-2 days.

In the gateway anti-virus interface, you can view the valid time for updating and the date
for the current version of the virus library. You can also configure the auto-update time,
import of virus library, switch of four-protocol virus killing, website or domain name which
do not need virus killing and file types for virus killing under HTTP and FTP.

To view the version of the current virus library, valid time for the updating and time setting
for virus library updating, refer to the following figure:

[Update service valid period]: To display the auto updating time for virus killing by IAM.
Within the valid period, the device will be automatically connected to www.sinfors.com.cn
for upgrading the virus library.

[Current virus library date]: To display the date of the current version of the virus library.

[Auto-update time setting]: To display the time when IAM automatically updates its virus
library. IAM hardware gateway will do that at the designated time each day.

The two options [Enable] and [Disable] behind each of the four items [Enable HTTP
anti-virus], [Enable FTP anti-virus], [Enable POP3 anti-virus] and [Enable SMTP
anti-virus] serve as the switch to enable or disable the virus-killing function under these
four protocols.

[Not need anti-virus websites(domain names),only applicable to HTTP anti-virus]: To set
the websites whose data need not be virus killed, in domain name format, wildcards
supported, one domain name per line.

[Only anti-virus for the following types (For HTTP and FTP anti-virus)]: To define the
extensions of the files to be virus killed.

1. After the valid time of the virus library expires, the virus library can't be updated or
imported manually. However, the virus killing function still works.
2. For IAM versions earlier than 1.6 (including 1.6) in bridge mode, as IAM kills viruses on
an agent basis, the virus killing function can only be enabled after it is ensured that the
IAM device can normally access the corresponding protocol of the destination IP (i.e.
access the Internet normally).
3. Trustworthy websites can be added to [Website (domain name) that does not need to
be virus killed, apply to HTTP virus killing]. In addition, if virus-killing software installed
on a PC needs to be updated from its vendor, you also need to add the vendor's domain
name to the list. Because the virus library downloaded during updating contains the
signature codes of viruses, the IAM device may misjudge the virus library as a virus,
which causes the virus library update to fail.
4. HTTP pages containing viruses are blocked from opening by the IAM hardware. For
virus files downloaded via HTTP or FTP, IAM damages the integrity of the downloaded
files, so the downloaded data cannot be opened. For received mails with viruses, IAM
packs the mail, marks it as virus-infected and sends it to the user.

2.11.2. Spam Mail Filter


The item [Spam Mail Filter] is used to set the filter rules by which the device decides
which received mails are spam. When mails are being received, a mail that matches one
of these rules is considered spam and handled accordingly. You can add multiple rules
for the spam filter; a rule nearer the front always has a higher priority than the one
behind it.

The item [Delete E-mails that avoid spam mail filter automatically] is used to delete mails
intended to escape detection. Such mails refer to those whose receiver or sender is
empty.

2.11.2.1. Filter Rule Setting


Click <Add> to add a new filter rule and set the related conditions for filtering.

[Address filter]: Mails sent to the listed addresses are considered spam.

[Content filter]: Mails whose title or text contains the set keywords are considered spam.
The keywords may use wildcards.

Format of the keywords: one keyword per line, regular expressions supported. A keyword
may be followed by a numeric weight (an integer), separated from it by a space. If a
keyword has no weight, a mail containing that keyword is considered spam immediately
when it is detected. If weights are given, the weights of all matched keywords are added
up, and once the sum reaches the value set in [In content filter, the E-mail will be
classified as spam mail if the accumulated weight of keyword is X or higher], the mail is
considered spam.

[Size filter]: Mails or attachments whose size meets the rule are considered spam; for
instance, set this condition as attachment bigger than 20MB.

[Action]: The action taken when a mail matches the rule and is considered spam. Two
options are available: <Pack E-mail into EML format attachment and send to user> and
<Delete E-mails from server directly and send simple information to user>.

After adding the new filter rule, click <OK> to save the settings.

2.11.2.2. Black-white List


This item is used to set the lists of mail addresses whose mails are directly deleted or
directly passed. You can add entries to the lists manually, or obtain the blacklist from an
RBL server directly, as shown in the following figure:

For example, if mails from support@sinfors.com.cn are by default not spam and need not
be filtered, you can add support@sinfors.com.cn to the whitelist.

Please pay attention to the format: one domain name per line, wildcards supported, as
shown below:

Mails sent from the addresses listed in [Blacklist] are considered spam and deleted
immediately.

Mails sent from the addresses listed in [Whitelist] are neither filtered nor audited.

One address per line.

[Real-time blacklist], RBL for short, functions similarly to the blacklist filter. The
difference is that a third party provides the real-time blacklist to the user: the judgment of
spam is made on the Internet, without the user having to intervene and add entries
manually. You can select a built-in RBL from the list or enter the domain name of an RBL
server.

When an intranet user receives mail, the IAM device submits the sender's address to the
RBL server for validation to check whether it is blacklisted. If so, the mail is considered
spam.

To make this function effective, select <Enable> behind [Enable black-white list].
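The following is an added example, not code from the IAM product, covering both the filter rule settings of 2.11.2.1 and the black-white list of 2.11.2.2: a constructed model of the weighted keyword content filter, the size filter, the wildcard black/white lists and the "delete mails that avoid the filter" option, plus an RBL lookup. It assumes that the whitelist wins over the blacklist (the manual does not state the order) and that the RBL check follows the usual DNSBL convention of reversing the IPv4 octets under the RBL zone; the resolver is injected so the example runs offline. All mail addresses, keywords and the RBL zone are constructed.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Optional, Tuple


@dataclass
class Mail:
    """Constructed stand-in for one received mail."""
    sender: str
    receiver: str
    subject: str
    body: str
    size_bytes: int = 0


@dataclass
class KeywordRule:
    pattern: re.Pattern
    weight: Optional[int]          # None = no weight: one hit is spam immediately


_WEIGHTED = re.compile(r"^(.*\S)\s+(-?\d+)$")   # "<keyword> <integer weight>"


def parse_keywords(text: str) -> List[KeywordRule]:
    """[Content filter] box: one keyword per line, regular expressions allowed,
    an optional integer weight after a space."""
    rules: List[KeywordRule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _WEIGHTED.match(line)
        if m:
            rules.append(KeywordRule(re.compile(m.group(1), re.IGNORECASE), int(m.group(2))))
        else:
            rules.append(KeywordRule(re.compile(line, re.IGNORECASE), None))
    return rules


def content_is_spam(mail: Mail, rules: List[KeywordRule], threshold: int) -> Tuple[bool, int]:
    """Title and text are searched. An unweighted hit decides at once; otherwise the
    weights of all matching keywords are added up and compared with the threshold
    ("... classified as spam mail if the accumulated weight of keyword is X or higher")."""
    text = mail.subject + "\n" + mail.body
    total = 0
    for rule in rules:
        if rule.pattern.search(text):
            if rule.weight is None:
                return True, total
            total += rule.weight
    return total >= threshold, total


def address_listed(address: str, list_text: str) -> bool:
    """[Blacklist]/[Whitelist] box: one address or domain pattern per line,
    shell-style wildcards supported (e.g. *@sinfors.com.cn)."""
    addr = address.strip().lower()
    return any(fnmatch(addr, p.strip().lower())
               for p in list_text.splitlines() if p.strip())


def rbl_listed(sender_ip: str, zone: str, resolve: Callable[[str], list]) -> bool:
    """[Real-time blacklist] lookup in the usual DNSBL form (assumed; the manual
    does not describe the wire format): reverse the IPv4 octets, append the RBL
    zone and query an A record; any answer means 'listed'."""
    octets = sender_ip.split(".")
    if len(octets) != 4:
        return False
    return bool(resolve(".".join(reversed(octets)) + "." + zone))


def filter_mail(mail: Mail, rules: List[KeywordRule], threshold: int,
                whitelist: str = "", blacklist: str = "",
                max_size_bytes: Optional[int] = None,
                delete_evasive: bool = True) -> str:
    """Return 'pass', 'spam' (handed to the rule's [Action]) or 'delete'."""
    # [Delete E-mails that avoid spam mail filter automatically]: empty sender or receiver.
    if delete_evasive and (not mail.sender.strip() or not mail.receiver.strip()):
        return "delete"
    # Assumption: the whitelist is checked before the blacklist.
    if address_listed(mail.sender, whitelist):
        return "pass"                    # whitelisted: neither filtered nor audited
    if address_listed(mail.sender, blacklist):
        return "delete"                  # blacklisted: spam, deleted immediately
    if max_size_bytes is not None and mail.size_bytes > max_size_bytes:
        return "spam"                    # [Size filter]
    return "spam" if content_is_spam(mail, rules, threshold)[0] else "pass"
```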

2.11.2.3. Mail Filter Option


This item is used to set the server addresses for mails not filtered by IAM gateway.
Normally, after the function of mail filter is activated, mails sent from the intranet to the
mail server of internet will be filtered or audited with delay. However, after some server
addresses for mails are set here, mails sent to these servers or received from these
servers will not be filtered.

To add mail servers, click <Add> and enter the respective information at [IP Address] and
[Description], and finally click <OK> to make the settings effective, as shown below:

2.11.3. Intrusion Prevention System


2.11.3.1. Function Option
The item IPS (Intrusion Prevention System) is used to find potential threats to the intranet
by inspecting data packets. IPS inspects the data packets to be transmitted to the
intranet, ascertains their real purpose and determines whether they should enter your
network. This section mainly describes the parameter settings for IPS.

To enable [Enable Intrusion Protection System], select <Enable> and click <OK>.

After IPS is enabled, click <Advanced configuration> to set the parameters in detail, as
shown in the following figure:

The SINFOR IAM gateway provides three built-in protection levels, namely <High>,
<Medium> and <Low>. The protection level should be chosen according to the actual
security situation of the network. Suspected attacks matching the intrusion rules are
recorded by the IAM gateway, and protection actions are taken for the selected rule
levels. For details of the log, see [SINFOR IAM datacenter].

The item [Defend attacker for] sets the protection time during which, once an attack is
detected, the IAM gateway takes defensive action and discards all data packets from that
address. The default is 180 seconds. It can be changed according to the actual situation.

At [Report type], you can select <Simple> (records a summary of the intrusion) or
<Detail> (records the data packets of the intrusion and needs more memory space).

At [Enable IPS for data from right side] you can set IPS to take protection actions for data
between WAN, LAN and DMZ. The settings can be customized. By default, all three items
are enabled.

1. The three protection levels <High>, <Medium> and <Low> are ordered by decreasing
threat severity; correspondingly, the rate of misjudgment increases from <High> to
<Low>. Under normal circumstances, it is recommended to select <High>, which
minimizes misjudgments while ensuring the security of the intranet.
2. Normally, the intranet is protected by the firewall of the IAM device, and IPS protection
need not be enabled. IPS only needs to protect the corresponding ports of servers (with
port mapping to the intranet) through which the intranet provides services to the
Internet. In this way, the intranet is effectively protected and the efficiency of the IAM
gateway is ensured.

2.11.3.2. Rule Setting


This item is used to set the priority level and the process of automatic updating for the IPS
rules.

The IPS rule list can be viewed by service and priority level. All rules are classified into
three levels, namely <High>, <Medium> and <Low>. The user can select whether auto
updating is permitted, and view the IPS rule list by <Classified query> or <Exact query>.

To automatically update the rules, select <Enable> for [Auto update rule].

If a normal application is misjudged by IPS, the priority level of the corresponding rule
should be lowered, as shown below:

Select the rule whose priority level needs to be modified, and click <Edit>. To see the
detailed description of the rule, click <Detail> behind the rule.

2.12. DHCP Services


2.12.1. DHCP Status
The DHCP (Dynamic Host Configuration Protocol) status displays the running state of
DHCP and information on the distribution of IP addresses to the intranet. The list shows
the running state of the DHCP service, the total number of distributed IP addresses, the
distributed IP addresses, and the name and MAC address of each PC. To refresh the list,
click <Refresh>.

2.12.2. DHCP Configuration


You can set the detailed parameters for DHCP services, including gateway distributed with
IP, DNS, WINS, IP address range and retained IP, etc., as shown below:

[DHCP network parameter]: To set the [Gateway], [DNS] and [WINS] information obtained
by DHCP clients. Normally, enter the product's LAN port IP at [Gateway], and the IP of the
DNS server provided by the local ISP at [DNS], with 2 at maximum. If [DNS] is left empty,
no DNS is distributed to the client PCs. Whether a [WINS] server should be entered
depends on your own application.

[DHCP IP Address range]:To enter the start IP and end IP for the distributed IP section,
and then click <Add>.

[DHCP reserved IP settings]: To set reserved IP addresses and distribute each reserved IP
to the corresponding PC according to its MAC address or PC name. Click <Add reserved
IP>, and the edit box for the reserved IP appears. In the box, enter a custom user name in
[User name] and the specific LAN IP to be reserved in [IP Address].

The condition for a DHCP reservation can be set according to the MAC address or the
name of the user's PC.

To do that, make related selection, then enter the respective information in [MAC Address]
and [Computer name]. You can click <Get by IP> to obtain the corresponding parameters,
then click <OK> to save the settings.

The item <Enable DHCP Service> serves as the switch for the DHCP module.

1. PCs in the intranet may already have fixed LAN IPs. The IP range entered here should
not include addresses that are in use; otherwise conflicts may occur during IP
distribution.
2. Normally, do not add IP addresses ending in 0 or 255, for these two are the network
address and the broadcast address of the network segment. For example, set the IP range
as 10.251.251.1-10.251.251.254.
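The following is an added example, not code from the IAM product: a constructed pre-flight check for the [DHCP IP Address range] and [DHCP reserved IP settings] that applies the two notes above before the settings are saved. The LAN segment, fixed IPs and MAC addresses in the test are constructed; which hosts count as "fixed" (the IAM LAN port IP, servers, printers) is the administrator's input.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


def check_dhcp_settings(lan_cidr: str, range_start: str, range_end: str,
                        fixed_ips: Iterable[str] = (),
                        reserved: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of problems found; an empty list means the settings look sound.

    lan_cidr:   the LAN segment, e.g. "10.251.251.0/24"
    fixed_ips:  LAN IPs already in static use on intranet PCs and devices
    reserved:   MAC address -> IP address pairs from [DHCP reserved IP settings]
    """
    problems: List[str] = []
    net = ipaddress.ip_network(lan_cidr, strict=False)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    if start > end:
        return ["start IP is after end IP"]
    for label, ip in (("start", start), ("end", end)):
        if ip not in net:
            problems.append(f"{label} IP {ip} is not inside the LAN segment {net}")
    # Note 2: the addresses ending in 0 and 255 are the network and broadcast
    # addresses of the segment and must never be handed out.
    if start <= net.network_address <= end:
        problems.append(f"range includes the network address {net.network_address}")
    if start <= net.broadcast_address <= end:
        problems.append(f"range includes the broadcast address {net.broadcast_address}")
    # Note 1: PCs with fixed LAN IPs must not be inside the distributed range.
    for fixed in fixed_ips:
        f = ipaddress.ip_address(fixed)
        if start <= f <= end:
            problems.append(f"fixed IP {f} lies inside the DHCP range")
    # Reserved IPs must belong to the LAN and be unique per MAC address.
    seen: Dict[object, str] = {}
    for mac, ip_str in (reserved or {}).items():
        mac = mac.lower()
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            problems.append(f"reserved IP {ip} for {mac} is not inside the LAN segment {net}")
        if ip in seen:
            problems.append(f"reserved IP {ip} is assigned to both {seen[ip]} and {mac}")
        seen[ip] = mac
    return problems
```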

2.13. User Guide


[User Guide] describes the basic configuration flow of the equipment and provides links to
the configuration steps (click the characters in blue). The links lead directly to the
configuration pages of the corresponding modules.

Chapter 3. DLAN Gateway Client Dlanupdater
The gateway restoration system can be used to update the kernel version of IAM
hardware gateway and backup configuration. When vital errors occur in the system, the
IAM hardware gateway can be restored to the ex-factory state via the gateway restoration
system. In addition, the gateway restoration system can also be used to inspect the
running state of the interface, routes and other information in the system, as well as to
modify the working mode and MTU value of the interface, etc.

The interface is shown below:

The gateway update client includes the following menus: [Sys], [Update], [Backup],
[ManagePackage] and [Tool].Their functionalities are respectively described as follows:

[Sys]: Includes [Connect],[Search],[Change Password],[Disconnect],[Quit],etc.

[Connect]: Enter the IP address and password of the IAM device directly to log in. The
default login password is dlanrecover, as shown below:

After a successful login, a corresponding prompt appears in the interface, as shown
below:

[Search]: Automatically searches for IAM hardware gateways on the LAN. The search uses
Layer 2 broadcast, so it reaches every gateway in the same broadcast domain, even one
that is not in the same IP segment, but it cannot cross a router or a Layer 3 switch. As
shown below:

[Change Password]: Changes the password the client uses to access the gateway for upgrades.

[Disconnect]: Disconnects from the hardware gateway. If no operation occurs within the
configured idle time, the client disconnects automatically.

[Update]: Includes [Update Firmware], [Restore Default Config] and [Restore Default
Network], as shown below:

[Update Firmware] and [Restore Default Config]: Available only after the IAM device has
been logged in successfully.

They update the kernel firmware of the IAM device and restore its default configuration,
respectively. These operations replace core files of the device, may change its serial
number, etc. Do not run them casually. If they are really necessary, carry them out under
the guidance of engineers from SINFOR.

[Restore Default Network]: To be used only when the client is not connected to a device. It
restores the network configuration to the factory default state. The command is sent as a
broadcast packet and takes effect on every [Sinfor Hardware Gateway] that receives it, not
only the one you intend to reset, so make sure no other Sinfor gateway is in the same
broadcast domain before using it. Because of this risk, do not run it casually.

1. The IAM hardware gateway can only be updated from a lower to a higher version,
and normally cannot skip over more than one version in a single update.

2. Updating carries risk. If performed improperly, the device may be damaged. Do
not update the system casually; to do so, first contact the Customer Service
Department of SINFOR.
[Backup]: Includes [Backup Config] and [Restore Backup], as shown below:

[Backup Config]: To back up the current configuration information of IAM device.

[Restore Backup]: To restore the backed-up configuration information to IAM device.

[ManagePackage]: Includes [CheckCurrent], [LoadPackage] and [Download], as shown
below:

[CheckCurrent]: Shows the information of the currently loaded update package.

[LoadPackage]: Loads the update package. Only after a package has been loaded can
[Update Firmware] under [Update] be used.

[Download]: Downloads the corresponding update package from the SINFOR website to the
local computer.

[Tool]: Includes [Ping], [Route table], [Arp table] and [Network config], as shown below:

[Ping]: After logging in to the IAM device, ping from the device to the Internet to check
whether the IAM device is connected to the Internet.

[Route table]: Shows the routing table of the IAM device.

[Arp table]: Shows the ARP table of the IAM device.

[Network config]: Shows the network configuration of the IAM device, including the IP
configuration of its ports.

Procedure for updating the product:

1. Download the update package and save it locally.
2. Open the DLAN gateway client and load the update package via
[ManagePackage/LoadPackage].
3. Log in to the IAM hardware gateway via [Sys/Connect].
4. Click [Update/Update Firmware]. The system reports a successful update and the
device restarts.

To update the firmware kernel of the IAM hardware gateway, seek guidance from our
support engineers.
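The two restrictions stated in the notes above (updates go only from lower to higher versions, and versions must not be skipped) are easy to get wrong once several packages have been downloaded with [ManagePackage/Download]. As an added example that is not part of this manual or of the Dlanupdater client, the following Python helper plans the order in which the downloaded packages have to be applied, one [Update Firmware] run each, and refuses downgrades, no-op updates and plans that would skip a released version. It assumes dotted numeric version strings and treats every released package between the current and the target version as one mandatory step; the version numbers and the package lists are constructed sample data, and the function names are my own.

```python
def parse_version(version: str):
    """'1.10.2' -> (1, 10, 2). Numeric tuples compare correctly, unlike raw strings
    ('1.10' sorts before '1.9' as text but is the higher release)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def format_version(parts) -> str:
    return ".".join(str(p) for p in parts)


def plan_update_path(current: str, target: str, available, released=None):
    """Return the ordered list of package versions to apply to get from current to target.

    Assumptions modelled on the manual's notes (not the client's own logic):
      - never plan a downgrade or a no-op
      - every downloaded package above current and up to target is applied in order
      - the target package itself must be among the downloaded packages
      - if the list of all released versions is known, a released version between
        current and target that has not been downloaded makes the plan invalid,
        because applying the next package would skip it
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError(
            f"refusing {current} -> {target}: only lower-to-higher updates are allowed")

    have = {parse_version(v) for v in available}
    if tgt not in have:
        raise ValueError(f"package for target version {target} has not been downloaded")

    if released is not None:
        missing = sorted(v for v in (parse_version(r) for r in released)
                         if cur < v < tgt and v not in have)
        if missing:
            raise ValueError("update would skip released version(s): "
                             + ", ".join(format_version(m) for m in missing))

    steps = sorted(v for v in have if cur < v <= tgt)
    return [format_version(s) for s in steps]


# Constructed sample data: packages present in the local package store,
# and the full list of releases as it might appear on the vendor download page.
DOWNLOADED = ["2.1", "2.2", "2.3", "2.10"]
RELEASED = ["2.0", "2.1", "2.2", "2.3", "2.4", "2.10"]

if __name__ == "__main__":
    print(plan_update_path("2.1", "2.10", DOWNLOADED))            # ['2.2', '2.3', '2.10']
    try:
        plan_update_path("2.1", "2.10", DOWNLOADED, RELEASED)     # 2.4 is missing
    except ValueError as err:
        print("rejected:", err)
```

Take a [Backup Config] before the first step of the plan, and re-check the path after each restart by reading the running version with [CheckCurrent], since a step that fails leaves the device on an intermediate version.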
