
Partner Certification Training - IAM Professional

System Management

Sangfor CTI
tech.support@sangfor.com
May 2017
www.sangfor.com
Content: Objective
Link Load Balancing: Master the environments where Link Load Balancing applies and be able to configure it according to user requirements.
Alarm Option: Grasp the available Alarm Option types and configure them according to user requirements.
SNMP: Understand the SNMP versions supported by IAM and configure the SNMP option to support an SNMP management software system.
Web Access Connection Quality: Master the situations where Web Access Connection Quality applies and master the configuration needed to meet the expected result.
Custom Webpage: Understand the applicable scenarios for the custom webpage and be able to configure it based on user requirements.
SANGFOR IAM

Link Load Balancing
Alarm Options
SNMP
Web Access Connection Quality
Custom Webpage
Link Load Balancing
Load Balancing - Introduction
Background: With the continuous growth and development of enterprises, an enterprise has more than one Internet line, and the bandwidth of each line is very limited. The question is how to use the line bandwidth more reasonably and improve the speed of access to the public network.
Solution: IAM offers 3 technologies: Policy-Based Routing, Link Load Balancing and VPN as backup.

1. Policy-Based Routing: Forwards traffic to different ISPs according to source/destination IP and protocol.
2. Link Load Balancing: Forwards traffic to different lines based on remaining bandwidth, weighted round robin, even load assignment, or prefer-link-at-top settings.
3. Make VPN Tunnel as Standby Link: The customer has two ISP lines: Line1 is used for the VPN tunnel to the branch, and Line2 is a lease line to the branch. By default, all traffic to the branch uses the lease line; when the lease line is faulty, the traffic is forwarded via the VPN tunnel.
Load Balancing - Introduction
1. Deploy device in route mode, configure IP address, DNS and Gateway for each WAN interface
correctly.

2. Configure access control policy in IAM, allow all internal network segments to access Internet
by using all WAN interfaces.

The configuration steps above are skipped here; please refer to the PPT slides IAM_Deployment, IAM_Access_control and IAM_Firewall.

3. Configure Link State Detection

Link State Detection has 2 detection methods: DNS lookup and Ping.

Configure link state detection for the second line as well.

(1) Any detection method: if Ping and DNS lookup fail, the line is considered down.
(2) DNS lookup and Ping support multiple IP addresses/domains; the line is considered normal if any IP/domain is accessible.

4. Configure Policy-Based Routing

For the Criteria configuration, Source and Dst Address can select a defined IP group, and Service can select an IAM internal available service group.

5. Link Load Balancing Configuration

Selection Policy:
Choose Balance load among links.

There are multiple types of LB methods.

6. Make VPN tunnel standby link

Note: The purpose of this policy is to use the VPN tunnel as the backup line if the lease line is down; therefore the Line selected must be the lease line.
Precaution

1. Link Load Balancing is only available for route mode deployment.

2. When multiple WAN lines are required, make sure the device license covers enough WAN lines.

3. Link State Detection must be configured first, because this function detects and determines whether an ISP line is valid. If the line is faulty, IAM forwards the traffic to another line.
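
The behaviour configured in steps 3 to 6 (a line counts as normal if any detection target answers, traffic is shared by weight among healthy lines, and the VPN tunnel carries branch traffic only while the lease line is down) can be modelled as follows. This is an added illustration, not Sangfor code: the smooth weighted round-robin algorithm, the `Link` class, the probe functions and all addresses are assumptions, since the slides do not say how IAM implements these features.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    weight: int     # share used by weighted round robin (hypothetical field)
    targets: list   # Ping IPs / DNS names used for link state detection

def link_is_up(link, probe):
    """Line is normal if any configured target is reachable, down if all fail."""
    return any(probe(link.name, t) for t in link.targets)

def wrr_cycle(links, probe):
    """One smooth weighted round-robin cycle over the links detected as up."""
    up = [l for l in links if link_is_up(l, probe)]
    total = sum(l.weight for l in up)
    current = {l.name: 0 for l in up}
    order = []
    for _ in range(total):
        for l in up:
            current[l.name] += l.weight          # every link earns its weight
        best = max(up, key=lambda l: current[l.name])
        current[best.name] -= total              # the chosen link pays the total
        order.append(best.name)
    return order

def branch_path(lease_line, vpn_tunnel, probe):
    """VPN tunnel is standby: used only while the lease line is detected down."""
    return lease_line.name if link_is_up(lease_line, probe) else vpn_tunnel.name

# Constructed probe results: (line, target) -> reachable?
SAMPLE = {
    ("line1", "198.51.100.1"): False, ("line1", "example.com"): True,
    ("line2", "203.0.113.1"): False, ("line2", "example.net"): False,
    ("lease", "192.0.2.1"): False,
}

def sample_probe(line, target):
    return SAMPLE.get((line, target), False)

LINE1 = Link("line1", 2, ["198.51.100.1", "example.com"])
LINE2 = Link("line2", 1, ["203.0.113.1", "example.net"])
LEASE = Link("lease", 1, ["192.0.2.1"])
VPN = Link("vpn", 1, [])

if __name__ == "__main__":
    print(wrr_cycle([LINE1, LINE2], lambda *_: True))  # both lines healthy
    print(wrr_cycle([LINE1, LINE2], sample_probe))     # line2 fails detection
    print(branch_path(LEASE, VPN, sample_probe))       # lease line is down
```

In the constructed data, line1 stays in service because one of its two targets still answers, while line2 is removed from the rotation because every target fails.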
Alarm Options
Alarm Options - Introduction
The IAM alarm option supports multiple function modules. When an event matches the alarm settings, IAM sends an alarm alert via email and shows a notification at the bottom right of the WebUI to inform the network administrator. The supported events are shown below:
Alarm Options - Introduction
1. Configure the SMTP server.

2. Select the related events that will send an email alert to the administrator.
SNMP
SNMP - Introduction
Normally, a customer's network environment contains network devices of many brands, which makes management and maintenance inconvenient. Customers want to monitor and manage all the devices from a network management server. By default, IAM supports the SNMP protocol (SNMP v1, v2 and v3) and comes with a MIB file, so that by importing the MIB file into the network management server, the server can monitor and manage IAM.
SNMP - Configuration
Enter the device IP, community and OID (1.3.6.1) into the SNMP agent to retrieve all the information from the device, as shown in the figure below:

However, this method shows all OID information without the meaning of each result entry, and because the OID information is missing, it is hard to find the information needed.

Download the MIB and import it into the MIB agent to get the OID tree.

The IAM device's MIB file describes the information available via SNMP.
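
What the MIB import changes can be seen by resolving a numeric walk against a name table. This is an added example, not taken from the slides or from Sangfor's MIB: the walk output is constructed, the three named objects are standard MIB-2 system objects, and the enterprise OID in the last row is a made-up placeholder that stands for any entry the loaded MIB does not cover.

```python
# Names a MIB supplies. These are standard MIB-2 "system" objects; the IAM MIB
# adds device-specific objects, which are not reproduced here.
MIB = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
}

# Constructed walk output in numeric form (OID = TYPE: value).
WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "constructed device description"
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
.1.3.6.1.2.1.1.5.0 = STRING: "iam-lab"
.1.3.6.1.4.1.99999.1.2.0 = INTEGER: 42
"""

def resolve(oid, mib):
    """Longest-prefix match: (name, instance suffix), or (None, oid) if unknown."""
    parts = oid.strip(".").split(".")
    for cut in range(len(parts), 0, -1):
        name = mib.get(".".join(parts[:cut]))
        if name:
            return name, ".".join(parts[cut:])
    return None, ".".join(parts)

def annotate(walk_text, mib):
    """Return (label, value) rows; entries missing from the MIB stay numeric."""
    rows = []
    for line in walk_text.splitlines():
        oid, sep, value = line.partition(" = ")
        if not sep:
            continue                      # skip lines that are not "OID = value"
        name, instance = resolve(oid, mib)
        if name is None:
            label = oid.strip()
        else:
            label = f"{name}.{instance}" if instance else name
        rows.append((label, value))
    return rows

if __name__ == "__main__":
    for label, value in annotate(WALK, MIB):
        print(f"{label:28} {value}")
```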


Web Access Connection Quality
Connection Quality - Introduction
Background: As the structure of the internal network becomes more complex, operation and maintenance become harder for IT managers, for example when web access across the network is abnormal or a single user's web access is very slow. It is hard for the administrator to find the root cause, and troubleshooting is very difficult. The IAM web access quality function was developed for this scenario: it analyzes the quality of web access across the network and for single users, and gives administrators intuitive analysis results so that operation and maintenance are simpler.

Theory: The function determines the web access connection quality (excellent or poor) of each user from the details of TCP and DNS packets while monitoring the web browsing traffic passing through the device. Suggestions are given if problems are detected, based on the analysis or on the overall web access connection quality for each user. The analysis can then be run as user-based detection to get a high-accuracy result for a single user.
Connection Quality - Configuration
Web Access Connection Quality Configuration:

1. Enable Web Access Connection Quality Monitor and configure the options in Connection Quality Definition.

2. Configure the website settings. By default IAM analyzes all HTTP traffic (port 80); the settings can be changed to analyze only selected websites.

3. Monitor the result.

4. Configure the User-Based Detection option to analyze the web access connection quality for a single user.

Connection Quality Definition:

Excellent: 90% means that with a total of 100 users, if 90 or more users are quick in Internet access, the result is Excellent.
Poor: 40% means that if 40 or more users are slow in Internet access, the result shows Poor.
If between 40 and 90 users are quick, the result shows Good.
If the total number of users is less than 5, no analysis is done and the network quality is shown as ‘--’.

Website settings: By default, IAM performs analysis for all HTTP traffic; configure here to analyze selected websites only.

Result:

Move the mouse pointer over the graph to check the connection quality and user number at a specific time.

Click on View to check the users involved in a poor connection.

User-Based Detection:

Settings: select the user redirection method.
(1) Redirect the user to the test webpage when the user browses www.google.com.
(2) Redirect the user to the test webpage when any web access request is detected.

1. The administrator selects the user and clicks Start.

2. The user browses to www.google.com and is redirected to the test webpage.

3. The user clicks on Start Test.

4. Testing is completed.

5. The result is shown in the Web UI page.

Connection Quality
Precautions:

1. If service port 80 or HTTP traffic is denied, no connection quality detection takes place.

2. IAM deployed in single arm or bypass mode does not support this function; the module is hidden by default under these deployments.

3. The active user count differs from the online user count: a user's web access must generate enough information within a specific period (5 min) to produce a result.
Custom Webpage
Background: IAM has many built-in prompt pages such as reminder, denial and login portal pages. Nowadays many customers need to modify and customize these webpages according to their own policy and style, so IAM lets users customize their own prompt pages.

Prompt Page: These webpages are mainly used by access control denial policies and reminder policies to alert users.

Login Portal: This webpage is used for user authentication redirection, where the user inputs their details.

Custom webpage modification:

IAM provides a preview for each webpage, and the view can be changed to a coding view to modify the page directly.

Captive Portal Modification:

IAM has a few templates, which the user can modify, clone and download based on requirements.

Once the captive portal modification is complete, the user can upload it to IAM according to the template format.

The user can change the content and pictures in the webpage.

Captive Portal: Right Segregation

Captive portals can be controlled based on administrator account privilege; different accounts can have different privileges to modify captive portals.

The administrator can authorize a user for selected captive portals; an unauthorized user cannot view or edit the captive portal.
Question

1. What policies are included in the Link Load Balance module of IAM?

2. Which SNMP versions does Sangfor IAM support?


www.sangfor.com

Sangfor Technologies (Headquarters)


Block A1, Nanshan iPark, No.1001
Xueyuan Road, Nanshan District,
Shenzhen, Guangdong Province,
P. R. China (518055)
