Symantec 460R - Gateway Security, Installation Manual

Page 1: ...Symantec Gateway Security 400 Series Installation Guide Supported models Models 420 440 460 and 460R ...

Page 2: ...Technical support As part of Symantec Security Response the Symantec global Technical Support group maintains support centers throughout the world The Technical Support group s primary role is to respond to specific questions on product feature function installation and configuration as well as to author content for our Web accessible Knowledge Base The Technical Support group works collaborativel...

Page 3: ...on Error messages log files Troubleshooting performed prior to contacting Symantec Recent software configuration changes and or network changes Customer Service To contact Enterprise Customer Service online go to www symantec com techsupp select the appropriate Global Site for your country then select the enterprise Continue link Customer Service is available to assist with the following types of ...

Page 4: ......

Page 5: ...15 DHCP 16 DSL 17 PPPoE 17 PPTP 17 Static IP address 18 Dial up ISDN 18 Running the Setup Wizard 19 Before you begin 19 Starting the Setup Wizard 20 Setting up Dialup ISDN 20 Configuring a DHCP connection 21 Configuring a DSL connection 22 Configuring a static IP address connection 22 Completing the Setup Wizard 23 Accessing the Security Gateway Management Interface SGMI 24 Joining SESA 24 Appendi...

Page 6: ...ndix B Licensing Appendix C Specifications and safety Product specifications 43 Safeguard instructions 44 Product certifications 45 Appendix D LEDs and DIP switches About LEDs 47 Interpreting the LEDs 48 LiveUpdate LED status 48 DIP switches 49 Appendix E About troubleshooting Accessing troubleshooting information 51 Index ...

Page 7: ...tec Gateway Security 5400 Series appliances deployed at hub sites Symantec Gateway Security 400 Series models are wireless capable They have special wireless firmware and a CardBus slot that can accommodate an optional Symantec wireless network card consisting of an integrated 802 11b g radio and separate antenna to allow the highest possible integrated security for wireless LANs when used with cl...

Page 8: ...rity 400 Series with the SGMI and provides step by step instructions for configuring and using the appliance Symantec Event Manager and Advanced Manager for Security Gateways Group 2 v2 1 Integration Guide This guide describes how to integrate the Symantec security gateway into the Symantec Enterprise Security Architecture SESA environment Table 1 1 Document structure Chapter Title Content Chapter...

Page 9: ...rate Printed documentation Symantec Gateway Security 400 Series Quick Start Card Symantec Security Gateway 400 Series Release Notes Symantec Gateway Security 400 Series software CD ROM AVpe AVpe client activation registration file The following documentation in PDF format Symantec Gateway Security 400 Series Administrator s Guide PDF Symantec Gateway Security 400 Series Getting Started Guide PDF S...

Page 10: ...lacement CD ROMs You may need to replace the media due to a defective or lost CD ROM If you need a replacement CD ROM because it is defective contact Customer Support If you require a new CD ROM because you have lost it contact your Sales Representative to purchase a new media kit ...

Page 11: ... Plenty of air circulation Ensure that there is adequate space at least 1 inch on all sides of the appliance to allow for air circulation to cool the machine Never place objects or paper on top of the appliance Proper power source Install the appliance near a power source that is adequate and near enough the appliance that the power cord is not strained stretched or in danger of coming unplugged A...

Page 12: ... icons on the back panel of all the models Table 2 1 Symantec Gateway Security 400 Series back panel controls Location Icon Feature Description 1 Restart When you press this button current connections and all client VPN tunnels are lost all Gateway to Gateway VPN tunnels that were previously connected re establish after the appliance restarts and the initial hardware self test is run This button i...

Page 13: ...connector from a node that the appliance will protect The LAN ports are not ordered you can plug any cable from a node into any of the LAN ports The node will be assigned an IP address by the DHCP server by default 4 Repeat step 3 for up to four different nodes on models 420 and 440 or eight different nodes on models 460 and 460R Switches can be connected to any of the LAN ports to connect additio...

Page 14: ...ss the power switch on the back panel 7 The appliance power is functioning correctly if the LEDs on the front panel illuminate See LEDs and DIP switches on page 47 Configuring the appliance Once you have completed the physical installation of the appliance you must log in and begin system configuration The first time that you log in to the appliance the Setup Wizard begins and guides you through a...

Page 15: ...tand your connection type First determine if you have a dial up or dedicated account Typical dial up accounts are analog through a normal phone line connected to an external modem and ISDN through a special phone line Typical dedicated accounts are broadband cable DSL T1 E1 or T3 connected to a terminal adaptor Table 3 1 and Table 3 2 describe the supported connection types including the following...

Page 16: ...ses to you Account types that frequently use DHCP are broadband cable and DSL ISPs may authenticate broadband cable connections using the MAC address or physical address of your computer or gateway Table 3 1 Dial up connection types Connection type Services Network termination types Analog or ISDN Plain Old Telephone Service POTS Analog dial up modem Integrated Services Digital Network ISDN Digita...

Page 17: ...The login may be the same user name and password as the main session or may be different for each session depending on your ISP Up to five sessions or IP addresses are allowed for models 420 and 440 and up to three sessions for each WAN port on models 460 and 460R LAN hosts are bound to a session on the Computers tab in the SGMI Note Multiple IP addresses on a WAN port are only supported for PPPoE...

Page 18: ... Static IP address netmask and default gateway addresses Contact your ISP or IT department for this information DNS addresses You must specify the IP address for at least one and up to three DNS servers Contact your ISP or IT department for this information You do not need DNS IP address entries for dynamic Internet accounts or accounts where a DHCP server assigns the IP addresses If you have a st...

Page 19: ...Setup Wizard again and selecting a different language You cannot change the WAN connectivity information from the SESA Console Before you begin Before proceeding with the Setup Wizard plug in the cable from your modem which is connected to the Internet or from your intranet into the WAN port WAN 1 on models 460 and 460R on the back of your appliance After you plug in the appropriate cables check t...

Page 20: ...tions in Installing the Symantec Gateway Security 400 Series on page 11 2 Open your browser and browse to the appliance IP address By default the IP address is 192 168 0 1 3 In the Symantec Gateway Security 400 Series Language Selection panel select a language When you select a language it is the language in which the Setup Wizard proceeds as well as the language which is used on the appliance 4 C...

Page 21: ...P 3 In the Broadband Cable Connection panel in the Computer or gateway MAC address text boxes type the physical MAC address Change this value only if required to do so by your ISP 4 Click Next 5 Skip to Completing the Setup Wizard on page 23 User Name Type the account user name Password Type the account password Verify Password Retype the account password Dial up Telephone 1 Type the primary dial ...

Page 22: ...e 20 To configure a static IP address connection 1 Run the Setup Wizard See Starting the Setup Wizard on page 20 2 In the Connection Types panel click Static IP 3 In the Broadband connection using a Static IP panel do the following User Name Type the account user name Password Type the account password Verify Password Retype the account password Connect on Demand To establish the connection on an ...

Page 23: ... to translate addresses DNS 3 Optionally type the IP address of an additional DNS server used to translate addresses IP Address Type the static IP address Security Gateway Host Name Type the name of the gateway host You can leave the default value change it if required by your ISP or leave it blank Domain Name Optionally type the domain name admin s Password Type the administrator account password...

Page 24: ...IP address of the appliance This is the default IP address of the appliance Once you have logged in to the SGMI you can change the IP address The administrator user name is always admin The SGMI login is case sensitive To assign or change the admin password click on Administration in the left pane and then click on the Basic Management tab For more information about configuring the appliance see S...

Page 25: ...work resources and services you want to protect It is crucial to have a carefully designed network security policy to guard the valuable resources and information of your organization Ideally you should capture your security policy in a document that describes your organization s network security needs and concerns Creating this document is the first step in building an effective overall network s...

Page 26: ...thentication will you require for external users Symantec recommends strong authentication for any access from public networks If you are implementing VPN tunnels between internal and external hosts what types of traffic will be allowed over these tunnels Will you place your Web server inside or outside of your protected network Becoming security conscious Developing and implementing a security pl...

Page 27: ...al users will be disallowed from accessing certain systems by Telnet consider passing these changes along before implementation Consulting users prior to implementation may save you the time needed to fine tune those policies later Taking a pro active stance Again keep in mind that configuring a set of authorization rules on the security gateway is just one piece of your overall security plan To b...

Page 28: ...the security gateway remotely 11 Do you plan to implement a wireless network 12 Do you have other Symantec security gateways on your network now 13 If Yes what product and version __________________________________________ _____ Yes _____ No ____________________________________ ________________________________________________________________________________ ________________________________________...

Page 29: ...st computers of each type that compose your network 3 List the types of operating system in your network 4 What kind of Internet connection do you have What speed 5 Type the name of your Internet Service Provider ISP ___________________________________________________________ 6 Does your site have or plan to have more than one Internet access point 7 Are there any other Internet connections beside...

Page 30: ...net must have at least one public network address Symantec is not responsible for acquiring or registering public IP addresses The internal behind the firewall addresses do not have to be legal or registered Symantec strongly recommends that you use private RFC 1918 compliant addresses internally 8 List the address ranges you currently use in your network __________________________________________...

Page 31: ...s 2 Use Table A 3 to list the names of any special services you wish to pass through the firewall 3 Use Table A 4 to list your TCP IP services _____ Internal server ________________________________ _____ External news server ____________________________ Table A 2 Allowed TCP IP access type Access group DNS FTP HTTP HTTPS SMTP POP3 RADIUS Auth Telnet IPsec PPTP LiveUpdate SESA Real Audio PCA TFTP S...

Page 32: ...ill you be using a Web server 2 If yes select the location of the Web server 3 Notate the Web server name and IP address 4 Will you be using an external caching proxy server If yes notate the server name and IP address Telnet HTTP Other _____ Yes _____ No Table A 4 TCP IP services Continued Group Authentication _____ Yes _____ No _____ Internal to the Symantec Gateway Security 400 Series _____ Ext...

Page 33: ...ble A 5 to list all allowed entity identifications Users allowed through the Symantec Gateway Security 400 Series Use Table A 6 to list all allowed user identities Allowed Web sites Use Table A 7 to list all Web sites users can view that are specified in content filtering Allow lists Table A 5 Entity identification IP address DNS name Entity type Internal external Table A 6 User identification Use...

Page 34: ...ffected by or connected to the security gateway and its directly connected networks Label each network component with its IP address and network mask Use Table A 9 to create a list of all internal servers Your external network consists of at least the Symantec Gateway Security 400 Series security gateway and a router Table A 8 Denied Web sites Web site name URL Comments Table A 7 Allowed Web sites...

Page 35: ...l Web server Use Table A 12 to list all external network servers Subnet mask Table A 10 Host internal and external IP addresses Host Internal external IP addresses Table A 11 Router IP addresses Router IP addresses Table A 12 External network servers DNS name services Mail server Web server Other server Service Host name IP address Subnet mask Table A 9 Internal network servers Continued DNS name ...

Page 36: ...36 Developing a pre installation security plan Filling out worksheets ...

Page 37: ...T AGREE TO THESE TERMS AND CONDITIONS CLICK ON THE I DO NOT AGREE OR NO BUTTON IF APPLICABLE AND DO NOT USE THE SOFTWARE AND THE APPLIANCE 1 Software License The software the Software which accompanies the appliance You have purchased the Appliance is the property of Symantec or its licensors and is protected by copyright law While Symantec continues to own the Software You will have certain right...

Page 38: ...the event of a breach of this warranty will be that Symantec will at its option repair or replace any defective Software returned to Symantec within the warranty period or refund the money You paid for the Appliance Symantec warrants that the hardware component of the Appliance the Hardware shall be free from defects in material and workmanship under normal use and service and substantially confor...

Page 39: ... AND COUNTRY TO COUNTRY 4 Disclaimer of Damages SOME STATES AND COUNTRIES INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ...

Page 40: ...n You and Symantec relating to the Appliance and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement may only be modified by a License Module or by a written docu...

Page 41: ...censee a nonexclusive nontransferable license to install and use the quantity of each title of the Software and the related user documentation as are set forth opposite the name of such title on the face of this Certificate solely on the Appliance bearing the serial number set forth on the face of this Certificate under the terms and conditions of the EULA solely for Licensee s own internal busine...

Page 42: ...42 Licensing SYMANTEC GATEWAY SECURITY APPLIANCE 300 400 SERIES CLIENT TO GATEWAY VPN ADDITIVE LICENSE AND 8 0 MEDIA KIT ...

Page 43: ... 5 10 100 Ethernet ports 1 WAN and 4 LAN 1 RS 232 serial port 10 10 100 Ethernet ports 2 WAN and 8 LAN 1 RS 232 serial port User interface Security Gateway Management Interface SGMI Symantec Enterprise Security Architecture SESA Console Security Gateway Management Interface SGMI Symantec Enterprise Security Architecture SESA Console Cryptoprocessor 50 MHz on Model 420 170 MHz on Model 440 200 MHz ...

Page 44: ...wer cords if possible from the existing system before connecting the signal cable to that device Warning To prevent a possible electrical shock during an electrical storm do not connect or disconnect cables AC power North American power supply unit Line voltage range 100 V to 120 V AC Current 1 1 Amps at 115 V Frequency 59 61 Hz single phase Power 10 W The multi national power supply unit includes...

Page 45: ...e within the specified limits Ensure there is sufficient air flow around the unit Ensure electrical circuits are not overloaded consider the nameplate ratings of all of the connected equipment and ensure that you have overcurrent protection Ensure the equipment is properly grounded particularly any equipment connected to a power strip Do not place any objects on top of the appliance Remove the pro...

Page 46: ...46 Specifications and safety Product certifications Safety UL 1950 CSA 22 2 No 950 95 EN60950 1 2002 TUV Rh CB ...

Page 47: ...Figure D 1 shows the LEDs on the front panel of models 420 440 460 and 460R Table D 1 describes each LED Figure D 1 LED configuration on models 420 440 460 and 460R Table D 1 LEDs Location Symbol Feature Description 1 Power Illuminates when the appliance is turned on 2 Error Illuminates if there is a problem with the appliance 3 Transmit Illuminates or flashes when traffic is being passed over the...

Page 48: ...id on Normal operation Solid off Flashing Transmitting receiving Data from LAN Flashing Flashing MAC address not assigned Firmware problem Appliance is ready for a forced download Appliance detected an error and cannot recover Flashing Solid on Configuration mode Solid on Solid on Hardware problem Flashing once Solid off RAM error Flashing twice Solid off Timer error Flash three Solid off DMA erro...

Page 49: ...s Guide for more information For normal operation set all the DIP switches to the off down position Writing new image to flash seconds depend on firmware size On Flashing alternately Flashing alternately Write complete Briefly for 1 second before reset On On On Appliance Resets All LEDs flashed ON and end in normal operational pattern On Off On flashing for traffic Table D 3 LED states for LiveUpd...

Page 50: ...50 LEDs and DIP switches DIP switches ...

Page 51: ...t Support enterprise click Continue 4 On the Support enterprise page under Technical Support click knowledge base 5 Under select a knowledge base scroll down and click Symantec Gateway Security 400 Series 6 Click your specific product name and model 7 On the knowledge base page for your appliance model do any of the following On the Hot Topics tab click any of the items in the list to view a detai...

Page 52: ...52 About troubleshooting Accessing troubleshooting information ...

Page 53: ...count 18 dial up connection 13 15 DIP switches 13 49 disconnect idle PPPoE connections 17 documentation supplied 8 DSL 16 17 DSL connectivity 16 DSL configuring 22 E encryption 7 F firewall 7 front panel 47 I installing appliance 11 intrusion detection 7 IP addresses checklist 30 IPSec 7 ISDN connection 15 16 ISDN dial up accounts 18 ISP PPTP connections 17 L LAN ports 12 LEDs flashing 48 LiveUpda...

Page 54: ...hone line ISDN 15 specifications 43 specifications and safety 43 static IP 16 static IP address configuring 22 Symantec Advanced Manager 7 Symantec Event Manager 7 Symantec Management Console 7 T T1 16 TCP IP checklist 30 TCP IP based network 17 troubleshooting 51 U user documentation 8 V Virtual Private Network 7 VPN 7 W WAN ports 12 RJ 45 cables 15 Setup Wizard 15 WAN ISP multiple IP addresses 1...