
OpenVPN client (Gw2Gw) — Endian UTM Reference Manual. Endian VPN installation + Configuration – Windows 8 Forum – Spiceworks






When interactive traffic is mixed into these large queues, their latency shoots way up, as ACK packets must wait in line before they reach you. The first network card in your computer should be the card with number 1. In fact you. Network wizard showing step 5: configure DNS resolver. Internet access preferences This step allows you to configure the RED interface, that connects to the internet or any other untrusted network outside Endian Firewall.




Since spyware does not need to attempt to damage data files or the operating system, it does not trigger antivirus software into action. However, antispyware software can recognize the particular actions spyware is taking by monitoring the communications between a computer and external message recipients. When communications occur that the user has not authorized, antispyware can notify the user and block further communications.

This category of computer security and protection, sometimes referred to as end-point security, remains resident, or continuously operating, on the desktop. Because the software is running, it uses system resources, and can slow the computer’s performance.

However, because it operates in real time, it can react rapidly to attacks and seek to shut them down when they occur. Antivirus software can be installed on a server and then loaded automatically to each desktop.

Firewalls, however, are usually installed on a server or purchased as an independent device that is inserted into the network where the Internet connection comes in. All of the computers inside the network communicate unimpeded, but any data going in or out of the network over the Internet is filtered through the firewall. It serves as a defense against unauthorized access and intrusion in such a system. It comes in various types, with many businesses and individuals already using some of them in one form or another.

Since more and more businesses now rely on software products for their crucial operations, the importance of security software assurance must be taken seriously — now more than ever. Having reliable protection such as security software is crucial to safeguard your computing environments and data.

In fact, small and medium-sized businesses have increasingly become targets of cybercrime over the past years. Unless you want the option to review the malware, there is no reason to keep the malicious software on your computer, which makes this feature essential. This means you can allow multiple users to access the same application but you can control the data they are authorized to view. SaaS software solutions have become a common delivery model for many business applications, including office software, messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, collaboration, customer relationship management (CRM), Management Information Systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition, learning management systems, content management (CM), Geographic Information Systems (GIS), and service desk management.

SaaS has been incorporated into the strategy of nearly all leading enterprise software companies. That eliminates or at least reduces the associated costs of hardware purchases and maintenance and of software and support.

The initial setup cost for a SaaS application is also generally lower than that for equivalent enterprise software purchased via a site license. This is an area IT organizations should explore carefully. The savings can be substantial in the case of applications that require new hardware purchases to support the software. The dollar savings can run into the millions.

And SaaS installations are often installed and working in a fraction of the time of on-premises deployments—some can be ready in hours. Sales is going SaaS too, with apps available to support sales in order management, compensation, quote production and configure, price, quoting, electronic signatures, contract management and more. With SaaS solution, you pay for what you need, without having to buy hardware to host your new applications.

Instead of provisioning internal resources to install the software, the vendor provides APIs and performs much of the work to get their software working for you. The time to a working solution can drop from months in the traditional model to weeks, days or hours with the SaaS model. In some businesses, IT wants nothing to do with installing and running a sales app. In the case of funding software and its implementation, this can be a make-or-break issue for the sales and marketing budget, so the lower cost really makes the difference.

In the SaaS model, the software application is already installed and configured. Users can provision the server for the cloud and quickly have the application ready for use. This cuts the time to benefit and allows for rapid demonstrations and prototyping. With many SaaS companies offering free trials, this means a painless proof of concept and discovery phase to prove the benefit to the organization.

SaaS business software gives you the benefit of predictable costs both for the subscription and to some extent, the administration. Even as you scale, you can have a clear idea of what your costs will be.

This allows for much more accurate budgeting, especially as compared to the costs of internal IT to manage upgrades and address issues for an owned instance. Under the SaaS model, since the software is hosted by the vendor, they take on the responsibility for maintaining the software and upgrading it, ensuring that it is reliable and meeting agreed-upon service level agreements, and keeping the application and its data secure. Many will have redundant instances in very secure data centers in multiple geographies.

Lastly, the vendor manages these issues as part of their core competencies—let them. One of the terrific aspects of integration is that orders written in the field can be automatically sent to the ERP. Now a salesperson in the field can check inventory through the catalog, write the order in front of the customer for approval, send it and receive confirmation, all in minutes.

Since the software is hosted in the cloud and accessible over the internet, users can access it via mobile devices wherever they are connected. This includes checking customer order histories prior to a sales call, as well as having access to real time data and real time order taking with the customer. Secure email gateways can be deployed via an email server, public cloud, on-premises software, or in a hybrid system. According to cybersecurity experts, none of these deployment options are inherently superior; each one has its own strengths and weaknesses that must be assessed by the individual enterprise.

To do so, they offer more sophisticated detection and prevention capabilities; secure email gateways can make use of threat intelligence to stay up-to-date with the latest threats. Security experts can then determine if it is a legitimate threat or a false positive. It is effectively a firewall for your email and scans both outbound and inbound email for any malicious content. At a minimum, most secure gateways offer four security features: virus and malware blocking, spam filtering, content filtering and email archiving.

For a secure email gateway to effectively prevent these emails from reaching their intended recipients and delivering their payload, it must scan every email and be constantly kept up-to-date with the latest threat patterns and characteristics. Spam is blocked in a number of different ways.

Basic spam filtering usually involves a prefiltering technology that blocks or quarantines any emails received from known spammers. Spam filtering can also detect patterns commonly found in spam emails, such as preferred keywords used by spammers and the inclusion of links that could take the email recipient to a malicious site if clicked.

Many email clients also allow users to flag spam messages that arrive in their mailbox and to block senders. For example, you can configure your secure email gateway to prevent specific sensitive documents from being sent to an external recipient, or put a block on image files or specific keywords within them being sent through the email system. Storage has been a problem for email administrators for many years, and while you may have almost infinite cloud storage available, email archiving can help to manage both user mailboxes and the efficiency of your systems.

Compliance is also a major concern for many companies and email archiving is a must if you need to keep emails for a certain period of time.

Communication channels can include email software, messaging apps, and social network IM platforms. This extra layer of security can help secure devices and block a wider range of viruses or malware attacks. Confidentiality refers to making sure only the intended recipients are able to read the messages and authenticity refers to making sure the identity of each sender or recipient is verified. Implementing proper data and message security can minimize the chance of data leaks and identity theft.

Encrypted messaging prevents anyone from monitoring text conversations. While these two methods of encryption are similar in that they both allow users to encrypt data to hide it from the prying eyes of outsiders and then decrypt it for viewing by an authorized party, they differ in how they perform the steps involved in the process.

If a sender is recognized as undesirable, the messaging security program drops the connection before the message is accepted. When a message comes in, its pattern is calculated and checked against a database to determine if the message matches a known email pattern. This method ensures that trusted sources are explicitly allowed and unwanted sources are explicitly denied access.

These message patterns are then flagged as malicious, giving information about a given attack. It lets you keep everything up to date and on the same page. And since many things are going on at the same time – tools like messengers are one of the many helpers that make the working day a little more manageable.

Without proper text message authentication in information security or encryption, it remains vulnerable to exposure. The chances are slim, but the possibility remains. And when private conversations leak, especially the business-related ones – the impact is comparable with the Titanic hitting an iceberg.

These security measures include enforcing strong passcodes on all devices, antivirus protection and data loss prevention (DLP), full-disk encryption for disk, removable media and cloud storage, mobile device management (MDM) to wipe sensitive data when devices are lost or stolen, and application control. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if somehow your device-level password is compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.

By password protecting devices, a user acknowledges accountability and responsibility for protecting their data. If applications are available to employees on the internal network, they should be able to access them offsite through a VPN or email software. A policy that lays out expectations and consequences for users can improve the success of your BYOD initiative. Mobile device management (MDM) systems also offer application controls through their blacklisting and whitelisting features. In addition, those with auto-quarantine or remote wipe capabilities also help in the event that a user installs non-compliant apps on his or her device.

The most important thing you can do is create a policy as soon as you decide to allow users to bring their own devices to work. Cloud file-sharing services are good for app delivery since most employees are already familiar with services such as Dropbox. And mobile desktop virtualization lets users connect to a PC environment and stores all sensitive data on servers instead of devices.

But for desktop virtualization on mobile devices to work, users need a reasonably large screen and a reliable Internet connection. Our Unified Threat Management (UTM) hardware, software and virtual appliances provide comprehensive gateway security including firewall, VPN, web and email security. Endian is the leading provider of open source network security and remote connectivity solutions.

Provide complete Industrial IoT Security to your network. Reduce administrator management time and effort and save valuable staff resources with centralized management made easy with Endian Management Center (EMC). The main feature uses a technology called Serial over IP which allows you to simply and securely access a remote serial port connection to your PLC in the field from anywhere in the world.

All of these connectivity options ensure your remote endpoints and networks have the highest levels of availability which keeps your business running smoothly. Our VPN technology allows our 4i appliances to get connected even behind existing corporate firewalls. Allowing devices to connect to the internet opens them up to a number of serious vulnerabilities if they are not properly protected.

Implementing security measures is critical to ensuring the safety of networks with IoT devices connected to them. Likewise, an attack on a refrigeration system housing medicine that is monitored by an IoT system can ruin the viability of a medicine if temperatures fluctuate. Similarly, an attack on critical infrastructure — an oil well, energy grid or water supply — can be disastrous. Cryptography technologies are used to combat communication attacks.

Security services are offered for protecting against lifecycle attacks. Isolation measures can be implemented to fend off software attacks. And, finally, IoT security should include tamper mitigation and side-channel attack mitigation technologies for fighting physical attacks of the chip.

Consequently, each IoT device needs a unique identity that can be authenticated when the device attempts to connect to a gateway or central server. With this unique ID in place, IT system administrators can track each device throughout its lifecycle, communicate securely with it, and prevent it from executing harmful processes.

If a device exhibits unexpected behavior, administrators can simply revoke its privileges. In the IoT, code signing in the software release process ensures the integrity of IoT device software and firmware updates and defends against the risks associated with code tampering or code that deviates from organizational policies.

Devices are the number one users of the Internet and need digital identities for secure operation. As enterprises seek to transform their business models to stay competitive, rapid adoption of IoT technologies is creating increasing demand for Public Key Infrastructures (PKIs) to provide digital certificates for the growing number of devices and the software and firmware they run.

If one cannot trust the IoT devices and the data, there is no point in collecting, running analytics, and executing decisions based on the information collected. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. Conceptually related, a hardware Trojan (HT) is a malicious modification of an electronic system, particularly in the context of an integrated circuit.

Further, an individual PUF device must be easy to make but practically impossible to duplicate, even given the exact manufacturing process that produced it. In this respect, it is the hardware analog of a one-way function. Today, PUFs are usually implemented in integrated circuits and are typically used in applications with high-security requirements. Three additional options are available.

Enabled: if this box is ticked, the training source will be used whenever SpamAssassin is trained.
Remark: in this field it is possible to save a comment to remember the purpose of this source at a later time.
Delete processed mails: if this box is ticked, mails will be deleted after they have been processed.

The other options can be defined just like in the default configuration. If they are defined they override the default values. To save a source it is necessary to click on the Update Training Source button after all desired values have been set.

A source can be tested, enabled, disabled, edited or removed by clicking on the appropriate icon in its row. The icons are explained in the legend at the bottom of the page.

Note that this can take some time if many training sources have been defined or the connection to the IMAP servers is slow. To start the training immediately, the Start training now button has to be clicked. It is important to note that training can take a long time depending on the number of sources, the connection speed and most importantly on the number of emails that will be downloaded.

You can also train the antispam engine manually if the SMTP Proxy is enabled for incoming as well as for outgoing mails.

This is done by sending spam mails to spam spam. Non-spam mails can be sent to ham ham. For this to work it is necessary that spam. Typically this is achieved by adding these two hostnames to the host configuration in Network, Edit hosts, Add a host on your Endian Firewall.

Intrusion detection

Select Services from the menu bar at the top of the screen, then select Intrusion detection from the submenu on the left side of the screen. It is directly built into the IP firewall (Snort inline).

At this time no rules can be added through the web interface, hence Snort is usable only for advanced users that can load their own rules through the command line. Functionality to manage rules from the web interface will be added in a future update.

High availability

Endian Firewall can be easily run in high availability (HA) mode. At least 2 Endian Firewall machines are required for HA mode: one assumes the role of the active master firewall while the others are standby slave firewalls.

If the master firewall fails, an election between the slaves will take place and one of them will be promoted to the new master, providing transparent failover.

Master setup

To set up such a HA configuration, first set up the firewall that is going to be the master: 1. Execute the setup wizard, filling in all needed information.

Log into the administration web interface, select Services from the menu bar at the top of the screen, then select High availability from the submenu on the left side of the screen. At this point an extra panel appears where the master-specific settings can be configured: The Management network is the special subnet to which all Endian Firewalls that are part of a HA setup must be connected either via the GREEN interface or via a dedicated physical network.

The default is Unless this subnet is already used for other purposes there is no need to change this. The Management port is the network port that connects this firewall (the master) to the slave or slaves. Next, there are some fields that you can fill in if you wish to be notified by email if a failover event takes place.

Finally, click on Save, then Apply to activate the settings. Execute the setup wizard, including the network wizard, filling in all needed information. It is not necessary to configure services etc., since this information will be synchronized from the master.

However, it is necessary to register the slave with Endian Network. At this point an extra panel appears where the slave-specific settings can be configured: Choose the management network option according to the settings on the master: either GREEN zone or a dedicated network port. Fill in the Master root password (the slave needs this to synchronize its configuration from the master).

At this point the slave cannot be reached anymore via its old IP address (factory default or previous GREEN address) since it is in standby mode. It is connected to the master only through the management network. If you log in to the master again, on the HA page you can see a list of connected slaves.

Traffic Monitoring

Select Services from the menu bar at the top of the screen, then select Traffic Monitoring from the submenu on the left side of the screen. Traffic monitoring is done by ntop and can be enabled or disabled by clicking on the main switch on this page. Once traffic monitoring is enabled a link to the monitoring administration interface appears in the lower section of the page. This administration interface is provided by ntop and includes detailed traffic statistics. The traffic can be analyzed by host, protocol, local network interface and many other types of information.

For detailed information about the ntop administration interface please have a look at About, Online Documentation on the ntop administration interface itself or visit the ntop documentation page.

This section allows setting up the rules that specify if and how IP traffic flows through your Endian Firewall. Typical use cases might be to forward port 80 on an external interface to a webserver in the DMZ or to forward port on an external interface to a SSH server on port 22 of a host in the DMZ. You need to supply the following parameters:

Protocol: the protocol: TCP, UDP, GRE (generic routing encapsulation, used by tunnels) or all.
Incoming IP: the external interface.
Port on incoming IP: which port (1 – ) to listen to on the external interface.
Destination IP: the IP of the destination host to which incoming traffic is forwarded.
Destination Port: the port on the destination host to which incoming traffic is forwarded.
Remark: a remark for you to remember the purpose of the forward rule later.
Enabled: check to enable the rule (default).
SNAT incoming: specify whether incoming traffic should appear to originate from the firewall's IP instead of the actual source IP.
Enable log: log all packets that match this rule.

Click the Add button to confirm your rule.

After making changes or additions to your rule set, do not forget to click the Apply button on the top of the screen! Once a rule is defined, you can limit access to the forwarding destination from the external RED zone.

You can do this repeatedly to add more sources. A use case for this would be to grant SSH access to the external port only to one trusted external IP from the internet. Adding Source NAT rules is similar to adding port forwarding rules.
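The following is an added example, not code from the Endian manual, that models the port-forwarding rules and the per-rule source restriction described above: a rule listens on one port of the external (RED) interface and forwards to a DMZ host, and an optional list of allowed external sources (here a single trusted IP for SSH) limits who may reach the forwarded service. All addresses and rule names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PortForward:
    """One port-forwarding rule (constructed model, not Endian's data format)."""
    protocol: str                 # "tcp", "udp", "gre" or "all"
    incoming_port: int            # port listened to on the external (RED) interface
    destination_ip: str           # host the traffic is forwarded to
    destination_port: int         # port on that host
    allowed_sources: List[str] = field(default_factory=list)  # external IPs/networks; empty = anyone
    enabled: bool = True

    def matches(self, protocol: str, dst_port: int, src_ip: str) -> bool:
        if not self.enabled:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if dst_port != self.incoming_port:
            return False
        if not self.allowed_sources:          # no source restriction configured
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(net, strict=False)
                   for net in self.allowed_sources)


def forward_target(rules: List[PortForward], protocol: str, dst_port: int,
                   src_ip: str) -> Optional[Tuple[str, int]]:
    """Return (destination_ip, destination_port) for the first enabled rule that
    accepts this packet, or None when nothing matches (the packet is dropped)."""
    for rule in rules:
        if rule.matches(protocol, dst_port, src_ip):
            return (rule.destination_ip, rule.destination_port)
    return None


# Constructed sample rule set using documentation address ranges:
RULES = [
    PortForward("tcp", 80, "192.0.2.10", 80),                       # public web server in the DMZ
    PortForward("tcp", 2222, "192.0.2.20", 22,                      # SSH, only from one trusted IP
                allowed_sources=["198.51.100.7/32"]),
    PortForward("tcp", 8080, "192.0.2.30", 8080, enabled=False),    # defined but switched off
]

if __name__ == "__main__":
    for proto, port, src in [("tcp", 80, "203.0.113.5"), ("tcp", 2222, "198.51.100.7"),
                             ("tcp", 2222, "203.0.113.5"), ("udp", 80, "203.0.113.5"),
                             ("tcp", 8080, "203.0.113.5")]:
        print(proto, port, src, "->", forward_target(RULES, proto, port, src))
```

The SSH rule shows the use case from the text: the same port is reachable from the trusted address and silently dropped for every other external source, and a disabled rule never matches regardless of its position.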

The following options are available: Source: In this field you can specify whether outgoing connections that are initiated from a network or IP address, or connections initiated by a VPN user should be Source NATed. If you choose the first Type you must then enter IP or network addresses into the textarea below (one address per line).

If you choose the second Type you can select the users you want from the multiselection field below. If you choose the first Type you must then select a zone, a VPN or an uplink from the multiselection field below. If you choose the second Type you must enter IP or network addresses into the textarea below (one address per line). If you choose the third Type you can select the users you want from the multiselection field below.

In the Service selectbox you can select pre-defined values for different protocols. If you want to specify a service yourself you must select the protocol in the Protocol selectbox and, should you want to add a port as well, enter the destination ports into the Destination port textarea (one port per line). If you choose to use source network address translation you can select the IP address that should be used.

The Auto entries will automatically choose the IP address depending on the outgoing interface. In certain cases you may want to explicitly declare that no Source NAT should be performed, e.
Enabled: Tick this checkbox if the rule should be applied.
Remark: You can enter a short note here so you can later remember the purpose of this rule.

Position: Here you can specify after which rule you want to insert this rule. To save the rule just click on the Save button.

Add a static ethernet uplink with IP

Endian Firewall comes with a preconfigured set of rules that allow outgoing traffic, i. All other services are blocked by default. Everything else is forbidden by default. You can also add your own rules by clicking on the Add a new firewall rule link at the top. Please consider that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, no matter how many matching rules might follow.

At the bottom of the page you can also find the rules that are set automatically by Endian Firewall depending on your configuration. It is possible to disable or enable the whole outgoing firewall by using the Enable Outgoing firewall toggle. When disabled, all outgoing traffic is allowed (not recommended).

Inter-Zone traffic

Select Firewall from the menu bar at the top of the screen, then select Inter-Zone traffic from the submenu on the left side of the screen.
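To make the "first matching rule decides" point concrete, here is an added example (not Endian's code) of a minimal first-match evaluator for outgoing traffic: rules are checked top to bottom, a packet matching no rule falls through to the default deny the text describes, and switching the outgoing firewall off allows everything. The zone names follow the manual; the rule sets themselves are constructed, and the two orderings of the same three rules show how moving a broad deny above a specific allow changes the verdict.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OutgoingRule:
    source_zone: str        # "GREEN", "BLUE", "ORANGE" or "any"
    protocol: str           # "tcp", "udp" or "any"
    port: Optional[int]     # destination port, None = any port
    action: str             # "ALLOW" or "DENY"


def evaluate(rules: List[OutgoingRule], zone: str, protocol: str, port: int,
             outgoing_firewall_enabled: bool = True) -> str:
    """Decide one outgoing connection. Rules are tried top to bottom and the
    first matching rule decides; a packet that matches no rule is denied,
    which is the default the manual describes for outgoing traffic."""
    if not outgoing_firewall_enabled:
        return "ALLOW"      # toggle off: everything is allowed (the manual calls this not recommended)
    for rule in rules:
        if rule.source_zone not in ("any", zone):
            continue
        if rule.protocol not in ("any", protocol):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action  # first match wins, later rules are never consulted
    return "DENY"


# Constructed rule set: specific allows first, the broad deny after them.
ORDERED = [
    OutgoingRule("GREEN", "tcp", 80, "ALLOW"),
    OutgoingRule("GREEN", "tcp", 443, "ALLOW"),
    OutgoingRule("GREEN", "any", None, "DENY"),
]
# The same three rules with the broad deny moved to the top.
MISORDERED = [ORDERED[2], ORDERED[0], ORDERED[1]]


def ordering_matters() -> bool:
    """True when the two orderings give different verdicts for the same packet."""
    return evaluate(ORDERED, "GREEN", "tcp", 80) != evaluate(MISORDERED, "GREEN", "tcp", 80)


if __name__ == "__main__":
    print("ordered  :", evaluate(ORDERED, "GREEN", "tcp", 80))
    print("misordered:", evaluate(MISORDERED, "GREEN", "tcp", 80))
    print("no rule for BLUE:", evaluate(ORDERED, "BLUE", "tcp", 80))
```

A practitioner reviewing a rule set should therefore read it top down and ask, for each rule, whether an earlier rule already shadows it; a shadowed allow is invisible in the UI but silently dead.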

This section allows you to set up rules that determine how traffic can flow between the different network zones, excluding the RED zone.

You can also add your own rules by clicking on the Add a new inter-zone firewall rule link at the top. Please see the preceding section Outgoing traffic for details about handling firewall rules. When disabled, all traffic is allowed between all zones other than the RED zone (not recommended).

Please note that VPN hosts are not subject to the outgoing traffic firewall or the Inter-Zone traffic firewall. The handling of the rules is identical to the outgoing traffic firewall.

Please refer to the Outgoing traffic section in this chapter for details about handling firewall rules.

System access

Select Firewall from the menu bar at the top of the screen, then select System access from the submenu on the left side of the screen. In this section you can set up rules that grant or deny access to the Endian Firewall itself. There is a list of preconfigured rules that cannot be changed.

This is to guarantee the proper working of the firewall, since these rules are automatically created as they are required by the services the firewall provides. Click on the Add a new system access rule link to add your own custom rules here. After making changes or additions to your rule set, do not forget to click the Apply button on the top of the list!

A proxy is a service on your Endian Firewall that can act as a gatekeeper between clients e. Clients connect to the proxy which in turn can retrieve, cache, filter and potentially block the information from the original server. Non-transparent proxies hence rely on the collaboration of the client e.

Following is a list of proxies that are available on Endian Firewall. Once the proxy is up and running, a number of controls appear. Per zone choices are:

disabled: the proxy server is not available in the given zone.
no authentication: the proxy server is available to anyone (no need to log in), but you need to configure your browser manually.
authentication required: users need to configure their browser manually and need to log in in order to use the proxy server.
transparent: the proxy server is available to anyone and no browser configuration is needed; HTTP traffic is intercepted by the proxy server.

Some browsers, including Internet Explorer and Firefox, are able to automatically detect proxy servers by using the Web Proxy Autodiscovery Protocol (WPAD).

Note: there should be at least one entry for each active zone. If you do not want to allow connections from a whole zone, then rather disable the proxy on that zone using the select boxes below the Enable HTTP Proxy toggle.

Do not forget to click the Apply button to restart the proxy for the changes to become active. Each of these types needs different configuration parameters and is described below.
User management: Click on this button if you want to manage local users.
Min password length: Here you can set the minimum password length for local users.

The following parameters are available for LDAP authentication.
Default policy: The default policy applies to all users of the proxy, whether they are authenticated or not. Policy settings include a simple user agent and MIME type filter as well as advanced time-based virus scanning and content filtering rules.
Restrict allowed clients for web access: This checkbox activates the user agent filter; it restricts web access to the selected user agents.

If the MIME type of the incoming file is set to be blocked, access will be denied. This way you can block files not corresponding to the company policy for example multimedia files. The syntax conforms to the standard defined by the IANA. You can view your own rules in the Rule list. Any rule can specify if web access is blocked or allowed, in this last case you can activate and select a filter type.

To add a new rule just click on Create a rule and the following settings can be performed:
Web access: Specify whether the rule allows web access or blocks it; also state whether it has effect all day long or at a specific time: choose the days of the week on which you want this rule to be applied and, in case the rule is not valid all day long, you can also set the time range.
Source: Here you can choose the sources from which connections will be subject to this rule.

Destination: Here you can choose the destinations to which connections will be affected by this rule.
Filter type: Choose antivirus scan only to create a rule which only scans for viruses; choose content filter only to create a rule which analyzes the content of web pages and filters it according to the settings in the Content filter section.

If you choose unrestricted no checks will be performed.
Position: Specify where to place the new rule. Larger numbers have higher priority. This means that antivirus filter and content filter work concurrently. You can then change priority, edit or delete each rule from the list of rules by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

Content filter

Firstly, in order to use the content filter, you have to use Content filter as filter type in a rule, either in Default policy or Policy profiles.

The second is based on an advanced phrase weighting system: it analyzes the text of web pages and calculates a score for each page. The last method takes advantage of a huge list of categorized URLs and domains; all URLs requested are compared with the blacklist before being served to clients.

The screen is divided into a general configuration section and a section where the specific filtering policy can be chosen.
Enable logging: Log blocked requests.
Content Selection Max.: You can tune this level: if children browse the web through Endian Firewall you should set a value of about 50, for teenagers it should be and for young adults
Content Filter: This section allows filter configuration based on phrase analysis.

You can block or allow categories of sites by clicking on the icon beside the category name. If you wish to disable this filtering technique you can mark all categories as allowed in the Content Filter section.

When whitelisting a domain always make sure to also whitelist all other domains that site needs in order to work. Do not scan the following URLs A list of URLs that will not be scanned for viruses, one per line. Last update Shows the day and time of the last virus signature update and, in parentheses, the total number of viruses recognized by ClamAV. Click on Save to save the settings of the virus scanner engine.

Group policies On this page you can create groups that can be associated with different policy profiles. You can add a group by clicking on the Create a group link and entering a group name. After clicking on the Create group button the group is saved.

The profile of the groups can be changed by selecting the appropriate policy profile and then clicking on the Save button below the group list. Groups can be deactivated, activated and removed by clicking on the respective icons as described in the legend below the list. In this section you can configure the POP3 incoming mail proxy.

Global settings On this page you can configure the global configuration settings of the POP3 proxy. You can enable or disable the POP3 proxy for every zone. It is also possible to enable the Virus scanner and the Spam filter for incoming emails.

If you want to log every outgoing POP3 connection you can enable the Firewall logs outgoing connections checkbox. Spam filter On this page you can configure how the POP3 proxy should react once it finds a spam email.

Required hits This option defines how many hits are required for a message to be considered spam. The default value is 5. Enable message digest spam detection (pyzor) If you want to detect spam using message digests you can enable this option.

Note that this might slow down your POP3 proxy. White list Here you can whitelist sender email addresses, one address per line. It is also possible to whitelist whole domains by using wildcards, e.g. Black list Here you can blacklist sender email addresses, one address per line.

It is also possible to blacklist whole domains by using wildcards, e.g. Without this proxy, connections between clients are not possible at all if both are behind NAT, since one client cannot reach the other directly and therefore no RTP connection can be established between them. Once enabled, the following options can be configured; confirm the settings by clicking Save. By default the range from to and including is used.

This allows up to 10 simultaneous calls (2 ports per call). If you need more simultaneous calls, increase the range. Log calls Check this if you want to log established calls in the SIP proxy log. Firewall logs outgoing connections This will show outgoing connections in the firewall log. Note that only connections to the standard FTP port 21 are redirected to the proxy. The following options can be configured; confirm the settings by clicking Save.

Firewall logs outgoing connections Show outgoing connections in the firewall log. Endian Firewall supports transparent FTP proxying with frox only if it is directly connected to the internet. The SMTP (simple mail transfer protocol) proxy can relay and filter email traffic as it is being sent towards email servers.

The SMTP proxy configuration is split into several subsections. Scanning of IMAP traffic is currently not supported. With the mail proxy functionality, both sorts of traffic (incoming and outgoing mail) can be scanned for viruses, spam and other threats. Mail will be blocked if necessary and notices will be sent to both the receiving user and the administrator. With the possibility to scan incoming mail, the mail proxy can accept incoming connections and pass the mail to one or more internal mail servers, removing the need to allow SMTP connections from the outside into your local networks.

Antivirus is enabled Check this box if you would like to enable antivirus. Spamcheck is enabled Check this box if you would like to filter spam emails.

File extensions are blocked Check this box if you would like to block mails that contain attached files with certain extensions. Incoming mail enabled If you have an internal mailserver and would like the SMTP proxy to forward incoming mails to your internal server you must enable this option. Firewall logs outgoing connections Tick this if you want the firewall to log all established outgoing connections. You need to configure the email domains for which the server should be responsible.

To save and apply the settings you must click on the Save changes and restart button. Three different actions can be performed when a mail that contains a virus is sent. It is also possible to configure an email address for notifications. Mode You can choose between three different modes for how infected mails should be handled. Virus quarantine Here you can specify what kind of quarantine you are using. To save and apply the settings just click on the Save changes and restart button. Spam The antispam module knows several different ways to protect you from spam mails.

In general spamassassin and amavisd-new are used to filter out spam. SpamAssassin provides several means of detecting spam. It has a score tally system where large numbers of inter-related rules fire off and total up a score to determine whether a message is spam or not.

While most simple spam mails, such as well known spam messages and mail sent by known spam hosts, are blocked, spammers always adapt their messages in order to circumvent spam filters.

Therefore it is absolutely necessary to always train the spam filter in order to reach a personalized and stronger filter (Bayes). Spam destination You can choose between three different modes for how spam emails should be handled. Spam quarantine level Mails that exceed this spam score will be moved to the quarantine. Send notification only Send notification emails only if the spam score is below this number.
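An added example (not Endian's or SpamAssassin's code) of the score tally described above and of the handling decision the antispam settings imply; the rule table, the mode names and all threshold values except the default of 5 required hits are assumptions, and both messages are constructed.

```python
"""Added example (not Endian's or SpamAssassin's code): a miniature score
tally and the decision implied by Required hits, Spam quarantine level,
Send notification only and Spam destination."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed rule table: (name, pattern, score). Real SpamAssassin ships
# thousands of rules; here each rule fires at most once per message.
RULES = [
    ("SUBJ_ALL_CAPS", re.compile(r"^Subject:\s+[A-Z0-9 !$]{10,}$", re.M), 1.5),
    ("URGENT_WORDS", re.compile(r"\b(urgent|wire transfer|act now)\b", re.I), 2.0),
    ("CLICK_HERE", re.compile(r"\bclick here\b", re.I), 1.0),
    ("MANY_EXCLAIM", re.compile(r"!{3,}"), 1.0),
    ("PRIZE_WORDS", re.compile(r"\b(free|winner|prize)\b", re.I), 1.5),
    ("BIG_MONEY", re.compile(r"\$\d{1,3}(?:,\d{3})+"), 2.0),
]


def score_message(raw: str) -> Tuple[float, List[str]]:
    """Sum the scores of every rule that fires; return (total, fired rule names)."""
    fired = [name for name, pattern, _ in RULES if pattern.search(raw)]
    total = sum(score for name, _, score in RULES if name in fired)
    return total, fired


@dataclass
class SpamSettings:
    required_hits: float = 5.0      # page default
    quarantine_level: float = 10.0  # assumed value
    notify_below: float = 15.0      # assumed value
    destination: str = "tag"        # assumed mode names: "tag" | "quarantine" | "drop"


def handle(score: float, cfg: SpamSettings) -> Tuple[str, bool]:
    """Return (action, notify) for a message with the given spam score."""
    if score < cfg.required_hits:
        return "deliver", False                      # below required hits: not spam
    if score > cfg.quarantine_level:
        action = "quarantine"                        # exceeds the quarantine level
    else:
        action = {"tag": "deliver-tagged",
                  "quarantine": "quarantine",
                  "drop": "drop"}[cfg.destination]   # the configured Spam destination
    # Notifications are sent only while the score stays below the notify limit.
    return action, score < cfg.notify_below


def process(raw: str, cfg: SpamSettings) -> Tuple[float, str, bool]:
    """Score a raw message and decide what happens to it."""
    score, _ = score_message(raw)
    action, notify = handle(score, cfg)
    return score, action, notify


# Constructed sample messages.
SPAM_MSG = """Subject: YOU ARE A WINNER!!!
From: promo@example.test

Urgent: claim your FREE prize of $1,000,000 now. Click here!!!
"""
HAM_MSG = """Subject: Minutes from Tuesday's meeting
From: alice@example.test

Hi Bob, attached are the minutes. Let me know if anything is missing.
"""
```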

It contains the following options: greylisting enabled Check this box if you want to enable greylisting. Whitelist recipient You can whitelist email addresses or whole domains in this textarea, e.g. File Extensions This allows you to block files with certain file extensions which may be attached to mails. Mails which contain such attachments will be recognized and the selected action will be performed for the respective mail. The following options can be configured: Blocked file extensions You can select one or more file extensions to be blocked.

In order to select multiple entries press the control key and click on the desired entries with your mouse. Banned files destination You can choose between three different modes for how emails that contain such attachments should be handled. Email used for notification on banned files Whenever an email with an attachment that is blocked due to its file extension is found, a notification email is sent to this address.

Block double extensions If you enable this option, files with double extensions will be blocked, since such files are usually created to harm computers (blocked double extensions are composed of any extension followed by.
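An added example (not Endian's code) of the blocked-extension and double-extension checks from this section; the set of final extensions treated as dangerous is an assumption, since the page's own list is not reproduced here, and the attachment names are constructed.

```python
"""Added example (not Endian's code): attachment filtering by blocked
extension list plus the double-extension rule."""
from typing import Iterable, List, NamedTuple, Set

# Assumed set of executable final extensions that make a double extension dangerous.
DOUBLE_EXT_TARGETS: Set[str] = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


class Verdict(NamedTuple):
    filename: str
    blocked: bool
    reason: str


def extension_parts(filename: str) -> List[str]:
    """Split 'Invoice.PDF.exe' into ['pdf', 'exe'], normalised for comparison.

    Trailing dots and spaces are dropped because Windows ignores them when it
    picks the program that opens a file; every segment is lower-cased.
    """
    name = filename.strip().rstrip(". ")
    segments = [seg.strip().lower() for seg in name.split(".")]
    # The first segment is the base name; empty segments come from '..' runs.
    return [seg for seg in segments[1:] if seg]


def check_attachment(filename: str, blocked_exts: Iterable[str],
                     block_double: bool = True) -> Verdict:
    """Apply the blocked-extension list and, optionally, the double-extension rule."""
    blocked = {e.strip().lower().lstrip(".") for e in blocked_exts}
    parts = extension_parts(filename)
    if not parts:
        return Verdict(filename, False, "no extension")
    last = parts[-1]
    if last in blocked:
        return Verdict(filename, True, f"extension .{last} is on the blocked list")
    if block_double and len(parts) >= 2 and last in DOUBLE_EXT_TARGETS:
        return Verdict(filename, True, f"double extension .{parts[-2]}.{last}")
    return Verdict(filename, False, "allowed")


def scan_message(attachments: Iterable[str], blocked_exts: Iterable[str],
                 block_double: bool = True) -> List[Verdict]:
    """Check every attachment of one mail."""
    blocked_list = list(blocked_exts)
    return [check_attachment(a, blocked_list, block_double) for a in attachments]


def message_is_banned(attachments: Iterable[str], blocked_exts: Iterable[str],
                      block_double: bool = True) -> bool:
    """True if any attachment is blocked, i.e. the banned-files action applies."""
    return any(v.blocked for v in scan_message(attachments, blocked_exts, block_double))


# Constructed sample: one mail carrying four attachments.
SAMPLE_ATTACHMENTS = ["archive.tar.gz", "report.pdf.exe", "setup.EXE", "photo.jpg "]
```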

These lists are created, managed and updated by different organisations. If a domain or a sender IP address is listed in one of the blacklists, emails from it will be refused without further notice. This saves more bandwidth than the RBL of the antispam module, since here mails are not accepted and then handled, but dismissed as soon as a listed IP address is found.

This dialogue also gives you the possibility to explicitly block (blacklist) or allow (whitelist) certain senders, recipients, IP addresses or networks. If this should happen, it may negatively impact your communication, to the effect that mail will be refused without the possibility to recover it. You also have no direct influence on the RBLs. In the RBL section you can enable the following lists: bl. It publishes the IP addresses of hosts which have sent special test emails to listme listme.

The main delivery method of spammers is the abuse of non-secure servers. For that reason many people want to know which servers are non-secure so they can refuse email from these servers.

DSBL provides exactly that information www. The following textareas can be filled out in this section: sender whitelist Mails from these addresses or domains will always be accepted.
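The RBL lookup and the sender-whitelist precedence described in this section, as an added example (not Endian's code); the zone names, whitelist entries and the stand-in resolver are constructed so it runs offline.

```python
"""Added example (not Endian's code): an SMTP-time RBL refusal.

An RBL (DNS blacklist) is consulted by reversing the octets of the connecting
client's IPv4 address and looking that name up under the list's zone; an
answer in 127.0.0.0/8 means "listed".  The proxy then refuses the client
before the message is accepted, which is why this costs less bandwidth than
accept-then-filter.  A sender on the whitelist is never refused this way.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed zone names; the page's own list is truncated and not copied.
RBL_ZONES: List[str] = ["rbl-one.example.test", "rbl-two.example.test"]

# Addresses that must never be sent to a public RBL (internal and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed stand-in for DNS: query name -> answer. A deployment performs a
# real lookup here; 127.0.0.2 is the conventional "listed" answer.
FAKE_DNS = {"25.2.0.192.rbl-two.example.test": "127.0.0.2"}  # 192.0.2.25 is listed


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def rbl_query_name(client_ip: str, zone: str) -> Optional[str]:
    """Build the name to query, or None if this address must not be checked."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4 or any(addr in net for net in INTERNAL_NETS):
        return None
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def rbl_hit(client_ip: str, zones: Iterable[str],
            resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first zone that lists the client, or None if no zone does."""
    for zone in zones:
        name = rbl_query_name(client_ip, zone)
        if name is None:
            return None
        answer = resolve(name)
        if answer and answer.startswith("127."):
            return zone
    return None


def sender_whitelisted(mail_from: str, whitelist: Iterable[str]) -> bool:
    """Whitelist entries are full addresses or bare domains, as on the page."""
    sender = mail_from.strip().lower()
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    for entry in whitelist:
        entry = entry.strip().lower()
        if entry and entry in (sender, domain):
            return True
    return False


def smtp_decision(client_ip: str, mail_from: str, whitelist: Iterable[str],
                  zones: Iterable[str] = RBL_ZONES,
                  resolve: Callable[[str], Optional[str]] = fake_resolve) -> Tuple[int, str]:
    """Reply for the MAIL FROM stage: 250 to proceed, 554 to refuse the client."""
    if sender_whitelisted(mail_from, whitelist):
        return 250, "OK (sender whitelisted)"
    zone = rbl_hit(client_ip, zones, resolve)
    if zone is not None:
        return 554, f"Service unavailable; client {client_ip} blocked using {zone}"
    return 250, "OK"
```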

It is possible to specify multiple mail servers behind Endian Firewall for different domains. It is also easily possible to use Endian Firewall as a backup MX.

Domain The domain this mailserver is responsible for. Internal mailserver The address of the mailserver. To add a domain click the Add button.

To apply the changes the SMTP proxy has to be restarted by clicking on the Save changes and restart button. Existing entries can be edited and deleted by clicking on the respective icon as described in the legend at the bottom of the page. This option will be applied to all emails that are sent to the specified recipient address or are sent from the specified sender address.

Mail address Here you specify the mail address of the recipient or sender depending on what you have chosen above. BCC address The mail address where you want to send the copy of the emails. The mail route is saved by clicking on the Add mail route button.

Existing entries can be changed or deleted by clicking on the respective icons, which are explained in the legend at the bottom of the page. Warning Neither the sender nor the recipient will be notified of the copy. Do not abuse this feature.

In the Smarthost section the following options can be configured: Smarthost enabled for delivery Check this box if you want to use a smarthost to deliver emails.

Address of smarthost Here you can enter the address of the smarthost. Authentication required Check this box if the smarthost requires authentication. Username This username is used for authentication. Password This password is used for authentication. Authentication method Here you can choose the authentication methods that are supported by your smarthost.

The settings are saved and applied by clicking on the Save changes and restart button. More and more mail servers check whether your IP address is listed as a dynamic IP address and might therefore refuse your emails. Hence it could be necessary to use a smarthost for sending emails. The smarthost accepts your emails and relays them for you. The following settings can be configured: Authentication enabled Check this box if you want to enable IMAP authentication.

Number of authentication daemons This setting defines how many concurrent logins should be possible through your Endian Firewall. In the Advanced settings additional parameters can be defined. Specify a hostname or IP address.

Always BCC address Optionally you can enter an email address here that will receive a blind carbon copy of each message that goes through the SMTP proxy. Language email templates The language in which error messages should be sent. In this section you can change the settings for the DNS proxy.

It is divided into three subpages. You can also define for which source addresses the proxy will be bypassed in the lower left textarea.

In the lower right textarea you can enter destinations for which the proxy is bypassed. In this textarea IP addresses and addresses of subnets can be entered. To save the settings you must click on the Save button.

You can add a new custom nameserver by clicking on the Add new custom name server for a domain link. To change an existing entry you have to click on the pencil icon in its row. Clicking on a trash can icon will delete the custom nameserver in that row. The following details can be saved for custom nameservers: Domain The domain for which you want to use the custom nameserver.

Remark An additional comment you might want to save. Anti-spyware On this page you can configure how your Endian Firewall should react if a domain name has to be resolved that is known to be used by spyware. The options that can be set are: Enabled If enabled these requests will be redirected to localhost. Redirect requests to spyware listening post If this is enabled the requests will be redirected to the spyware listening post instead of localhost.

Possible values are Hourly, Daily, Weekly and Monthly. By moving the mouse cursor over the respective question mark you can see when exactly the updates will be performed. The settings are saved and applied by clicking on the Save button. Virtual private networks (VPNs) allow networks to connect directly to each other over potentially unsafe networks such as the internet. All network traffic through the VPN connection is transmitted securely, inside an encrypted tunnel, hidden from prying eyes.

Unfortunately, the tools needed to set up IPsec vary greatly among different systems, may be complicated to use or may have interoperability issues.

The first time the service is started a new self-signed certificate for this OpenVPN server is generated. Click on the Download CA certificate link to download it. You will need it later when setting up the clients. The following panel shows a list of currently connected clients, once OpenVPN is up and running. It is possible to kill and ban connections. The difference between killing and banning is that banned users are not able to reconnect after their connection has been killed.

Click on Add account to add an account. Click the Save button to save the account settings. If you are planning to have two or more branch offices connected through a Gateway-to-Gateway VPN it is good advice to choose different subnets for the LANs in the different branches. This way, correct routes will be assigned fully automatically and you do not have to deal with pushing custom routes. Advanced Use this panel to change advanced settings. Among other things, certificate-based authentication (as opposed to password-based) can be set up in this section.

It is a good idea to keep these values as they are; if you need to make OpenVPN accessible via other ports (possibly more than one), you can use port forwarding (see Firewall, Port Forwarding). Push these networks if enabled, the routes to the specified networks are pushed to the connected clients Push these nameservers if enabled, the specified nameservers are pushed to the connected clients Push domain if enabled, the specified search domains are pushed to the connected clients All addresses and network addresses must be given in CIDR notation such as If you want to use this method, you do not have to change the settings here.

The Download CA certificate link lets you download the certificate for this OpenVPN server as it is needed by the clients this is the public certificate, which is used to verify the authenticity of the server. If you would rather use a X. It is assumed and required that you use an independent certificate authority CA for this purpose. It is neither possible nor desired to host such a certificate authority on Endian Firewall. You need to generate and sign certificates for the server and for every client using your certificate authority.

The client certificates need to have the common name fields equal to their OpenVPN user names. Watch out: if you use certificate-only authentication a client that has a valid certificate can connect even if there is no corresponding OpenVPN user account! You can also upload a revocation list, in case you lost a client certificate and hence have revoked it on your CA.

If the connection to the main server fails, a fallback server will take over. Doing so will prevent incoming connection requests to your clients. Fill in the HTTP proxy account information in these text fields: proxy host such as proxy.

You can even use a forged user agent string if you want to camouflage your Endian Firewall as a regular web browser. Click the Save button to save the tunnel settings. Therefore IPsec must be implemented in the IP stack, which is part of the kernel. Because of its design some situations are even impossible to handle, whereas they work well with OpenVPN, especially if you have to cope with NAT.

However, Endian Firewall implements an easy to use administration interface that supports different authentication methods. We strongly encourage you to use IPsec only if you need to for interoperability purposes. In the Global settings section you can set the main parameters for your IPsec configuration. Enabled By ticking this checkbox you enable IPsec. Override default MTU If you want to override the default maximum transmission unit you can specify the new value here.

Usually this is not needed. In the Connection status and control section you can see a list of accounts and their connection status. By clicking on the icons in the Actions column you can perform various actions as described in the icon legend below the list.

You can add a connection by clicking on the Add button. Submit your choice by clicking on the Add button. On the next page you can specify the details for this connection you will also see this page when editing an existing connection. You can configure the network parameters in the first section of the page: Name the name of this connection Enabled if checked, this connection is enabled Interface this is only available for host-to-net connections and specifies to which interface the host is connecting Local subnet the local subnet in CIDR notation, e.

Use a pre-shared key Enter a pass phrase to be used to authenticate the other side of the tunnel. This partial X. If the file is secured by a password PKCS12 file password you must also enter the password in the text field below the file selection field. Generate a certificate You can also create a new X. In this case, complete the required fields. Optional fields are indicated by red dots. If you have chosen to edit the advanced settings of this connection, a new page will open after you hit the Save button.

In this page you can set Advanced connection settings. IKE integrity Here you can specify which algorithms should be supported to check the integrity of packets. ESP integrity Here you can specify which algorithms should be supported to check the integrity of packets. You are encouraged NOT to do so. Perfect Forward Secrecy If this box is checked perfect forward secrecy is enabled. Negotiate payload compression Check this box if you want to use payload compression.

To upload a new certificate you have to provide a name in the CA name field. Then click on browse and select the certificate file before clicking the Upload CA certificate button. You will see a new page where you can enter the required information. If you already created certificates and want to create new certificates you must click on the Reset button. Please note that by doing this not only the certificates but also certificate based connections will be erased.

If you want to generate new root and host certificates some information has to be entered. The fields are described below: Organization name The organization name you want to use in the certificate.

Your email address Here you can enter your email address. Your department Here you can enter a department name. City Here you can enter the name of your town or your city. State or province Here you can enter the name of the state or province you are living in. Country Choose your country here. Subject alt name Here you can specify an alternative hostname for identification.

If you already created certificates somewhere else earlier you can upload a PKCS12 file in the lower section of the page instead of generating new certificates. PKCS12 file password If the file is password protected you must enter the password here. Endian Hotspot is a powerful hotspot that can be used for wireless connections as well as for wired LAN connections. Therefore the hotspot does not work if the BLUE zone is disabled. The hotspot can be enabled or disabled by clicking on the main switch on this page.

If the hotspot is enabled a link to its administration interface is shown. Clicking on the link opens a new browser window with the hotspot administration interface.

Although this interface shares its design with the firewall, it contains a whole new menu structure. Statistics can be viewed as well as current and previous connections. Accounts On this page it is possible to administer user accounts. By default a list of available accounts is shown.

It is also possible to reverse the sort order by checking Reverse Order and to Hide disabled accounts as well as to search for accounts. Pagination is also available if the number of results exceeds the number of results per page that has been defined in Hotspot, Settings.

Every user can be edited by clicking on the Edit link in his row (for details see Hotspot, Accounts, Add new account).

Tickets can be added to accounts by clicking on the Add ticket link. It is also possible to view the balance and the connection log of an account by clicking on the Balance and Connections links respectively. Add a new account On this page you can create a new account or an existing account can be modified. The information is split into two parts: Login information and Account information.

To create an account you can fill the following fields: Login information Username In this field you have to enter the username. Password In this field you can enter the password for the new account.

If you do not have the time to think of an adequate password just leave this field empty and the password will be autogenerated. Valid until The date until the account will be valid. If you want to change it you can either enter the new date manually or click on the This checkbox specifies if the account is enabled or not.

If this is ticked the account is active. If you want to disable a user, untick this checkbox. Otherwise English should be a good choice. Static IP address If you want this account to always use the same IP address you can tick this checkbox and enter the IP address you want. Country The country the user comes from. City The city or town the user comes from.

Street The street in which the user lives. City of birth The city or town in which the user was born. Document Type The type of document that has been used to identify the user.

Document issued by The issuer of the document, e.g. City of New York. Description Additional description for the account. The account information is stored by clicking on the Save button below the form.

When editing an existing user it is also possible to print the user information by clicking on the Print button. On the right side of the screen you will notice the Tickets section. If you want to add a new ticket to the user just select the appropriate ticket-type and hit the Add button. Below you will notice a list of all tickets for this user with the following information: Ticket Type The type of the ticket Creation date The date on which the ticket has been created Action If the ticket has not yet been used you will be able to Delete it here by clicking on the appropriate link.

The only difference is that for this type of accounts username and password are not needed. By clicking on the Browse.. After you have selected the file you can specify whether the first line of the CSV file contains the column titles by ticking or not ticking the checkbox.

You should also add a Delimiter in the appropriate field. Usually a delimiter is either a semicolon (;) or a comma (,). If you do not specify a delimiter the system will automatically try to figure out which character has been used as the delimiter. The download is a CSV file that contains all the account data and can later be re-imported from the Hotspot, Accounts, Import Accounts page. Quick Ticket On this page you can create a new user account with a ticket of your choice already assigned.

The username and password are automatically generated. All you have to do is click on the ticket rate you wish to use and the user will be created.

The Username, Password and Rate are then displayed on the screen. It is also possible to print this information by clicking on the Print information button. Ticket rates Endian Firewall gives you the possibility to specify more than one ticket rate. You can even specify whether you want a rate to be post-paid or pre-paid. It is also possible to create different rates for both types. This is useful if you want to sell different pre-paid types, e.

When opening the page a list with all defined ticket rates is shown. In this list you can see the different ticket rates, the following are the columns: Name The name you gave to the ticket rate.

Code This is the ASA code for your ticket rate. Although this can be used only for the ASA hotel management system the field is mandatory.

Hourly Price This is the hourly price you have specified. Actions Here you can choose to Edit or Delete a ticket rate by clicking on the respective link. When editing or adding a ticket rate the Rate Name, Rate Code (ASA), Unit minutes (the duration of one unit of this rate in minutes) and the Hourly price of this unit have to be specified. To save the ticket rate click on the Save button.

The price per unit is calculated from unit minutes and the hourly price. Statistics On this page you can see statistics about the hotspot usage and accounting information. Filter Period This is the standard view. It shows a list of accounts and the following data for each account: Username The username or MAC address of the account.

Amount used The amount of money that has been used by this account. Paid The money that this user has already paid. Duration The duration that this user has been connected to the hotspot. Traffic The traffic that has been created by this account. At the bottom of the page a summary over all accounts is shown. At the top of the page it is possible to enter a start and an end date.

By entering these dates into the From and To fields and clicking the Filter button the page will be reloaded with statistics between these two dates only.

If a user pays, it is enough to enter the amount of money he paid into the Amount field and click on the Bill button. The Amount to pay column shows the amount of money for each account that has not been paid yet.

Active Connections On this page you can see all currently active connections on the hotspot. The list contains the following columns: Username The username of the connected account. Description The description of the connected account. Authenticated Shows whether the connection is authenticated or not.

Duration The amount of time since this connection has been established. IDLE Time The amount of time that the account has been connected without packets from this account passing through the hotspot. Action Every active connection can be closed by clicking on the Close link in this column. Connection Log On this page it is possible to see and filter previous connections. Like in the Hotspot, Active Connections page the list contains various columns.

The columns are: Username The username of the connection. Connection Start The start time of the connection. Connection Stop The end time of the connection. Download The amount of data that has been downloaded during this connection. Upload The amount of data that has been uploaded during this connection. Duration The duration of the connection.

The list can be sorted by any of these columns by selecting the respective entry from the Sort by select box. The sort order can be reversed by ticking the Reverse Order checkbox. It is also possible to filter connections by entering a Start Date or an End Date in the respective fields and then clicking on the Filter button. If more results than specified in Hotspot, Settings are found, pagination is enabled and you can browse through the pages by clicking on the First, Previous, Next and Last links above the list.

The download is in CSV format and contains all relevant information. The page contains two subpages for System settings and settings regarding the different Languages.

System This page consists of two subsections. The first subsection is called Global Settings. This subsection lets you define default values for connections as well as for the administration interface. Homepage after successful login This lets you specify which page to open after a user has logged in successfully. Currency Here you can specify the symbol of your currency. Logout user on Idle-Timeout In this dropdown you can select after how many minutes an inactive user will be logged out.

Default account Here you can enter the number of days an account will be valid by default. If these fields are left empty no limit is applied. If you want to integrate the hotspot of Endian Firewall into an already existing system of yours, you can set the parameters here.

The other options depend on the selection you made here. The API is enabled if this checkbox is ticked. The hotspot will send accounting information to this URL. If you do not want the hotspot to handle accounting you can leave this field empty. Two new textfields will appear where you can enter the Username and Password respectively. ASA jHotel interface enabled By ticking this checkbox you can enable the ASA jHotel interface.

If hotel guests should be able to register themselves, the registration checkbox has to be ticked. Registration default rate In this selectbox you can select the default rate that will be applied to new accounts.

Finally the options can be saved by clicking on the Save button. Languages On this page all language-dependent options can be set.