
The Network Panel

The Network panel lets you configure the appliance to function on the network where it is installed.


IP Addresses Tab

Path: Network > IP addresses

Figure 83
IP Addresses Tab

The IP Addresses tab displays the network adapters, which are the physical connectors into the appliance, and the IP addresses associated with each adapter. The list reflects the current appliance hardware configuration.

Using the buttons to the right of the list, you can associate IP addresses with adapters and change IP address information. Each adapter can have multiple subnets associated with it, and each subnet will have one or more IP addresses associated with it. You can either define individual IP addresses and masks, or you can add a subnet address and mask and then add multiple IP addresses from that subnet range.

The IP address and the mask define a subnet. You cannot use the first or last address in any given subnet. You cannot create a subnet that collides with another subnet. You cannot create a subnet that spans multiple adapters.
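The subnet rules above can be checked before the values are typed into the appliance. The following Python sketch is an added example, not part of the appliance or its documentation; the plan format, the function name check_plan, and the sample addresses are constructed for illustration, and the mask set is generated to match the /1 through /31 masks listed on this page.

```python
import ipaddress

# The 31 masks the page lists as valid: /1 through /31.
VALID_MASKS = {str(ipaddress.IPv4Network(f"0.0.0.0/{n}").netmask) for n in range(1, 32)}

def check_plan(plan):
    """Return (rule, adapter, detail) tuples for every page rule the plan breaks.

    plan is a list of (adapter, subnet_address, mask, [ip, ...]) entries
    (a hypothetical format chosen for this example).
    """
    problems, accepted = [], []
    for adapter, subnet, mask, addresses in plan:
        if mask not in VALID_MASKS:
            problems.append(("bad_mask", adapter, mask))
            continue
        net = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
        # A subnet may not overlap one already defined, on this or any other adapter.
        clash = next(((a, n) for a, n in accepted if net.overlaps(n)), None)
        if clash:
            rule = "collision" if clash[0] == adapter else "spans_adapters"
            problems.append((rule, adapter, f"{net} vs {clash[1]} on {clash[0]}"))
            continue
        accepted.append((adapter, net))
        for text in addresses:
            ip = ipaddress.IPv4Address(text)
            if ip not in net:
                problems.append(("outside_subnet", adapter, text))
            elif ip in (net.network_address, net.broadcast_address):
                # First and last address of a subnet are not usable.
                problems.append(("first_or_last", adapter, text))
    return problems

# Constructed sample plan; adapters and addresses are illustrative only.
SAMPLE_PLAN = [
    ("eth0", "10.0.0.0", "255.255.255.0", ["10.0.0.1", "10.0.0.255"]),
    ("eth0", "10.0.0.128", "255.255.255.128", ["10.0.0.130"]),
    ("eth1", "130.0.0.0", "255.255.0.0", ["130.0.0.0", "130.0.1.1"]),
    ("eth1", "10.0.0.0", "255.255.0.0", ["10.0.5.1"]),
    ("eth1", "192.168.1.0", "255.255.255.255", ["192.168.1.1"]),
]

if __name__ == "__main__":
    for rule, adapter, detail in check_plan(SAMPLE_PLAN):
        print(f"{adapter}: {rule}: {detail}")
```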

The following are valid appliance subnet masks (representing /1 through /31 in common router notation):

128.0.0.0

192.0.0.0

224.0.0.0

240.0.0.0

248.0.0.0

252.0.0.0

254.0.0.0

255.0.0.0

255.128.0.0

255.192.0.0

255.224.0.0

255.240.0.0

255.248.0.0

255.252.0.0

255.254.0.0

255.255.0.0

255.255.128.0

255.255.192.0

255.255.224.0

255.255.240.0

255.255.248.0

255.255.252.0

255.255.254.0

255.255.255.0

255.255.255.128

255.255.255.192

255.255.255.224

255.255.255.240

255.255.255.248

255.255.255.252

255.255.255.254


TCP Options Dialog Box

Path: Network > IP Addresses > TCP Options

Figure 84
TCP Options Dialog Box

The parameters displayed in the TCP Options dialog box are standard TCP configuration settings. For more information on adjusting these parameters, see one of the TCP/IP references available at any bookstore carrying computer reference manuals.

Connection Timeout: The number of seconds the proxy server attempts to establish a connection before timing out because the other side has not responded. You might want to increase this value if you notice that the remote server is reachable (the ping succeeds) but the load is heavy.

Keep Alive Interval: The number of minutes a connection is idle before the proxy server queries to check if the other server is still responding.

Data Read Timeout: The number of seconds the proxy server waits for expected data to begin arriving before it times out. You might want to increase this value if you notice that the browser receives incomplete data or the connection is disconnected in the middle of data transfer.

Idle Server Timeout: The number of minutes the proxy server keeps the TCP connection between the browser and the proxy server active, even if there is no data flow.

Idle Client Timeout: The number of seconds the proxy server keeps the connection to the origin Web server or another proxy server active, even if there is no data flow.

Reset: Resets the TCP configuration settings to the default values.


Adapter Options Dialog Box

Path: Network > IP Addresses > Adapter Options

Figure 85
Adapter Options Dialog Box

The Adapter Options dialog box lets you change settings for the network adapters on the appliance to ensure compatibility with an existing LAN. Modify the default settings only if your LAN requires specialized adapter card changes.

Speed: Options include Default, 10 M, and 100 M.

Duplex: Options include Default, Half, and Full.

IMPORTANT:  Some network adapter drivers do not detect duplex settings correctly. This is a general industry problem with Fast Ethernet technology.

If your appliance isn't performing as expected, check to ensure that the duplex settings for its network adapters match your network configuration. It might be necessary to manually configure the duplex settings on both your appliance and your Ethernet switch or hub.

NAT: Options include Dynamic and Disabled.

If the appliance is serving as a router, and your network employs non-unique private IP addresses, you can configure the appliance to provide Network Address Translation (NAT) services.

For example, if you have a 10.0.0.0 private network on eth0 and a registered public network such as 130.0.0.0 on eth1, the clients on the private network can access the Internet through the appliance, provided that the Dynamic option has been selected in the NAT drop-down list for the eth1 adapter.

The appliance then functions as a network address translator and dynamically maps the private, non-routable 10-net addresses to the registered public address assigned to eth1.

IMPORTANT:  You cannot configure a transparent proxy service on an IP address assigned to a card that has the Dynamic option set for NAT. NAT and transparent proxy cannot coexist on the same card.


DNS Tab

Path: Network > DNS

Figure 86
DNS Tab

The DNS tab lets you configure the domain name service that the appliance will use, including setting a domain name for domain-relative address resolution.

DNS servers are searched in the order listed.

You must specify a domain name for the appliance to use relative domain names.

Domain: Specify the domain of your appliance. Valid ranges include all valid domain names.

DNS Server IP Addresses: Specify the IP addresses of the DNS servers you are using. You can enter up to three.

Appliance Domain Name or Alias: (Optional) Specify a unique domain name or alias for the appliance. This name is used in the Via headers that track packet routes across the network.

Enable DNS Proxy: Because of a potential security risk through the DNS port, the DNS proxy is disabled by default. You can enable the DNS proxy by checking this box.

Advanced DNS Options: See Advanced DNS Options Dialog Box.

DHCP Server IP Addresses: Specify a list of DHCP servers to which the appliance will forward client DHCP requests.

This is critical if DHCP clients cannot directly access their designated DHCP servers. The appliance forwards the DHCP requests from the clients to the servers and forwards the replies back to clients. The appliance does not have to be enabled as a router to forward DHCP requests. However, the DHCP Server IP list must be filled in.


Advanced DNS Options Dialog Box

Path: Network > DNS > Advanced Options

Figure 87
Advanced DNS Options Dialog Box

The parameters displayed in the DNS Advanced Options dialog box are standard DNS configuration settings. For more information on adjusting these parameters, see one of the TCP/IP references available at any bookstore carrying computer reference manuals.

Negative Lookup: How long a domain name that failed DNS lookup remains in the proxy server cache. If the proxy server cannot resolve a domain name, it stores that information in its cache for the specified amount of time. If the proxy server receives requests for that domain name within this period, it sends a "Bad Gateway" error message to the browser and does not resolve the domain name again. Valid field values include 0 - 3600 seconds.

Minimum Entry Time to Live: The minimum amount of time that DNS entries remain in cache before they expire. This is the minimum value the appliance uses regardless of the value returned by the DNS name server. Valid field values include 0 - 3600 seconds.

Maximum Entry Time to Live: The maximum amount of time that DNS entries remain in cache before they expire. This is the maximum value the appliance uses regardless of the value returned by the DNS name server. Valid field values include 0 - 744 hours.

Maximum Entry Threshold: The maximum number of DNS cache entries. When this number is reached, the proxy server deletes old entries to make room for newer ones. The default is 5000. Valid field values include 2000 - 100000.

DNS Transport Protocol: The transport protocol DNS uses on the network where the appliance is installed.

Monitor DNS Server: The appliance normally monitors DNS server availability by pinging the configured servers every minute. This ensures timely handling of DNS requests. You should uncheck this item if the appliance accesses DNS through a connection that should not be kept continually open, such as a dial-up phone line or ISDN connection. Keep in mind, however, that unchecking the option will cause the DNS configuration on the Health Status Tab to fail.


Gateway/Firewall Tab

Path: Network > Gateway/Firewall

Figure 88
Gateway/Firewall Tab

The Gateway/Firewall tab lets you set up both default gateways and additional gateways for specific routing to hosts or networks. It also lets you specify RIP and SOCKS information for firewalls.

In order for the appliance to function, you must specify a default gateway (router) whether the appliance is originating packets that need to be routed (from proxy requests or scheduled downloads) or is serving as a router for packets that need to be routed externally.

Default Gateway IP Address: You must have at least one gateway defined for the appliance to function. This is the IP address of the gateway or router being used by the appliance.

Additional Gateways: The appliance uses these only if the Act As Router option is checked. See Additional Gateways Dialog Box.

Enable RIP: Allows you to turn on Routing Information Protocol 1. Through this protocol, the appliance is able to learn routes.

The appliance can also work in a network that uses RIP 2, but you must manually add static routes using the Routes Dialog Box.

Show Routes: See Routes Dialog Box.

Reset Learned Routes: Throws away all information acquired through RIP. RIP must be turned on for this to have any effect.

Act As Router: Check this box if the appliance will function as the default gateway for clients on the network. If you check this option, you can specify additional gateways.

Enable Gateway Monitoring: The appliance normally monitors gateway availability by pinging the configured gateways every minute. You should uncheck this item if the appliance accesses its gateways through a connection that should not be kept continually open, such as a dial-up phone line or ISDN connection. Keep in mind, however, that unchecking the option will cause the gateway configuration on the Health Status Tab to fail.

Enable SOCKS Client: SOCKS is a firewall communication protocol. If there is a firewall preventing the appliance from communicating directly, you can specify information for SOCKS4 or SOCKS5 servers.

Server IP Address: The address of the SOCKS server you want to use.

Server Port: The port number for SOCKS traffic on the network.

SOCKS V4: Enables the SOCKS4 protocol.

Username: Specify a username if the SOCKS4 server requires one for communication.

SOCKS V5: Enables the SOCKS5 protocol. The appliance currently supports only NULL and Username/Password authentications.

No Authentication: If you use SOCKS5 without verification (no username or password is required), this box must be checked.

Username/Password Authentication: Enables the entry of a SOCKS5 username and password if your SOCKS server requires authentication.

Username: Enter your SOCKS username.

Password: Enter your SOCKS password.

SOCKS Bypass Web Server List: If the SOCKS client is enabled, all HTTP and FTP server traffic is redirected to the SOCKS firewall. However, requests to origin servers on an intranet within the firewall should not be routed through the SOCKS server. Requests to servers whose IP addresses are inserted into this list will not be sent to the SOCKS server.


Additional Gateways Dialog Box

Path: Network > Gateway/Firewall > Additional Gateways

Figure 89
Additional Gateways Dialog Box

This dialog box lets you specify additional gateways. The appliance routes requests to specific destinations through these gateways. If a request could be routed through multiple gateways, the appliance chooses the gateway associated with the most restrictive mask (the smallest range of destination addresses). The default gateway is used only when no other routes apply.

IMPORTANT:  The appliance uses additional gateways only when the Act As Router option is checked on the Gateway/Firewall tab.

Gateways fall within the following three basic groups:

IMPORTANT:  If the appliance is acting as a router and you don't specify a default gateway, the appliance routes only those requests whose destination addresses are covered by a host or network gateway. Other requests are not routed.

The appliance uses Metric field values to alter the normal gateway use logic depending on a relative cost factor for using the gateway. The default field value is 1. A higher number indicates a higher cost associated with the gateway being referenced. This lets you configure the appliance in such a way that more expensive gateways are not used unless the default or less specific gateway is unavailable.

The appliance determines masking information when you enter the host or network information.

Default Gateway: The default gateway entered on the gateway panel. You can add a metric and specify whether the gateway is active or passive.

Host Gateways: You can define one or more gateways to be used for packets being sent to specific hosts:

Network Gateways: You can define one or more gateways to be used for packets being sent to specific subnets.
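The gateway selection described in this section can be modeled in a few lines. The following Python sketch is an added example, not the appliance's own code. It assumes one reading of the Metric description: cheaper gateways are tried first, and among gateways of equal cost the most restrictive mask wins. The Gateway class, the up flag, and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Gateway:
    destination: str   # host (/32), network, or "0.0.0.0/0" for the default gateway
    next_hop: str
    metric: int = 1    # page default; a higher number means a higher cost
    up: bool = True    # assumed to reflect gateway availability

def pick_gateway(dest_ip, gateways):
    """Return the next hop for dest_ip, or None if the request is not routed."""
    ip = ipaddress.IPv4Address(dest_ip)
    matching = []
    for gw in gateways:
        net = ipaddress.IPv4Network(gw.destination)
        if gw.up and ip in net:
            matching.append((gw.metric, -net.prefixlen, gw))
    if not matching:
        # No default gateway and no host or network gateway covers the address.
        return None
    # Assumed ordering: lowest cost first, then the most restrictive mask.
    # The default gateway has prefix length 0, so at equal cost it is chosen last.
    matching.sort(key=lambda m: (m[0], m[1]))
    return matching[0][2].next_hop

# Constructed sample table; all addresses are illustrative only.
SAMPLE_GATEWAYS = [
    Gateway("0.0.0.0/0", "130.0.0.1"),                 # default gateway
    Gateway("10.20.0.0/16", "10.0.0.254"),             # network gateway
    Gateway("10.20.30.40/32", "10.0.0.253"),           # host gateway
    Gateway("172.16.0.0/12", "10.0.0.252", metric=5),  # expensive network gateway
]

if __name__ == "__main__":
    for dest in ("10.20.30.40", "10.20.1.1", "198.51.100.7", "172.16.5.5"):
        print(dest, "->", pick_gateway(dest, SAMPLE_GATEWAYS))
```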


Routes Dialog Box

Path: Network > Gateway/Firewall > Show Routes

Figure 90
Routes Dialog Box

This dialog box is useful for viewing and troubleshooting the routes the appliance is using. The list contains an entry for each defined gateway, each IP address assigned to an appliance network adapter, and routes discovered through RIP if the Enable RIP box is checked. Clicking Reset Learned Routes clears RIP entries from the list.

Destination: The default route is named and listed first. For other routes, the subnet address is shown.

Next Hop: This is the IP address of appliance network adapters, or the gateway address for all routes that are external to the appliance.

Type: Appliance network adapter routes are direct. All others are remote.

Cost: This is either the metric value you assigned to manually configured additional gateways (including the default gateway), or it is a relative cost factor assigned by the RIP function if the Enable RIP box is checked.


