Configuring a Hub-and-Spoke VPN Using the NETGEAR VPN Client
Page 1
... configuration, there is the NETGEAR VPN client. Procedure: This procedure was developed and tested using: • NETGEAR FVX538 ProSafe VPN Firewall with the FVX538 router, firmware version 2.x, and NETGEAR ProSafe® VPN client, version 10.7.2 (Build 12). This application note describes how to configure a Hub-and-Spoke VPN when one of the spokes is a gateway-to-gateway VPN tunnel between FVX538 #1 and...
SRX5308 Product Datasheet
Page 1
ProSafe® Quad WAN Gigabit SSL VPN Firewall SRX5308 Data Sheet. Ultra High Performance Business-class Firewall Security. The flagship model of ... load balancing as well as failover protection to ensure maximum throughput and reliable connectivity ... denial-of-service (DoS) protection, stateful packet inspection (SPI), URL keyword filtering, configurable hardware... Use Reliable NETGEAR Hardware. 24/7 Technical Support* 1-888-NETGEAR (638-4327), Email: info@NETGEAR.com
SRX5308 Product Datasheet
Page 2
ALL RIGHTS RESERVED © 2004 NETGEAR, Inc. ProSafe® Quad WAN Gigabit SSL VPN Firewall SRX5308. [Network diagram: SRX5308 ProSafe Quad WAN Gigabit SSL VPN Firewall connected through broadband modems to the Internet; GSM7224-200 ProSafe 24-port Gigabit Managed Switch; STM300 ProSecure Web and Email Security Appliance; PC with GA311 10/100/1000 Mbps Gigabit Ethernet PCI Adapter; remote access via kiosk or laptop with SSL VPN, and PDA. Legend: Gigabit Ethernet, Fast Ethernet. Document 270-10263-01.] TECHNICAL SPECIFICATIONS...
SRX5308 Reference Manual
Page 5
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. Chapter 4, Firewall Protection: About Firewall Protection 4-1; Administrator Tips 4-2; Using Rules to Block or Allow Specific Kinds of Traffic 4-2; Services-Based Rules 4-3; Order of Precedence for Rules 4-10; Setting LAN WAN Rules 4-11; Setting DMZ WAN Rules 4-14; Setting LAN DMZ Rules 4-18; Inbound Rules Examples 4-21; Outbound Rules Example 4-25; Configuring Other Firewall ... Specific Traffic 4-40; Content Filtering (Blocking Internet Sites) 4-41; Understanding the VPN Firewall's Content Filtering 4-41; Enabling and Configuring ...
SRX5308 Reference Manual
Page 16
... port number of ports. • DMZ port. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. A Powerful, True Firewall with Content Filtering: Unlike simple NAT routers, the SRX5308 is a true firewall, using stateful packet inspection (SPI) to ... the SRX5308 allows you to direct incoming traffic to one PC on the LAN ... access objectionable Internet sites. • Schedule policies. You can configure the...
SRX5308 Reference Manual
Page 91
... Firewall Protection. This chapter describes how to use the firewall features of the VPN firewall to protect your network from attacks and intrusions. For information about how to set up LAN groups, see "Managing Groups and Hosts (LAN Groups)" on page 3-14. This chapter contains the following sections: • "About Firewall ... Sites)" on page 4-41 • "Enabling Source MAC Filtering" on page 4-44 • "Setting Up IP/MAC Bindings" on page 4-46 • "Configuring Port Triggering" on page 4-48 • "Configuring Universal Plug and Play" on page 4-51. About Firewall Protection: A firewall...
SRX5308 Reference Manual
Page 92
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. Administrator Tips: Consider the following operational items: 1. ... manage distant sites from the LAN side. ... Although ... using the following features and capabilities of the VPN firewall ... Schedules ... Notification of Traffic ... Firewall rules are used to block or allow specific ... (see "Using Rules to Block or Allow Specific Kinds of Traffic" on ...). Firewall rules are: • Inbound. ... the traffic through from outside. • Outbound. You can ... Allow all access... 4-2 Firewall Protection v1.0, April 2010
SRX5308 Reference Manual
Page 115
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. LAN WAN Outbound Rule: Blocking Instant Messenger. If you want to block Instant Messenger usage by employees ... that application from any internal IP address ... the schedule that you have created in Figure 4-15 on page 4-26. You can also enable the VPN firewall to log any attempt to ... during the blocked period. 1. Select Any and Allow Always (or Allow by Schedule). 2. ... rules let you ... users from using applications such as Instant Messenger, Real Audio, or other nonessential sites. Place the rule below all other inbound rules.
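The snippet above is about where a scheduled block rule sits relative to the other rules. The following Python model is an added example, not NETGEAR firmware or anything from the manual: it evaluates an ordered rule list the way the manual describes ("first match wins", a rule set to Allow/Block by Schedule applies only while its schedule is active, blocked attempts may be logged, and the implicit default is allow-all-outbound / block-all-inbound). Every rule name, address range, schedule and time instant in it is constructed for the illustration.

```python
"""Model of ordered ("first match wins") firewall rule evaluation with schedules.

Added example, not NETGEAR firmware code. It models the behaviour the manual
describes for LAN WAN outbound rules: rules are checked in order, a rule set to
"Allow/Block by Schedule" only applies while its schedule is active, blocked
attempts can be logged, and the implicit default is "allow all outbound,
block all inbound". Rule names, addresses, times and services are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Schedule:
    """Active on the given weekdays (0 = Monday) from start (inclusive) to end (exclusive)."""
    days: Set[int]
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    name: str
    direction: str                       # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN)
    service: str                         # service name, or "ANY"
    action: str                          # "allow" or "block"
    src: str = "0.0.0.0/0"               # source network the rule applies to
    schedule: Optional[Schedule] = None  # None means "Always"
    log: bool = False


@dataclass
class Packet:
    direction: str
    service: str
    src_ip: str


@dataclass
class Firewall:
    rules: List[Rule]
    log_lines: List[str] = field(default_factory=list)

    def decide(self, pkt: Packet, when: datetime) -> str:
        """Return the action of the first matching rule; rules whose schedule is inactive are skipped."""
        for rule in self.rules:
            if rule.direction != pkt.direction:
                continue
            if rule.service not in ("ANY", pkt.service):
                continue
            if ip_address(pkt.src_ip) not in ip_network(rule.src):
                continue
            if rule.schedule is not None and not rule.schedule.active(when):
                continue
            if rule.log:
                self.log_lines.append(
                    f"{when.isoformat()} rule={rule.name} action={rule.action} "
                    f"service={pkt.service} src={pkt.src_ip}")
            return rule.action
        # Default policy when nothing matched: outbound permitted, inbound denied.
        return "allow" if pkt.direction == "outbound" else "block"


# Constructed schedule and test instants (13 April 2010 is a Tuesday).
WORK_HOURS = Schedule(days={0, 1, 2, 3, 4}, start=time(9, 0), end=time(17, 0))
WORK_TIME = datetime(2010, 4, 13, 10, 30)
OFF_TIME = datetime(2010, 4, 13, 20, 30)


def build_firewall(block_rule_first: bool) -> Firewall:
    """Two outbound rules; their order decides whether the IM block is ever reached."""
    block_im = Rule("Block-IM-work-hours", "outbound", "IM", "block",
                    src="192.168.1.0/24", schedule=WORK_HOURS, log=True)
    allow_all = Rule("Allow-all-outbound", "outbound", "ANY", "allow")
    order = [block_im, allow_all] if block_rule_first else [allow_all, block_im]
    return Firewall(rules=order)


def check(direction: str, service: str, src_ip: str, when: datetime,
          block_rule_first: bool = True):
    """Evaluate one packet against a fresh firewall; return (verdict, log lines)."""
    fw = build_firewall(block_rule_first)
    verdict = fw.decide(Packet(direction, service, src_ip), when)
    return verdict, fw.log_lines


if __name__ == "__main__":
    for label, when in (("work hours", WORK_TIME), ("evening", OFF_TIME)):
        print(label, check("outbound", "IM", "192.168.1.20", when))
    print("IM block shadowed by a broad allow rule placed above it:",
          check("outbound", "IM", "192.168.1.20", WORK_TIME, block_rule_first=False)[0])
```

The last call is the point the manual makes about rule placement: a broad Allow Always rule listed above the scheduled block matches first, so the block is never consulted and nothing is logged. The same ordering question applies to inbound rules, which is why the snippet says to place a catch-all rule below the specific ones.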
SRX5308 Reference Manual
Page 131
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. 2. The schedule is in effect. 3. ... To the right of the page ... Understanding the VPN Firewall's Content Filtering: The VPN firewall supports several types of ... Web components filtering features. ... a particular Web component is allowed. ... Proxy. A proxy server (or simply, proxy) allows computers to route ... can be routed through the proxy, thus circumventing certain firewall rules. Even sites on the Trusted Domains list will see a "Blocked by NETGEAR" message. Firewall Protection v1.0, April 2010 4-41 ...
SRX5308 Reference Manual
Page 132
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. ... should they appear in the website name (URL) or in a newsgroup name, will be blocked. ... In the Content Filtering section, select the Yes radio button ... Cookies. ... from being created by websites that ... store tracking information and browsing habits. Note: Many websites require that cookies be accepted in order for ... require login. ... Requests ... from being downloaded. ... Blocking does not occur for the PCs that ... for trusted domains by the VPN firewall ... that site or newsgroup to be ... to the list of trusted domains.
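The two content-filtering snippets above (the proxy caveat on page 131 and keyword/trusted-domain blocking on page 132) describe several mechanisms that interact. The Python model below is an added example, not NETGEAR's implementation: it matches keywords against the website name (URL) or a newsgroup name, exempts domains on the Trusted Domains list from keyword blocking, applies filtering only to PCs in a LAN group that has it enabled, and treats the "Proxy" web-component block as refusing proxied requests even when the proxy's host is trusted, which is how this model reads the manual's note. It also shows why that block exists: a URL-based filter only ever sees the proxy's address, not the real destination. The keywords, domains and URLs are constructed.

```python
"""Model of URL keyword content filtering with a Trusted Domains exemption.

Added example, not NETGEAR's implementation. It shows how the pieces the manual
lists interact: keywords are matched against the website name (URL) or a
newsgroup name, domains on the Trusted Domains list are exempt from keyword
blocking, filtering only applies to PCs in a LAN group that has it enabled, and
the "Proxy" web-component block exists because a URL-based filter only sees the
proxy's address, not the real destination. Keywords, domains and URLs are constructed.
"""
from typing import List, Optional
from urllib.parse import urlsplit


class ContentFilter:
    def __init__(self, keywords: List[str], trusted_domains: List[str], block_proxy: bool = False):
        self.keywords = [k.lower() for k in keywords]
        self.trusted = [d.lower().lstrip(".") for d in trusted_domains]
        self.block_proxy = block_proxy

    def is_trusted(self, host: str) -> bool:
        """A trusted domain covers itself and all of its subdomains."""
        host = host.lower()
        return any(host == d or host.endswith("." + d) for d in self.trusted)

    def matching_keyword(self, text: str) -> Optional[str]:
        text = text.lower()
        return next((k for k in self.keywords if k in text), None)

    def evaluate(self, url: str, group_filtered: bool = True) -> str:
        """Verdict for a direct request from a LAN PC."""
        if not group_filtered:
            return "allow:group-not-filtered"
        parts = urlsplit(url)
        host = parts.hostname or ""
        if self.is_trusted(host):
            return "allow:trusted-domain"
        target = host + parts.path + ("?" + parts.query if parts.query else "")
        hit = self.matching_keyword(target)
        return f"block:keyword={hit}" if hit else "allow"

    def evaluate_newsgroup(self, name: str) -> str:
        """Keyword blocking also applies to newsgroup names."""
        hit = self.matching_keyword(name)
        return f"block:keyword={hit}" if hit else "allow"

    def evaluate_via_proxy(self, proxy_url: str, group_filtered: bool = True) -> str:
        """A request tunnelled through a proxy: the filter sees only the proxy URL.
        With block_proxy enabled the request is refused even if the proxy host is trusted."""
        if not group_filtered:
            return "allow:group-not-filtered"
        if self.block_proxy:
            return "block:proxy"
        return self.evaluate(proxy_url, group_filtered)


if __name__ == "__main__":
    f = ContentFilter(keywords=["casino"], trusted_domains=["example.com"])
    print(f.evaluate("http://www.casino-games.test/play"))         # keyword hit
    print(f.evaluate("http://news.example.com/casino"))            # trusted domain wins
    print(f.evaluate_via_proxy("http://proxy.example.org/fetch"))  # destination hidden
    print(ContentFilter(["casino"], ["proxy.example.org"], block_proxy=True)
          .evaluate_via_proxy("http://proxy.example.org/fetch"))   # proxy component blocked
```

Two things to take from running it: a keyword anywhere in the host or path blocks the request, but a trusted domain is exempt no matter what its URL contains, so the Trusted Domains list is effectively an allow-list that must be kept short; and a request relayed through a proxy whose own hostname is clean passes the keyword filter entirely, which is what the Proxy web-component block is for.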
SRX5308 Reference Manual
Page 208
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. 4. ... this check box to apply HTTP meta tag cache control directives to this portal layout. Cache control directives include: ... Note: NETGEAR strongly recommends enabling HTTP meta tags ... Table 6-1. Portal Site Title: The title that appears ... on the login page ... for example, "Welcome to the portal, ..." Note: Only ... for the portal layout ... the login screen as explained in Table 6-1 ... https://vpn.company.com/portal/CustomerSupport. Note: For an example, see Figure 6-9 on page 6-24.
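The manual recommends enabling the HTTP meta tag cache control directives on the portal layout so that login and portal pages are not left in a browser cache on a shared kiosk. The Python audit below is an added example, not NETGEAR code: it takes a response (HTML body plus HTTP headers) and reports whether caching is forbidden by the Cache-Control header, by `<meta http-equiv>` tags, or by neither. The two portal pages and the header sets in it are constructed for the example.

```python
"""Check whether an SSL VPN portal page can be cached by the browser.

Added example, not NETGEAR code: the manual recommends enabling HTTP meta tag
cache-control directives on the portal layout; this audit parses a response
(HTML body plus HTTP headers) and reports whether caching is forbidden by the
headers, by <meta http-equiv> tags, or by neither. The two portal pages and the
header sets are constructed for the example.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set

NO_CACHE_DIRECTIVES = {"no-store", "no-cache"}


class MetaCollector(HTMLParser):
    """Collects <meta http-equiv="..." content="..."> tags, keyed by lower-cased header name."""

    def __init__(self) -> None:
        super().__init__()
        self.http_equiv: Dict[str, List[str]] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "http-equiv" in a:
            self.http_equiv.setdefault(a["http-equiv"].lower(), []).append(a.get("content", ""))


def parse_directives(value: str) -> Set[str]:
    """'no-store, max-age=0' -> {'no-store', 'max-age'} (directive names only, lower-cased)."""
    return {tok.split("=", 1)[0].strip().lower() for tok in value.split(",") if tok.strip()}


def audit_cacheability(html: str, headers: Dict[str, str]) -> Dict[str, bool]:
    """Report which layer forbids caching; 'cacheable' is True only if neither does."""
    hdr = {k.lower(): v for k, v in headers.items()}
    header_no_cache = bool(parse_directives(hdr.get("cache-control", "")) & NO_CACHE_DIRECTIVES)
    collector = MetaCollector()
    collector.feed(html)
    meta_values = collector.http_equiv.get("cache-control", []) + collector.http_equiv.get("pragma", [])
    meta_no_cache = any(parse_directives(v) & NO_CACHE_DIRECTIVES for v in meta_values)
    return {
        "header_no_cache": header_no_cache,
        "meta_no_cache": meta_no_cache,
        "cacheable": not (header_no_cache or meta_no_cache),
    }


# Constructed portal pages: one carrying the meta tags the manual refers to, one without.
PORTAL_WITH_META = """<html><head><title>Welcome to the portal</title>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
</head><body><form action="/portal/login">...</form></body></html>"""

PORTAL_WITHOUT_META = """<html><head><title>Welcome to the portal</title>
</head><body><form action="/portal/login">...</form></body></html>"""


if __name__ == "__main__":
    print(audit_cacheability(PORTAL_WITH_META, {}))
    print(audit_cacheability(PORTAL_WITHOUT_META, {"Cache-Control": "max-age=600"}))
    print(audit_cacheability(PORTAL_WITHOUT_META, {"Cache-Control": "no-store"}))
```

When reviewing a portal, check both layers: intermediate caches never read HTML, and browsers honour the Cache-Control header far more consistently than the meta equivalents, so the meta tags the manual enables are a useful belt-and-braces measure rather than a substitute for the header.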
SRX5308 Reference Manual
Page 248
... on page 7-20 shows an image of the ... Figure 7-12 ... 7-20 Managing Users, Authentication, and Certificates v1.0, April 2010. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. 3. When a security alert is generated, the user can ... There can be three reasons why a security alert is generated for a security certificate: • The security certificate ... of the security certificate is invalid. • The name on the security certificate is invalid or does not match the name of the site. • ... If the verification process ... the VPN firewall approves the digital certificate for validity ... of the server.
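The snippet above lists the reasons a browser raises a security alert for the firewall's certificate: the certificate is not from a trusted issuer, its validity period does not cover the current time, or its name does not match the site. The Python below is an added example, not NETGEAR code or anything from the manual: it derives those three alerts from a certificate's fields and implements the usual hostname matching, including single-label wildcards. The certificates, issuer names, dates and trust store in it are constructed, not parsed from a real certificate; the portal name vpn.company.com is taken from the manual's own example URL.

```python
"""Reproduce the three browser security-alert conditions for a server certificate.

Added example, not NETGEAR code. The manual lists three reasons a browser raises
a security alert for the firewall's certificate: the certificate is not from a
trusted issuer, its validity period does not cover the current time, or its name
does not match the site. This function derives those alerts from a certificate's
fields (constructed here, not parsed from real DER) and implements the usual
hostname matching, including single-label wildcards.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set


@dataclass
class CertInfo:
    subject_cn: str
    san_dns: List[str]       # subjectAltName dNSName entries; empty for a CN-only certificate
    issuer: str
    not_before: datetime
    not_after: datetime


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leftmost '*' label covering exactly one label: *.company.com
    matches vpn.company.com but not a.b.company.com, and a bare *.com never matches."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def security_alerts(cert: CertInfo, hostname: str, trusted_issuers: Set[str], now: datetime) -> List[str]:
    """Return the alert reasons that apply, in the order issuer / validity / name."""
    alerts = []
    if cert.issuer not in trusted_issuers:
        alerts.append("untrusted-issuer")
    if not (cert.not_before <= now <= cert.not_after):
        alerts.append("invalid-validity-period")
    names = cert.san_dns or [cert.subject_cn]   # SAN takes precedence; CN is only a fallback
    if not any(hostname_matches(n, hostname) for n in names):
        alerts.append("name-mismatch")
    return alerts


UTC = timezone.utc
TRUSTED_ISSUERS = {"Example Corporate CA"}      # constructed trust store
NOW = datetime(2010, 4, 15, tzinfo=UTC)
LATER = datetime(2013, 1, 1, tzinfo=UTC)

# Constructed: a self-signed default certificate as an appliance might ship with...
FACTORY_CERT = CertInfo("firewall.local", [], "firewall.local",
                        datetime(2010, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
# ...and one issued by the organisation's own CA for the SSL VPN portal name.
ISSUED_CERT = CertInfo("vpn.company.com", ["vpn.company.com", "*.company.com"], "Example Corporate CA",
                       datetime(2010, 4, 1, tzinfo=UTC), datetime(2012, 4, 1, tzinfo=UTC))


if __name__ == "__main__":
    print(security_alerts(FACTORY_CERT, "vpn.company.com", TRUSTED_ISSUERS, NOW))
    print(security_alerts(ISSUED_CERT, "vpn.company.com", TRUSTED_ISSUERS, NOW))
    print(security_alerts(ISSUED_CERT, "vpn.company.com", TRUSTED_ISSUERS, LATER))
```

The factory certificate trips two of the three alerts at once (self-signed issuer, device name instead of the portal's DNS name), which is the situation the manual's "security alert" step describes; replacing it with a certificate from a CA the clients trust, issued for the name users actually type, clears both. Users who click through alerts routinely cannot tell a misconfigured firewall from an interception proxy, so the fix belongs on the firewall, not in user training.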
SRX5308 Reference Manual
Page 258
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. ... only the default rule is disabled; ... all access from outside except responses to requests from PCs with the specified MAC addresses. ... on the WAN side: • LAN WAN inbound rules (also referred to as port forwarding) • DMZ WAN inbound rules (also referred to as port forwarding) • Port triggering • ... load ... Content Filtering: If you want to reduce outgoing traffic by preventing Internet access by certain PCs on ... For more information, see "Content Filtering (Blocking Internet Sites)" on page 4-41. ... how to...
SRX5308 Reference Manual
Page 261
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. Configuring VPN Tunnels: The VPN firewall supports up to 125 site-to-... For information about SSL VPN tunnels, see Chapter 6, "Virtual Private Networking Using SSL Connections." Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the VPN firewall. ... After you have created a QoS profile, you ... of service for services that ... is set individually for each service ... give the service higher or lower priority than it otherwise would have ... not yet defined. Using ...
SRX5308 Reference Manual
Page 311
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. Troubleshooting the ISP Connection: If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. ... procedure: 1. ... VPN firewall's configuration at https://192.168.1.1. ... Select Network Configuration > WAN Settings. The WAN Settings screen displays. 3. To check the WAN IP address ... for which you want to view the connection status. 4. ... Turn off the power to ... your browser and navigate to an external site such as www.netgear...
SRX5308 Reference Manual
Page 372
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual bandwidth profiles assigning to firewall rule 4-37 description 4-37 direction 4-39 shifting traffic mix 8-8 type 4-39 banners, SSL portal 6-6 base distinguished name (DN), LDAP 7-5 blocking ActiveX controls 4-42 browsing access 4-42 cookies 4-42 domains 4-42, 4-44 floods TCP 4-27 UDP 4-28 instant messaging applications 4-25 Internet sites... 2-7 table 2-6 C CA (Certificate Authority) 5-29 cache cleaner 6-7 cache control, SSL VPN 6-6 Index-2 capturing packets, diagnostics 9-28 category 5 cable B-3 Certificate Authority. See CRL...
SRX5308 Reference Manual
Page 375
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual auto-rollover mode 2-28 load balancing mode 2-28 multiple WAN ports 5-1, 5-2, B-1, B-9 SSL VPN, port forwarding 6-3 VPN tunnels 5-2 front panel LEDs 1-8 ports 1-7 fully qualified domain names. See IKE policies. Internet blocking sites 4-41 configuration requirements B-3 connection auto-detecting 2-7 default settings A-1 manually configuring 2-11 filtering content 4-41 form, connection information B-4 Internet Key Exchange. Internet LED 1-9 Internet...
SRX5308 Reference Manual
Page 380
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual RADIUS-CHAP 5-28, 5-37, 5-38, 7-4 RADIUS-MSCHAP(v2) 7-4 RADIUS-PAP 5-28, 5-37, 5-38, 7-4 server, configuring 5-39 rate-limiting, traffic 2-34 read/write access 7-9 read-only access 7-9 rebooting, remotely 9-28 reducing traffic blocking sites 8-4 overview 8-2 service blocking 8-2 source MAC filtering 8-4 reference documents E-1 registering product ii regulatory compliance A-3, 1 relay gateway, DHCP 3-9, 3-23...