SANGFOR WAN Accelerator 6.0 User Manual

WAN Accelerator 6.0 User Manual

April, 2011


Table of Contents
ANNOUNCEMENT
PREFACE
ABOUT THIS MANUAL
DOCUMENT CONVENTIONS
Symbol Conventions
Graphic Interface Conventions
CLI Conventions
TECHNICAL SUPPORT
ACKNOWLEDGEMENTS
CHAPTER 1 WAN ACCELERATOR INSTALLATION
1.1 ENVIRONMENT REQUIREMENT
1.2 POWER
1.3 PRODUCT APPEARANCE
1.4 CONFIGURATION AND MANAGEMENT
1.5 WIRING METHOD
CHAPTER 2 WAN ACCELERATOR DEPLOYMENT
2.1 GATEWAY MODE
2.2 BRIDGE MODE
2.3 DOUBLE BRIDGE MODE
2.4 SINGLE ARM MODE

CHAPTER 3 GATEWAY CONSOLE
3.1 WEB UI LOGIN
3.2 MAIN MENUS
3.2.1 Maintenance
3.2.1.1 License
3.2.1.2 Backup/Restore
3.2.1.2.1 System
3.2.1.2.2 WAN Optimization
3.2.1.3 Reset/Restart/Shutdown
3.2.1.4 Web Console
3.2.2 Status
3.2.2.1 WAN Optimization
3.2.2.1.1 Acceleration Status
3.2.2.1.2 Acceleration Connections
3.2.2.1.3 Application Connections
3.2.2.2 Logs
3.2.2.3 Bandwidth Monitor
3.2.2.4 Flow Status
3.2.2.4.1 Flow Rankings
3.2.2.4.2 Connections Monitor
3.2.2.5 VPN
3.2.2.6 DHCP Running Status
3.2.2.7 Gateway Status
3.2.3 Tools
3.2.3.1 Ping
3.2.3.2 Tracert
3.2.3.3 Show ARP
3.2.4 Wizard
3.2.5 Data Center
3.2.6 Help
3.3 HOME
3.4 SYSTEM
3.4.1 System Settings
3.4.1.1 General
3.4.1.2 NTP Settings
3.4.1.3 Web UI Settings
3.4.1.4 Advanced
Case Study 1: Environment and Configuration For MAC Track
3.4.2 Deploy Settings
3.4.2.1 Network Interface
3.4.2.1.1 Gateway Mode
3.4.2.1.2 Single Arm Mode
3.4.2.1.3 Bridge Mode
3.4.2.1.4 Double Bridge Mode
3.4.2.2 Local Subnet
Case Study 2: Add Subnet In Single-Arm Mode
3.4.2.3 Static Route
Case Study 3: Add Packet Return Route
Case Study 4: Add Packet Return Route
3.4.2.4 Dynamic Route
3.4.2.5 Windows Domain
Case Study 5: Join WCC.COM Domain
3.4.2.6 VPN Interface
3.4.2.7 Vlan Settings
Case Study 6: Environment and Configuration of VLAN Restore
Case Study 7: Environment and Configuration of VLAN ID Settings
3.4.2.8 Multi-Line Settings
3.4.2.9 CDP Settings
3.4.2.10 WCCP Settings
Case Study 8: WCCP Avoiding Routing Loop in Single Arm Mode
3.4.3 Users
Case Study 9: Add Acceleration User
3.4.4 Network Objects
3.4.4.1 IP Group
Case Study 10: Create IP Group with Single IP Addresses
Case Study 11: Create IP Group with IP Range
Case Study 12: Create IP Group with Subnet
3.4.4.2 Application List
Case Study 13: Add ERP System Application into Application List
3.4.4.3 Time Schedule
Case Study 14: Define Office Hours
3.5 WAN OPTIMIZATION
3.5.1 Application
3.5.1.1 HTTP
3.5.1.2 CIFS
3.5.1.3 SMTP
3.5.1.4 POP3
3.5.1.5 Exchange
3.5.1.6 Oracle EBS
3.5.1.7 Citrix
3.5.1.8 RDP
3.5.2 Compression
Case Study 15: Type of Data Applicable to Compression
3.5.3 Server
3.5.3.1 Acceleration Policy
3.5.3.2 Acceleration Policy Group
3.5.3.3 Acceleration User
Case Study 16: Create Acceleration User and Associate Policy Group
Case Study 17: Accelerate Exchange Server 2007 Email Delivery
Case Study 18: Accelerate Access to Oracle EBS
Case Study 19: Accelerate Access to CITRIX
Case Study 20: Accelerate Access to RDP
3.5.4 Client
3.5.4.1 Connect to Central Gateway
Case Study 21: Branch Establishes Acceleration Connection With HQ
Case Study 22: Enable Network Transparency Mode
Case Study 23: Use Reverse Acceleration
3.5.4.2 Prefetch
Case Study 24: Prefetch Data from FTP Server
3.5.5 Certificates
3.5.5.1 CA Certificate
3.5.5.2 Server Certificate
Case Study 25: Accelerate Access to HTTPS Server
3.5.6 Advanced
3.5.6.1 Exclusion Rule
Case Study 26: Exclusion Rule Defines Acceleration Subnet
3.5.6.2 Asymmetric Route
3.5.6.3 Keep Alive Settings
3.6 BANDWIDTH MANAGEMENT
3.6.1 Objects
3.6.1.1 Application Identification
3.6.1.2 Intelligent Identification
3.6.1.3 URL Group
3.6.1.4 File Type Group
3.6.2 Policy Settings
3.6.2.1 User Group
Case Study 27: Add User Group
3.6.2.2 Application Control Policy
3.6.2.2.1 Application Control
3.6.2.2.2 Web Filter
3.6.2.2.3 Flow
Case Study 28: Configure Application Control Policy for Specific User/User Group
Case Study 29: Configure a Needed Application Control Policy
3.6.3 Bandwidth Settings
3.6.3.1 Virtual Line
Case Study 30: Create Virtual Line
3.6.3.2 Bandwidth Management
3.6.3.2.1 Bandwidth Channel
Case Study 31: Configure Assured Channel for a Specific Application
Case Study 32: Configure Limited Channel for a Specific Application
3.6.3.2.2 Exclusion Policy
Case Study 33: Configure Exclusion Policy
3.6.4 Policy Troubleshooting
3.6.5 Advanced
3.6.5.1 Proxy Server
3.6.5.2 Excluded IP
3.6.5.3 Auto Update
3.7 FIREWALL
3.7.1 NAT
3.7.2 SNAT
Case Study 34: Configure SNAT Rule
3.7.3 DNAT
Case Study 35: Configure DNAT Rule
3.7.4 Firewall Rules
Case Study 36: Open Port of Local Area Network
3.7.5 Anti-DoS
3.7.6 ARP Protection
3.8 SANGFOR VPN
3.8.1 Configure HQ WAN Accelerator
3.8.1.1 Basic Settings
3.8.1.2 VPN User
Case Study 37: Configure Tunnel NAT Rule
3.8.1.3 Virtual IP Pool
Case Study 38: Configurations for Mobile VPN Users Connecting In
3.8.2 Client
3.8.2.1 VPN Connection
Case Study 39: Only Allow Peer VPN to Access Local WEB Services
3.8.3 Multi-Line
3.8.3.1 Multi-Line Routing Policy
Case Study 40: VPN Primary Lines/Secondary Line
Case Study 41: Configure Multi-Line Routing Policy for Single-Arm VPN
3.8.4 Third-Party Authentication
3.8.4.1 LDAP Server
Case Study 42: Mobile VPN User Connects in By Using LDAP Auth
3.8.4.2 Radius Server Settings
3.8.5 Advanced
3.8.5.1 VPN Local Subnet
Case Study 43: Allow VPN User to Access Multiple Local Subnets
3.8.5.2 LAN Service
Case Study 44: Control VPN User’s Privilege to Access LAN Services
3.8.5.3 Multicast Service
3.8.5.4 Tunnel Route
Case Study 45: Tunnel Route Achieves Communication Between Connecting-in Branch VPN Sites
Case Study 46: Access Internet via VPN Destination Route User
3.8.5.5 Generate Certificate
3.8.6 Configure Sangfor VPN Module in Single-Arm Mode
3.8.6.1 Configure Network Interface
3.8.6.2 Configure Sangfor VPN
3.9 IPSEC CONNECTION
3.9.1 IPSec Connection
3.9.1.1 Phase I
3.9.1.2 Phase II
3.9.1.3 Security Options
Case Study 47: IPSEC VPN Connection with CISCO
CHAPTER 4 INTERNAL DATA CENTER
4.1 HOME PAGE
4.2 HISTORY REPORT
4.3 CUSTOMIZE REPORT
4.3.1 Customize Wizard
4.3.1.1 Statistic Report
Case Study 48: Generate and View Report
4.3.1.2 Trend Report
4.3.1.3 Sum Report
4.3.2 Report Template
4.4 STATISTICS
4.4.1 IP Flow
4.4.2 Application Flow
4.5 WANO REPORT
4.5.1 IP Connection
4.5.2 Application Connection
4.5.3 IP Flow Trend
4.5.4 Application Flow Trend
4.5.5 Acceleration User Flow Trend
4.5.6 Device Flow Trend
4.6 TREND REPORT
4.6.1 IP Flow Trend
4.6.2 Application Flow Trend
4.7 SEARCH
4.7.1 Flow Search
4.7.2 Firewall Log
4.7.3 Gateway Operation Log
4.8 SYSTEM MANAGEMENT
4.8.1 Log Library Mgt
4.8.1.1 Log Library Search
4.8.1.2 Disk Usage
4.8.2 System Configuration
4.8.3 Configuration Import/Export
CHAPTER 5 CLIENT SOFTWARE
5.1 ACCELERATION-ONLY CLIENT SOFTWARE
5.1.1 Installation
5.1.2 Deployment
5.1.3 Usage
5.2 VPN-ONLY CLIENT SOFTWARE
5.2.1 Installation
5.2.2 Deployment
5.2.3 Usage
5.2.3.1 VPN Settings
5.2.3.1.1 System Info
5.2.3.1.2 PDLAN

......3................................................................366 5....3..............1 System Info.................................381 APPENDIX A: UPDATE OF GATEWAY CLIENT.393 APPENDIX B: ACRONYMS AND ABBREVIATIONS....................................................................................................................................403 8 ...............3...................2 Deployment.....................................................378 5.......................1 VPN Settings.......................................................2 Mobile VPN...............................3...........372 5.....0 User Manual 5...371 5.................................................................366 5....1.3....................3.....................3 VPN-PLUS-ACCELERATION CLIENT SOFTWARE......1....3...................................................378 5.............................................................3 Usage................................3...........................1 Installation................................................SANGFOR WAN Accelerator 6.3..................................................................

Announcement

Copyright © 2011 SANGFOR Technology Co., Ltd. All rights reserved.

No part of the contents of this document shall be extracted, reproduced or transmitted in any form or by any means without prior written permission of SANGFOR.

SANGFOR, SANGFOR Technology and the SANGFOR logo are the trademarks or registered trademarks of SANGFOR Technology Co., Ltd. All other trademarks used or mentioned herein belong to their respective owners.

This manual shall only be used as usage guide, and no statement, information, or suggestion in it shall be considered as implied or express warranty of any kind, unless otherwise stated. This manual is subject to change without notice. To obtain the latest version of this manual, please contact the Customer Service of SANGFOR Technology Co., Ltd.

Preface

About This Manual

The WAN Accelerator 6.0 User Manual includes the following chapters:

Chapter | Describe…
Chapter 1 WAN Accelerator Installation | The product appearance, function features and performance parameters of SANGFOR WAN Accelerator 6.0, wiring and cautions before installation.
Chapter 2 WAN Accelerator Deployment | How to deploy the WAN Accelerator 6.0 and select deployment mode.
Chapter 3 Gateway Console | How to use and configure the WAN Accelerator 6.0 through the gateway console, including configurations of the system, IPSec VPN, WAN optimization, firewall, bandwidth management (BM), etc.
3.8 Sangfor VPN | How to search for needed statistics and logs, customize report and make WANO/Trend reports on specified objects, and maintain the Internal Data Center.
Chapter 5 Client Software | The installation and usage of the SANGFOR client software.

Document Conventions

Symbol Conventions

This manual also adopts the following symbols to indicate the parts which need special attention to be paid during the operation:

Meaning | Description
Caution | Indicates actions that could cause setting error, loss of data or damage to the device.
Warning | Indicates actions that could cause injury to human body.
Note | Indicates helpful information, suggestion or supplementary

Graphic Interface Conventions

This manual uses the following typographical conventions for special terms and instructions:

Convention | Meaning | Example
boldface | Keywords or highlighted items | The user name and password are Admin by default.
italics | Directories, URLs | Enter the following address in the IE address bar: http://10.254.254.254:1000
[ ] | Page titles, names of parameters, menus, and submenus | Select [System] > [Web UI] to open the Web UI page, and then configure the [Webpage Timeout].
> | Multilevel menus and submenus | Go to [System] > [Network Interface] to configure the network interfaces.
<> | Names of buttons or links on the web interface or key-press | Click <Update> to save the settings.
“” | Prompts popped up | The browser may pop up the prompt "Install ActiveX control"

CLI Conventions

Command syntax on Command Line Interface (CLI) applies the following conventions:

- Any content in brackets [ ] is optional
- Any content in {} is necessary
- If there is more than one option, use vertical bar (|) to separate each option, for example: ip wccp 60 redirect { in | out }
- CLI command appears in bold, for example: configure terminal
- Variables appear in italic, for example: interface e0/1

Technical Support

For technical support, use the following methods:

- Go to our official website: http://www.sangfor.com
- Go to our technical support forum: http://www.sangfor.com/cn/forum
- Email us at: support@sangfor.com.cn

Acknowledgements

Thanks for using our product and user manual. If you have any suggestion about our product or user manual, please provide feedback to us through phone or email. Your suggestion will be much appreciated.

Chapter 1 WAN Accelerator Installation

This chapter gives a general introduction to the SANGFOR WAN Accelerator and wiring of the system. After correct installation, you can configure and debug the system.

1.1 Environment Requirement

The SANGFOR WAN Accelerator requires the following working environment:

- Input voltage: 110V-230V
- Temperature: -10-45℃
- Humidity: 5%-90%

To ensure long-term and stable running of the WAN Accelerator, the power supply should be well grounded, dustproof measures taken, working environment well ventilated and indoor temperature kept stable. This product conforms to the requirements on environment protection, and the placement, usage and discard of the product should comply with relevant national law and regulation.

1.2 Power

The SANGFOR WAN Accelerator uses 110 ~ 230V alternating current (AC) as its power supply. Make sure it is well-grounded before providing it with power supply.

1.3 Product Appearance

Front Panel of SANGFOR WAN Accelerator 6.0

Above is the front panel of SANGFOR WAN Accelerator 6.0. The interfaces and indicators on the front panel (from left to right) are described respectively in the table below:

Interface/Indicator | Description
CONSOLE | Interface used only for debugging by the device supplier
USB | Standard USB port connecting to the peripheral device
ETH0 | Network interface to be defined as LAN interface, connecting to the LAN network segment
ETH1 | Network interface to be defined as DMZ interface, connecting to the DMZ network segment
ETH2 | Network interface to be defined as WAN1 interface, connecting to the first Internet line
ETH3 | Network interface to be defined as WAN2 interface, connecting to the second Internet line
POWER | Power indicator of WAN Accelerator
ALARM | Alarm indicator of WAN Accelerator (it keeps on for one minute while the device is starting up)

The product appearance varies from model to model.

1.4 Configuration and Management

Before configuring the device, please get a computer ready and make sure the web browser (IE browser is supported only, such as Internet Explorer, Maxthon, etc., while Opera, Firefox, Safari and Chrome are not supported) can be used normally. Then connect the computer to the WAN Accelerator (in a same local area network) and configure the WAN Accelerator on the computer over the established network.

1.5 Wiring Method

Connect the power cable to the power interface on the rear panel of the WAN Accelerator and switch on the power supply. The POWER indicator (in green) and ALARM indicator (in red) on the front panel will be lighted. The ALARM indicator will go out one or two minutes later, indicating the device runs normally. Then follow the instructions below to wire the interfaces:

Use standard RJ-45 Ethernet cable to connect the ETH0 interface to the local area network (LAN) and then configure the WAN Accelerator.

Use standard RJ-45 Ethernet cable to connect the ETH2 interface with the networking device, such as router, optical fiber transceiver, ADSL Modem, etc.

Use standard RJ-45 Ethernet cable to connect ETH1 interface to the DMZ network segment, generally, to the Web server and Mail server providing services to wide area network (WAN) that are placed at the DMZ network segment. The WAN Accelerator provides secure protection for these servers.

- While WAN Accelerator runs normally, the POWER indicator (in green) will keep on lighted, the ALARM indicator off, and the ETH2/3 LINK (WAN) and ETH0 LINK (LAN) indicators (in orange) lighted. The ACT indicators (in green) will flicker if there is data flow. The ALARM indicator will be lighted only for about one minute due to system loading when the device is starting up, and then go out indicating successful startup of the device. If the ALARM indicator stays lighted during startup, please switch off the power supply and restart the device. If it still keeps on lighted and does not go out, please contact SANGFOR.
- Keep the followings in mind: while connecting the defined WAN interface with the router, use crossover cable; while connecting the defined LAN interface with the switch, use straight-through cable; while connecting the other defined LAN interface with the computer (for logging in to the gateway console), use crossover cable. If connections cannot be established but the corresponding indicator functions normally, please check whether the cables are the right cables used for certain connections. The differences between straight-through cable and crossover cable are the wire sequences at both ends, as shown in the figure below:

Chapter 2 WAN Accelerator Deployment

2.1 Gateway Mode

The deployment topology of WAN Accelerator in Gateway mode is as shown below:

Step 1: Configure IP addresses of WAN and LAN interfaces, DNS address and firewall rules.
Step 2: Configure standard IPSec VPN.
Step 3: Configure WAN optimization module.
Step 4: Add the routes of the different network segments for the WAN Accelerator if there is layer 3 switch and different network segments in the local area network.

2.2 Bridge Mode

The network topology of WAN Accelerator deployed in Bridge mode is as shown below:

Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service Mode] “Acceleration Only”, and select [Deployment Mode] “Bridge”.
Step 2: Configure the IP addresses of the logical interface, default gateway, MANAGE interface and DNS.
Step 3: Configure WAN Optimization module.

- In Bridge mode, you have to switch the service mode to [Acceleration only] to enable the bridge function.
- In Bridge mode, the VPN function is invalid. Therefore, the two WAN Accelerators must be able to communicate with each other through the VPN established by a VPN device or through a dedicated line, and the two SANGFOR WAN Accelerators can access each other normally.

2.3 Double Bridge Mode

The network topology of WAN Accelerator deployed in Double Bridge mode is as shown below:

Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Service Mode] “Acceleration Only”, and select [Deployment Mode] “Double bridge”.
Step 2: Configure the interface IP address for Br0 and Br1, default gateway IP addresses (WAN 1, WAN 2, LAN and DMZ), virtual IP address and DNS address.
Step 3: Configure WAN Optimization module.

2.4 Single Arm Mode

The network topology of WAN Accelerator deployed in Single Arm mode is as shown below:

Step 1: Under the [System] > [Deploy Settings] > [Network Interface] page, select [Deployment Mode] “Single arm”.
Step 2: Configure IP address of the LAN interface, default gateway and DNS address.
Step 3: Configure WAN Optimization module.
Step 4: Under the [System] > [Deploy Settings] > [Local Subnet] page, add the subnet segment of the local device.
Step 5: Configure the gateway IP address on the LAN computers to have the gateway of LAN computers direct to the LAN interface of the WAN Accelerator. You can also enable the policy-based routing or WCCP function on the frontend switch/router.

- Since the WAN Accelerator is deployed in single arm mode ([Acceleration Only] does not support VPN function), you have to ensure that a VPN connection between the two local area networks has been established and the WAN Accelerators of both terminals can access each other.
- As to a WAN Accelerator deployed in Single Arm mode, the following four methods may help to avoid routing loop:
  a.) In Layer 2 environment, have the gateway of the LAN PCs direct to the SANGFOR WAN Accelerator.
  b.) In Layer 2 environment, add a route for each LAN PC that directs to the peer terminal, the local single-arm WAN Accelerator as the gateway of the route.
  c.) Enable policy-based routing and CDP on the frontend device.
  d.) Enable WCCP function on the frontend device.
  Unless the above measures are taken, routing loop may appear in the local area network and disable all the data communications between the devices at both ends.

0.254.255. you can go on configuring the SANGFOR WAN Accelerator through the WEBUI of the gateway console. and the following gateway console login interface appears: Before login..254.254. as shown in the following page: 21 .SANGFOR WAN Accelerator 6.0 User Manual Chapter 3 Gateway Console 3.254.251).g. Ltd’. Configure a valid IP address for the WAN Accelerator (e. Then type the default login IP address and port of the WAN Accelerator in the location box of the IE browser. you may be required to install the pop-up ActiveX control.1 Web UI Login Having completed wiring. Follow the instructions to finish installation.254.. and subnet mask 255. https://10. Click here to install…” and then click “Install ActiveX Control…”.256. as shown below: Click “This site might require the following ActiveX control: ‘WebUI Control’ from ‘Sangfor Technologies Co. Detailed procedures are as described in the following sections of this chapter. 10.

Click the <Install> button to install the ActiveX Control. If there is no prompt of installing the ActiveX control, click the <Download ActiveX> link (on the gateway console login interface) to manually download the ActiveX control and follow the instructions to finish installation.

Enter the user name and password, click the <Login> button or press <Enter> key to log in to the gateway console of the WAN Accelerator. The user name and password are Admin by default.

If you want to view the version information, click the link <View Version>. The version information is displayed as follows:

Logging into the Web UI, you will see the following configuration modules:

[Home]: Homepage of the WAN Accelerator. You can maintain the device and view the running status.
[System]: Configures the system time, working mode, IP address of each interface, etc., of the WAN Accelerator.
[Bandwidth Management]: Configures the BM options for the WAN Accelerator.
[Firewall]: Configures the firewall options of the WAN Accelerator.
[IPSec VPN]: Configures the IPSec VPN options for the WAN Accelerator.
[WAN Optimization]: Configures the WAN Optimization options for the WAN Accelerator.

At the top of the WEB UI, there are six main menus, [Maintenance], [Status], [Tools], [Wizard], [Data Center] and [Help], as shown in the interface below:

- In case there is a <OK>, <Save> or <Save and Apply> button on a configuration page, click it after modifying/configuring the parameters to save or apply the settings of that page/tab. This will not be illustrated again in the subsequent parts in this user manual.
- Each configuration page has a <Help> link at the top of the console interface. If help is wanted, click it to view the brief description of the items or page/tab.

3.2 Main Menus

The six main menus are [Maintenance], [Status], [Tools], [Wizard], [Data Center] and [Help], at the top of gateway console. Click any of them and select a submenu, and you can get into the corresponding page directly. The main menus are as shown below:

3.2.1 Maintenance

[Maintenance] consists of four submenus, namely, [License], [Backup/Restore], [Reset/Restart/Shutdown] and [Web Console].

3.2.1.1 License

[License] requires you to enter the serial numbers related to this WAN Accelerator. These serial numbers determine the availability of the WAN optimization function, IPSec VPN function, bandwidth management function, URL library update service, etc. After the serial numbers have been filled in and the <Save and Apply> button has been clicked, the authorized licenses will be generated automatically. The [License] page is as shown below:

[WANO License]: Enter the WANO license and click the <Save and Apply> button to activate the WAN optimization function. “Activated” means the function is available, while “Not activated” indicates the function is unavailable.

[VPN License]: Enter the VPN license and click the <Save and Apply> button to activate the Sangfor VPN function. “Activated” means the function is available, while “Not activated” indicates the function is unavailable.

[BM License]: Enter the Bandwidth Management (BM) license and click the <Save and Apply> button to activate the BM function. “Activated” means the function is available, while “Not activated” indicates the function is unavailable.

[Cross-ISP License]: Enter the Cross-ISP license and click the <Save and Apply> button to activate the Cross-ISP function (multiple Internet Service Providers (ISP) are supported). “Activated” means the function is available, while “Not activated” indicates the function is unavailable.

[Number of Mobile VPN Users Allowed]: Indicates the number of mobile VPN users supported by this WAN Accelerator.

[Application Identification/URL Library License]: Enter the Application Identification/URL Library license and click the <Save and Apply> button to activate the update service of the Application Identification and URL Library. “Activated” means the update service is available, while “Not activated” indicates the update service is unavailable.

[Software Update License]: Enter the software update license and click the <Save and Apply> button to activate the software update service. “Activated” means the update service is available, while “Not activated” indicates the update service is unavailable.

3.2.1.2 Backup/Restore

[Backup/Restore] page helps to back up and restore the configurations of this WAN Accelerator, including two configuration pages: [System] and [WAN Optimization].

3.2.1.2.1 System

On the [System] page, check the [Backup Reminder] option and configure [Every( _ )day(s)], and the system will remind you to back up the configurations at the configured time interval once you log in to the gateway console, as shown below:

Click the <OK> button and you may enter the [Maintenance] > [Backup/Restore] > [System] page directly, as shown below:

[Backup]: Click the <Click to Back Up System Configurations> link and select a saving path to back up the present configurations and save them into the local computer, and then click the <Save> button.

[Restore]: Click the <Click to Restore Backup Configurations> link and load the backup configuration file to replace the current configurations with the backed up ones. The related pages are as shown below:

The system configurations saved in the local computer include that of the [WAN Optimization] module.

3.2.1.2.2 WAN Optimization

On the [WAN Optimization] configuration page, the three options, namely, [Backup Configuration], [Restore Configuration] and [Restore From Auto Backup], only help to back up or restore the configuration of [WAN Optimization] module rather than back up or restore all the configurations of the local WAN Accelerator, and these backup configurations are stored in the WAN Accelerator instead of the local computer.

Select [Backup Configuration] option and select a needed backup file in the list, and then click the <Save Backup> button to back up the current WAN Optimization configurations into the file or click the <Delete Backup> button to delete the selected backup file. The tab is as shown below:

Select [Restore Configuration] option and select a needed backup file, click the <Restore> button to replace the current WAN optimization configurations with those in the selected file that has been backed up, as shown below:

Select the [Restore From Auto Backup] option and select a needed backup file, click the <Restore> button to replace the current configurations with those of the selected backup file, as shown below:

3.2.1.3 Reset/Restart/Shutdown

[Reset/Restart/Shutdown] is used for fast reboot, shutdown of the local WAN Accelerator and recovery the settings to factory default. The page is as shown below:

Some WAN Accelerator models DO NOT support the <Shutdown> function on this page (as shown below):

3.2.1.4 Web Console

[Web Console] page enables you to execute some common commands on Web page (including Ping, arp, ip route, etc.) and to inspect the network failure and device failure. You can easily locate some problems by executing these commands. The page is as shown below:

Here, we take the most frequently-used commands ping, ip route for examples to illustrate how to use the commands on web console.

Example 1: Type ping plus a destination IP address on the command line, and you can check the connectivity between this destination IP address and the local WAN Accelerator, as shown below:

From the returned results we can see the connectivity to destination address 10.254.254.120 is smooth.

Example 2: Type ip route on the command line to view the routing table of the WAN Accelerator, as shown below:

As to other commands that can be executed through the [Web Console] page and the related introduction to each command, please type help command on the command line.

3.2.2 Status

[Status] includes six submenus, namely, [WAN Optimization], [Logs], [Bandwidth Monitor], [VPN], [DHCP Status] and [Gateway Status].

3.2.2.1 WAN Optimization

[WAN Optimization] consists of [Acceleration Status], [Acceleration Connections] and [Application Connections] pages.

3.2.2.1.1 Acceleration Status

[Acceleration Status] displays the system running status, including CPU usage, memory usage, disk usage (used/total), service uptime, flow before/after acceleration, flow reduction rate, etc. You can also view the real-time flow over the past 60 seconds, real-time connections over the past 60 seconds and real-time IP flow on this page, as shown below:

[Refresh]: Click it to refresh the displayed running status of WAN optimization.

[Disable]/[Enable]: Click it to stop or start WAN optimization service. Click the <Enable> button to start the WAN optimization service, or click the <Disable> button to stop the WAN optimization service, and all the sessions of the WAN Accelerator will be disconnected.

[Clear All Cache]: Click it to clear all the cached data used by the WAN optimization service. If you are sure to clear the cache, click the <OK> button on the pop-up dialog (as shown below), WAN optimization services will stop and all the system cache related to WAN optimization will be cleared. After system has cleared the cache, the acceleration connection will resume automatically.

Once you clear the cache, all the cached files on the WAN Accelerator will be deleted, which means all the data saved by the byte cache will get lost and afterward have to be cached once again.

3.2.2.1.2 Acceleration Connections

[Acceleration Connections] page helps to search and display the connection information. You can also set some filtering options to view the connection status of specified device(s) or mobile user(s). The page is as shown below:

[User]: Displays the name of the gateway/user currently connecting in or connecting out.
[Peer IP]: Displays the LAN IP address of the peer WAN Accelerator.
[Status]: Displays the connection status of the corresponding user.
[Flow(before/after)]: Displays the amount of flow going through the device before and after acceleration. Normally, flow throughput caused after acceleration is less than that caused before acceleration.
[Sessions/Tunnels]: Displays the total number of sessions and the remaining number of sessions available for acceleration connection.
[Speed]: Displays transmission speed of the currently-accelerated data.
[Connection Time]: Displays the time when the user connects in to or exits from the WAN Accelerator.
[Operation]: Click the corresponding link and you can view that single user’s real-time flow caused over the past 60 seconds, or view the application connections of that user.
[Protocol]: Displays the acceleration protocol being used by the user.
[Peer Device]: Displays the name of the peer device. If it is a mobile user, the name is PACC.
[Reduction Rate]: Displays the rate of the flow caused before acceleration to the flow caused after acceleration.
[Reverse User]: Displays the name of the user.

3.2.2.1.3 Application Connections

[Application Connections] page enables you to search and display the connection status of various applications. Choose an application type (Proxy type), and enter source IP address (Host IP) and destination IP address (Remote IP), and then click the <Search/Refresh> button to view the connection status of the specified connection(s) applying the selected application type. The page is as shown below:

3.2.2.2 Logs

[Service Logs] displays the running logs and error messages of the WAN Accelerator. To view the needed logs, select a date and the system will display the corresponding logs generated during the specified time period, as shown below:

Click the <Log Settings> button to define the display of service logs, as shown below:

The SANGFOR WAN Accelerator will only save the logs for 14 days; the logs of the earlier days will be deleted automatically.

3.2.2.3 Bandwidth Monitor

[Bandwidth Monitor] enables you to view the running status of the bandwidth management function and of each channel, and view the flow information of the external lines and bandwidth channels.

3.2.2.4 Flow Status

[Flow Status] page displays the running information of BM module, flow information of bandwidth channels and information of exclusion policy (of bandwidth channels), as shown below:

[Running Information of Bandwidth Management]: Displays the running status of the system and the flow information of the external lines, etc.

<Stop Refresh>: Click this button to stop automatically refreshing the flow information.

[Display]: Select [All Channels] or [Running Channels] to display the bandwidth and flow information of all the configured bandwidth channels or of the running channels configured.

[Over]: Select a time period based on which the flow and flow speed statistics are to be made, namely, the past [5 minutes], [15 minutes], [30 minutes], [1 hour], [2 hours], or [6 hours]. The device will calculate the flow information over the selected time period.

[Save Settings]: Click this item to save your display preferences, [Display] and [Over]. Next time when you view the [Flow Status] page, the flow status information to be displayed will be collected according to your display preferences.

Bandwidth Channel

[+] or [-]: Click the icon [+] or [-] to unfold or fold the information of each sub-channel respectively.
[No.]: Displays the name of the channels.
[Realtime Speed]: Displays the real-time uplink and downlink bandwidth of the channel.
[History Speed]: Displays the history speed of the selected time period.
[History Flow]: Displays the history flow caused during the selected time period.
[Usage]: Displays the ratio of actual bandwidth utilized by the channel to the total bandwidth.
[Number of Users]: Displays the number of users that are causing flow on the channel.
[Assured Bandwidth]: Displays the assured bandwidth of the channel allocated by the system.
[Max. Bandwidth]: Displays the configured maximum bandwidth of the channel.
[Priority]: Displays the priority of the channel. The channel that has higher priority will be allocated with more remaining bandwidth from other bandwidth channels.
[Status]: Displays the running status of the channel, running, disabled or stopped, etc. [Stopped] mainly shows up when it is an invalid time for the bandwidth channel to take effect (check the valid time of this bandwidth channel).

Exclusion Policy

[Exclusion Policy] displays the real-time speed, history speed and history flow related to the application(s) and service(s) not included in the bandwidth channel (policies). The page is as shown below:

3.2.2.4.1 Flow Rankings

[Flow Rankings] page enables you to view the real-time uplink flow and downlink flow rankings, and view [Uplink and downlink] flow, [Only uplink] flow or [Only downlink] flow, as well as select the time interval to have the flow rankings be automatically refreshed. You can search for (by specifying the IP address) maximum 400 users of their flow rankings. The page is as shown below:

3.2.2.4.2 Connections Monitor

[Connections Monitor] page enables you to search for the connection information of the entered IP address. The page is as shown below:

3.2.2.5 VPN

[VPN Status] page displays the information of the real-time VPN connections and network flow. The page is as shown below:

Click the <Stop Service> button to stop the VPN service temporarily.

3.2.2.6 DHCP Running Status

[DHCP Running Status] page displays the IP allocation information of DHCP. Only when the DHCP is enabled and configured will the relevant data be displayed on this page. It is as shown below:

3.2.2.7 Gateway Status

[Gateway Status] page presents the WAN interface IP addresses of the local WAN Accelerator and traffic going through these WAN interfaces, etc., and allows you to enable the remote maintenance feature and to start the services. The page is as shown below:

3.2.3 Tools

[Tools] includes [Ping], [Tracert] and [Show ARP].

as shown below: Here. 3. as shown below: 42 . <Ping> has exactly the same function as the ping command on Web console. Enter the IP address.2Tracert [Tracert] page mainly helps to check whether there is any route address unreachable between the SANGFOR WAN Accelerator and the destination IP address.3.3.SANGFOR WAN Accelerator 6. and click the <Ping> button.2. Enter the destination IP address and then click the <Tracert> button.2.1Ping [Ping] page mainly helps to check the connectivity of the networks.0 User Manual 3.

Here, <Tracert> has exactly the same function as the traceroute command on Web console.

3.2.3.3 Show ARP
[Show ARP] page mainly helps to check the ARP table of the SANGFOR WAN Accelerator, and thus check whether ARP spoofing exists. Click the <Show ARP> button, as shown below:
Here, <Show ARP> has exactly the same function as the arp command on Web console.

3.2.4 Wizard
[Wizard] page shows you the sequential steps to configure the basic pages quickly. Just follow the steps given by the wizard to complete configuring each module.

The page is as shown below:
Click the link (in light blue) to directly enter the corresponding configuration page. As for the detailed configuration guide for each page, please refer to the relevant section in this user manual.

3.2.5 Data Center
Click the main menu [Data Center] and you will enter the Internal Data Center of the WAN Accelerator. The homepage of the Internal Data Center is as shown below:
For detailed introduction and usage guide to the Data Center, please refer to 3.8 Sangfor VPN.

3.2.6 Help
Click [Help] and you will see the brief introduction to the activated page.

3.3 Home
[Home] page is exactly the same as that of [Status] > [WAN Optimization] page. Please refer to Section 3.2.2.1 WAN Optimization.

3.4 System
[System] module includes the configurations of [System Settings], [Deploy Settings], [Users], [Network Objects] and [DHCP Settings], as shown below:

3.4.1 System Settings
[System Settings] consists of [General], [NTP Settings], [Web UI Settings] and [Advanced] pages, as shown below:

4. Having saved and applied the settings. 3.1General [General] page configures the date.0 User Manual 3.4.1. and choose a most accurate time to synchronize the time of the local device. you have to click the <Save and Apply> button to save the settings.2NTP Settings [NTP Settings] page configures the time synchronization options to have the system time of the WAN Accelerator keep synchronizing with the NTP servers.1. as shown below: Have completed configuring the date. time and time zone. you can get the time of each NTP server. and then click the <Sync Now> button.SANGFOR WAN Accelerator 6. time and time zone on the WAN Accelerator. The page is as shown below: 47 . Enter the addresses for the four servers.

Click the <Sync Now> button to have the system time synchronize with the server immediately. Having completed configuring the page, you have to click the <Save> button to save the settings.

3.4.1.3 Web UI Settings
[Web UI Settings] page configures the Web service port of the gateway console and the timeout options functioning after the user logs in to the gateway console. The page is as shown below:
[HTTPS Login Port]: Configures the HTTPS port used for logging in to the gateway console. If the service port (HTTPS login port) is modified, you have to log in to the gateway console through this new port.
[Page Timeout]: If there is no operation on the console during this period of time, the console user will automatically log out of the gateway console.
[Operation Timeout]: If a page fails to open during this time interval, the system will think it timed out and will not try to open this page again.
Having completed configuring the page, you have to click the <Save and Apply> button to save and apply the settings.

3.4.1.4 Advanced
[Advanced] page configures the listening port for the acceleration service provided by the WAN Accelerator, the device name and functions of MAC Track, High-speed TCP, as shown below:
[Listening Port]: Configures the listening port of acceleration service provided by the WAN Accelerator. It is TCP and UDP 5400 port by default. Each WAN Accelerator must be able to access its peer listening port normally, otherwise, the two terminals will fail to establish the acceleration connection.
[Device Name]: Defines the name of the WAN Accelerator, distinguishing it from WAN Accelerators of other sites. This name will be displayed at the top of WEB UI page, together with the SANGFOR logo.

[Enable MAC Track]: Check or uncheck this option to enable or disable the MAC Track function respectively. MAC Track function takes effect only in Bridge mode. When the WAN interface of the bridge device receives TCP SYN data from other tunnel (instead of the acceleration tunnel), the destination IP address and Destination MAC address will be recorded. If there are other TCP data need access this destination IP address through the acceleration tunnel, the bridge device will directly forward the data from the LAN interface to the host’s MAC address according to the information recorded before. Check the [Enable MAC Track] option and there is no need for you to add a return route in single Bridge mode.

Case Study 1: Environment and Configuration For MAC Track
The following figure shows the topology of certain company: the WAN Accelerator is deployed in Bridge mode, in the headquarters’ network, as shown below:

Step 4: Configure [WAN Optimization] > [Server] page.168.2/24.SANGFOR WAN Accelerator 6. Step 2: Configure the Br0 IP address as 192.1/24. [Enable High-speed TCP]: Check it to enable the high-speed TCP function. and select [Bridge] as the [Deployment Mode].16.1/24. gateway IP address as 192. As to the configuration on the Branch’s WAN Accelerator. more efficient than TCP 51 . with enhancement on the sliding window and amendment on congestion control algorithm.0. MANAGE interface IP and DNS address according to your case. please follow the steps below: Step 1: On the [System] > [Deploy Settings] > [Network Interface] page.0.0. Step 3: Check the [Enable MAC Track] option on the [System] > [Advanced] page. select [Acceleration Only] as the [Service Mode].0.2/24. and select [Bridge] as the [Deployment Mode]. High-speed TCP function is an improvement of the traditional TCP protocol. default gateway IP address as 172.16. Step 3: Configure [WAN Optimization] > [Client] page.168.0 User Manual Configuration steps on the Headquarters’ WAN Accelerator are as shown below: Step 1: On the [System] > [Deploy Settings] > [Network Interface] page. MANAGE interface IP and DNS address according to your case. Step 2: Configure the Br0 IP address as 172. select [Acceleration Only] as the [Service Mode].

protocol in large bandwidth and high-latency environment. However, in some network environment, the efficiency of high-speed TCP might be lower than that of the traditional TCP, and in that case, this option is not recommended to be checked.

3.4.2 Deploy Settings
[Deploy Settings] includes configuration pages of [Network Interface], [Local Subnet], [Static Route], [Dynamic Route], [Windows Domain], [VPN Interface] and [Multi-line Settings]. Another two configuration pages of [CDP Settings] and [WCCP Settings] are only available in [Acceleration Only] service mode and [Single arm] deployment mode, as shown below:

3.4.2.1 Network Interface
[Network Interface] page configures the working mode of the WAN Accelerator, interface IP address and DNS address, etc. Working mode includes [Service Mode] and [Deployment Mode].
[Service Mode] falls into [Acceleration Only] and [VPN and Acceleration] service modes.
[Acceleration Only]: When this option is selected, the device only enables the acceleration function, which means the VPN function is unavailable. Under this service mode, you can deploy the WAN Accelerator in Gateway mode, Bridge mode, Double Bridge mode and Single Arm mode. Bridge mode supports asymmetrical route mode while single arm mode supports deployment combined with PBR+CDP or WCCP. This selection is suitable for the network environment that is using a dedicated line or that has established VPN with other networks.
[VPN and Acceleration]: When this option is selected, the device enables both the VPN function and acceleration function. In this service mode, you can only deploy the WAN Accelerator in gateway mode: use the integrated IPSec VPN function of SANGFOR WAN Accelerator to establish VPN connection between the two terminals, and then enable the acceleration function to establish acceleration tunnel. It is suitable for the environment that both WAN Accelerators are deployed in public network but neither has established any VPN connection.

3.4.2.1.1 Gateway Mode
The [Network Interface] configuration page of gateway mode is as shown in the following page:

[LAN] is a network segment that the firewall protects, covering all the devices and hosts of the local area network. LAN network segment is a trusted one for the firewall.
[WAN] section configures the external lines. Select a [Line Type], [Ethernet], [PPPOE] or [DHCP]. If you are connecting to the Internet through PPPOE dial-up, select [Line Type] “PPPOE”, fill in the [User Name], [Password] and check the [Enable auto dial] option, from then, the WAN Accelerator will automatically dial up once it disconnects with the Internet.
[Advanced Attribute] consists of the parameters for dial-up, they are 20, 80 and 3 by default.
Having completed configuring the page, click the <Save and Apply> button to save all the settings, all the services will restart, log in again and then click the <Start Dial-up> button, as shown below:

[DMZ] defines the small network segment in a local area network of an enterprise. Some servers are located in DMZ network segment, providing services for the external networks, such as web server, mail server, FTP server and external DNS server, etc. The firewall allows the services of this network segment to be delivered to the WAN and protects it from attacks at the same time. If the DMZ interface (ETH1 on the front panel of device) is not used, keep the default settings unchanged.
[DNS] shows the DNS addresses provided by the local ISP. Fill in the correct address according to your case.
[MTU] configures the MTU value of the interface, it is the Ethernet standard value 1500 bytes by default. In some network environment, if the MTU of certain network device is lower than 1500, the related data packets might be discarded, in that case, you can manually modify this MTU value and keep it relevant with that of the network device.
- The filled in interface IP addresses of LAN, WAN, DMZ must be coherent with your network.
- If WAN interface is using a static IP address, you can bind multiple IP addresses with this interface. Just click the <Multi-IP Binding> button, enter the IP addresses and click the <OK> button, as shown below:

4.  The IP address bound with WAN interface cannot be used again to connect VPN.2.0 User Manual  The IP address bound with the WAN interface must be of a same network segment with that of the WAN interface. 3.SANGFOR WAN Accelerator 6.2 Single Arm Mode The [Network Interface] configuration page of Single Arm mode is as shown below: Under Single Arm mode. 57 . the IP address bound will not work normally. otherwise.1. WAN and DMZ options are unavailable.

Having completed configuring the LAN interface IP, subnet mask, default gateway and DNS address, you have to click the <Save and Apply> button to save the settings.
If there are multiple network segments in the local area network where the single-arm mode WAN Accelerator locates, you have to configure the subnet segments of the LAN on the [Local Subnet] page (excluding the subnet segment of the LAN interface IP).

3.4.2.1.3 Bridge Mode
The [Network Interface] configuration page of Bridge mode is as shown below:

[Bridge Interface]: Select two interfaces to establish the bridge, options are [LAN->WAN1], [DMZ->WAN2]. You cannot define the interface for bridging.
[Logic Interface]: Configures the IP address of the logic interface (Br0), subnet mask and default gateway of the bridge-mode WAN Accelerator.
[Manage Interface]: Configures the IP address of the MANAGE interface of the bridge-mode WAN Accelerator. You can select any of the interface as the MANAGE interface except the interfaces used for bridging.

- Under Bridge mode, LAN and WAN direction cannot be mixed up, otherwise, no acceleration effect will be achieved.
- The MANAGE interface can only be used for managing the SANGFOR WAN Accelerator, not supporting other use such as the WAN Accelerator getting access to the Internet through this MANAGE interface.
- The IP address of the logic interface must be of the same subnet segment as that of the WAN-end firewall/router, and as that of the LAN-end core switch.

3.4.2.1.4 Double Bridge Mode
The [Network Interface] configuration page of Double Bridge mode is as shown below:


Under the Double Bridge mode, you need to configure two bridges (BR0 and BR1), including the logic IP address, subnet mask, default gateway of LAN and default gateway of WAN.
[Default Gateway(WAN1/WAN2)]: Indicates the interface IP address of other devices at the WAN end of the SANGFOR WAN Accelerator. Configure [Default Gateway(WAN1/WAN2)] and you will have the WAN Accelerator communicate with the external networks normally to establish acceleration connection.
[Default Gateway(LAN/DMZ)]: Indicates the interface IP address of the core switch at the LAN/DMZ end of the WAN Accelerator. Configure [Default Gateway(LAN/DMZ)] and you will be free from adding a return route when there is layer 3 switch in the local area network and there are divisions of VLAN.
[Virtual IP Settings]: Configures the virtual IP address of the double-bridge WAN Accelerator. It is this virtual IP address through which other WAN Accelerators establish acceleration connections with this double-bridge WAN Accelerator.
[Enable synchronization link]: This function is applied to the redundant network environment (such as VRRP) where the WAN Accelerator is deployed in Double Bridge mode. Once the system detects that any interface of the bridge pair falls out, it will automatically disconnect the other interface of the bridge pair, so as to ensure smooth data transmission and switch between the redundant WAN Accelerators.
- Logic Interface IP of BR0 and BR1 cannot be at a same network segment.

[Default Gateway(LAN/DMZ)] must be filled in.0) and the subnet mask on the following page.168.168.SANGFOR WAN Accelerator 6.10.168.3Static Route [Static Route] page helps to add a route for the data (both VPN and non-VPN) that are to be forwarded by the WAN Accelerator and the data of the WAN Accelerator itself.0/24 and 192.4. deployed in Single Arm mode.2Local Subnet [Local Subnet] page configures the subnet segments of the local terminal if the WAN Accelerator is deployed in Single Arm mode (the subnet segment where the LAN interface IP locates does not need to be added).0/24.10.4.2.0/24. You need only enter the subnet segment (192. The page is as shown below: Case Study 2: Add Subnet In Single-Arm Mode Suppose there are two network segments in the Intranet of an enterprise: 192. 3. [Default Gateway(LAN/DMZ)] is not required. 63 . as shown below: 3. and then click the <OK> button.  If there is a layer 3 switch in the local area network.0 User Manual  The virtual IP can be or not be in the same network segment of BR0 or BR1.168.20.20.2. The WAN Accelerator locates at 192. if there is only a layer 2 switch.

168.20.168.0/24 and 64 .10.168.168. b.10. Now.254 and the data packets can finally return to the computer located in the 192. Case Study 3: Add Packet Return Route This case study presents how to add packet return route when the device proxies multiple segments for Internet access. including that for 192. suppose there are two network segments in the internal network of an enterprise: 192.168. you need to add a system route so that the WAN Accelerator can return the data packets from different network segments to the right switch or router in the internal network. located in the 192.168.20.10.168.168.X.168.168.168.168.X subnet.X.X subnets want to connect to the Internet through the WAN Accelerator which works as the public network egress. When there are several segments in the Intranet of an enterprise and these segments request accessing the Internet through SANGFOR WAN Accelerator.10. Please follow the steps below to complete the configurations: Step 1: Add multiple rules of source translation.X network segment.254 of the layer 3 switch.20.0 User Manual The page is as shown below: [Static Route] can fulfill the following two functions: a.168. the 192.10.20. For example. you need to add a static route on the WAN Accelerator so that it can return the data packets of 192.X) of WAN Accelerator are not of a same segment.20. configure the packet return route to establish acceleration connection if the target LAN consists of multiple subnets and the [PreConnection] option is checked on the peer’s WAN Accelerator.X and 192.X subnet and LAN interface (192. The computers of each segment direct to their respective gateway 192. The two segments are interconnected and can communicate with each other through the layer 3 switch.SANGFOR WAN Accelerator 6. The WAN interface is connected to the Internet.X to the layer 3 switch 192.) Add packet return route when the WAN Accelerator proxies multiple segments for Internet access.10. The LAN interface IP of WAN Accelerator is 192.) 
Local WAN Accelerator being deployed in Bridge mode.1.X and 192. Since the 192.20.

168.1 Connect to Central Gateway).168.1.168.0/24 (for details.4.5.20.168.10.10.254 of the layer 3 switch (able to reach subnet 192. The WAN Accelerator of the Headquarters is deployed in Bridge mode.20. when the local WAN Accelerator is deployed in Bridge mode and if the target LAN consists of multiple subnets and the [Pre-Connection] option is checked on the peer WAN Accelerator.X whose gateway directing to the interface 192.SANGFOR WAN Accelerator 6.254.1. On the Branch’s WAN Accelerator.2 SNAT).168. between the core switch and the firewall. Solution: add a route on the [Static Route] page for subnet 192.168. The core switch divides some subnets to several VLANs.10.0/24 ->192. the [Pre-Connection] option is checked (for detailed introduction. in the network segment 192. Step 2: Add static route: 192.x/24) of the core switch.0 User Manual 192. as shown below: Case Study 4: Add Packet Return Route The case study shows how to configure the packet return route to establish acceleration connection.7. please refer to Section 3. and is going to connect to the Headquarters’ WAN Accelerator and access the VLAN 10 (subnet: 192.X).x/24. as shown below: 65 . please see [Firewall] > [Source Translation] or Section 3.168.1.168.
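The addressing rules this chapter states for [Multi-IP Binding], for the BR0/BR1 logic interfaces and for packet return routes (Case Studies 3 and 4) can be checked offline before a configuration is applied. The following is an added example, not code from the manual or from SANGFOR; the function names are hypothetical and all addresses are constructed sample values in the style of the case studies.

```python
import ipaddress


def bound_ips_outside_wan(wan_interface, bound_ips):
    """Return the bound IPs that do not sit in the WAN interface's segment.

    The manual states such addresses "will not work normally".
    """
    wan_net = ipaddress.ip_interface(wan_interface).network
    return [ip for ip in bound_ips if ipaddress.ip_address(ip) not in wan_net]


def bridges_share_segment(br0_interface, br1_interface):
    """True when the BR0 and BR1 logic interface IPs fall in one segment,
    which the Double Bridge notes do not allow."""
    br0 = ipaddress.ip_interface(br0_interface).network
    br1 = ipaddress.ip_interface(br1_interface).network
    return br0.overlaps(br1)


def return_route_findings(lan_interface, internal_subnets, static_routes):
    """Check that every internal subnet has a usable packet return route.

    static_routes is a list of (destination CIDR, next-hop IP) pairs.
    Returns human-readable findings; an empty list means nothing to fix.
    """
    lan = ipaddress.ip_interface(lan_interface)
    findings = []
    usable = []  # destinations whose next hop is reachable on the LAN segment
    for dest, hop in static_routes:
        dest_net = ipaddress.ip_network(dest)
        hop_ip = ipaddress.ip_address(hop)
        if hop_ip == lan.ip:
            findings.append(f"{dest_net} via {hop_ip}: next hop is the LAN interface itself")
        elif hop_ip not in lan.network:
            findings.append(
                f"{dest_net} via {hop_ip}: next hop is not on the LAN segment {lan.network}"
            )
        else:
            usable.append(dest_net)
    for cidr in internal_subnets:
        subnet = ipaddress.ip_network(cidr)
        if subnet.subnet_of(lan.network):
            continue  # directly connected, no return route needed
        if not any(subnet.subnet_of(dest) for dest in usable):
            findings.append(f"{subnet}: no return route")
    return findings


if __name__ == "__main__":
    # Constructed sample: LAN interface on 192.168.1.0/24 (host address assumed),
    # two internal segments behind a layer 3 switch at 192.168.1.254.
    lan_if = "192.168.1.1/24"
    subnets = ["192.168.10.0/24", "192.168.20.0/24"]
    routes = [("192.168.10.0/24", "192.168.1.254")]  # route for .20 forgotten
    for line in return_route_findings(lan_if, subnets, routes):
        print("static route:", line)

    # Constructed WAN line with two bound addresses, one outside the segment.
    print("bound IPs outside WAN segment:",
          bound_ips_outside_wan("203.0.113.10/29", ["203.0.113.11", "203.0.113.20"]))

    # Constructed BR0/BR1 logic interface addresses in the same segment.
    print("BR0/BR1 share a segment:",
          bridges_share_segment("172.16.0.2/24", "172.16.0.3/24"))
```
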

3.4.2.4 Dynamic Route
[Dynamic Route] page configures the dynamic RIP settings to enable the SANGFOR WAN Accelerator to inform other routing devices of the routing information by using RIPv2 protocol, to ensure that the RIP routing information of the LAN routing devices can be dynamically updated. The routing device itself does not accept dynamic update implemented by the RIP routing protocol, and therefore, if the WAN Accelerator wants to communicate with other LAN routing devices that have enabled RIP protocol, it must be configured manually with a static route. You can configure it according to your specific case.
[Enable Routing Information Protocol]: Check the option and this function will be activated. The WAN Accelerator will inform the LAN routing device (configured on the tab above) of the network information of the peer terminal with which the local WAN Accelerator has established VPN connection. With that information, the routing device will update its routing table, adding a route that directs to the peer WAN Accelerator, and the local WAN Accelerator being the gateway of this route (once the VPN connection cuts off, the local WAN Accelerator will inform that routing device of the disconnection so that it can delete this route).
[IP Address], [Port]: Configures the IP address and port of the routing device to which the WAN Accelerator sends routing update information initiatively.
[Enable Password Authentication]: Configures the password needed for exchanging RIPv2 protocol information.
[Trigger Update]: Check this option and the WAN Accelerator will trigger the update of the routing information when the routing information changes, in that case, the [Update Frequency] setting will get invalid.
[Record Logs]: Check this option and the WAN Accelerator will log the RIP routing update information.
Click <Save> button to complete configuring and saving the settings of this page.

3.4.2.5 Windows Domain
[Windows Domain] page helps to add the WAN Accelerator into the windows domain of the intranet, so as to improve Exchange 2007 in receiving and sending emails. If the WAN Accelerator cannot be added into the windows domain, receiving/sending email of Exchange 2007 will not be accelerated. The page is as shown below:
[Domain Name]: Defines the domain name of windows domain.
[Domain Controller]: Configures the domain controller of the windows domain.
[Primary DNS]: Displays the DNS address configured on the [Network Interface] page. This DNS address must be the DNS address of the Intranet domain.
[Username]: Configures the admin account used for logging into the windows domain.
[Password]: Configures the password of the admin for logging into the windows domain.
[Confirm Password]: Enter the password again to confirm the correctness of the password.
[Status]: Displays the status whether it has been added to the windows domain.
<Join>: Click this button to have the WAN Accelerator join the configured windows domain.

you can see the status “In domain wcc.com. Enter the [Windows Domain] configuration page. Case Study 5: Join WCC.com. username Administrator and the password.wcc. <Reset>: Click this button to clear the configurations and configure these items once again.com domain of the Intranet. domain controller sangfor. If it joined successfully.wcc.com”.SANGFOR WAN Accelerator 6. define the domain name wcc.COM Domain Requirement: To add the server WAN Accelerator into www. The page is as shown below: 68 . Only the server WAN Accelerator need join the windows domain.2. as shown below: 3. Make sure that the WAN Accelerator can communicate with the domain controller smoothly. and then click the <Join> button to add the WAN Accelerator into the www.wcc.0 User Manual <Exit>: Click this button to have the WAN Accelerator exit from the windows domain.com domain. the client WAN Accelerator need not join the windows domain.4.6VPN Interface [VPN Interface] page configures the IP address and mask of the virtual network adapter for the IPSec VPN service.

SANGFOR WAN Accelerator 6. the network segments that the LAN interface and DMZ interface locate at both sides (server WAN accelerator and client WAN accelerator) cannot access each other.0 User Manual [VPN Interface Setting]: Configures the local VPN’s network segment and mask which the peer VPN will be informed of. The configuration is as shown below: 69 . If neither is checked and configured. Select the [Default] option if you want to use the default IP address and mask. or define an idle IP address if the default IP address conflicts with any working IP address. If either [LAN Mask] and [DMZ Mask] is checked and configured. the local WAN Accelerator will only inform the peer VPN of the network segment that owns the configured mask (mask of the LAN or/and DMZ interface).

VPN port is a virtual port of the WAN Accelerator, in reality, no such physical port exists.

3.4.2.7 Vlan Settings
[Enable VLAN Support]: Check this option to enable the VLAN Support feature. The page is as shown below:
VLAN Support function enables the peer WAN Accelerator (peer device) to restore the original VLAN ID of the processed data packet (for the local WAN Accelerator changes the VLAN ID during data processing), and ensures the peer device to distinguish the data (which VLAN it belongs to). When the LAN interface of the local WAN Accelerator (local device) receives a request data packet from the peer device, the local device removes the VLAN ID of the packet and sends the processed packet (accelerated) back to the peer device through its WAN interface, after that, the peer device receives the returned packet and also handles the packet, at the same time, the peer device restores the original VLAN ID of the data packet according to the records taken by the local device, and then forwards the processed data to its local area network.
VLAN Support function only works in one type of network, for details, please refer to the case study followed (Case Study 6).

Case Study 6: Environment and Configuration of VLAN Restore
VLAN Support function only takes effect in one type of network, as shown below:
The Headquarters and Branch Office are connected to each other by a leased line, at each end of the leased line is a switch, the two switches have enabled trunk. Both the Headquarters and Branch Office have VLAN 1 and VLAN 2. VLAN 1 and VLAN 2 cannot access each other.
Requirement: To accelerate the data transmission from VLAN 1 and VLAN 2 to the Headquarters (HQ).
To achieve the acceleration effect, we deploy the two WAN Accelerators in between the two switches of the headquarters and the branch, in Bridge mode. Detailed configuration procedure is as shown below:
Step 1: Under Bridge mode, configure the IP addresses of the Br0 interfaces of the two WAN Accelerators, the two IP addresses must be of a same network segment, ensuring the communication between the two WAN Accelerators.
Step 2: Configure the server WAN Accelerator and client WAN Accelerator to have the server and client establish acceleration connection quickly.

Step 3: Check the [Enable VLAN Restore] option on both the server WAN Accelerator and client WAN Accelerator.
Step 4: Configure on the bridge device to bind multiple IP addresses that are at the network segment of VLAN 1 and VLAN 2.
Step 5: If the [Pre-Connection] option is checked, we have to configure the local subnet on the server gateway, to add the network segments of VLAN 1 and VLAN 2.
VLAN restore function only takes effect in the network environment as shown above. As to other VLAN environment and whether it is applicable, please consult the technicians of SANGFOR.
[Enable VLAN ID Settings]: Check this option to apply the VLAN ID settings. Click the <New> button and configure [VLAN ID] and [Destination IP] (single IP address or IP range) to have the destination IP address labeled with the VLAN ID. The related IP address(es) contained in the data packet that is to be forwarded, after being handled by the WAN Accelerator, will be tagged with the corresponding VLAN ID. In this way, the IP addresses of a same VLAN or of different VLANs can access each other.
<Search>: Enter a destination IP address into [DST IP Range] textbox and click this button to search the VLAN items that contain this destination IP address.
<Delete>: Click this button to delete the selected VLAN Item.
<Save and Apply>: Click this button to save and apply the newly added VLAN settings.

For case study, please refer to the case study followed (Case Study 7).

Case Study 7: Environment and Configuration of VLAN ID Settings
VLAN ID Settings apply to networks of the following topology:
The HQ WAN Accelerator and Branch WAN Accelerator are connected to each other with a leased line, at each end of the leased line is a router. The router enables single-arm routing function (the interface is configured with multiple sub-interfaces). Both the headquarters and branch have VLAN 100, VLAN 200 and VLAN 300, which cannot be accessed by other VLAN.
Requirements:
a). VLAN 100, VLAN 200 and VLAN 300 can access each other, and at the same time, these VLANs and HQ VLAN servers can access each other.
b). accelerate the data transfer between the VLAN (VLAN 100, VLAN 200 or VLAN 300) and headquarters.
To meet the customer’s two requirements, our only choice is to deploy the WAN Accelerator in Bridge mode, in between the switch and router, and then configure the system as follows:
1. Configurations on WAN Accelerators:
1.) Bind the server/client WAN Accelerator with IP addresses, ensuring that each VLAN has at least an IP address being bound, so that the WAN Accelerator can access every VLAN.
2.) Check the [Enable VLAN ID Settings] option for the server WAN Accelerator and the client WAN Accelerator, and then configure the VLAN settings, as shown below:

3.) Configure the other necessary settings for the server WAN Accelerator and the client WAN Accelerator, and ensure that the two WAN Accelerators can establish acceleration connection smoothly.
2. Configuration on the Switches
1.) Configure Router
The router must be configured with sub-interfaces, every VLAN is assigned with a subinterface IP address.
2.) Configure Switch
Configure the switch to ensure it supports VLAN, configure the TRUNK interface and the VLAN data that are allowed to go through it.

3.4.2.8 Multi-Line Settings
In network that WAN Accelerator is deployed in Gateway mode using multiple WAN lines, or in network that WAN Accelerator is deployed in Single-arm mode with multiline function being enabled, you need add the lines on this tab. You can add, delete and edit the line information and configure the line selection policy. The default configuration page is as shown below:
If your case is any of the two situations above, please check the [Enable Multiline] option and add the related lines into the list.
<New>: Click this button to add a line. The pop-up [Edit Multiline] page is as shown below:
Select a line and configure the connection mode of the line. If the line type is Ethernet, you must configure testing DNS and the DNS IP address must be an accessible Internet IP address; if the line type is ADSL dial-up, the DNS address can be null.
[Static IP]: Enter the corresponding static Internet IP address according to your case. If it is a dynamic IP address, uncheck the [Use Static Internet IP] option and leave [Static IP] blank.
Click <Save> button to save the settings.
<Advance>: Under the [Multi-Line Settings] tab, click this button and the [Multi-Line Advanced Settings] dialog pops up, as shown below:

If you want to close the multiline status detection function when the Internet lines are activated and in good status, UNCHECK the [Enable DNS Detection] option.
[DNS Detection Time]: Specifies the time interval that the multiline status is to be detected. It only applies when the option [Enable DNS Detection] is checked.
Multi-line advanced settings are only applicable to network that has multiple Internet lines. If your network has only one Internet line, you need not configure the advanced settings.

3.4.2.9 CDP Settings
[CDP Settings] page configures the options of CDP protocol supported by the WAN Accelerator. In page [System] > [Deploy Settings] > [Network Interface], select [Service Mode] “Acceleration Only”, and select [Deployment Mode] “Single arm”, and then the [CDP Settings] tab is seen, as shown below:

Check the [Support CDP Protocol] option and type the gateway name and detection time in the boxes.
- The purpose of checking the [Support CDP Protocol] option is to enable the single-arm WAN Accelerator (VPN function is not supported) to associate with the CDP-supported frontend device, so as to implement policy-based routing. As the front-end device will be unable to detect the existence of the WAN Accelerator with CDP when the single-arm WAN Accelerator is in failure, the frontend device itself will invalidate the policy-based routing and restore the previous data flow direction, so as to avoid impact caused by the failure of the WAN Accelerator.
- At present, the only supplier supporting CDP is CISCO.

3.4.2.10 WCCP Settings
WCCP is a newly-added function of SANGFOR WAN Accelerator 6.0. [WCCP Settings] (Web Cache Communication Protocol) is able to restore the network structure in case of network fault, ensuring the robustness of the network. It can keep the network structure unchanged when the routing table on the core switch is modified because of the single arm deployment.

Introduction to WCCP Protocol
WCCP is a communication protocol specifying communication between a router and Cache Engine. The Cache Engine is a specific device (such as the SANGFOR WAN Accelerator) for data cache, while the router is in association with the Cache Engine redirecting TCP data flow to the Cache Engine, achieving the purpose of improving data transfer efficiency and shortening TCP process time. WCCP uses UDP 2048 port to perform data communication, with two versions, WCCP V1 and WCCP V2. Currently, SANGFOR WAN Accelerator 6.0 only supports WCCP V2.
The typical network topology of WCCP deployment is as shown below.
To enable the WCCP function, the switch or router must support WCCP protocol, otherwise, the WCCP function is disabled. The following table lists the CISCO device models and hardware versions that support WCCP. For devices of other vendors, please contact your hardware device supplier.

CISCO HARDWARE                          CISCO IOS
ISR and 7200 Routers                    12.1(14), 12.2(26), 12.3(13), 12.4(10), 12.1(3)T, 12.2(14)T, 12.3(14)T5, 12.4(9)T1
Catalyst 6500 with Sup720 or Sup32      12.2(18)SXF12
Catalyst 6500 with Sup2                 12.1(27)E, 12.2(18)SXF10
Catalyst 4500                           12.2(31)SG
Catalyst 3750                           12.2(37)SE

* The information in the above table is only for reference. They are subject to change without notice. Please refer to the CISCO official website.
Only when both the [Acceleration only] and [Single arm] options (under the [System] > [Deploy Settings] > [Network Interface] page) are checked, will the following configuration page of [WCCP Settings] appear, as shown below:

Click the check box next to [Enable WCCP v2] to enable the WCCP function. What should be noted is that WCCP and CDP will not be available at the same time.
[Transmission Mode]: Transmission mode specifies the data encapsulation method when the WAN Accelerator and the router are communicating. Options are GRE and Layer 2. [GRE] can work through a layer 3 switch, while [Layer 2] can only communicate in layer 2 environment. Selection of transmission mode is subject to the actual topology, and the transmission method of the switch or router supported. The following table lists the transmission modes supported by CISCO devices respectively. For devices of other vendors, please contact your hardware device supplier:

CISCO HARDWARE                        Redirection and Return Method
ISR and 7200 Routers                  GRE
Catalyst 6500 with Sup720 or Sup32    GRE or L2
Catalyst 6500 with Sup2               GRE or L2
Catalyst 4500                         L2
Catalyst 3750                         L2

* The information in the above table is only for reference. They are subject to change without notice. Please refer to the CISCO official website.

[Weight]: When there are several local WAN Accelerators deployed in your network, this parameter helps to allocate weight for these devices with TCP traffic, according to certain ratio. For example, if the weight of device A is 100 and the weight of device B is 200, device A will take the flow of 100/(100+200) and device B will take the flow of 200/(100+200). When there is only one WAN Accelerator, you can set the weight as any value.

Click the <New> button to add a new router or switch IP address to enable WCCP protocol; you can also add a number of IP addresses, as shown below:

[Service Group ID]: Configures WCCP service group to which the WAN Accelerator and router/switch belongs. This service group ID must be the same as that configured on the router/switch; otherwise, the WCCP protocol cannot be used.
[Password]: Configures the password for WCCP interaction. DO keep the [Password] here the same as the password set on the router/switch. If the password is incorrect, relevant information of WCCP protocol will not be interacted properly.
[Priority]: Priority is accessible if there are several different service groups, assigning data redirection by different policies. In case that the different service groups have the same redirection policy, select the service group policy with higher priority to redirect the data. If there is only one service group, the priority can be set as any value.
[Data Flow Type]: [TCP] and [ICMP] options are available. It defines the types of data that the router/switch redirects to the WAN Accelerator. Generally, TCP data is recommended, while ICMP is mainly used for checking the validity of WCCP function with ping/tracert command. If no type of data flow is selected, system will redirect the types of data according to the routing table of the router/switch.
[Policy Mark]: Enable Hash policy when there are several WAN Accelerators. With this approach, it can avoid the situation that multiple connections originated from a same IP address to a same server are redirected to a different WAN Accelerator. Hash policies can be created by defining and combining the Source IP, Source port, Destination IP, or Destination port. If there is only one WAN Accelerator, you can ignore this option.
[Port Mode]: [All port] mode and [Application mode] are available. WCCP can define the ports to redirect data. Select [All port] mode and all the data at TCP 1-65535 will be redirected to the WAN Accelerator; select [Application port] mode, and only the data at the allocated 8 TCP ports are to be redirected. In this mode, ports are separated from each other by comma (,).
[Route Device Address]: Indicates the IP address of router/switch interacting with WCCP. This route device address is the same as the route device address configured in [Deploy Settings].
Click the check box next to [Enable], and then click the <OK> button to complete configuring the WCCP service. Lastly, click the <Save and Apply> button to save and apply the above settings.

CISCO Device Configuration
The WCCP configuration commands on CISCO device are shown below:

    configure terminal
    ip access-list extended wccp_acl
    ! Better not use the permit tcp any any command
    permit tcp sourceIP netmask destinationIP netmask
    exit
    ip wccp version 2
    ip wccp 60 redirect-list wccp_acl password 123456
    interface e0/1
    ip wccp 60 redirect { in | out }

Case Study 8: WCCP Avoiding Routing Loop in Single Arm Mode
Requirements are as follows:
a). The WAN Accelerator deployed in single arm mode, the Headquarters need accelerate its business system, without changing the routing table on the core switch.
b). The network should be able to recover in case of gateway device failure, so as to ensure the normal running of business.
The deployment topology is as shown below

as shown in the figures below: 82 .0. 1.16.0 0.0 User Manual According to the customer’s requirements.16.2.2.0 0.0.255 ip access-list extended wccp_acl2 permit tcp 172. we need to configure for each VLAN interface). in this section. which means the data received by this interface will be redirected.0.0. There are two configuration methods of WCCP on CISCO device: one is to configure in.SANGFOR WAN Accelerator 6.3.0 0. which means the data sent out by this interface will be redirected.0 0.0.255 192.255 192.0. we only focus on the configuration of WCCP. In this example.2.168. Next. we are going to configure WCCP options on the SANGFOR WAN Accelerator.168.0 0. and other settings are ignored.0.0 0.2.168.0.16. we configure out (as to configure in.255 192. The configuration commands are as shown below: configure terminal ip access-list extended wccp_acl1 permit tcp 172.0. the headquarters must utilize WCCP protocol to meet the needs.0.255 ip access-list extended wccp_acl3 permit tcp 172. the other is to configure out. It is necessary to understand the WCCP configuration on CISCO device. Here.0.0.1.255 exit ip wccp version 2 ip wccp 60 redirect-list wccp_acl1 password 123456 ip wccp 60 redirect-list wccp_acl2 password 123456 ip wccp 60 redirect-list wccp_acl3 password 123456 interface f0/10 ip wccp 60 redirect out 2.

3. Click the <OK> button and we have completed configuring the WCCP router address.
4. Finally, click the <Save and Apply> button to save all the above settings.

3.4.3 Users
[Users] page enables you to set the accounts (administrator or acceleration user) for logging in to the gateway console, as shown below:

Click the <New> button to configure [User Name], [Password] and [User type]. [User type] falls

The default account Admin is an administrator account with [Edit] privilege. it cannot be deleted and its privilege cannot be altered. [System Administrator] and [Guest]. as shown below: If [User Type] is [System Administrator]. it indicates that the account is an administrator account for Web page.0 User Manual into [Gateway]. If [User Type] is [Guest]. The system administrator with [View only] privilege cannot fulfill configuring on the WAN Accelerator. You can only modify the password. Only the administrator with [Edit] privilege can do so. [PACC]. you can specify privilege for this account: [Edit] or [View only]. 84 .SANGFOR WAN Accelerator 6.

If [User Type] is [Gateway] or [PACC], it indicates that this account is allocated for acceleration users. [Gateway] account is used when the networks are connected and accelerated through two WAN Accelerators. [PACC] account is used when mobile users connect to the WAN Accelerator. These two types of users can be referenced by the acceleration policy group. If [User Type] is [Guest], it indicates that this account only allows the user to log in to the WAN Accelerator to either view or edit. The pages are as shown below:

Having completed configuring an acceleration account, you can reference the user when configuring the acceleration policy group, so as to decide which users are able to connect to this WAN Accelerator, as shown below:

Click the <Online User> button and you can view the current online user list under administrator account, as shown below:

Case Study 9: Add Acceleration User
Requirement: Add an acceleration user account wanotest for a branch, to enable the Branch’s WAN Accelerator and Headquarters’ WAN Accelerator to establish an acceleration channel.
Approach 1: Under the [System] > [Users] > [Users] page, type the user name and password, and select [Gateway] as the [User Type], as shown below:

Next, enter the [WAN Optimization] > [Server] > [Acceleration User] page, select the newly-created user wanotest, and click <Edit> to edit this user, check the [Enable This User] option, and then this user can be used by the branch users. The [Acceleration User] page is as shown below:

Approach 2: Under the [WAN Optimization] > [Server] > [Acceleration User] page, click the <New> button to create a new user wanotest, enter the user name and password, select the user type and then check the [Enable This User] option, as shown below:

4. [Application List] and [Time Schedule].4 Network Objects [Network Objects] consists of three pages. which may be composed of single IP addresses.4.1IP Group [IP Group] defines the IP ranges. IP ranges and 88 .SANGFOR WAN Accelerator 6.4. [IP Group]. as shown below: 3. namely.0 User Manual 3.

The page is as shown below: Click the <New> button and the corresponding options appear. If [Auto Parse] is the selected one.0 User Manual subnets. You can [Select] to [Add] the IP addresses filled in the text box above or to [Auto Parse] the IP address according to the configured domain name followed. as shown below: Enter the name.SANGFOR WAN Accelerator 6. description of this IP group. the options are as shown below: 89 . The defined IP group may be referenced by [WAN Optimization] > [Server] > [Acceleration Policy] page and [Firewall] > [Firewall Rule] page. and the IP addresses to be covered by this IP group.

[Try Times]: Configures the try times allowed to parse the domain name.
[Domain Name]: Configures the domain name according to which the IP address is parsed.
Click <Parse> and the corresponding IP address of this domain name will be parsed and be listed in the [IP Address] text box.
If [Add] is the selected one, you then need select an [Address Type].
[Address Type]: Configures the type of the IP address. Options are [Single IP], [IP Range] and [Subnet].
Having completed configuring the page, you have to click the <OK> button to save the settings.

Case Study 10: Create IP Group with Single IP Addresses
Create an IP group and have it cover the LAN server 172.16.1.100. Two approaches are applicable:
Approach 1: Type 172.16.1.100 into the [IP Address] text box and select [Add] and [IP Address] as the [Address Type], as shown below:

Approach 2: Select [Add] and [IP Address], type 172.16.1.100 into the [IP Address] text box and click <Add> to add this IP address into the [IP Address] list. Finally, click the <OK> button, as shown below:

Case Study 11: Create IP Group with IP Range
Create an IP group and have it cover the LAN servers in 172.16.1.100-172.16.1.120. Two approaches are applicable:
Approach 1: Type 172.16.1.100-172.16.1.120 into the [IP Address] text box, select [IP Range] as the [Address Type] and then click the <OK> button, as shown below:
Approach 2: Select [Add] and [IP Range], type 172.16.1.100 into the [Start IP] text box and 172.16.1.120 into the [End IP] text box, and then click <Add> to add this IP range into the [IP Address] list. Finally, click the <OK> button, as shown below:

Case Study 12: Create IP Group with Subnet
Create an IP group and have it cover the LAN subnet segment 172.16.1.0/24. Two approaches are applicable:

Approach 1: Type 172.16.1.0/255.255.255.0 into the [IP Address] text box, select [Subnet] as the [Address Type] and then click the <OK> button, as shown below:
Approach 2: Select [Add] and [Subnet], type 172.16.1.0 into the [Subnet Segment] text box and 255.255.255.0 into the [Subnet Mask] text box, and click <Add> to add the subnet into the [IP Address] text box. Finally, click the <OK> button, as shown below:

3.4.4.2 Application List
[Application List] page defines the protocols and ports of various applications so that they can be referenced on [WAN Optimization] > [Server] > [Acceleration policy] page and [Firewall] > [Firewall Rule] page. The system already includes some frequently used applications. For other applications, you can add them by yourself, as shown below.

Click the <New> button and the corresponding options appear, as shown below.

Name the application and give it a brief description.
[Application]: Configures the name of the application.
[Description]: Configures the brief description for this application.
Click the <New> button to add specific protocol and port so that they can be used in acceleration policy configuration.
[Port type]: Defines the port type used by the application.

[Port operation]: Configures whether to include or exclude the specific port for the application.
[Start port]: Defines the start port of certain application or the start port which is to be excluded.
[End port]: Defines the end port of certain application or the end port which is going to be excluded.

Case Study 13: Add ERP System Application into Application List
Requirements: Add an ERP system application into the Application List so that this application can be referenced by [Acceleration Policy] configuration page, and have the branch’s access to the headquarters’ ERP system speed up.
Under the [Application List] page, click the <New> button, type in the name and description of the application, as shown below:

Click the <New> button, and enter the port or port range to be used by the ERP system (In this scenario, it is TCP 8000), as shown below:

Click the <OK> button to complete configuring the page. If there is another port used this application, click the <New> button again to add the corresponding port. Finally, click the <OK> button to complete configuring the application list, as shown below:

Finally, click the <OK> button to save all the settings.

3.4.4.3 Time Schedule
[Time Schedule] defines the time schedules which consist of some commonly used time periods. The defined time schedule may be used in [Bandwidth Management] > [Policy Settings] to set valid time and expiry time of the policy. The time is based on the system time of the SANGFOR WAN Accelerator.
Click the <New> button and the corresponding options appear, name the time schedule and give it a brief description, select and enable the needed time periods, as shown below:

Green represents valid time and gray stands for invalid time.

Case Study 14: Define Office Hours
Define a time schedule named Office Hours which is composed of the hours from 8:30-12:00 and 14:00-17:30, Monday to Friday. The other time periods are non-office hours.
Click the <New> button and the corresponding options appear, as shown below:

Name the time schedule and give it a short description, select the needed time periods and finally click the <OK> button.


3.5 WAN Optimization

[WAN Optimization] covers the configurations of [Application], [Compression], [Server],
[Client], [Certificates] and [Advanced].

3.5.1 Application
[Application] configures the protocol proxies supported by the SANGFOR WAN Accelerator. It
consists of eight configuration pages, namely, [HTTP], [CIFS], [SMTP], [POP3], [Exchange],
[Oracle EBS], [Citrix] and [RDP].

3.5.1.1 HTTP
[HTTP] page configures the proxy function for HTTP protocol, as shown below:


Check the [Enable HTTP Proxy] option to enable HTTP protocol proxy.
[Max. Cache Size]: Configures the upper size limit of the object type file.
[Object Timeout]: Configures the timeout of caching object file.
[Cache Object Type]: Configures the HTTP object types that are to be cached by the WAN
Accelerator. The default image file types are bmp, jpg, gif; the default script file type is js.
[First-synchronize-then-respond Object Type]: Configures the HTTP object types that are first
synchronized with the destination server and only then returned to the client. This configuration
ensures that the objects the client terminal receives come from the destination server and are not
outdated copies cached in the WAN Accelerator.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply all the settings of this page.
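
The following Python model is an added illustration of how these four options interact; it is not SANGFOR code. The byte and second units, the validator comparison that stands in for "synchronize", and the host name erp.example are assumptions. It shows a cached gif still being served from the cache after the server changes it, while a js object listed as first-synchronize-then-respond is refreshed.

```python
# Added model of the [HTTP] page options; not SANGFOR code.
# Assumptions: sizes are bytes, times are seconds, and "synchronize" is
# modelled as comparing a validator (like an ETag) with the destination server.
import hashlib
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpProxyConfig:
    max_cache_size: int = 64 * 1024                  # [Max. Cache Size], constructed value
    object_timeout: int = 3600                       # [Object Timeout], constructed value
    cache_types: frozenset = frozenset({"bmp", "jpg", "gif", "js"})  # defaults named on the page
    sync_first_types: frozenset = frozenset({"js"})  # constructed choice


class Origin:
    """Constructed stand-in for the destination server."""

    def __init__(self, objects):
        self.objects = dict(objects)    # path -> body bytes
        self.body_transfers = 0         # full objects sent across the WAN

    def validator(self, path):
        return hashlib.sha256(self.objects[path]).hexdigest()

    def fetch(self, path):
        self.body_transfers += 1
        return self.objects[path], self.validator(path)


class CacheModel:
    def __init__(self, cfg, origin):
        self.cfg, self.origin, self.store = cfg, origin, {}

    def get(self, url, now):
        """Serve one client request at time `now`; return (body, outcome)."""
        path = urlsplit(url).path
        kind = posixpath.splitext(path)[1].lstrip(".").lower()
        if kind not in self.cfg.cache_types:
            return self.origin.fetch(path)[0], "bypass"

        entry = self.store.get(path)
        if entry and now - entry["stored_at"] >= self.cfg.object_timeout:
            del self.store[path]                     # [Object Timeout] reached
            entry = None

        outdated = False
        if entry and kind in self.cfg.sync_first_types:
            # Synchronize first: answer from cache only if the server copy is unchanged.
            if self.origin.validator(path) == entry["validator"]:
                return entry["body"], "hit-validated"
            outdated, entry = True, None
        if entry:
            return entry["body"], "hit"              # served without asking the server

        body, validator = self.origin.fetch(path)
        if len(body) > self.cfg.max_cache_size:
            self.store.pop(path, None)               # too large to keep
            return body, "miss-not-stored"
        self.store[path] = {"body": body, "validator": validator, "stored_at": now}
        return body, "refreshed" if outdated else "miss-stored"


def demo():
    origin = Origin({"/logo.gif": b"GIF-v1", "/app.js": b"js-v1",
                     "/report.pdf": b"%PDF", "/big.jpg": b"x" * 100_000})
    proxy = CacheModel(HttpProxyConfig(), origin)
    base = "http://erp.example"                      # constructed host name
    first = [proxy.get(base + p, t)[1] for t, p in [
        (0, "/logo.gif"), (0, "/app.js"), (5, "/report.pdf"),
        (5, "/big.jpg"), (10, "/logo.gif"), (10, "/app.js")]]
    # The destination server now publishes new versions of both objects.
    origin.objects["/logo.gif"] = b"GIF-v2"
    origin.objects["/app.js"] = b"js-v2"
    return {
        "first": first,
        "gif_after_update": proxy.get(base + "/logo.gif", 20),
        "js_after_update": proxy.get(base + "/app.js", 20),
        "gif_after_timeout": proxy.get(base + "/logo.gif", 3600),
        "body_transfers": origin.body_transfers,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In this model the outdated gif keeps being served until [Object Timeout] expires, which is the case the first-synchronize-then-respond list exists to prevent for objects that must stay current.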

3.5.1.2 CIFS
[CIFS] page configures the proxy function for CIFS protocol, as shown below:


Check the [Enable CIFS Proxy] option to enable CIFS protocol proxy.
Check the [Enable SMB Signing] option to enable SMB Signing.
Check the [Enable Open/Read Optimization] option to enable open/read optimization of CIFS.
Check the [Enable Save/Write Optimization] option to enable save/write optimization of CIFS.
Check the [Enable Directory Optimization] option to optimize access to folders.
Check the [Enable Print Optimization] option to optimize printing.
Check the [Enable pre-read data for open(Low bandwidth used with caution)] option to read
ahead the data when opening a file.
[Session Cache Size]: Configures the cache size of a single session over My Network Places. The
higher the value, the better the acceleration effect.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply all the settings of this page.

3.5.1.3 SMTP
[SMTP] configures the proxy function for the SMTP protocol, as shown below:


Check the [Enable SMTP Proxy] option to enable SMTP protocol proxy.
Click the <Save and Apply> button to save and apply the settings of this page.

3.5.1.4 POP3
[POP3] page configures the proxy function for the POP3 protocol, as shown below:

Check the [Enable POP3 Proxy] option to enable the POP3 protocol proxy.
Click the <Save and Apply> button to save and apply the settings of this page.

3.5.1.5 Exchange
[Exchange] page configures the proxy function for the EXCHANGE protocol, as shown below:

Check the [Enable Exchange Proxy] option to enable the Exchange protocol proxy.

Click the <Save and Apply> button to save and apply the settings of this page.

If none of the above protocols applies to the acceleration data, it will use TCP protocol
proxy.

3.5.1.6 Oracle EBS
[Oracle EBS] page configures the optimization function of Oracle EBS, as shown below:

Check the [Enable Oracle EBS Optimization] option to enable Oracle EBS optimization.
Check the [Enable HTTP Mode] option to optimize Oracle EBS running in HTTP mode.
Oracle EBS supports connection modes such as HTTP, HTTPS, SOCKET and so on. However, by
default, SANGFOR WAN Accelerator only optimizes Oracle EBS running in SOCKET mode; if
you want to optimize Oracle EBS running in HTTP mode, please check the option [Enable HTTP
Mode].
Click the <Save and Apply> button to save and apply the settings of this page.

If [Enable HTTP Mode] is not checked, the WAN Accelerator will not optimize Oracle
EBS when it is running in HTTP mode.

3.5.1.7 Citrix
[Citrix] page configures the optimization function of Citrix applications, as shown below:


Check the [Enable Citrix Optimization] option to enable Citrix application optimization.
Click the <Save and Apply> button to save and apply the settings of this page.

3.5.1.8 RDP
[RDP] page configures the optimization function of RDP, as shown below:

Check the [Enable RDP Optimization] option to enable RDP optimization.
Click the <Save and Apply> button to save and apply the settings of this page.

3.5.2 Compression
[Compression] consists of only one tab, [Compression Settings], as shown below:

[IP Compression]: Check the options and the corresponding non-acceleration data between the
two WAN Accelerators will be compressed and therefore transmission of them will speed up.
Check the [Enable TCP Packet Compression] option to enable the TCP packets to be compressed.
Check the [Enable UDP Packet Compression] option to enable the UDP packets to be compressed.

By default, the TCP compression and UDP compression functions are not enabled, because
compressed TCP or UDP data is transferred very fast. If there is a frontend firewall device
that can defend against DoS attacks, that data transmission will be misjudged as an attack.

[Cache]: Decides whether to load the byte cache index and whether to enable byte cache bypass
when the device reboots.
[Load the data cache index when the device reboots]: Check this option, and the data cache
index is loaded when the system restarts, so the previously cached data still works even
though the acceleration connection is rebuilt; uncheck this option, and the previously cached
data becomes invalid for new acceleration connections.
If there are too many WAN Accelerators connecting in or connecting out, checking this option is
not recommended, because loading the data cache index may take a long time and thus slow down
data transfer after the new acceleration connection is built.
[Enable Byte Cache Bypass]: Check this option, and the acceleration data will be bypassed
automatically if the system is too busy and disk I/O becomes a bottleneck. The Byte Cache Bypass
function helps to avoid a disk I/O bottleneck that slows down the transfer of the acceleration
data.
Click the <Save and Apply> button to save and apply all the settings of this page.

Case Study 15: Type of Data Applicable to Compression
As shown in the following network topology, there are three types of data going through the WAN
Accelerators: Internet access data, peer server access data (accelerated) and peer LAN access data
(non-accelerated). The [Compression Settings] is only applicable to the last type of data, non-acceleration data accessing the peer LAN.


3.5.3 Server
[Server] consists of [Acceleration Policy], [Acceleration Policy Group] and [Acceleration User]
pages, as shown below:

3.5.3.1 Acceleration Policy
[Acceleration Policy] configures policies related to acceleration. The WAN Accelerator is already
built in with some default acceleration policies, as shown below:

Click the <Delete> button to delete the selected acceleration policy (policies); or click the <New>
button to define the parameters for the acceleration policy, such as [Dst. IP Group], [Application],
[Application Protocol], [Algorithm], [Enable SNAT], [Session Limit] and [Enable Byte Cache], as
shown below:


[Policy Name]: Indicates the name of the policy.
[Description]: Gives a brief description to this acceleration policy.
[Dst. IP Group]: Configures the host IP address to be accelerated. Click <Add> to get into the [Network Objects] > [IP Group] page or select the needed group (the needed IP group should be defined on the [IP Group] page in advance; for detailed configuration guide, please refer to Section 3.4.4.1 IP Group).
[Application]: Configures the application to be accelerated. Click <Add> to get into the [Network Objects] > [Application List] page or select the needed application (the needed application should be defined on the [Application List] page in advance; for detailed configuration guide, please refer to Section 3.4.4.1 IP Group).
[Application Protocol]: Indicates the protocol to be proxied (options are [Auto proxy], [TCP proxy], [HTTP proxy], [FTP proxy], [CIFS proxy], [SMTP proxy], [POP3 proxy], [EXCHANGE proxy], [Citrix proxy], [RDP proxy] and [Oracle Forms proxy]).

[Algorithm]: Configures the algorithm used by the acceleration tunnel. Options are [No compression], [LZO compression] and [GZIP compression]. Generally, GZIP compression is recommended. Compression effect of LZO compression is 15% higher than that of GZIP compression, but it consumes more performance of the WAN Accelerator.
[Enable SNAT]: Check this option, and it will disclose the real source IP address of the data packet when some applications require reserving the source IP; otherwise, the IP address of the local WAN Accelerator will be taken as the source IP address of the data packet (indicating the data packet is forwarded from this source IP address). You have to check this function if the LAN application masquerades the true source IP address of the data packet. To select CIFS proxy, you have to CHECK the [Enable SNAT] option.
[Session Limit]: Defines the sessions to be accelerated. The default is the maximum value 800. Each policy for PACC user (mobile user) supports at most 50 sessions and the excessive ones will be bypassed.
[Enable Byte Cache]: Decides whether to enable the data cache for this policy.
Having completed configuring this page, you have to click the <OK> button to save the settings, or click the <Cancel> button to give up configuring this page.

3.5.3.2 Acceleration Policy Group
[Acceleration Policy Group] is a blend of various acceleration policies. The page is as shown below:

Click the <Delete> button to delete the selected policy group, or click the <New> button to add an acceleration group, as shown below:

[Policy Group Name]: Configures the name of the policy group.
[Select Policy]: Select the needed acceleration policies that are to be included in the policy group. To add a new acceleration policy, please enter the [Acceleration Policy] page.
[Associate With User]: Select the needed user(s) to associate with the policy.
[Byte Cache Settings]: Defines the allocation method of data cache. Options are [Allocate automatically] and [Allocate manually]. If [Allocate automatically] is selected, the remaining disk space will be automatically allocated to the policies of this policy group as the disk space demand gets larger and larger. If [Allocate manually] is selected, you need to specify the [Minimum Disk Quota] and [Maximum Disk Quota] which are used to control the disk space size occupied by the data cache related to these acceleration policies.
Having completed configuring this page, you have to click the <OK> button to save the settings, or click the <Cancel> button to give up configuring and back to the previous page.

• If [Allocate automatically] is selected, when a user connects in, the data cache allocator of the device will allocate a block of disk space (128 MB per block) from the remaining disk space to a client gateway as its data cache. After the allocated block of data cache has been used up, the data cache allocator will continue to allocate another piece from the remaining disk space to the gateway. When the entire disk space is used up, the data cache will reclaim the block of data cache firstly allocated and allocate it once again, and so forth.
• The byte cache allocated manually will not be reclaimed.

3.5.3.3 Acceleration User
[Acceleration User] page configures the acceleration access account for the client gateway, and associates the account with acceleration policy, as shown below:

Click the <Delete> button to delete the selected acceleration policy, or click the <New> button to add a new connecting-in acceleration user and associate it with an acceleration policy group, as shown below:

[User Name]: Configures the name of the user allowed to access the local WAN Accelerator.
[Description]: Give this account a brief introduction.
[Password]: Configures the password of the user account.
[Confirm Password]: Enter the password again to check the correctness of it.
[User Type]: Configures the user type of the connecting-in user. Options are [Gateway] user and [PACC] user. [Gateway] user is the user whose data are accelerated through the acceleration connection established between the WAN Accelerators, while [PACC] user is the user whose data are accelerated through the connection established between the WAN Accelerator and the PACC user (for mobile acceleration user).
[Select Policy Group]: Select the needed acceleration policy group that will reference this user. Click <Add> to enter the [Acceleration Policy Group] page to add a new acceleration policy group.
[Policy Group Details]: Displays the acceleration policy information covered by this acceleration policy group.
[Enable This User]: Check this option to enable this acceleration user account.

Having completed configuring the acceleration user, you have to click the <OK> button to save the settings.

Case Study 16: Create Acceleration User and Associate Policy Group
Create an acceleration user wanotest for the Branch WAN Accelerator, and have it associate with the HTTP and FTP service of the subnet segment 172.16.100.0/24. Detailed procedures are as introduced below:
Step 1: Under the [Acceleration Policy] page, configure the application and destination address. As HTTP and FTP are default applications for acceleration, you need not create acceleration policies for these two applications.
Step 2: Under the [Acceleration Policy Group] policy, add an acceleration policy group named wanotest group and associate it with the HTTP and FTP acceleration policy group. In this step, you need not associate this acceleration policy group with the acceleration user because you have not added the acceleration user yet, as shown below:

Step 3: Under the [Acceleration User] page, add a new Gateway user named wanotest and associate it with the acceleration policy group wanotest group, as shown below:

Till then, we have completed adding the acceleration user and associating it with the acceleration policy group, having the HTTP and FTP application accelerated, and the branch users can get access to the Internet through the headquarters with the user account wanotest.

Case Study 17: Accelerate Exchange Server 2007 Email Delivery
The headquarters has a server for Exchange Server 2007, providing mail services and locating in the www.wcc.com domain.
Requirement: Accelerate the email sending/receiving for the branch.
To accomplish acceleration, the followings should be done:
a.) Ensure that the WAN Accelerator of the headquarters and WAN Accelerator of the branch can communicate with each other, and that the received and delivered email data should go through the WAN Accelerators.
b.) The headquarters’ WAN Accelerator joins the LAN www.wcc.com domain (for detailed configuration guide, please refer to Section 3.4.2.4 Dynamic Route).
c.) Configure an acceleration policy group exchange for the headquarters’ WAN Accelerator and associate it with the corresponding acceleration policies and the related branch gateway user, as shown below:

Case Study 18: Accelerate Access to Oracle EBS
The headquarters has an Oracle EBS server 192.200.200.225.
Requirement: The client-side LAN users’ accesses to the Oracle EBS server are to be accelerated.
To meet the requirement, we are going to configure the headquarters’ WAN Accelerator as follows:

1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access each other, and the flow caused when client user accesses the server goes through the server WAN Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [Oracle EBS] tab and check the options [Enable Oracle EBS Optimization] and [Enable HTTP Mode], as shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the Oracle server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an acceleration policy (in this scenario, it is named Oracle) for Oracle applications: associate this policy with the Oracle server IP address (configured in the above step), select [Application] “ebs”, and [Application Protocol] “Oracle Forms Proxy”, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new acceleration policy group (in this scenario, it is named Oracle), and have this policy group associate with the Oracle acceleration policy and Oracle IP group (the branch users), as shown below:

Case Study 19: Accelerate Access to CITRIX
The headquarters has a CITRIX server 192.200.200.226.
Requirement: Accelerate the users’ accesses to the CITRIX server.
To meet the requirement, we are going to configure the HQ WAN Accelerator as follows:
1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access each other, and the flow caused when client-end accesses the server goes through the WAN Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [Citrix] tab and check the option [Enable Citrix Optimization], as shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the Citrix server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an acceleration policy (in this case, it is named Citrix): associate this policy with the [Citrix] server IP address (configured in the above step), select [Application] citrix, and [Application Protocol] Citrix Proxy, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new acceleration policy group (in this case, it is named Citrix), and have this policy group associate with the Citrix acceleration policy and Citrix IP group (the branch users), as shown below:

Case Study 20: Accelerate Access to RDP
The headquarters has a RDP server 192.200.200.227.
Requirement: To accelerate the users’ accesses to the RDP server.
To meet the requirement, we are going to configure the headquarters’ WAN Accelerator as follows:
1.) Ensure that the two WAN Accelerators (server and client) are well connected and can access each other, and the flow caused when client user accesses the server goes through the WAN Accelerator.
2.) Go to the [WAN Optimization] > [Application] > [RDP] tab and check the option [Enable RDP Optimization], as shown below:
3.) Go to the [System] > [Networks Objects] > [IP Group] tab to add the host IP address of the RDP server into the address list, as shown below:
4.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy] tab. Configure an acceleration policy (in this scenario, it is named RDP): associate this policy with the RDP server IP address (configured in the above step), select [Application] rdp and [Application Protocol] RDP Proxy, as shown below:
5.) Go to the [WAN Optimization] > [Server] > [Acceleration Policy Group] tab. Add a new acceleration policy group (in this scenario, it is named RDP), and have this policy group associate with the RDP acceleration policy and RDP IP group (the branch users), as shown below:

3.5.4 Client
[Client] includes two configuration pages, [Connect to Gateway] and [Prefetch], as shown below:

3.5.4.1 Connect to Central Gateway
[Connect to Central Gateway] page configures on the local WAN Accelerator the parameters of its peer WAN Accelerator. The local WAN Accelerator (local device) acts as an acceleration client, connecting to the peer WAN Accelerator (peer device). The default configuration page is as shown below:

Click the <New> button and the following options appear, as shown below:

[Gateway Name]: Indicates the name of the peer device to be connected by the local device. It is user-defined.
[User Name]: Indicates the gateway account for connecting to the peer device.
[Password]: Indicates the password of the gateway account for connecting to the peer device.
[IP Address]: Configures the LAN IP address or bridge IP address.
[Listening Port]: Indicates the listening port of the peer device (rather than the HTP working port number).
[Transfer Protocol]: Configures the encapsulation mode of the data packets that are to be transferred and accelerated. Options are [High-speed TCP] and [HTP]. High-speed TCP is generally applied to network with high latency, while HTP is applicable to network with packet loss or high packet loss. The default selection is [Auto select], which means the WAN Accelerator will detect the network by itself and then decide the transfer mode.
[Set Parameters]: It is only available when the [Transfer Protocol] is [HTP]. You can click it to set the [Work Mode]: [Normal], [High packet loss] or [Low latency], according to your network environment, and configure the [UDP Data Packet Size(MTU)] as well, as shown below:

[Description]: Indicates the description for the peer device to be connected to.
[Enable Gateway Settings]: Check this option to enable the settings of this WAN Accelerator.
<Advanced>: Click it and the options [Enable Network Transparency] and [Pre-Connection] are seen.
[Enable Network Transparency]: Check this option to enable the network transparency mode, and the WAN Accelerator will reveal the real IP addresses of the source IP and destination IP that work for data transmission in the acceleration channel. This function is applicable to the network environment that the application control policy of either WAN Accelerator has referenced the source IP or destination IP and controls the bandwidth of them.

If the WAN Accelerator is deployed and configured in the following two modes, [Enable Network Transparency] can NOT be checked:
a). In Gateway mode and VPN function is enabled.
b). In Single Arm mode, but the CDP or WCCP function is not enabled.

[Pre-Connection]: Check this option to enable prefetching connection mode. [Pre-Connection] option can be checked when the acceleration connection is established between two WAN Accelerators; if the acceleration connection is established between the PACC user (mobile acceleration user) and WAN Accelerator, the [Pre-Connection] option will not function.

The versions issued before WAN Accelerator 5.0 are of pre-connection mode. Pre-connection mode indicates that, when the client WAN Accelerator is connecting to the server WAN Accelerator, the moment the client PC sends the access requests to the server, the client WAN Accelerator can respond to and accept the requests for the destination server, without waiting for the response from the destination server; in this way, it can shorten the time for establishing connection as well as data transmission. However, one problem is inevitable, that in case the server WAN Accelerator and the destination server fail to build the connection, but the acceleration policies for all the network segments and ports have already been configured and enabled, some other non-acceleration TCP data (for instance, the Internet access data) will also be handled by the WAN Accelerator, because the policies allow the WAN Accelerator to proxy all the TCP data sent by the client and to forward the handled data to the destination server; therefore, these TCP applications cannot work normally.

The SANGFOR WAN Accelerator 5.0 and 6.0 are different from the previous versions on connection mode. The client WAN Accelerator will not accept the client PC’s connection requests in advance for the destination server; instead, it accepts the requests and allows data transmission only after the destination server gives the positive response. In this way, the problem caused by the pre-connection mode can be avoided.

[Enable Reverse Acceleration]: Check this option to enable reverse acceleration between the peers of the established connection. Reverse acceleration function will have the client WAN Accelerator (local device) inform and allow the server WAN Accelerator (peer device) to actively connect to the acceleration user created by the local device; in this way, both sides (server and client) can feel the acceleration effect, and as a result it can save one WANO license. Click <Add> and you will enter the [Acceleration User] page to create or edit a user.

The connect-out gateway port of the peer WAN Accelerator must be consistent with the [Listening port] of the local WAN Accelerator; otherwise, the acceleration connection cannot be established.

HTP is a high-speed and reliable transmission protocol based on UDP, developed by SANGFOR. It can solve the problem of high packet loss and high latency of the network, and accomplish quite good transmission effect both in wireless and Long-Fat-Pipe environment.

Case Study 21: Branch Establishes Acceleration Connection With HQ
Suppose a customer has deployed the SANGFOR WAN Accelerator 6.0 into the network of its Beijing Headquarters and configured the corresponding acceleration services. Now, another WAN Accelerator is required to be deployed in the Hong Kong branch’s network, and the acceleration connection must be established between the Hong Kong branch’s WAN Accelerator and Beijing headquarters’ WAN Accelerator.
The deployment topology is as shown below:

In this scenario, we only focus on the acceleration configuration at the client end, other configurations being ignored.

First of all, confirm the following information with the device administrator of Beijing headquarters: username/password, LAN IP of the WAN Accelerator and the port providing acceleration service. Suppose that Username is HongKong, Password is wanacc, LAN IP is 10.1.1.1 and service port is 5400. Enter the information, as shown below:

Click the <OK> button to save the settings.

Case Study 22: Enable Network Transparency Mode
The customer deploys the SANGFOR WAN Accelerator 6.0 in Bridge mode, in its network where a bandwidth management device is deployed at frontend of the WAN Accelerator. In the previous section, different bandwidth control policies have been configured for the Intranet IP.
The deployment topology is as shown in the following figure:

Now, the tasks are, firstly, to guarantee that information of Source IP, Source port, Destination IP, Destination port of the data packets keep unchanged when they go through the SANGFOR WAN Accelerator, and secondly, to guarantee that the bandwidth policies configured on the bandwidth management device for each IP still take effect.
Check the [Enable Network Transparency] option on the [Connect to Central Gateway] page, as shown below:

Case Study 23: Use Reverse Acceleration
The headquarters has HTTP, FTP and EXCHANGE servers, and the branch also has FTP server.
Requirements: To have the branch users feel the acceleration effect while they are getting access to the headquarters’ HTTP, FTP and EXCHANGE servers; at the same time, have the headquarters’ users feel the acceleration effect when they are getting access to the branch’s FTP server.

The deployment topology is as shown in the following figure:

First, follow the steps below to configure the headquarters’ WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group covering the LAN network segments of the headquarters, as shown below:

Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create corresponding acceleration policies for Exchange, HTTP and FTP. Taking the HTTP for example, the configurations are as shown below:

Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an acceleration policy group which associates with the three acceleration policies on Exchange, HTTP and FTP, as shown below:

Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration user for the branch, and associate this user with the acceleration policy group created in the above step, as shown below:

Step 5: Add the headquarters’ WAN Accelerator into the domain where the Exchange server locates (for detailed configuration guide, please refer to the Dynamic Route section).

Then, follow the steps below to configure the branch’s WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group covering the LAN network segments of the branch, as shown below:

Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an acceleration policy on FTP. The configurations are as shown below:

Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an acceleration policy group which associates with the acceleration policy FTP, as shown below:

Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration user for the branch, and associate this user with the acceleration policy group created in the above step, as shown below:

Step 5: Initiate connection requests to the headquarters. Get into the [WAN Optimization] > [Client] > [Connect to Central Gateway] page, check the [Enable Reverse Acceleration] option and select the acceleration user (HQ, configured in the above step) as the [Reverse User], as shown below:

3.5.4.2 Prefetch
SANGFOR WAN Accelerator 6.0 provides the prefetching function. You can enable this function so that the device will automatically fetch the data from the server in advance and save it to the byte cache at the preset time. The client PC will acquire the acceleration effect when accessing the server for the first time, with greatly improved user experience.
The configuration page is as shown below:

Click the <New> button and the following options appear, as shown below:

[Start Time], [End Time]: Configures the start time and end time of prefetching respectively. During this time range, the device will prefetch data from the remote server.
[Days]: Specifies the date implementing prefetch operation.
[Address]: Configures the directory/address where server or file is located in.
[Username], [Password]: Configures the user name and password used for logging in to the server.
[Description]: Configures the contents to be prefetched.
[Enable]: Check this option to enable the settings of this page and enable this prefetch rule.
Having completed configuring the page, you have to click the <Save and Apply> button to save
and apply the above settings.

[Days] is based on the system time. Therefore, make sure the system time of the WAN
Accelerator is consistent with the actual time.

[Prefetch] function only supports two protocols, HTTP and FTP, and it only supports login to
FTP server (not HTTP server) with username and password.

The address and file name should be English characters; otherwise, prefetching will fail
because of decoding failure.

Case Study 24: Prefetch Data From FTP Server
From the previous two case studies (Case Study 18 and Case Study 19), we know that an
acceleration connection between Beijing headquarters and Hong Kong branch has been
established. However, the employees in Hong Kong branch frequently download report files of
the previous day via the limited bandwidth from the FTP server of Beijing headquarters. Since the
report files are very large, the download speed is very slow.
To solve this problem, the customer enables the prefetching function on Hong Kong branch’s
WAN Accelerator and sets the prefetching time (early morning every day) so that the device will
prefetch the report files from the FTP server of Beijing headquarters. By doing this, the byte cache
will take effect and the download will speed up when the employees of Hong Kong branch
download these report files from the FTP server for the first time.
The deployment topology is shown below:

In this scenario, we only focus on how to configure the prefetch rule, while other
configurations are ignored.

First of all, confirm the following information with the device administrator in Beijing
headquarters: IP address of FTP server and the Username/Password of the FTP server (it is OK if
there is no username/password). Suppose the IP address of the FTP server is 10.1.1.3, username
and password for FTP download are beijing and FTP respectively.
Detailed steps are as stated below:
Step 1: Set the time on the Hong Kong branch’s WAN Accelerator so that the device will
automatically prefetch report files from the FTP server in Beijing headquarters at the preset time
every day.

Step 2: Enter the IP address of the FTP server and the username/password for logging in to the
FTP server.

Click the <OK> button to save the above settings.

3.5.5 Certificates
[Certificates] includes the configurations of [CA Certificate] and [Server Certificate]. Here you
can import a server certificate or automatically generate one, so that the device acts as an
HTTPS proxy for the client and can accelerate the HTTPS protocol. To do so, the device must hold
the HTTPS server's certificate and private key.
The page is as shown below:

This function only supports the HTTPS applications that adopt SSL one-way authentication.

If you are accessing this page for the first time, the system may ask you whether to install the
certificate import component. Click the <Install> button to install it, as shown below:

3.5.5.1 CA Certificate
[CA Certificate] page helps to import the root certificate provided by the CA. The default
configuration page is as shown below:

Click the <New> button; enter [Name] and select the directory of the [Certificate File], as shown
below:

Check the [Enable] option to enable this root certificate provided by the CA.
Click the <OK> button to save the settings of this page; or click the <Cancel> button to give up
configuring and go back to the previous page.
On the [CA Certificate] page, you can click the <Delete> button to delete the selected CA
certificate(s).

3.5.5.2 Server Certificate
[Server Certificate] page helps to import the server certificate of the HTTPS server.
The default configuration page is as shown below:

Click the <New> button; enter the [Destination IP] address and [Destination Port] of the HTTPS
server, as shown below:

[SSL Version]: This option is offered for the specific use of Oracle EBS applications. Check the
version according to the SSL version of your Oracle EBS. If Oracle EBS uses a digital certificate,
both the WAN Accelerator and the Oracle server should join the domain.
Select the [Import Certificate That Contains Key] option; upload the file for [Certificate File] and
enter corresponding [Encrypted Password] of the certificate, as shown below:

Some CAs may issue a certificate file without a key to an HTTPS server; in that case, you need to
select the [Import Certificate With Separate Key] option and configure the [Private Key File] and
the [Encrypted Password], as shown below:

Check the [Enable] option to enable the server certificate.
Click the <OK> button to save the settings of this page; or click the <Cancel> button to give up
configuring and go back to the previous page.

Case Study 25: Accelerate Access to HTTPS Server
To accelerate the branch’s access to the headquarters’ HTTP server, the network and WAN
Accelerator are deployed as follows:

First, follow the steps below to configure the headquarters’ WAN Accelerator:
Step 1: On the [System Setting] > [Network Objects] > [IP Group] page, create an IP group
covering the LAN network segments of the headquarters.

Step 2: On the [WAN Optimization] > [Server] > [Acceleration Policy] page, create an
acceleration policy on HTTPS and select [HTTP Proxy] application protocol and check the
[Accelerate HTTPS] option, as shown below:

Step 3: On the [WAN Optimization] > [Server] > [Acceleration Policy Group] page, create an
acceleration policy group and associate it with the HTTPS acceleration policy, as shown below:

Step 4: On the [WAN Optimization] > [Server] > [Acceleration User] page, create an acceleration
user for the branch and associate it with the HTTPS policy group configured in the previous step,
as shown below:

Step 5: On the [WAN Optimization] > [Certificates] > [CA Certificate] page, import the CA root
certificate of the HTTPS server, as shown below:

Step 6: On the [WAN Optimization] > [Certificates] > [Server Certificate] page, import the HTTPS
server’s server certificate issued by the CA, as shown below:

In this scenario, the server certificate that the HTTPS server acquired from the CA contains no
private key. We select the [Import Certificate With Separate Key] option, and import the server
certificate and the private key file into the WAN Accelerator.
Till then, we have completed configuring the HTTPS settings on the headquarters’ WAN
Accelerator. The remaining step is creating an acceleration connection to have the branch access
the headquarters’ HTTPS application.

3.5.6 Advanced
[Advanced] include configurations of [Exclusion Rule], [Asymmetric Route] and [Keep Alive
Settings]. The default configuration page is as shown below:

3.5.6.1 Exclusion Rule
SANGFOR WAN Accelerator 6.0 allows you to configure exclusion policy for acceleration service. By default, all of the IP addresses are accelerated. By configuring exclusion policy, you can enable or disable the acceleration function for specific IP addresses, subnets or network segments.
The configuration page is as shown below:

[Enable Acceleration For All IP]: When this option is selected, the data packet will not be accelerated if the source IP address of the data packet is consistent with that configured in the list.
[Disable Acceleration For All IP]: When this option is selected, the data packet will be accelerated only when the source IP address of the data packet is consistent with that configured in the list.
As shown in the above figure, system default is that the data transmission through some common ports (in the list) cannot be accelerated. If the WAN Accelerator receives a data packet whose destination port is any of the ports in the list, this data packet will not be handled by the acceleration channel; instead, it will be bypassed.
Click the <New> button to create a new exclusion rule, as shown below:

Enter a network segment or a specified IP range.
The correct format of network segment is as shown below:

The correct format of IP range is as shown below:

Fill in the needed source IP address, destination IP address, destination port of the data packets that are to be excluded. Check the [Enable] option and click the <OK> button.
Finally, click the <Save and Apply> button to complete configuring the page and save the settings.
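The two modes invert the meaning of the same rule list, which matters when reviewing which flows the device proxies and which it bypasses. The following model is an added example, not SANGFOR code: it assumes CIDR notation for a network segment, "start-end" for an IP range, and that 0.0.0.0 and port 0 act as wildcards (as the rule in Case Study 26 suggests); the port 22 rule and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

ENABLE_ALL = "Enable Acceleration For All IP"    # listed flows are bypassed
DISABLE_ALL = "Disable Acceleration For All IP"  # only listed flows are accelerated
ANY_IP = "0.0.0.0"   # assumption: wildcard address
ANY_PORT = 0         # assumption: wildcard destination port


def parse_span(text):
    """Return (first, last) as integers for an address, a CIDR segment or a start-end range."""
    text = text.strip()
    if text == ANY_IP:
        return 0, 2**32 - 1
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {text}")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


@dataclass(frozen=True)
class ExclusionRule:
    source: str
    destination: str = ANY_IP
    dest_port: int = ANY_PORT
    enabled: bool = True          # the [Enable] checkbox of the rule

    def matches(self, src, dst, dport):
        if not self.enabled:
            return False
        s_lo, s_hi = parse_span(self.source)
        d_lo, d_hi = parse_span(self.destination)
        src_i = int(ipaddress.IPv4Address(src))
        dst_i = int(ipaddress.IPv4Address(dst))
        return (s_lo <= src_i <= s_hi
                and d_lo <= dst_i <= d_hi
                and self.dest_port in (ANY_PORT, dport))


def is_accelerated(mode, rules, src, dst, dport):
    """Decide whether a flow enters the acceleration channel under the given mode."""
    hit = any(rule.matches(src, dst, dport) for rule in rules)
    if mode == ENABLE_ALL:
        return not hit
    if mode == DISABLE_ALL:
        return hit
    raise ValueError(f"unknown mode: {mode}")


def bypassed_flows(mode, rules, flows):
    """Return the flows that are forwarded without acceleration."""
    return [f for f in flows if not is_accelerated(mode, rules, *f)]


# Constructed sample flows: (source IP, destination IP, destination port)
FLOWS = [
    ("192.168.3.25", "10.1.1.3", 21),   # accountant subnet to the FTP server
    ("192.168.4.25", "10.1.1.3", 21),   # another branch subnet
    ("192.168.4.25", "10.1.1.1", 22),   # constructed management session
]

# Rule shape of Case Study 26: source subnet, destination 0.0.0.0, port 0
ACCOUNTANTS_ONLY = [ExclusionRule(source="192.168.3.0/24")]

if __name__ == "__main__":
    for flow in bypassed_flows(DISABLE_ALL, ACCOUNTANTS_ONLY, FLOWS):
        print("bypassed:", flow)
```

Switching the same list to [Enable Acceleration For All IP] reverses the result for every flow, so the mode and the list should always be reviewed together.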

Case Study 26: Exclusion Rule Defines Acceleration Subnet
Provided the customer has established a VPN connection between Beijing headquarters and Hong Kong branch. However, it is required that only the network segments where the Hong Kong accountants locate can feel the acceleration effect while they are accessing the Beijing server.
The deployment topology is as shown below:

In this scenario, we only focus on how to configure the exclusion policy, while other configurations are ignored.

Suppose the computers of accountants are on the 192.168.3.0/24 subnet. Specific operations are as follows:
Step 1: On the [Exclusion Rule] page of the Hong Kong branch’s WAN Accelerator gateway console, select the [Disable Acceleration For All IP] option, as shown below:

Step 2: Enter the source IP addresses (subnet), destination IP “0.0.0.0”, port “0”, and then check the [Enable] option, as shown below:

Step 3: Click the <Save and Apply> button to save the settings.

3.5.6.2 Asymmetric Route
[Asymmetric Route]: Asymmetric route can solve the problem that acceleration effect is unobvious, because that the routes for data back and forth are asymmetric for there may be multiple switches or multiple routers deployed in the Intranet (in redundancy).
Typical deployment topology of asymmetric route is as shown in the following figure:

As shown in the above figure, SANGFOR WAN Accelerator “A” and WAN Accelerator “B” have established an acceleration channel between them. However, as there are dual switches and dual routers sharing the loads, data from the branch may follow the upper route to get access to the headquarters, and then travel back through the lower route. The truth is that, the efficiency is not high.
To solve this problem, we deploy a WAN Accelerator C in the headquarters’ network. When there are to-be-accelerated data transmitted to WAN Accelerator “C”, “C” transmits these data to WAN Accelerator “A”, ensuring both the back-and-forth data always travel through the same line, hence enhancing accelerating effect.
To enable the Asymmetric Route function for WAN Accelerator “A” and WAN Accelerator “C”, the page should be configured as follows:

[Peer Gateway Address]: Specifies the IP address of LAN interface, DMZ interface or bridge (subject to the deployment) of the other WAN Accelerator (of the local terminal). Ensure that the two local WAN Accelerators are able to communicate with each other.
[Communication Port]: Configures the data communication port of the WAN Accelerator whose asymmetric route function is to be enabled. DO note that the communication ports of both devices should be consistent with each other.
[Keep-alive Interval]: Configures the period of time after which the asymmetric route function times out. If no keep-alive packet is received from the asymmetric route during the period of time, the asymmetric route will get invalid.
Finally, check the [Enable Asymmetric Route] option and click the <Save and Apply> button to save and apply the settings.

Once the asymmetric route function is enabled, the flow direction of the original TCP data will change (excluding non-TCP data, such as ICMP and UDP, etc); incorrect usage may result in communication failure of the data. Therefore, before enabling this function, make sure that you have detailed and clear knowledge of the general network infrastructure and the data flow direction, and have a thorough communication with the technicians of SANGFOR.

3.5.6.3 Keep Alive Settings
SANGFOR WAN Accelerator 6.0 facilitates you to configure the keep-alive settings of the TCP connection, and allows a TCP connection to be kept for certain time. The page is as shown below:

[Keep Alive Interval]: Configures the period of time that a packet keeps alive.
[Timeout Counts]: Configures the maximum number of times that a packet is sent. If there is still no response from the peer device after the maximum attempts (timeout counts), the connection will be broken.
Having completed configuring the above, you have to click the <Save and Apply> button to save the settings.

3.6 Bandwidth Management
Different from most of the previous versions, SANGFOR WAN Accelerator 6.0 is designed with bandwidth management (BM) function. Type of the data going through the WAN Accelerator will be automatically identified, according to which the WAN Accelerator controls the bandwidth and guarantees the bandwidth for the core businesses of a company.
Bandwidth management function is available in Gateway mode, Bridge mode, Double Bridge mode and Single Arm mode.

3.6.1 Objects
[Objects] consists of [Application Identification], [Intelligent Identification], [URL Group] and [File Type Group]. The default configuration page is as shown below:

3.6.1.1 Application Identification
Download software tools such as BT, Emule, etc., consume lots of bandwidth resources; IM software tools such as QQ, MSN and stock trading software, etc., definitely occupy the working hours and lower the working efficiency of the staff. Though most of the enterprises issue regulations to ban their staff from using these software tools, they can do nothing to prevent their employees from using them, for nearly all of these software tools are designed to be able to shy away from the ordinary firewalls. SANGFOR WAN Accelerator 6.0 adopts some patented technologies to efficiently block the above mentioned chat and IM software tools.
Because the data packets of each kind of software have unique feature values, when the software communicates with the external networks, WAN Accelerator will detect the features contained in the data packets and determine whether the data packets should be blocked. If the data packets contain the features we configured, then they will not be sent or received. In this way, this software will be inaccessible for the LAN users.
The application identification rules fall into various types and can distinguish the flow of certain application in association with the [Application] configured on [Bandwidth Management] > [Policy Settings] > [Application Control Policy] > [Access Control] page and the [Bandwidth Settings] on [Bandwidth Management] page. Application identification rules’ ability of detecting traffic on the basis of protocol, port, direction, length of data packet, and the content of the data packets, etc., can help to identify P2P traffic quite well.
Application identification rule falls into internal rule and user-defined rule. The internal rules cannot be modified, while the user-defined rule can be added, deleted, and edited.
Click [Bandwidth Management] > [Objects] > [Application Identification] and the following page is seen:

The key to identify the application and block some communications is to analyze the features of these data packets. SANGFOR will periodically provide the feature values definition of the software tools such as P2P, IM, etc. You can contact SANGFOR and apply for the application identification rule package to manually import the rules, and you can analyze data packets by yourself and define your own application identification rule by clicking the <New> button and defining the features of the packets. The page is as shown below:

Configure in [Data Packet Content Matching] section the feature values according to the analysis on the data packets.

[Application Identification] supports [Import] and [Export] of the rules.

[Import Rule]: To import a rule, click the <Browse> button and upload the rule (extension of the rule file is *.ccf), and then click the <Import> button. To export the existing user-defined rule(s), just select the rule(s), and click the <Export> button and name the file, and finally confirm exporting (the internal rule cannot be exported).

[Search Rule]: Type in the keyword of a rule name, click the <Search> button and you can find the rule whose name contains this keyword.

[Rules Priority]: Click the <Modify> button to switch the priority between the user-defined application identification rules and the internal rules. The rule types of higher priority to be matched are displayed in red.

Note: Since BT and IM software tools differ from each other and keep updating, some application identification rules may get invalid for some latest versions of the software tools. SANGFOR will periodically update the application identification rules. Please make sure that your WAN Accelerator can access the Internet to update these rules online.

Note: For the internal rules, you can only alter the classification and cannot edit the policy or export the rule.

3.6.1.2 Intelligent Identification

[Intelligent Identification] configured in [Bandwidth Management] > [Objects] mainly identifies the P2P applications in plain text or cipher text form, identifies the encrypted Skype data according to the Skype actions, and identifies the SSL certificate, SANGFOR VPN data, data from proxy tool. The configuration page is as shown below:

Note: [Application Identification] detects the P2P application as well, limited to plaintext P2P data. If you disable the [P2P Action] (in the Intelligent Identification Rule List on the [Intelligent Identification] page), it can still successfully identify the plaintext P2P data but be unable to identify the cipher text P2P data.

Note: Skype data are encrypted. To control and record the Skype data, you have to select the [Enable] option on the [Intelligent Identification] > [Edit Intelligent Identification Rule] page of Skype.

3.6.1.3 URL Group

Internal URL group and user-defined URL group can be referenced by the [Bandwidth Management] > [Policy Settings] > [Application Control Policy] > [Web Filter] > [URL Filter] page, and the [Bandwidth Management] > [Bandwidth Settings] page, to achieve controlling over the access privilege to certain URL, URL filtering, bandwidth distribution and management.

Click [Bandwidth Management] > [Objects] > [URL Group] and the following page appears:

As shown in the above figure, the WAN Accelerator is integrated with large number of categorized URL groups.

[Expiry Date of Update Service]: Indicates the latest time the URL library was automatically updated.

[Update Internal URL Library Manually]: If the URL library cannot automatically update because it is disconnected from the Internet, you can manually update the URL library. Just click the <Browse> button and upload the URL library file from the local PC, and then click the <Upload> button.

[URL Search]: Enter the domain name into [URL Search] and click the <Search> button to search whether this domain name exists in the URL library and in which URL group this domain name is contained. For instance, type in www.google.com and click the <Search> button, the search result is displayed, as shown in the following figure:

SANGFOR WAN Accelerator 6.0 is built in with a large number of URL groups when it is delivered from the factory. You can add a new URL into the URL library if necessary, in addition to using the existing and built-in URLs. Click the <New> button and configuration page appears, as shown below:

[URL Group Name]: Name the new URL group.

[Description]: Type in a brief description for this new URL group.

[URL]: Type the domain name (URL) into the textbox, one URL per row. The URL group consists of the URL(s) in this list. Wildcard character is supported.

[Domain Name Keyword]: URL group is automatically matched if the URL contains the configured domain name keyword.

Having completed configuring this page, you have to click the <OK> button to save the above settings.

Note: One SANGFOR WAN Accelerator 6.0 supports at most 100 URL groups (including internal URL and user-defined URL groups). As to the user-defined URL groups, you can have at most 10 URL groups enabled at the same time. Multiple URL groups can be disabled as well.

3.6.1.4 File Type Group

[File Type Group] configured in [Bandwidth Management] > [Objects] can be referenced by the [Bandwidth Management] > [Policy Settings] > [Application Control Policy] page > [Web Filter] > [File Type Group] configuration to control HTTP/FTP upload and download, and be referenced by [Bandwidth Management] > [Bandwidth Settings] to control the upload and download bandwidth of the configured file types (in the file type group). Click the <New> button to add a new file type group. The page is as shown below:

[Name]: Defines the name of the new file type group.

[Description]: Gives a brief description to this file type group.

[File Type]: Configures the extension of file type, one entry per row. A file type cannot be entered twice.

Having completed configuring the above, you have to click the <OK> button to save the settings.

3.6.2 Policy Settings

[Policy Settings] configured in [Bandwidth Management] defines the access control policy for the LAN users. It consists of the two pages, [Application Control Policy] and [User Group]. [Application Control Policy] can be referenced by multiple user groups to control the Internet access and behaviors of the LAN users. The default configuration pages are as shown below:

To have certain [Application Control Policy] take effect, you have to associate it with the user group. We first introduce [User Group] which is followed by the introduction to [Application Control Policy].

3.6.2.1 User Group

[User Group] configured in [Bandwidth Management] > [Policy Settings] takes some LAN users into a group, facilitating the management of a special group of users. The default configuration page is as shown below:

Click the <New> button to add a new user group, as shown below:

On this page, you can relate a user group with an IP address or MAC address. The IP address can be single IP address, IP range and subnet. MAC address can be single MAC address and MAC range. The IP address (list) and the MAC address (list) are of "OR" relationship, that is to say, if a data packet from the client terminal matches either of the conditions (IP address or MAC address) of this user group, the client will be regarded as a user of this user group, and its requests will match the related policies when they reach the WAN Accelerator.

Having completed configuring the above page, you have to click the <OK> button to save the settings.

Note: If there is a layer 3 switch in the local area network, the MAC address contained in the header of the data packet will be the MAC address of the layer 3 switch. In that case, you need to use the IP address to add a user group, for the MAC address of the LAN client configured in this page will NOT take effect.

Case Study 27: Add User Group

The network environment of a customer is as shown below:

168.2.SANGFOR WAN Accelerator 6.1.0/24. c). covering the IP addresses of 192. Configuration procedures: Step 1: Add a new user group named Finance Department.) Managers user group. 192. a). The page is as shown below: 164 .168.3.168.0 User Manual Requirements: Add the following three user groups.168.4.100.0. General Staff user group to which the other PCs belong. 192. covering 192.100 and 192.168.100. b. Finance Department user group.100.

Step 2: Add a new user group named Managers. The page is as shown below:

Step 3: Add a new user group named General Staff, as shown below:

Click the <OK> button after you have configured the page and the three newly-created user groups are seen in the user group list, as shown below:

Note: While creating a new user group, please note that an IP address or MAC address can belong to several user groups. If you want to distinguish some users from a subnet, a user group covering most of IP addresses of the subnet must be composed of some shorter ranges of IP addresses.
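The note above implies a small calculation: the "everyone else" group has to be entered as the ranges left over once the other groups' addresses are taken out of the subnet. The following Python sketch is an added example, not part of the manual; the subnet, the group addresses and all function names are constructed for illustration, and only the IP conditions of a user group are modelled (not MAC addresses).

```python
import ipaddress

# Constructed sample values (not taken from the manual's case study).
SUBNET = "192.168.1.0/24"
FINANCE = ["192.168.1.10-192.168.1.20"]
MANAGERS = ["192.168.1.100", "192.168.1.254"]


def as_interval(spec):
    """Turn a single IP, an 'a-b' range or a CIDR subnet into (low, high) integers."""
    if "-" in spec:
        low, high = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        if low > high:
            raise ValueError(f"range is reversed: {spec}")
        return low, high
    net = ipaddress.ip_network(spec)  # a bare address is treated as a /32
    return int(net.network_address), int(net.broadcast_address)


def remaining_ranges(subnet, carved_out):
    """Return the 'a-b' ranges that cover the subnet's host addresses
    minus every address, range or subnet listed in carved_out."""
    net = ipaddress.ip_network(subnet)
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.version == 4 and net.prefixlen < 31:
        first, last = first + 1, last - 1  # skip network and broadcast addresses
    ranges, cursor = [], first
    for low, high in sorted(as_interval(s) for s in carved_out):
        if high < cursor:      # already covered by an earlier carve-out
            continue
        if low > last:         # carve-out lies beyond the subnet
            break
        if low > cursor:       # gap before this carve-out belongs to the rest
            ranges.append((cursor, low - 1))
        cursor = high + 1
    if cursor <= last:
        ranges.append((cursor, last))
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in ranges]


def matching_groups(ip, groups):
    """List every group whose IP conditions contain the address."""
    addr = int(ipaddress.ip_address(ip))
    return [name for name, specs in groups.items()
            if any(low <= addr <= high for low, high in map(as_interval, specs))]


def build_groups(split):
    """General Staff as the whole subnet (split=False) or as leftover ranges (split=True)."""
    general = remaining_ranges(SUBNET, FINANCE + MANAGERS) if split else [SUBNET]
    return {"Finance Department": FINANCE, "Managers": MANAGERS, "General Staff": general}


if __name__ == "__main__":
    print("General Staff ranges:", remaining_ranges(SUBNET, FINANCE + MANAGERS))
    print("whole subnet :", matching_groups("192.168.1.100", build_groups(split=False)))
    print("split ranges :", matching_groups("192.168.1.100", build_groups(split=True)))
```

With the whole subnet entered for General Staff, a manager's address matches two groups; with the leftover ranges it matches only Managers.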

3.6.2.2 Application Control Policy

[Application Control Policy] covers the configurations of [Access Control], [Web Filter] and [Flow].

3.6.2.2.1 Application Control

With [Access Control] rule, you can control the applications which the LAN users get access to, or allow/deny their access to certain application. The access control rule may be based on [Application], [Service] and [Advanced] (proxy).

[Application] configures the items based on which the content of data packets are inspected and analyzed, and then achieves controlling over certain application. The WAN Accelerator is integrated with a library of identification rules on some common applications (please refer to Section 3.6.1.1 Application Identification). The [Application] configuration references the existing application identification rules and helps to control the user's access to these applications.

[Service] configures the IP address, protocol number and port of the data packets based on which the Internet access data will be inspected and controlled. Before configuring the items, you have to create the needed destination IP group on the [System] > [Network Objects] > [IP Group] page, and configure the target protocol or port on the [System] > [Network Objects] > [Application List] page (please refer to Section 3.4.1.2 Application List). The [Service] configuration references the existing application objects and controls the user's access to these applications.

[Advanced] includes the options of whether to allow HTTP proxy and SOCK proxy. Check the [Allow to use other protocol in standard ports of HTTP protocol and SSL protocol] option to prevent some applications from using HTTP port (TCP 80) and SSL port (TCP 443) to transmit their data, hence disallow them to shy away from the control of the WAN Accelerator.

3.6.2.2.2 Web Filter

With [WEB Filter] rule, you can control the Internet access of the LAN user via HTTP protocol, by filtering the URLs to be browsed, by filtering the keywords to be searched through the search engine, and by filtering the keywords contained in the uploaded information and the file types to be uploaded or downloaded via HTTP.

[URL Filter] covers [Basic] and [Advanced] options. [Basic] options help to inspect the website of the to-be-browsed URLs and control the user's web browsing behaviors. [Advanced] options help to inspect the website of the to-be-browsed URLs and control the user's HTTP POST behaviors when they are browsing websites. In other words, if you need an access control policy that allows some LAN users to browse a website but does not allow them to post on the forum of this website, configure an [Advanced] URL filter policy. The URLs to be referenced are the existing URL groups configured on [Bandwidth Management] > [Objects] > [URL Group] page. The SANGFOR WAN Accelerator 6.0 is integrated with a library of a great many URL groups, you can reference the internal URL group, or define a needed URL group by yourself (for details, please refer to Section 3.6.1.3 URL Group).

[File Type Filter] configures the file types based on which the HTTP/FTP upload and download are filtered. [File Type Filter] covers [Upload] option and [Download] option. The to-be-referenced file types are configured on the [Bandwidth Management] > [Objects] > [File Type Group] page (for details, please refer to 3.6.1.4 File Type Group).

3.6.2.2.3 Flow

[Flow] covers [Flow] and [Connection] options. [Flow] option helps to make (daily, weekly or monthly) flow statistics of each application for users of this user group. [Connection] option helps to limit number of sessions of a single IP with the external networks. If number of the concurrent sessions is more than that allowed, the excessive sessions will be disconnected.

Case Study 28: Configure Application Control Policy for Specific User/User Group

Both user/user group and application control policy are individual objects in the WAN Accelerator. To make these objects work, you have to associate the application control policy with the corresponding user or user group. When the user/user group is getting access to the Internet, the corresponding application control policy will take effect.

Note: Application control policy is only applicable to user group(s). If you want to apply an application policy to a single user, define a user group that covers the IP address or MAC address of only that user.

Please follow the steps below to configure an application control policy:

Step 1: Create a needed user group (of LAN user) on the [Bandwidth Management] > [Policy Settings] > [User Group] page (for details, please refer to Section 3.6.2.1 User Group).

Step 2: Under the [Bandwidth Management] > [Policy Settings] > [Application Control Policy] page, click the <New> button to create a new application control policy, as shown below:

Select [Single Policy] or [Multiple Policies]. Enter a name for this application control policy. If you are creating multiple policies, enter the policy names, one entry per row; the rules of the policies are exactly the same.

Step 3: Configure [Expiry Date] and the [User Group], as shown below:

Options for [Expiry Date] are [Never] and [Expired on]. After you have completed configuring an expiry date, this application policy will automatically get invalid on the preset date.

Step 4: Select user group, as shown below:

You can select the [All] option to have this application control policy be applicable to all the LAN users, or select the [Custom] option and select the needed user group(s) from the [Available] user group list to the [Selected] user group list, to have this application control policy apply to the selected user group(s).

Step 5: Configure the rules of [Access Control], [Web Filter] and [Flow].

Step 6: Click the <OK> button to save all the above settings.

Case Study 29: Configure a Needed Application Control Policy

We still take Case Study 23 as the background. The requirements for each user group are as follows:

a.) Finance Department: Deny the LAN users of this user group to access the Internet but allow their access to the Intranet of the Headquarters (172.16.0.0/16), make flow statistics of this user group.

b.) Managers: Allow the LAN users of this group to access the Internet, each user can have maximum 300 concurrent sessions, make flow statistics of this user group.

c.) General Staff: Allow the LAN users of this user group to access the Internet but deny them to use P2P download tools, make flow statistics of this user group.

Configuration steps are as shown below:

Step 1: Click [System] > [Network Objects] > [IP Group] to create an IP group, as shown below:

Click the <New> button and the options appear, as shown below:

Configure the required items and then click the <OK> button to save the settings. It backs to the default configuration page of [IP Group]. The newly-created IP group is as shown below:

Step 2: Click [Bandwidth Management] > [Policy Settings] > [Application Control Policy] to create an application control policy named Finance Department, select the needed user group Finance Department, as shown below:

Step 3: Configure a rule to deny the user group Finance Department to get access to the Internet, as shown below:

Note: Internet behaviors of the users involved in a user group can only be distinguished according to the IP addresses instead of their behaviors. For instance, they may use the ping command, browse webpage, access FTP server or even use video when accessing the headquarters' network and public networks. For this reason, [Service] rules have to be configured to control their access to the networks.

Step 4: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of This User Group] option to make the flow statistics for this user group Finance Department, as shown below:

Click the <OK> button to save the above settings. Till then, we have completed configuring the application control policy for the user group Finance Department.

Step 5: Configure an application control policy named General Staff, select the user group General Staff, as shown below:

Step 6: Configure a rule to deny the user group General Staff to use the P2P download tools, as shown below:

Step 7: Check [Flow] > [Flow] and the [Make Flow Statistics of Each Application for Users of This User Group] option to make the flow statistics for this user group General Staff, as shown below:

Click the <OK> button to save the above settings. Till then, we have completed configuring the application control policy for this user group General Staff.

Step 8: Create an access control policy named Managers, configure the [Connection] options, enable sessions control and configure [Concurrent Sessions Limit Per IP] as 300, check [Flow] > [Flow] and [Make Flow Statistics of Each Application for Users of This User Group] option to make the flow statistics for the user group General Staff, as shown below:

Click the <OK> button to save the above settings. Till then, all the needed policies have been configured and are seen on the [Bandwidth Management] > [Policy Settings] > [Application Control Policy] page (as shown in the figure below), and the needs of the customer are satisfied.

3.6.3 Bandwidth Settings

Bandwidth management is achieved by building a bandwidth channel to control the flow for various applications. The limitations are fulfilled through configuring assured bandwidth and bandwidth limitation. With assured bandwidth configuration, you can guarantee enough bandwidth for some key applications; with bandwidth limitation, you can limit the uplink/downlink bandwidth of some user/user group, and of various applications.

Some Basic Concepts:

Bandwidth channel: We divide a bandwidth channel into smaller parts in proportions, according to the service and application, user/user group. Each smaller part is taken as a bandwidth channel, [Assured Channel] or [Limited Channel].

Limited channel: Configures the options based on the maximum flow speed of the channel. When the network is busy, the bandwidth occupied by this channel will be no more than the preset maximum bandwidth.

Assured channel: In addition to configuring the maximum bandwidth of the channel, it also configures minimum bandwidth (assured). Even when the network is busy, the minimum bandwidth of this channel will be no less than the preset assured bandwidth.

Virtual line: Virtual line is applicable to the bridge-mode WAN Accelerator. One virtual line can be divided into several lines. Each subdivided line can be allocated with some bandwidth, being regarded as a bandwidth channel.

Priority: When the bandwidth management (BM) function is enabled, the data packet going through the WAN Accelerator will try to match a bandwidth channel, according to the conditions of user/user group, destination IP group, valid time, service and application. If all the conditions are satisfied, the data packet can get a bandwidth channel. A same data packet will get maximum one bandwidth channel matched. Since the bandwidth channels are matched from top to bottom, you had better move the more detailed and specific rules to the top of the bandwidth channel list.

3.6.3.1 Virtual Line

Under Bridge mode, the bandwidth management function is specific for the overall lines of the network by default, and there is one default line (Line1) shown in [Virtual Line] default configuration page. If you do not create another virtual line, all the data packets are taken as data of a same line from the viewpoint of the WAN Accelerator, no matter how many lines the frontend device is connected with, or whether the WAN Accelerator is in Double Bridge mode and has two egresses. What's more, the bandwidth of Line1 will be the bandwidth sum of the lines (provided that the frontend device is connected with several external lines from the public network, or the WAN Accelerator is in Double Bridge with multiple egresses). As a result, you cannot accomplish bandwidth managing over the multiple external lines. Therefore, if you want to distinguish the lines when doing bandwidth management, you need to create virtual lines to achieve your network design and management.

Case Study 30: Create Virtual Line

To have the WAN Accelerator work in Bridge mode, the firewall should have two egresses, among which Line1 is allocated with 10Mb/s and Line 2 is allocated with 4Mb/s. Policy routing of the firewall: 202.96.0.0/24---Line1, 58.251.0.0/24----Line2

Requirements: Control the bandwidth of the two lines for P2P data. For example, the bandwidth for P2P data going through these two lines must not be higher than 20% of total allocated bandwidth for each line.

Configuration steps are as follows:

Step 1: Configure two virtual lines representing respectively the two external public lines of the firewall, one line with the bandwidth of 10Mb/s and the other line with the bandwidth of 4Mb/s (the actual bandwidth of the two Internet lines). Go to the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, and configure the bandwidth of Line1, as shown below:

In the same way, click <Add> and configure the bandwidth of Line2, as shown below:

Step 2: Configure rule for these two virtual lines. To configure rule for virtual line is to have the data allocated to different virtual lines according to the line selection rule, and to have the virtual lines and external lines be well associated. Generally, the frontend device is configured with line selection rule, therefore, you need only configure the virtual line rule with the frontend device's route settings. Just follow the route settings on the firewall to configure the virtual line rule.

Go to the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, and click the <New> button, and the interface pops up (as shown below).

[Protocol Type]: Specifies the protocol used by the data packet.

[LAN IP]: Configures the source IP address and source port of the data packets.

[WAN IP]: Configures the destination IP address and destination port of the data packet.

[Physical Interface]: Configures the bridge that forwards the rule-matched data packet (in multibridge mode).

[Target Line]: Configures a virtual line that will transfer the data packet if the above four conditions are satisfied.

Follow the rule of the firewall. As for the data forwarded to the destination IP address 202.96.0.0/24, we define this virtual line as Line1.

Step 3: Follow the steps above to configure another virtual line rule, so as to keep the virtual line rules exactly the same as the policy routing rules of the firewall.

Note: The virtual line rules are matched from top to bottom (according to the rule order in the virtual line rule list).

Note: Several virtual line rules are allowed to be configured at the same time. Click the <Import> button of [Import Rules in Batches] and then configure the needed rules, however, you can only configure the destination IP address and bridge (physical interface) of these rules in batch.

Note: Virtual line rules can be imported and exported, in format of .ini.
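Because virtual line rules are matched from top to bottom and have to mirror the firewall's policy routing, a broad rule placed first can silently pull traffic onto the wrong line. The following Python sketch is an added example, not SANGFOR code: it models a rule with only protocol, LAN network and WAN network (ports and the physical interface are left out), uses the two policy routes of Case Study 30, and assumes that a packet matching no rule gets no line (`None`); the rule lists, the probe address and all names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualLineRule:
    protocol: str     # "tcp", "udp" or "any"
    lan_ip: str       # source network in CIDR form
    wan_ip: str       # destination network in CIDR form
    target_line: str


def _proto_covers(outer, inner):
    return outer == "any" or outer == inner


def select_line(rules, protocol, src, dst):
    """First match wins, in list order (top to bottom)."""
    for rule in rules:
        if (_proto_covers(rule.protocol, protocol)
                and ipaddress.ip_address(src) in ipaddress.ip_network(rule.lan_ip)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.wan_ip)):
            return rule.target_line
    return None  # assumption: no rule matched, no line assigned


def shadowed_rules(rules):
    """Return (earlier, later) index pairs where the later rule can never match
    because an earlier rule covers its protocol and both of its networks."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (_proto_covers(earlier.protocol, later.protocol)
                    and ipaddress.ip_network(later.lan_ip).subnet_of(
                        ipaddress.ip_network(earlier.lan_ip))
                    and ipaddress.ip_network(later.wan_ip).subnet_of(
                        ipaddress.ip_network(earlier.wan_ip))):
                pairs.append((i, j))
                break
    return pairs


def audit_against_routes(rules, routes, lan_host):
    """Probe the first and last address of every firewall route and report
    (destination, expected line, selected line) where the two disagree."""
    mismatches = []
    for dst_net, expected in routes.items():
        net = ipaddress.ip_network(dst_net)
        for probe in (net.network_address, net.broadcast_address):
            got = select_line(rules, "tcp", lan_host, str(probe))
            if got != expected:
                mismatches.append((dst_net, expected, got))
                break
    return mismatches


# Policy routing of the firewall, as given in Case Study 30.
FIREWALL_ROUTES = {"202.96.0.0/24": "Line1", "58.251.0.0/24": "Line2"}

# Constructed rule lists: a catch-all first (wrong) and specific rules only (right).
MISORDERED = [
    VirtualLineRule("any", "0.0.0.0/0", "0.0.0.0/0", "Line1"),
    VirtualLineRule("any", "0.0.0.0/0", "58.251.0.0/24", "Line2"),
]
ORDERED = [
    VirtualLineRule("any", "0.0.0.0/0", "202.96.0.0/24", "Line1"),
    VirtualLineRule("any", "0.0.0.0/0", "58.251.0.0/24", "Line2"),
]

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(name, "shadowed:", shadowed_rules(rules),
              "mismatches:", audit_against_routes(rules, FIREWALL_ROUTES, "192.168.1.10"))
```

The same top-to-bottom, first-match reasoning applies to the bandwidth channel list described under Priority, which is why the manual advises moving the more specific entries to the top.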

3.6.3.2 Bandwidth Management

3.6.3.2.1 Bandwidth Channel

Assured Channel

[Assured Channel] is configured to guarantee the normal use of some key applications. You can set the minimum bandwidth for the channel, to make sure that the data of certain type is provided with bandwidth (no less than the configured value of bandwidth amount), and therefore make sure the key applications are available and in normal use even when the line is busy.

Case Study 31: Configure Assured Channel for a Specific Application

A company has a leased line, 10Mb/s, of CHINA TELECOM. Several LAN users access the Internet through this leased line.

Requirements: Allocate the members of Finance Department with bandwidth no less than 2Mb/s and no more than 5Mb/s to get access to the headquarters' data even when the line is busy.

Step 1: Under the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, configure the bandwidth of the public line, and the bandwidth value of Line1, as shown below:

Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] page, enable the bandwidth management system, as shown below:

Step 3: Configure assured channel. Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] > [Bandwidth Channel] and the default [Bandwidth Channel] configuration page is as shown below:

Click the <New> button to configure the assured bandwidth and maximum bandwidth for the members of Finance Department, as shown below:

[Channel Name]: Type one or more names for the bandwidth channels. One entry per row, length of each name is within 96 characters.

[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If [Custom] is selected, you can define and add services.

[User Group]: Configures the valid users and user groups. You can select [All] to have all the users and user groups applied to this policy, or select [Custom] to have some of the users or user groups applied to this policy.

[Destination IP Group]: Configures the destination IP address to which this bandwidth channel (policy) applies.

[Valid Time]: Configures the time period during which this bandwidth channel (policy) will get valid.

[Valid Line]: Configures the virtual line to which this bandwidth channel (policy) applies.

[Bandwidth Channel Type]: Defines the type of bandwidth channel, [Assured Channel] or [Limited Channel]. In this case study, it is [Assured channel], for you are required to guarantee the members of the Finance Department with at least 2Mb/s and at most 5Mb/s. Select the [Assured Channel] option, configure [Assured Uplink Bandwidth] and [Assured Downlink Bandwidth] ratio as 20%, and [Max Uplink Bandwidth] and [Max Downlink Bandwidth] ratio as 50% (because the total bandwidth is 10Mb/s, assured bandwidth is 2Mb/s and maximum bandwidth is 5Mb/s).

[Priority]: Options are [High], [Medium] and [Low]. The bandwidth channel with higher priority is preferred to be assigned with idle bandwidth (from other bandwidth channels).

[Bandwidth Upper Limit Per IP]: Click the [Enable] option and configure the [Uplink] and [Downlink] to limit the [Bandwidth Upper Limit Per IP]. In this case study, it does not require bandwidth upper limit to each IP address, therefore, there is no need to check and configure this option.

[Bandwidth Allocation Policy]: Configures the bandwidth for the users and the specific service/application that apply to this bandwidth channel (policy). The only option is [Allocate evenly]. Please note that the user indicates the user who is causing flow in this channel, excluding the users that apply to this channel but are not causing flow traffic.

Step 4: Click the <OK> button to save the assured channel settings and this newly-created [Bandwidth Channel] is listed in the bandwidth channel list of the [Bandwidth Channel] default configuration page, as shown below:

Note: The ratio sum of the assured bandwidth ratio might be over 100%. When it is over 100%, the assured bandwidth of each channel will reduce according to the proportions. For example, if we configure two channels, Line 1 is assured with 30% and Line2 is assured with 90%, the bandwidth actually allocated to Line1 is 30/(90+30)%, that is, 25%, and the bandwidth actually allocated to Line2 is 90/(90+30)%, that is, 75%.

Note: Channel with higher priority would preferentially use the idle bandwidth of other channels.

Limited Channel

[Limited Channel] configures the maximum bandwidth of the channel, that is to say, the maximum bandwidth of this channel shall not exceed the preset value. The data that matches the rules of this limited channel will be controlled.

Case Study 32: Configure Limited Channel for a Specific Application

A company has a leased line, 10Mb/s, of CHINA TELECOM. Several LAN users access the Internet through this leased line. It is found that the managers use some download tools such as Thunder, P2P, etc., and consume large amount of bandwidth resources, causing great impacts on the office businesses of other departments.

Requirements: With the bandwidth management system, configure a 2Mb/s bandwidth channel for this type of data.

Step 1: Under the [Bandwidth Management] > [Bandwidth Settings] > [Virtual Line] page, configure a public line Line1 and its bandwidth, as shown below:

Step 2: Under the [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] page, enable the bandwidth management system, as shown below:

Step 3: Configure the limited channel. Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] > [Bandwidth Channel], and click the <New> button to configure the maximum bandwidth for the members of Managers (no more than 2Mb/s, for the P2P and video data), as shown below:

[Channel Name]: Type a name for the bandwidth channel(s). One name per row, length of each name is within 96 characters.

[Service and Application]: Configures the specific service(s) applied to this bandwidth channel. If [Custom] is selected, you can define and add services. In this case study, we are going to control the flow for downloading data with P2P and download tools, the selected services and applications are [File Download]/[All], [P2P]/[All], [P2P Stream Media]/[All], [MEDIA]/[All]. Confirm the [Custom Service] items and complete configuring the [Service and Application] options. What is more, you can also select [Website Type] or [File Type]. [Website Type] options control the access to certain type of website, while [File Type] options control the file types downloaded through HTTP and FTP protocols.

[Destination IP Group]: Configures the destination IP address to which this bandwidth channel (policy) applies. you will see the newly-created channel displayed in the bandwidth channel list. therefore. or select [Custom] to have some of the users or user groups applied to this policy. there is no need to check and configure this option.0 User Manual [User Group]: Configures the valid users and user groups. In this case study. Select [Limited Channel] and allocate the [Maximum Uplink Bandwidth] and [Maximum Downlink Bandwidth] with 20% of the total bandwidth. [Assured Channel] or [Limited Channel]. In this case study. [Valid Time]: Configures the time period during which this bandwidth channel (policy) will get valid. [Bandwidth Upper Limit Per IP]: Check the [Enable] option and configure the [Uplink] and [Downlink] to limit the [Bandwidth Upper Limit Per IP]. Having completed configuring this page.2. [Bandwidth Allocation Policy]: Configures the bandwidth for the users and the specific service/application that applies to this bandwidth chancel (policy). [Valid Line]: Configures the virtual line to which this bandwidth channel (policy) applies. it is [Limited Channel] to control the bandwidth of P2P applications.3. The only option is [Allocate evenly]. Please note that the user indicates the user who is causing flow in this channel. Step 4: Having clicked the <OK> button. You can select [All] to have all the user and user groups applied to this policy. it does not require bandwidth upper limit to each IP address. excluding the users that apply to this channel but are not causing flow.SANGFOR WAN Accelerator 6. [Bandwidth Channel Type]: Defines the type of bandwidth channel.2 Exclusion Policy [Exclusion Policy] works in the case that some data are applicable to none of the bandwidth 184 .6. as shown below: 3. you have to click the <OK> button to save the limited channel settings.

channels and that you want to exclude some data from the bandwidth management. For instance, the WAN acceleration is deployed in Bridge mode and the DMZ network segment of the frontend firewall is connecting to some servers; the applications or IP addresses related to these servers need be excluded from the bandwidth channels (policies) in that the related data accessed by the LAN users have nothing to do with the public network and thus should be excluded from the bandwidth channels configured for the external lines.

Case Study 33: Configure Exclusion Policy
The WAN Accelerator works in Bridge mode and the DMZ network segment of the frontend firewall is connecting with some servers.
Requirement: Have the access data to these servers excluded from the existing bandwidth channels (policies).
Step 1: Under the [System] > [Network Objects] > [IP Group] page, click the <New> button and then add the needed IP address into the new IP group, as shown below:
Step 2: Click [Bandwidth Management] > [Bandwidth Settings] > [Bandwidth Management] > [Exclusion Policy] and the following default configuration page is seen. Click the <New> button to configure an exclusion policy.

Step 3: Configure the exclusion policy. Enter the [Name] and [Application Type]. If the application type is not a specified one, select [All]. Select a [Destination IP Group] (in this case study, it is the IP group configured in Step 1).
Step 4: Click the <OK> button to complete configuring the page and save the above settings.

3.6.4 Policy Troubleshooting
[Policy Troubleshooting] page enables you to view which module has denied the data packet, for what reason, so as to locate the configuration mistakes made on certain module or test whether some rules are taking effect or not.
Check the [Configure Conditions] option and the filtering conditions appear, such as [IP Address List], [Protocol Type] and [Port], as shown below:

[IP Address List]: Configures the IP address to which this rule is applied. It defaults including all the network segments.
[Protocol Type], [Port]: Configures the protocol condition that only when the protocol and port contained in the transmitted data packet are the configured ones will the denied information be recorded.
Click the <Enable Drop List> button to enable the Drop list (all the access control policies configured on the WAN Accelerator are taking effect), and the packets (to be denied) applicable to the policies will be denied and the related information will be outputted to a WEB page. Click the <Click here to view packet drop list> button to open the page and view detailed information of the denied data packets, or click the <F5> key to refresh and view the page.
Click the <Enable Drop List and Bypass> button to enable the drop list and enable the bypass function (all the access control policies configured on the WAN Accelerator will get invalid), and the data packets applicable to the policy (to be denied) will be let pass and the related information will be outputted to a WEB page. Click the <Click here to view packet drop list> button to open the page and view the detailed information of the denied data packets, or click the <F5> key to refresh and view the page. This function helps do troubleshooting quickly and locate the configuration mistakes made on bandwidth management (BM) module (of the WAN Accelerator) which caused faults such as network disconnection, etc., and therefore helps the network administrator to quickly correct the configurations.
<Close Drop List>: Click this button to close the Drop list and disable the bypass function.

3.6.5 Advanced

3.6.5.1 Proxy Server
[Proxy Server] works in the case that the users of the WAN Accelerator get access to the Internet through proxy. In that case, when all the Internet access data are forwarded to the proxy server, most of the functions of the SANGFOR WAN Accelerator will get invalid, as the firewall module decides whether to allow or deny the data packet only according to the destination address and port. To have the firewall module function, you first need to have the WAN Accelerator to unveil the real IP address and port through which the data packets are forwarded by the proxy, and then enable the firewall to get the information. The configuration page is as shown below:

3.6.5.2 Excluded IP
[Excluded IP List]: If the IP address of a LAN user or the destination IP address of a server is any of the IP addresses configured in the [Excluded IP List], the access of the LAN user to the Internet or to the destination server will not be monitored, the data packets getting passed directly. The configuration page is as shown below:

If the firewall has configured a rule on any of the IP addresses that are involved in the exclusion rule, the firewall rule has higher priority.

3.6.5.3 Auto Update
[Auto Update] page configures the update options of the internal [URL Library] and [Application Identification]. The configuration page is as shown below:
[Enable Auto Update]: Tick the check box to have the internal URL library and Application Identification update automatically.
<Update Now>: Click this button to immediately update the URL library and Application Identification that have not gotten expired.

To update the URL library and Application Identification, the WAN Accelerator should be ensured to connect to the Internet. To ensure update speed, select an update server. Generally, the update process will go faster if the ISP server of the update server is the same as that used by the local WAN Accelerator.
If the WAN Accelerator cannot access the Internet, you then need to configure [HTTP Proxy] options in [Server Update Settings] (provided there is HTTP proxy), so as to ensure the WAN Accelerator to access the Internet smoothly and update the URL items. [HTTP Proxy] requires server [IP address] and [Port]. [Require Authentication] requires [Username] and [Password].
Auto update of application identification library is a new update service provided by SANGFOR. To enable the application identification library of WAN Accelerator to update online, customer needs to purchase the license (serial number) and ensure the WAN Accelerator can access the Internet.

3. What’s is more.7 Firewall IPSec SANGFOR WAN Accelerator is integrated with high-performance and enterprise-level firewall fulfilling status inspecting. the built-in anti-DoS function enables the SANGFOR WAN Accelerator to defend against the DoS attacks from external networks. SNAT rule has to be added manually. The default configuration page is as shown below: Case Study 34: Configure SNAT Rule Provided that one network segment of the local area network is 192.7.1.7. 191 . As a result. The SANGFOR WAN Accelerator is about to proxy the LAN users of this network segment to get access to the Internet. This firewall can efficiently protect the internal network from various attacks while it is connecting to the Internet or other local area networks through VPN.168. Follow the steps below to configure the SNAT rule: Click the <New> button and configure the following required options. 3.0/24.SANGFOR WAN Accelerator 6.2 SNAT [SNAT] page configures the SNAT (Source Network Address Translation) rules to have the local area network get access to the Internet through the proxy function of the firewall.0 User Manual 3. as well as to defend the DoS attacks initiated by the Intranet computers.1 NAT [NAT Rules] covers [SNAT] and [DNAT] configurations. The system is built in with no SNAT rule.

[Rule name]: Defines the name of the SNAT rule.
[Source Address]: Subnet segment is 192.168.1.0 and subnet mask is 255.255.255.0.
[Translate Source Address To]: Enter the IP address of the WAN interface (the proxy uses a public IP as the WAN interface IP).
Check the [Enable] option and then click the <OK> button, as shown below:

Or check the [Advanced Settings] option to configure the advanced options, such as [Destination Address] and [Protocol], as shown below:

3.7.3 DNAT
[DNAT] page configures the DNAT (Destination Network Address Translation) rules of the firewall. In case that a LAN server needs to provide the external networks with services, adding a DNAT rule is a necessity then. The default configuration page is as shown below:

Case Study 35: Configure DNAT Rule
A computer (IP address: 192.168.1.100) of a local area network is to provide the external networks with WEB service, using port 80.
Requirement: Configure a DNAT rule to deliver the port 80 to the public networks.
Follow the steps below to configure the DNAT rule:
Step 1: On the [Firewall Rules] default configuration page, click the <New> button to add a new firewall rule (to allow the WEB services) and configure the following required options:
[Rule Name]: Enter the name of firewall rule DNAT and select [Action] Allow.
[Service]: Select the [HTTP] option. (If there is no such [HTTP] option, click <Add> followed to add a HTTP application.)
[Src. IP]: Select the [ALL IP] option.
[Dst. IP]: Select server. IP address of server should be defined in advance. (If there is no such IP group, click <Add> followed to add this IP group, name it and enter the IP address 192.168.1.100.)
Check the [Enable Rule] option and click the <OK> button, as shown below:

Step 2: Under the [DNAT] page, click the <New> button to add a new DNAT rule.
[Rule Name]: Name this DNAT rule.
[Ingress Interface]: Select WAN1 as the ingress interface.
[Protocol]: Select [Protocol] TCP, [Source Port] is 0 and [Destination Port] is from 80 to 80.
[Translate Destination Address To]: Select [IP] and enter 192.168.1.100, [Port] is from 80 to 80.
Check the [Enable] option and click the <OK> button. The configuration page is as shown below:

After this DNAT rule takes effect, the external networks can access the WEB service provided by the internal network with the help of this DNAT rule.

The LAN server that uses the DNAT rule (configured on the SANGFOR WAN Accelerator) to provide the external networks with service must be connected to the Internet through the NAT proxy of the device (in other words, the LAN server’s gateway directs to the WAN Accelerator or the route for Internet access eventually directs to the WAN Accelerator); otherwise, the DNAT rule will not take effect.

3.7.4 Firewall Rules
The hardware firewall of the SANGFOR WAN Accelerator is integrated with stateful inspection packet filtering technology. It allows you to filter data packets according to protocol, source IP address and destination IP address. Click the <New> button and the configuration page appears, as shown below:

[Rule Name]: Defines the name of the firewall rule.
[Sequence Number]: Configures the sequence number of this firewall rule.
[Description]: Configures a brief description for this firewall rule.
[Action]: Configures the final measure to be taken once the data matched this firewall rule.
[Service]: Configures the service type to which this firewall rule is applied. If the list contains no needed service, you can click <Add> to add a new service type (for detailed configuration guide, please refer to Section 3.4.4.2 Application List).
[Src. IP]: Configures the source IP address to which this firewall rule is applied. If the list contains no needed source IP group, you can click <Add> to add a new IP group (for detailed configuration guide, please refer to Section 3.4.4.1 IP Group).
[Dst. IP]: Configures the destination IP address to which this firewall rule is applied. If the list contains no needed destination IP group, you can click <Add> to add a new IP group (for detailed configuration guide, please refer to Section 3.4.4.1 IP Group).
[Valid Time]: Configures the valid time when this firewall rule is valid. If there is no needed time schedule, you can click <Add> to add a new time schedule (for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule).
Check the [Enable Rule] option. The moment you complete configuring this firewall rule, it gets valid.

Check the [Enable Log] option, and all the information of the applicable data going through the WAN Accelerator will be recorded as logs.

This function will produce massive logs; it is NOT recommended to be enabled if unnecessary.

Case Study 36: Open Port of Local Area Network
A SSL VPN of a local area network is to be delivered to the external networks.
Requirement: Allow the data of external networks to access the SSL device (IP address: 192.168.1.200) on port 443.
Follow the steps below to configure the firewall rule:
Under the default configuration [Firewall Rules], click the <New> button and configure the following required options:
[Rule Name]: Enter the rule name HTTPS.
[Sequence Number]: Define the sequence number of the rule as 1.
[Action]: Select [Allow] to allow the data packet go through if it matches this firewall rule.
[Service]: Select [SSL] as the service (if there is no [SSL] option, click <Add> to add it; for detailed configuration guide, please refer to Section 3.4.4.2 Application List).
[Src. IP]: Select [All IP].
[Dst. IP]: Select HTTPS SERVER (if the list contains no needed destination IP group, you can click <Add> to add a new IP group HTTPS SERVER whose IP address is 192.168.1.200; for detailed configuration guide, please refer to Section 3.4.4.1 IP Group).
Check the [Enable Rule] option and click the <OK> button, as shown below:

3.7.5 Anti-DoS
Firewall is responsible for protecting the local area network from being attacked by users of the external networks. But it is well-known that, most of the time, virus-infected computer of a local area network will send large number of data packets to the gateway, which may result in bandwidth congestion or gateway breakdown. To solve the aforesaid problems, SANGFOR WAN Accelerator 6.0 is integrated with an Anti-DoS attack function to monitor the quantity of data packets sent from certain IP address to the gateway in a unit time. When number of the data being sent exceeds certain value, the VPN device (SANGFOR WAN Accelerator) will regard it as DoS attack from this IP, and instantly stop the host from transmitting data packets for a while for self-protection. For configuration of this function, please refer to the [Anti-DoS] page, as shown below:
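The per-source counting and temporary blocking described for the Anti-DoS function can be modelled as follows. This is an added example, not SANGFOR's code: the class name, the verdict strings, the fixed one-second counting window and the order of the checks are assumptions, and the sample traffic is constructed.

```python
import ipaddress


class AntiDosMonitor:
    """Per-source SYN counter with a temporary host block (hypothetical model)."""

    def __init__(self, lan_address_list, excluded_ip_list,
                 max_syn_per_second, block_minutes):
        self.lan = [ipaddress.ip_network(n) for n in lan_address_list]
        self.excluded = {ipaddress.ip_address(a) for a in excluded_ip_list}
        self.max_syn = max_syn_per_second
        self.block_seconds = block_minutes * 60
        self.window = {}         # source IP -> (second, SYN count in that second)
        self.blocked_until = {}  # source IP -> time at which the block ends

    def handle_syn(self, src, now):
        """Return the verdict for one SYN from `src` seen at time `now` (seconds)."""
        ip = ipaddress.ip_address(src)
        # Sources outside the LAN address list are dropped outright.
        if not any(ip in net for net in self.lan):
            return "drop: outside LAN address list"
        # Excluded hosts are never counted or blocked.
        if ip in self.excluded:
            return "pass: excluded"
        # A host that tripped the threshold stays blocked until the timer ends.
        if now < self.blocked_until.get(ip, 0.0):
            return "drop: host blocked"
        second = int(now)
        start, count = self.window.get(ip, (second, 0))
        if start != second:      # a new one-second window begins
            count = 0
        count += 1
        self.window[ip] = (second, count)
        if count > self.max_syn:
            self.blocked_until[ip] = now + self.block_seconds
            return "drop: attack detected"
        return "pass"


def replay(monitor, events):
    """Feed (time, source) pairs to the monitor and collect the verdicts."""
    return [monitor.handle_syn(src, t) for t, src in events]


# Constructed sample traffic: (time in seconds, source IP).
SAMPLE_EVENTS = (
    [(0.0, "192.168.1.50"), (0.1, "192.168.1.50"), (0.2, "192.168.1.50"),
     (0.3, "192.168.1.50"), (0.4, "192.168.1.50"),   # burst from one host
     (30.0, "192.168.1.50"),                         # still inside block time
     (61.0, "192.168.1.50")]                         # block time has elapsed
    + [(62.0 + i / 10, "192.168.1.10") for i in range(5)]  # excluded host
    + [(63.0, "10.9.9.9")]                           # not in LAN address list
)


def demo():
    monitor = AntiDosMonitor(
        lan_address_list=["192.168.1.0/24"],
        excluded_ip_list=["192.168.1.10"],
        max_syn_per_second=3,
        block_minutes=1,
    )
    return replay(monitor, SAMPLE_EVENTS)


if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE_EVENTS, demo()):
        print(f"{t:6.1f}s  {src:<14} {verdict}")
```

The excluded host sends the same burst as the blocked host and is never counted, which is why entries in an exclusion list deserve the same review as firewall allow rules.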

[LAN Address List]: Configures the LAN IP range which gets access to the Internet through the SANGFOR WAN Accelerator. The data packets from the IP addresses outside the [LAN Address List] will be dropped by the WAN Accelerator. If the source IP is in the list, the device will calculate and inspect each setting for anti-DoS attack, in order to handle the events accordingly.
Function of [LAN Router List] is similar to that of the [LAN Segment List].
[Excluded IP List]: Configures the LAN IP addresses that are free from the protection of the anti-DoS policy.
Other optional settings are available, such as [Max New TCP Connections Per IP Within One Minute], [Max SYN Packets Per IP Within One Second] and [Host Blocking Time After Attack is Detected (minute)]. Please set them according to your case.

3.7.6 ARP Protection
To protect the local area network from ARP spoofing, you can configure the ARP protection options on the SANGFOR WAN Accelerator. The configuration page is as shown below:

[Enable ARP Protection]: Check this option to enable the ARP protection function.
[Static ARP List]: Configures the IP address and MAC address that are to be bound with the LAN device or computer.
[Broadcast Interval of The Device MAC Address]: Indicates the frequency broadcasting the IP address and MAC address of the gateway (the LAN interface of the WAN Accelerator) to the local area network.
Click the <Save and Apply> button to save and apply the above settings.

3.8 Sangfor VPN

3.8.1 Configure HQ WAN Accelerator
This section describes how to configure the HQ WAN Accelerator (HQ VPN) of the SANGFOR VPN so that the peer branch WAN Accelerator can establish VPN connections with the local end (server end). Related configuration pages are [Basic Settings], [VPN Users] and [Virtual IP Pool], as shown below:

3.8.1.1 Basic Settings
[Basic Settings] on the server WAN Accelerator covers the settings that enable the VPN user to connect in, such as settings of Webagent information, MTU, minimum compression value, VPN listening port, VPN connection mode, broadcast and performance.

22:4009).133:4009)..  If the [Shared Key] is configured.g.0 User Manual [Primary WebAgent]. <Shared Key>: Configures the shared key needed when VPN connection is established.96. 202. you may click the <Test> button to check the connectivity of the Webagent. all the branch VPN sites have to configure the same shared key to interconnect and communicate with each other.23.134.67. 202 . the Webagent must be in format of “IP address:Port” (e. [Secondary WebAgent]: Specifies the WEB server address where the dynamic addressing file locates. The only solution is to contact the Customer Service of SANGFOR to generate a new file (without Webagent password) and replace the original one. there is no way to get back the lost password. which are written as “IP1#IP2#IP3#IP4:4009”. format of Webagent address is “IP1#IP2:Port” (e.. <Modify Password>: Click this button to change the password of the Webagent.96. the Webagent must be in format of Webpage URL which ends with . which will help to prevent illegal users from using and updating fake IP addresses into the Webagent page.133#58.php (you can apply for Webagent from SANGFOR free of charge. If the server WAN Accelerator uses dynamic IP address. The shared key can prevent illegal devices from connecting in.134. Having typed in the Webagent address.g.SANGFOR WAN Accelerator 6. 202. or obtain Webagent file and deploy Webagent server by yourself).  A Webagent supports maximum 4 static IP addresses. In case there are several lines whose IP addresses are static IP addresses.  If the Webagent password gets lost. If the server WAN Accelerator uses static IP address.

[MTU]: Configures the MTU (Maximum Transmission Unit) of the data transmitted among the VPN sites. It is 1500 by default (recommended).
[Min Compression Value]: Configures the minimum size of a VPN data packet that is to be compressed. It is 100 by default.
[VPN Listing Port]: Configures the listening port for the VPN service. It is 4009 by default. You can change the port according to your case.
[Modify MSS]: Configures the maximum size of the fragmentation under UDP transmission mode.

Generally, it is recommended to adopt the default [MTU], [Min Compression Value] and [Modify MSS] values. If you need change the values, please follow the instructions given by the SANGFOR technicians.

[Directly connect], [Indirectly connect]: Select the connecting methods fulfilled between the WAN Accelerator and the Internet, [Directly connect] or [Indirectly connect]. If the Internet IP address can be obtained directly or the Internet users can access the VPN port of the WAN Accelerator with DNAT (destination network address translation) function, select [Directly connect]; if the Internet IP address cannot be obtained, select [Indirectly connect].
<Advanced>: Click this button and the [Advanced Settings] dialog appears, as shown below:

[Threads]: Configures the maximum number of VPN connections. It is 20 by default. One WAN Accelerator allows maximum 1280 VPN connections.

If you need to modify this parameter, please DO follow the instructions given by the SANGFOR technicians.

[Broadcast Packet]: Configures whether to allow broadcast packets to be transmitted on the VPN channels (some applications, such as My Network Places, need the support of broadcast packet). You can specify a port to transfer broadcast packets, so as to avoid broadcast storm from appearing at both ends of a VPN connection.
[Multicast Settings]: Configures whether to allow multicast packets to be transmitted on the VPN channels (some video applications need the support of multicast packet).
Having completed configuring this tab, you have to click the <Save> button to save the settings.

3.8.1.2 VPN User
[VPN User] is used for managing the connecting-in VPN user accounts. The configurations include user name, password of the connecting-in VPN user and the algorithm applied to configuring this account, user type (mobile VPN or branch VPN), whether to enable hardware authentication and DKey, virtual IP, expiry date of the account, LAN privilege of this account, grouping the user and the public attributes of the group users, multicast settings, tunnel parameter and tunnel flow control.

The default page is as shown below:
<Check DKey>: Click the <Check DKey> button to inspect whether the DKey has been inserted into the USB port of the computer (through which you have logged in to the WAN Accelerator console). If it has not yet been installed with the DKey driver, you will be prompted to download the DKey driver.
<Download DKey Driver>: Click the <Download DKey Driver> link to download and install the driver.

Before generating the DKey, please DO install the DKey driver; otherwise the computer cannot recognize the DKey hardware.
During the process of installing the DKey driver, please DO close the third-party anti-virus software and firewall; otherwise, conflicts between the programs will appear and the DKey driver will fail to be installed.

<Search>: Click this button to search for the specified username. The matching user will be highlighted in yellow, as shown below:
<Advanced Search>: Click this button to enter the [Advanced Search] webpage dialog and specify detailed conditions for searching user, such as conditions of user group, user type (mobile VPN or branch VPN), user status (enabled or disabled), group property (enabled or disabled), DKey (enabled or not enabled), idle time of the account, etc., as shown below:
<Delete>: Click this button to delete the selected user account(s).
<New User>: Click it to add a new user. Configure the username, password, type, description and algorithm. The [Add User] page is as shown below:
[Authentication]: Configures the authentication method, [Local] (hardware authentication),

Before checking the [Use Group Properties] option. please go to the [Sangfor VPN] > [Third-Party Auth] > [Radius Server Settings] tab or [LDAP Server Settings] tab to configure a corresponding authentication server. you have to add the user group first. once this mobile VPN user connects to the VPN.0.id format). Click the <Browse> button to select and upload the certificate file (in *.0 User Manual [LDAP] or [RADIUS] Before using Radius authentication and LDAP authentication. [Use Group Properties]: Classifies the user into certain group and configures whether to have the user adopt the group properties. [Enable Hardware Auth]: Check this option to configure the hardware-featured certificate for authentication. [Enable DKEY]: Check this option to enable the mobile VPN user(s) to use DKey authentication. [Enable Compression]: Check this option and the WAN Accelerator will compress the data that 207 . [Enable Expiry Time].0.0 indicates that the system will automatically allocate a virtual LAN IP address (from the virtual IP pool) for this user.SANGFOR WAN Accelerator 6. please DO first insert the DKey into the USB port of the computer and then generate the DKey by clicking the <Generate DKEY> button. [Valid Time]: Configures respectively the valid time of the VPN user (connecting-in user account). After the user is added to this group. [Enable My Network Places]: Check this option if the VPN user needs to use My Network Places. IP address 0. Check this option and the user will added to the specified group and adopt the public properties of this selected group. Before enabling the DKey. [Expired At]: Configures the expiry time of the VPN user (connecting-in user account). it will take this allocated IP address as the virtual LAN IP. [Enable My Network Places] and [LAN Privilege] options are unavailable. [Enable Virtual IP]: Mainly used for allocating virtual IP address to the mobile VPN (users). the [Algorithm]. 
If a user’s user type is defined as “Mobile VPN” and is allocated with a virtual LAN IP address (from the virtual IP pool).

in particularly in network environment with limited bandwidth resources. there is not privilege limitation. By default. Tunnel flow control options help to control the flow of certain connecting-in branch VPN user. not allowing the flow to get too high. and accelerate data transmission. Before configuring [LAN Privilege]. [Deny Internet Access after Connecting to VPN]: This function is only available for the mobile VPN users. The multicast service mainly provides the multicast protocol support required by some applications (such as video. such as the privileges of accessing some services. However. This is a unique technology of SANGFOR VPN. please go to the [VPN Settings] > [Advanced] > [LAN Service] page to add some needed services. this function is not suitable for all the cases. The related tabs are as follows: 208 . [Deny Password Change Online]: Check this option and mobile VPN user cannot modify the login password after it connects to the local VPN.0 User Manual are to be transmitted between the WAN Accelerator and the user. using the selected algorithm. Check this option and the mobile VPN users can only visit the local area network where the server VPN locates (unable to access the Internet). etc. tunnel NAT rules. [Enable Multi-User Login]: Check this option and this user account can be used by multiple users (for logon). <Advanced>: Click this button to enter the [VPN Advanced Properties] page and configure some advanced properties. uncheck this option and the user can modify the login password online. Tunnel NAT mainly solves the problem of IP conflict appearing when two branch VPN users of a same LAN network segment connect in to the HQ VPN at the same time. tunnel flow control.) used by and between the HQ VPN and Branch VPN.SANGFOR WAN Accelerator 6. including multicast service. etc. [LAN Privilege]: Configures the privileges of this user after it connects to the VPN. It will take the best advantage of the bandwidth. 
Check or uncheck this option according to your case.

For detailed introduction to line section policy, please refer to Section 3.8.3.1 Multi-Line Routing Policy.
For detailed introduction to multicast service, please refer to Section Step 4, Multicast Service.
[Tunnel Parameter] covers VPN tunnel timeout, dynamic detection among tunnels and tunnel flow control options.
[VPN Tunnel Timeout]: In network environment of high latency and packet loss rate, SANGFOR VPN enables you to configure timeout parameter for some specific networks. Timeout of each
channel is determined by the server WAN Accelerator and is 20 (seconds) by default. If your
network is even poorer, you can adjust it to a higher value.
[Enable Dynamic Detection Among Tunnels]: This option takes effect only when the local end or
the peer end has multiple Internet lines. If it is enabled, the SANGFOR WAN Accelerator will
periodically detect the latency and packet loss status of each line and select the optimal line to
transmit data according to the detected information.
[Enable Tunnel Flow Control]: Enable this option and every connecting-in user will be allocated
with a fixed amount of uplink and downlink bandwidth when multiple branch VPN users or
mobile VPN users connect in. This feature helps to avoid the situation that one branch VPN
user or mobile VPN user uses all the bandwidth resources of the HQ VPN and other branch users’
or mobile users’ accesses get slower, and therefore ensures that every user gets a normal speed to
access the HQ VPN.

[Enable Tunnel Flow Control] defines a value range rather than an exact value. For
instance, if the maximum flow is 100k, the actual flow amount will be controlled within 80-120k,
fluctuating around 100k.

[Tunnel NAT Rule]: It achieves SNAT (source network address translation) function when IP
addresses of multiple branches conflict. It enables those branch VPN sites to connect in and
communicate smoothly with the HQ VPN, without requirement on modifying network segment of
the related branches.


Tunnel NAT function is only available for branch VPN users.

<New>: Under the [Tunnel NAT Rule] tab, click this button to enter the [Tunnel NAT] webpage
dialog and create a new tunnel NAT rule. Type in the source subnet segment, subnet mask and the
translate-to subnet segment, and click the <Auto Allocate> button to have the system
automatically allocate it with an IP range from the virtual IP pool, as shown below:

[Source Subnet Segment]: Indicates the real subnet of the branch.
[Translated-to Subnet Segment]: Specifies the virtual IP range that the source subnet segment is to
be translated to.
[Subnet Mask]: Indicates the mask of the real subnet of the branch.

Please ensure that the subnet mask matches the source subnet segment. The tunnel NAT rule
only applies to the subnet segment of the configured mask, hostname of the computers
keeping unchanged.

Before configuring the [Tunnel NAT Rule] of [VPN Advanced Properties], please add the
needed virtual IP range for the branch on the [Sangfor VPN] > [Server] > [Virtual IP Pool].
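
How a tunnel NAT rule keeps two branches with the same LAN subnet apart, as an added example that is not SANGFOR's implementation. It assumes the rule maps addresses one-to-one (network part replaced, host part kept), takes the virtual range 192.168.20.0/24 from Case Study 37, and assumes 192.168.2.0/24 as the conflicting real subnet; the class, function and sample branch names are hypothetical.

```python
import ipaddress


class TunnelNatRule:
    """One tunnel NAT rule: source subnet, subnet mask, translated-to subnet."""

    def __init__(self, source_subnet, subnet_mask, translated_subnet):
        # Strict parsing raises ValueError when the mask does not match the
        # subnet (host bits set), the mistake the manual warns about.
        self.source = ipaddress.ip_network(f"{source_subnet}/{subnet_mask}")
        self.translated = ipaddress.ip_network(f"{translated_subnet}/{subnet_mask}")

    def outbound(self, branch_ip):
        """Branch to HQ: rewrite a real branch address to its virtual address."""
        return self._swap(branch_ip, self.source, self.translated)

    def inbound(self, virtual_ip):
        """HQ to branch: rewrite a virtual address back to the real address."""
        return self._swap(virtual_ip, self.translated, self.source)

    @staticmethod
    def _swap(addr, from_net, to_net):
        ip = ipaddress.ip_address(addr)
        if ip not in from_net:
            return str(ip)  # rule does not apply; address passes unchanged
        host_bits = int(ip) & int(from_net.hostmask)
        return str(ipaddress.ip_address(int(to_net.network_address) | host_bits))


def find_conflicts(branch_subnets):
    """Return pairs of branch names whose real LAN subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in branch_subnets.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Constructed sample: real LAN subnets reported by each branch account.
SAMPLE_BRANCHES = {
    "Branch-ShangHai": "192.168.2.0/24",
    "Branch-ShenZhen": "192.168.2.0/24",   # assumed to collide with Shanghai
    "Branch-Other": "10.1.0.0/16",
}


if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE_BRANCHES))
    rule = TunnelNatRule("192.168.2.0", "255.255.255.0", "192.168.20.0")
    print("branch host 192.168.2.37 appears at HQ as", rule.outbound("192.168.2.37"))
    print("HQ reaches it via", "192.168.20.37", "->", rule.inbound("192.168.20.37"))
    try:
        TunnelNatRule("192.168.2.0", "255.255.0.0", "192.168.20.0")
    except ValueError as exc:
        print("rejected mismatched mask:", exc)
```

Because HQ sees the branch only under its translated range, firewall rules and logs at HQ need to reference 192.168.20.x addresses rather than the branch's real ones.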

<New Group>: Under the [VPN Users] tab, click this button to add a new user group. Type a name
and description for this user group; define the group properties (includes [Encryption Algorithm],
[Enable My Network Places], [LAN Privilege] and [Advanced]). The page is as shown below:

As for the introductions to [LAN Privilege] and <Advanced> button, please refer to those
described above, for they are the same as those of adding a new user.

<Import Domain User>: Click this button to import the user accounts into the local device from
LDAP server (before importing the user, please configure the LDAP server first on the [Sangfor
VPN] > [Third-Party Auth] > [LDAP Server Settings] tab; for details, please refer to Section
3.8.4.1 LDAP Server). By default, the imported users use LDAP authentication method without
password. The page is as shown below:

Select the needed user and specify user type (mobile VPN or branch VPN), user group, and
encryption algorithm, and decide whether to enable compression and My Network Places; and
then click the <Import> button to import the selected users into the local WAN Accelerator from
the LDAP server. If users are imported successfully, the results are as shown below:


<Import Text User>: Under the [VPN Users] tab, click this button to import the TXT or CSV file
that contains the user information. You can specify a user group to import these users into this
group or use the group properties, and classify them as mobile VPN users or branch VPN users.
The TXT file should contain only simple user information in the format “username,,password”;
other information cannot be imported. The CSV file is similar to the TXT file, but the English
commas are replaced by a blank column, as shown below:


<Export User>: Click this button to export and save the user information of this WAN Accelerator
to the local computer. You can decide whether to export it as [Plaintext] or as [Cipher text]. The
dialog is as shown below:

Case Study 37: Configure Tunnel NAT Rule
Beijing HQ’s SANGFOR WAN Accelerator is deployed in Route mode.
Requirements: the Shanghai branch (IP: 192.168.2.0/24) is able to connect to Beijing HQ via VPN
channel; and the Beijing branch is also able to connect to Beijing HQ via VPN channel.
To achieve the expected results and solve the LAN network segment conflict between the
Shanghai branch and the Shenzhen branch, we should configure a tunnel NAT rule on the Beijing
SANGFOR WAN Accelerator. Detailed steps are as follows:


Step 1: On the Beijing HQ WAN Accelerator, go to [Sangfor VPN] > [Server] > [Virtual IP Pool]
page and add a new virtual IP pool that consists of IP range 192.168.20.0/24, as shown below:

Step 2: Go to the [Sangfor VPN] > [Server] > [VPN User] page and create a VPN user account for
branch VPN user. Under the [Edit User: Branch-ShenZhen] page, click the <Advanced> button to
enter the [VPN Advanced Properties] page; click [Tunnel NAT Rule] tab and check the option
[Enable Tunnel NAT], and click the <New> button to add subnet 192.168.20.0/24 into the rule list
to have this subnet associate with this user account. The page is as shown below:


Click the <Save> button one by one to save the settings and have the tunnel NAT rule take effect, and the Shenzhen branch will be able to connect to the Beijing HQ smoothly, without changing its LAN IP address; in addition, the Beijing HQ can access the services provided by Shenzhen branch simply by accessing the corresponding IP address of the subnet 192.168.20.0/24.

In the above case, the Shenzhen branch and Shanghai branch cannot access each other via the tunnel route. If you want to have the two branches access each other, you first have to enable the tunnel NAT function of the Shenzhen WAN Accelerator and Shanghai WAN Accelerator, meanwhile their subnets being translated to two different IP network segments, and then add a tunnel route (on [Sangfor VPN] > [Advanced] > [Tunnel Route] tab of each WAN Accelerator) whose source network IP is the physical IP range, and destination network ID is the peer’s virtual network segment.

3.8.1.3 Virtual IP Pool

[Virtual IP Pool] contains idle LAN IP addresses specified by the local SANGFOR WAN Accelerator for the use of mobile VPN users or contains IP ranges that specified for the use of branch VPN users when they connect to the gateway device (VPN). The allocation of virtual IP helps to avoid IP conflicts if two branches have the same network segment and connect to the HQ via SANGFOR VPN channels at the same time.
When a mobile VPN user connects in, the WAN Accelerator allocates a virtual IP address to this mobile VPN user. All the operations implemented by this mobile VPN user on the HQ VPN are based on the allocated virtual IP address (source IP), completely the same as those implemented by a HQ VPN LAN user. What’s more, the mobile VPN user can also be specified with some network attributes such as DNS.
The [Virtual IP Pool] tab is as shown below:

a.) Create Virtual IP Pool for Mobile VPN Users
In this case, the IP addresses in the virtual IP pool may be idle IP addresses of the local area network, or be IP addresses randomly specified. If the IP addresses are randomly specified, you should ensure that routing information of these specified IP addresses are forwarded to the SANGFOR WAN Accelerator by the LAN server; otherwise, the mobile VPN user will be unable to access the HQ VPN’s LAN server even though it has connected in successfully.
Click the <New> button to enter the [Virtual IP Settings] webpage dialog. Select the user type for this IP pool, and configure the start and end IP, as shown below:

Then, click the <Advanced> button on the [Virtual IP Pool] tab and configure the mask of the virtual IP address, DNS, and WINS servers, as shown below:

Having configured a virtual IP pool for the mobile VPN user, you can go to the [Sangfor VPN] > [Server] > [VPN Users] tab to create a new VPN user account, selecting user type “Mobile VPN”. If the virtual IP is 0.0.0.0, the HQ VPN WAN Accelerator will automatically allocate an idle virtual IP address to this mobile VPN user from the IP pool when the mobile VPN user connects in. Except using the default (0.0.0.0), we can also type in an IP address to assign a fixed virtual IP address to this mobile VPN user.
After configuring the [Advanced] options of [Virtual IP Pool], the “SANGFOR VPN virtual network adapter” of the mobile VPN user’s computer must be configured as [Obtain an IP address automatically] and [Use the following DNS server addresses]; otherwise, the addresses configured in [Advanced] will not be allocated to the virtual network adapter of the mobile VPN user’s computer.

b.) Create Virtual IP Pool for Branch VPN User
Assign the virtual IP addresses of the virtual IP pool to the branch VPN users. When a branch VPN user connects in the HQ VPN, the source IP address of the branch VPN user will be replaced by one of the virtual IP addresses of the virtual IP pool, which solves the problem of IP conflict when two branches of the same network segment connects in the HQ VPN at the same time.
Enter the [Virtual IP Settings] webpage dialog and configure the [Start IP] of the virtual IP pool, and the [Total Network Segments], and [Subnet Mask] of the virtual IP addresses, then click the <Calculate> button, and the system will automatically calculate the [End IP] of this virtual IP pool according to the other settings on the page, as shown below:

[Start IP]: Indicates the first IP address of the virtual IP range assigned to the branch VPN users.
[Total Network Segment]: Specifies the number of network segments of the IP pool.
[Subnet Mask]: Indicates the mask of the virtual IP range. This subnet mask should be coherent with the subnet mask of the branch VPN User.
[End IP]: Indicates the last IP address of the virtual IP range assigned to the branch VPN users.
<Calculate>: Click this button and the system will automatically calculate the last IP address of the virtual IP range.
Having configured the virtual IP addresses for the branch VPN user, you can go to [Sangfor VPN] > [Server] > [VPN Users] tab to add a new user account, select [Branch VPN], and then click the <Advanced> button to enter the [VPN Advanced Properties] > [Tunnel NAT Rule] tab and add a corresponding tunnel NAT rule for the branch VPN.

Case Study 38: Configurations for Mobile VPN Users Connecting In
The SANGFOR WAN Accelerator of the HQ VPN is deployed in Route mode.
Requirement: To have the remote mobile VPN users connect to the HQ VPN to deal with the business of the company.
To achieve the expected results, we have to go through the followings steps:
Step 1. Enter the [Virtual IP Pool] tab, click the <New> button to enter the [Virtual IP Settings] page and configure an IP range (this IP range should be of the same network segment of the LAN interface IP and be idle) for the use of mobile VPN, as shown below:

Step 2. Go to the [VPN Users] tab, click the <New> button to create a user account for the use of mobile VPN user, and check the [Enable Virtual IP] option and use the default virtual IP address 0.0.0.0 which indicates that the system will automatically allocate a virtual IP address to the mobile VPN user, or type in an IP address to assign a fixed virtual IP address to the mobile VPN user.
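The address arithmetic behind Case Study 37 and the branch virtual IP pool, as an added example (not code from the manual or from SANGFOR). It assumes that tunnel NAT keeps the host part of each address, that <Calculate> lays the segments out consecutively from [Start IP], that the Shenzhen branch uses the same 192.168.2.0/24 segment as Shanghai, and a constructed HQ LAN of 192.168.1.0/24.

```python
import ipaddress
from itertools import combinations


def pool_end_ip(start_ip, total_segments, subnet_mask):
    """[End IP] of a branch virtual IP pool.

    Assumption: the pool is `total_segments` consecutive subnets of size
    `subnet_mask`, the first one starting at `start_ip`.
    """
    if total_segments < 1:
        raise ValueError("a pool needs at least one network segment")
    # Strict parsing rejects a start IP that is not on a subnet boundary.
    first = ipaddress.ip_network(f"{start_ip}/{subnet_mask}")
    last = int(first.network_address) + total_segments * first.num_addresses - 1
    return ipaddress.ip_address(last)


def tunnel_nat(addr, physical_net, virtual_net):
    """Translate one branch address: swap the network bits, keep the host bits."""
    phys = ipaddress.ip_network(physical_net)
    virt = ipaddress.ip_network(virtual_net)
    ip = ipaddress.ip_address(addr)
    if phys.prefixlen != virt.prefixlen:
        raise ValueError("physical and virtual subnets must use the same mask")
    if ip not in phys:
        raise ValueError(f"{ip} is not inside {phys}")
    host_part = int(ip) & int(phys.hostmask)
    return ipaddress.ip_address(int(virt.network_address) | host_part)


def conflicts(hq_lan, branches):
    """Pairs of sites whose subnets overlap as the HQ device sees them.

    `branches` maps a site name to (physical subnet, virtual subnet or None);
    a branch with a tunnel NAT rule is seen under its virtual subnet.
    """
    seen = {"HQ": ipaddress.ip_network(hq_lan)}
    for name, (physical, virtual) in branches.items():
        seen[name] = ipaddress.ip_network(virtual or physical)
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(seen.items(), 2)
            if net_a.overlaps(net_b)]


HQ_LAN = "192.168.1.0/24"  # constructed; the manual does not give the HQ LAN

# Both branches on the same physical segment (Shenzhen's segment is assumed).
WITHOUT_NAT = {
    "Shanghai": ("192.168.2.0/24", None),
    "Shenzhen": ("192.168.2.0/24", None),
}
# Case Study 37: Shenzhen is translated to the virtual pool 192.168.20.0/24.
WITH_NAT = {
    "Shanghai": ("192.168.2.0/24", None),
    "Shenzhen": ("192.168.2.0/24", "192.168.20.0/24"),
}

if __name__ == "__main__":
    print("End IP:", pool_end_ip("192.168.20.0", 1, "255.255.255.0"))
    print("Shenzhen host 192.168.2.37 is reached from HQ as",
          tunnel_nat("192.168.2.37", "192.168.2.0/24", "192.168.20.0/24"))
    print("Conflicts without NAT:", conflicts(HQ_LAN, WITHOUT_NAT))
    print("Conflicts with NAT:   ", conflicts(HQ_LAN, WITH_NAT))
```

Running `conflicts` over a planned set of pools before saving them also catches a virtual range that collides with the HQ LAN or with another branch's pool.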


3.8.2 Client

3.8.2.1 VPN Connection
If you want the local SANGFOR WAN Accelerator to remotely connect to another SANGFOR
WAN Accelerator, you have to go to the [Sangfor VPN] > [Client] > [VPN Connection] tab and
configure a VPN connection for it.
The page is as shown below:


Click the <New> button to create a VPN connection that enables the local WAN Accelerator to
connect in the HQ VPN and the [Edit Connection] page pops up, as shown below:

[Connection Name], [Description]: Type respectively the name and the description for this new
connection.
[Primary Webagent], [Secondary Webagent]: Type the primary and secondary Webagent of the to-be-connected HQ VPN. Click the <Test> button that follows to check the availability of the
Webagent. The testing results are as shown below:


This test request is initiated by the local computer instead of the local WAN Accelerator.

If the Webagent is in the format of a domain name and the testing results show success, the
webpage exists; otherwise, the webpage does not exist. If the Webagent is a static IP
address and the testing results show success, then its format (IP:PORT) is correct. In a
word, successful testing results do not indicate connection success (of the VPN).

[Transfer Type]: Configures the transfer mode of the VPN data packet. Options are “TCP” and
“UDP”. It is UDP by default.
[Data Encryption Key], [Username] and [Password]: Indicates the corresponding account
information provided by the HQ VPN.
[Cross-ISP]: If the HQ VPN and the branch VPN apply different Internet service providers (ISP)
and these different links cause frequent packet loss, this option is recommended to be checked.
You can also tell the system the status of your network environment, by selecting [Low packet
loss], [High packet loss] or [Set manually] and configuring the [Packet Loss Rate].
To enable this function, you have to activate the cross-ISP license. As to the interconnection
between two branch VPN sites, both the WAN Accelerators have to enable cross-ISP function; as
to the interconnection between mobile VPN user and VPN site, only the WAN Accelerator needs
to enable cross-ISP function.

<LAN Privilege>: Click this button to enter the [LAN Privilege] configuration page and configure
the privileges of the peer VPN, that is, to specify the services (provided by the local terminal) that
will be available for the peer VPN.


Having completed configuring the VPN connection, you have to check [Enable] to activate this
connection, and click the <Save> button to save all the settings.
If you configure LAN services for a VPN site that has enabled the tunnel NAT function,
the network segments, whether configured on the HQ VPN device or on the branch VPN
device, must be the translated network segment or IP addresses of the translated network
segment (according to the corresponding tunnel NAT rule).

Case Study 39: Only Allow Peer VPN to Access Local WEB Services
Requirement: VPN “A” users access VPN “B”; VPN “A” controls the access privilege of VPN
“B” users, allowing VPN “B” users to access its WEB server, other servers being unavailable.
To achieve the expected effect, we configure the WAN Accelerator of VPN “A” as follows:
Step 1. Go to the [Sangfor VPN] > [Advanced] > [LAN Service] tab to add a LAN service item
with WEB services, as shown below:

Click the <New> button to enter the [LAN Service] page; type in service name and click the tab
name [TCP List], as shown below:

Click the <New> button and enter the [IP Range Settings] page to configure the IP range that can
access the WEB services, as shown below:

In the above page, the source IP addresses are the LAN network segment of the peer VPN (VPN
“B”), and the source port number is between 1 and 65535 because the port from which the VPN
connection request is initiated is a random port. The destination IP addresses are the LAN network
segment of the local VPN (VPN “A”); however, it can also be the IP address of the specified
WEB server of the local VPN, and the destination port is the WEB port 80.
Finally, click the <Save> button to save the LAN service settings.
Step 2. Go to the [Sangfor VPN] > [Client] > [VPN Connection] tab and add a VPN connection to
have VPN “A” connect in VPN “B”.

Click the <LAN Privilege> button to enter the [LAN Privilege] page; configure the LAN
privileges for VPN “B” users accessing VPN “A”, only allowing the WEB service, all other services
being denied by default, as shown below:


Click the <Save> button to save the LAN privilege settings.
Once any LAN privilege is configured, not only will the peer VPN’s access to the local VPN
be restricted, but the local VPN user’s access to the peer VPN will be restricted as well. That
is because the LAN privilege option only inspects the IP address and port of the data packets,
without considering whether the VPN connection is initiated by the peer VPN or by the
local VPN; every packet that matches the rule is handled in the same way.

3.8.3 Multi-Line

3.8.3.1 Multi-Line Routing Policy
SANGFOR WAN Accelerator offers the powerful multiline routing policy for VPN. Based on
the link status of multiple lines, the system will select the optimal line to
transmit data. What’s more, multiple lines can be coupled, which not only ensures that the data are
always transmitted on an Internet line of better link status and that data transmission is of high
reliability, but also enables multiple lines to work together for certain data transmission,
improving utilization of the lines.
The page is as shown below:


Click the <New> button to enter the [Edit Multi-Line Routing Policy] webpage dialog, as shown
below:

[Policy Name]: Type in a unique name for this policy-based routing to distinguish it from others.
[Source IP], [Destination IP]: Configures the source IP, destination IP of the data packet on which
this policy routing applies. Four options are available, namely, [All], [Single IP], [IP range] and
[Subnet].
[Description]: Type in description for this policy.


[Local Lines]: Specifies the number of Internet lines of the local VPN.
[Peer Lines]: Specifies the number of Internet lines of the peer VPN.
[Routing Mode]: Configures the VPN flow allocation method if several primary links are transmitting VPN data. Options are [Evenly Allocate According to Sessions] and [Evenly Allocate According to Packets]. The former indicates that multiple lines take average share of the sessions if multiple sessions exist, but if there is only one session, that session will be solely loaded by one line, while the latter indicates that each VPN data packet is evenly loaded by different lines, being allocated to each line by method of round robin.
[Valid Load Line Selection Threshold]: Defines the threshold that checks the link status of each link of primary lines. If the delay difference between two lines or among more lines is less than this threshold, all the primary lines are regarded as in good status (optimal lines), and the data will be transmitted through these lines; whereas, if the delay difference between two lines or among more lines is higher than this threshold, all the primary lines are regarded as in poor status, and the data will not be transmitted through these lines. This threshold only applies to all the primary lines.
[Primary Lines]: Different from secondary lines, primary lines are the lines chosen to transmit the data.
[Secondary Lines]: All the other lines exclusive from the primary lines are secondary lines. By default, the secondary lines are not going to transmit VPN data, unless all the primary lines get fault and are about to disconnect all the VPN connections. Once all the VPN connections loaded by the primary lines fall out, the VPN module will automatically switch to the secondary lines and have them load the VPN connections, ensuring high reliability of the VPN connections. Once the primary lines recover from faults, the VPN module will switch back to the primary lines to achieve optimal transmission effect.

Having configured multi-line routing policy, you can go to the [Sangfor VPN] > [Server] > [VPN Users] tab to specify routing policy for a specific VPN user (account).

Case Study 40: VPN Primary Lines/Secondary Line
The HQ VPN of a customer has two CT lines (CT1, CT2), the remote branch VPN has a CT line and a CNC line. The network topology is as shown in the figure below:

Requirements: the CT line of the branch VPN and the two CT lines (CT1, CT2) of the HQ VPN establish VPN connections and transmit data at the same time, while the CNC line and the two CT lines (CT1, CT2) of the HQ VPN are taken as secondary lines.
Detailed configuration steps are as follows:
Step 1. Configure the corresponding lines (in [System] > [Deploy Settings] > [Multi-Line Settings]) on the HQ WAN Accelerator and branch WAN Accelerator respectively, as shown below:

Step 2. Configure multi-line routing policy on the HQ WAN Accelerator, by going to the [Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] and clicking the <New> button. The pop-up [Edit Multi-Line Routing Policy] page is as shown below:

Select the number of [Local Lines] and [Peer Lines], and leave local line “CT1” and peer line “CT” (Line 1), local line “CT2” and peer line “CT” in the primary lines list, and move local line “CT1” and line “CNC” (Line 2), local line “CT2” and peer line “CNC” into the secondary lines list. Select routing mode [Evenly Allocate According to Packets].
Step 3. Go to the [Sangfor VPN] > [Server] > [VPN Users] tab, and edit the corresponding user, click the <Advanced> button to enter the [VPN Advanced Properties]. Click tab name [Routing Policy] and select the routing policy (in this case is test), as shown below.

Case Study 41: Configure Multi-Line Routing Policy for Single-Arm VPN
The network of a customer has two Internet lines.
Requirements: To deploy the WAN Accelerator in single-arm mode, in the local area network, at the same time, take full use of the two lines of the HQ VPN to do load balancing while the WAN users are connecting in the HQ VPN (WAN Accelerator).
The network topology is as shown below:

To use VPN multiple lines in Single-arm mode, you need deploy a front-end firewall or switch to do policy routing based on source IP address, enabling the system to forward the packets of different source IP addresses to different outlets of the network; otherwise, using multiple lines in Single-arm mode is unachievable.
Detailed configuration steps are as follows:
Step 1. Configure deployment mode for the HQ WAN Accelerator. Go to the [System] > [Deploy Settings] > [Network Interface] tab, select service mode [VPN and Acceleration] and deployment mode [Single Arm], configure the LAN interface IP address, and two binding IP addresses (please be noted that the two binding IP addresses and the LAN interface IP address must be of a same LAN network segment). The page is as shown below:

Step 2. Configure multiple lines. Go to the [System] > [Deploy Settings] > [Multi-Line Settings] tab and configure the Internet lines. You will see that the page shows it is in Single arm mode, and the outlet lines displayed are “Line 1 (LAN)” and “Line 2 (LAN)”, as shown below:

Step 3. Click <Edit> to enter the [Edit Multiline] page and edit this line (as shown below). If the mapping IP is a static IP address, check the option [Use Static Internet IP] and type in the right IP address, type in the testing DNS addresses or leave them blank, as shown below:

Step 4. Go to the [Sangfor VPN] > [Multi-Line] > [Multi-Line Routing Policy] page and configure the corresponding multi-line routing policy, as shown below:

Step 5. Go to the [Sangfor VPN] > [Server] > [VPN Users] tab to apply this routing policy to a specific user, as shown below:

- This section only shows how to configure the multi-line and multi-line routing policy for the Single-arm WAN Accelerator, other VPN configurations being ignored.
- Please remember to map the port 4009 of the two IP addresses (of the front-end firewall) respectively to the two binding IP addresses (not the LAN interface IP address) of this WAN Accelerator.

3.8.4 Third-Party Authentication

SANGFOR WAN Accelerator supports the VPN connecting-in users to be authenticated by a third party, so as to enhance the security of the VPN connection. The two supported authentication methods are LDAP and RADIUS.

3.8.4.1 LDAP Server
The VPN service of SANGFOR WAN Accelerator supports third-party LDAP authentication. If you need to have a third party to fulfill LDAP authentication, configure the [LDAP Server Settings] (including [LDAP Server IP], [LDAP Server Port], [Administrator Name] and [Administrator Password]). The page is as shown below:

On the page above, [Administrator Name] must be the account name of the domain administrator, and be fully written (e.g., Administrator@Sangfor.local).
Having completed configuring the LDAP server (domain server), you can click the <Advanced> button to open the [Advanced Settings] dialog. Configure the advanced options of the LDAP, as shown below:

[User Filter] and [Login Name Attr.]: Defaults are recommended to be used.

[User Root Dir.]: Type in the root directory of the user and the search directory. When importing users, the system uses the root directory. When a user is connecting in and being verified, it is searched and verified according to search directory; the root directory is used only when the search directory is left blank. The related pages are as shown below:

Click <Save> button to save the [LDAP Server Settings].
Having configured and saved the above options, you can click the <Test> button (on [LDAP Server Settings] tab) to check the correctness of the entered administrator name and password. If test results show success, the LDAP server settings are correct.
LDAP authentication only supports Microsoft Active Directory and Novell eDirectory, others such as OpenLDAP unsupported.

Case Study 42: Mobile VPN User Connects in By Using LDAP Auth
Requirement: The customer wants the mobile VPN users connect in the HQ VPN by using LDAP authentication, to ensure the security of its network.
Detailed configuration procedures are as follows:
Step 1. Go to the [Sangfor VPN] > [Third-Party Auth] > [LDAP Server Settings] tab to configure the LDAP server. Type in the full name of the domain administrator account (in this scenario, it is Administrator@support.sangfor.com), configure the attribute of the user (which group it belongs to; in this scenario, it is under group Users), and so type in the information “CN=Users, DC=Sangfor, DC=com” into the [User Root Directory] and [Search Directory] textboxes, as shown below:

If the settings are tested correct, click the <Save> button to complete configuring the LDAP server option.
Step 2. Go to the [Sangfor VPN] > [Server] > [Virtual IP Pool] tab to configure virtual IP pool. Click the <New> button to enter the [Virtual IP Settings] page. Select user type “Mobile VPN” and type in the start IP and end IP of the virtual IP range (in this scenario, it is 192.168.10.100-192.168.10.110), as shown below:

Step 3. Go to the [Sangfor VPN] > [Server] > [VPN User] tab to import domain users, by clicking the <Import Domain User>. The system will automatically upload the domain users from the configured LDAP server, as shown below:

Step 4. Check the needed domain users and select user type [Mobile VPN], encryption algorithm, and enable the user, compression and My Network Places. Finally click the <Import> button.
After configuring the above, these mobile VPN users will go through LDAP authentication when they are connecting in the HQ VPN.

3.8.4.2 Radius Server Settings
The VPN service of SANGFOR WAN Accelerator supports third-party RADIUS authentication. If you want to have a third party fulfill the RADIUS authentication, correctly configure the [Radius Server Settings] (including [RADIUS Server IP], [RADIUS Server Port], [Authentication Shared Key] and [RADIUS Authentication Protocol]). The page is as shown below:

Configure the correct Radius server IP and port, shared key and select the needed authentication protocol, and then click the <Save> button to save and apply the settings.

3.8.5 Advanced

[Advanced] covers configuration of [VPN Local Subnet], [LAN Service], [Multicast Service], [Tunnel Route] and [Generate Certificate], as shown below:

3.8.5.1 VPN Local Subnet
[VPN Local Subnet] configures the subnets used in the situation that the local area network of the SANGFOR WAN Accelerator has multiple subnets (exclusive of the network segment where the LAN interface IP address locates), and that the connecting-in VPN users need to access the other LAN subnets and/or to be accessed by other LAN subnets.
Under the [VPN Local Subnet] tab, click the <New> button and you will see the pop-up [Subnet Settings] page, type in the subnet segment and mask, as shown below:

Case Study 43: Allow VPN User to Access Multiple Local Subnets
The HQ VPN “A” has three subnets (192.168.10.X, 192.168.20.X and 192.168.30.X).
Requirement: To allow the branch VPN (“B”) users to access the three subnets after they have connected in the HQ VPN.
Network topology is as shown below:

To meet the needs of this customer, we have to configure [VPN Local Subnet], by adding the subnets 192.168.20.X and 192.168.30.X and the corresponding static route. Configurations on the HQ WAN Accelerator are as follows (other VPN setups being ignored in this section):
Step 1. Go to the [Sangfor VPN] > [Advanced] > [VPN Local Subnet] tab to add the subnets that are to be accessed by the branch VPN users, as shown below:

Add the subnets 192.168.20.0/24 and 192.168.30.0/24 into the local subnet list.
Step 2. Go to the [System] > [Deploy Settings] > [Static Route] tab to configure a static route for the two VPN local subnets, as shown below:

After configuring the above, the branch users will be able to access the three subnets of the HQ VPN once they connect in.
The [Local Subnet List] stands for a kind of “declaration”. The subnets defined here will be taken as VPN network segments by the VPN device and the client-end software. All the data going through the VPN device or software will be encapsulated and transmitted through the VPN tunnels. Therefore, in addition to adding the related subnets into the [Local Subnet List], you need to configure the [Static Route], so as to enable the VPN users to access these subnets.

3.8.5.2 LAN Service
SANGFOR WAN Accelerator enables you to specify the access privileges of the connecting-in VPN users, or even to specify a branch VPN user or mobile VPN user (IP address) to access certain service(s) provided by a LAN computer, so as to ensure the security of the VPN channels and achieve secure management; besides, you can configure the service parameters of the inbound policy used for connecting to a third-party device.
For example, to meet the following two requirements, you have to configure the privilege of the relevant VPN user to certain service.
a.) only allow a user test to access the OA server (other services are unavailable for this user)
b.) allow an IP address of a Shanghai branch VPN to access the SQL server of the HQ VPN (other IP addresses of this branch are unable to access this server)
The [LAN Service] tab is as shown below:

Configuration of LAN Service Privilege is fulfilled by two setups:
1.) Create LAN service
2.) Specify privilege for a specific user
By default, the SANGFOR WAN Accelerator allows all the connecting-in VPN users to access all the services, with no privilege restriction on any connecting-in VPN user.

Case Study 44: Control VPN User’s Privilege to Access LAN Services
Requirements: only allow the connecting-in VPN users (of subnet 192.168.20.0/24) to access the TCP port 80 of the OA server (IP: 192.168.10.250) and to ping OA server, all the access requests to others server being denied.
The network topology is as shown below:

Configurations on the local WAN Accelerator are as follows:
Step 1. Under the default configuration page [LAN Service], click the <New> button to enter the [LAN Service] webpage dialog, as shown below. Type in the service name (e.g., OA) and check the needed protocol (in this scenario, they are TCP and ICMP), as shown below:

Step 2. Under the [TCP List] tab, click the <New> button to enter the [IP Range Settings] dialog, type in the IP addresses and port accordingly, as shown below:

[Source IP]: Fill in the source IP. In this scenario, it is the LAN IP addresses of the peer branch VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by multiple VPN users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the IP addresses.
[Source Port]: Type in 1-65535.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address of the local terminal, 192.168.10.250.
[Destination Port]: Service port of the OA system, 80-80.
Step 3. Under the [ICMP List] tab, click the <New> button to enter the [IP Range Settings], as shown below:

[Source IP]: Fill in the source IP address. In this scenario, it is the LAN IP addresses of the peer branch VPN, 192.168.20.1-192.168.20.254. If this OA LAN service is to be referenced by multiple VPN users, the source IP address can be 0.0.0.0-255.255.255.255 which indicates all the IP addresses.
[Destination IP]: Fill in the destination IP addresses. In this scenario, it is the OA server IP address of the local terminal (HQ VPN), 192.168.10.250.
- Here you are just “defining” the LAN service. After these configurations, you have to go to [Sangfor VPN] > [Server] > [VPN Users] tab, to create/edit a VPN user account and configure its [LAN Privilege] to complete configuring the LAN service.
- The LAN services configured here may be referenced by [IPSec Connection] > [IPSec VPN] > [Inbound Policy] and [Outbound Policy]. For details, please refer to Section 3.9.1.2 Phase II.
Go to page [Sangfor VPN] > [Server] > [VPN Users] tab to create/edit branch VPN user, click the <LAN Privilege> button.
Step 4. Under the pop-up [LAN Privilege Settings] dialog, move the OA LAN service to the service list at the right side. Check the [Allow] checkbox and select [Default action] Deny, as shown below:

After the above five steps, the branch VPN users whose IP addresses are 192.168.20.0/24 can access the local OA server 192.168.10.250 once they connect in the local terminal (HQ VPN) successfully, and the requests initiated by the branch VPN users for other services will be denied.
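The OA service from Case Study 44 evaluated against a few packets, as an added example (not code from the manual or from SANGFOR); it also shows the direction-agnostic matching noted in Case Study 39. It assumes the rows are checked, without connection state, against each packet arriving from the peer VPN; the hosts 192.168.20.8, 192.168.30.7, 192.168.10.9 and 192.168.10.30 and all port numbers other than 80 are constructed.

```python
import ipaddress
from dataclasses import dataclass


def _in_range(addr, first, last):
    value = int(ipaddress.ip_address(addr))
    return int(ipaddress.ip_address(first)) <= value <= int(ipaddress.ip_address(last))


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # ports are ignored for ICMP
    dport: int = 0


@dataclass(frozen=True)
class Row:
    """One [IP Range Settings] entry of a LAN service."""
    proto: str
    src: tuple          # (first IP, last IP)
    dst: tuple
    sports: tuple = (0, 0)
    dports: tuple = (0, 0)

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        if not (_in_range(pkt.src, *self.src) and _in_range(pkt.dst, *self.dst)):
            return False
        if self.proto == "icmp":
            return True
        return (self.sports[0] <= pkt.sport <= self.sports[1]
                and self.dports[0] <= pkt.dport <= self.dports[1])


BRANCH = ("192.168.20.1", "192.168.20.254")
ANY = ("0.0.0.0", "255.255.255.255")
OA = ("192.168.10.250", "192.168.10.250")

# The service as configured in Steps 2 and 3 of the case study.
OA_SERVICE = [Row("tcp", BRANCH, OA, (1, 65535), (80, 80)), Row("icmp", BRANCH, OA)]
# The "referenced by multiple VPN users" variant with an all-addresses source.
SHARED_OA_SERVICE = [Row("tcp", ANY, OA, (1, 65535), (80, 80)), Row("icmp", ANY, OA)]


def verdict(pkt, allowed_rows, default_action="deny"):
    """[Allow] the listed service rows, otherwise apply the default action."""
    return "allow" if any(row.matches(pkt) for row in allowed_rows) else default_action


# Constructed packets, all arriving from the peer side of the tunnel.
SAMPLES = {
    "branch -> OA web": Packet("tcp", "192.168.20.8", "192.168.10.250", 51000, 80),
    "branch ping OA": Packet("icmp", "192.168.20.8", "192.168.10.250"),
    "branch -> OA other port": Packet("tcp", "192.168.20.8", "192.168.10.250", 51001, 1433),
    "branch -> other HQ server": Packet("tcp", "192.168.20.8", "192.168.10.9", 51002, 80),
    # Reply to a session that HQ host 192.168.10.30 opened towards the branch:
    # it is judged on its own fields, so it falls to the default action.
    "reply to HQ-initiated session": Packet("tcp", "192.168.20.8", "192.168.10.30", 445, 50500),
    # A host outside the branch range 192.168.20.1-192.168.20.254.
    "other source -> OA web": Packet("tcp", "192.168.30.7", "192.168.10.250", 40000, 80),
}


def audit(rows=OA_SERVICE, samples=SAMPLES):
    return {label: verdict(pkt, rows) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, result in audit().items():
        print(f"{result:5}  {label}")
    print("with the all-addresses source:",
          audit(SHARED_OA_SERVICE)["other source -> OA web"])
```

The last sample is the one to review before reusing a service across users: with the 0.0.0.0-255.255.255.255 source, the source range no longer narrows anything, and only the per-user [LAN Privilege] assignment limits who reaches the OA server.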

0. as shown below: 253 . The applicable IP range is 224. and applicable ports are 1-65535.0 User Manual These settings also disable the access requests initiated by the other computers of the local terminal to access the branch.250 (IP address of the OA server).1-239.255.8.SANGFOR WAN Accelerator 6. You can configure the needed IP addresses and ports for the multicast service.0.255.5.10. The [Multicast Service] tab is as shown below: Click the <New> button and the [Multicast Service] webpage dialog pops up. SANGFOR WAN Accelerator 6.255. 3. Because the [LAN Service] settings will deny the response packet sent from other computers of the local terminal if the destination IP address is not 192.3 Multicast Service To meet the customer’s needs for some applications such as VOIP and video conference.168.0 is designed to support multicast services being transmitted among the SANGFOR VPN channels.

After you have defined the multicast service, you can add/edit user on the [Sangfor VPN] > [Server] > [VPN Users] tab and click the <Advanced> button to enter [VPN Advanced Properties] > [Multicast Service] and enable the selected multicast service(s), as shown below:

Before using the multicast service(s) configured on the [VPN Advanced Properties] > [Multicast Service] tab, first you have to check the [Enable Multicast] option on the [Sangfor VPN] > [Server] > [Basic Settings] > [Advanced Settings] tab, as shown below:

3.8.5.4 Tunnel Route

SANGFOR WAN Accelerator offers the powerful VPN tunnel routing function. You can configure route for the VPN tunnels, to achieve interconnection among different VPN sites (software or hardware) and establish a true web-like VPN network.

Click the <New> button to add a new tunnel route. The pop-up [Configure Route] dialog is as shown below:

[Network ID(source)]: Configures the source subnet.

[Subnet Mask (source)]: Configures the mask of the source subnet.

[Network ID(destination)]: Configures the destination subnet.

[Subnet Mask(destination)]: Configures the mask of the destination subnet.

[Destination Route User]: Configures the VPN device to which this tunnel route directs. For example, suppose that VPN “A” and VPN “B” have established a VPN connection for communication and the [User Name] used by that VPN connection is “A”, but now VPN “A” users want to access VPN “C” via VPN “B”, then the username “A” is selected to act as the destination route user for VPN “A”. In a word, the destination route user is the corresponding user account used by the VPN connection that has established between the branch VPN (in this

scenario, “A” is the branch VPN) and the HQ VPN (in this scenario, “B” is the HQ VPN).

[Enable]: Check this option to enable this tunnel route.

[Connect Internet Through Destination Route User]: Check this option and all the Internet-related packets that are going through the WAN Accelerator will be forwarded to the specified destination route user of that tunnel route, and the packets are then forwarded to the Internet by the destination route user. To enable the VPN users to access Internet via the destination route user, you have to deploy the remote connecting-in WAN Accelerator (branch VPN) in Gateway mode, and the HQ WAN Accelerator (HQ VPN) in Gateway mode or Single-arm mode.

[Enable]: Check it to enable this tunnel route.

Case Study 45: Tunnel Route Achieves Communication Between Connecting-in Branch VPN Sites

Both branches (Beijing, 172.16.1.0/24, and Guangzhou, 10.1.1.0/24) have established VPN connections (by configuring VPN connection) with their HQ WAN Accelerator (Shenzhen, 192.168.1.0/24). But no VPN connection has established between branch Beijing and branch Guangzhou.

Requirement: To enable the branch Beijing and branch Guangzhou access each other. To achieve the predicted result, we are going to configure a corresponding tunnel route. The network topology is as shown below:

Detailed configuration procedures are as follows:

Step 1. Configure the Beijing WAN Accelerator. Go to the [Tunnel Route] tab, click the <New> button to add a tunnel route that directs to the Guangzhou branch VPN, check the [Enable] option, as shown below:

[Network ID(source)]: Configures the source subnet. In this scenario, it is 172.16.1.0.

[Subnet Mask (source)]: Configures the mask of the source subnet. In this scenario, it is 255.255.255.0.

[Network ID(destination)]: Configures the destination subnet. In this scenario, it is 10.1.1.0.

[Subnet Mask(destination)]: Configures the mask of the destination subnet. In this scenario, it is 255.255.255.0.

[Destination Route User]: Configures the VPN device to which this tunnel route directs. In this scenario, it is beijing.

• [Network ID(source)] and [Network ID(destination)] define respectively the source IP address and destination IP address of the data packet to be transmitted. If the data packet satisfies these two conditions, this route will take effect, and the data will then be transmitted to the corresponding VPN device.

• [Destination Route User] determines the VPN device to which the data packets are forwarded by this tunnel route (indicating the corresponding username selected in the [Sangfor VPN] > [Client] > [VPN Connection] > [Edit Connection]). In this scenario, Shanghai branch has

established a VPN connection with its Shenzhen HQ VPN (using the username beijing in the [VPN Connection] page). Therefore, we choose the destination route user beijing to forward the tunnel route’s data to the Shenzhen WAN Accelerator.

• The VPN user account acting as destination route user cannot be used by multiple users to log in to the HQ VPN.

Step 2. Configure the Guangzhou WAN Accelerator. Go to the [Tunnel Route] tab, click the <New> button to add a tunnel route that directs to the Beijing branch VPN, check the [Enable] option, as shown below:

[Network ID(source)]: Configures the source subnet. In this scenario, it is 10.1.1.0.

[Subnet Mask (source)]: Configures the mask of the source subnet. In this scenario, it is 255.255.255.0.

[Network ID(destination)]: Configures the destination subnet. In this scenario, it is 172.16.1.0.

[Subnet Mask(destination)]: Configures the mask of the destination subnet. In this scenario, it is 255.255.255.0.

[Destination Route User]: Configures the VPN device to which this tunnel route directs. In this scenario, it is guangzhou.

Case Study 46: Access Internet via VPN Destination Route User

In addition to the above introduced function, SANGFOR VPN tunnel route may also be used to forward all the Internet access data to the HQ VPN, so that the branch VPN users can only access the Internet via the network outlet of the HQ VPN.

For instance, to enable the Shenzhen branch VPN users to access Internet via the Shanghai HQ VPN, we deploy the WAN Accelerators as follows:

Detailed configuration procedures are as shown below:

Step 1. Configure the Shenzhen WAN Accelerator. Go to the [Tunnel Route] tab, click the <New> button to add a tunnel route, type the local subnet and mask into the [Network ID(source)] and [Subnet Mask (source)] textboxes respectively, and check the [Enable] and [Connect Internet Through Destination Route User] options, as shown below:

[Network ID(source)]: Configures the source subnet. In this scenario, it is 192.168.20.0.

[Subnet Mask (source)]: Configures the mask of the source subnet. In this scenario, it is 255.255.255.0.

[Destination Route User]: Configures the VPN device to which this tunnel route directs. In this scenario, it is Shenzhen.

Step 2. Configure the Shanghai WAN Accelerator. Go to the [Firewall] > [NAT] > [SNAT] tab

and add a new SNAT (source network address translation) rule so that the source IP addresses of the data packets forwarded from Shenzhen branch are to be translated, as shown below:

3.8.5.5 Generate Certificate

The HARDCA is one of the patents of SANGFOR. The certificate of a device is generated with some of the hardware features of this device and is then encrypted. Due to the uniqueness of the hardware feature of the device, the corresponding certificate is also unique and cannot be counterfeited. The device that applies this technology can use its certificate to get its identity authenticated among different VPN nodes. By requiring authentication of the hardware features, the WAN Accelerator can ensure that only certain specified hardware device can get connected to a network, and therefore, eliminate the potential security hazards.

Click the <Generate> button and select a path to generate the hardware certificate and save it to the local computer, as shown below:

Send this certificate to the administrator of the HQ VPN. Then, the administrator can check the [Enable Hardware Auth] option, upload this hardware certificate and bind it with the user while creating a user account for this VPN user, as shown below:
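The tunnel-route rule from Section 3.8.5.4 and Case Study 45 (a route applies only when both the packet's source and destination fall inside the configured subnets), as an added Python example that is not part of the manual or of the SANGFOR product. Subnets and user names follow the case study; first-match ordering, the reverse-route check and the `TunnelRoute` type are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelRoute:
    """One row of the [Tunnel Route] tab (hypothetical model for this example)."""
    src_net: str
    src_mask: str
    dst_net: str
    dst_mask: str
    route_user: str
    enabled: bool = True

    def networks(self):
        """Return (source, destination) networks; ValueError on a bad ID or mask."""
        return (ipaddress.ip_network(f"{self.src_net}/{self.src_mask}"),
                ipaddress.ip_network(f"{self.dst_net}/{self.dst_mask}"))


def validate(route):
    """Return an error string for an invalid network ID/mask pair, else None."""
    try:
        route.networks()
    except ValueError as exc:
        return str(exc)
    return None


def route_user_for(routes, src_ip, dst_ip):
    """Destination route user of the first enabled route matching both addresses."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in routes:
        if not r.enabled or validate(r):
            continue
        s, d = r.networks()
        if src in s and dst in d:
            return r.route_user
    return None  # no tunnel route applies to this packet


def missing_return_routes(sites):
    """List (site, src, dst) for routes that no other site mirrors in reverse.

    Traffic between two branches needs a route on each branch; a one-sided
    configuration lets requests out but leaves replies without a path back.
    """
    gaps = []
    for name, routes in sites.items():
        for r in routes:
            if not r.enabled or validate(r):
                continue
            s, d = r.networks()
            mirrored = any(
                o.enabled and not validate(o) and o.networks() == (d, s)
                for other, other_routes in sites.items() if other != name
                for o in other_routes)
            if not mirrored:
                gaps.append((name, str(s), str(d)))
    return gaps


# Sample data following Case Study 45 (Beijing and Guangzhou via the HQ).
SITES = {
    "beijing": [TunnelRoute("172.16.1.0", "255.255.255.0",
                            "10.1.1.0", "255.255.255.0", "beijing")],
    "guangzhou": [TunnelRoute("10.1.1.0", "255.255.255.0",
                              "172.16.1.0", "255.255.255.0", "guangzhou")],
}

if __name__ == "__main__":
    print(route_user_for(SITES["beijing"], "172.16.1.20", "10.1.1.8"))
    print(missing_return_routes(SITES))
    bad = TunnelRoute("172.16.1.0", "255.255.256.0",
                      "10.1.1.0", "255.255.255.0", "beijing")
    print(validate(bad))
```
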

3.8.6 Configure Sangfor VPN Module in Single-Arm Mode

In addition to being deployed in Gateway mode with SANGFOR VPN function, SANGFOR WAN Accelerator supports SANGFOR VPN in Single-arm mode. If deployed in Single-arm mode, the WAN Accelerator connects to the customer’s network only through its LAN interface, incurring no change on the original network.

3.8.6.1 Configure Network Interface

Go to the [System] > [Deploy Settings] > [Network Interface] tab. Select service mode “VPN and Acceleration” and deployment mode “Single arm”, configure the LAN interface IP, mask, default gateway and DNS, as well as the DMZ interface IP and mask, as shown below:

[Single arm setting]: Leave these settings blank unless the single-arm WAN Accelerator involved in multiple lines. As to the detailed configuration guide and usage of multi-line routing policy of single-arm VPN, please refer to Case Study 41: Configure Multi-Line Routing Policy for Single-Arm VPN in Section 3.8.3.1 Multi-Line Routing Policy.

3.8.6.2 Configure Sangfor VPN

The configurations are exactly the same as those in Section 3.8 Sangfor VPN. If the WAN Accelerator is deployed in Single-arm mode, you have to add at least one static route on the front-end router or firewall (destination of this static route is the network segment of

the peer VPN, gateway is the LAN interface of the local WAN Accelerator), otherwise, the two parties cannot access each other through the SANGFOR VPN.

3.9 IPSec Connection

SANGFOR WAN Accelerator allows a third-party VPN to interconnect with the existing networks, establishing a standard IPSec VPN connection. [IPSec VPN] covers [IPSec Connection] configurations, as shown below:

3.9.1 IPSec Connection

[IPSec Connection] consists of configuration pages of [Phase I], [Phase II] and [Security Options].

3.9.1.1 Phase I

[Phase I] page configures the peer VPN device which is to establish standard IPSec connection with the SANGFOR WAN Accelerator. This is the first phase of standard IPSec protocol negotiation. The default configuration page is as shown below:

Click the <New> button and the following options appear:

[Name]: Defines the policy name of the first phase.

[Description]: Gives brief description to this policy.

[Address Type]: Options are [Static IP], [Dynamic IP] and [Dynamic Name] (domain name).

[Mode]: Defines the mode for Phase I negotiation, options are [Main mode] and [Aggressive mode]. Main mode is applicable to the following situations: a). both parties have fixed Internet IP address, and are deployed in Route mode, at the egress of the Internet; b). one party has fixed Internet IP address, while the other party has no static IP, and under routing mode but is deployed at the egress of the Internet.

[ISAKMP Encryption Algorithm]: Defines an encryption algorithm for Phase I. Options are [DES], [3DES], [AES] and [SANGFOR_DES]. The encryption algorithm SANGFOR_DES is available only when both parties are

9.SANGFOR WAN Accelerator 6. Options are group1.2 Phase II [Phase II] page configures the related policies for establishing standard IPSec connection.1. [D-H group]: Defines Differ-Hellman group of the two negotiating parties. [Retry Times]: Configures the retry times of Phase I negotiation.0 User Manual SANGFOR devices. group2 and group5. 3. [ISAKMP Authentication Algorithm]: Select an authentication algorithm for Phase I. Click the <New> button to add new policy. Check the [Enable Rule] option and click the <OK> button. Options are [MD5] and [SHA-1]. This is the second phase of IPSec protocol negotiation. [Pre-shared Key]: Configures the shared key of the two parties. in unit of second. This policy is enabled and applies immediately. the options are as shown below: 268 . [ISAKMP Live Time]: Defines the life time of the Phase I policy. consisting of configurations of [Outbound Policies] and [Inbound Policies] The default configuration page is as shown below: [Outbound Policies]: Configures the rules for delivering the data packet from the local device to the peer device.

[Name]: Defines the name for the user-defined outbound policy.

[Description]: Gives brief description to the outbound policy.

[Source IP Type]: Configures the IP address or IP range of the local VPN that are allowed to access the peer VPN.

[Peer Device]: Select a peer device. The device is defined in Phase I.

[Service]: Defines the services allowed by the outbound policy.

[Security Option]: Select the security policy for negotiation of the two parties. The security policies are configured on the [Security Option] page. For detailed configuration guide, please refer to the section followed.

[SA Live Time]: Configures the life time of this outbound policy.

If the peer device is configured with PFS, check the [Enable Perfect Forward Secrecy] option as well. Check the [Enable This Policy] option to enable this policy.

Click the <OK> button to save the above settings.

[Inbound Policies] section configures the rules for data transfer from the peer device to the local device. Click the <New> button to add a new policy, the options are as shown below:

[Name]: Defines the name for the user-defined inbound policy.

[Description]: Gives brief description to the inbound policy.

[Source IP Type]: Configures the IP address(es) or IP range(s) of the peer VPN that is allowed to access the local VPN.

[Peer Device]: Select a peer device. The device is defined in Phase I.

[Service]: Defines the services allowed by the inbound policy.

Check the [Enable This Policy] option and click the <OK> button to enable, save and apply this inbound policy.

3.9.1.3 Security Options

[Security Options] page configures the related security parameters for establishing the standard IPSec connection. The default configuration page is as shown below:

Click the <New> button and the options appear as shown below:

Before establishing IPSec connection with the third-party device, specify a policy to connect the peer device, including encapsulation [Protocol] adopted by the peer device (AH or ESP), the [Authentication] algorithm (MD5 or SHA-1), [Encryption] algorithm (DES, 3DES, AES or SANGFOR_DES). The SANGFOR WAN Accelerator will use these policies to negotiate with the peer to establish an IPSec connection. Click the <OK> button to save and enable the policy.

• [Security option] > [Encryption] algorithm is to specify the data encryption algorithm for the standard IPSec Phase Ⅱ.

• As to interconnecting several devices which adopt different connection policies, you have to add the connection policies of each device respectively to

0/24).10. in Main mode. The network topology is as shown in the figure below: Follow the commands below to configure the Cisco VPN: crypto ipsec transform-set sangfor esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address 102 crypto map mymap 10 set pfs group2 crypto map mymap 10 set peer 222.222. Network segment of the headquarters is 10. Case Study 47: IPSEC VPN Connection with CISCO Cisco device and SANGFOR WAN Accelerator are connected through standard IPSec VPN.3.222 crypto map mymap 10 set transform-set sangfor crypto map mymap interface outside isakmp enable outside isakmp key test123 address 222.222 netmask 255.252 isakmp identity address isakmp policy 10 authentication pre-share 272 .0/16).255.SANGFOR WAN Accelerator 6.0.222.1.222. The branch (network segment: 10.0/16) is to access the server of the Headquarters (subnet: 10.255.0.0 User Manual [Security Options].222.1.

255.0 10.0.0 255.0.0.0.0 255.255.255.0.2 nat (inside) 0 access-list nonat nat (inside) 1 10.3.0 255. as shown below: 273 .255.0 global (outside) 1 111.0 10.SANGFOR WAN Accelerator 6.1.255.0 access-list nonat permit ip 10.111.0.0.0 User Manual isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 28800 access-list 102 permit ip 10.3.0 255.3.0 0 0 Follow the steps below to configure the SANGFOR VPN: Step 1: Configure the first phase.0.0.111.1.0 255.0.

[Name]: Enter the name cisco for the Phase I policy.

[Address Type]: Select [Static IP].

[Static IP]: Enter 111.111.111.2.

[Pre-shared Key]: Configure the shared key for the negotiation of both parties.

[Mode]: Select “Main mode” as the mode for Phase I negotiation. Please note that main mode is applicable to the following situations: a). both parties have fixed Internet IP address, and deployed in Route mode, at the egress of the Internet; b). one party has fixed Internet IP address, while the other party has no static IP, and under routing mode but is deployed at the egress of the Internet.

[ISAKMP Encryption Algorithm]: Select [DES] encryption algorithm for Phase I.

[ISAKMP Authentication Algorithm]: Select [MD5] authentication algorithm for Phase I.

[D-H group]: Select [MODP1024group2] as the Diffie-Hellman group for the negotiation of both

parties.

[ISAKMP Live Time]: Configure 28800 as the live time of Phase I policy.

[Retry Times]: Configures the retry times of Phase I negotiation as 10.

Check the [Enable Rule] and [Auto Connect] option to have it take effect after completing configuring the page. Click the <OK> button to save the settings.

Step 2: Configure security options for Phase Ⅱ, as shown below:

Click the <New> button and configure the followings:

[Name]: Enter the name cisco for the [Security Options] policy.

[Protocol]: Select [ESP] protocol.

[Authentication]: Select authentication algorithm [MD5].

[Encryption]: Select encryption algorithm [DES].

Click the <OK> button to save and apply this policy.

Step 3: Configure the outbound policy and inbound policy for Phase Ⅱ. The options for the outbound policy are as shown below:

[Name]: Enter the name cisco for the outbound policy.

[Source IP Type]: Select [Subnet] and enter [Subnet Segment] 10.1.0.0 and [Subnet Mask] 255.255.0.0 to allow these IP addresses of the local VPN to get access to the peer VPN.

[Peer Device]: Select the peer device cisco. The device cisco has been defined in Phase I.

[Service]: Select [All Services] as the allowed services by the outbound policy.

[Security Options]: Select the security options policy named cisco for negotiation between the two

parties.

[SA Live Time]: Configure the life time of the policy as 28800.

Check the [Perfect Forward Secrecy] option, for the device cisco is configured with PFS. Check the [Enable This Policy] option to enable this policy. Click the <OK> button to save and apply this policy.

The options for the inbound policy are as shown below:

[Name]: Enter the name cisco for the inbound policy.

[Source IP Type]: Select [Subnet] and enter [Subnet Segment] 10.3.0.0 and [Subnet Mask] 255.255.0.0 to allow these IP addresses of the peer VPN to get access to the local VPN.

[Peer Device]: Select the peer device named cisco. The device cisco has been defined in Phase I.

[Service]: Select [All Services] as the allowed services by the inbound policy.

Check the [Enable This Policy] option to enable the policy.

Click the <OK> button to save and apply this policy.
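Both ends of Case Study 47 must offer the same Phase I and Phase II parameters, and the set chosen there (DES, MD5, group 2) is the weakest the manual lists. The following added Python example, which is not code from the manual or from either vendor, parses the crypto-related Cisco commands of the case study, compares them with the values entered on the SANGFOR side, and flags the weak algorithms. The dictionary keys, the weakness table and the stronger variant (AES, SHA-1, group5, taken from the option lists in Sections 3.9.1.1 and 3.9.1.3) are assumptions of this example.

```python
import re

# Crypto-related Cisco commands from Case Study 47 (address lines omitted;
# they do not affect the negotiated proposal).
CASE_STUDY_CONFIG = """\
crypto ipsec transform-set sangfor esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 set pfs group2
crypto map mymap 10 set transform-set sangfor
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
"""

# Constructed variant using the strongest options the manual lists.
STRONGER_CONFIG = CASE_STUDY_CONFIG
for old, new in [("esp-des", "esp-aes"), ("esp-md5-hmac", "esp-sha-hmac"),
                 ("encryption des", "encryption aes"), ("hash md5", "hash sha"),
                 ("pfs group2", "pfs group5"), ("group 2", "group 5")]:
    STRONGER_CONFIG = STRONGER_CONFIG.replace(old, new)

# Values entered on the SANGFOR side in Steps 1-3 of the case study.
SANGFOR_SETTINGS = {
    "p1_enc": "des", "p1_hash": "md5", "p1_group": 2, "p1_lifetime": 28800,
    "p2_enc": "des", "p2_hash": "md5", "p2_pfs": True,
}

# Why a value is flagged (this example's table, not the manual's).
WEAK = {
    "enc": {"des": "single DES, 56-bit key"},
    "hash": {"md5": "MD5 is a deprecated hash"},
    "group": {1: "768-bit MODP group", 2: "1024-bit MODP group"},
}


def parse_pix(config):
    """Extract Phase I / Phase II proposal values from PIX-style commands."""
    out = {"p2_pfs": False}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            key, val = tok[3], tok[4]
            if key == "encryption":
                out["p1_enc"] = val
            elif key == "hash":
                out["p1_hash"] = val
            elif key == "group":
                out["p1_group"] = int(val)
            elif key == "lifetime":
                out["p1_lifetime"] = int(val)
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                m = re.fullmatch(r"esp-(des|3des|aes(?:-\d+)?)", t)
                if m:
                    out["p2_enc"] = m.group(1)
                m = re.fullmatch(r"esp-(md5|sha)-hmac", t)
                if m:
                    out["p2_hash"] = m.group(1)
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "pfs"]:
            out["p2_pfs"] = True
            if len(tok) > 6:
                out["p2_pfs_group"] = int(tok[6].replace("group", ""))
    return out


def mismatches(side_a, side_b):
    """Parameters both sides define but with different values (negotiation fails)."""
    return [k for k in sorted(set(side_a) & set(side_b)) if side_a[k] != side_b[k]]


def weak_findings(proposal):
    """Return (field, value, reason) for every weak algorithm in the proposal."""
    checks = [("p1_enc", "enc"), ("p1_hash", "hash"), ("p1_group", "group"),
              ("p2_enc", "enc"), ("p2_hash", "hash"), ("p2_pfs_group", "group")]
    return [(field, proposal[field], WEAK[kind][proposal[field]])
            for field, kind in checks
            if field in proposal and proposal[field] in WEAK[kind]]


if __name__ == "__main__":
    cisco = parse_pix(CASE_STUDY_CONFIG)
    print("mismatches:", mismatches(cisco, SANGFOR_SETTINGS))
    for finding in weak_findings(cisco):
        print("weak:", finding)
```

Changing one side to the stronger set without changing the other shows up in `mismatches`, which is the check to run before touching a live tunnel.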

Chapter 4 Internal Data Center

This chapter introduces the function and usage of the Internal Data Center. Click the main menu [Data Center] (at the top of the gateway console) to enter the Internal Data Center of SANGFOR WAN Accelerator 6.0.

The first time you log in to the Internal Data Center, you may be required to install the pop-up ActiveX control. Click “This site might require the following ActiveX control: ‘WebUI Control’ from ‘Sangfor Technologies Co., Ltd’. Click here to install…” and then click “Install ActiveX Control…”, as shown below:

Click the <Install> button to install the ActiveX Control. Follow the instructions to finish installation. If there is no prompt of installing the ActiveX control, click the <Download ActiveX> link to manually download the ActiveX control, and follow the instructions to finish installation.

The Internal Data Center includes the following 8 modules: [Home Page], [History Report], [Customize Report], [WANO Report], [Trend Report], [Statistics], [Search] and [System Management].

4.1 Home Page

Click [Home Page] and you will see the following page:

[Current User]: Displays the name of the current user who logs in to the Data Center Web UI.

[Login], [Logout]: Click [Login] or [Logout] to log in with another user account or log out the current user respectively.

[Quick Link]: Displays the built-in quick links of this Data Center, to some search results or history reports.

4.2 History Report

[History Report] displays the one-off and periodic customized reports and system default reports. The page is as shown below:

[Generated Report Search]: Searches for the already-generated reports (history reports), with the specified conditions. The conditions are as shown below:

The optional conditions include the followings:

[Report name]: Enter the report name or former part of the report name (fuzzy search supported). The searching is fulfilled by filtering the report name.

[Date range]: Specifies the date range during which the reports are generated. Only the reports generated during this period will be searched and displayed.

Having specified the conditions, you have to click the <Search> button to search for the needed reports. The matching report(s) will be displayed in the [Generated Report] list.

[Operation information]: Displays number of the reports that match the specified conditions. If no condition is specified, it is the total number of history reports.

[Generated Report]: Displays all the information of the generated reports, or the matching history reports searched according to the specified conditions. The displayed information includes report name, report type, user (name) that has generated the report, generation time, as shown below:

<First>, <Last>: If there are large numbers of reports, click it to go to the first or last page of the [Generated Report] list.

<Previous>, <Next>: Click it to go to the previous or next page of the [Generated Report] list.

[Records/page 100 records]: Indicates 100 records (report items) are displayed per page. Other options are 10, 20, 50 and 100.

The displayed information includes [Report name], [Report type], [User], [Generation time], [Operation].

[Select]: Tick the checkbox of a report record and the report is selected.

<Select all>: Click this button to select all the report items of the current page.

<Reverse>: Click this button to deselect report items and select the other unselected report items.

<Delete>: Click this button to delete the selected report(s).

<Delete all>: Click this button to delete all the report items at one time.

If there are too many reports in the [Generated Report] list, you can delete some of them manually. The page is as shown below:

<View>: Click this button to view the detailed information of this report, as shown below:

The above figure shows the statistics of a user group, including total flow statistics and the behavior counts. Each type of statistics is listed, in chart or in table. Here, we are not to introduce the chart and table in detail.

<Export>: Click it to export the report, in format of PDF.

<Print>: Click it to print this report.

<Send mail>: Click it to send the report to the specified email address.

4.3 Customize Report

The Internal Data Center of SANGFOR WAN Accelerator 6.0 facilitates you to customize report. The administrator can define statistics report, trend report and summary report, according to various objects, contents and date/time.

4.3.1 Customize Wizard

[Customize Wizard] helps you quickly define, generate and export the needed report(s).

4.3.1.1 Statistic Report

Step 1: Select a needed report type. Select [Statistic report] and the generated report will be a statistics report, as shown below:

Click the <Next> button to go to the next step.

Step 2: Select ranking object. Select [Application ranking] and the ranking statistics will be made on the basis of applications. Select [IP ranking] and the ranking statistics will be made on the basis of IP addresses.

Click the <Previous> button to back to the previous step, or click the <Next> button to go to the next step.

Step 3: Set report filtering conditions.

[Make report on each application] indicates that multiple reports will be generated if there are several applications being selected, at least one report specific for each application.

[Make report on multiple applications] indicates that only one report will be generated even though there are several applications being selected. This report covers the related statistics of these selected applications.

Click the <Previous> button to back to the previous step, or click the <Next> button to go to the next step.

Step 4: Configure date and time.

[Time]: Specifies the time period whose data are to be collected. Options are [Time range] and [Time object].

[Time range]: Specifies the time range whose data are to be collected. It can be any time of the day.

[Time object]: Select the time object (the so-called time schedule, it is defined on the WAN Accelerator, for details, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total Time[Null]].

[One-off report(generate only once)] indicates that the report will only be generated once. Select

[One-off report(generate only once)] and the [Date range] options appears.

[Date range]: Select the needed date based on which the data are to be collected.

Select [Periodic report] and the report will be generated periodically, [Daily], [Weekly] or [Monthly].

Click the <Previous> button to back to the previous step, or click the <Next> button to go to the next step.

Step 5: Complete report settings.

[Report name]: Defines the name of the report to be generated.

[Chart type]: Defines the graph type the statistics displayed. Options are [Bar chart] and [Pie chart].

[Display Ranking]: Defines the top ranking statistics that will be made in the report. Maximum 100 supported.

[Subscribe]: Configures the subscription options. Check [Subscribe the report](Use default SMTP setting) and the generated report will be delivered to the email address of the administrator. Or click the <SMTP setting> link to enter the [System Configuration] page.

[Receiver address]: Configures the email address to receive this report. The default receiver address is the address configured on [System Configuration] page, if you want to have the email delivered to another email address, check this option and enter the [Receiver address].

Check the [Send report to subscribed mailbox even it is null] option and the generated report will be sent to the receiver address even though the report has no content.

[The customized are randomly generated from 00:00 to 06:00 everyday. You can adopt System Setting to modify]: Click the <System setting> link and you will enter the [System Configuration] page. If necessary, modify the [Report generation time] (for detailed introduction, please refer to Section 4.8.2 System Configuration).

Click the <Finish> button to complete customizing the statistic report.

Clicking the <Finish> button and it prompts “If one-off report is selected, click the following button to generate, and the report will be added to other generated reports”, as shown below:

<Previous>: Click this button to back to the previous step.

<Generate Now>: Click this button to generate the report immediately.

If you have selected [Periodic report] and [Weekly] options in Step 4, the prompt will be as shown below:

Provided that the report name is weekly and others options are defaults, as shown below:

Click the <Finish> button and the prompt will be “If periodic report is selected, you can perform the following operations:”

<Previous>: Click this button to back to the previous step.

Click the <Save template> button to save this report template to the Report Template List (for details, please refer to Section 4.3.2 Report Template). Or click the <Save and Generate> button to save the report template to the Report Template List and generate the report immediately.

A periodic report is generated according to any of the following frequencies:

• [Daily]: The generation time of the report will be determined by the time configured on [System Management] > [System Configuration] page.

• [Weekly]: Indicates that the report will be generated every Sunday. The generation time of the report will be determined by the time configured on [System Management] > [System Configuration] page.

• [Monthly]: Indicates that the report will be generated on the first day every month. The generation time of the report will be determined by the time configured on [System Management] > [System Configuration] page.

The above report generation time options are applicable to periodic report of the other types of reports (such as WANO report, trend report).

Case Study 48: Generate and View Report

Requirement: Generate statistics report on application every month and send all these reports to the specified email address test@abc.com.

Follow the steps below to customize and generate report:

Step 1: Select report type [Statistic report], as shown below:

Step 2: Select the ranking object [Application ranking], as shown below:

Step 3: Configure filtering condition [Application] as [All Type], as shown below:

Step 4: Select statistic date and time. [Time range] is [00:00:00]-[23:59:59], [Time object] is [All day], [Periodic report] is [Monthly] report, which means generating the report every month, as shown below:

Step 5: Complete report setting. [Report name] is Monthly_All, [Chart type] is [Bar chart], [Display Ranking] is top 30. Check the option [Subscribe the report](Use default SMTP setting), and enter [Receiver address] test@abc.com, check the [Send report to subscribed mailbox even it is null] option, and the report will be sent to test@abc.com even though the report has no content.

Step 6: Click the <Finish> button to complete customizing the statistic report. Click the <Save and Generate> button to save the report to the Report Template list and generate a report immediately (at the same time, the generated report will be sent to the receiver address test@abc.com).

4.3.1.2 Trend Report

Step 1: Select a needed report type.

Select [Trend report] and the report generated according to this report template will be Trend report. Click the <Next> button to go to the next step.

Step 2: Select ranking object. Select [Application ranking] and the ranking statistics will be made on the basis of applications. Select [IP ranking] and the ranking statistics will be made on the basis of IP addresses.

Click the <Previous> button to back to the previous step, or click the <Next> button to go to the next step.

Step 3: Select the statistic content. Statistics trend falls into two types: [Flow statistic] and [Flow Speed Statistic].

Check [Flow Statistic] and the detailed statistics of flow will be made. Check [Flow Speed Statistic] and detailed information of the flow speed will be made. Click the <Previous> button to go back to the previous step, or click the <Next> button to go to the next step.

Step 4: Set report filtering conditions.
[Make report on multiple applications] indicates that only one report will be generated even though there are several applications being selected. This report covers the statistics of these selected applications.
[Make report on each application] indicates that multiple reports will be generated if there are several applications being selected, at least one report specific for each application.
Click the <Previous> button to go back to the previous step, or click the <Next> button to go to the next step.

Step 5: Configure date and time.
[One-off report(generate only once)] indicates that the report will only be generated once.
[Statistic time]: Defines the time range for the data which are to be collected, options are [This day], [This week] and [This month].
[Date]: Defines the date based on which the data are to be collected, of the day, of the week or of the month.
Select [Periodic report] and the report will be generated periodically, [Daily], [Weekly] or [Monthly].
[The customized are randomly generated from 00:00 to 06:00 everyday. You can adopt System Setting to modify]: Click the <System setting> link and you will enter the [System Configuration] page. If necessary, modify the [Report generation time] (for detailed introduction, please refer to Section 4.8.2 System Configuration).
Click the <Previous> button to go back to the previous step, or click the <Next> button to go to the next step.

Step 6: Complete report settings.
[Report name]: Defines the name of the report to be generated.
[Subscribe]: Configures the subscription options. Check [Subscribe the report](Use default SMTP setting) and the generated report will be delivered to the email address of the administrator. Or click the <SMTP setting> link to enter the [System Configuration] page.
[Receiver address]: Configures the email address to receive this report. The default receiver address is the address configured on [System Configuration] page; if you want to have the email delivered to another email address, check this option and enter the [Receiver address].
Check the [Send report to subscribed mailbox even it is null] option and the generated report will be sent to the receiver address even though the report has no content.
Click the <Finish> button to complete customizing the statistic report.

Click the <Finish> button and it prompts “If one-off report is selected, click the following button to generate, and the report will be added to other generated reports”, as shown below:

<Previous>: Click this button to go back to the previous step.
<Generate Now>: Click this button to generate the report immediately.

If you have selected [Periodic report] and [Weekly] options in Step 5, the prompt will be as shown below:

Provided that the report name is Periodic report_Weekly and other options are defaults, as shown below:

Click the <Finish> button and the prompt will be “If periodic report is selected, you can perform the following operations:”

<Previous>: Click this button to go back to the previous step. Click the <Save template> button to save this report template to the Report Template List (for details, please refer to Section 4.3.2 Report Template). Or click the <Save and Generate> button to save the report template to the Report Template List and generate the report immediately.

4.3.1.3 Sum Report

Step 1: Select a needed report type. Select [Sum report] and the report generated according to this report template will be summary report. Click the <Next> button to go to the next step.

Step 2: Configure date and time.

[One-off report(generate only once)] indicates that the report will only be generated once.
[Date range]: Defines the date range based on which the data are to be collected.
[Date]: Defines the date based on which the data are to be collected for making the trend report, of the day, of the week or of the month.
[Statistic time]: Defines the time range for the data which are to be collected for making the trend report, options are [This day], [This week] and [This month].
Select [Periodic report] and the report will be generated periodically, [Daily], [Weekly] or [Monthly].
Click the <Previous> button to go back to the previous step, or click the <Next> button to go to the next step.

Step 3: Complete report settings.
[Display Ranking]: Defines the top ranking statistics that will be made in the report. Maximum 100 supported.

[Chart type]: Defines the graph type in which the statistics are displayed. Options are [Bar chart] and [Pie chart].
[Report name]: Defines the name of the report to be generated.
[Subscribe]: Configures the subscription options. Check [Subscribe the report](Use default SMTP setting) and the generated report will be delivered to the email address of the administrator. Or click the <SMTP setting> link to enter the [System Configuration] page.
[Receiver address]: Configures the email address to receive this report. The default receiver address is the address configured on [System Configuration] page; if you want to have the email delivered to another email address, check this option and enter the [Receiver address].
Check the [Send report to subscribed mailbox even it is null] option and the generated report will be sent to the receiver address even though the report has no content.
[The customized are randomly generated from 00:00 to 06:00 everyday. You can adopt System Setting to modify]: Click the <System setting> link and you will enter the [System Configuration] page. If necessary, modify the [Report generation time] (for detailed introduction, please refer to Section 4.8.2 System Configuration).
Click the <Finish> button to complete customizing the statistic report.

Click the <Finish> button and it prompts “If one-off report is selected, click the following button to generate, and the report will be added to other generated reports”, as shown below:

Click the <Previous> button to go back to the previous step. Click the <Generate Now> button to generate the report immediately.

If you have selected [Periodic report] and [Weekly] options in Step 5, the configurations are as shown below:

Provided that the report name is Periodic report _Monthly and other options are defaults, the configurations are as shown below:

Click the <Finish> button and the prompt will be “If periodic report is selected, you can perform the following operations:”

Click the <Previous> button to go back to the previous step. Click the <Save template> button to save this report template to the Report Template List (for details, please refer to Section 4.3.2 Report Template). Or click the <Save and Generate> button to save the report template to the Report Template List and generate the report immediately.

4.3.2 Report Template

[Report Template]: Displays all the user-defined report templates and system default report templates. There are two system default report templates, namely, [Default daily summarization report] and [Default weekly summarization report]. Here you can edit and delete the report template.

[Report name]: Indicates the name of the report template, for instance, name of a system default template is [Default weekly summarization report].
[Report type]: Indicates the type of the report template, for instance, [Weekly customized report].
[User]: Indicates the administrator of the Data Center who has created this report template, for instance, [admin].
[Latest generation time]: Indicates the latest time this report template is used to generate a report, for instance, 2010-06-25.
[Operation]: Indicates the operation that can be executed on this report template. Available options are [Edit], [Delete], [Generate] and [View].
<Edit>: Click it to edit the corresponding report template.
<Delete>: Click it to delete the corresponding report template.
<Generate>: Click it to immediately generate a report based on this report template.
<View>: Click this button to view the already generated reports of this template. The report page is the same as that of the [History Report] (for details, please refer to Section 4.2 History Report).
[Operation information]: Displays the [Tips] information and the operation results, for instance, it gives the information: You can generate the report of 2010-06-26 and earlier time now.
<Report wizard>: Click this button to enter the default page of [Customize Wizard].
<Import>: Click this button to import the report template settings, as shown below:

Click the <Browse> button and the following dialog pops up:

Select the needed file and then click the <Open> button to upload the file, as shown below:

Click the <Import> button and the following prompt appears:

Click the <OK> button to import the backup report template to the Data Center.

<Export>: Click this button to export the report template settings. The pop-up dialog is as shown below:

Click the <Save> button and save the configuration file into the local computer.

<Generate all>: Click this button to generate report based on all the report templates listed.

4.4 Statistics

Internal Data Center of the SANGFOR WAN Accelerator 6.0 mainly helps to make flow statistics of the users that access the Internet, and provides quick links to make some commonly needed statistics as well.

4.4.1 IP Flow

[IP Flow] indicates that IP address is the object based on which the flow statistics and rankings are made, according to the selected application type and time range.

[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and [Total Flow].
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
[Date range]: Defines the date range based on which the data are to be collected.
[Time]: Defines the time range whose data are to be collected. Options are [Time range] and [Time object].
[Time range]: Specifies the time range and the report will be generated at any time during that time range, based on this report template.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be covered (time schedule is defined on the WAN Accelerator, for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total[Null]].
[Ranking display]: Specifies how many top users will be displayed that caused the most flow with the selected application, maximum 100 supported.
<Statistic>: Click this button to make the flow statistics. The statistics made are as shown below:

The flow and related information are shown in graphs or listed in tables. You can read clearly the detailed searched results.

[Click to select the column]: Click it and you can select the needed columns to have them and the corresponding information displayed in the table.

Click the host IP address, application, main application flow detail, uplink, downlink or total flow of a corresponding record, and you will enter the flow search page of that record.

<Generate report>: Click this button to generate a report according to the specified conditions.

Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and [Total Flow].
[Application type]: Specifies the application type whose flow statistics are to be made.
[Specific application]: Specifies the application whose flow statistics are to be made.
[Time]: Defines the time range whose data are to be collected. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the flow caused during that time range will be collected.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be covered (time schedule is defined on the WAN Accelerator, for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total[Null]].

[Ranking display]: Specifies how many top users will be displayed that caused the most flow with the selected application, maximum 100 supported.

Click the <Subscribe> button and the following options appear:

[Report name]: Enter a name for the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<OK>: Click this button to save this report template into the Report Template list on the [Customize Report] > [Report Template] page. Having saved the report template, it prompts that the template is added successfully, as shown below:

<Favorite>: Click this button and the specified conditions will be saved as a report template and listed on the [Quick Link] on the [Home Page]. This function facilitates you to save your search preferences. If you want to get data of the same conditions, you need only click the corresponding quick link to enter the search page. Click the button and name this bookmark, as shown below:

Click the <Submit> button and the following prompt appears:

As seen on the [Home Page], the newly added bookmark is listed under [Customized Link], as shown below:

4.4.2 Application Flow

[Application Flow] indicates that application is the object based on which the flow statistics and rankings are made, according to the selected time range.

[Host IP]: Configures host IP address whose application flow statistics are to be made.
[Flow type]: Defines the type of flow statistics. Options are [Uplink Flow], [Downlink Flow] and [Total Flow].
[Application type]: Specifies the application type according to which the flow statistics are to be made.
[Specific application]: Specifies the application according to which the flow statistics are to be made.
[Date range]: Defines the date range based on which the data are to be collected.
[Time]: Defines the time range whose data are to be collected. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the flow caused during that time range will be collected.
[Time object]: Specifies a time schedule and the data caused during that time schedule will be covered (time schedule is defined on the WAN Accelerator, for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total[Null]].
[Ranking display]: Specifies how many top application types or applications will be displayed that caused the most flow, maximum 100 supported.
<Statistic>: Click this button to make the flow statistics. The statistics made are as shown below:

The flow and related information are shown in graphs or listed in tables. You can read clearly the detailed search results.

[Click to select the column]: Click it and you can select the needed columns to have them and the corresponding information displayed in the table.
<Generate report>: Click this button and the report will be generated according to the specified conditions. For details, please refer to Section 4.4.1 IP Flow.
<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. For details, please refer to Section 4.4.1 IP Flow.
<Favorite>: Click this button and the specified conditions will be saved as a report template and listed under [Customized Link] on the [Home Page]. For details, please refer to Section 4.4.1 IP Flow.

4.5 WANO Report

WANO report mainly collects the information of the data being accelerated. You can also get trend report and report on acceleration connections. [WANO Report] module includes [IP Connection], [Application Connection], [IP Flow Trend], [Application Flow Trend], [Acceleration User Flow Trend] and [Device Flow Trend].

4.5.1 IP Connection

[IP Connection] makes statistics of the IP connections accelerated, as shown below:

[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time range whose matching data are to be collected.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most connections.
<Statistic>: Click this button to make the IP connection statistics. The statistics made are as shown below:

The flow and related information are shown in graphs or listed in tables. You can read clearly the detailed searched results. As shown in the above figure, the connections of an acceleration tunnel caused by each IP address are displayed and ranked.

[Click to select the column]: Click it and you can select the needed columns to have them and the corresponding information displayed in the table, as shown below:

<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name] (as shown below). Click the <Submit> button and a report will be generated according to the specified conditions.

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Time]: Specifies the time period whose IP connections information are to be collected.
[Application type]: Specifies the application type according to which the IP connections statistics are to be made.
[Specific application]: Specifies the application according to which the IP connections statistics are to be made.
[Ranking display]: Specifies how many top users (IP addresses) will be displayed that caused the most connections with the selected application, maximum 100 supported.

Click the <Subscribe> button and the following options appear.

[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.5.2 Application Connection

[IP Connection] makes statistics of the application connections being accelerated, as shown below:

[Host IP]: Configures the host IP address whose application connection statistics are to be made.
[Date range]: Specifies the date range based on which the matching data are to be collected.
[Time]: Specifies the time period of the date range based on which the matching data are to be collected.
[Ranking object]: Specifies the application type or application whose related data are to be collected.
[Ranking display]: Specifies how many top users will be displayed that caused the most connections with the selected application.
<Statistic>: Click this button to make the application connection statistics. The statistics made are as shown below:

The flow and related information are shown in graphs or listed in tables. You can read clearly the detailed searched results. As shown in the above figures, the displayed statistics in the graph and table are number of connections caused by the corresponding application, as well as the connection rankings.

[Click to select the column]: Click it and you can select the needed columns to have them and the corresponding information displayed in the table, as shown below:

<Generate report>: Click this button to generate a report according to the specified conditions.

Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Host IP]: Configures host IP address whose application connections statistics are to be made.
[Time]: Specifies the time period whose matching data are to be collected.
[Ranking object]: Specifies the application type or application whose related data are to be collected.
[Ranking display]: Specifies how many top applications will be displayed that caused the most connections, maximum 100 supported.

Click the <Subscribe> button and the following options appear.

[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].

[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.5.3 IP Flow Trend

[IP Flow Trend] makes trend statistics of the IP flow being accelerated, as shown below:

[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Date]: Specifies the date based on which the matching data are to be collected.
[Statistic Time]: Specifies the time period whose data are to be collected.

[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
<Statistic>: Click this button to make statistics of IP flow speed trends. The statistics made are as shown below:

The flow speed and related information are shown in graphs or listed in tables. You can read clearly the detailed search results. These results, such as flow of each IP address and flow speed trend, shown in the graph and table are made according to the specified conditions.

<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.5.4 Application Flow Trend

[Application Flow Trend] makes trend statistics of the application flow being accelerated, as shown below:

[Host IP]: Configures the host IP addresses whose application flow trend statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Date]: Specifies the date based on which the matching data will be collected.
[Statistic time]: Specifies the time period applicable.
[Flow type]: Specifies the type of flow.

[Trend type]: Specifies the type of trend.
<Statistic>: Click this button to make statistics of application flow speed trends. The statistics made are as shown below:

As shown in the above figures, bandwidth usage (flow) caused before and after acceleration are in detailed comparison, and the average flow and reduction ratio information are also provided.

The above graphs and table show the acceleration information of HTTP file download, including the flow and bandwidth usage before acceleration (Before Acc) and after acceleration (After Acc), as well as reduction rate (Discharge Acc), ratio of the uplink flow and downlink flow to the total flow. If there are other applications, the other charts and tables will show the corresponding data.

<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Object list]: Specifies the application types whose related data are to be collected.
[Search object]: Specifies the users whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.

Click the <Subscribe> button and the following options appear.

[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.5.5 Acceleration User Flow Trend

[Acceleration User Trend] makes trend statistics of the flow speed caused by acceleration users, as shown below:

[User name]: Specifies the acceleration users whose flow speed information will be counted into the statistics.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Date]: Specifies the date based on which the matching data will be collected.
[Statistic time]: Specifies the time period applicable.

[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
<Statistic>: Click this button to make statistics of application flow speed trends. The statistics made are as shown below:

The searched results and statistics shown in the above graphs and tables are of [All users], including the flow caused before acceleration and that after acceleration, and reduction rate.

The searched results and statistics shown in the above graphs and tables are of a specified acceleration user group, including the flow and bandwidth used before acceleration and that after acceleration, and reduction rate.

<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[User name]: Specifies the acceleration users whose flow speed information will be counted into the statistics.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.

Click the <Subscribe> button and the following options appear:

[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly].

[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.5.6 Device Flow Trend

[Device Flow Trend] makes trend statistics of the flow acquired by the local WAN Accelerator driver, as shown below:

[Device name]: Specifies the device whose related data are to be collected.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Date range]: Specifies the date based on which the matching data are to be collected.
[Statistic Time]: Specifies the time period whose data are to be collected.

[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.
<Statistic>: Click this button to make statistics of device flow trends. The statistics made are as shown below:

The results and statistics shown in the above graph and table are of the local WAN Accelerator, including uplink/downlink flow volume caused before and after acceleration, reduced flow and reduction rate.

<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name], as shown below:

<Subscribe>: Click this button to subscribe this statistics search. The statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:

[Host IP]: Configures the host IP addresses whose device flow statistics are to be made.
[Application type]: Specifies the application type whose related data are to be collected.
[Specific application]: Specifies the application whose related data are to be collected.
[Flow type]: Specifies the type of flow.
[Trend type]: Specifies the type of trend.

Click the <Subscribe> button and the following options appear:

[Report name]: Defines the name of the report.
[Report period]: Specifies how often this report is to be generated. Options are [Daily], [Weekly] and [Monthly].
[Mail subscription]: Specifies the receiver address. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button to add the search conditions to the [Home Page] as a report template, under [Customized Link], as shown below:

4.6 Trend Report
Trend report collects the flow trends of Internet access as well as the trends of Internet behavior counts of the users. A trend chart or table collects the information of flow caused at each time point of certain period of time, and helps the administrator to view visually the utilization of the network. These trends information often leads to detailed flow conclusion and analysis of the statistics. [Trend Report] falls into [IP Flow Trend] report and [Application Flow Trend] report. The page is as shown below:

4.6.1 IP Flow Trend
[IP Flow Trend] makes trends for flow caused by each IP address, based on the specified conditions such as application, time, etc. The page is as shown below:
[Application type]: Specifies the application type whose related flow trends are to be made. Such as the applications of P2P, File Download, HTTP, etc.
[Specific application]: Specifies the application whose related flow trends are to be made, such as WebMail of HTTP application type.
[Host IP]: Specifies the IP addresses whose flow trends are to be made. Enter single IP address, or IP range, correct format of IP range is IP1-IP2 (instead of the format of subnet/mask).
[Statistic time]: Specifies the period of time whose flow trends are to be made, options are [This day], [This week] and [This month].
[Date]: Specifies the date whose flow trends will be covered. It only works in association with the specified [Statistic time]. For example, if you select [This day], it will only collect the flow data of this day (specified by [Date]) to make flow trend statistics; if you select [This week], it will only collect the flow data of this week (the same week where the specified [Date] belongs) to make flow trend statistics; if you select [This month], it will only collect the flow data of this month (the same month where the specified [Date] belongs) to make the flow trend statistics.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend statistics.
[Trend type]: Specifies [Total flow] or [Flow Speed] to make the trends statistics, among which [Total flow] indicates that it shows the trends of flow volume, while [Flow speed] indicates that it shows the trends of flow speed.
Having specified the above conditions, you have to click the <Statistic> button to make the trends statistics. The statistics made are as shown below:
The flow speed and related information are shown in graphs or listed in tables. You can read clearly the details from the searched results visually.
<Generate report>: Click this button to generate a report according to the specified conditions. Enter [Report name] and click the <Submit> button, as shown below:
<Subscribe>: Click this button to subscribe this statistics search. The trend statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. The page is as shown below:
[Host IP]: Configures the host IP addresses whose flow trend statistics are to be made.
[Application type]: Specifies the application type whose flow trends data are to be collected.
[Specific application]: Specifies the application whose flow trends data are to be collected.
[Flow Type]: Specifies [Uplink Flow], [Downlink Flow] or [Total Flow] to make the flow trend statistics.

[Trend Type]: Specifies [Total Flow] or [Flow Speed] to make the flow trend statistics, among which [Total flow] indicates that it shows the trends of flow volume, while [Flow speed] indicates that it shows the trends of flow speed.
Click the <Subscribe> button and the following options appear:
[Report name]: Defines the name of the report.
[Report period]: Specifies how often this periodic report is to be generated. Options are [Daily], [Weekly] and [Monthly]. If [Daily] is the selected [Report period], this trend report will be generated during 0:00~6:00 o’clock everyday; if [Weekly] is the selected [Report period], this trend report will be generated during 0:00~6:00 o’clock on Monday every week; if [Monthly] is the selected [Report period], this trend report will be generated during 0:00~6:00 o’clock on the first day of the month. The generated trend report will then be sent to the designated receiver email address. 0:00~6:00 o’clock is only a default time. You can modify it on the [System Management] > [System Configuration] page of the Data Center, as for detailed configuration guide, please refer to Section 4.8.2 System Configuration.
[Mail subscription]: Specifies the email address of the receiver. Once a report is generated according to this report template, the report will be sent to the designated receiver’s email address.
<Favorite>: Click this button and the specified conditions will be saved as a report template and listed under [Customized Link] on the [Home Page]. This function facilitates you to save your search preferences. If you want to get data of the same conditions, you need only click the corresponding quick link to enter the search page. Click the button and name this bookmark, as shown below:
Click the <Submit> button and the report template with the newly-specified conditions is seen on the [Home Page], as shown below:

4.6.2 Application Flow Trend
[IP Flow Trend] makes flow trends for the application type being used online, based on the specified conditions such as host IP, time, etc., as shown below:
[Host IP]: Configures the host IP addresses whose flow trends are to be made.
[Search range]: Options are [Top 5 Applications] and [Specify search object column].
[Specify search object column]: Specifies the application whose trends data will be covered in the trend report. Click the <Select> button and the application type list pops up.

[Statistic time]: Specifies the period of time whose flow trends are to be made, options are [This day], [This week] and [This month].
[Date]: Specifies the date whose flow trends will be covered. It only works in association with the specified [Statistic time]. For example, if you select [This day], it will only collect the flow data of this day (specified by [Date]) to make flow trend statistics; if you select [This week], it will only collect the flow data of this week (the same week where the specified [Date] belongs) to make flow trend statistics; if you select [This month], it will only collect the flow data of this month (the same month where the specified [Date] belongs) to make the flow trend statistics.
[Trend Type]: Specifies [Total Flow] or [Flow Speed] to make the flow trend statistics, among which [Total flow] indicates that it shows the trends of flow volume, while [Flow speed] indicates that it shows the trends of flow speed.
Having specified the above conditions, you have to click the <Statistic> button to make the trends statistics. The statistics made are as shown below:
The flow speed and related information are shown in graphs or listed in tables. You can read the details from the searched results visually.
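The [Host IP] fields of the trend reports above take a single address or an IP1-IP2 range, not subnet/mask. The following is an added example, not part of the manual or of any SANGFOR tool: it converts subnet/mask notation into that form and checks whether an address falls inside a field value. The function names are hypothetical, the sample addresses are constructed, and treating the range as inclusive at both ends is an assumption.

```python
import ipaddress


def to_host_ip_field(spec: str) -> str:
    """Return `spec` as a single IP or an IP1-IP2 range (the [Host IP] form).

    Accepts a single IPv4 address, an IP1-IP2 range, or subnet/mask
    (CIDR prefix or dotted netmask). Raises ValueError on malformed input.
    """
    spec = spec.strip()
    if "/" in spec:
        # subnet/mask is the form the field does not take: expand it to the
        # first and last address of the block (host bits are ignored).
        net = ipaddress.IPv4Network(spec, strict=False)
        first, last = net.network_address, net.broadcast_address
    elif "-" in spec:
        low, high = (part.strip() for part in spec.split("-", 1))
        first, last = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if first > last:
            raise ValueError(f"range start {first} is above range end {last}")
    else:
        first = last = ipaddress.IPv4Address(spec)
    return str(first) if first == last else f"{first}-{last}"


def field_covers(field: str, address: str) -> bool:
    """True if `address` lies inside the value entered in a [Host IP] field.

    Assumption: the range is inclusive at both ends.
    """
    first, _, last = to_host_ip_field(field).partition("-")
    target = ipaddress.IPv4Address(address)
    low = ipaddress.IPv4Address(first)
    high = ipaddress.IPv4Address(last or first)
    return low <= target <= high


if __name__ == "__main__":
    # Constructed sample inputs, as an administrator might have them on file.
    for sample in ("192.168.10.0/24", "10.1.2.77/255.255.255.0",
                   "172.16.5.9/32", "10.0.0.5 - 10.0.0.9"):
        print(f"{sample!r:30} -> {to_host_ip_field(sample)}")
```
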

<Generate report>: Click this button to generate a report covering the searched results. For detailed guide, please refer to Section 4.6.1 IP Flow Trend.
<Subscribe>: Click this button to subscribe the statistics search. The trend statistics report will be periodically and automatically made, emailed to the administrator and saved to the Report Template list. For detailed guide, please refer to Section 4.6.1 IP Flow Trend.
Click the <Submit> button and the report template of newly-specified conditions is seen on the [Home Page]. For detailed guide, please refer to Section 4.6.1 IP Flow Trend.

4.7 Search
[Search] includes [Flow Search], [Firewall Log] and [Gateway Operation Log] search. The default page is as shown below:

4.7.1 Flow Search
[Flow Search] specifies the conditions used for searching the flow caused by online activities of the related users. You can specify the filtering conditions according to your case and needs.
[Search object]: Specifies the objects whose flow data are to be searched. Options are [All user], [Gateway Connect-in user], [Gateway Connect-out user] and [Host IP].

for detailed configuration guide.4. [Specific application]: Specifies the application whose related flow data are to be searched. File Download. [Office hours]. [Gateway Connect-in user]. Options are [All user].4. [Application]: Specifies the application type whose flow data are to be searched. as shown below: 336 . [Non-office hours] and [Internet Access Total[Null]]. Options are [All day]. applications such as P2P.3 Time Schedule). [Time]: Defines the time range of the flow data. such as WebMail of HTTP application type. [Gateway Connect-out user] and [Host IP]. HTTP.0 User Manual [Excluded object]: Specifies the objects excluded from the flow search. etc. The entered objects are generally the objects that are covered by the [Search object]. [Time object]: Specifies a time schedule and the flow data caused during that time schedule will be covered (time schedule is defined on the WAN Accelerator. please refer to Section 3. Click the <Search> button and the details of the matching objects are displayed in the [Flow Search Result] list. Option are [Time range] and [Time object] [Time range]: Specifies a time range and the flow caused during that time range will be covered. for instance.SANGFOR WAN Accelerator 6. [Date range]: Specifies the date range based on which the matching data are to be covered.

<Export log>: Click this button and the search results will be exported in format of .xls. Click the <here> link to download and save the excel document to the local computer, as shown below:
<Favorite>: Click this button and the specified conditions will be saved as a report template and listed under [Customized Link] on the [Home Page]. This function facilitates you to save your search preferences. If you want to search data with the same conditions, you need only click the corresponding quick link to enter the search page. Click the button and name this bookmark, as shown below:
Enter the name and then click the <Submit> button to save the search template listed on the [Home Page], under [Customized Link], as shown below:

[Flow Search Result]: Displays the results searched according to the specified conditions, as shown below:
Click the icon to view the search result in extended mode. The data displayed in extended view mode is as shown below:
Click the icon to view the search result in list view mode. The results displayed in list view mode are as shown below:
[Click to select the column]: Click it and select the needed columns to have them displayed in the table, as shown below:
[Records/page 100 records]: Indicates 100 records of searched records are displayed per page.
Click <First> or <Last> to go to the first page or the last page of the search results. Click <Previous> or <Next> to go to the previous page or the next page of the search results.
[Sort by time(desc)] and [Sort by time(asc)] are not available on this version.

4.7.2 Firewall Log
[Firewall Log] page enables you to specify the conditions and search for the needed firewall logs. The default page is as shown below:

[Source IP]: Specifies the source IP address to which the needed firewall logs are related.
[Destination port]: Specifies the destination port to which the needed firewall logs are related.
[Date range]: Specifies the date range that the matching firewall logs are to be covered.
[Time]: Defines the time range of firewall logs. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the firewall logs recorded during that time range will be covered.
[Time object]: Specifies a time schedule and the flow data caused during that time schedule will be covered (time schedule is defined on the WAN Accelerator, for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total[Null]].
Check the [Search in detail] option and more filtering conditions appear, as shown below:

[Rule name]: Specifies the rule name to which the needed firewall logs are related.
[Destination IP]: Specifies the destination IP address to which the needed firewall logs are related.
[Protocol]: Specifies the protocol to which the needed firewall logs are related. Options are [TCP], [UDP], [ICMP] and [Other].
[Activity]: Specifies the action recorded by the firewall log. Options are [Reject] and [Allow].
Click the <Search> button and the details of the matching firewall logs are displayed in the [Firewall Log Search Result] list, as shown below:
Function and use of [Firewall Log Search Result] is almost the same as that of the [Flow Search Result]. For detailed introduction, please refer to the relevant part in Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.

4.7.3 Gateway Operation Log
[Gateway Operation Log] enables you to specify the conditions and search for the needed gateway operation logs. The default page is as shown below:

[Console user]: Specifies the objects whose related gateway operation logs are to be searched. Options are [User] and [IP].
[Description]: Enter a description for the searched gateway operation logs.
[Date range]: Specifies the date range during which the gateway operation logs are recorded.
[Time]: Defines the time range of gateway operation logs. Options are [Time range] and [Time object].
[Time range]: Specifies a time range and the gateway operation logs recorded during that time range will be covered.
[Time object]: Specifies a time schedule and the gateway operation logs recorded during that time schedule will be covered (time schedule is defined on the WAN Accelerator, for detailed configuration guide, please refer to Section 3.4.4.3 Time Schedule). Options are [All day], [Office hours], [Non-office hours] and [Internet Access Total[Null]].
Click the <Search> button and the details of the matching firewall logs are displayed in the [Operation Log Search Result] list, as shown below:

For the detailed introduction to [Operation Log Search Result], please refer to the relevant part in Section 4.7.1 Flow Search.
<Export log>: Click this button to generate a report covering the searched results. For detailed guide, please refer to Section 4.7.1 Flow Search.
Click the <Favorites> button and the report template of newly-specified search conditions is seen on the [Home Page]. For detailed guide, please refer to Section 4.7.1 Flow Search.

4.8 System Management
[System Management] configurations help you to manage the log library, user login to Internal Data Centers and to configure the parameters for the system. [System Management] includes three parts, namely, [Log Library Mgt], [System Configuration] and [Configuration Import/Export]. The default page is as shown below:

4.8.1 Log Library Mgt
[Log Library] consists of [Log Library Search] and [Disk Usage]. The default page is as shown below:

4.8.1.1 Log Library Search
[Log Library Search] is used to search for log libraries details, facilitating you to manage and delete the specified log libraries. The default page is as shown below:

[Date range]: Specifies the date range during which the libraries are recorded.
<Search>: Click this button to search for the needed logs according to the specified date range. The search result will be displayed, including the information of table size, size of the attachment and the log library.
<Select all>: Click this button to select all the displayed libraries of this page.
<Reverse>: Click the button to deselect the selected libraries and select the other unselected libraries of this page.
<Delete>: Click this button to delete the selected log libraries.
<Delete all>: Click it to delete all the log libraries.

4.8.1.2 Disk Usage
[Disk Usage] shows the disk utilization status in charts and tables. The page is as shown below:

As shown in the above figure, the current status of disk usage is shown in a pie chart and in a table, including information of total disk space (Total), used disk space (Used), free disk space (Free) and percentage of free disk space.

4.8.2 System Configuration
[System Configuration] configures settings such as the mail server, the time for generating the report, exporting log, etc. Click [System Management] > [System Configuration] and the following interface appears:

[Mail server setting]: Configures the receiver email address, sender email address and the mail server address. If you want to email the report to the administrator, you have to configure the options on this page.
[Mail server address]: Configures the mail server of the email sender. Domain name is supported. To have the sender’s mail server require user authentication, you need check the [Username and password required] option and configure a username and password.
[Report generation time]: Configures the time when the periodic report is to be generated. It is 00:00-06:00 by default, indicating that system will generate the report during this period of time randomly.
[Generated Report Setting]: Configures the options to manage the generated reports. Type a positive integer into [Auto delete report generated _ days ago(within 31 days)] and the system will automatically delete the reports generated in earlier days, or enter the number of reports and the system will only save that number of reports.
[Log export setting]: Configures a numeric value to define the logs that can be exported. It is 1000 by default. System allows you to export maximum 10000 logs.

4.8.3 Configuration Import/Export
[Configuration Import/Export] configures the options to back up or restore the system configurations and customized report template. Click [System Management] > [Configuration Import/Export] and the following page appears:

[Configuration Export] helps to export the configurations of the Data Center, including system configuration and customized report templates.
<Export>: Click this button and follow the steps to export the configurations of the Data Center.
[Configuration Import]: Helps to import configurations into the Data Center.
<Browse>: Click it to select and upload a configuration file from the local computer. Click the <Import> button to import the configuration file into the Data Center. The newly-imported system configurations will replace the original configurations of the Data Center, and the newly-imported customized report templates will be added to the report template list of the corresponding report type.

Chapter 5 Client Software
In addition to VPN/acceleration connection to be established between two hardware devices (WAN Accelerators), it is also supported that a VPN/acceleration connection is established between client-end software and hardware device(s). At present, three types of client software are supported, namely, Acceleration-Only client software, VPN-only client software and VPN-Plus-Acceleration client software. Detailed installation requirements of the three types of software are as listed below:
• Memory: 256MB or above (VPN-only client software), 512MB or above (VPN-Plus-Acceleration client software)
• Hard disk: remaining partition 50MB or above (VPN-only client software), 1GB or above (VPN-Plus-Acceleration client software)
• Operating system: Windows 2000 server, Windows 2003 server (32bit), Windows XP (32bit), Windows Vista (32bit) and Windows 7 (32bit)

5.1 Acceleration-Only Client Software

5.1.1 Installation
1.) Double-click the program PACC6.0_EN.exe to install the PACC software (alias of SANGFOR acceleration-only client software), as shown below:
Before continuing the installation of PACC software, please terminate the antivirus program on your computer. You can run the antivirus software after the installation finishes.
2.) Click the <OK> button and the Wizard page appears, as shown below:

3.) Click the <Next> button to go to the next step, as shown below:
4.) Enter the username and company name, click the <Next> button to go to the next step, as shown below:

as shown below: 6. it requires restarting the computer.) Select an installation directory.) Click the <Install> button.SANGFOR WAN Accelerator 6. as shown below: 352 . click the <Next> button to go to the next step.0 User Manual 5. Completing installation.

7.) Click the <Finish> button and the installation completes. After computer reboot, the Sangfor PACC software icon will appear on the desktop of your computer, as shown below:

5.1.2 Deployment
SANGFOR PACC software supports the following two types of network deployments:
a.) Bridge Mode
The WAN Accelerator is deployed in Bridge mode in the local area network (LAN), the front-end firewall maps the TCP/UDP 5400 (default) port to SANGFOR WAN Accelerator, as shown in the network topology below:

b.) Single-arm Mode
The WAN Accelerator is deployed in Single-arm mode in the local area network, the front-end firewall maps the TCP/UDP 5400 (default) port to the SANGFOR WAN Accelerator, as shown in the network topology below:

5.1.3 Usage
The logon interface of the PACC software of SANGFOR WAN Accelerator is as shown below:

[Gateway address]: Specifies the IP address of the SANGFOR WAN Accelerator that is to be connected to.
[Port]: Configures the port used by SANGFOR WAN Accelerator that is to be connected to.
[Username] and [Password]: Enter the corresponding username and password configured on the server WAN Accelerator for this PACC user.
[Save Profile]: Check this option to save the entered information such as gateway IP address, port, username and password, so that this PACC user will not be bothered to enter the information again next time it logs in.
[Login automatic]: Check this option so that the PACC user can automatically log in to the WAN Accelerator next time when the PACC user double-clicks the PACC software icon.
<Setting>: Click this button and the [PACC Setting] dialog appears, as shown below:

GPRS. please select HTP protocol. etc). <Clear>: Click it to clear the byte cache files in the Cache directory. [Enable LSP Service]: Check this option and it will capture the data packets of the applications that are going through the WAN accelerations. However. If packet loss happens.. etc. If it is connected wirelessly (through CDMA. select TCP protocol. [Enable TDI Service]: Check this option and it supports the acceleration of My Network Places and Exchange.SANGFOR WAN Accelerator 6. except those of My Network Places and Exchange. [Enable datacache]: Check this option and select a directory to enable byte cache function of the local terminal. [Transmission type]: Configures the protocol that the PACC software uses for connecting to the SANGFOR WAN Accelerator. 356 . [Cache size]: Configures the size of the local hard disk allocated to the byte cache. otherwise. choose the corresponding option (Wireless network) and it will optimize the wireless networks. The option takes effect after computer reboot. [Auto] is recommended.0 User Manual [Network type]: It specifies the network type that the client’s PC connects to the Internet. yet excluding WiFi.

[Exclusion Rule]: Configures the server-end IP addresses whose data transmission is not to be optimized. The PACC users’ requests of accessing these excluded IP addresses will not get into the acceleration channel. Click the tab name [Exclusion Rule] and the corresponding options appear, as shown below:
Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP type], etc., as shown below:

[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.
[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies, options are [Single IP], [IP range] and [Subnet].
Click the <Edit> button to modify the existing exclusion rule.
Click the <Remove> button to delete the existing exclusion rule.
[Login Setting] includes [Gateway], [Port], [Username], [Password], [Save profile], [Auto login], and [Start with system], as shown below:

[Gateway]: Indicates the IP address of the peer WAN Accelerator.
[Port]: Indicates the port used by the peer WAN Accelerator for acceleration.
Logging in successfully, you will see the acceleration status, application status, real-time flow information over the past 60 seconds, etc.
<Stop PACC>: Click this button to stop connecting the PACC software to the server WAN Accelerator.
<Change PW>: Click this button to modify the password for the PACC user.
<Help>: Click this button to view the help information of the PACC software.

<View Log>: Click this button to view the connection logs of this PACC software, as shown below:

5.2 VPN-Only Client Software

5.2.1 Installation
1.) Double-click the program Dlan4.32_PDLAN_Setup.exe to install the client software. Before installing, please terminate the antivirus program of your computer, otherwise, installation will fail.
2.) Click the <Next> button to go to the next step, as shown below:

3.) Click the <Yes> button to agree to the License Agreement.
4.) Select an installation directory and click the <Next> button to go to the next step, as shown below:

5.) Check or uncheck Sinfor Dkey Driver and click the <Next> button to go to the next step, as shown below:
6.) During the installing process, it will require disconnecting the Internet, as shown below:
To ensure that the installation goes smoothly, disable the Local Area Connection of the computer. You can enable it after installation completes.
7.) Click the <Continue> button. When installation completes, it requires restarting the computer, as shown below:
8.) Click the <Finish> button and the installation completes. After computer reboot, the software icon will appear on the desktop of the computer, as shown below:
9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown below:
Till then, installation of the client software completes.

5.2.2 Deployment
SANGFOR PDLAN (alias of VPN-only client software) supports the following two types of network deployment:
a.) Bridge Mode
The WAN Accelerator is deployed in Bridge mode, the front-end firewall maps the TCP/UDP 4009 (default) port to the SANGFOR WAN Accelerator, the mobile VPN user and WAN Accelerator establish VPN connection. The network topology is as shown below:
b.) Single-arm Mode
The WAN Accelerator is deployed in Single-arm mode in the local area network, the mobile VPN user and WAN Accelerator have established a VPN connection, as shown in the network topology below:

5.2.3 Usage
The first time the PDLAN client software runs, the Config Wizard appears, as shown below:
1.) Select a method of configuring the system, [Manual] or [Import Config File]. Generally, it is recommended to configure the system manually. The configuration file that is to be imported should be given by the HQ VPN administrator who has used the corresponding VPN user account and exported the configurations of the HQ WAN Accelerator. Click the <Next> button to go to the next step, as shown below:

2.) Type in the Webagent of the HQ WAN Accelerator and click the <Test> button to check the validity of the Webagent addresses, as shown below:
If the HQ WAN Accelerator uses one static IP address, type in the Webagent in format of “IP:port”, as shown below:

If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in format of “IP1#IP2:port”, as shown below:

Please contact the HQ VPN administrator to ask for the Webagent address(es).
3.) Click the <Next> button and type in the username and password to be used by this mobile VPN user to connect to the HQ VPN, as shown below:

4.) Click the <Next> button and then confirm the correctness of the configured options, as shown below:

5.) Click the <Finish> button and manual setup completes.
6.) Open the software and the console is as shown below:
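Step 2 of the wizard above takes the Webagent as “IP:port” for one static IP address or “IP1#IP2:port” for several. The following is an added example, not part of the manual or of the PDLAN software: it checks such a string before it is handed to users or typed into the wizard. The names `Webagent`, `parse_webagent` and `format_webagent` are hypothetical, the addresses are constructed documentation-range values, and only the two static-IP formats given on this page are handled.

```python
import ipaddress
from typing import List, NamedTuple


class Webagent(NamedTuple):
    addresses: List[str]   # HQ static IP addresses, in the order entered
    port: int


def parse_webagent(text: str) -> Webagent:
    """Parse "IP:port" or "IP1#IP2:port"; raise ValueError if malformed."""
    host_part, sep, port_part = text.strip().rpartition(":")
    if not sep or not host_part:
        raise ValueError("expected IP:port or IP1#IP2:port")
    if not (port_part.isascii() and port_part.isdigit()):
        raise ValueError(f"port is not a number: {port_part!r}")
    port = int(port_part)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")

    addresses: List[str] = []
    for item in host_part.split("#"):
        try:
            address = str(ipaddress.IPv4Address(item.strip()))
        except ValueError as exc:
            # Also catches "IP1:port#IP2:port", where the port was repeated
            # per address instead of being written once at the end.
            raise ValueError(f"not an IPv4 address: {item!r}") from exc
        if address in addresses:
            raise ValueError(f"address listed twice: {address}")
        addresses.append(address)
    return Webagent(addresses, port)


def format_webagent(addresses: List[str], port: int) -> str:
    """Build the wizard string from a list of addresses, validating it."""
    text = "#".join(addresses) + f":{port}"
    parse_webagent(text)          # raises ValueError on bad input
    return text


if __name__ == "__main__":
    # Constructed samples; 4009 is the default port named in Section 5.2.2.
    for sample in ("203.0.113.10:4009",
                   "203.0.113.10#198.51.100.20:4009",
                   "203.0.113.10:4009#198.51.100.20:4009"):
        try:
            print(sample, "->", parse_webagent(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```
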

5.2.3.1 VPN Settings

5.2.3.1.1 System Info
[System Info]: It includes [Console Management], [Time Schedule Management], [Algorithm Management] and [Create Certificate]. The default page is as shown below:
[Console Management]: Configures the password of the VPN-only client software. The mobile VPN users who do not know this password will be unable to run this software.
<Change>: Click this button to edit the password of the VPN-only client software.
<Backup>: Click this button to backup the configuration of the VPN-only client software to the local computer. You can restore the backed up configurations into the software if necessary.
[Time Schedule Management]: Configures the time schedule which will be referenced by the LAN privilege settings. In general, the time schedule will be referenced when the mobile VPN is configuring LAN privilege for the HQ VPN. The way of configuring time schedule is the same as that in Section 3.4.4.3. Having completed configuring a time schedule, you have to click the <Apply> button to save and apply the settings, otherwise, the settings will not be saved and take effect.
[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are supported by this VPN-only client software. The default page is as shown below:

To add an algorithm, click the <New> button and then manually add the algorithm into the list. If you want to add and use your own encryption or authentication algorithm, please make sure the encryption/authentication algorithms used on the HQ VPN and the client software are the same. Different encryption/authentication algorithms will incur failure in establishing VPN channel. Having completed configuring the page, you have to click the <Apply> button (at the right bottom of the page) to save and apply the settings, otherwise, the settings will not be saved and take effect.
[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to the [Create Certificate] page of the client software and click the <Create> button to generate the hardware-featured certificate of its computer. After generating the hardware-featured certificate, the user has to send this certificate to the administrator of the HQ VPN. Only after the HQ VPN administrator has had the hardware-featured certificate bound with the user, can this user establish VPN connection with the HQ VPN smoothly. The default page is as shown below:

5.2.3.1.2 PDLAN

[PDLAN] includes [Basic config], [Main Connection Parameters], [Connection Management], [LAN service settings] and [Tunnel Route].

[Basic config] covers the settings of Webagent information, MTU, minimum compression value, VPN listening port, privilege and shared key, as well as the options for optimizing multiple-ISP network and mobile VPN, as shown below:

Generally, you are recommended to adopt the default [MTU] and [Min Compression Value] values. If you need to change these values, please follow the instructions given by the SANGFOR technicians.

[Main connection parameters]: Configures the necessary information used for establishing VPN connections with the HQ VPN, as shown below:

[Username], [Password]: Type in the correct username and password that the HQ VPN has configured for this user on the [VPN Connection] tab.

[Trans Mode]: Configures the transfer mode of the VPN data packet. Options are “TCP” and “UDP”. When the VPN connection appears unstable, try to alter the transfer mode.

[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the branch VPN apply different Internet service providers (ISP) and these different links cause frequent packet loss. To enable this function, you first have to activate the cross-ISP license. You can also tell the system the status of your network environment, by selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet Loss Rate].

Having completed configuring the page, you have to click the <Apply> button (at the right bottom of the page) to save and apply the settings; otherwise, the settings will not be saved and will not take effect.

[Connection Management]: This page should be configured if this mobile VPN user is connecting to two or more HQ VPN sites at the same time. The default page is as shown below:

If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a new VPN connection, as shown below:

Enter the name (MDLAN is an alias of HQ VPN) and description of this VPN connection (better the name of the HQ VPN site), and then click the <Next> button to go to the next step, as shown below:

Configure the needed information, Webagent and transfer mode, and then click the <Next> button to go to the next step, as shown below:

Enter the username and password used for establishing the VPN connection, and click the <Next> button, as shown below:

Check the correctness of the configurations and then click the <Finish> button to complete adding a new VPN connection.

If the mobile VPN user only connects to one HQ VPN, the [Connection Management] need not be configured.

[LAN service settings] and [Tunnel Route] are configured in a similar way as on the WAN Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel Route in this user’s manual.

5.3 VPN-Plus-Acceleration Client Software

5.3.1 Installation

1.) Double-click the program PDLAN_PACC6.0EN.exe to install the software, as shown below:

Before installing the client software, please terminate the antivirus program of your computer; otherwise, installation may fail. You can run the antivirus software after the installation finishes.

2.) Click the <OK> button and the Wizard page appears, as shown below:

3.) Click the <Next> button to go to the next step, as shown below:

4.) Click the <Yes> button to go to the next step, as shown below:

5.) Click the <Browse> button to select an installation directory and then click the <Next> button to go to the next step, as shown below:

6.) Check or uncheck Sangfor Dkey Driver. If the user is to use DKey, this option must be checked; if the user is not to use DKey, it may not be checked.

7.) Click the <Next> button to go to the next step, as shown below:

During the installation process, the computer has to be disconnected from the Internet. To ensure that installation goes smoothly, disable the Local Area Connection of the computer, as shown below. You can enable it after installation completes.

8.) Click the <Continue> button. When installation completes, the computer has to be restarted, as shown below:

After the computer reboots, the software icon will appear on the desktop of the computer, as shown below:

9.) Enable the Local Area Connection to have the computer connect to the Internet, as shown below:

With that, installation of the VPN-Plus-Acceleration software is complete.

5.3.2 Deployment

SANGFOR PDLAN_PACC (alias of SANGFOR VPN-plus-acceleration client software) supports the following two types of network deployment:

a.) Gateway Mode

The WAN Accelerator is deployed in Gateway mode. The mobile VPN user and WAN Accelerator establish VPN connection and acceleration connection at the same time. The network topology is as shown below:

b.) Single-Arm Mode

In this deployment mode, the WAN Accelerator is deployed in the local area network, and the frontend firewall maps the TCP/UDP 4009 (default) port to the SANGFOR WAN Accelerator. The mobile VPN user and WAN Accelerator establish VPN connection and acceleration connection at the same time, as shown in the network topology below:

5.3.3 Usage

The first time the VPN-Plus-Acceleration client software runs, the Config Wizard appears, as shown below:

1.) Select a method of importing configuration file, [Configure Manually] or [Import Config File]. Generally, it is recommended to import the configuration file manually. The configuration file to be imported should be sent by the HQ VPN administrator who has used the corresponding VPN user account and exported the configurations of the HQ WAN Accelerator. Click the <Next> button to go to the next step, as shown below:

2.) Type in the Webagent (primary and secondary Webagent) of the HQ WAN Accelerator and click the <Test> button to check the validity of the Webagent addresses, as shown below:

If the HQ WAN Accelerator uses one static IP address, type in the Webagent in format of “IP:port”, as shown below:

If the HQ WAN Accelerator uses multiple static IP addresses, type in the IP addresses in format of “IP1#IP2:port”, as shown below:

Please contact the administrator of HQ VPN to ask for the Webagent address(es).

3.) Click the <Next> button and type in the username and password that are to be used by this mobile VPN user to connect to the HQ VPN, as shown below:

4.) Click the <Next> button and then confirm the correctness of the configured options, as shown below:

5.) Click the <Finish> button and manual setup completes, as shown below:

6.) Click the <OK> button to apply the new configurations. Open the software and the console appears, as shown below:
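The two Webagent formats from step 2 above (“IP:port” and “IP1#IP2:port”) can be checked before they are typed into the wizard. The following is an added example, not part of the manual or of SANGFOR software; it assumes IPv4 addresses and covers only the two static-address forms described here, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse_webagent(value):
    """Parse 'IP:port' or 'IP1#IP2:port' into (list of IPs, port).

    Assumption: addresses are IPv4; the manual only says "IP".
    Raises ValueError with a readable reason on malformed input.
    """
    text = value.strip()
    hosts, sep, port_text = text.rpartition(":")
    if not sep or not hosts:
        raise ValueError(f"{value!r}: expected IP:port or IP1#IP2:port")
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"{value!r}: port must be a decimal number")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"{value!r}: port {port} is outside 1-65535")

    ips = []
    for part in hosts.split("#"):          # '#' separates multiple static IPs
        try:
            ip = ipaddress.IPv4Address(part)
        except ValueError:
            raise ValueError(f"{value!r}: {part!r} is not an IPv4 address") from None
        if str(ip) in ips:
            raise ValueError(f"{value!r}: {ip} is listed twice")
        ips.append(str(ip))
    return ips, port


def review_webagents(entries):
    """Check several labelled entries (e.g. primary/secondary Webagent).

    Returns {label: (ips, port)} for valid entries and
    {label: "error text"} for entries that would be rejected.
    """
    report = {}
    for label, value in entries.items():
        try:
            report[label] = parse_webagent(value)
        except ValueError as exc:
            report[label] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, port 4009).
    sample = {
        "primary": "192.0.2.10#198.51.100.7:4009",
        "secondary": "192.0.2.11",          # port missing
    }
    for label, result in review_webagents(sample).items():
        print(label, "->", result)
```
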

5.3.3.1 VPN Settings

5.3.3.1.1 System Info

[System Info]: It includes [Console Management], [Time Schedule Management], [Algorithm Management] and [Create Certificate].

[Console Management]: Configures the password of the VPN-Plus-Acceleration client software. The default page is as shown below:

<Change>: Click this button to edit the password of the VPN-Plus-Acceleration client software. The mobile VPN users who do not know this password will be unable to run this software.

<Backup>: Click this button to back up the configuration of the VPN-Plus-Acceleration client software to the local computer. After re-installing the software, you can restore the backed up configurations if necessary.

[Time Schedule Management]: Configures the time schedule which will be referenced by the LAN privilege settings. In general, the time schedule will be referenced when the mobile VPN is configuring LAN privilege for the HQ VPN.

The way of configuring a time schedule is the same as that in Section 3.4.4.3 Time Schedule. Having completed configuring a time schedule, you have to click the <Apply> button to save and apply the settings; otherwise, the settings will not be saved and will not take effect.

[Algorithm Management]: Configures the VPN encryption and authentication algorithms that are supported by this VPN-Plus-Acceleration client software. The default page is as shown below:

To add an algorithm, click the <New> button and then manually add the algorithm into the list. If you want to add and use your own encryption or authentication algorithm, please make sure the encryption/authentication algorithms used on the HQ VPN and the client software are the same. Different encryption/authentication algorithms will incur failure in establishing the VPN channel.

Having completed configuring the page, you have to click the <Apply> button (at the right bottom of the page) to save and apply the settings; otherwise, the settings will not be saved and will not take effect.

[Create Certificate]: Helps to generate the hardware-featured certificate of the computer. If the HQ VPN has defined a user (VPN user account) to use hardware authentication, that user has to go to the [Create Certificate] page of the client software and click the <Create> button to generate the hardware-featured certificate of its computer. After generating the hardware-featured certificate, the user has to send this certificate to the administrator of the HQ VPN. Only after the HQ VPN administrator has had the hardware-featured certificate bound with the user can this user establish a VPN connection with the HQ VPN smoothly. The default page is as shown below:

5.3.3.1.2 Mobile VPN

[Mobile VPN] includes [Basic Settings], [User Settings], [VPN Connection], [LAN Service Settings], [Tunnel Route] and [PACC].

[Basic Settings] covers the settings of Webagent information, MTU, minimum compression value, VPN listening port, privilege and shared key, as well as the options for optimizing multiple-ISP network and mobile VPN, as shown below:

Generally, it is recommended to adopt the default [MTU] and [Min Compression Value] values. If you need to change these values, please follow the instructions given by the SANGFOR technicians.

[User Settings]: Configures the necessary information used for establishing VPN connections with the HQ VPN, as shown below:

[Username], [Password]: Type in the correct username and password that the HQ VPN has configured for this user on the [VPN Connection] tab.

[Transfer Mode]: Configures the transfer mode of the VPN data packet. Options are “TCP” and “UDP”. When the VPN connection appears unstable, try to alter the transfer mode.

[Cross-ISP Optimization]: This function is recommended to be enabled if the HQ VPN and the branch VPN apply different Internet service providers (ISP) and these different links cause frequent packet loss. To enable this function, you first have to activate the cross-ISP license. You can also tell the system the status of your network environment, by selecting [Low packet loss], [High packet loss] or [Set manually] and configuring the [Packet Loss Rate].

Having completed configuring the page, you have to click the <Apply> button (at the right bottom of the page) to save and apply the settings; otherwise, the settings will not be saved and will not take effect.

[VPN Connection]: This page should be configured if this mobile VPN user is connecting to two or more HQ VPN sites at the same time. The default page is as shown below:

If the mobile VPN user is to connect to a second new HQ VPN, click the <New> button to add a new VPN connection, as shown below:

Enter the name and description of this VPN connection (better the name of the HQ VPN site), and then click the <Next> button to go to the next step, as shown below:

Configure the needed information, Webagent and transfer mode, and then click the <Next> button to go to the next step, as shown below:

Enter the username and password used for establishing the VPN connection and click the <Next> button, as shown below:

Check the correctness of the configurations and then click the <Finish> button to complete adding a new VPN connection.

If the mobile VPN user only connects to one HQ VPN, the [VPN Connection] need not be configured.

[LAN service settings] and [Tunnel Route] are configured in a similar way as on the WAN Accelerator. For details, please refer to Section 3.8.5.2 LAN Service and Section 3.8.5.4 Tunnel Route in this user manual.

[PACC]: Enables you to enable the acceleration function, configure the related parameters and change the password, etc., as shown below:

<Start>: Click this button to apply acceleration function to this PACC user (mobile VPN user).

[Setting] covers [Basic Settings], [Exclusion Rule] and [Login Setting], as shown below:

[Network type]: It specifies the network type through which the client’s PC connects to the Internet. “Auto detect” is the default selection. If it is connected wirelessly (through CDMA, GPRS, etc.), yet excluding WiFi, choose the corresponding option (Wireless network) and it will optimize the wireless networks.

[Enable LSP Service]: Check this option and it will capture the data packets of the applications that are going through the WAN accelerations, except those of My Network Places and Exchange, etc.

[Enable TDI Service]: Check this option and it supports the acceleration of My Network Places and Exchange, etc. The option takes effect after computer reboot.

[Enable datacache]: Check this option and select a directory to enable byte cache function of the local terminal.

[Cache size]: Configures the size of the local hard disk space allocated to the byte cache.

<Clear>: Click it to clear the byte cache files in the Cache directory.

[Exclusion Rule]: Configures the server-end IP addresses whose data transmission is not to be optimized. The PACC users’ requests of accessing these excluded IP addresses will not get into the acceleration channel. Click the tab name [Exclusion Rule] and the corresponding options appear, as shown below:

Click the <Add> button and the [Exclusion Rule] dialog pops up. Configure the [Port Range], [IP type], etc., as shown below:

[Port Range]: Enter the range of the ports to be excluded from the acceleration policies.

[IP Type]: Specifies the type of the IP addresses to be excluded from the acceleration policies; options are [Single IP], [IP range] and [Subnet].

Click the <Edit> button to modify the selected exclusion rule.

Click the <Remove> button to delete the selected exclusion rule.

[Login Setting] covers [Gateway], [Port], [Username], [Password], [Save profile], [Auto login], [Start with system], as shown below:

[Gateway]: Indicates the IP address of the peer WAN Accelerator.

[Port]: Indicates the port used by the peer WAN Accelerator for acceleration.

[Username], [Password]: Type in the correct username and password that have been configured on the server-end WAN Accelerator (HQ VPN) for this mobile user.

[Save profile]: Check this option to save the entered information such as gateway IP address, port, username and password, so that you will not be bothered to enter the information again next time you log in.

[Auto login]: Check this option so that you can automatically log in to the HQ WAN Accelerator next time when you double-click the software icon.
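To review which destinations a set of [Exclusion Rule] entries (described earlier in this section) keeps out of the acceleration channel, the rules can be modelled and evaluated offline. This is an added example, not SANGFOR code: the text forms used for [IP range] ("start-end") and [Subnet] (CIDR), IPv4-only addressing, and the assumption that a rule applies when both the address and the port match are illustrative choices the manual does not specify.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ExclusionRule:
    ip_type: str    # "single", "range" or "subnet" (the three [IP Type] options)
    ip_spec: str    # assumed forms: "a.b.c.d", "a.b.c.d-e.f.g.h", "a.b.c.d/len"
    port_low: int   # [Port Range] lower bound
    port_high: int  # [Port Range] upper bound

    def __post_init__(self):
        # Reject rules that could never match or are malformed.
        if not 1 <= self.port_low <= self.port_high <= 65535:
            raise ValueError(f"bad port range {self.port_low}-{self.port_high}")
        first, last = self.bounds()
        if first > last:
            raise ValueError(f"IP range {self.ip_spec!r} is reversed")

    def bounds(self):
        """Return the (first, last) IPv4 address covered by this rule."""
        if self.ip_type == "single":
            ip = ipaddress.IPv4Address(self.ip_spec)
            return ip, ip
        if self.ip_type == "range":
            start, _, end = self.ip_spec.partition("-")
            return (ipaddress.IPv4Address(start.strip()),
                    ipaddress.IPv4Address(end.strip()))
        if self.ip_type == "subnet":
            net = ipaddress.IPv4Network(self.ip_spec)  # strict: no host bits
            return net.network_address, net.broadcast_address
        raise ValueError(f"unknown IP type {self.ip_type!r}")

    def matches(self, dst_ip, dst_port):
        first, last = self.bounds()
        return (first <= ipaddress.IPv4Address(dst_ip) <= last
                and self.port_low <= dst_port <= self.port_high)


def is_excluded(rules, dst_ip, dst_port):
    """True if any rule keeps this destination out of the acceleration channel."""
    return any(rule.matches(dst_ip, dst_port) for rule in rules)


def classify(rules, flows):
    """Label each (ip, port) flow as 'excluded' or 'accelerated'."""
    return [(ip, port, "excluded" if is_excluded(rules, ip, port) else "accelerated")
            for ip, port in flows]


if __name__ == "__main__":
    # Constructed sample rules and flows (documentation address ranges).
    rules = [
        ExclusionRule("single", "192.0.2.25", 25, 25),
        ExclusionRule("range", "198.51.100.10-198.51.100.20", 1, 65535),
        ExclusionRule("subnet", "203.0.113.0/24", 443, 443),
    ]
    flows = [("192.0.2.25", 25), ("192.0.2.25", 80), ("203.0.113.200", 443)]
    for row in classify(rules, flows):
        print(row)
```
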

Appendix A: Update of Gateway Client

The gateway update and restoration system can be used to update the kernel version of SANGFOR WAN Accelerator and back up the configuration. When vital errors occur in the system, the WAN Accelerator can be restored to factory default configurations via the gateway restoration system. In addition, the gateway restoration system can be used to inspect the running status of the network port and configuration of the routing, etc., as well as to modify the working mode and MTU value of the network port.

As to the update of WAN Accelerator 6.0, gateway clients have to use Sangfor Gateway Client Gateway Updater 5.0. The configuration page is as shown below:

One of the improvements of Gateway Updater 5.0 is the function of synchronizing the PC’s time with Internet. The later versions are entitled with the function of controlling the expiry time of the software update. If the WAN Accelerator has not been updated when the expiry time is reached, the customer will be unable to update the WAN Accelerator with the software package. Therefore, you have to synchronize the Internet time to the client software to ensure that update is fulfilled at the expected and right time.

You can use the Gateway Updater 5.0 to load the update package to upgrade the software of your WAN Accelerator, if the computer on which the Gateway Updater 5.0 runs can obtain the Internet time. However, if the network environment of the WAN Accelerator is limited, for instance, both the WAN Accelerator and the computer are in the local area network and unable to connect to the Internet, you then cannot upgrade the WAN Accelerator directly by using Gateway Updater 5.0. In this situation, to make this function work normally, you can move the computer (on which the Gateway Updater 6.0 runs) to another network segment which can access Internet, and run the Gateway Updater 5.0 to synchronize the PC’s time with Internet, and then, without turning off the computer, move the computer to the LAN and connect it to the WAN Accelerator to fulfill the upgrade.

Menus included are [System], [Update], [Backup], [ManagePackage], [Updatehistory], [Time Sync], [Tools] and [Help].

[System]: Submenus are [Connect], [Search], [Change password], [Disconnect] and [Quit].

[Connect]: Click it and enter the IP address of WAN Accelerator and then type in the password to log in. The default password is dlanrecover. The login page is as shown below.

After logging in successfully, you will see the login success information, as shown below:

[Search]: It will automatically search for the LAN interface IP address of the SANGFOR WAN Accelerator in the local area network (as long as there are no routing devices between the local computer and the WAN Accelerator, and layer 2 broadcast can reach), even though the WAN Accelerator is located in a different network segment (as long as there is no router or layer 3 switch between the local computer and the WAN Accelerator). The search results are as shown below:

[Change password]: Click it to modify the login password of the gateway client. Please DO take care of your modified login password. Once the original password is modified, there is no way to get the modified password if you fail to remember it.

[Disconnect]: Click it to disconnect from the SANGFOR WAN Accelerator. If there is no operation for a certain time, the client-end will also disconnect automatically.

[Update]: Submenus are [Update Firmware], [Restore Default Configuration], [Restore Default Network] and [Check Update SN], as shown below:

[Update Firmware] and [Restore Default Configuration]: Both are only available after the user has logged in to the WAN Accelerator. The former ([Update Firmware]) is used for updating the kernel Firmware of WAN Accelerator and the latter ([Restore Default Configuration]) for restoration of the default configuration.

[Restore Default Network]: This function is only available when the system is disconnected from the SANGFOR WAN Accelerator. Conduct this function and the network configuration of the device will recover to defaults. This operation is realized with the command sent by the broadcast package, and will apply to all the SANGFOR WAN Accelerators deployed in the local area network (LAN).

[Check Update SN]: Displays the valid period of software update of this WAN Accelerator.

Operation of [Restore Default Network] may result in hazardous outcome. Please DO NOT implement this function without second thought.

WAN Accelerator can only be updated from lower version to higher version; it does not permit skipping a version to update or downgrading. These operations will update the key document of the device, or will change the serial number. Please DO NOT perform this operation at will. If update is needed, please contact the technicians of SANGFOR and follow the instructions.

Update is also a kind of risk. If the update operation is not appropriate, the device may be damaged. Please DO NOT update the system by yourself at will. If necessary, please contact the technicians of SANGFOR for instructions.

Brief update procedures are:

Step1. Upload the corresponding update package to the gateway client.

Step2. Log in to the gateway client and implement update operations.

[Backup]: Submenus are [Backup Configuration], [Restore Backup], as shown below:

[Backup Config]: Click it to back up all the configuration information of the WAN Accelerator.

[Restore Backup]: Click it to restore all the backup configuration information to the WAN Accelerator.

Both operations are only applied to the same-model and same-version SANGFOR devices. Devices of different models and versions are inapplicable.

[Managepackage]: Submenus are [Check Current], [Download], [Load Package], as shown in the following figure:

[Check Current]: Click it to view the information of the currently-loaded update package.

[Download]: Please visit the SANGFOR official website www.sangfor.com to download the corresponding update package to the local computer.

[Load Package]: Click it to upload the downloaded update package, and then click [Update] > [Update Firmware]. Before uploading the update package, first exit from the WAN Accelerator.

[Update History]: Submenus are [View Gateway History], [View Local Records] and [Delete Local Records], as shown below:

[View Gateway History]: Click it to view the update logs of the WAN Accelerator.

[View Local Records]: Click it to view the update logs of the local gateway client.

[Delete Local Records]: Click it to clear the update logs of the local gateway client.

[Time Sync]: Displays and synchronizes the Internet time, as shown below:

[View Current Time]: Click it to view the current Internet time.

[Sync at once]: Click it to synchronize the Internet time.

[Tools]: Submenus are [Ping], [Route Table], [ARP Table], [Network Config], [View Mode], [Set Net Mode] and [Exchange Net Interface], as shown below:

[Ping]: Log in to the WAN Accelerator, ping an external network on the WAN Accelerator to check whether it is connected to the external networks.

[Route Table]: Click it to view the routing table of the WAN Accelerator.

[ARP Table]: Click it to view the ARP table of the WAN Accelerator.

[Network Config]: Click it to view the network configuration of the WAN Accelerator, including information of interface IP address, etc.

[View Mode]: Click it to view the mode the current network interface card (NIC) is working in.

[Set Net Mode]: Click it to configure manually the working mode of NIC for the WAN Accelerator, if the setting is not coherent to the actual network interface card mode.

[Exchange net interface]: Click it to exchange the logic network interface of the NIC for the WAN Accelerator. For instance, originally WAN1 is the optical interface and WAN4 is the electrical interface, but you need to use WAN1 as the electrical interface in the real network; in that case, you can exchange WAN1 with WAN4. After exchange, the original WAN1 is an electrical interface and WAN4 is an optical interface.

Exchanging network interface is risky. If not appropriately exchanged, the WAN Accelerator may not work normally. Please DO follow the instructions given by SANGFOR technician to exchange network interface.

Exchanging network interface may lead to unavailability of the serial number of the device. In that case, you need to obtain another serial number.

Appendix B: Acronyms and Abbreviations

AC       Alternating Current
ARP      Address Resolution Protocol
BM       Bandwidth Management
CA       Certificate Authority
CPU      Central Processing Unit
DMZ      Demilitarized Zone
DNAT     Destination Network Address Translation
DNS      Domain Name Server
DoS      Denial of Service Attack
HQ       Headquarters
HTTP     Hyper Text Transfer Protocol
HTTPS    Secure Hyper Text Transfer Protocol
ICMP     Internet Control Message Protocol
IM       Instant Message
IP       Internet Protocol
ISP      Internet Service Provider
LAN      Local Area Network
LDAP     Lightweight Directory Access Protocol
MDLAN    Alias of HQ VPN
MTU      Maximum Transmission Unit
NIC      Network Interface Card
OS       Operating System
OSI      Open System Interconnect Reference Model
PACC     Alias of SANGFOR acceleration-only client software for mobile user
PDLAN    Alias of Mobile VPN
POP3     Post Office Protocol 3
RADIUS   Remote Authentication Dial In User Service
SMTP     Simple Message Transfer Protocol
SNAT     Source Network Address Translation
SSL      Secure Sockets Layer
TCP      Transmission Control Protocol
UDP      User Datagram Protocol
UI       User Interface
URL      Uniform Resource Locator
VLAN     Virtual Local Area Network
VPN      Virtual Private Network
WAN      Wide Area Network
WANO     Wide Area Network Optimization
WCCP     Web Cache Communication Protocol