
Array SPX Series

Web User Interface Guide and Help Reference 8.4.6

WebUI Handbook

United States of America:


WARNING: Any modifications made to the Array Networks unit, unless expressly approved by Array Networks, Inc., could void the user's authority to operate the equipment.

Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA. 95035, 1-866-692-7729, declare under our sole responsibility that the product(s) Array Networks, Inc. Array Appliance complies with Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

WARNING: This is a Class "A" digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. In a residential area, operation of this equipment is likely to cause harmful interference, in which case the user may be required to take adequate measures. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

Copyright © 2009/2010 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA. 95035, USA. All rights reserved. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and compilation. No part of this document may be reproduced in any form by any means without prior written authorization of Array Networks, Inc. Documentation is provided "as is" without warranty of any kind, either expressed or implied, including any kind of implied or expressed warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose. Array Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Array Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Array Networks, Inc. The use and purchase of this product does not convey a license to any patent, copyright, or trademark rights, or any other intellectual property rights of Array Networks, Inc.

2009/2010 Array Networks All Rights Reserved

Contents

Contacting Array Networks ..... 7
Web Users Interface Introduction ..... 7
Setting up the SPX ..... 7
Web Users Interface Setup Configuration ..... 8
Browser Basics ..... 10
Accessing the SPX WebUI ..... 10
Understanding the Array Pilot WebUI ..... 11
The Array Top Bar ..... 12
The Array Side Bar ..... 12
The Array Configuration Window ..... 13
Using the SPX WebUI ..... 14
Configuring with the WebUI ..... 15
The Global Home Page ..... 16
Quick Start ..... 17
System Configuration ..... 23
General Settings ..... 23
Basic Networking ..... 24
Interfaces ..... 24
ARP Entries ..... 25
Routing ..... 26
Name Resolution Host ..... 27
DNS ..... 28
WINS ..... 29
Advanced Networking ..... 30
NAT ..... 30
TCP/UDP ..... 31
Port Forwarding ..... 31
Transparent Port Forwarding ..... 32
Multicast IP Forwarding ..... 33
TCP IP ..... 34
SSL ..... 35
DNS ..... 36
DHCP Settings ..... 37
HTTP Compression Settings ..... 38
HTTP Settings ..... 39
Clustering ..... 41
Clustering Environments ..... 42
Active Standby with Stateful Failover ..... 44
Active Active ..... 45
Webwall ..... 47
Global Admin ..... 48
Site Admin ..... 49
Admin Roles ..... 50
Admin Authentication ..... 51
Global Resources ..... 54
Local Databases ..... 54
SecurID Servers ..... 55
SSL Backend ..... 56
Thin Client Support ..... 57
Admin Tools ..... 60
System Management ..... 60
Config Management ..... 63
Synchronization for Peer SPX ..... 67
Monitoring ..... 70
SNMP ..... 74
Monitoring Statistics ..... 76
Troubleshooting ..... 78
Change Password ..... 79
Service Management ..... 80
Network Separation ..... 80
Session Limits ..... 81
Site Access ..... 82
Static VLAN ..... 83
Virtual Sites ..... 84
Creating a Virtual Site ..... 84
Creating the Shared Virtual Site ..... 85
The Shared Virtual Site Home ..... 86
The Shared Virtual Site Home ..... 87
Creating the Aliased Virtual Site ..... 88
The Exclusive Virtual Site ..... 89
Domain Forwarding ..... 90
QuickLink ..... 90
The Virtual Site Navigation ..... 91
Sidebar ..... 92
Home Page ..... 93
Quick Tasks ..... 94
Site Configuration ..... 95
SSL Certificates ..... 95
AAA ..... 97
AAA Authorization ..... 104
Group Mapping ..... 106
AAA Accounting ..... 107
Portal ..... 108
Security Settings ..... 113
Site Configuration ..... 120
Advanced Networking: DNS ..... 120
Advanced Networking: WINS ..... 121
Site2Site ..... 122
Local Users & Groups ..... 129
Local Users ..... 129
Login Authorization ..... 132
Access Methods ..... 136
Web Access ..... 136
QuickLink ..... 137
LinkDirect ..... 138
Web Resource Mapping: Custom Rewrite ..... 140
Web SSH ..... 143
NFS Fileshare ..... 149
Mail Services ..... 150
Thin Client Support ..... 152
TCP Applications ..... 157
L3VPN ..... 162
ATF ..... 168
Access Policies ..... 169
Access Control Lists ..... 169
ACL Resources ..... 170
URL Filtering ..... 174
Admin Tools ..... 177
Session Management ..... 177
Config Management ..... 178
Monitoring ..... 182
Troubleshooting ..... 183
Change Password ..... 184
System Configuration Help ..... 185
General Settings ..... 185
Basic Networking ..... 185
Interface ..... 186
ARP ..... 186
Routing ..... 186
Name Resolution ..... 187
Advanced Networking ..... 187
NAT ..... 188
Port Forwarding ..... 188
Clustering ..... 188
Webwall ..... 189
Administrators Help ..... 190
Global/Site Admin/Admin Roles ..... 190
Admin Authentication ..... 191
Global Resources Help ..... 191
Local Databases ..... 191
SecurID Import ..... 192
NFS Fileshare ..... 192
Thin Client Support ..... 192
Admin Tools Help ..... 193
Access Control ..... 193
Update ..... 193
Shutting Down/Restarting the SPX ..... 193
System License ..... 193
Config Management ..... 194
Synchronization ..... 194
Monitoring ..... 195
Logging ..... 195
SNMP ..... 195
Troubleshooting ..... 196
Change Password ..... 196
Virtual Sites Help ..... 197
Setting Up a Virtual Site ..... 197
Site Configuration Help ..... 198
Site2Site ..... 199
AAA ..... 200
AAA Methods ..... 201
Authentication and Authentication Servers ..... 202
Authorization Servers ..... 203
Accounting ..... 203
Portal Themes ..... 204
Creating Portal Themes ..... 205
Importing the Portal Themes ..... 209
Portal Themes FAQ ..... 210
Security Settings ..... 216
SSL Settings ..... 217
Local Users & Groups Help ..... 218
Login Authorization ..... 219
Access Methods Help ..... 219
Web Access ..... 219
Advanced ..... 221
Server Access ..... 222
URL Policies ..... 223
File Access ..... 224
Mail Services ..... 225
Thin Client Support ..... 225
TCP Application Support ..... 225
L3VPN ..... 227
Access Policies Help ..... 228
ACLs ..... 228
URL Filtering ..... 230
Admin Tools Help ..... 231
Session Management ..... 231
Config Management ..... 231
Monitoring ..... 231
Troubleshooting ..... 231
Change Password ..... 232
Appendix A: Captive Portal Setup ..... 232
Appendix B: QuickLink Deployment ..... 236
Appendix C: Syslog Messages ..... 238
Appendix D: The Array Pilot ..... 239
First Time Boot with DesktopDirect License ..... 239
Switching from Traditional Management Interface to the Array Pilot ..... 240
Switching from Array Pilot to Traditional Management Interface ..... 240
Appendix E: HardwareID Authorization ..... 241

Contacting Array Networks


http://www.arraynetworks.net/ Our web site includes product information, software updates, white papers, and release information.
Telephone: 408-240-8700
Fax: 408-240-8753

Web Users Interface Introduction


The Array Web Users Interface (WebUI) is designed to maximize the functionality and performance of the Array SPX by allowing administrators to configure and control key functions of the SPX. This WebUI Guide covers the functional elements of the graphical interface as well as very basic setup steps. It is one of three documentation resources available to administrators from Array Networks, Inc.; the CLI Handbook and the Application Guides are also available, each with a slightly different approach to configuring the SPX. The CLI Handbook instructs administrators on the more detailed operational aspects of the SPX. The Application Guide is a more in-depth configuration strategy resource for complex SPX deployments. Both of these texts, as well as the current release notes and installation guides, are available on the Documentation CD that accompanied the SPX or from Array Networks directly.

Telephone access to Array Networks, Inc. is available Monday through Friday, 9 to 5 PST.
Address: Array Networks, Inc., 1371 McCarthy Blvd., Milpitas, California 95035

Setting up the SPX


Connect to the SPX via the console, with the terminal software set as follows:
Emulation: VT100
Baud rate: 9600
Data bits: 8
Parity: none (8-N-1)

The default user name is array and the default password is admin.


Web Users Interface Setup Configuration


Via the console connection, perform these steps to access the SPX via the WebUI.

[1] Enter enable mode. The default enable mode password is null (leave it blank and press Enter).
    enable
[2] Enter config mode.
    config terminal
[3] Assign an IP address and netmask to the outside interface. The WebUI will use this address as its default IP address.
    ip address <interface_name> <IP_address> <netmask>
[4] Assign an IP address and netmask to the inside interface.
    ip address <interface_name> <IP_address> <netmask>
[5] Define the default route or gateway IP address and netmask for the inside interface.
    ip route default <gateway_ip>
[6] Set the system clock, either manually or from an NTP server.
    system date <year> <month> <date>
    system time <hour> <minute> <seconds>
  OR
    ntp server <server_IP>
    ntp on
[7] Turn the WebUI on.
    webui on

Example:
AN>enable
AN#config terminal
AN(config)#ip address outside 10.10.0.2 255.255.255.0
AN(config)#ip address inside 192.168.10.1 255.255.255.0
AN(config)#ip route default 10.10.0.1
AN(config)#system date 2007 6 10
AN(config)#system time 14 48 00
AN(config)#webui on
AN(config)#quit
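Because the console procedure above is typed by hand, a mistyped netmask or a gateway that is not on any connected subnet only shows up later as an unreachable WebUI. The following Python script is an added example, not Array Networks' code: it sanity-checks an addressing plan and emits the same ArrayOS command sequence as the example session. The interface names outside and inside follow the handbook's example; the consistency rules (outside and inside subnets must not overlap, the default gateway must lie on a directly connected subnet and must not be the SPX's own address) are assumptions added here, not rules stated by the handbook.

```python
"""Added example (not Array Networks' code): validate the initial addressing
plan for the SPX console setup and generate the ArrayOS command sequence.
The consistency checks below are this example's own assumptions."""
import ipaddress
from typing import List, Optional, Tuple


def parse_interface(address: str, netmask: str) -> ipaddress.IPv4Interface:
    """Combine a dotted address and dotted netmask, e.g. ('10.10.0.2',
    '255.255.255.0'); raises ValueError on a malformed address or mask."""
    return ipaddress.IPv4Interface(f"{address}/{netmask}")


def validate_plan(outside_addr: str, outside_mask: str,
                  inside_addr: str, inside_mask: str,
                  gateway: str) -> List[str]:
    """Return the list of problems found (empty when the plan is consistent)."""
    outside = parse_interface(outside_addr, outside_mask)
    inside = parse_interface(inside_addr, inside_mask)
    gw = ipaddress.IPv4Address(gateway)
    problems: List[str] = []
    # Assumption: the two interfaces must sit on distinct subnets.
    if outside.network.overlaps(inside.network):
        problems.append("outside and inside subnets overlap")
    # An interface address that equals its subnet's network or broadcast
    # address is almost always a typo in the mask.
    for name, iface in (("outside", outside), ("inside", inside)):
        if iface.ip in (iface.network.network_address,
                        iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or "
                            "broadcast address of its subnet")
    # Assumption: the default gateway must be directly reachable.
    if gw not in outside.network and gw not in inside.network:
        problems.append(f"default gateway {gw} is not on a directly "
                        "connected subnet")
    elif gw in (outside.ip, inside.ip):
        problems.append(f"default gateway {gw} is the SPX's own address")
    return problems


def build_initial_config(outside_addr: str, outside_mask: str,
                         inside_addr: str, inside_mask: str, gateway: str,
                         date: Optional[Tuple[int, int, int]] = None,
                         time: Optional[Tuple[int, int, int]] = None,
                         ntp_server: Optional[str] = None) -> List[str]:
    """Return the ArrayOS commands from the console procedure, in order.
    Raises ValueError if the plan fails validation or no clock source is given."""
    problems = validate_plan(outside_addr, outside_mask,
                             inside_addr, inside_mask, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    outside = parse_interface(outside_addr, outside_mask)
    inside = parse_interface(inside_addr, inside_mask)
    cmds = [
        "enable",
        "config terminal",
        f"ip address outside {outside.ip} {outside.netmask}",
        f"ip address inside {inside.ip} {inside.netmask}",
        f"ip route default {ipaddress.IPv4Address(gateway)}",
    ]
    if ntp_server:
        cmds += [f"ntp server {ipaddress.IPv4Address(ntp_server)}", "ntp on"]
    elif date and time:
        y, m, d = date
        hh, mm, ss = time
        cmds += [f"system date {y} {m} {d}", f"system time {hh} {mm} {ss:02d}"]
    else:
        raise ValueError("supply either an NTP server or a date and time")
    cmds += ["webui on", "quit"]
    return cmds


if __name__ == "__main__":
    # Constructed input: the addresses from the handbook's example session.
    for line in build_initial_config("10.10.0.2", "255.255.255.0",
                                     "192.168.10.1", "255.255.255.0",
                                     "10.10.0.1",
                                     date=(2007, 6, 10), time=(14, 48, 0)):
        print(line)
```

Run it with the handbook's example addresses and it reproduces the nine commands of the example session; feed it a gateway on a foreign subnet or two interfaces on the same subnet and it refuses to emit anything, which is the point: catch the plan error before the console session, not after the WebUI fails to answer.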


Array SPX Interface Naming Convention


SPX Model            Numbered Interface   Interface Name   SNMP Trap Reference
2000, 2000i, 3000    1                    Outside          em0
                     2                    Inside           em1
5000                 1                    Outside          em0
                     2                    Inside           em1
                     3                    DMZ              em2
                     4                    ENG              em3
2800, 4800           1                    Outside          em0
                     2                    Inside           em1
                     3                    DMZ              em2
                     4                    ENG              em3
5800, 6800           1                    Outside          em0
                     2                    Inside           em1
                     3                    DMZ              em2
                     4                    ENG              em3
                     1F                   DMZ              em2
                     2F                   ENG              em3
                     1T                   DMZ              ix0
                     2T                   ENG              ix1


Browser Basics
The Array SPX WebUI supports the following browsers:
IE (version 6.0 or later)
Netscape (version 7.0 or later)
Firefox (version 1.5)
Browser resolution should be set to 1024x768 or higher.

Accessing the SPX WebUI


To access the SPX, enter the configured WebUI IP address into the browser. Note that this is a secure connection and should therefore be entered as an HTTPS address. Example: https://10.10.0.2:8888 If the SPX is correctly configured and the WebUI is turned on (see previous page), you will be prompted for the user name [a] and password [b]. If these are still the default settings, the user name is array and the password is admin. Click OK when finished. Once these are entered correctly, the SPX will prompt [c] you for an Enable level password. The default password is null (blank). After entering the enable password, you will be taken to the Array Pilot SPX WebUI. Click Login when finished.


Understanding the Array Pilot WebUI


The Array Pilot turns an ordinary browser window into an extraordinary configuration and management tool for the SPX. Illustration [1] represents the Array Pilot as it might look in a standard browser. Illustration [2] separates and labels the Array Pilot's three active portions of the interface: top bar [a], sidebar [b] and configuration window [c].


The Array Top Bar


The top bar displays basic static information such as the user's name [a] and SPX name/ID [b], and two basic hyperlinks: Help [c] and Logout [d].

The Array Side Bar


The Array Pilot Sidebar serves as the principal navigational tool for the web interface. With this sidebar, administrators will be able to switch between global and virtual sites for configuration management as well as general setup. Administrators switch between enable and configure modes via the radio buttons [e]. Administrators may move from one virtual site to another with the selector [f]. Features are presented in groups [g], depending on site and user specifics as well as licensed features. To configure a specific feature, click on the link [h] for the corresponding feature. A white strip [i] will indicate your location within each feature group.


The Array Configuration Window


Though individual features will have slightly differing elements for specific configuration windows and tasks, these basic elements remain universal for the WebUI. There are foreground tabs [a] and background tabs [b] for configuration navigation. Current tabs [a] will be displayed with white backgrounds. During configuration you may go through multiple pages under a given tab; to return to the top level, click on the tab [a] again for the desired feature or function. Some configuration pages may have action links [c] for adding, deleting, saving, cancelling or otherwise applying key configuration data; the text of the link describes the action to be taken. Most configured information will be entered through labeled data entry fields [d] or assigned via radio buttons [e]. You will find active tables [f] with sort options [g] available for displaying critical information.


Using the SPX WebUI


When you log in to the WebUI, note that you are in enable mode [a] and that the configuration target [b] is set to Base System, referring to the physical SPX as opposed to a virtual site. Once virtual sites are created, they will be accessible via this selector [b]. Also note that the default username array and the default SPX hostname AN are displayed [c] within the top bar. Finally, notice that the feature link Home [d] is right justified and framed with a white bar. Whenever a feature link like Home [d] is selected, all related features in the feature group [e] become right justified, with the selected feature singled out by the white bar, and the previously selected feature link [d] returns to the left side of the sidebar. Note the changes to the sidebar once the feature link General Settings [f] is selected.


Configuring with the WebUI


The SPX offers two levels, or modes, for global configuration and access to the ArrayOS. The first level is Enable Mode; users in this mode have access to a majority of view-only operations. The second level is Config Mode; at this level the user can make changes to any part of the SPX configuration. No two users may access config mode at the same time. To switch from enable to config mode, simply click on the radio button [a]. Once in config mode, all data fields will be available for configuration [b] for all licensed features. When changes are made to the existing configuration, Reset and Save Changes buttons [c] will appear within the configuration window.


The Global Home Page


When you log in to the WebUI the SPX will display a general status Home Page. This home page will vary based on model and licensed features. The home page will have tabs [a] to switch between the Global Home and Quick Tasks. The Global Home will present several pieces of useful information, including current system settings [b], a list of licensed features [c], current user manuals [d], feature status (enabled/disabled) [e], general network configuration data [f] and live network statistical graphs displaying the current CPU utilization and system memory utilization [g].


Quick Start
The first time you log into the SPX via the WebUI, the Global home page will have an additional action link, Begin Quick Start Wizard [a]. The Quick Start Wizard is designed to lead you through five (5) short steps to get the basic configuration process up and running. Along the way the wizard will also give you the opportunity to test and apply the configuration. To complete these quick start steps you will need some generic networking information available for quick reference, including:
Inside Interface IP and Netmask
Outside Interface IP and Netmask
Default Route
DNS Server IP and Search Domain (if applicable)
WINS Server IP (if applicable)
WINS Broadcast Subnet IP and Netmask (if applicable)
Virtual Site Host Name
Virtual Site IP and Port
At least one User and Password
At least one destination Web Link (e.g. google.com)
Each of the above settings may be changed later if necessary.

Click on the action link Begin Quick Start Wizard [a]. The configuration window will display the first page of the wizard. On this page you will see general outlines [b] [c] [d] of the steps to follow as well as two buttons toward the bottom of the window [e]. Click the Next button [e] to continue.


Step 1
Set a given name to identify or differentiate this specific SPX [a]. A name may be entered as a single set of continuous alphanumeric characters up to 64 characters in length. To reach this wizard you will have already entered the Outside Interface IP and Netmask [b]; it is not recommended that you change this setting at this time. You may also have already configured the Inside Interface IP and Netmask; if not, do so now by entering the values in the respective text fields [c]. The Default Route should already have been configured [d]. Proceed by clicking on the Next button [e].

Step 2
Supply the DNS Server IP and Search Domain (if applicable) in the respective fields [f] (the search domain is the search path used to resolve non-qualified host names). Supply the WINS Server IP (if applicable) [g]. You may also supply the WINS Broadcast IP and Subnet Netmask [h] (if applicable). Click on the Next button [i] to continue.

Step 3
A virtual site provides a single interface for external users to access internal content. Each virtual site is associated with a domain name and listens on a specified virtual IP address (VIP) and port. Establish a Virtual Site by supplying the Virtual Site Host Name (fully qualified domain name) [a]. Supply the Virtual Site IP (VIP) and Port [b]. Proceed by clicking on the Next button [c].

Testing the Virtual Site
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link. By clicking this link your browser will present the portal login page (just as you navigated through to get to this WebUI). You may close the new window. Click on the Next button [d] to continue.

Step 4
You will now be asked to create a User Account complete with access password [a]. This user account may be deleted later if you are simply creating an account for testing purposes. Assign users to the database (the number of users is product and license specific). The user name and password are case sensitive. Proceed by clicking on the Next button [b].

Testing the Virtual Site with New User
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link [c]. By clicking this link your browser will present the portal login page (just as you navigated through to get to this WebUI). Now enter the new user's name and password to gain access to the default portal. You may close the new window once the login has completed. Click on the Next button [d] to continue.

Step 5
You will now be asked to set up a web link as a content link for your portal page. To complete this task, use the selector [a] to set the URL protocol to either HTTP or HTTPS. Next enter the domain name for the URL in text field [b]. You may also add a description for the entered URL within the Link Description text field [c]. Proceed by clicking on the Next button [d].

Testing the Virtual Site with New User and Web Access Link
After setting up the first Virtual Site, the wizard will allow you to test its availability by presenting a direct link [e]. By clicking this link your browser will present the portal login page (just as you navigated through to get to this WebUI). Now enter the new user's name and password to gain access to the default portal. On the default portal page you should see the newly created Web Link. You may close the new window once the login has completed. Click on the Next button [f] to continue.

Finish
You have reached the final procedure of the Quick Start Wizard. Take a moment to verify the Virtual Host Name and IP [a]. Click the Finish button to complete the process [b].

After clicking on Finish the SPX will return you to the Global Home Page for you to continue configuring specific features for your network needs.


System Configuration
General Settings
Make certain that you are in Config Mode and have clicked on the feature link General Settings. Enter the Host Name for the SPX in the field provided [a]. Don't forget to click on the Save button when it appears. Click on the Date/Time tab [b]. Enter the date and time as desired [c]. The SPX has the default time zone set to GMT. To change this zone, un-select the time zone box [d]. The time zone check box will be replaced with three pull-down menus [e] to configure the proper zone. Don't forget to click on the Save button when it appears.


Basic Networking
Interfaces
Make certain that you are in Config Mode and have clicked on the feature link Basic Networking. The configuration window will default to the Interface > Outside configuration screen. Configure interfaces and IP addresses for each interface. Select the desired interface [a] (including DMZ or ENG if applicable). Set the MTU and port speed [b]. Choose whether this interface is Non-VLAN or VLAN [c]. Set the static IP and netmask [d] in dotted format. If you wish to add an MNET entry, click [e]. Remember to click Save Changes. If you select VLAN [c], then configuration button [e] will change from MNET to VLAN. To add either an MNET or VLAN entry, click on button [e]. A new page will appear for you to configure MNET/VLAN names, IP and netmask [f]. Once the configuration is completed, click the desired action link [g]. The newly configured interface mode will appear in the table seen on the first interface page [i]. Repeat the configuration steps for the inside, DMZ or ENG interfaces. You may view the current setup by clicking on the Summary sub-tab [j].


Basic Networking ARP Entries


Extreme care should be taken when altering the ARP table. When the SPX is configured with L3VPN the clearing of the ARP table via the SPX may cause L3VPN to fail. Administrators are required to reboot or reconfigure the L3VPN functionality to reinitialize the L3VPN to a working state. Administrators should not clear ARP entries for IP addresses that are already assigned to established tunnels.

Click on the ARP Table tab and the main window will display the ARP table. The displayed ARP table contains sort-ready columns [b]. To add an ARP table entry, click on the Add ARP Entry link [a]. A new configuration window will appear. Enter the appropriate IP and hardware addresses in the fields [c]. Click on the desired action link [d]. To remove an ARP entry, select the desired entry from the displayed list [e] and click on the Delete ARP Entry action link [f]. Click OK to complete the deletion.


Basic Networking Routing


1. Make certain you are in Config Mode and have selected the Routing tab. Verify and, if necessary, change the default route [a].
2. To add a global static route, click the action link [b]; the configuration window presents the fields for the route. Supply the destination IP, netmask and gateway IP in the fields provided [c], then click the desired action link [d] to continue.
3. Configured routes are displayed in a sort-ready table [e] on the routing configuration page. To remove a global static route, select its destination from the displayed list and click the Delete Global Static Route action link [f]. Click OK to complete the deletion.


Basic Networking Name Resolution Host


1. Make certain you are in Config Mode and have selected the Name Resolution Host tab. To add a new host, click the action link Add Network Host [a].
2. In the configuration window, supply the host name and the host IP address in the text fields [b]. Once completed, click the desired action link [c].
3. All added hosts are displayed in a sort-enabled table [d] for editing. To delete a host, select the host name in the table [d] and click the desired action link [e]. Click OK to complete the deletion.


Basic Networking DNS


1. Make certain you are in Config Mode and have selected the DNS tab. This configuration window is divided into three sections: DNS IP Addresses, DNS Search Paths and DNS Cache.
2. From this page you may edit or assign DNS IP addresses by clicking the action links [a] (go to step 4), add or edit DNS search paths by clicking the action link [b] (go to step 3), disable the DNS cache or alter the DNS cache settings with the checkbox and text fields [c], or simply clear the DNS cache by clicking the action link [d]. Remember to click the Save Changes button after changing the DNS Cache settings.
3. Enter the search path [e] and click the desired action link [f].
4. Enter the DNS IP address in dotted format [g] and click the desired action link [h].


Basic Networking WINS


1. Make certain you are in Config Mode and have selected the WINS tab. This configuration window is divided into three sections: WINS IP Addresses, WINS Broadcast Address and WINS Cache.
2. From this page you may edit or assign WINS IP addresses by clicking the action links [a] (go to step 3), add or edit WINS broadcast addresses by clicking the action link [b] (go to step 4), disable the WINS cache or alter the WINS cache settings with the checkbox and text fields [c], or simply clear the WINS cache by clicking the action link [d]. Remember to click the Save Changes button after changing the WINS Cache settings.
3. Enter the WINS IP address in dotted format [e] and click the desired action link [f].
4. Enter the WINS broadcast address [g] and netmask [h]. Complete the configuration by clicking the desired action link [i].


Advanced Networking
NAT
NAT translates the addresses behind the SPX into one IP address for the Internet and vice versa. NAT also keeps individual IP addresses hidden from the outside world.
1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the NAT tab (the NAT page is the default page when you click Advanced Networking). The configuration window displays a sort-enabled table of previously configured NAT entries, if any.
2. To create a NAT entry, click the Add NAT Entry action link [a].
3. In the text fields presented [b], supply the virtual IP address, the network IP and the netmask. The optional timeout is entered in seconds. Choose the appropriate action link [c].


Advanced Networking TCP/UDP Port Forwarding


Port Forwarding allows the SPX to transparently forward traffic destined for one IP and port to another IP and port on the network. To take full advantage of port forwarding, all related network servers should use the SPX as their gateway route.
1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the Port Forwarding tab (the NAT page is the default page when you click Advanced Networking). Also make certain that the sub-tab is set to TCP/UDP. The configuration window displays two sort-enabled tables of previously configured TCP and UDP port forwarding schemes.
2. To set up port forwarding, click the desired action link for TCP [a] or UDP [b]. To delete a scheme, select it in the sort-ready table and click Delete [a]/[b] respectively.
3. The configuration window presents text fields [c]: supply the local IP address and port, the remote IP and port, and the timeout length (the fields are the same for UDP and TCP; TCP is pictured here). The optional timeout length is entered in seconds. Choose the appropriate action link [d].


Advanced Networking Transparent Port Forwarding


You may set the SPX for transparent (default) or non-transparent port forwarding.
1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the Port Forwarding tab (the NAT page is the default page when you click Advanced Networking). Also make certain that the sub-tab is set to Mode.
2. The configuration window displays two radio buttons for this setting. Select the desired mode [a]. Remember that this affects both TCP/UDP and SSL Port Forwarding.
3. Remember to click the Save Changes button after changing the setting.


Advanced Networking Multicast IP Forwarding


This feature adds a multicast IP address to the specified interface. The interface may be inside, outside, eng or dmz. The configured IP may be any address between 224.0.0.0 and 239.255.255.255. Up to 100 multicast IP addresses may be added on the SPX globally. Only the added multicast IP addresses are forwarded: from the internal network to remote L3 clients, from remote L3 clients to other remote L3 clients, and from remote L3 clients to internal networks. This configuration is global to all virtual sites and netpools. Each netpool can turn multicast traffic on or off with the command below.

1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the Multicast IP Forwarding tab. Existing multicast settings are displayed in the table [a]. To add a new multicast entry, click the add link [b].
2. Supply the desired IP address and interface setting [c]. Complete the setup by clicking the desired action link [d].


Advanced Networking TCP IP


To tune specific system-related TCP/IP settings, select the TCP/IP tab. On this page you may set the following:
TCP Idle Timeout: the maximum time, in seconds, before an idle TCP connection is terminated.
TCP Retransmit Timeout: the timeout period for retransmissions. The default setting is 1000 ms. It is recommended that default settings not be changed without contacting Array Support.
Duplicate Acks to Start Fast TCP Retransmission: the number of duplicate ACKs that triggers TCP fast retransmission. The default setting is 3. It is recommended that default settings not be changed without contacting Array Support.
TCP Retransmit Policy: the administrator may change the default algorithm for starting TCP fast retransmission from newreno to adaptive. It is recommended that default settings not be changed without contacting Array Support.
Enable Slow Start TCP: the default status is ON. It is recommended that default settings not be changed without contacting Array Support.


Advanced Networking SSL


To tune specific system-related SSL settings, select the SSL tab. On this page you may set the following:
The first option causes the SPX to ignore the absence of an SSL "close notify" message when a client does not correctly terminate an SSL connection. When this option is disabled, the SPX requires the "close notify" message in all cases. This option is provided to make the SPX more compatible with certain web browsers and servers.
The second option enables or disables verification of the server's SSL certificate when SSL is used on the server connection. Verification of the server's certificate is required in order to properly authenticate the identity of the server. Certificate verification is enabled by default. Users are discouraged from disabling certificate verification for security reasons.
Note: It is highly recommended that these settings remain in their default states.
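What the second option actually changes, shown on a standard TLS client context. This is an added example in Python and is not Array Networks' code; the SPX's own implementation is not on this page, and a general-purpose client context stands in for it. The function names and the `ca_file` parameter are this example's own.

```python
import ssl
from typing import Optional


def backend_tls_context(verify_server_cert: bool = True,
                        ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the client-side TLS context a proxy would use toward a backend.

    verify_server_cert=True is the hardened (and default) state: the backend's
    certificate chain is validated against ca_file (or the system trust store
    when ca_file is None) and the certificate's name is checked against the
    host being connected to.
    verify_server_cert=False reproduces the discouraged state: any certificate
    is accepted, so an on-path attacker can present its own certificate and
    read or alter the traffic between proxy and backend.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_server_cert:
        # Order matters: Python refuses CERT_NONE while check_hostname is still on,
        # so disabling verification takes two deliberate steps, not one.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_state(ctx: ssl.SSLContext) -> dict:
    """Report whether a context actually verifies the peer (useful when auditing configs)."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
    }


def audit_contexts() -> dict:
    """Compare the default and the verification-off context side by side."""
    return {
        "default": verification_state(backend_tls_context()),
        "verification_off": verification_state(backend_tls_context(verify_server_cert=False)),
    }


if __name__ == "__main__":
    for name, state in audit_contexts().items():
        print(f"{name}: {state}")
```

A practical check for the hardened state is that both fields in `verification_state` are true; if a backend's certificate is signed by an internal CA, the fix is to supply that CA through `ca_file`, not to turn verification off.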


Advanced Networking DNS


To set specific DNS server settings, select the DNS tab.
1. The configuration window shows a sort-ready table displaying any previously configured DNS servers [a]. To add a server, click the Add action link [b]. To delete a server, select it in table [a] and click the Delete action link [b] when present.
2. Select the desired DNS server from the selector [c]. Click the action link [d] to continue.


Advanced Networking DHCP Settings


You may set the general DHCP connection parameters, including default domains, connection lease times and the interfaces the service listens on.
1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the DHCP tab. Enable the local DHCP feature with checkbox [a]. Set the connection lease time with the text fields and selectors [b]. Supply the default domain name in field [c]. Supply up to three default name servers [d]. Furnish the default router IP address [e].
2. The lower portion of the configuration window displays a sort-ready table of previously configured interfaces to listen on [f]. To add a specific interface, click the action link [g]. To delete an interface, select it in the table and click the Delete action link [g]. To edit an entry, double-click the table entry to display the editable fields for the interface.
3. Configure the basic interface specifics, including name, IP range and enabling the feature, via the fields, selector and checkbox [h]. Supply the domain name and IP name servers (up to three) along with the router IP [i]. Complete by selecting the desired action link [j].


Advanced Networking HTTP Compression Settings


The SPX supports in-line compression of HTTP objects. By deploying this licensed feature, you may maximize throughput to sites while end users experience faster downloads. By default the Array SPX compresses the following MIME types for all browsers: Text (text/plain), HTML (text/HTML), XML (text/XML) and DOC (application/MSWord). You may configure additional file types: JavaScript (application/x-javascript), Cascading Style Sheets (text/css, application/x-pointplus) and PDF (application/PDF) documents.
1. Make certain you have selected Advanced Networking from the sidebar, are in Config Mode and have selected the HTTP tab. The landing page for this feature is the Data Compression sub-tab. To enable compression, select checkbox [a]. You may view the current running statistics for compression by selecting action link [b].
2. The table [c] displays the configured MIME Type Policies. The following user agents are configured for compression: MSIE 5.5 css, MSIE 5.5 js, MSIE 6.0 css, MSIE 6.0 js, Netscape 6.0 css, Netscape 6.0 js, Netscape 7.0 css, Netscape 7.0 js. To activate these agents, click the Add Recommended Defaults link [d]. You may further customize this feature by adding or deleting agents via the action links [d].


Advanced Networking HTTP Settings


A group of features controls how the SPX processes special HTTP traffic and requests/responses. Select the TCP/IP tab. On this page you may set the following:
Buffer: instructs the SPX to buffer and rewrite HTTP responses that lack a valid end-of-response indication. If you encounter a buggy HTTP server that does not send a valid end of response, switching off this feature allows the client application to work as it would without the SPX. This feature is active by default. Please contact customer service personnel before switching it off.
Mask Server: hides the identity of the backend server from the client.
Mask Via: prevents the client web browser from learning that responses were proxied through the SPX.
Connection Reuse: does not forcefully terminate connections to the backend after one response. If off, the SPX forcefully terminates connections with a TCP reset. Default is on. Only turn this function off if "http server persist off" does not work because the backend server does not honor HTTP Connection headers.


Persistence: use persistent connections (HTTP/1.1) to the backend. Default is on.
TCP Reset: the SPX immediately sends a TCP reset for non-persistent connections (HTTP/1.0) from the backend after receiving the complete response. If this is disabled, the SPX waits for a TCP FIN. Default is off.
X-Forwarded-For: enabling this option causes the SPX to insert an "X-Forwarded-For" header into every request it sends to the backend servers. You must also configure the X-Forwarded-For rule by selecting the X-Forwarded-For sub-tab, selecting a configured virtual portal and then setting up the rule.
Single Sign On: when single sign-on is enabled, the SPX automatically negotiates Basic or NTLM authentication with the backend server for most requests. However, for very large requests exceeding a threshold size, you will need to authenticate with the backend server manually. The "system tune sso" command sets this threshold to <max_size> (note that <max_size> is specified in MB); by default the threshold is 10 MB. It is recommended that default settings not be changed without contacting Array Support. The default status is ON.
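The backend side of the X-Forwarded-For option: once the SPX inserts the header, a backend that logs or authorizes by client address must only trust the header when the request really arrived through the proxy, because a client can send its own X-Forwarded-For before the proxy appends to it. The following is an added example in Python, not Array Networks' code or the SPX's own logic; the trusted proxy network, the sample addresses and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for this example: networks from which the backend accepts
# X-Forwarded-For, i.e. the proxy's inside-facing addresses.
TRUSTED_PROXIES = [ip_network("10.10.0.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Resolve the originating client address for one request.

    The header is honoured only when the TCP peer is a trusted proxy. A proxy
    appends the address it saw at the right end of the chain, so the chain is
    walked from the right: trusted proxy hops are skipped and the first
    untrusted address is the client. A client that ships its own header
    therefore cannot choose the address the backend records.
    """
    if not is_trusted_proxy(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the connection address
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return peer_addr  # every hop was a trusted proxy; nothing better to report


# Constructed requests as a backend would see them: (TCP peer, header value).
SAMPLE_REQUESTS = {
    "via_proxy": ("10.10.0.2", "198.51.100.7"),
    "spoof_attempt": ("10.10.0.2", "203.0.113.99, 198.51.100.7"),
    "bypassed_proxy": ("192.0.2.9", "198.51.100.7"),
    "malformed": ("10.10.0.2", "not-an-ip"),
}


def resolve_samples() -> dict:
    """Client address the backend should record for each constructed request."""
    return {name: client_ip(peer, xff) for name, (peer, xff) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, addr in resolve_samples().items():
        print(f"{name:15s} -> {addr}")
```

The "spoof_attempt" case is the one that matters: the client pre-filled the header with 203.0.113.99, the proxy appended the real 198.51.100.7, and walking from the right picks the appended value. Reading the leftmost entry, which many examples do, would record the attacker-chosen address.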


Clustering
The SPX Clustering Technology allows you to maintain high availability with local sites. Virtual clustering provides high availability to SSL VIPs on the outside interface and to redundant gateways via the inside interface.
1. Make certain you have selected Clustering from the sidebar and are in Config Mode.
2. Select the action link Add Virtual Cluster [a]. The configuration window presents a new screen.
3. Give the virtual cluster an ID (1-255) [b]. Now assign the cluster to an interface via the selector [c]. Finish the creation of the virtual cluster by clicking the action link [d].
4. Once you've added a virtual cluster, it is displayed in the sort-ready table. Select the virtual cluster in the table and double-click [e]. The configuration window presents a new series of tabs for completing the clustering configuration.
5. You may select from the created virtual clusters using the selector [g]. Tabs [h] navigate through the configuration steps for Clustering. Use the check boxes [i] to enable the individual cluster and/or enable preemption. Use text field [j] to adjust the advertisement interval (in seconds). Use the radio buttons [k] to require the use of an authentication code. Remember to click the Save Changes button after changing the settings.


6. Make certain you have selected the Virtual IP (VIP) tab [l]. Previously configured VIPs are displayed in the sort-ready table. Select the action link Add VIP Entry [m]. The configuration window presents a new screen. Supply the VIP in dotted IP format in text field [o]. Next, click the desired action link [p]. To set PRIORITY XXX X X X X X X X.
7. Click the Back to top menu link [s] to return to the original Clustering page. Once you've added a virtual cluster, it is displayed in the sort-ready table [t]. Use either of the two buttons [u] to enable or disable all clusters at once.


Clustering Environments
Clustering environments allow administrators to set the manner in which clustering operates within the network deployment. There are three standard modes for clustering: Active Standby without Stateful Failover (default), Active Standby with Stateful Failover, and Active Active.
1. Select the Clustering Environment tab. The SPX displays a table of all currently configured SPX peers.
2. By default the clustering environment is Active Standby without Stateful Failover. In Active-Standby mode, one SPX in the cluster is the Master of the VIP and is designated as active. The other SPX in the cluster is in standby mode. If the active SPX fails, the second SPX takes over the VIP and is designated the Master. Any changes to this configuration need to be made on the virtual cluster page as described earlier [a]. Use the mode selector to change the environment between Active Standby without Stateful Failover, Active Standby with Stateful Failover and Active Active.


Active Standby with Stateful Failover


In Active-Standby mode, one SPX in the cluster is the Master of the VIP and is designated as active. The other SPX in the cluster is in standby mode, yet the standby SPX monitors and tracks all session-related data by constantly synchronizing itself with the Master. If the Master SPX fails, the second SPX takes over the VIP and is designated the Master, keeping all active sessions alive, including most session-related tasks.
1. Select Active-Standby (w/SSF) from the mode selector. The first step is to define the virtual cluster's domain. Administrators name the cluster (up to 32 characters), supply a secret key (up to 20 characters) used for encryption between peers within the cluster, and supply an IP, netmask and port on which the peers share session-related data [a]. The default port is 443. When this feature is in use, administrators are not required to use any other synchronization features to bring the peers into proper synchronization. This command must be executed on each SPX peer.
2. Click Save Changes when complete [b].


Active Active
Active-Active clustering enables high throughput by hosting identical virtual services, each with a different private IP address, on the individual peers of a cluster, represented collectively by a single VIP for public service. It is this virtual site (along with the configured port) that receives the requests and in turn dispatches each request to the internal virtual services hosted on local or remote clusters. Administrators may establish as many active-active groups of peers as permitted by the licensed number of virtual sites.
1. Select Active-Active from the mode selector. The first step is to define the virtual cluster's domain. Administrators name the cluster (up to 32 characters), supply a secret key (up to 20 characters) used for encryption between peers within the cluster, and supply an IP, netmask and port on which the peers share session-related data [a]. The default port is 443. When this feature is in use, administrators are not required to use any other synchronization features to bring the peers into proper synchronization. This command must be executed on each SPX peer.
2. Click Save Changes when complete [b]. Configuration information for each configured peer is displayed in the table [c]. The configured virtual cluster domain information is displayed at the bottom of the configuration window [d]. To add additional clustered IP groups to the active-active cluster, click the action link [e].


3. From the selector [e] select the desired local virtual site. Now select the dispatcher IP, set the port and assign the dispatcher policy (persistent IP or round-robin) [f]. The synchronized peer SPXs with their IPs should be listed [g]; assign a unique IP to another peer in the cluster in the last field. Click action link [h] to complete the setup.
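The two dispatcher policies named above, and what happens to persistent clients when a peer drops out, as an added example in Python. This is not Array Networks' code: the handbook only names the policies, so the hash used for persistent-IP selection, the class and function names and the private service IPs are all this example's own assumptions.

```python
import hashlib
from typing import List, Tuple


class ActiveActiveDispatcher:
    """Map requests arriving at the shared public VIP to one peer's private service IP."""

    POLICIES = ("round-robin", "persistent-ip")

    def __init__(self, service_ips: List[str], policy: str = "round-robin"):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown dispatcher policy {policy!r}")
        if not service_ips:
            raise ValueError("at least one service IP is required")
        self.service_ips = list(service_ips)
        self.policy = policy
        self._next = 0

    def select(self, client_ip: str) -> str:
        if self.policy == "round-robin":
            # Rotate through the live peers in order, independent of the client.
            choice = self.service_ips[self._next % len(self.service_ips)]
            self._next += 1
            return choice
        # persistent-ip: the same client always lands on the same peer while the
        # peer set is unchanged. A SHA-256 of the client address is an assumption
        # of this example; the handbook does not state how the SPX derives it.
        digest = hashlib.sha256(client_ip.encode("ascii")).digest()
        return self.service_ips[int.from_bytes(digest[:4], "big") % len(self.service_ips)]

    def mark_down(self, service_ip: str) -> None:
        """Remove a failed peer; clients pinned to it are re-hashed onto the rest."""
        self.service_ips = [ip for ip in self.service_ips if ip != service_ip]
        if not self.service_ips:
            raise RuntimeError("no peers left to dispatch to")


# Constructed private service IPs for three peers (example values).
SAMPLE_SERVICE_IPS = ["10.20.0.11", "10.20.0.12", "10.20.0.13"]


def dispatch_sequence(policy: str, client_ips: List[str]) -> List[str]:
    """Peer chosen for each request in turn under the given policy."""
    dispatcher = ActiveActiveDispatcher(SAMPLE_SERVICE_IPS, policy)
    return [dispatcher.select(ip) for ip in client_ips]


def failover_demo(client_ip: str) -> Tuple[str, str]:
    """Persistent-IP choice for one client before and after its peer is marked down."""
    dispatcher = ActiveActiveDispatcher(SAMPLE_SERVICE_IPS, "persistent-ip")
    before = dispatcher.select(client_ip)
    dispatcher.mark_down(before)
    return before, dispatcher.select(client_ip)


if __name__ == "__main__":
    print(dispatch_sequence("round-robin", ["198.51.100.7"] * 4))
    print(dispatch_sequence("persistent-ip", ["198.51.100.7", "198.51.100.8"] * 2))
    print(failover_demo("198.51.100.7"))
```

Round-robin spreads load evenly but sends one client's consecutive requests to different peers, which is why the stateful synchronization configured in step 1 matters; persistent IP keeps a client on one peer and only moves it when that peer is gone.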


Webwall
The SPX allows you to create permit/deny rules to filter packets passing through the network infrastructure. The Webwall supports the filtering of TCP, UDP and ICMP packets. Access lists define the permit and deny rules and apply them to access groups. Once the ACLs are configured, administrators may apply or bind the group to an interface within the network.
1. Make certain you have selected Webwall from the sidebar and are in Config Mode.
2. Select the action link Add Access Group Entry [a]. The configuration window presents a new screen.
3. Assign the access group an ID (1-1000) [b] and assign this group to an interface [c]. Complete this portion by selecting the desired action link [d].
4. After creating access groups, click the action link Add Access List Entry [f] to set permit/deny rules for the access groups. The configuration window changes.
5. Supply the access group ID [g], permission setting [h], protocol (ICMP, TCP, UDP or GRE) [i], source IP with netmask and source port [j], destination IP with netmask and destination port [k] and ICMP Type [l]. Complete this portion by selecting the desired action link [m].
6. Configured access groups are displayed in the sort-ready table and may be enabled on a per-interface basis [e].
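How the fields entered in steps 3 to 6 combine into a decision for one packet, as an added example in Python. It is not Array Networks' code and does not claim to reproduce the Webwall's matching engine: first-match evaluation order, an implicit deny for traffic no rule matches, and "open" behaviour on an interface with no bound group are assumptions of this example, and the rules, addresses and names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    """One access-list entry, with the fields the handbook names."""
    group_id: int                    # access group ID (1-1000)
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp", "udp" or "gre"
    src: str                         # source network in CIDR form
    dst: str                         # destination network in CIDR form
    src_port: Optional[int] = None   # None = any port
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None  # only consulted for ICMP


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """Every specified field must agree; unspecified fields match anything."""
    if rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.dst, strict=False):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(group_id: int, rules: List[AclRule], pkt: Packet) -> str:
    """First matching rule of the group decides (assumed order); otherwise deny (assumed)."""
    for rule in rules:
        if rule.group_id == group_id and rule_matches(rule, pkt):
            return rule.action
    return "deny"


def filter_on_interface(iface: str, pkt: Packet,
                        bindings: Dict[str, int], rules: List[AclRule]) -> str:
    """Apply the access group bound to an interface; an unbound interface is left open (assumed)."""
    if iface not in bindings:
        return "permit"
    return evaluate(bindings[iface], rules, pkt)


# Constructed policy: group 10, bound to the outside interface, protects one
# published address 203.0.113.10 (example values, not from the handbook).
SAMPLE_RULES = [
    AclRule(10, "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", dst_port=443),
    AclRule(10, "permit", "icmp", "198.51.100.0/24", "203.0.113.10/32", icmp_type=8),
    AclRule(10, "deny", "tcp", "0.0.0.0/0", "203.0.113.10/32", dst_port=22),
]
SAMPLE_BINDINGS = {"outside": 10}


def check(iface: str, pkt: Packet) -> str:
    """Decision for one packet on one interface under the constructed policy."""
    return filter_on_interface(iface, pkt, SAMPLE_BINDINGS, SAMPLE_RULES)


if __name__ == "__main__":
    print(check("outside", Packet("tcp", "198.51.100.5", "203.0.113.10", 51000, 443)))
    print(check("outside", Packet("udp", "198.51.100.5", "203.0.113.10", 5000, 53)))
```

Because anything unmatched falls to deny here, the explicit deny for port 22 is redundant; it is kept to show that an explicit entry is what you would use to make a block visible in the table rather than relying on the default.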


Administrators Global Admin


1. To set up a global administrator, make certain that you are in Config Mode and have clicked the feature link Global Admin. The configuration window displays all current administrators in a sort-ready table. To add an administrator, click the action link [a]. To delete an admin, skip to step 3.
2. Enter the administrator's User Name [b] and password [c] in the fields provided. Set the administrator's access level to Config or Enable [d]. The default behavior allows the administrator Full Read Access [e]; to configure the SPX for Role Based access, click the radio button [f] to be presented with a list of preconfigured roles. Select the desired roles from the list [g] (for more information, see Configuring Roles). Once the admin data is set, click the desired action link [h].
3. All configured administrators are displayed in a sort-ready table. To delete an entry, select the entry [i] and click action link [j].


Administrators Site Admin


1. To set up a site administrator, make certain that you are in Config Mode and have clicked the feature link Site Admin from the sidebar. The configuration window displays all current administrators in a sort-ready table. To add an administrator, click the action link [a]. To delete an admin, skip to step 3.
2. Enter the site administrator's User Name [b] and password [c] in the fields provided. Now assign the administrator to the desired virtual site (to set up virtual sites, please refer to VIRTUAL SITES). Set the site administrator's access level to Config or Enable [e]. The default behavior allows the administrator Full Read Access [f]; to configure the SPX for Role Based access, click the radio button [f] to be presented with a list of preconfigured roles. Select the desired roles from the list [g] (for more information, see Configuring Roles). Once the admin data is set, click the desired action link [h].
3. All configured administrators are displayed in a sort-ready table. To delete an entry, select the entry [j] and click action link [k].


Administrators Admin Roles


The SPX supports Administrator Roles for network management by grouping features and then assigning them to a specific administrator. Multiple administrators may be configured for global or virtual sites. For example, an administrator may assign File Share configuration updates and management (a Config Mode operation) to one individual for a specific virtual site, while limiting that individual from other Config Mode operations such as Webwall.
1. To create Roles for administrators, make certain that you are in Config Mode and have clicked the feature link Admin Roles from the sidebar. The configuration window displays all configured Roles in a sort-ready table. To add another Role, click the action link [a]. To delete a Role, skip to step 3.
2. The configuration window presents a list of features from which to create the Role. First, supply a name for the Role in the field given [b] and select whether this is to be a global or site role [c]. Now, from the list of features [d], decide which features to grant read and/or write access for. Complete the setup by choosing from the action links [e].
3. All configured Roles are displayed in a sort-ready table. To delete an entry, select the entry [f] and click action link [g].


Administrators Admin Authentication


In organizations with many administrators, it is important to ensure that the correct set of administrators has access to the corresponding set of locations within the SPX-protected network. Administrators, like other users, need to be monitored and controlled. Before an administrator is granted access to the network, the user name and password, or token, is verified.
1. To configure administrative authentication, make certain that you are in Config Mode and have clicked the feature link Admin Authentication from the sidebar. The configuration window displays the General tab configuration page. To enable AAA for administrators, select check box [a]. To set an enable-mode password for WebUI login, supply the password in text field [b]. Remember that there is no default password for the WebUI enable-mode login.
2. To define and configure the AAA methods for authentication, click the Method tab [c] and set the methods and ranks via the selectors [d].
3. Once any changes are made, the Reset/Save button appears [e]. Remember to save any changes made.


4. After selecting the methods and ranking them, set up the authentication servers to match the methods configured in the previous step.
5. ACTIVE DIRECTORY: To configure Active Directory, click the action link [f] to add an AD server. Supply the AD server IP, Port and Mail Domain in fields [g]. Complete the task by selecting the desired action link [h].
6. LDAP: To configure LDAP, click the LDAP tab and then the action link [i] to add an LDAP server. Supply the LDAP server IP, Port, User Name, Password, Base and Timeout values in the fields supplied [j]. To use SSL/TLS, select check box [k]. Complete the task by selecting the desired action link [l]. To configure the LDAP search filter so that only authorization records are retrieved, define the search filter as a single string [n]; e.g. "cn=<USER>", where <USER> is replaced by the login username. By default, the filter "uid=<USER>" is used. Please note that "<USER>" is the only token allowed in the filter and must occur at least once. To clear the search filter, click action link [m].
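The search-filter rules above (a single string, "uid=<USER>" by default, <USER> the only token and present at least once) carried through in code, together with the check that makes the substitution safe: the login name must be escaped before it is placed into the filter, otherwise a name containing "*", "(" or ")" changes the filter's structure. This is an added example in Python, not Array Networks' code; whether the SPX wraps a bare "uid=<USER>" in parentheses is not stated on the page and is assumed here, and the function names are this example's own.

```python
import re

# The handbook's default search filter and its only permitted token.
DEFAULT_FILTER = "uid=<USER>"
USER_TOKEN = "<USER>"

# RFC 4515 escapes for the characters that would otherwise alter filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name so the server matches it literally inside the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_filter_template(template: str) -> None:
    """Enforce the handbook's rules: <USER> at least once, and no other <...> token."""
    if USER_TOKEN not in template:
        raise ValueError("search filter must contain <USER> at least once")
    foreign = [t for t in re.findall(r"<[^<>]*>", template) if t != USER_TOKEN]
    if foreign:
        raise ValueError(f"unsupported token(s) in search filter: {foreign}")


def build_search_filter(username: str, template: str = DEFAULT_FILTER) -> str:
    """Return the filter string that would be sent to the LDAP server for this login.

    Wrapping a bare "attr=value" template in parentheses is an assumption of this
    example (the page does not say whether the SPX does it)."""
    validate_filter_template(template)
    body = template.replace(USER_TOKEN, escape_filter_value(username))
    return body if body.startswith("(") else f"({body})"


def filter_is_safe(template: str) -> bool:
    """True if the template passes validation; handy when checking a proposed filter."""
    try:
        validate_filter_template(template)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_search_filter("alice"))
    print(build_search_filter("alice", "(|(uid=<USER>)(mail=<USER>))"))
    # A login name that tries to widen the match is neutralised by escaping.
    print(build_search_filter("*)(uid=*"))
```

The last line of the demo is the point of the escaping: without it the submitted name would turn "uid=<USER>" into a filter that matches every user, so the authorization lookup would return records it should not.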


7. RADIUS: To configure a RADIUS authentication server, click the RADIUS tab and then the action link [p] to add the RADIUS server. Supply the RADIUS server IP, Port, Secret Password, Timeout period and Number of Retries in fields [q]. Complete the task by selecting the desired action link [r].


Global Resources
Local Databases
The SPX allows you to create specific groups of users and authorize only specified content points on the network for these groups. In this way, for example, administrators may set up separate, specific network destinations for the sales department and the marketing group, while granting executive staff access to both.
1. To set up or edit local databases, make certain you are in Config Mode and have selected Local Databases from the sidebar. Note that the configuration window displays a sort-ready table of previously set up databases (if applicable) and a Global Resource Limit Summary [a]. To add or create a new database, click the action link [b] and proceed to step 2. To delete a database, select it in the table [c] and click the action link Delete [d]. You may also edit an existing database by double-clicking it in the table [c]; the edit page looks virtually the same as the Add configuration page described in step 2.
2. Supply the database name in the field provided [e] and configure the database's limits for data, users and groups [f]. Choose whether to enable the strong password feature for this database [g] and select the virtual sites with which to associate the newly created/edited database [h]. Complete the setup with the action links [i].


Global Resources SecurID Servers


Administrators must import the ACE configuration file into the SPX. Note that the ACE configuration is global and applies to all virtual sites using SecurID as an authentication method. A new ACE configuration file should be imported into the SPX whenever any changes are made to the configuration of the ACE server. Importing a new ACE configuration file overwrites the existing file.
1. To import a global SecurID configuration file, make certain that you are in Config Mode and have clicked the feature link SecurID Servers from the sidebar. The configuration window displays the current SecurID configuration file (if applicable). Double-click an entry to edit the existing data. To add a SecurID server, click the action link [a]. To delete a server, select it in the table and click the Delete action link [a].
2. Supply the SecurID server name in field [b]. Select the file type to be loaded (File or URL) via the radio buttons [c]. Supply the configuration file's path [d] or use the browse button to locate the desired file. All configured virtual sites are listed in a table on this page; select those sites you wish to associate with the SecurID server(s) being set up [e]. Complete the loading by clicking the action link [f].


Global Resources SSL Backend


The SPX can communicate securely with backend servers using SSL. If someone tries to access a backend server using SSL and that server has not been explicitly designated as an SSL backend server in the configuration, a message is displayed indicating that additional setup is required.

1 To set up a backend SSL server, select SSL Backend Server from the sidebar. The SPX displays a sort/edit-ready table of previously configured backend servers (if applicable). To edit an entry, double-click the desired server and make the necessary changes, including updating certificates and keys. To set up a new server, click on the Add Backend Server link [a] and go to step 2.
2 Supply the server's name, DNS name, IP address and port in the appropriate text fields [b]. Click on the desired action link [c].


Global Resources Thin Client Support


The advantage of using Thin Client Support (TCS) is that administrators do not have to pre-configure secure tunnels for Telnet applications and servers. This feature allows client Telnet modules to implement the needed functionality and handles the communications from these modules to the proper backend servers. Changing or adding TCS modules is an advanced procedure and great care should be taken when altering this configuration.

1 Make certain that you are in Config Mode and have clicked on the feature link Thin Client Support from the sidebar. The configuration window displays the existing TCS modules (including the two that ship with the SPX) [a]. To add or import a TCS module, click on the action link Add [b].
2 If you are importing a TCS package, select File or URL for the import [g] and supply the file name (or browse [h] for it). Once the correct file is selected, click on the desired action link [i].
3 In the text fields supplied, enter the module name [c] and description [d]. Click on the desired action link [e] to cancel, save and add, or save. After the named module is saved it appears at the end of the sort-ready table [f]. To complete or otherwise edit the configuration for the module, double-click on the module name or description [f]. The configuration window presents a new configuration page.

-Click for more57


2007-2011 Array Networks All Rights Reserved

WebUI Handbook

Global Resources Thin Client Support (continued)

4 After selecting the module and double-clicking on it, the configuration window presents the next configuration page, including new tabs (General Settings, Configurator* and Resource Files), a TCS Module Selector [g] and a special action link (Back to top menu) [h]. (* The pubapp module comes standard with the SPX and therefore does not require the Configurator.)
5 Make sure you are configuring the desired module via the selector [g].
6 On the General Settings tab you may customize specific aspects of the thin-client window, including the description [j] and the width [k] and height [l] of the pop-up module. You may also set the Resource File (citrix.jar or CVS) via the selector [m] and the Resource Type (Java App (jar), Java App (cab) or ActiveX) via the selector [n]. Click on the Resource Files tab to import or delete the resource files that appear in the selector [m]; after importing any resource file, return to this screen to complete the configuration.
7 Import the global resources (TerminalSvcsTCS.cab, TerminalSvcsTCSConfig.cab and msrdp.cab) by selecting the Resource Files tab. The SPX displays a sort-ready table of all existing resource files. Click on the Import action link to continue. Supply the source URL or file name for each imported file in the text field [o] and make certain the resource is assigned as global via the radio buttons [p]. Assign each resource and click the necessary action link [q].


8 After importing all of the necessary files, verify the imported status of the files in the sort-ready table. Return to step 6 (General Settings) to complete the configuration of the imported resource files.

9 Click on the Configurator tab. On this screen use the Resource File selector [a] to choose the imported application file to deploy. This step assigns the application (make certain to verify the version [b]) and verifies the Configurator GUI settings that will be used as the configurator interface in the following steps. Once the setup is complete, click the red Save button [c] to continue.


Admin Tools
System Management
This section discusses the system management functions available for the SPX.

SYSTEM INFO/ Version: 1 Make certain you are in Config Mode and have selected System Management from the sidebar. The configuration window presents a page with navigational tabs for System Information, Access Control, Update, Shutdown/Reboot and License [a]. There are also three (3) sub tabs on the System Info page: Version [b], Memory [c] and Statistics [d]. The remainder of the window displays the current running version of the ArrayOS powering the SPX [e].

SYSTEM INFO/ Memory: 2 By selecting the Memory sub tab [f] the SPX will display all current memory usage data.

SYSTEM INFO/ Statistics: 3 By selecting the Statistics sub tab [g] the SPX will display the current runtime statistics for the system.


Admin Tools System Management


ACCESS CONTROL 1 By selecting the Access Control tab, the configuration window presents options for altering specific access-related settings, including WebUI, XMLRPC, SSH and Config Mode.

ACCESS CONTROL/ WebUI: 2 To disable the WebUI, uncheck checkbox [a]. To change the current WebUI IP address or port, make those changes in text fields [b] and [c] respectively.

ACCESS CONTROL/ XMLRPC: 3 Enable XMLRPC by selecting checkbox [d] and supply the port value [e].

ACCESS CONTROL/ SSH: 4 Use checkbox [f] to enable or disable SSH access to the SPX. Use action link [g] to regenerate the SSH host key.

ACCESS CONTROL/ Config Mode: 5 You may change the timeout value after which Config Mode expires [h] or reset Config Mode immediately [i]. Resetting Config Mode terminates the current WebUI session.


Admin Tools System Management


UPDATE 1 By selecting the Update tab [a], the configuration window presents options for importing system files and system patches. To import a system update, select whether the data will be transferred from a file or a URL location [b] and supply the path [c] (a Browse button is present to help locate files). Once the update is located and the path is entered, click on the Apply Update action link [d].
2 To import a system patch, select whether you are using a new or a previous patch [e] and supply the URL for the patch in the text field provided [f]. Click on action link [g] to apply the patch.

SHUTDOWN/REBOOT 3 By selecting the Shutdown/Reboot tab [h], the configuration window presents a system reboot button [i], a system shutdown button [j] and the option to fall back to a previous software version [k]. If you check the fallback checkbox [k], remember to click on the red Save button when it appears.

LICENSE 4 By selecting the License tab [l], administrators may import a new license by entering the value in the text field [m] and clicking the Import link [n]. Administrators may also click the Flex License sub tab [o], enter the Flex License value in the text field and click on the Import link. The Flex License allows temporary session usage to exceed the base license allotment of user sessions.


Admin Tools Config Management


This section discusses the configuration management functions available for the SPX.

VIEW/ Running Config: 1 Make certain you are in Config Mode [a] and have selected Config Management [b] from the sidebar. The configuration window presents a page with navigational tabs for View, Backup, Load, Clear and Synchronization [d]. There are also three (3) sub tabs on the View page: Running Config [c], Startup Config and Saved File [e]. The remainder of the window displays the current running configuration [g]. To view the running configuration for all virtual sites (if applicable), select checkbox [f].

VIEW/ Startup Config: 2 By selecting the Startup Config sub tab [h] the SPX will display the startup configuration data.

VIEW/ Saved File: 3 By selecting the Saved File sub tab [i] the SPX will display all currently saved configuration files. Double click on a file name [j] to view the details of the configuration file.


Admin Tools Config Management


BACKUP 1 By selecting the Backup tab [a], the configuration window presents various options for backing up configuration files. To back up the existing running configuration and retain it as the Startup Config, simply click the action link Backup [f]. Make certain to select checkbox [b] to include all virtual site and database setup in the backed-up file. To back up the config using SCP, select the SCP button [c] and proceed to step 2. To back up the config using TFTP, select the TFTP button [d] and proceed to step 3. To back up the config to a saved file, select the Saved File button [e] and proceed to step 4.
2 To back up the configuration file using SCP, supply the SCP server name, user name, password and server path in text fields [g] and click on action link [h] to begin the backup.
3 To back up the configuration file using TFTP, supply the TFTP server IP address and file name in text fields [i] and click on action link [j] to begin the backup.
4 To back up to a saved file, supply the file name in text field [k] and click on action link [l] to begin the backup. A list of previously saved files is displayed in a sort-ready table [m]; you may select one of these files to be updated or deleted.


Admin Tools Config Management


LOAD 1 By selecting the Load tab [a], the configuration window presents various options for loading configuration files. To load the last running configuration, click the action link Load [g]. Make certain to select checkbox [b] to also load all virtual site and database information if needed. To load from an SCP server, select the SCP button [c] and proceed to step 2. To load from a TFTP server, select the TFTP button [d] and proceed to step 3. To load the config from the list of previously saved files, select the Saved File button [e] and proceed to step 4. To upload from a network location, select Upload File [f] and proceed to step 5.
2 To load a file from an SCP server, supply the SCP server name, user name, password and server path in text fields [h] and click on action link [i] to begin the load.
3 To load a file using TFTP, supply the TFTP server IP address and file name in text fields [j] and click on action link [k] to begin loading.
4 To load a saved file, select the file name from the list of previously saved files [l] and click on action link [m] to begin loading.
5 To load a file from a network location, supply the file name in field [n] or click on the Browse button to locate the necessary file. Then click the Load button [o].


Admin Tools Config Management


CLEAR Caution should be taken when clearing configurations from the SPX. Make certain that you clear only those configurations you intend to. These commands clear entire configurations, not specific functions or configuration elements. If you have any questions about clearing a running or saved configuration, please contact Array Networks Customer Support.
1 Select the Clear tab [a]; the configuration window presents four buttons for clearing various portions of the configuration. To reset the primary networking functions of the SPX to the default, including all Access Lists and Groups, IP Addresses, and Clustering and Synchronization, click on Primary Configuration Clear NOW [b]. To reset only the secondary network functions of the configuration, such as WebUI, NAT, Proxy Settings, SNMP and Logging, click on Secondary Configuration Clear NOW [c]. To clear and delete all locally saved configuration files except for the default startup file, click on Entire Configuration Clear NOW [d]. To reset the SPX to factory default, allowing only console connectivity, click on Factory Default Configuration Reset NOW [e].


Admin Tools Config Management Synchronization for Peer SPX


The synchronization feature allows you to transfer configuration information among separate SPXs (referred to as Peers or Nodes) on the same network. Using configuration synchronization, you can also set up an Active-Standby configuration for failover support. The basic configuration must be completed before configuring the virtual clustering functionality.
1 Make certain you have selected the Synchronization tab [a]. Notice that there are five (5) sub tabs for this feature: Nodes/Peers [b], Tasks [c], Results [d], Differences [e] and History [f], as well as action links to Delete and Add node/peer entries [g]. Any previously configured peers are displayed in a sort-ready table.
2 The first step with synchronization is to define each peer's unique name and IP address. Click on the action link Add Node/Peer Entry [h].
3 The configuration window presents text fields for you to supply the peer name [i] and IP address [j]. Select the desired action link [k] to continue.
4 All newly added peers appear in the sort-ready table [l]. Now that peers are defined, click on the Tasks sub tab [m].


SYNCHRONIZATION
The configuration window displays all configured peers in two sort-ready tables: one for Configuration Synchronization, where all individual SPXs share the same configuration, and one for Synchronization Rollback, a feature for pulling a specific SPX back out of a clustered group and reverting its configuration to a pre-synchronized configuration (see step 6).
5 Configuration Synchronization: this feature allows you either to push a configuration onto other SPXs in the network via the Synchronization Direction To button [o], or to pull a configuration from a specific SPX and place that configuration on the SPX being set up. Note: You may push a configuration onto all existing SPXs, but you may only pull a configuration from one SPX at a time. Once you have selected the SPXs to synchronize, click on the action link [q].
6 Synchronization Rollback: to reset to a previously synchronized configuration that was received from another SPX peer on the network, leave the radio button [r] set to Local, select the SPX peer that originated the configuration from the list and click on the Rollback action link [s]. To reset a peer that received the configuration from the current SPX, select Remote [r], select the destination SPX from the list and click [s].


SYNCHRONIZATION
The final three sub tabs allow you to check various elements of the synchronized configuration against other SPX peers and configurations elsewhere on the network.
7 RESULTS: the Results sub tab [t] displays the configured peers in a sort-ready table. Double-click on any peer to view synchronization results for that peer, or use the action links View Synch Summary [u] or View All Results [v].
8 DIFFERENCES: the Differences sub tab [w] displays all configured peers in a sort-ready table. Double-click on the desired peer to view the configuration differences between the selected remote peer SPX's configuration and the SPX you are currently synchronizing from.
9 HISTORY: the History sub tab [x] displays all synchronization events related to the SPX currently being configured.


Admin Tools Monitoring


This section discusses the monitoring functions available for the SPX: logging, SNMP and statistics.

LOGGING/ General: 1 Make certain you are in Config Mode [a] and have selected Monitoring from the sidebar list of features [b]. The configuration window presents tabs (Logging [c], SNMP and Statistics) and six sub tabs for Logging: General [d], Syslog Servers, HTTP Logging, L3VPN Logging, Email and Buffer.
2 Enable the logging feature via checkbox [e]. Enable the timestamp and/or timezone stamp for log entries via checkboxes [f].
3 Set the facility, from LOCAL0 to LOCAL7, via selector [g]. Set the log level via selector [h]; any message below the specified level is ignored.
4 You may reset the log settings by clicking on the Clear NOW button [i]. Note: this returns the log settings to their defaults. You may generate a test log message by clicking on the Generate NOW button [j].


LOGGING/ Syslog Servers: 5 By selecting the Syslog Servers sub tab [k], the SPX displays all currently configured servers. To add a server, click on the action link Add Server Entry [l]. The configuration window presents text fields for configuration. Supply the server host IP [m], the logging protocol (UDP or TCP) via selector [n], the host port [o] and the source port [p]. The log host is the remote Syslog server receiving messages. Up to three servers may be configured (all messages are sent to all servers). The Source Port default setting is 514. Click on the desired action link [q] to complete the configuration.
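The General and Syslog Servers settings above (a facility from LOCAL0 to LOCAL7, a minimum log level, up to three collectors reached over UDP or TCP), as an added Python example that is not Array Networks code: it computes the syslog PRI value from facility and severity, drops messages below the configured level, fans each accepted message out to every configured server, and parses what a collector receives back into facility and severity. The class and function names, the server addresses and the log text are the example author's own constructed data.

```python
"""Syslog forwarding as described in the Logging pages: a facility LOCAL0..LOCAL7,
a minimum log level, and up to three collectors reached over UDP or TCP.

Added example (not Array Networks code).  It builds the messages an appliance
would emit and filters them by level; names such as SyslogForwarder and
fan_out are the example author's own, and the hosts and log lines are
constructed sample data.
"""
import socket
from datetime import datetime

# RFC 3164 facility codes: LOCAL0..LOCAL7 are 16..23
FACILITIES = {f"LOCAL{i}": 16 + i for i in range(8)}
# Severity names ordered by numeric code, 0 = most urgent
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_SERVERS = 3        # the handbook allows up to three syslog servers
SAMPLE_TIME = datetime(2011, 3, 1, 12, 0, 0)   # fixed timestamp for the sample


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. LOCAL0/info -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def parse_pri(line: str) -> tuple:
    """Recover (facility name, severity name) from a '<PRI>...' syslog line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI header")
    fac, sev = divmod(int(line[1:line.index(">")]), 8)
    names = {code: name for name, code in FACILITIES.items()}
    return names.get(fac, f"facility{fac}"), SEVERITIES[sev]


class SyslogForwarder:
    def __init__(self, facility: str, level: str, servers: list):
        """servers: list of (host, protocol, port) with protocol 'UDP' or 'TCP'."""
        if len(servers) > MAX_SERVERS:
            raise ValueError(f"at most {MAX_SERVERS} syslog servers may be configured")
        for _host, proto, _port in servers:
            if proto not in ("UDP", "TCP"):
                raise ValueError(f"unsupported protocol {proto!r}")
        self.facility = facility
        self.level = level
        self.servers = list(servers)

    def accepts(self, severity: str) -> bool:
        """'Any message below the specified level is ignored': a larger severity
        code means a less urgent message, so those are dropped."""
        return SEVERITIES.index(severity) <= SEVERITIES.index(self.level)

    def format(self, severity, hostname, tag, text, when: datetime) -> str:
        """RFC 3164 style line: PRI, timestamp (day space padded), host, tag, text."""
        stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
        return f"<{pri(self.facility, severity)}>{stamp} {hostname} {tag}: {text}"

    def fan_out(self, severity, hostname, tag, text, when) -> list:
        """(host, protocol, port, payload) for every server: each accepted
        message goes to all configured servers."""
        if not self.accepts(severity):
            return []
        payload = self.format(severity, hostname, tag, text, when).encode()
        return [(host, proto, port, payload) for host, proto, port in self.servers]


def udp_roundtrip(fwd: SyslogForwarder, severity: str, text: str) -> tuple:
    """Deliver one message to a loopback UDP listener and parse what arrived,
    the kind of check to run before trusting a collector's view of the appliance."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        line = fwd.format(severity, "spx1", "spx", text, SAMPLE_TIME)
        tx.sendto(line.encode(), ("127.0.0.1", port))
        data, _ = rx.recvfrom(4096)
    finally:
        tx.close()
        rx.close()
    return parse_pri(data.decode())


if __name__ == "__main__":
    fwd = SyslogForwarder("LOCAL1", "warning",
                          [("192.0.2.10", "UDP", 514), ("192.0.2.11", "TCP", 514)])
    for host, proto, port, payload in fwd.fan_out("crit", "spx1", "spx",
                                                  "config mode entered", SAMPLE_TIME):
        print(proto, host, port, payload.decode())
    print(udp_roundtrip(fwd, "err", "test message"))
```

With the level set to warning, an info message produces no output at all, so a collector that never sees routine events is not necessarily misconfigured; the PRI value on each received line tells you which facility and severity the appliance was set to.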

LOGGING/ HTTP Logging: 6 By selecting the HTTP Logging sub tab [r], the SPX displays a configuration page allowing you to enable HTTP logging and set the format via radio buttons [s], as well as optional selections to include the VIP and Host in log reports [t]. Click on the Apply action link [u] to complete the configuration.

LOGGING/ L3VPN Logging: By selecting the L3VPN Logging sub tab, administrators may enable the logging feature [v] and set a timeout for the logging function related to L3 VPN traffic. This timeout parameter [w] is measured in seconds; the default setting is 300 seconds (five minutes). Though the L3 VPN connection may remain open, logging for the connection terminates when the timeout expires.




LOGGING/ Email: 7 Configure an alert email for reporting issues. Make certain to click the Email sub tab [a]. To add an email alert, click on the action link Add Email Alert Entry [b] and proceed to step 8.
8 To configure an email alert, set the log/entry ID [e], define the message that accompanies the log alert [f], the email address of the designated recipient [g], the interval between reports (in minutes) [h] and whether to send a data report or a count (number of incidents) report [i].




LOGGING/ Buffer: 9 The Buffer displays the list of currently logged events on the SPX. By selecting the Buffer sub tab [a], the configuration window displays a scrolling list (if applicable) of the events logged under the logging configuration to this point. Via the radio buttons [b] you may list the events forward (oldest at top), backward (most recent at top) or update the list (Reboot). You may also clear the log buffer by selecting the action link Clear Log Buffer [c].



SNMP
SNMP, the Simple Network Management Protocol, is a widely used network monitoring and control protocol. Data are passed from SNMP agents, which are hardware and/or software processes reporting activity in each network device, to the workstation console used to oversee the network. Up to three SNMP hosts may be configured. NOTE: SNMP traps must be enabled to view graphs on the Array Flight Deck.

SNMP/ General: 1 By selecting the feature tab SNMP [a], the configuration window presents a configuration page where you may enable the SNMP feature via checkbox [b]. Define a community string (up to 32 characters long), which acts as a password to limit or control access from the NMS to the agent [c]. Enter the contact person [d] and the SPX location [e] in the fields provided (up to 128 characters each). Make certain to click on the red Save button when complete.

SNMP/ Traps: 2 Administrators may enable individual traps by selecting the Traps sub tab [f] and selecting the desired traps from the list [g]. Make certain to click the red Save button [h] when changes are made.


SNMP/ SNMP Servers: 1 By selecting the SNMP Servers sub tab [a], the configuration window presents a list of any configured SNMP servers. To add a new entry, click on the action link Add Server Entry [b]. In the fields provided, supply the SNMP server IP address [c] and community string [d]. Complete the task by clicking on the desired action link [e].

SNMP/ MIB File: 3 Users may view the active MIB file by selecting the MIB File sub tab [f]. The configuration window displays the MIB file, if applicable.


Admin Tools Monitoring Statistics


Statistics/Compression: 1 Select the tab Statistics [a]. The configuration window will present the Compression [b] statistics as well as sub tabs for IP, Session, SSL, System/CPU, TCP and Virtual Site. You may clear the compression statistics by clicking on the action link Clear Statistics [c].

Statistics/IP: 2 Select the IP sub tab [d] to view IP statistics and to enable IP statistics gathering [e].

Statistics/SSL: 3 Select the SSL sub tab [f] to view statistics. Clear statistics for SSL via action link [g].

Statistics/System CPU: 4 Select the System/CPU sub tab [h] to view statistics.

Statistics/TCP: 5 Select the TCP sub tab [i] to view statistics.




Statistics/Virtual Site: 6 Select the tab Statistics [a] and sub tab Virtual Site [b] to view all related virtual site statistics [c]. To clear the statistics click on the action link Clear Statistics [d].


Admin Tools Troubleshooting


Selecting the Troubleshooting feature from the sidebar presents administrators with simple tools to ping (generate an echo request), perform a packet trace and verify name-server resolution.
1 Make certain you are in Config Mode [a] and have selected Troubleshooting from the sidebar [b]. The configuration window presents a page with navigational tabs for Tools [c] and Support Access [d] (skip to step 5 for Support Access).
2 PING: to generate a network connectivity echo request directed toward a specified host, enter the IP address or host name and click on the Ping button [e].
3 TRACEROUTE: enter the IP address or host name and click on the Traceroute button [f].
4 NAME SERVER LOOKUP: enter the IP address or host name for the name server and click on the Lookup button [g]. This feature allows the user to verify the IP address for the given hostname.
5 SUPPORT ACCESS: this allows Array Networks Customer Satisfaction personnel direct access to the SPX. You should not configure this operation without first contacting the Customer Satisfaction department at Array Networks (1-866-my-array). By clicking on the Support Access sub tab [h] you will see all configured access points. Click on action link Add Access Entry [i] and complete text fields [j] for IP address and netmask data.
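The Support Access entries above form an allow-list of IP address and netmask pairs. The following added Python example (not Array Networks code) validates such entries and checks whether a source address is permitted, rejecting a malformed netmask or one that would admit every address, and flags entries that cover more hosts than a support workstation or office would need. The class name and the sample addresses are constructed for this illustration.

```python
"""Support Access entries as an address allow-list.

Added example (not Array Networks code): each entry is an IP address plus
netmask, as the Support Access page asks for; the class below validates the
entries and answers whether a source address is permitted.  The class name
and the sample addresses are the example author's own constructed data.
"""
from ipaddress import ip_address, ip_network


class SupportAccessList:
    def __init__(self):
        self.entries = []   # ip_network objects; default deny while empty

    def add_entry(self, address: str, netmask: str):
        """Validate and store one IP/netmask pair; returns the resulting network.
        Rejects a non-contiguous mask and a mask that would admit every source."""
        try:
            net = ip_network(f"{address}/{netmask}", strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid entry {address}/{netmask}: {exc}") from exc
        if net.prefixlen == 0:
            raise ValueError("entry would permit every source address; narrow the netmask")
        self.entries.append(net)
        return net

    def is_allowed(self, source: str) -> bool:
        """True only if the source address falls inside a configured entry."""
        addr = ip_address(source)
        return any(addr in net for net in self.entries)

    def broad_entries(self, max_hosts: int = 256) -> list:
        """Entries covering more than max_hosts addresses, worth a second look
        before leaving them in place."""
        return [str(net) for net in self.entries if net.num_addresses > max_hosts]


def build_sample_list() -> SupportAccessList:
    """Constructed sample: one support workstation and one support network."""
    acl = SupportAccessList()
    acl.add_entry("203.0.113.8", "255.255.255.255")
    acl.add_entry("198.51.100.0", "255.255.255.0")
    return acl


if __name__ == "__main__":
    acl = build_sample_list()
    for src in ("203.0.113.8", "203.0.113.9", "198.51.100.77", "192.0.2.1"):
        print(src, "allowed" if acl.is_allowed(src) else "denied")
    print("broad entries:", acl.broad_entries())
```

An empty list denies everything, which matches the handbook's advice that support access is configured only on request; reviewing `broad_entries()` after each change is a quick way to notice an entry that was meant for one host but admits a whole range.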



Admin Tools Change Password


1 Make certain you are in Config Mode [a] and have selected Change Password from the sidebar [b]. The configuration window displays a list of all administrators established thus far. When you select a name from the list [c], that administrator's name appears in the grayed field [d]. To change the password for an administrator, select the name from the list and supply the new password in text fields [e].


Service Management
Network Separation
1 Make certain you are in Config Mode and have selected Service Management from the sidebar. The configuration window presents four tabs (Network Separation, Session Limits, Site Access and Static VLAN) as well as a checkbox for enabling the network separation feature [a]. Also on this page are two edit-ready tables, Global Level Permit and Site Level Permit. To edit a previously configured interface or VLAN, simply double-click the entry. To add an interface or VLAN, click on action link [b] to add a global level permit (proceed to step 2) or [c] to add a site level permitted interface or VLAN (proceed to step 3).
2 Use the selector [d] to add the configured interface or VLAN and click on the desired action link [e] to continue.
3 Use the selector [f] to choose the virtual site to be added and specify the configured interface or VLAN with selector [g]. Click on the desired action link [h] to continue.


Session Limits
1 By selecting the Session Limits tab [a], the configuration window displays two edit-ready tables, Group Session Limits [b] and Site Session Limits [c]. The group session feature allows the global administrator to define a group of virtual sites that share specific session resources. A virtual site that belongs to a session group may not have an individual site session limit assigned. Administrators may create up to 128 session limit groups. To add a site to a group, click on the action link [d] and proceed to step 2. To set session limits for an individual site, click on the action link Add [e] and proceed to step 4.
2 Before a site or sites can be added to a group of shared resources, the group must be created. Supply the group name in text field [f] and click on the desired action link [g]. The newly entered group appears in the Group Session Limits table [1b]. To set a limit for the group, double-click the entry in the table [b] and proceed to step 3.
3 Set the maximum number of concurrent active sessions for the group in text field [h]. All members of this group are displayed in table [i]. To add members to the group, click on the Add link [j]; the next page presents a selector for choosing configured sites to add to the group.
4 To assign session limits to an individual site, use the selector [k] to specify the site and supply the maximum session value in text field [l]. Complete by clicking on the desired link [m].
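The rules stated above (a group shares one session limit among its member sites, a site that belongs to a group cannot also carry an individual limit, and at most 128 groups may exist), as an added Python example that is not Array Networks code. It assumes that a site with no limit configured at all is unlimited, which the handbook does not state; the class and method names and the site names are constructed for this illustration.

```python
"""Group and per-site session limits as the Session Limits page describes them.

Added example (not Array Networks code).  A session group shares one limit
among its member sites, a site with an individual limit may not also belong
to a group, and no more than 128 groups may exist.  Sites with no limit at
all are treated here as unlimited, which is this example's assumption rather
than something the handbook states; the class and method names are the
example author's own.
"""
MAX_SESSION_GROUPS = 128


class SessionLimits:
    def __init__(self):
        self.group_limit = {}    # group name -> max concurrent sessions
        self.group_of = {}       # site name -> group name
        self.site_limit = {}     # site name -> individual limit
        self.active = {}         # group or site name -> current session count

    def add_group(self, group: str, limit: int) -> None:
        """Create a session group (or update its limit)."""
        if group not in self.group_limit and len(self.group_limit) >= MAX_SESSION_GROUPS:
            raise ValueError(f"no more than {MAX_SESSION_GROUPS} session groups")
        self.group_limit[group] = limit

    def add_site_to_group(self, site: str, group: str) -> None:
        """A grouped site draws on the group's shared limit."""
        if group not in self.group_limit:
            raise KeyError(group)
        if site in self.site_limit:
            raise ValueError(f"{site} has an individual limit and cannot join a group")
        self.group_of[site] = group

    def set_site_limit(self, site: str, limit: int) -> None:
        """An individual limit is only valid for a site outside every group."""
        if site in self.group_of:
            raise ValueError(f"{site} belongs to group {self.group_of[site]}")
        self.site_limit[site] = limit

    def _bucket(self, site: str):
        """(counter key, limit) for the site, or (site, None) when unlimited."""
        if site in self.group_of:
            group = self.group_of[site]
            return group, self.group_limit[group]
        return site, self.site_limit.get(site)

    def open_session(self, site: str) -> bool:
        """Admit a new session unless the applicable limit is already reached."""
        key, limit = self._bucket(site)
        count = self.active.get(key, 0)
        if limit is not None and count >= limit:
            return False
        self.active[key] = count + 1
        return True

    def close_session(self, site: str) -> None:
        key, _ = self._bucket(site)
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1

    def in_use(self, site: str) -> int:
        """Sessions currently counted against the site's limit (group or own)."""
        key, _ = self._bucket(site)
        return self.active.get(key, 0)


def build_sample() -> SessionLimits:
    """Constructed sample: two sites share a pool of 2 sessions,
    a third site has its own limit of 1."""
    limits = SessionLimits()
    limits.add_group("shared-pool", 2)
    limits.add_site_to_group("vs-sales", "shared-pool")
    limits.add_site_to_group("vs-marketing", "shared-pool")
    limits.set_site_limit("vs-partners", 1)
    return limits


if __name__ == "__main__":
    limits = build_sample()
    for site in ("vs-sales", "vs-marketing", "vs-sales", "vs-partners", "vs-partners"):
        print(site, "admitted" if limits.open_session(site) else "refused",
              "in use:", limits.in_use(site))
```

The point of the shared counter is that one busy member of a group consumes capacity the other members lose, so a group limit sized for the sum of its sites' normal load is the conservative choice.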


Site Access
1 By selecting the Site Access tab [a], the configuration window displays a Global Level Lock configuration option [b] and a Site Level Lock table [c]. If the administrator wishes to deny all access to all sites, or to deny configuration mode access to all sites, simply choose the desired button [d]. To restrict a specific site, double-click on the site as listed in the table [c] and proceed to step 2.
2 To limit access to a specific site, choose the site from the selector list of configured sites [e] and set the type of lock (access or configuration) [f]. Complete the setup by clicking on the action link [g].


Static VLAN
1 By selecting the Static VLAN tab [a], the configuration window displays the Static VLAN Routing table [b] for all configured VLANs. Click on the Add action link [c] to add a new VLAN static route to the configuration.
2 Use the selector [d] to specify the VLAN's interface name. Supply the destination IP address, netmask and gateway IP in the text fields [e]. Complete the setup by clicking on the desired action link [f].

Once static routes are entered into the table [1b], they can be edited by double-clicking on the table entry directly.


Virtual Sites
Creating a Virtual Site
The SPX provides secure remote access to internal resources through one or more virtual sites (up to 256). A virtual site provides a single interface for external users to access internal content. Each virtual site is associated with a domain name and listens on a specified virtual IP address (VIP) and port. Virtual sites are designed to be independently configured, such that each site has its own portal, SSL settings, AAA methods and servers, file sharing configuration and TCP application services, or to be part of a shared virtual network. All virtual site domain names (FQDNs) must have a valid A record in DNS or a related hosts file entry.
1 Click on the Virtual Sites link. The configuration window displays any current virtual sites. Tabs [a] allow navigation to other configuration pages for this feature.
2 Select from the configuration links [b] to add a virtual site. The following pages show how to set up each type of virtual site.
3 Newly created sites are displayed in the main configuration window. They may be accessed for further configuration by selecting the site via the pull-down menu or by double-clicking the virtual site name in the sort-ready table.
4 It is recommended that you complete the global configuration before continuing the virtual site setup. To continue the virtual site configuration process, see CONFIGURING VIRTUAL SITES.


Virtual Sites Creating the Shared Virtual Site


1 Click on the Add Shared link.
2 Select whether to restrict this virtual site. Restricting a site forbids users from accessing it even when the URL is entered directly into a client browser; when enabled, the site may only be accessed when an authenticated user is redirected to it by the SPX. The default setting is no, meaning users may access the site without being redirected. Input the virtual site's name, FQDN, IP address with port and an alias name, if necessary, in the text fields supplied.
3 To assign the virtual site to a localdb, select New or Existing LocalDB [a]. If configuring a new localdb, supply the database file name in text field [b]. If assigning an existing database, text field [b] becomes a pull-down menu listing all existing databases.
4 Select the desired SSL certificate creation method (generate, import or import via TFTP) [c]. Fill out the CSR text fields [d]. Specify whether this key will be exportable (Y/N) [e].
5 Create users by supplying names and passwords.
6 Complete the configuration by selecting the desired action link.


The Shared Virtual Site Home


1 After the creation of the Shared Virtual Site, the site will appear in the main configuration window table along with any Alias Sites associated with the Shared Site. You may test the accessibility of the aliased site by clicking on the Test Site link [a]. To begin configuring the Shared Site, double click on the shared name in the list [b] to be taken to the Shared Site Home configuration window (see step 3 below). Note that aliased sites associated with the shared site will be listed directly below [c]. If you double click on the aliased site [c], you will be taken to the virtual site home page for the configuration of the individual virtual site. 2 This is a sample of a shared site portal. Note the active and configurable elements on this page, including the portal logo [d], message [e] and the text field to enter the name of a desired virtual site (aliased with this shared site) [f]. 3 Having selected the Shared Site from the table, you will see the Shared Site Home configuration window. You may move from one shared site to another via the selector [g]. Basic data for the shared site is displayed [h] and may be corrected or changed. There are also tabs for Alias Sites [i], SSL Certificates, SSL Settings, Portal [j] and Portal Themes. Configuration or display elements for SSL Certificates, SSL Settings and Portal Themes are covered later in this text (click on the link to be taken to the specific configuration information now).



4 By selecting the Alias Site tab, the configuration window will display all alias sites associated with the Shared Site. By double clicking on any of the listed alias sites, you will be taken to the virtual site configuration homepage for that site.

By selecting the Portal tab, the configuration window will display the necessary configuration elements for setting up the main shared portal page. This main shared portal page is the site users will first come to before departing for the specific portals. The individual aliased pages may set their own portal look and feel independent of the main shared portal (see Portal). Users will also enter their credentials at the individual aliased site. Set the main shared portal page's language and greeting message [a]. Set the main shared portal page's logo by specifying the file path or URL [b] and clicking the Import action link. You may also enable the HTML encoding feature via the checkbox [c] or set the SPX to redirect the main Shared Portal to a specified HTML or WML location [d].


Virtual Sites Creating the Aliased Virtual Site


1 Click on the Add Alias link. 2 Select whether to restrict this virtual site (restricting forbids users from accessing the specified site even when the URL is entered directly into a client browser; when enabled, the site may only be accessed when an authenticated user is redirected to the site by the SPX; the default setting is no, meaning users may access the site without being redirected). Select the shared site from the pull down menu [a] and name the alias site in text field [b]. Select either New or Existing [c] LocalDB to associate the aliased site with the correct database [d]. If Existing is selected then the text field will change to a pull down menu displaying previously set up databases. 3 Create users by supplying names and passwords. 4 Complete the configuration by selecting the desired action link.


Virtual Sites The Exclusive Virtual Site


1 Click on the Add Exclusive link. 2 Select whether to restrict this virtual site (restricting forbids users from accessing the specified site even when the URL is entered directly into a client browser; when enabled, the site may only be accessed when an authenticated user is redirected to the site by the SPX; the default setting is no, meaning users may access the site without being redirected). Input the virtual site's name, FQDN, IP address with port and an alias name, if necessary, in the text fields supplied. 3 To assign the virtual site to a LocalDB select New or Existing LocalDB [a]. If configuring a new LocalDB supply the database file name in text field [b]. If assigning an existing database, text field [b] will become a pull down menu listing all existing databases. 4 Select the desired SSL certificate creation method (generate, import or import via TFTP) [c]. Fill out the CSR text fields [d]. Select whether this key will be exportable (Y/N) [e]. 5 Create users by supplying names and passwords. 6 Complete the configuration by selecting the desired action link: Cancel, Save & Add Another or Save.


Domain Forwarding
The Domain Forwarding feature (also referenced as IP Forwarding, as pictured here) allows administrators to establish multiple IP/Port pairs to be directed to a configured exclusive virtual site. 1 Select the tab IP Forwarding (or Domain Forwarding) [a]. The SPX will show previously configured IP/Port pairs and the corresponding virtual site in the sort ready table [b]. To add a new rule, click on the Add action link [c]. To edit an existing entry, double click on the desired rule from the table. 2 Supply the rule ID (integer) as well as the listening IP and port in the text fields [d]. Use the selector [e] to assign the IP/Port pair to the desired virtual site. Click on the appropriate action link [f] to complete the configuration.

QuickLink
QuickLink is a clientless access method that allows SPX users instant access to web content originating from the internal network, most often from servers that are not exposed to access from the outside. Rather than doing full content parsing and rewriting, QuickLink uses a unique hostname or a unique port to represent the backend web server. 3 Select the tab QuickLink. The SPX will show previously configured QuickLink settings in the sort ready table [g]. To add a new rule, click on the Add action link [h]. To edit an existing entry, double click on the desired rule from the table. 4 Supply the resource ID (integer), IP and link path [i]. Click on the appropriate action link [j] to complete the configuration.



The Virtual Site Navigation


The creation of individual virtual sites was discussed earlier in VIRTUAL SITES. From this point it is assumed that the global configuration is complete and that you have already created the virtual site you wish to configure. There are two ways for you to bring up the configuration WebUI for each virtual site. When you have selected a virtual site the WebUI will change slightly to reflect those configurable features/options available (see side-by-side comparison of sidebars on next page). 1 Make certain you are in Config Mode [a] and have selected Virtual Sites [b] from the sidebar. The configuration window will present a sort ready table displaying all created virtual sites [c]. Double click on the site you wish to configure. The WebUI will switch from the Global Mode to Site Mode. 2 You may also select the desired virtual site from the selector [d]. This selector will also be used to bring administrators back from the virtual site configuration pages.


The Virtual Site Sidebar


When you switch from the global configuration WebUI to the site configuration WebUI there are some noticeable and some subtle differences that shouldn't lead to any confusion. Notice that the name of the virtual site now appears in the selector, replacing --Base System--. Notice that the categories of features for the virtual site are slightly different than those in the global section. Notice that the individual features are also different. Though most features and categories are different when comparing the site sidebar to the global sidebar, there are some that are very similar. These features (like those in Admin Tools) are very similar to their global counterparts, so special attention may be required to make sure you are in the proper configuration section for the tasks you are trying to complete.


The Virtual Site Home Page


The virtual site home page serves as a quick configuration reference point by offering a general view of pertinent information needed for managing existing configurations as well as a starting point for getting virtual sites up and running. 1 There are two configuration tabs available: Virtual Site Home (shown) and Quick Tasks. The Quick Tasks page lists a few of the more common configuration operations with links to move the user directly to those configuration pages. The page is broken out into three distinct areas: Virtual Site Information [2], Virtual Site Statistics [3] and Virtual Site Feature Status [4]. 2 Virtual Site Information: The home page lists general configuration information such as IP, host domain, etc. 3 Virtual Site Statistics: On the left side of the home page there is a very general statistical breakdown concerning the virtual site, as well as a selector [a] to jump to the detailed statistical page dedicated to the user specified feature. 4 Virtual Site Feature Status: This offers the administrator a place to quickly enable or disable licensed features.


The Virtual Site Quick Tasks


The Quick Tasks page acts as a shortcut to specific configuration operations. These shortcuts will take you directly to the Add page for the desired feature. 1 Click on the Quick Tasks tab [a]. You will be presented with a list of action links [b]. Select the desired shortcut. Upon selecting a task, relevant information will be displayed in the table [c] and a Go button [d] will appear. Click the Go button [d] to continue the configuration.


Site Configuration SSL Certificates


1 Make certain you are in Config Mode, have selected the desired virtual site and have selected SSL Certificate [a] from the sidebar. The configuration window will present the CSR/Key [b] configuration page with a total of five tabs; CSR/Key, Certificates, Intermediate CA, Trusted Root CA, CRL CA and Statistics.

CSR/Key 2 To generate a CSR/Key make certain you are on the CSR page from the selection of configuration page tabs [c]. 3 Supply the country code for the CSR [d]. Fill out the remainder of the CSR by supplying the requested information [e]. Finally, select whether this private key will be exportable (Y/N) [f].

Certificates (Importing) 4 To import an existing certificate and key pair select the Certificate tab [h] and the method for importing the pair (import or import via TFTP) [i]. For TFTP import skip to step 6. 5 Paste your existing certificate into text field [j] and the existing key into field [k]. Supply the password (if necessary) in field [l]. Complete the task by clicking the submit link [m]. 6 To import a cert/key pair via TFTP supply the server for the certificate [n], key [o] and password [p]. Complete the task by clicking the submit link [m].



Intermediate CA (Importing) 7 To import an existing certificate from an Intermediate Certificate Authority select the Intermediate CA tab [a]. You will see a list of existing certificates (if applicable) [b]. Click the action link Import [c] and proceed to step 8. 8 Paste the Intermediate CA certificate in field [d] and click on the desired action link [e] to complete/continue the configuration.

Trusted CA (Importing) 9 To import an existing certificate from a Trusted Certificate Authority select the Trusted CA tab [f]. You will see a list of existing certificates (if applicable) [g]. Click the action link Import [h] and proceed to step 10. 10 Paste the Trusted Root CA certificate in field [i] and click on the desired action link [j] to complete/continue the configuration.

CRL CA (Importing) For importing CRL CA certificates, the process is the same as outlined above. Click the Import link, paste the certificate into the field and click on the Submit link.


Site Configuration AAA


General The SPX supports authentication with external LDAP, RADIUS, Microsoft Active Directory, and RSA SecurID servers. The SPX also provides a local authentication/authorization database (LocalDB) for small to medium-sized installations. Once a virtual site is created, AAA is enabled by default. You do have the option of disabling AAA on a per-virtual-site basis. If AAA is disabled, users will not be required to log in, but will instead be redirected to the portal page where the user connects to the virtual site when Web Resource Mapping is enabled. 1 Make certain you have selected the proper virtual site, are in Config Mode and have selected AAA [a] from the sidebar. The configuration window will present the General configuration page with a total of five tabs: General, Method, Authentication, Authorization and Accounting. 2 General: Make certain you are on the General configuration page by selecting the General tab [b]. On this configuration page you will be able to disable AAA or enable two fields for SecurID credentials [c],


Site Configuration AAA


Method AAA methods, servers, and settings are configured on a per-virtual-site basis. In most cases it is only necessary to configure one AAA method for each virtual site. However, the SPX allows you to configure multiple AAA methods for a single virtual site. This provides added flexibility in cases where different users are authenticated with different AAA systems (for example, a small subset of users might have LocalDB accounts while records for other users are stored on an LDAP server). AAA methods must be ranked in order of decreasing precedence; the method with rank 1 has the highest precedence, and a maximum of 4 methods may be ranked. The SPX will attempt to authenticate each user login with each ranked method in turn, until authentication is successful or all methods have been exhausted. Note that if SecurID is configured as an AAA method it must have rank 1, since the token codes used by SecurID are time-sensitive. 4 By selecting the Method tab [a] the configuration window will present a series of selectors [b, c]. Establish each authentication method based on its rank [b] and choose the desired authorization method [c]. Depending on the method(s) selected from the authentication selector [b], only recommended/licensed authorization methods will be available via selector [c]. Complete the configuration process by clicking on the red save button [d].


Site Configuration AAA


Authentication 1 By selecting the Authentication tab [a] the configuration window will present the Active Directory sub tab [b] configuration page with a total of four sub tabs: Active Directory, LDAP, RADIUS and Client Certificate. Any previously configured Active Directory servers will be displayed in the sort ready table [c]. Select the desired authentication option from the listed sub tabs.

Active Directory 2 Click on the action link Add Active Directory Server [d]. The configuration window presents three text fields [e] for you to enter the AD server IP address, port and mail domain. You may configure up to three AD servers. Complete the task by clicking on the desired action link [f].


AAA Authentication
LDAP 3 Select the sub tab LDAP [g] to configure for LDAP authentication. Any configured servers will be listed in a sort ready table. Click on the action link Add LDAP Server [h] (skip to step 4). Some proprietary LDAP implementations, including NDS, do not publish password hash information. For these servers, the SPX must identify the user's Distinguished Name (DN) before the user can be authenticated. The SPX provides the administrator with a choice of two different ways to construct the user's DN. If all users are direct descendants of a single node in the LDAP directory tree (i.e. if users' DNs are identical except for the username portions), the DN can be statically constructed by concatenating the strings <dn_prefix> <USER_NAME> <dn_suffix>, where <USER_NAME> is the username used to log into the SPX. For example, if the DNs are cn=joe, ou=Eng, o=example.com and cn=john, ou=Eng, o=example.com, then the administrator should configure <dn_prefix>=cn= and <dn_suffix>=, ou=Eng, o=example.com. Enter the search path in text field [i] and set this path to be static or dynamic [j]. You may clear the search path with action link [k]. 4 The configuration window presents six text fields [l] & [m] for you to enter the LDAP server IP address, port, user name, password, base and timeout. You may configure up to three LDAP servers. Complete the task by clicking on the desired action link [n].


Multiple Domain LDAP Support 5 Select the sub tab Multi-Domain LDAP [g] to configure LDAP authentication to be performed across multiple domains/servers. Any configured servers will be accessible by selecting the desired domain from the selector [o] and the sort ready table. Click on the action link Add LDAP Server [p] (skip to step 6). Administrators may also configure custom search filters and group attributes [q] and [r] (see step 3 on the previous page for related filter and attribute information). 6 The configuration window presents a text field [s] for administrators to add or associate a new domain (previously configured domains appear in the sort ready table) as well as six text fields [t] & [u] for you to enter the LDAP server IP address, port, user name, password, base and timeout. You may configure up to three LDAP servers. Complete the task by clicking on the desired action link [v].


Site Configuration AAA Authentication


RADIUS The SPX is compatible with common RADIUS servers such as Microsoft RADIUS Server. Enter the RADIUS server's IP address, port (the default is 1812), number of retries, timeout period (the default is 5 seconds) as well as the secret password. The password string must match the shared secret configured on the RADIUS server for the SPX's IP address as seen by the RADIUS server. 5 Select the sub tab RADIUS [a] to configure for RADIUS authentication. Any configured servers will be listed in a sort ready table [b]. Click on the action link Add RADIUS Server [c]. 6 The configuration window presents five text fields [d] for you to enter the RADIUS server IP address, port, password, timeout and number of retries. You may configure up to three RADIUS servers. Complete the task by clicking on the desired action link [e].


Site Configuration AAA Authentication


Client Certificate The SPX has the ability to validate a certificate against the specified authentication database (LocalDB or LDAP) and the ability to verify and confirm that a trusted CA has signed it. The SPX will extract an administratively specified field (e.g. "Subject.CN") from the client certificate. If LocalDB contains an account whose username matches the value of this field, the user is successfully authenticated. 7 Select the sub tab Client Certificate [f]. Choose whether the validation method will use LocalDB [g] or LDAP [h] (if LDAP, proceed to step 8). Enter the search criteria for the certificate field [i]. If you need to clear the validation method, click on the action link Clear Validation Method [j]. The SPX may also validate the certificate against the LDAP server using either (1) single attribute match, where administrators define the mapping from a single field of the certificate's Subject (<cert_field>) to a single LDAP attribute (<cert_attribute>), or (2) complete DN match, where you configure a list of subject fields to be extracted from the certificate. The SPX will thread these fields with the base configured for the LDAP host to form the user's DN and will search the LDAP database for a record with a matching DN. 8 If you selected LDAP for the validation method then the configuration window will present three text fields for you to supply the certificate fields, attribute and UID attribute [k].
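The DN constructions from the LDAP authentication page (the static <dn_prefix><USER_NAME><dn_suffix> search path) and from the client certificate page (complete DN match and single attribute match), as an added example that is not Array Networks code. It assumes the certificate subject is available as a parsed dict (constructed here) and escapes the login name and subject values before they are spliced into a DN or filter, which the handbook's plain concatenation leaves implicit.

```python
"""Constructing the user's LDAP DN the two ways the handbook describes.

Added example, not Array Networks code. static_dn() is the
<dn_prefix><USER_NAME><dn_suffix> search path from the LDAP page;
complete_dn_match() is the client-certificate 'complete DN match' that threads
subject fields with the LDAP base; single_attribute_filter() is the 'single
attribute match'. Login names and certificate subjects are input the directory
did not produce, so values are escaped (RFC 4514 for DNs, RFC 4515 for search
filters) before being placed in a query. The subject dict at the bottom is a
constructed stand-in for a parsed certificate.
"""
from typing import Dict, List

_DN_SPECIAL = set(',+"\\<>;')          # RFC 4514 section 2.4


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def static_dn(dn_prefix: str, username: str, dn_suffix: str) -> str:
    """Handbook example: prefix 'cn=' and suffix ', ou=Eng, o=example.com'
    around the login name give 'cn=joe, ou=Eng, o=example.com'."""
    return dn_prefix + escape_rdn_value(username) + dn_suffix


def complete_dn_match(subject: Dict[str, str], fields: List[str], ldap_base: str) -> str:
    """Thread the listed subject fields, in order, with the LDAP base
    (RFC 4514 separator ',' without the handbook's cosmetic spaces)."""
    rdns = []
    for field in fields:
        if field not in subject:
            raise KeyError(f"certificate subject has no {field} field")
        rdns.append(f"{field.lower()}={escape_rdn_value(subject[field])}")
    return ",".join(rdns + [ldap_base])


def _escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 section 3)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def single_attribute_filter(subject: Dict[str, str], cert_field: str, ldap_attribute: str) -> str:
    """Map one subject field (<cert_field>) to one LDAP attribute
    (<cert_attribute>) and return the equality filter used for the lookup."""
    return f"({ldap_attribute}={_escape_filter_value(subject[cert_field])})"


if __name__ == "__main__":
    # Constructed subject, as a parsed client certificate might present it.
    subject = {"CN": "john", "OU": "Eng", "E": "john@example.com"}
    print(static_dn("cn=", "joe", ", ou=Eng, o=example.com"))
    print(complete_dn_match(subject, ["CN", "OU"], "o=example.com"))
    print(single_attribute_filter(subject, "E", "mail"))
```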


Site Configuration AAA Authorization


Unless a separate authorization method is selected when an authentication method is configured, authorization is performed using the same servers that are configured for authentication. If a separate authorization method is selected, authorization will be performed using a separate set of LDAP or RADIUS servers configured under this Authorization submenu. Note that separate authorization servers can be used either to retrieve user-to-group mapping information, or to retrieve complete authorization information. Administrators planning to use the same external servers for both authentication and authorization, or to store authorization information on LocalDB, may skip this section. 1 By selecting the Authorization tab [a] the configuration window will present three sub tabs [b]: LDAP, RADIUS and Group Mapping. Select the desired authorization method from the sub tabs [b].

LDAP 2 By default the configuration window will present the LDAP information page. On this page you will see any previously configured LDAP authorization servers displayed in a sort ready table [c]. To add an LDAP server click on the action link [d]. The configuration window will present a screen for you to supply the necessary LDAP data including the server IP, port, user name, user password, LDAP base and timeout [e]. Complete the setup by selecting the desired action link [f].



RADIUS 3 Configuring the SPX for separate RADIUS authorization is very similar to configuring the SPX for RADIUS authentication. Begin by clicking on the RADIUS sub tab [a]. On this page you will see any previously configured RADIUS authorization servers displayed in a sort ready table [b]. To add a RADIUS server click on the action link [c]. The configuration window will present a screen for you to supply the necessary RADIUS data including the server IP, port, secret password, timeout and number of retries [d]. Complete the setup by selecting the desired action link [e].


Group Mapping
1 By selecting the Group Mapping sub tab [a] the configuration window will present configuration elements for completion. In the text fields supplied [b], supply the LDAP attribute name, as a searchable string, that defines the group. Also supply an attribute to use as an identifier for the desired external RADIUS group. The attribute should be an integer identifying an element in the user profile stored on the server; for example, use 25 for the "Class" attribute. Numbers for other attributes are listed in the RADIUS RFC (RFC 2865). Assign a default group from the list of previously configured local or LDAP groups [c]. The table displays all existing group mapping configurations [d]. To add a new configuration click on the action link Add [e] and follow the steps as outlined.
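What Group Mapping consumes on the wire, as an added example that is not Array Networks code: a RADIUS Access-Accept is checked against the shared secret (the matching-password requirement from the RADIUS authentication page) and attribute 25 (Class) is read out and mapped to a group, with the default group used when the attribute is absent or unknown. The reply, shared secret and group table are constructed inline; the packet layout follows RFC 2865.

```python
"""RADIUS Access-Accept handling in the role the handbook gives the SPX: verify the
reply with the shared secret, then read attribute 25 (Class) for Group Mapping.
Added example, not Array Networks code; packet format per RFC 2865; the reply,
secret and group table are constructed so the exchange runs offline.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2                      # Access-Reject is code 3
ATTR_CLASS = 25                        # "Class", RFC 2865 section 5.25
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator
Attrs = List[Tuple[int, bytes]]


def encode_attributes(attrs: Attrs) -> bytes:
    """Serialise (type, value) pairs as Type, Length, Value triples."""
    out = bytearray()
    for typ, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return bytes(out)


def response_authenticator(code, ident, length, request_auth, body, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret) -> bytes:
    """Server side: a reply whose authenticator proves knowledge of the secret."""
    body = encode_attributes(attrs)
    length = HEADER.size + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def parse_attributes(body: bytes) -> Attrs:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((typ, body[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_response(packet, request_auth, secret) -> Tuple[int, Attrs]:
    """Client side (the SPX's role): drop any reply whose authenticator does not
    match the shared secret; this is what the 'password must match the shared
    secret' requirement enforces on the wire."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    body = packet[HEADER.size:length]        # octets past Length are padding
    expected = response_authenticator(code, ident, length, request_auth, body, secret)
    if not hmac.compare_digest(expected, auth):
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    return code, parse_attributes(body)


def map_group(attrs, group_attr, mapping, default) -> str:
    """Group Mapping: the configured attribute number's value selects a local or
    LDAP group; an absent or unknown value falls back to the default group."""
    for typ, value in attrs:
        if typ == group_attr:
            return mapping.get(value.decode("utf-8", "replace"), default)
    return default


def authorize(packet, request_auth, secret, mapping, default) -> Optional[str]:
    """Return the mapped group for an accepted user, None for a rejection."""
    code, attrs = verify_response(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return None
    return map_group(attrs, ATTR_CLASS, mapping, default)


# Constructed sample values, not taken from any deployment.
SECRET = b"example-shared-secret"
GROUPS: Dict[str, str] = {"vpn-admins": "admins", "vpn-staff": "staff"}


def demo() -> Optional[str]:
    request_auth = os.urandom(16)            # Request Authenticator from the Access-Request
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, [(ATTR_CLASS, b"vpn-staff")], SECRET)
    return authorize(reply, request_auth, SECRET, GROUPS, "default")
```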

AAA Accounting
RADIUS has a well-defined accounting mechanism built into the protocol. RADIUS accounting on the SPX will track all logins and logouts through RADIUS servers. The SPX will log all START and STOP records for each session. The START record is sent once the user has been authenticated. The new session will not begin until the RADIUS server sends confirmation of having received the START record from the SPX. The STOP record is sent when the session is terminated. Session termination includes user logout, timeout (lifetime or session) or the explicit termination of the session by administrators via the session kill command. RADIUS accounting only tracks the START and STOP records; other activities of the session are handled through the standard logging feature of the SPX.

RADIUS Accounting 1 Begin by clicking on the Accounting tab [a]; the configuration window will display a list of previously configured RADIUS accounting servers in a sort ready table [b]. Enable RADIUS accounting by clicking on the enable checkbox [c]. When enabling RADIUS accounting you must also select between Login/Logout or VPN Tunneling or both for proper accounting results [d]. To add a RADIUS server click the action link [e]. The configuration window will present a configuration page with text fields [f] for you to supply the RADIUS server's IP, port, secret password, timeout period and number of retries. Select the desired action link [g] to complete the setup.


Portal
The SPX provides a portal page that allows your users to easily and securely access protected content. After users authenticate using the SPX login page, they are presented with a portal page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page. 1 Make certain you are in Config Mode [a], have selected the desired virtual site [b] and have selected the Portal feature [c]. The configuration window will present the General Settings configuration page with three tabs: General Settings, Theme and External Pages [d], and two sub tabs: Common Settings and Portal Pages [e].

General Settings/Common Settings 2 Select the desired language for your portals from the selector [f]. If you intend to use a specific logo on the portal page, furnish the URL location or file path of the logo [g] and click the Import action link. Select whether users may change their passwords via the web portal [h] (the SPX does not natively support the ability for users to change their passwords, so this URL must refer to a page on a machine other than the SPX).

Select the desired format for the portal (HTML or WML) [i]. You may configure a specific character set to override the portal language configuration [j]. Enable the HTML Encoding feature [k]. 3 Click the desired finishing link [l].

General Settings/Portal Pages 4 By selecting the sub tab Portal Pages [m] you will be able to set up specific messages for your users. The first message is the Login Message; supply the text for the message in field [n]. To have the SPX remember the user, select checkbox [o] (remembering indicates the placement of the user's name within the message). 5 Supply the title and message for the custom welcome page in text fields [p].

Theme You may create/import specialty themes for portal pages. 7 Click on the tab Theme [q]. The configuration window will display a list of all previously entered themes in a sort ready table (if no themes have been entered then only two action links will appear [r]). Once themes have been added, this screen will change slightly (see step 10). To add a theme, click the action link [r]. 8 To add a theme, supply the name in the text field [s] and click on the action link of choice [t]. 9 To import a theme, supply the theme's zip file location (file or URL) [u] and name the imported theme [v]. If you choose to import a theme via the URL setting, then make certain the URL resource file is HTML. If you are importing a file, then the file is required to be a Portal Theme Object Archive. The Portal Theme Object Archive should be a .zip file with its contents extractable only into the same directory as the .zip file. Essentially, when the archive is extracted, all the files inside the archive should be extracted to the same directory where the archive .zip file resides, without creating any sub-directories. There should be only one object file in the archive, and this object file should be one of the following file types: html, css, js, htc, xml, .text or binary. The URL sources listed in the object file should always be relative and should correspond to the current directory, as the assets would be in the current directory. The name of the .zip archive file should be equal to the name of the object file inside the archive, including the file extension. For example, if the object file is obj1.html, then the portal theme object archive will have to be obj1.html.zip.
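A validator for the Portal Theme Object Archive rules just listed, as an added example that is not Array Networks code: it checks that the archive is named after its object file (obj1.html.zip for obj1.html), that every entry would extract flat into the archive's own directory, and that src/href/url() references inside an html, css, js or htc object are relative and resolve to files in the archive. The sample archives are built in memory with build_archive(); how the SPX itself validates an import is not described on the page.

```python
"""Validator for the Portal Theme Object Archive layout described above.

Added example, not Array Networks code. Checks performed: archive name is
<object file>.zip, every entry extracts flat (no sub-directories, no path
escapes), and src/href/url() references in an html/css/js/htc object are
relative and present in the archive. Sample archives are constructed in memory.
"""
import io
import posixpath
import re
import zipfile
from typing import Dict, List, Union

OBJECT_TYPES = {"html", "css", "js", "htc", "xml", "text"}   # anything else is treated as binary
TEXT_WITH_REFS = {"html", "css", "js", "htc"}
ABSOLUTE_PREFIXES = ("http://", "https://", "//", "/")
# src="..." / href='...' attributes and CSS url(...) values
REF_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']|url\(\s*["']?([^"')]+?)["']?\s*\)""", re.I)


def object_type(name: str) -> str:
    """Classify a file by extension into one of the handbook's object types."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in OBJECT_TYPES else "binary"


def validate_theme_archive(archive_name: str, data: bytes) -> List[str]:
    """Return the list of problems found; an empty list means the archive is acceptable."""
    problems: List[str] = []
    if not archive_name.lower().endswith(".zip"):
        return ["archive name must end in .zip"]
    object_name = archive_name[:-4]          # obj1.html.zip -> obj1.html
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        names = zf.namelist()
        for n in names:
            # Anything with a directory component would not extract flat beside the .zip.
            if n.endswith("/") or "/" in n or "\\" in n or n.startswith("..") or posixpath.isabs(n):
                problems.append(f"entry {n!r} would not extract flat into the archive directory")
        if object_name not in names:
            problems.append(f"object file {object_name!r} not in archive (name must be <object>.zip)")
            return problems
        if object_type(object_name) in TEXT_WITH_REFS:
            text = zf.read(object_name).decode("utf-8", "replace")
            for m in REF_RE.finditer(text):
                ref = m.group(1) or m.group(2)
                target = ref.split("#")[0].split("?")[0]
                if ref.startswith(ABSOLUTE_PREFIXES) or ":" in ref.split("/")[0]:
                    problems.append(f"reference {ref!r} is not relative")
                elif target and target not in names:
                    problems.append(f"reference {ref!r} points outside the archive")
    return problems


def build_archive(files: Dict[str, Union[str, bytes]]) -> bytes:
    """Create a zip in memory (used only to construct sample archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_archive({"obj1.html": "<img src='logo.png'>", "logo.png": b"\x89PNG"})
    print(validate_theme_archive("obj1.html.zip", good))
    bad = build_archive({"obj1.html": "<img src='https://example.com/logo.png'>", "img/x.png": b""})
    print(validate_theme_archive("obj1.html.zip", bad))
```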

Theme 10 You may add or import a portal theme by selecting the desired link [a] and then furnish the specific URL or theme name as required. On this page you will see a listing of all deployed portal themes displayed in a table [b].


Site Configuration Portal


When end users log in, an HTTP POST request is sent to the Array SPX. The data in the request contains several fields: there are fields for the username, password, and SecurID token code of the user. Note that the SecurID token code is only applicable if SecurID is used for authentication. If a custom login page is used, the custom page must specify the names of these various login fields, so that the Array SPX can properly authenticate users. If the custom portal content contains references to embedded content (images, applets, style sheets, etc.), administrators may need to define public URL policies that match the URLs of the embedded content. External Pages 1 By selecting the tab External Pages [a] and the Portal Pages sub tab you will be able to set up the custom page for your users. You may point to a URL for your company's custom logo [b]. You may also name the various fields your users will be required to fill out to gain access [c]. You may point to a URL for the SPX to present a custom welcome page [d], a URL for a custom password changing page [e], and a URL for a custom log out page [f].



Error Pages 1 Make certain you are in Config Mode, have selected the desired virtual site and have selected the Portal feature [a]. By selecting the tab External Pages and the Error Pages sub tab [b] you will be able to set up the error page for your users should they encounter some sort of issue regarding their session. 2 The configuration window will display any previously configured error pages in a sort ready table [c]. To add a new custom error page click on the action link Add [d]. When configured pages are listed you may delete one or more by selecting the desired pages from the table and clicking on the action link Delete. Use the selector Type to label the kind of custom error page being created [e]. Now supply the destination URL for the error page to be used in text field [f]. Complete the task by selecting the desired action link [g]. Newly added pages will be displayed in the table described in step 2.

Site Configuration Security Settings


Sessions
Make certain you are in Config Mode [a], have selected the desired virtual site and have selected the Security Settings feature. The configuration window will present the Sessions configuration page as well as tabs for Client Security, SSL Settings and Advanced [b]. Set the maximum number of concurrent sessions per unique login username (this applies if the global administrator has disabled session reuse for the site) [c]. You may also set the idle timeout period (in seconds) and/or the maximum session lifetime (in seconds) [d].



Client Security
Client Security allows administrators to scan the remote user's PC that is being used to access a virtual portal before the user is allowed to authenticate, and to determine whether the PC is allowed to ultimately connect to the virtual portal as well as what type of access methods will be made available to the authenticated user. Host Integrity allows administrators to determine whether the PC the user is using is up to date with company security policies. Administrators may inspect or determine whether a certain anti-virus product is installed or up to date, whether the personal firewall is sufficient, and a variety of other information elements. The Cache Cleaner functionality removes any temporary data stored by the browser during the user's session. Any cached credentials, cookies or pages from the beginning of the session to the end are deleted when the session is terminated. Client Security is enabled on a per-virtual-portal basis and applies to all users who are trying to connect to that portal. When a user connects to the virtual portal, a CS client-side component is downloaded to their browser (Client Security is not supported on the L3 VPN standalone client). The component is either a Java applet or an ActiveX object (this is determined automatically based on the user's OS and browser, so no configuration is required). The Client Security client-side component performs all host-integrity checks and enables the cache cleaner.



If the administrator already has an existing configuration file for Client Security saved on the SPX, this file will be automatically updated for the new Client Security feature and may be exported. However, pre-8.4.4.x release CS setting files saved externally cannot be imported to an SPX running 8.4.4.x ArrayOS. TwoStage Security is designed to give the administrator the opportunity to process a request from an unsecured device for limited access. With the TwoStage feature enabled, if the client is recognized as an admin-pre-defined device but fails the Host Integrity check, the client will be given the access configured for the Default Device. Administrators may add multiple devices (Corporate or Home PCs, Employee Laptops, etc.) and set each one's relative access level. Once all the devices are set up, administrators may set the order in which the devices will be checked as well as setting their specific access level. The default device will be created automatically for each virtual site/portal. These default device(s) do not have recognition settings and cannot be deleted. Devices are checked in the order they appear within this table. The order may be changed by using the up and down arrows. A device may be deleted by clicking on the garbage bin icon. If administrators want multiple devices with the same configuration parameters, after the first one is set up, click on the copy icon. This will require the administrator to name the new device, but the entire configuration will be copied from the source device. To modify the device configuration, double click the desired device in the table.



The Success URL/Failure URL are optional settings. If they are left blank, successful logins will pass to the Login page, while failed attempts will receive error information about why the connection failed. If administrators want custom Success or Failure pages, supply the corresponding URL. Multiple device attributes may be used to define a single device class by using the "and" and "or" radio buttons to create a logical condition. The device attributes may include any or all of the following: IP Address, DNS, IP Range, Domain, Registry, Gateway, Operating System.

When Host Integrity is enabled, Client Security will first perform all the necessary inspections. If any of the inspections fails, the user will be denied access to the Virtual Portal. Once the Host Integrity inspection is complete, Client Security will enable Cache Cleaner if needed. Host Integrity includes 5 inspection categories that can be performed:

Anti-Virus: Checking whether a specific anti-virus product (multiple products may be specified) is installed and how old its virus definition database is.
Personal Firewall: Checking whether a specific personal firewall (multiple products may be specified) is installed.
Service Pack: Checking what service pack is installed on the PC (supported packs include Windows XP SP1, Windows XP SP2, Windows XP SP3, Windows Vista SP1, Windows Vista SP2, Windows Server 2003 SP1 and Windows Server 2003 SP1).
Anti-Spyware: Checking whether a specific anti-spyware product (multiple products may be specified) is installed.
Custom: Allowing the administrator to check a Registry value, the existence of a file, the existence of an application (and whether it is running), the OS version of the PC and whether the user is an administrator on the PC. Multiple conditions can be specified to create comprehensive custom rules.

When the Cache Cleaner is enabled, it will monitor the virtual portal's domain name, and once the user leaves the virtual site, Cache Cleaner is triggered to delete the related cache.
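The device-class matching and TwoStage fallback described above, as an added Python model that is not Array's code: devices are checked in table order, each recognized through attribute conditions joined by "and" or "or", and a Host Integrity failure on a pre-defined device either denies access or, with TwoStage on, drops the client to the Default Device's access level. The attribute keys, the facts dict and the access-level labels are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the handbook's device classes and TwoStage fallback.
# The facts dict stands in for what the client-side component would report;
# its keys and the access-level labels are assumptions, not Array's names.
Facts = Dict[str, str]


@dataclass(frozen=True)
class Condition:
    attribute: str   # "ip_address", "dns", "ip_range", "domain", "registry", "gateway", "os"
    value: str

    def matches(self, facts: Facts) -> bool:
        if self.attribute == "ip_range":
            # an IP Range attribute is checked against the reported client address
            addr = facts.get("ip_address")
            if addr is None:
                return False
            return ipaddress.ip_address(addr) in ipaddress.ip_network(self.value, strict=False)
        actual = facts.get(self.attribute)
        return actual is not None and actual.lower() == self.value.lower()


@dataclass
class Device:
    name: str
    access: str                          # access level granted when this device is selected
    conditions: List[Condition] = field(default_factory=list)
    operator: str = "and"                # the "and" / "or" radio button

    def is_default(self) -> bool:
        # the auto-created Default Device has no recognition settings
        return not self.conditions

    def recognizes(self, facts: Facts) -> bool:
        if self.is_default():
            return True
        results = [c.matches(facts) for c in self.conditions]
        return all(results) if self.operator == "and" else any(results)


def classify(devices: List[Device], facts: Facts,
             host_integrity_passed: bool, two_stage: bool) -> Tuple[str, str]:
    """Return (device name, access) for a connecting client.

    Devices are checked in table order; the first recognized one wins. If it is a
    pre-defined device and Host Integrity failed, TwoStage downgrades the client to
    the Default Device's access; without TwoStage the client is denied. The Default
    Device's own access is granted as configured (assumption: the handbook does not
    say whether it too is gated by Host Integrity).
    """
    default = next(d for d in devices if d.is_default())
    for device in devices:
        if not device.recognizes(facts):
            continue
        if device.is_default() or host_integrity_passed:
            return device.name, device.access
        if two_stage:
            return default.name, default.access
        return device.name, "denied"
    return default.name, default.access


# Constructed device table, checked top to bottom (Default Device last).
DEVICES = [
    Device("Corporate PC", "full", [Condition("domain", "corp.example"),
                                    Condition("ip_range", "10.0.0.0/8")], "and"),
    Device("Home PC", "web_only", [Condition("os", "Windows XP"),
                                   Condition("os", "Windows Vista")], "or"),
    Device("Default Device", "limited"),
]

if __name__ == "__main__":
    laptop = {"domain": "corp.example", "ip_address": "10.1.2.3", "os": "Windows XP"}
    print(classify(DEVICES, laptop, host_integrity_passed=True, two_stage=False))
    print(classify(DEVICES, laptop, host_integrity_passed=False, two_stage=True))
```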


SSL Settings
Here you may further customize the SSL security settings of the SPX for a specific virtual site.

SSL Settings/General
1 Make certain you have selected the SSL Settings tab and General sub tab [a].
2 To enable SSL for the virtual site, select checkbox [b].
3 Select the SSL version to deploy on this virtual site [c]. SSLv3 and TLSv1 are the supported protocol versions.
4 Select checkbox [d] to enable the session reuse feature.
5 Select checkbox [e] to enable the Accept Certificate Chain from Peer feature.
6 Make certain to click the red Save Changes button [f] once the changes are complete.

SSL Settings/Client Authentication
7 Select the Client Authentication sub tab [g]. You may specify a CRL to be used with client authentication. These lists can be downloaded from the specified CRL Distribution Point at the desired time interval (1-24 hours). To enable this feature, select checkbox [h]. The window will display any currently configured CRLs in the sort ready table [i]. To add a new list, click on the action link [j] and go on to step 8.
8 Supply the CRL distribution point URL, CRL distribution point name and refresh rate [k] and click on action link [l] to complete.


Site Configuration SSL Settings


SSL Settings/Cipher Suites
You may set the minimum cipher strength of the browser (in terms of key size) that is required to access the virtual site. If a browser connecting to this virtual site does not support the encryption strength specified in the Minimum Acceptable Cipher Strength input field, it will be redirected to the URL specified in the Redirect URL input field.
1 Make certain you have selected the SSL Settings tab and Cipher Suites sub tab [a].
2 To enforce the minimum cipher strength, select checkbox [b] and proceed to step 4.
3 To adjust the list of supported cipher suites, assign the desired ciphers a specific priority using the selector located next to each supported cipher suite as listed in the sort ready table [c]. Note: changing the list of SSL ciphers is not generally recommended. If you have questions or think that changing the list is necessary, please call Array Networks technical support.
4 If you selected to enforce minimum cipher strengths, supply the minimum number of bits [d] as well as the destination URL for redirected clients who fail to meet the minimum cipher strength. Click the red Save button (when present) to save changes.


Site Configuration Advanced Networking: DNS


1 Make certain you are in Config Mode and have selected the Networking link. The SPX will display all configured hosts. Check Use Global DNS/WINS Setting if you wish the virtual site's DNS/WINS configuration to be the same as the global settings. To add a host, click on the Add link.
2 From this configuration page, you may edit or assign DNS IP addresses by clicking on the action links [a] (go to step 4), add or edit DNS search paths by clicking action link [b] (go to step 3), disable the DNS cache or alter the DNS cache settings with the checkbox and text fields [c], or simply clear the DNS cache by clicking on the action link [d]. Remember to click the Save Changes button after changing the DNS Cache settings.
3 Enter the correct search path [e] and click on the desired action link [f].
4 Enter the DNS IP address, in dotted IP format [g], and click on the desired action link [h].


Advanced Networking: WINS


1 Make certain you are in Config Mode and have selected the WINS tab. This configuration window is separated into three sections: WINS IP Addresses, WINS Broadcast Address and WINS Cache.
2 From this configuration page, you may edit or assign WINS IP addresses by clicking on the action links [a] (go to step 3), add or edit WINS broadcast addresses by clicking action link [b] (go to step 4), disable the WINS cache or alter the WINS cache settings with the checkbox and text fields [c], or simply clear the WINS cache by clicking on the action link [d]. Remember to click the Save Changes button after changing the WINS Cache settings.
3 Enter the WINS IP address, in dotted IP format [e], and click on the desired action link [f].
4 Enter the WINS broadcast address [g] and netmask [h]. Complete the configuration by clicking on the desired action link [i].


Site2Site
With the Site2Site solution, application access may be bidirectional: either end can initiate the connection, with SSL tunneling on demand or always enabled as a configurable option. Resources (application, host, or network) to be published are configured on the SPX on the server side network. The server side SPX informs the client side SPX of the resources to be published. The client side SPX provisions an available IP address range for the published resource on the client side network to prevent any network conflicts.
1 Make certain you are in Config Mode and have selected the Site2Site feature. The configuration window will present the Site2Site configuration page as well as tabs for Peer, Publishing, Provisioning and Policy [a]. Also on this page are a series of direct links for expediting the site2site configuration.
2 Enable this feature by selecting the checkbox. Supply the site ID in the field provided [b]. The site ID may be up to 20 characters in length. Each side of the site2site tunnel must have a unique site ID.
3 Click on the Peer tab [c]. The configuration window will display a table of previously configured peers. Action links allow you to disconnect all connections, connect/disconnect peers and add/delete peers. Click on the link Add Peer [d].
4 Define the peer by supplying the name (must match the remote SPX S2S site ID), network IP or host name and port [e]. Select the tunnel preference as being always on or on demand [f] and whether the opening of the tunnel requires additional authentication. Click action link [g] to continue.


5 Select the Publishing tab [a] to configure resources that will be made accessible to the remote SPX peers. Two configuration tables are displayed on this page: one for individual resources [c] and the other for grouped resources [b]. To add a resource, click on the action link Add Resource [d]. To add a group, click link [e] and skip to step 7.

6 Assign resources to be shared among the sites. You may define shared site2site resources as host names that need to be resolved by the network's DNS, an entire subnet of the network, or a specific service with a defined UDP, ICMP or TCP protocol [f]. Supply the host name and network IP [g] with port ranges [h]. Also specify the published host name that remote users will see [i]. Click the desired action link [j] to continue.

7 Configured resources may be grouped together. Create a group name and enter it in the text field/selector [k]. Now assign individual, previously configured resources (see step 6) via the selector [l]. Complete the group setup by clicking on the desired action link [m].


8 Once the resources have been defined, click on the sub-tab Local Address Translation [a]. On these configuration pages you will set up the IPs that will be used to manage incoming requests for services and to allocate network IPs to avoid conflicts. The configuration page displays two tables: one for configured DHCP servers and associated peers [b] and one for dedicated service IP ranges [c]. You may assign peers or add/delete DHCP servers (step 9) and IP ranges (step 10) by selecting the desired action links [d, e]. Once IP ranges are set, or mapped, they may be used as the default address when assigned using the selector [f].

9 Supply the DHCP server name and IP in the fields provided [g]. Assign or associate the desired peer to this configured DHCP server with selector [h]. Complete the setup by clicking action link [i].

10 Configure IP ranges for imported resources and remote clients (users) for site2site to map connection requests and service responses. These dedicated ranges will be used to avoid IP conflicts when sharing resources. Name the mapped IPs and specify the starting and ending addresses within the range inclusive [j]. Associate the dedicated IPs to a configured cluster [k] and specified peers [l]. Select the desired action from links [m].


11 Select the Published Resources sub tab [a]. The configuration window will display all configured resources. You may limit the resources displayed by using the selector [b]. The display table shows the configured services/groups [c], the peers associated with those resources [d], and the mapping method, category and status [e]. To make these resources available to remote peers on the site2site network, click action link [f].
12 To publish (or stop publishing) resources, indicate Resource Name or Group Name and specify the resource via the selector [g]. Use the selectors [h] to specify the remote peer being granted access to the resource and whether this access is transparent. Complete setup by selecting the desired action [i].
13 By selecting the Provisioning tab you will be able to view those remote resources that have been made available to the local SPX. The provisions refer to the users on the client side of the site2site tunnel. There are additional sub tabs for Resource Address Assignment, DNS, Resource Statistics and Connection Statistics. Specify the desired resource by selecting it from the table [j] and clicking the desired action link [k]. To assign a static address to a resource, see step 14.
14 If you wish to add a static IP for a network resource, you will need to supply the information called for by screen [l]; for all other resources you will see screen [m].


14 Very similar to the establishment of resources, you will now have to provision client IPs to avoid internal network conflicts. Click on the sub-tab Resource Address Assignment (sometimes referred to as Remote Address Translation) [a]. On these configuration pages you will set up the IPs that will be used to manage outbound requests for services. The configuration page displays two tables: one for configured DHCP servers and associated peers [b] and one for dedicated client IP ranges [c]. You may assign peers or add/delete DHCP servers (step 15) and IP ranges (step 16) by selecting the desired action links [d, e]. Once client IP ranges are set, or mapped, they may be used as the default address when assigned using the selector [f].

15 Supply the DHCP server name and IP in the fields provided and assign or associate the desired peer to this configured DHCP server with selector [g]. Complete the setup by clicking action link [h].

16 Configure client IP ranges for imported resources and remote clients (users) for site2site to map connection requests and service responses. These dedicated ranges will be used to avoid IP conflicts when sharing resources. Name the mapped IPs and specify the starting and ending addresses within the range inclusive [i]. Associate the dedicated IPs to a configured cluster [j] and specified peers [k]. Select the desired action from links [l].


17 Select the DNS sub tab [a] to view a table of existing DNS suffixes that are combined with the hostnames supplied by the peer SPX to create the site2site hostname. To add or remove a domain suffix, click on the desired action link [b].

18 Enter the new domain suffix that is to be added to the hostname that is received from the peer to form the provisioned hostname for that resource [c] and assign it to the desired peer via the selector. The publishing site specifies the hostname, the provisioning supplies the domain; together this creates the final site2site hostname. Click on the desired action link [d] to complete or continue the configuration.

19 Click on the tab Policy to set up the rules regarding the access to configured resources. The configuration page will display all currently set policies in a standard table. You may use the selector [e] to choose a specific rule to display. Click on the action link Add Policy [f] to continue the configuration.

20 Supply the rule name [g] with associated IP, netmask and port range in text fields [h]. Complete setup by clicking on desired action link [i].


21 Select the Policy Config sub tab [a] to continue. The configuration window will display two tables; one for policy groups [b] and the other for individual policies [c]. To configure policy groups, click on the Add Group action link [d] and skip to step 23. For individual policy configuration, click on the action link Add Policy [e] and proceed to step 22.

22 Set the policy name [f] and use the selectors [g] to set this policy's source and destination, respectively. Set the protocol and permission action with selectors [h]. Configure a priority value [i] (the lower the number, the higher the priority) and use the checkbox to indicate whether an alert message should be sent when the policy is used. Finally, associate this policy with a specific SPX peer via the selector [j]. Complete the policy configuration with action link [k].

23 Supply a name for the policy grouping [l] and use the selector [m] to assign policies to the created group. Use selector [n] to associate this group to a specific SPX peer. Complete the setup by clicking on the desired action link [o].


Local Users & Groups Local Users


The SPX allows you to create specific groups of users and authorize only specified content points on the network for these groups. This way, for example, you may set up separate, specific network destinations for the sales department and the marketing group, while granting executive staff access to both.
1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Local Users [a].
2 The configuration window presents a sort ready table displaying all currently configured users (a.k.a. accounts). To import an existing file or database of existing accounts, click the Import link [b] and proceed to step 3. To delete an account or user, select the user from the sort ready table [c] and click on Delete [b]. To add an account, or user, select the Add action link [b] and proceed to step 4.
3 Supply the file name [d] and click Import [e].

4 To add a user, supply the following information: user name [a], user password with confirmation [b] and whether to force a password change [c] upon the user's first visit (forcing the user to set their own custom password). All previously configured GROUPS will be listed in the sort ready table [d]. If groups are listed here, you may assign the newly created user to those listed groups. If you have not created any groups, you will be instructed how to create groups and assign users to them on the next page. There are four optional fields for granting your users file sharing preferences (see step 5). Click on the desired action link [e] to complete user setup.
5 OPTIONAL: To assign the newly created user to a work group with a static IP, supply the user ID [f], Group ID [g], the static internal IP address [h] and netmask [i]. Click on the desired action link [e] to complete user setup.


Local Users & Groups Local Groups



The newly added group will appear in the sort ready table described in step 2 above. To make edits to this newly created group simply double click the group name to be returned to the edit page.


Local Users & Groups Login Authorization


1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Login Authorization [a]. The configuration window will display two sort ready tables and a series of configuration tabs running along the top of the window [b]. Any previously configured account names and groups will be displayed in the sort ready tables [c] and [d].
Source IP - Account
2 The first configuration tab is for Source IP. This feature allows you to set additional security restrictions on specific users or groups. Click the Add link [e] to add a specific account/user. If you want to add a group, skip to step 3. Select the Account Name (user) from the selector [f]. Supply the restricted source IP and netmask in fields [g]. To complete this action, select the desired action link [h].
Source IP - Group
3 This feature allows you to set additional security restrictions on specific user group(s). Click the Add link [i] to add a specific group of users. Select the Group Name from the selector [j]. Supply the restricted source IP and netmask in fields [k]. To complete this action, select the desired action link [l].



MAC Address Authentication
1 To configure MAC based authentication for users, select the feature tab MAC Address [a]. (Note: This feature only supports browsers using ActiveX (IE) on Windows 2000 and XP editions.) If this is the first time configuring this feature, the configuration window will display the screen described in step 2; otherwise the screen will appear as described in step 3.
2 The configuration window for adding or editing a MAC authorization rule will have a selector for choosing a specific user [b] as well as three large data fields for entering the user's specific MAC addresses [c], Hard Drive ID (serial number) [d] and any specific executable path for ActiveX to obtain the necessary IDs [e]. Complete the setup by clicking the desired action link [f]. Users must match one rule for authorization.
3 The configuration window will display a sort ready table with all configured MAC based rules [g]. Double click any entry to edit (see step 2). To enable this feature, click on the enable checkbox [j]. Any changes to this screen will require you to click on the red save button for the changes to take effect. To set the default action for users without configured rules to Permit or Deny, choose the desired button [k]. Enable the SPX to authorize the user's MAC address and/or hard drive ID by selecting [l].



Date and Time
This feature allows you to set a specific date and time range during which users may access the network. Users will not be able to access the network except during these times.
1 Click the feature tab Date/Time [a]. The configuration window will display a sort ready table of all configured time sensitive authorization rules. To delete an entry, select the desired entry from the table [b] and click Delete [c]. To add a new entry, click the Add link [c]. To edit an entry, double click on the desired entry in the table [b]; an editing page similar to the page described in step 2 will open.
2 To set or edit a time based authorization rule, first select the desired Group from the selector listing existing groups [d]. Now set the start and end times using the selectors [e] for when the group may access the network. Check all desired days of the week on which you will allow this group to log in [f]. Set the dates (start and end) for which this rule applies [g]. To complete this setup, click on the desired action link [h].
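How such a rule is evaluated at login time, as an added Python example that is not Array's code: each rule carries a group, a daily start/end time, the permitted weekdays and a start/end date, and a user whose group has rules may log in only inside one of those windows. Handling of windows that wrap past midnight and of users with no rule is assumed, since the handbook does not state it.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import FrozenSet, Iterable, List

# Constructed model of a Date/Time authorization rule: a group, a daily start/end
# time, the permitted weekdays and the date range during which the rule applies.
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # Python's weekday() numbering


@dataclass(frozen=True)
class TimeRule:
    group: str
    start_time: time
    end_time: time
    weekdays: FrozenSet[int]
    start_date: date
    end_date: date

    def allows(self, when: datetime) -> bool:
        """True if the rule's window covers the moment `when`."""
        if not (self.start_date <= when.date() <= self.end_date):
            return False
        if when.weekday() not in self.weekdays:
            return False
        t = when.time()
        if self.start_time <= self.end_time:
            return self.start_time <= t <= self.end_time
        # a window such as 22:00-06:00 wraps past midnight (assumption: the
        # handbook does not say how the appliance treats such a range)
        return t >= self.start_time or t <= self.end_time


def login_permitted(rules: Iterable[TimeRule], user_groups: Iterable[str],
                    when: datetime) -> bool:
    """A user whose groups have rules may log in only inside one of those windows.
    Users with no applicable rule are treated as unrestricted (assumption)."""
    groups = set(user_groups)
    applicable = [r for r in rules if r.group in groups]
    if not applicable:
        return True
    return any(r.allows(when) for r in applicable)


# Constructed rules: office hours for sales, a night window for operations.
RULES: List[TimeRule] = [
    TimeRule("sales", time(8, 0), time(18, 0), frozenset({MON, TUE, WED, THU, FRI}),
             date(2011, 1, 1), date(2011, 12, 31)),
    TimeRule("ops", time(22, 0), time(6, 0), frozenset(range(7)),
             date(2011, 1, 1), date(2011, 12, 31)),
]

if __name__ == "__main__":
    # 2011-03-15 is a Tuesday, 2011-03-19 a Saturday
    print(login_permitted(RULES, ["sales"], datetime(2011, 3, 15, 9, 30)))   # True
    print(login_permitted(RULES, ["sales"], datetime(2011, 3, 19, 9, 30)))   # False
```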



Login Failure Lockout
This feature allows you to set a restriction whereby a user who has repeatedly attempted to log in unsuccessfully may be locked out permanently or for a specified period of time.
1 To configure, select the Login Failure Lockout tab [a].
2 To enable this feature, click on the enable checkbox [b]. Set the maximum number of consecutive login attempts [c]; the default is 10. Set the duration of the lockout period, in seconds [d]; the default is 99999999 (3 years). Any locked out accounts will be listed in a sort ready table. To remove an account from the list of locked out accounts, select the user and click on the action link Unlock or Unlock All.
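The counter behind this feature, as an added Python model that is not Array's code: consecutive failures are counted per account and reset by a success, reaching the configured maximum locks the account for the configured number of seconds (the handbook's defaults of 10 attempts and 99999999 seconds are used), and the Unlock / Unlock All actions clear the lock. Whether a correct password is rejected during a lockout is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Handbook defaults for the Login Failure Lockout feature.
DEFAULT_MAX_ATTEMPTS = 10
DEFAULT_LOCKOUT_SECONDS = 99999999   # about 3 years, i.e. effectively permanent


@dataclass
class LoginFailureLockout:
    """Constructed model of the lockout counter: consecutive failures are counted
    per account, a success resets the count, and reaching the limit locks the
    account until the lockout period expires or an administrator unlocks it."""
    max_attempts: int = DEFAULT_MAX_ATTEMPTS
    lockout_seconds: int = DEFAULT_LOCKOUT_SECONDS
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # period elapsed: lift the lock
            self.unlock(user)
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns "locked", "ok" or "failed". A correct password during a lockout
        is still rejected (assumption: the lock is on the account, not the secret)."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)     # only *consecutive* failures count
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"

    def locked_accounts(self, now: float) -> List[str]:
        """The sort ready table of locked out accounts, with expired locks dropped."""
        return sorted(u for u in list(self.locked_until) if self.is_locked(u, now))

    def unlock(self, user: str) -> None:      # the Unlock action link
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def unlock_all(self) -> None:             # the Unlock All action link
        for user in list(self.locked_until):
            self.unlock(user)


if __name__ == "__main__":
    lk = LoginFailureLockout(max_attempts=3, lockout_seconds=60)
    for t in range(3):
        print(lk.record_attempt("alice", False, t))   # failed, failed, locked
    print(lk.locked_accounts(now=10))                  # ['alice']
```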


Access Methods
Web Access
The SPX provides a portal page that allows your users to easily and securely access protected content. After users authenticate using the SPX login page, they are presented with a portal page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page.
Basic Settings
1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Web Access. The configuration window will display configuration tabs [b] (the default landing page is Basic Settings). Any previously configured web links will be listed in the sort ready table [c].
2 To add a web link for your users, click on the Add Weblink link [d] and go to step 3. The bottom of the configuration page has four settings that set browsing rules for the virtual site portal [e]. These settings include the display of a URL bar on the portal homepage, display of the navigational tool (with or without a URL bar), whether to open accessed links in a new window and whether to allow bookmarking from the virtual site.
3 Supply the web link's URL in field [f] and description [g]. Now assign the link's position on the portal homepage [h] in ascending order. If no position is given, links will be displayed in the order configured/created. Complete the task by selecting the desired action link [i].


QuickLink
QuickLink is a clientless access method that allows SPX users instant access to web content originating from the internal network, most times from servers that are not exposed to access from the outside. Rather than doing full content parsing and rewriting, QuickLink uses a unique hostname or a unique port to represent the backend web server. This way parsing and rewriting are greatly simplified and streamlined. When backend web content goes through the SPX, only absolute paths with hostnames are rewritten to the configured unique hostname or port. This feature is a pure web based SSL VPN solution requiring no plug-in and no client, making QuickLink platform and browser neutral.
1 Click on the tab QuickLink [a]. A sort ready table will be displayed showing all previously configured QuickLinks; double click on an entry to edit. To add a new QuickLink, click the Add link [b].
2 Configure the link's destination ID, mode (path, port or hostname), the URL, the destination path, link description and link position (optional) in the fields provided [c]. Click on the desired action link to complete setup [e].
Supported features with QuickLink include [d]: ACL Support, SSO, Client-Auth Authentication, HTTP Client Certfield, Custom Rewrite, Book Marking, Portal Theme Configuration and SharePoint. Note: URL Masking is NOT supported with QuickLinks. Rewrite must be enabled for QuickLink to work (CLI: rewrite on).


Access Methods- Web Access


LinkDirect
LinkDirect offers a more streamlined end user experience for web applications that require more robust L4 support, such as Flash based applications that require hardcoded internal IP addresses. This feature is only available for IE browsers running on Windows XP/2000/V.
1 Click on the tab LinkDirect [a]. Near the center of the display is a checkbox to enable client DNS, where the DNS request will go to the client DNS system first and only be sent to the SPX if the local system cannot resolve it [b]. The configuration window will display two sort ready tables: one for configured links and the other for configured rules (IP/port designations for L4 tunnels) [c]. To add a link location, click on action link Add [d]. To configure a new rule, click on action link Add [e]. To edit existing entries in either table, double click on the entry.
2 Create an L4/Web Resource Mapping link on the portal page of the virtual site. Note: These links only apply if a custom portal page has not already been specified with the "portal custom" operation. Specify the destination URL, description and optional link_position [f]. If no values are given for link positions, the links will be placed after all of the previously configured links. Click on the action link [g] to complete the setup.
3 Configure 0~10 IP/Port rules. When the portal LinkDirect connection request falls within a rule, the connection will be tunneled through L4. This operation should only be used when embedded objects (ActiveX, Java or Flash) need to open connections to backend servers other than the main web server. Enter the IP and port range [h]. Complete by selecting [i].



Web Resource Mapping: Rewrite Parameter
With Array's Web Resource Mapping (WRM) technology, links embedded in HTML and JavaScript content are rewritten so that client HTTP requests are sent to the virtual site instead of directly to internal servers; in essence this allows administrators to hide the internal network architecture by only exposing one domain and IP address to the public Internet.
1. By selecting the Web Resource Mapping tab [a], the configuration window will display sub tabs for Rewrite Parameter (default landing tab), Advanced Settings and Custom Rewrite [b]. A sort-enabled table [c] displays any previously established rewrite rules. To edit or change an existing rule, simply double click on the table entry.
2. To add a rewrite rule, click on the action link Add Rule [d] and proceed to step 3. The SPX will rewrite parameter tags mainly used by ActiveX and JavaScript objects. For network requirements using custom tag information you may set the matching method to either exact or substring [e]. By setting this feature to exact, the SPX will not rewrite the tags unless there is an exact match with the name of the parameter, regardless of whether the values are rewritten.
3. To configure a rewrite rule, supply an ID value [f], the HTML parameter name to be rewritten [g], the parameter type to be rewritten (URL or SPX Host Name) [h], the separator (specifies how the elements of the list are separated from each other) [i] and the index (only rewrite certain items in a list of values that are separated) [j]. Complete the task by selecting the desired action link [k].


Web Resource Mapping: Custom Rewrite
1. By selecting the Custom Rewrite sub tab [a], the configuration window will present sort-enabled tables [b] that display any previously established rewrite rules, files and/or imports. To edit or change an existing rule, simply double click on the table entry.
2. To add a custom rewrite rule, click on the action link Add [c] and proceed to step 3. To add a custom rewrite file, click the Add button [d] and proceed to step 4. To import a custom rewrite, click the Import button [e] and proceed to step 5.
3. To add a custom rewrite rule, supply the following information: rule ID, rewrite position ("pre" or "post"), the URL pattern and the sed script [f]. When complete, click on the desired action link [g].
4. To add a custom rewrite file, supply the URL and file name [h], then click on the desired action link [i].
5. To import a custom rewrite, supply the local path and file name [j], then click on the desired action link [k].



Web Resource Mapping: Advanced Settings
1. Select the Advanced Settings sub tab [a]. The configuration window will display three distinct sections: Rewrite Settings, HTTP Settings and URL Properties.
REWRITE SETTINGS: Web resource mapping is enabled by default. To disable WRM for a specific virtual site, select checkbox [b] and supply the domain host and IP in the fields when they appear [e]. If you would like to mask the internal URLs, enable Dynamic Masking and/or mask file names, select checkbox(es) [c] and [f] respectively. Other rewrite settings include whether to pass through the expiration clause from the backend server, wrap JavaScript event handlers and rewrite ETags. Make the desired selections via checkboxes [d].
HTTP SETTINGS: This section has two checkboxes [g]; one to enable SPX support for OWA when WRM is disabled, the other to disable browser caching.
URL PROPERTIES: To add a URL property, click on the action link [h]. Select either WRM (the URL will NOT be rewritten) or accept encoding (disables the insertion of an Accept-Encoding header on a per-URL basis) [i]. Supply the URL in text field [j]. Complete the task by selecting the desired action link [k].
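The following is an added example, not Array Networks code, that models what the Rewrite Parameter, Custom Rewrite and Advanced Settings pages above describe: absolute links to internal hosts are rewritten so the browser only ever talks to the virtual site, URLs listed under the WRM URL property are left alone, and custom "pre" and "post" rules run before and after the built-in rewrite when the page URL matches their pattern. The virtual site name, the internal host list, the `/prx/` path layout and the sample HTML are all constructed for the example and are not the SPX's own encoding.

```python
"""Toy model of Web Resource Mapping (WRM) link rewriting with custom rules.

Added example, not Array Networks code. The virtual site name, internal
hosts, path layout and sample input are constructed for this example.
"""
import re
from urllib.parse import urlsplit

VSITE = "https://vpn.example.com"                            # constructed
INTERNAL_HOSTS = {"intranet.corp.local", "wiki.corp.local"}  # constructed

# href/src/action attributes in HTML; a real rewriter also handles JavaScript.
_ATTR_RE = re.compile(r'(?i)\b(href|src|action)\s*=\s*(["\'])(.*?)\2')


def rewrite_url(url, internal_hosts=INTERNAL_HOSTS, no_rewrite_urls=()):
    """Return the virtual-site form of an absolute URL to an internal host.

    Relative URLs, URLs to other hosts and URLs in the no-rewrite list
    (the Advanced Settings 'WRM' URL property) come back unchanged.
    """
    if url in no_rewrite_urls:
        return url
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in internal_hosts:
        return url
    # Carrying scheme and host in the path is this example's assumption; it is
    # not the encoding the SPX itself uses.
    out = f"{VSITE}/prx/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


def rewrite_html(html, page_url, internal_hosts=INTERNAL_HOSTS,
                 no_rewrite_urls=(), custom_rules=()):
    """Apply 'pre' rules, the built-in attribute rewrite, then 'post' rules.

    custom_rules: iterable of (position, url_pattern, regex, replacement),
    standing in for the rule ID / position / URL pattern / sed script fields.
    A rule applies only when url_pattern matches page_url.
    """
    def apply(position, text):
        for pos, url_pattern, regex, repl in custom_rules:
            if pos == position and re.search(url_pattern, page_url):
                text = re.sub(regex, repl, text)
        return text

    def sub_attr(m):
        attr, quote, url = m.groups()
        return f"{attr}={quote}{rewrite_url(url, internal_hosts, no_rewrite_urls)}{quote}"

    html = apply("pre", html)
    html = _ATTR_RE.sub(sub_attr, html)
    return apply("post", html)
```

The "post" rule in the test below shows why the Custom Rewrite tab exists: a hostname hard-coded inside a JavaScript string is invisible to the attribute rewriter, so without a custom rule the browser would try to reach the internal host directly and fail, or leak the internal name.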



Server Access: General Settings
1. Select the Server Access tab [a] and the sub tab General Settings [b].
2. In this configuration window there are enable/disable choices relating to the backend servers and web access. Enable Single Sign On (SSO) [c]: by enabling this option, the SPX will attempt to authenticate with backend servers using the end user's login username and password. This feature only works with backend servers that require NTLM or Basic HTTP authentication (or no authentication at all). Various features (including header insertions, redirections and cookie management) may be enabled via checkboxes [d]. Administrators may wish to insert an x-client-certificate header into the request if an SSL client certificate is given, or insert an X-SSO-USER header, which adds an X-SSO-USER HTTP header carrying the username to every request made from the SPX to the backend server; this includes requests generated from portal pages. Pass Session Cookie to Origin Server: by default, the SPX strips its session cookie out of every request before it forwards the request to the backend server; enabling this feature causes the SPX to leave session cookies in proxied requests. Administrators can let users access multiple backend applications without re-entering their credentials. There is an SSO POST table displaying the current SSO POST configuration settings. To add an SSO user, click the Add link [f].


Administrators may configure multiple SSO POST pages per virtual site. The <hostname> parameter indicates the host name of the backend server; <login url> refers to the login page (the pair of <hostname> and <login url> should be unique per virtual site); the <username field> and <password field> are required for user authentication. The optional [post host] setting refers to the POST target and should be entered as the hostname if the target is indeed the same location as the value entered for the <hostname> parameter; if the POST target is different, administrators should enter the specific target with this optional setting, including the port designation if needed, e.g. www.testhost.com:8888. The optional parameter [post url] refers to the URL to direct the POST to if different from the <login url>. The optional parameter [other post fields] refers to a set of fixed attributes that are sent with the POST; e.g. if a fixed domain and department are to be sent along with the POST credentials, this would be entered as domain=arraynetworks.net&deptname=eng. The option [bookmark enable] instructs the SPX to resend the POST so that end users will not be prompted to supply credentials to visit multiple locations on the backend; e.g. if a user times out while using OWA in the middle of composing a new message, enabling this feature will allow the user to re-login and return directly to the new message as opposed to going to the traditional starting point [g]. Select and click the desired action link [h]. Make certain to click the red save button when finished.
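As an added example (not Array Networks code), the function below assembles the backend login POST that one SSO POST entry describes: it combines the hostname, login url, username/password field names and the optional post host, post url and other post fields into the target URL and the form-encoded body, and it checks the uniqueness rule for (hostname, login url) pairs. The entry values are constructed, and the `https` scheme for the target is an assumption of the example.

```python
"""Assemble the backend login POST described by an SSO POST entry.

Added example, not Array Networks code. Entry values are constructed and the
target scheme is an assumption.
"""
from urllib.parse import parse_qsl, urlencode


def build_sso_post(entry, username, password, scheme="https"):
    """Return (target_url, body) for one entry.

    entry keys mirror the form: hostname, login_url, username_field,
    password_field and optional post_host, post_url, other_post_fields.
    """
    host = entry.get("post_host") or entry["hostname"]   # may carry ":port"
    path = entry.get("post_url") or entry["login_url"]
    if not path.startswith("/"):
        path = "/" + path
    # Fixed attributes like "domain=arraynetworks.net&deptname=eng" go first,
    # then the user's credentials under the configured field names.
    fields = parse_qsl(entry.get("other_post_fields", ""), keep_blank_values=True)
    fields.append((entry["username_field"], username))
    fields.append((entry["password_field"], password))
    return f"{scheme}://{host}{path}", urlencode(fields)


def duplicate_login_pages(entries):
    """(hostname, login url) must be unique per virtual site; return offenders."""
    seen, dups = set(), []
    for e in entries:
        key = (e["hostname"].lower(), e["login_url"])
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups
```

Because the body carries the user's SSL VPN password, an SSO POST entry is effectively a credential forwarder: configure it only for backends you control and reach over TLS, and keep the (hostname, login url) pairs unique so a request cannot be matched to the wrong login page.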

Web SSH
4. To configure a portal link to a web-based SSH resource, click on SSH and enable the feature [i], then supply the hostname, port and link position [j].



Server Access: Proxy Settings
You may use the SPX to communicate with HTTP servers through a non-transparent HTTP proxy. When this feature is in use, the SPX sends all HTTP and HTTPS requests to the configured proxy, which in turn contacts the appropriate content servers (or the next proxy in the chain). When a proxy is in use, the SPX does not resolve the DNS names of backend servers. This affects the operation of the configured ACLs: if a given ACL matches the host name of a backend server but not the IP address, the SPX will not enforce the ACL when the backend server is accessed via its IP address.
1. Select the Server Access tab [a] and the sub tab Proxy Settings [b].
2. Supply the HTTP host name (or IP) and port [c] or supply the HTTPS host name (or IP) and port [d].
3. You can set the SPX to automatically detect forward proxy settings using a script. The SPX will fetch the URL specified in the command and will execute the script for every request received by the virtual site, using the script results to decide which forward proxy to use. Supply the URL for the SPX to fetch the script [e]. Make certain to click the red save button when finished.


Server Access: Compression Settings
URL policies for HTTP compression allow the administrator to disable compression on a per-URL basis. Please note that the keyword parameter is limited to 200 bytes.
1. Existing policies are displayed in the sort-ready table [a]. To edit an entry, double click on it; to delete an entry, single click on it and select the action link Delete [b].
2. To add a policy, click on the action link Add [b]. Assign the policy's priority from 0 to 65535; the lower the value, the higher the priority. Supply the priority for the policy and the keyword in fields [c].
3. Click on action link [d] to complete the setup.

Server Access: Application Redirect
When a redirect rule is configured, the SPX will redirect all requests that have the "external host" in the Host header to the configured host of the virtual site.
4. Select the sub tab Application Redirect [e] to see a table of configured redirection policies. Click the Add link [f] to create a new policy or double click on the desired table entry to change an existing policy. Supply the external host name [g], choose the access type (web or L4) [h] and the application identifier with IP and port values [i]. For access type "L4", the SPX will open an L4 tunnel to the redirect target server. Note: for HTTP application redirect to work properly, the site should have rewrite off and http statefulredirect enabled. Click the desired action link [j] to complete the configuration.


Server Access: Certificate Forwarding / X-Client-Certificates
This feature allows you to forward specific certificate field(s) to the backend server as well as customize the field name that will be accepted by the backend server. The Header method passes the specific field, with the customized name if one is defined, in an HTTP header to the backend server. If the customized name is NULL, the system will use the default value. The URL method passes the specific field, with the customized name if one is defined, in the URL request to the backend server. The Field Name is the standard name for the certificate section. The SPX supports the following options: subject, issuer, subject_rev, issuer_rev, serial, notbefore, notafter, common name. The Customized Name specifies the field name to replace the standard name defined in the previous parameter.
1. Click the sub tab Certificate Forward [a] and the SPX will display a table of previously configured forwarding policies [b]. Click the Add action link [c]. Set the method for the policy [d]. Supply the backend server's URL [e]. You may customize the policy [f]. Complete the configuration by clicking on the desired action link [g].
Click the sub tab X Client Certificate and the SPX will display a table of previously configured Object IDs (OIDs). Specify (reset/display) the RDN separator character for the client certificate DN transferred to the backend server, and the <position> of the separator character, pre or post. Click the Add action link to name the OID and customize the OID name of the client certificate field transferred to the backend server.



URL Policies
URL Policies allow administrators to control what web content the SPX will serve. It is usually not desirable for clients to use the SPX to access publicly available Internet content. By setting up URL policies, administrators may ensure that the SPX is used only for its intended purpose: secure access to private content.
1. Select the URL Policies tab [a]. The configuration window will display all configured policies in a sort-enabled table [b]. Set the default URL policy type to either internal or external [c]; this is the policy the SPX applies when it receives a request that doesn't match any established policy. To add a new policy, click on the action link Add URL Policy [d]. Configure the SPX to proxy requests that match the desired policy [e]. The SPX will not require a session cookie in requests that match a "public" policy. Assign the policy's priority from 0 to 65535; the lower the value, the higher the priority [f]. If a URL matches two policies, the matching policy with the highest precedence (lower priority value means higher precedence) will be used to determine whether the requested URL is internal, external, or public. Configure any keywords used to specify which URLs the policy will match [g]; if the requested URL contains the keyword as a substring, then the policy matches. Make certain to click the red save button when finished.
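The added example below (not Array Networks code) models the matching rules stated for URL Policies: the keyword is matched as a substring of the requested URL, priorities run 0 to 65535 with lower values winning, unmatched requests fall back to a default of internal or external, and only "public" matches are served without a session cookie. It reuses the same priority/keyword scheme for the per-URL compression policies of the Compression Settings tab above, whose keyword is capped at 200 bytes. All policies and URLs in it are constructed.

```python
"""Resolve which URL policy governs a request, and whether compression is off.

Added example, not Array Networks code. Policies and URLs are constructed.
"""
from dataclasses import dataclass

KEYWORD_MAX_BYTES = 200                     # stated limit for the keyword field
POLICY_TYPES = ("internal", "external", "public")


@dataclass(frozen=True)
class KeywordPolicy:
    priority: int      # 0-65535; lower value = higher precedence
    keyword: str       # substring looked for in the requested URL

    def __post_init__(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError("priority must be 0-65535")
        if len(self.keyword.encode("utf-8")) > KEYWORD_MAX_BYTES:
            raise ValueError("keyword exceeds 200 bytes")

    def matches(self, url):
        return self.keyword in url


@dataclass(frozen=True)
class UrlPolicy(KeywordPolicy):
    ptype: str = "internal"   # internal, external or public

    def __post_init__(self):
        super().__post_init__()
        if self.ptype not in POLICY_TYPES:
            raise ValueError("unknown policy type")


def classify_url(url, policies, default="internal"):
    """Type of the highest-precedence matching policy, else the default."""
    if default not in ("internal", "external"):
        raise ValueError("default policy must be internal or external")
    hits = [p for p in policies if p.matches(url)]
    if not hits:
        return default
    return min(hits, key=lambda p: p.priority).ptype


def session_cookie_required(url, policies, default="internal"):
    """Only requests matching a 'public' policy are served without a cookie."""
    return classify_url(url, policies, default) != "public"


def compression_disabled(url, comp_policies):
    """True if any compression policy keyword is a substring of the URL."""
    return any(p.matches(url) for p in comp_policies)
```

Substring matching is generous: a keyword such as "/public" also matches "/publications", so when reviewing a policy set, run the candidate URLs through `classify_url` and check that nothing sensitive resolves to "public", which would be served without the session cookie.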



Access Methods-File Access


Basic Settings
1. Make certain you are in Config Mode for the desired virtual site and have selected the feature link File Access [a]. The configuration window will display three configuration tabs [b] (the default landing page is Basic Settings). The other tabs are CIFS Services and Statistics.
2. To display a navigation bar for users to access files, select checkbox [c]. Enable CIFS or NFS functionality by selecting box [d]. To set up a default workgroup for CIFS file sharing per virtual site, supply the default workgroup or domain name in field [e]; if a default workgroup is given for a virtual site, that workgroup will be used for any CIFS links that do not specify workgroups of their own.
CIFS Services
3. Select the CIFS Services tab [f]. Previously configured services will be displayed in table [g].
4. To add a service, click on the Add Service action link [h]. To configure a CIFS link for file sharing, supply the text for the link in field [i] and define the service in field [j]. The proper format for the service parameter is "//<server>/<share>" where <server> is the name or IP address of a CIFS server and <share> is the name of a shared folder on that server. The name required is a NetBIOS server name. On systems deploying WINS, the hostname and the NetBIOS server name must be the same. Depending on the specific requirements of the deployed file server, the Workgroup parameter for the SPX will have to contain either the file server's domain name or the file server's workgroup name [k].


NFS Fileshare
The NFS Fileshare feature allows you to create a link to an NFS/Unix shared directory. On systems deploying WINS, the hostname and the NetBIOS server name must be the same.
5. Select the NFS Fileshare tab [a]. Previously configured services will be displayed in table [b]. To edit an entry, double click on the desired link label to enter the screen (the same as the Add screen described below). To add a file share link, click on the action link Add NFS Link [c]. To add (or edit) an entry, supply data in fields [d]; the <remote_host> and <path> parameters specify the location of the shared directory. Finish by selecting action link [e].


Access Methods Mail Services


This feature allows you to map one protocol service (IMAPS or SMTPS) from the virtual site to the backend, only when the virtual site host is EXCLUSIVE. The listen port is the port used by the SPX to listen for the IMAPS or SMTPS protocol (typically IMAPS=993, SMTPS=465); server IP is the IP address of the mail server; server port indicates the port used by the mail server for IMAP or SMTP (typically IMAP=143 (IMAP3=220), SMTP=25).
IMAPS Proxy Server
1. Make certain you are in Config Mode for the desired virtual site and have selected the feature link Mail Services [a]. The configuration window will display three configuration tabs [b] (the default landing page is IMAP Proxy Server).
2. Supply the listen port [c], server IP [d] and port [e]. If you would like this feature to deploy AAA settings, select checkbox [f].
SMTPS Proxy Server
3. Select the SMTPS Proxy Server tab [g]. Supply the listen port [h], server IP [i] and port [j].



Advanced Settings
1. Select the Advanced Settings tab [a]. All configured aliases will be displayed in the sort-enabled table [b]. To define additional IPs to be used as source IPs for backend server connections, click on the action link Add Alias IP [c]. Supply the alias IP in field [d] and click on the desired action link [e] to complete the configuration.


Access Methods Thin Client Support


1. Make certain you are in Config Mode for the desired virtual site and have selected the feature link Thin Client Support [a]. To enable Thin Client Support, click the checkbox [b]. You may specify which modules are enabled and the order in which their respective links appear within the TCS popup window by using the Link Order selector [c]. Click the red SAVE CHANGES button to commit these changes to the running configuration.

Published Applications
The Published Applications thin client provides simple access to applications published on Microsoft Terminal Services using the SPX. By enabling the TCS feature and the module PubApps (Published Applications) you are ready to continue to the Configurator by double-clicking on the desired module from the displayed list.
4. The Configurator configuration page for PubApp displays tabs and sub tabs for General Settings, Applications & Servers and Folders [e]. On this first page you may set Terminal Services, the URL to a Microsoft Web RDP client cab file, and Verify At Startup, which instructs the SPX to verify the existence of the Microsoft Web RDP client component on the end user's host when the user starts the thin client. If the component is not found, the SPX will download the component from the URL specified in the Terminal Services property [f].


Single Sign-On: the logon settings area includes the following parameters: Enabled, with which the SPX will not prompt the user for credentials upon startup but will instead extract the user information from the single sign-on information provided by the Array SPX; and Default Domain, the default value that will be used as the domain [g]. Click the red SAVE CHANGES button to commit these changes to the running configuration.

Applications & Servers
7. By selecting the Applications & Servers sub tab you may now configure the specific applications to be supported and their locations [h]. Click the action link Add [i] to add applications (proceed to step 8, next page) or click on the action link Add [j] to add application servers to the setup (proceed to step 11, next page).


To add applications through the configurator:
8. Click the enable box to make certain the added application will be active [a]. Supply the application information [b], including the application's name, description, location, folder, application window dimensions in pixels (-1 x -1 will open the application window full screen) and color depth (default, 256 colors, high color 16 bit or true color 24 bit). You may also associate an icon with this application. Set the redirection strategy controls for where this specific remote application resource will be mapped to, including drives, ports, printers or smart cards [c].
10. Complete this portion of the configuration by clicking on the desired action link [d].
To add servers through the configurator:
11. Supply the application host server's IP, type and port [e].
12. Enable this server to be called by users wishing to access the configured application [f].
13. Complete this portion of the configuration by clicking on the desired action link [g].


Folders
Folders are used to create logical groups of applications. Each application can be assigned to one folder (by default all applications are assigned to the root folder).
1. By selecting the Folders sub tab you may now add and name folders to better organize the TCS applications. Any previously configured folders will be displayed beneath the My Applications icon [a].
2. To add a new folder, click the My Applications icon [a] and then click the action link Add [b].
3. Supply the name of the newly created folder in the text field [c] and click action link [d].
4. The newly added folder will appear within the My Applications master folder [e]. You may add folders within the newly created folder in the same manner as this first folder was created. Note the icon change when folders are enclosed within other folders [f]. Use the action buttons [g] to open or close all folders contained within the master folder.


TCS Configurator
The TCS Configurator provides simple access to applications published on Microsoft Terminal Services using the SPX. By enabling the TCS feature and the TCS module you are ready to continue to the Configurator by double-clicking on the desired module from the displayed list.
4. The Configurator configuration page for PubApp displays tabs and sub tabs for General Settings, Applications & Servers and Folders [e]. On this first page you may set Terminal Services, the URL to a Microsoft Web RDP client cab file, and Verify At Startup, which instructs the SPX to verify the existence of the Microsoft Web RDP client component on the end user's host when the user starts the thin client. If the component is not found, the SPX will download the component from the URL specified in the Terminal Services property [f].


TCP Applications
The SPX provides secure remote access to legacy application servers within the network. This feature supports most fixed-port TCP applications, including common mail applications. Once configured, users may securely access applications from most Windows and recent Macintosh clients running a current web browser (IE or Netscape) with Java support.
General Settings
1. Make certain you are in Config Mode for the desired virtual site and have selected the feature link TCP Applications [a]. The configuration window will display five configuration tabs [b] (the default landing page is General Settings). Enable TCP application support by selecting checkbox [c]. The Application Manager listens for TCP traffic from applications running on the client machine, encrypts the packets, and forwards them to the SPX over SSL connections [d]. Set an optional dedicated control port [e]. Select the software support (Java|ActiveX) [f]. Enable the Windows Redirector to allow applications to resolve and connect to hostnames on the internal network [g]. The default status for WinRedir is to have the non-user process feature enabled [h], allowing all applications not under the user's direct privileges (such as SYSTEM, NETWORK, etc.) to go through the SPX proxy. To set tunneling (WinRedir is not L3VPN) to split the WinRedir and Secure Desktop, meaning that when this feature is enabled both applications are tunneled, select box [i]. Enable client DNS, where the DNS request will go to the client DNS system first and only be sent to the SPX if the local system cannot resolve it [j].

Host Mapping
3. Select the Host Mapping tab [a]. The configuration window will display existing host entries in the sort-ready table [b] (double click a table entry to edit). To add a host, click the action link Add [c] and proceed to step 4. To enable the SPX to automatically update the user's host file database, select [d]; the designated user must have full read, write and modify privileges, else the operation will be blocked even if enabled on the SPX side.
4. Supply the hostname in field [e]. Supply the local host IP [f]. Click the desired action link [g] to complete this setup.

Services
You may specify which TCP services are made available to users through the legacy application proxy. TCP services may only be configured for hosts mapped to local IP addresses (an IP in the form 127.0.0.X where X=1-254).
5. Select the Services tab [h]. Existing services are displayed in table [i]. Click Add Service [j].
6. Configure a new service by supplying a description [k], attaching the service to a host [l] and furnishing the needed IPs and ports [m-p]. Complete by selecting the desired action [q].



Windows Redirector: Application Based Redirect
For clients running IE on Windows machines you may configure an application whose traffic will all be tunneled through the SPX. To secure the application, administrators specify the executable name (for example "telnet.exe") and optionally the MD5 hash value of the exe. Specifying a hash value allows the administrator to restrict redirection to specified versions of the application, and to ensure that "telnet.exe" really is telnet, and not a renamed hacking utility. An entry value of "0" will redirect all traffic from all executables with that name. NOTE: It is strongly recommended that the user reboot the client machine after upgrading, downgrading or uninstalling the Windows redirector feature of clientapp.

1. Select the Windows Redirector tab [a]. The configuration window will display three sub tabs [b]. Existing redirection entries are displayed in the sort-ready table [c] (double click a table entry to edit). To add a redirection entry, click the action link Add [d] and proceed to step 2.
2. Supply the description [e], executable name [f] and MD5 hash value [g] (an entry value of "0" will redirect all traffic from all executables with that name). Complete the task by selecting the desired action link [h].
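The added example below (not Array Networks code) reproduces the matching rule the text gives for an Application Based Redirect entry: the executable name must match, and the entry's MD5 value either pins the exact file contents or is "0", which accepts any file with that name. The entry values and the stand-in file bytes are constructed for the example.

```python
"""Match an executable against an Application Based Redirect entry.

Added example, not Array Networks code. Entry values and the stand-in
executable contents are constructed.
"""
import hashlib
import os


def md5_hex(data):
    """MD5 of the file image, as the entry's hash field expects it."""
    return hashlib.md5(data).hexdigest()


def redirect_entry_matches(entry, exe_name, exe_bytes):
    """entry = {"executable": "telnet.exe", "md5": "<hex>" or "0"}.

    Names compare case-insensitively because Windows file names do.
    """
    if exe_name.lower() != entry["executable"].lower():
        return False
    if entry["md5"].strip() == "0":
        return True                      # hash not pinned: any binary by that name
    return md5_hex(exe_bytes) == entry["md5"].strip().lower()


def redirect_entry_matches_file(entry, exe_path):
    """Same check against a file on disk."""
    with open(exe_path, "rb") as f:
        data = f.read()
    return redirect_entry_matches(entry, os.path.basename(exe_path), data)


def pinned_entry(executable, exe_bytes):
    """Build an entry that pins a known-good build of the executable."""
    return {"executable": executable, "md5": md5_hex(exe_bytes)}
```

A pinned hash is what stops a renamed tool from inheriting the tunnel; the "0" setting redirects anything called telnet.exe, so use it only where version churn makes pinning impractical. MD5 is no longer collision resistant, so treat the pin as a version check rather than a strong integrity guarantee, and remember that the check runs on the client and is only as trustworthy as that host.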

Windows Redirector: IP Based Redirect
For clients running IE on Windows machines, configure an IP and port range for which all traffic will be tunneled through the SPX.
3. Select the Windows Redirector tab [a] and the IP Based Redirection sub tab [b]. Existing redirection entries are displayed in the sort-ready table [c] (double click a table entry to edit). To add a redirection entry, click the action link Add [d] and proceed to step 4. You may also map external and internal IPs in much the same manner.
4. Supply the description [e], IP address [f] and port range (first port & last port) [g] for all traffic to be tunneled. Complete the task by selecting the desired action link [h].

IP Mapping (External IP to Internal IP)
Use this feature to add a rule for mapping a pair of external IPs and ports to a pair of internal IPs and ports. The pair of <external ip> and [external port] must be unique per virtual site. The default values of [external port] and [internal port] are 0, to indicate that this is a one-to-one IP redirection for all ports.
5. Select the Windows Redirector tab (as above) and the IP Based Redirection sub tab (as above). Existing redirection entries are displayed in the sort-ready table (double click a table entry to edit). To add a rule for mapping a pair of external IPs and ports to a pair of internal IPs and ports, click on the action link Add Mapping [i]. Supply the external IP and port in fields [j] and the destination internal IP and port [k]. Complete by selecting action link [l].


Windows Redirector: Network Based Redirect
Use this feature to establish a specific tunneled network for clients running IE on Windows. If no last port is configured, the default will be the first port setting.
5. Select the Windows Redirector tab [i] and the Network Based Redirection sub tab [j]. Existing redirection entries are displayed in the sort-ready table [k] (double click a table entry to edit). To add a redirection entry, click the action link Add [l] and proceed to step 6.
6. Supply the description [m], IP address/netmask [n] and port range (first port & last port) [o] for all traffic to be tunneled. Complete the task by selecting the desired action link [p].
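As an added example (not Array Networks code), the code below evaluates the three rule kinds of the IP Based Redirect, IP Mapping and Network Based Redirect pages against a client's destination, as the text describes them: a single IP with a first/last port range, a network with netmask and port range where an omitted last port defaults to the first port, and an external ip:port to internal ip:port mapping where port 0 means a one-to-one redirect for all ports. The preference of an exact-port mapping over a port-0 catch-all is an assumption of the example, and all addresses are constructed.

```python
"""Evaluate Windows Redirector IP, network and mapping rules for a connection.

Added example, not Array Networks code. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortRange:
    first: int
    last: Optional[int] = None       # None: only the first port, as the text states

    def __contains__(self, port):
        return self.first <= port <= (self.first if self.last is None else self.last)


@dataclass(frozen=True)
class IpRule:                        # IP Based Redirect
    ip: str
    ports: PortRange

    def matches(self, dst_ip, dst_port):
        return ipaddress.ip_address(dst_ip) == ipaddress.ip_address(self.ip) and dst_port in self.ports


@dataclass(frozen=True)
class NetworkRule:                   # Network Based Redirect
    network: str                     # "10.2.0.0/255.255.0.0" or "10.2.0.0/16"
    ports: PortRange

    def matches(self, dst_ip, dst_port):
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(dst_ip) in net and dst_port in self.ports


def tunnel_required(rules, dst_ip, dst_port):
    """True if any IP or network rule covers the destination."""
    return any(r.matches(dst_ip, dst_port) for r in rules)


@dataclass(frozen=True)
class IpMapping:                     # IP Mapping (External IP to Internal IP)
    external_ip: str
    internal_ip: str
    external_port: int = 0           # 0: all ports, one-to-one
    internal_port: int = 0           # 0: keep the client's destination port


def map_destination(mappings, dst_ip, dst_port):
    """(internal_ip, internal_port) for the connection, or None.

    An exact-port mapping is preferred over a port-0 catch-all for the same
    external IP; that ordering is this example's assumption.
    """
    dst = ipaddress.ip_address(dst_ip)
    hits = [m for m in mappings
            if ipaddress.ip_address(m.external_ip) == dst and m.external_port in (0, dst_port)]
    if not hits:
        return None
    m = min(hits, key=lambda m: m.external_port == 0)
    return m.internal_ip, (dst_port if m.internal_port == 0 else m.internal_port)


def duplicate_mappings(mappings):
    """(external ip, external port) must be unique per virtual site."""
    seen, dups = set(), []
    for m in mappings:
        key = (m.external_ip, m.external_port)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups
```

Running a proposed rule set through `tunnel_required` with a handful of representative destinations is a quick way to catch an over-broad network rule (for example a /8 with a wide port range) that would pull far more client traffic through the SPX than intended.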

ALP
This feature notifies the clientapp function to treat connections destined for the backend IP and port as HTTP protocol traffic. These connections may then benefit from SSO rules and will have HTTP ACLs applied to these requests.
1. Select the ALP tab [a] and the SPX will display a table of any previously configured processing rules [b]. To add a new rule, click the Add action link [c]. Set the destination IP and port for the backend [d] and complete the setup by clicking on the desired action link [e].


L3VPN
When the VPN feature is activated, a VPN client is automatically installed on the client machine from a web browser. This VPN client intercepts all network traffic destined for the internal network and securely tunnels it to the SPX. All tunnel data is protected by SSL encryption. Since all IP traffic to the destination networks is tunneled, all IP-based applications should work transparently through the tunnel, including those that use dynamic-port TCP and UDP protocols, NetBIOS, or ICMP.
L3VPN General Settings
1. Make certain you are in Config Mode for the desired virtual site and have selected the feature link L3VPN [a]. Enable the L3VPN feature [b] (requires AAA to also be enabled). Enable other L3 features such as autolaunch, pre-install of the client, Client Isolate, etc. [c].

Netpools
3. Any existing netpools will be displayed in the sort-ready table [d]. To add a netpool for the VPN, click on the action link Add Netpool [e] and proceed to step 5.
4. Links are provided at the bottom of this page for you to download the Array VPN standalone client software [f].
5. Configure netpools by supplying a name [h] and the tunneling choice [i] (if split tunneling is selected, only traffic destined for accessible network zones will be tunneled; all other traffic will continue to be routed normally, and the client will continue to have access to local network resources). You may enable the IPSec and StayConnected features [j] (stay connected is disabled when users deploy Secure Desktop). Complete the setup [k].


Netpool Configuration - Basic Tunneling
1. By selecting and double clicking on a Netpool Name from the sort-ready table (previous page) the configuration window will present more configuration options for the VPN. The top of the window has a selector for you to switch between configured netpools or return to the L3VPN General Settings page [a]. On this configuration page there are four tabs and two sub tabs [b] and a table [c] to display any configured network zones (defined IP subnets for the VPN). You may change the current tunnel setting for the netpool, if necessary [d].
2. To add a new network zone, click [e] and proceed to step 3.
3. Supply the network IP and netmask [f] for the network to be accessible via the VPN. Click the desired action [g].



Netpool Configuration- Basic IP Addresses 1 Select the IP Addresses sub tab [a] to assign one or more contiguous IP address ranges from those external IP addresses that may be assigned. Existing dynamic IP ranges will be displayed in table [b]. IP ranges using DHCP will be listed in table [c]. To add a dynamic IP range select link [d] and skip to step 5. Add the range via DHCP click action link [e] and proceed to step 6 (next page). You may deploy dynamic IP address assignment using DHCP. The <leasetime> [f] refers to the time that the allotted IP address may be used (5 minutes through 43,200 minutes (one month)). You may configure the RADIUS attributes containing the client IP and client netmask information to be used by VPN [g]. To set up a dynamic IP range, supply the first and last IP addresses. With clustering configurations, each dynamic IP range can optionally be associated with a particular synconfig node. IP ranges on different nodes can be the same or can be different. For stateful failover configuration in active-active mode administrators must configure disjoint IP ranges to guarantee unique IP addresses for the L3 VPN clients from different nodes [h]. Complete the dynamic setup [i].


Netpool Configuration - DHCP Server 6 Supply the DHCP server address [j] and choose the next action [k].
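The disjoint-range requirement in step 5 is easy to get wrong on a cluster, and the WebUI cannot tell whether the ranges you typed on two nodes collide. The following is an added example, not code from the handbook or the appliance, that checks a netpool's dynamic ranges before they are committed: it rejects non-ascending ranges, flags overlaps across synconfig nodes only when stateful active-active failover is in use (the page allows overlapping ranges otherwise), and validates the DHCP lease window. The dict layout, node names and addresses are constructed sample data.

```python
"""Pre-commit check for L3VPN netpool dynamic IP ranges on a cluster.

Added example, not code from the appliance or the handbook. It assumes the
operator keeps the netpool ranges in a plain dict keyed by synconfig node name;
the node names and addresses below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Lease-time bounds in minutes, as given for DHCP assignment above.
LEASE_MIN, LEASE_MAX = 5, 43_200

Range = Tuple[str, str]                 # (first address, last address)
NodeRanges = Dict[str, List[Range]]     # synconfig node name -> its dynamic ranges


def parse_range(first: str, last: str) -> Tuple[int, int]:
    """Return the range as integer bounds, rejecting a non-ascending pair."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is not ascending")
    return lo, hi


def find_overlaps(ranges_by_node: NodeRanges) -> List[Tuple[str, str, str, str]]:
    """Pairs of ranges on different nodes that share at least one address."""
    flat = [(node, parse_range(f, l), f"{f}-{l}")
            for node, rs in ranges_by_node.items() for f, l in rs]
    found = []
    for i, (n1, (lo1, hi1), r1) in enumerate(flat):
        for n2, (lo2, hi2), r2 in flat[i + 1:]:
            if n1 != n2 and lo1 <= hi2 and lo2 <= hi1:
                found.append((n1, r1, n2, r2))
    return found


def validate(ranges_by_node: NodeRanges, active_active: bool) -> List[str]:
    """Problems that would make this netpool unsafe to commit.

    Overlapping ranges across nodes are only an error for stateful failover in
    active-active mode, where two nodes could otherwise hand out the same IP.
    """
    problems = []
    for node, rs in ranges_by_node.items():
        for first, last in rs:
            try:
                parse_range(first, last)
            except ValueError as exc:
                problems.append(f"{node}: {exc}")
    if problems:
        return problems
    if active_active:
        for n1, r1, n2, r2 in find_overlaps(ranges_by_node):
            problems.append(f"{n1} {r1} overlaps {n2} {r2}; active-active needs disjoint ranges")
    return problems


def lease_ok(minutes: int) -> bool:
    """True when a DHCP lease time is inside the permitted 5..43200 minute window."""
    return LEASE_MIN <= minutes <= LEASE_MAX


# Constructed sample: two synconfig nodes, one good layout and one that collides.
GOOD_LAYOUT: NodeRanges = {
    "node1": [("10.10.1.10", "10.10.1.99")],
    "node2": [("10.10.1.100", "10.10.1.199")],
}
BAD_LAYOUT: NodeRanges = {
    "node1": [("10.10.1.10", "10.10.1.99")],
    "node2": [("10.10.1.50", "10.10.1.150")],
}

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)):
        print(name, validate(layout, active_active=True) or "ok")
```

Run it against the ranges you intend to enter on each node; a non-empty result from `validate(..., active_active=True)` means two nodes could assign the same client address after a failover.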

Netpool Configuration - Drive Mapping 7 You may enable automatic drive mapping for the configured VPN netpool by selecting the Drive Mapping tab [a]. Configured drives are displayed in table [b]. To add a drive, click action link [c], assign the desired drive letter via selector [d] and supply the resource path [e]. Complete the setup [f].

Netpool Configuration - Launch Command 9 You may configure an application or other executable to be launched when an L3 connection is successfully established or when an L3 connection is terminated. Select the Launch Command tab. The command string must be enclosed in double quotes and must contain the full path of the executable together with any necessary arguments. If the path or an argument itself contains spaces, enclose that element in single quotes, for example:
"'c:\program files\mycompany\my command.exe' myarg1"

Enter the command for the connection event [g] or the termination event [i]. You may have the SPX stop the L3 VPN if launching the command fails [h] or [j].

Netpool Configuration - Advanced: General 1 Select the Advanced tab [a] to continue the netpool setup. 2 You may enable the Stay Connected feature (the VPN stays connected even if the client browser is closed) and/or IPSec Tunneling over SSL VPN [b]. These options are disabled when the Secure Desktop is deployed. 3 You may define separate source-based routes for VPN tunneled traffic on a per-netpool basis. If the default flag is specified, the route is used for tunnel traffic whose destination does not match a globally configured "ip route static". If the all flag is specified, all tunnel traffic for this netpool uses this route regardless of globally configured static routes [c]. 4 IP broadcast traffic may be forwarded between the remote clients and the internal network; enabled is the default behavior [d]. Enable Multicast IP Traffic Forwarding [e]. To enable Client Local DNS Services, select the checkbox [f]. Note: if you enable Client Local DNS Services, make certain that all SPX and virtual portal hostnames have been added to the local DNS files. 5 Local subnet access lets L3VPN users reach resources on their local subnet regardless of whether full or split tunneling is used [i]; note that this weakens a full-tunnel policy, since the client can still reach hosts on its local LAN while connected. Forced logout requires L3VPN users to log out/terminate the session from the L3VPN client directly [j].


Advanced: Windows Administrator

5 To set up a Windows Administrator, select the sub tab [a]. The configuration window displays a sort-ready table listing any previously created administrator accounts [b]; double-click an account to edit it. Click the action link [c] to add an entry. At the bottom of the page is a link [d] from which administrators can download standalone VPN clients to distribute to their users, if necessary. When you choose to add an administrator account, the SPX presents text fields for account ID, username, password and confirm password. The <username> and <password> fields refer to the local Administrator username and password on the Windows machine [e]; each may be up to 255 characters long. The password is displayed in scrambled form (not base64). Scrambling is obfuscation rather than encryption, so treat any saved or backed-up configuration that contains these accounts as sensitive. Complete the entry by clicking the desired action link [f]. Please note that, by Windows convention, the username is case insensitive and the password is case sensitive; this ultimately depends on the individual Windows system.

Inside Proxy 6 You may assign a proxy to the remote client once it has connected to the L3VPN. The proxy is applied to the Internet Explorer browser via the Internet Options LAN settings.


ATF
Authorized Traffic Forwarding (ATF) is a clientless access method used to authorize traffic and to secure intranet and Internet access. In this clientless mode the SPX acts as a gateway, forwarding packets to and from destinations based on authentication and authorization rules. When an end user logs in, that user's attribute values are retrieved from the AAA server. Unauthenticated end users are directed to a portal page on any DNS query or send request (similar to a captive portal); there is also an HTTP intercept, so if any other URL is requested the user is redirected to the login portal. After login, the user's source IP/MAC address pair is stored in the session table to identify authenticated users, and the configured authorization ACLs are assigned to that user. These rules define which resources the user may access. Outgoing packets from the user pass through the SPX and are checked against the IP/MAC session table and the ACLs; permitted packets are forwarded and all others are dropped. Because the session is keyed on the source IP/MAC pair, a host on the same segment that spoofs both values of an authenticated client can inherit its authorization, so keep the ATF timeout short and deploy ATF only on segments where that exposure is acceptable. ATF General Settings 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link ATF. 2 Enable this feature [a], set the authentication method [b], enable the status/connection indicator on the client's page [c], and enable logging of ATF traffic and set the timeout period [d]. Any changes require you to click the Save Changes button. Select the Traffic Statistics tab [e] to display the statistics.


Access Policies
Access Control Lists
The SPX controls access to Web, file and legacy application resources by enforcing restrictions defined by ACLs. When a user attempts to log into a virtual site, the SPX authenticates that user against the configured AAA server and retrieves all ACL and sourcenet attributes for any groups the user belongs to. The SPX then enforces the ACL restrictions on web and file requests for that session, except for requests that match an external URL policy. ACL Rules 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link ACLs. The configuration window displays two tabs [a] and two sub tabs. Any previously configured ACL Rules are listed in the sort-ready table [b]; double-click a table entry to edit that ACL. To add a new ACL Rule, click the Add link [c]. 2 To add an ACL Rule, choose the ACL target (an individual user account or a group) [d], select the user or group, set whether the rule is permit or deny, and assign the priority [e]. Next, set the resource group to New or Existing [f] and give the resource group a name and description [g] (or select an existing resource group from the pull-down menu). Finally, set the resource type to Network, Web or Fileshare [h].


ACL Resources
1 Click on the sub tab ACL Resources [a]. Displayed here are the configured resource destinations, listed by group or resource [b], in the sort-ready table [c]. To add a new group or resource, click the desired action link [d]. If adding a group, proceed to step 3 (next page). 2 Selecting the Add Resource link presents a configuration page for setting the resource type and entering a list of resource destinations. To assist with entering destinations, a clickable list of example destinations [e] appears to the right of the Resource List; clicking an example adds it to the Resource List field, where you can modify it as necessary (the Examples list changes with the selected Resource Type). The Assign To Resource Group(s) table [f] also changes with the selected Resource Type and shows all existing resource groups of that type. Once resources are configured, select the desired action link [g] to continue.


3 This configuration page lets you name and describe the resource group [a]. Next, select the resource type and enter a list of resource destinations [b]. To assist with entering destinations, a clickable list of example destinations appears to the right of the Resource List; clicking an example adds it to the Resource List field, where you can modify it as necessary (the Examples list changes with the selected Resource Type). Once the resource group is configured, select the desired action link [c] to continue.


Advanced Options 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Advanced Options [a]. The configuration window displays two tabs [b] (the default landing page is ACLs). Any previously configured ACLs are listed in the sort-ready table [c]; double-click a table entry to edit that ACL. 2 You may search existing ACLs using the selector and filter fields [d] and [e]. To add an ACL, click the Add link [f] and go to step 3. 3 Define the list as applying to a single user or to a group of users [g]. Create the ACL by assigning it to an existing group, assigning its priority (the smaller the value, the higher the precedence), setting the type to PERMIT or DENY, and assigning it to a virtual site [h]. Select the scheme or protocol via the selector and supply the host IP and resource path [i]. Complete by clicking the desired action link [j].


If the user's session has no ACLs that apply to a particular virtual site, the user is allowed unrestricted access to all Web, file and TCP application resources through that virtual site. If the session contains one or more ACLs that apply to a particular virtual site and scheme, the SPX denies access to any resource of that scheme that is not specifically permitted by an ACL. This default can be adjusted by configuring an ACL for the appropriate scheme with <host><path> of */ and the largest priority value (i.e. lowest precedence), so that it is consulted only after every more specific rule. Note that if any keyword or value in an ACL is not recognized (anything other than http, file, tcp or the other listed forms for the scheme, or a non-numeric value for the priority), the Security Manager rejects the ACL and rejects the login request. This fail-closed behavior is intended to prevent an incorrectly formatted DENY ACL from silently granting access. The administrator should NOT configure conflicting ACLs with the same priority; different priorities must be assigned to indicate which ACL takes precedence.
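The decision rules in the paragraph above (unrestricted access when no ACL applies to a scheme, implicit deny once any ACL does, smallest priority value wins, malformed ACLs reject the login) are easier to reason about as code. The following is an added example written for this page, not the appliance's own implementation. The one-line rule format, the set of accepted scheme names and the matching semantics (glob on the host, prefix on the path, so `*` with `/` matches everything) are assumptions made for the example, and the sample ACLs are constructed.

```python
"""Model of the SPX ACL decision described above: no ACL for a scheme means
unrestricted access, any ACL for the scheme means implicit deny, the smallest
priority value wins, and a malformed ACL rejects the whole login.

Added example, not the appliance's code. The one-line rule format, the
KNOWN_SCHEMES set and the host/path matching (glob on host, prefix on path)
are assumptions made for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

KNOWN_SCHEMES = {"http", "https", "file", "tcp"}   # assumed list of accepted schemes


class AclError(ValueError):
    """A malformed ACL; the Security Manager rejects the login in this case."""


@dataclass(frozen=True)
class Acl:
    site: str
    scheme: str
    host: str
    path: str
    priority: int      # smaller value = higher precedence
    permit: bool


def parse_acl(line: str) -> Acl:
    """Parse 'site scheme host path priority PERMIT|DENY' (constructed format)."""
    parts = line.split()
    if len(parts) != 6:
        raise AclError(f"bad field count: {line!r}")
    site, scheme, host, path, prio, action = parts
    if scheme not in KNOWN_SCHEMES:
        raise AclError(f"unknown scheme {scheme!r}")
    if not prio.isdigit():
        raise AclError(f"non-numeric priority {prio!r}")
    if action not in ("PERMIT", "DENY"):
        raise AclError(f"unknown action {action!r}")
    return Acl(site, scheme, host, path, int(prio), action == "PERMIT")


def load_session_acls(lines: List[str]) -> List[Acl]:
    """Parse every ACL retrieved for a session, failing closed on any bad rule
    and on two rules for the same site and scheme that share a priority."""
    acls = [parse_acl(l) for l in lines if l.strip() and not l.startswith("#")]
    seen = set()
    for acl in acls:
        key = (acl.site, acl.scheme, acl.priority)
        if key in seen:
            raise AclError(f"conflicting priority {acl.priority} for {acl.site}/{acl.scheme}")
        seen.add(key)
    return acls


def login_allowed(lines: List[str]) -> bool:
    """True only when every ACL attribute parses; otherwise the login is refused."""
    try:
        load_session_acls(lines)
    except AclError:
        return False
    return True


def _matches(acl: Acl, host: str, path: str) -> bool:
    # Assumed semantics: '*' globs the host, the path is a prefix, so '*' '/' matches all.
    return fnmatchcase(host, acl.host) and path.startswith(acl.path)


def allowed(acls: List[Acl], site: str, scheme: str, host: str, path: str) -> bool:
    """Decide one request against the session's ACLs."""
    applicable = [a for a in acls if a.site == site and a.scheme == scheme]
    if not applicable:
        return True                    # no ACL for this site/scheme: unrestricted
    for acl in sorted(applicable, key=lambda a: a.priority):
        if _matches(acl, host, path):
            return acl.permit
    return False                       # ACLs exist for the scheme but none permit this


# Constructed sample session: one site, http locked down to the intranet host
# except /hr, and a */ PERMIT at the largest priority so file access stays open.
SAMPLE_ACLS = [
    "portal http intranet.example.internal /hr 10 DENY",
    "portal http intranet.example.internal / 20 PERMIT",
    "portal file * / 1000 PERMIT",
]

if __name__ == "__main__":
    acls = load_session_acls(SAMPLE_ACLS)
    for req in (("http", "intranet.example.internal", "/hr/payroll"),
                ("http", "intranet.example.internal", "/news"),
                ("http", "other.example.internal", "/"),
                ("tcp", "db.example.internal", "/")):
        print(req, "PERMIT" if allowed(acls, "portal", *req) else "DENY")
```

The point worth noticing is the third request: `other.example.internal` is denied not by any rule but because http ACLs exist for the site and none of them permit it, while the tcp request is allowed because no tcp ACL exists at all. Adding a `* / 1000 PERMIT` rule for http would flip the former back to the page's "unrestricted" default.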


Access Policies URL Filtering


You may set up restrictions on requests made to your network based on header length, request length, URL and query length, as well as ASCII character ranges and keyword matches. Every rule can be enforced passively or actively: passive mode lets the request pass through the appliance while recording the violation; active mode drops any request that violates the configured URL filtering rules. By default the Array is in active mode. Running in passive mode first is a good way to baseline legitimate traffic, since length limits or character ranges that are too tight will drop valid requests once active mode is enabled. 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link URL Filtering [a]. The configuration window displays five tabs [b] (the default landing page is General Settings).

General Settings 2 Enable the URL filtering feature [c]. Set the default filtering policy to permit or deny [d]. Set the behavior mode to active or passive [e]. Enable or disable filtering of %-encoded control characters in URLs [f] (control characters are those in the range %00 to %1F, plus %7F).

Email Alerts 3 Configure the destination email address [g] for filter-related alerts and the threshold number of dropped requests before an alert is issued [h].

Length Based Filtering 1 Click on the Length Based tab [a]. Configure the length limits for requests coming into the network [b]. You may reset them by clicking action link [c].

Character Based Filtering 2 Click on the Character Based tab [d]. Existing restrictions are displayed in the sort-ready table [e]. To add a new character range, click the Add Character Range link [f]. To deny requests based on URL character ranges (ASCII values), enter the starting and ending values [g]. Click the desired action link [h] to continue.

Keyword Based Filtering 3 Click on the Keyword Based tab [i]. Existing restrictions are displayed in the sort-ready table [j]. To add a new keyword rule, click the add link [k]. Set the policy to permit or deny and supply the text to match [l]. Click the desired action link [m] to continue.



Type Based Filtering You may declare named request variables as integer or character-string typed, so that a value of the wrong type is treated as a violation. 4 Click on the Type Based tab [n]. Existing restrictions are displayed in the sort-ready table [o]. To add a new variable, click the Add Variable link [p]. Set the variable type (integer or string) [q] and name the variable in text field [r]. Click the desired action link [s] to continue.
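To see how the General, Length Based, Character Based, Keyword Based and Type Based settings combine on a real request, here is an added example of the same checks in code. It is written for this page and is not the appliance's implementation: the configuration field names, the order in which the checks run, the treatment of a permit keyword under a default-deny policy, and the sample requests are all constructed. It does show the two behaviours the text describes, active mode dropping the request and passive mode logging it and letting it through, and the dropped-request threshold that triggers the email alert.

```python
"""URL filter modelled on the General, Length, Character, Keyword and Type Based
settings above: each request is checked for violations, then handled according
to the active/passive mode and the drop-count alert threshold.

Added example, not the appliance's code. The field names, the order of the
checks, the treatment of permit keywords and the sample requests are all
constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# %-encoded control characters: %00-%1F and %7F, as listed in General Settings.
CONTROL_PCT = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


@dataclass
class FilterConfig:
    default_permit: bool = True
    active: bool = True                     # active = drop, passive = log and forward
    block_pct_control: bool = True
    max_url: int = 2048                     # Length Based limits (bytes)
    max_query: int = 1024
    max_header: int = 4096
    max_request: int = 8192
    deny_char_ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive ASCII ranges
    keyword_rules: List[Tuple[bool, str]] = field(default_factory=list)   # (permit?, text)
    var_types: Dict[str, str] = field(default_factory=dict)               # name -> "integer"|"string"
    alert_threshold: int = 3                # Email Alerts: dropped requests before alerting


@dataclass
class UrlFilter:
    cfg: FilterConfig
    dropped: int = 0
    log: List[str] = field(default_factory=list)

    def violations(self, request_line: str, headers: str) -> List[str]:
        """Every rule the request breaks; an empty list means the request is clean."""
        c, found = self.cfg, []
        try:
            _method, target, _version = request_line.split(" ")
        except ValueError:
            return ["malformed request line"]
        query = urlsplit(target).query
        if len(target) > c.max_url:
            found.append("url length")
        if len(query) > c.max_query:
            found.append("query length")
        if len(headers) > c.max_header:
            found.append("header length")
        if len(request_line) + len(headers) > c.max_request:
            found.append("request length")
        if c.block_pct_control and CONTROL_PCT.search(target):
            found.append("%-encoded control char")
        for lo, hi in c.deny_char_ranges:
            if any(lo <= ord(ch) <= hi for ch in target):
                found.append(f"char range {lo:#04x}-{hi:#04x}")
        permitted = False
        for permit, text in c.keyword_rules:
            if text in target:
                if permit:
                    permitted = True       # assumption: a permit keyword satisfies default-deny
                else:
                    found.append(f"keyword {text!r}")
        if not c.default_permit and not permitted:
            found.append("default deny")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if c.var_types.get(name) == "integer" and not re.fullmatch(r"-?\d+", value):
                found.append(f"variable {name} not integer")
        return found

    def handle(self, request_line: str, headers: str) -> bool:
        """True if the request is forwarded; False if it is dropped (active mode)."""
        found = self.violations(request_line, headers)
        if not found:
            return True
        self.log.append(f"{request_line.split(' ')[1]}: {', '.join(found)}")
        if not self.cfg.active:
            return True                    # passive: keep the record, let it through
        self.dropped += 1
        if self.dropped == self.cfg.alert_threshold:
            self.log.append(f"ALERT: {self.dropped} requests dropped")
        return False


def make_filter(active: bool = True) -> UrlFilter:
    """Constructed policy: no '../', no '{|}~' bytes, and 'id' must be an integer."""
    return UrlFilter(FilterConfig(
        active=active,
        deny_char_ranges=[(0x7B, 0x7E)],
        keyword_rules=[(False, "../")],
        var_types={"id": "integer"},
    ))


if __name__ == "__main__":
    f = make_filter()
    for line in ("GET /app/item?id=42 HTTP/1.1",
                 "GET /app/item?id=42%00 HTTP/1.1",
                 "GET /app/../etc/passwd HTTP/1.1",
                 "GET /app/item?id=5|ls HTTP/1.1"):
        print(line, "->", "forward" if f.handle(line, "Host: app\r\n") else "drop")
    print(*f.log, sep="\n")
```

Note that the typed-variable check runs on the decoded query value, so `id=42%00` is caught twice: once by the %-encoded control character rule on the raw URL and once because the decoded value is no longer an integer. That redundancy is deliberate; if an operator disables the control-character rule, the type rule still holds.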


Admin Tools
Session Management
Active Sessions 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Session Management [a]. The configuration window displays two tabs (Active Sessions and User Lockout) [b]. If you wish to lock out a specific user, click the User Lockout tab and proceed to step 3. 2 This page also lists all active sessions [c] in a sort-ready table. Use the session user search field [d] to locate or investigate a current session by name [e]. To terminate a specific user's session, select the name in the table and click the action link [f]; you may select multiple sessions for termination. Once more than one user is logged in, a second action link, Terminate All Sessions, becomes available.

User Lockout 3 This feature lets you add one or more individuals to an active list of locked-out users. All active sessions belonging to a locked-out user are terminated, and no new sessions are allowed until the user is removed from the lockout list. All locked-out users are listed in a sort-enabled table [g]. To add a user to the list, click the action link Add Lockout User [h]; the configuration window then presents a text field for the user's name [i]. Complete by clicking the desired action link [j].


Admin Tools Config Management


This section discusses the configuration management functions available on the SPX. VIEW / Running Config: 1 Make certain you are in Config Mode and have selected Config Management [a] from the sidebar. The configuration window presents navigational tabs for View, Backup, Load and Clear [b]. The View page has three (3) sub tabs: Running Config, Startup Config and Saved File. The remainder of the window displays the current running configuration [c].

VIEW / Startup Config: 2 Select the Startup Config sub tab to display the startup configuration.

VIEW / Saved File: 3 Select the Saved File sub tab to display all currently saved configuration files. Double-click a file name to view the contents of that configuration file.



BACKUP 1 Select the Backup tab [a]; the configuration window presents the options for backing up configuration files. To back up the configuration using SCP (the default), supply the SCP server name, user name, password and server path in text fields [c] and click action link [d] to begin the backup. To back up using TFTP, select the TFTP button [b] and proceed to step 2. To save the configuration to a file on the SPX, select the Saved File button [b] and skip to step 3. 2 To back up using TFTP, supply the TFTP server IP address and file name in text fields [e] and click action link [f] to begin the backup. 3 To save to a file, supply the file name in text field [g] and click action link [j] to begin the backup. Previously saved files are listed in a sort-ready table [h]; you may select one of these files to be updated or deleted [i]. The backup contains the complete configuration, including any stored credentials, so restrict access to wherever it is written; note that TFTP is unauthenticated and transfers the file in cleartext, whereas SCP runs over SSH.



LOAD 1 Select the Load tab [a]; the configuration window presents the options for loading configuration files. To reload the last running configuration, click the action link Load [g]. To load from an SCP server, select the SCP button [c] and proceed to step 2. To load from a TFTP server, select the TFTP button [d] and proceed to step 3. To load one of the previously saved files, select the Saved File button [e] and proceed to step 4. To upload from a network location, select Upload File [f] and proceed to step 5. 2 To load from an SCP server, supply the SCP server name, user name, password and server path in text fields [h] and click action link [i] to begin the load. 3 To load using TFTP, supply the TFTP server IP address and file name in text fields [j] and click action link [k] to begin loading. 4 To load a saved file, select the file name from the list of previously saved files [l] and click action link [m] to begin loading. 5 To load a file from a network location, supply the file name in field [n] or click the browse button to locate it, then click the load button [o]. A loaded configuration replaces the current settings, including Webwall rules and ACLs, so load only files whose origin and contents you have verified.



CLEAR Take care when clearing configurations from the SPX. If you have any questions about clearing a running or saved configuration, please contact Array Networks Customer Support. 1 Select the Clear tab in the configuration window. To clear and delete all locally saved configuration files, except the default startup file, click Entire Configuration Clear NOW [a].


Admin Tools Monitoring


Statistics 1 Make certain you are in Config Mode for the desired virtual site and have selected the feature link Monitoring [a]. The configuration window presents a series of sub tabs for all licensed features that have displayable statistics. Navigate through the statistics pages by clicking the desired sub tabs [b].


Admin Tools Troubleshooting


Selecting the Troubleshooting feature from the sidebar presents administrators with simple tools: ping (ICMP echo request), traceroute, and name server lookup. 1 Make certain you are in Config Mode and have selected Troubleshooting from the sidebar [a]. The configuration window presents the Tools tab. PING: to send an echo request to a host, enter its IP address or host name [b] and click the Ping button [c]. TRACEROUTE: enter the IP address or host name [d] and click the Traceroute button [e]. NAME SERVER LOOKUP: enter the host name (or IP address) to resolve [f] and click the Lookup button [g]; this lets you verify the IP address returned for the given hostname.


Change Password
1 Make certain you are in Config Mode and have selected Change Password from the sidebar [a]. The configuration window displays a list of all administrators established so far [c]. To change an administrator's password, select the name from the list and supply the new password in the text fields [b].


System Configuration Help


General Settings Basic Networking
Hostname: This setting changes the given name of an Array SPX. A name may be entered as a single run of alphanumeric characters, or as alphanumeric characters enclosed in double quotation marks.
System date: If the network does not rely on an NTP server, the date may be set on the Array SPX manually. Each value may be entered as one or two digits as necessary.
System time: If the network does not rely on an NTP server, the time may be set on the Array SPX manually. Each value may be entered as one or two digits as necessary (Note: the Array SPX uses a twenty-four hour clock).
System Time Zone: The SPX presents a three-step, menu-driven process to set the correct time zone. The first menu selects the continent (e.g. Asia, Europe or North America). After the continent is chosen, the next menu lists the supported countries within that continent (e.g. China, Hong Kong, Japan, South Korea, Singapore or Taiwan). The final step is to choose the specific time zone region from the generated list.
What you need to know about your network:
Host Name: The name of the physical SPX. The host name appears in CLI prompts as well as in log reports, etc. The default host name is AN. Giving each SPX a unique name helps in more complex deployments where more than one SPX is in use.

Interface Names: The specific interface, being inside, outside, DMZ or ENG. The interface name may also be a configurable alphanumeric string naming a specific VLAN or MNET network interface.
Interface IP: In dotted IP format.
Gateway IP: In dotted IP format.
VLAN Name: The specified name for a given VLAN.
VLAN Tag: A numeric value inserted in VLAN traffic. This may be any number between 0 and 4095 inclusive. Each tag number is exclusive per interface. It is recommended that the VLAN tag ID not be set to 1.
MNET Name: A unique name that identifies the MNET interface.
Destination IP: The static route's destination IP address.


Destination Netmask: The static route's destination netmask.
Domain: Searchable string.
Interface: Sets interface IP addresses and netmasks. If you plan to use VLAN or MNET functionality, select the appropriate mnet or vlan button. For VLAN ID purposes you must furnish an integer between 0 and 4095 as the VLAN tag. It is recommended that the VLAN tag ID not be set to 1.
DNS/WINS IP: In dotted IP format.
Network IP/Netmask: The NAT IP address and netmask.
VIP: The IP address to use when translating incoming traffic from the NAT network. In dotted IP format.

NTP
Server IP: If the network relies on an NTP server, its IP address is needed. Make certain the server is reachable on the desired subnet.
Node ID: For networks deploying more than one SPX in a real cluster, an optional identifier given to each SPX to accompany the host name. For a single SPX or basic setup this is an optional parameter.

ARP
This operation creates an ARP entry in ArrayOS. The IP address and MAC address (XX:XX:XX:XX:XX:XX) are required. Once an ARP entry is resolved it remains valid for five (5) minutes. Great care should be taken when modifying the ARP table.

Routing Interface
Port Speed: Set to 10half (10 Mbps Ethernet, half duplex), 100half (100 Mbps Ethernet, half duplex), 100full (100 Mbps Ethernet, full duplex), 1000full (1000 Mbps Ethernet, full duplex) or auto.
MTU: Sets the maximum transmission unit size and binds this definition to the specified interface.
Default Route IP: Sets the gateway IP address in the configuration of the Array SPX. The gateway IP must be entered in dotted IP format.
Global Static Route: Modifies the routing table used by the Array SPX. Typically the destination parameter is the network IP address. If you will be using VLANs, you will also have to create a static route for each VLAN.


Name Resolution
Network Host: Presets a DNS hostname and corresponding IP address in the Array's DNS. The Array SPX can only resolve DNS queries of 128 bytes or smaller.
DNS IP Addresses: Up to three name servers may be established, entered one IP address (standard dotted format) at a time. If a fourth name server is entered, the Array appliance instructs the user to delete one of the previously entered name servers before accepting the new one.
DNS Search Path: Sets a search path for resolving queries for non-qualified hostnames. Up to six domains may be configured.
DNS Cache: Enables or disables the DNS cache of the SPX. Administrators may set how long DNS data is cached.
WINS Addresses: Up to three (3) WINS servers may be established. This feature is designed for Windows-based environments where DNS is not, or cannot be, configured. NOTE: It is strongly recommended that the client machine be rebooted after upgrading, downgrading or uninstalling the Windows redirector feature of clientapp.
WINS Broadcast: Up to three (3) subnets may be defined for WINS broadcast resolution; ideally this is the subnet of the Inside interface, unless the network configuration allows cross-subnet broadcast packets.
WINS Cache: Enables or disables caching of WINS resolutions.
WINS Cache Expire: The expiration time for items stored in the WINS cache, in minutes, from 1 to 525,600 (365 days).

Advanced Networking
What you need to know about your network:
Network IP/Netmask: The NAT network IP address and netmask. In dotted IP format.
VIP (virtual IP): The IP address to use when translating incoming traffic from the NAT network. In dotted IP format.
SSL Host: The name on the certificate associated with an IP/port for SSL traffic. This host specifies the certificate/key pair and other SSL attributes used for decrypting traffic. This should be the FQDN if you are implementing the private key as supplied by the SPX.
Forward Service Name: The name given to the port forwarding setup; this could be the user-specified name of the VIP.
Local IP/Port: The IP/port received by the SPX that will be forwarded to the remote location.
Remote IP/Port: The destination IP/port for traffic forwarded by the SPX.

Clustering
SPX Clustering Technology allows you to maintain high availability with local sites. Virtual clustering provides high availability for SSL VIPs on the outside interface and for redundant gateways via the inside interface.
What you need to know about your network:
Interface Names: The specific interfaces, inside or outside, used for virtual clustering.
Virtual Cluster ID: A unique identifier between 1 and 255.
Peer Name: Each SPX requires a unique ASCII string enclosed in quotes. This may be the DNS name but does not have to be; the name is used only for the synchronization process.
VIP_IP: A virtual IP address may be any IP address in dotted format, excluding 0.0.0.0 and 255.255.255.255. Each virtual IP address entered must be unique. All IPs are valid barring reserved addresses such as loopback, multicast and other well-known special ranges.

NAT
NAT converts the addresses behind the SPX into one IP address for the Internet and vice versa, keeping individual internal IP addresses hidden from the outside world. To create a NAT entry, supply the addresses and netmask. The optional timeout is entered in seconds.

Port Forwarding
Port Forwarding allows the SPX to transparently forward traffic destined for one IP and port to another IP and port elsewhere on the network. All related network servers should point to the SPX as their gateway to take full advantage of port forwarding. Set the local IP/port to be forwarded and the remote IP/port (the destination), for either TCP or UDP packets. There is an optional parameter to set the timeout for the request (in seconds).


Virtual Cluster Configuration


Virtual Cluster: Enables or disables the virtual clustering capabilities of the Array.
Virtual Cluster ID: The virtual cluster ID; the minimum value is 1 and the maximum is 255.

Webwall
The SPX allows you to create permit/deny rules to filter packets passing through the network infrastructure. The Webwall supports filtering of TCP, UDP, GRE and ICMP packets. Access lists define the permit and deny rules and are applied to access groups; once the ACLs are configured, administrators bind the group to an interface. The Webwall is a default-deny firewall: if the access control lists contain no permit rules, no packets are allowed through the SPX. During the initial installation of the SPX, leave the Webwall off until the total configuration is complete (by default the Webwall is off). Before enabling it, make sure the access list that permits management traffic from the administrators' subnet is in place and bound, or you can lock yourself out of the appliance. To configure the Webwall, create access groups and the access lists within them. It is suggested that you create separate groups for different uses, e.g. one group for administrators and support and a different group for service permissions (such as ports 80, 443, etc.), then configure Permit/Deny rules (which allow or deny access to the network) based on the protocol (ICMP, TCP, GRE or UDP), and bind the rule to a destination IP address.

Preemption
Priority: Assign priority between the peers. The range is 1 to 255, where 255 is the highest priority. A priority of zero (0) is used to bring a running VCID to an inactive state so that one or more attributes can be changed before the VCID is brought back into the cluster. The outside interface requires the VCID priority to be zero before any of its attributes (other than priority) are updated; for the inside interface(s), all attributes may be updated without altering the priority.
Advertisement Interval: The interval (1 to 60 seconds, default 5) after which a peer that has not advertised is designated as down and the secondary SPX assumes Master status.
Authentication: Specify the authentication options for the cluster. The password may be up to 8 alphanumeric characters long.

189
2007-2011 Array Networks All Rights Reserved

WebUI Handbook

What you need to know about your network:
Interface Names: The specific interface (inside, outside, DMZ or ENG). The interface name may also be a configurable alphanumeric string naming a VLAN or MNET network interface.
Source IP: In dotted IP format.
Source Netmask: In dotted IP format.
Destination IP: In dotted IP format.
Destination Netmask: In dotted IP format.
Accesslist ID: The identification number (1-1000) assigned to this grouping of members. This value should match the value established for the access list member created with the access list command.

Administrators Help
The SPX supports Administrator Roles for network management: features are grouped and then assigned to a specific administrator either for configuration control (config mode) or for viewing only (enable mode). For example, a global administrator may assign File Share configuration and management for a specific virtual site (a config mode operation) to one individual while denying that individual other config mode operations such as Webwall. This is similar to file sharing insofar as groups are created, items are specified and permissions are granted. Multiple administrators may be configured for global or virtual sites.
What you need to know about your network:
AAA Method: Depending on the AAA method selected for administrative authorization, you will need IPs, ports, etc. AAA methods include RADIUS, LDAP and Active Directory.

Access Control
To form an access group, assign an interface to an access list ID. Then, under the Access List Configuration section, set the permit/deny rules for the new group by configuring rules for specific IP addresses and port numbers.
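The following is an added example, not code from the handbook or from Array Networks: a small Python model of the default-deny behaviour described under Webwall and Access Control (access lists of permit/deny rules, grouped and bound to an interface). The interface names, access list IDs, addresses and ports are made up for illustration. The handbook does not say how rules inside one list are ordered, so first-match-in-order evaluation is an assumption here.

```python
"""Default-deny Webwall model (added example, not Array's code).

Assumptions not stated by the handbook: rules inside an access list are
checked in the order they were added and the first match decides; a bound
interface with no matching rule drops the packet (default deny); an
interface with no access group bound also denies; with the Webwall off,
everything passes. Addresses, ports and names below are made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

PROTOCOLS = ("tcp", "udp", "gre", "icmp")


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # tcp, udp, gre or icmp
    src: IPv4Network                # source IP + netmask
    dst: IPv4Network                # destination IP + netmask
    dst_port: Optional[int] = None  # only meaningful for tcp/udp

    def matches(self, protocol: str, src: IPv4Address, dst: IPv4Address,
                dst_port: Optional[int]) -> bool:
        if self.protocol != protocol:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass
class Webwall:
    enabled: bool = False
    access_lists: Dict[int, List[Rule]] = field(default_factory=dict)  # ACL ID -> rules
    access_groups: Dict[str, int] = field(default_factory=dict)        # interface -> ACL ID

    def add_rule(self, acl_id: int, action: str, protocol: str,
                 src: str, dst: str, dst_port: Optional[int] = None) -> None:
        if not 1 <= acl_id <= 1000:
            raise ValueError("access list ID must be 1-1000")
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        protocol = protocol.lower()
        if protocol not in PROTOCOLS:
            raise ValueError("protocol must be TCP, UDP, GRE or ICMP")
        rule = Rule(action, protocol, IPv4Network(src, strict=False),
                    IPv4Network(dst, strict=False), dst_port)
        self.access_lists.setdefault(acl_id, []).append(rule)

    def bind(self, interface: str, acl_id: int) -> None:
        """Form an access group: attach an access list to an interface."""
        self.access_groups[interface] = acl_id

    def decide(self, interface: str, protocol: str, src: str, dst: str,
               dst_port: Optional[int] = None) -> str:
        if not self.enabled:
            return "permit"           # Webwall off: no filtering at all
        acl_id = self.access_groups.get(interface)
        for rule in self.access_lists.get(acl_id, []):
            if rule.matches(protocol.lower(), IPv4Address(src), IPv4Address(dst), dst_port):
                return rule.action
        return "deny"                 # default deny: no permit rule matched


def example_webwall() -> Webwall:
    """The two-group layout the handbook suggests, with made-up addresses."""
    ww = Webwall(enabled=True)
    # Group 10: administrators and support reaching the WebUI (port 8888)
    # on the management address 10.0.0.1 from the admin subnet only.
    ww.add_rule(10, "permit", "tcp", "10.0.0.0/24", "10.0.0.1/32", 8888)
    ww.add_rule(10, "permit", "icmp", "10.0.0.0/24", "10.0.0.1/32")
    # Group 20: public services on the virtual site 203.0.113.10, with a
    # blocked source subnet listed first so it wins over the permits.
    ww.add_rule(20, "deny", "tcp", "192.0.2.0/24", "203.0.113.10/32")
    ww.add_rule(20, "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443)
    ww.add_rule(20, "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 80)
    ww.bind("inside", 10)
    ww.bind("outside", 20)
    return ww


if __name__ == "__main__":
    ww = example_webwall()
    for args in [("outside", "tcp", "198.51.100.7", "203.0.113.10", 443),
                 ("outside", "tcp", "192.0.2.9", "203.0.113.10", 443),
                 ("outside", "udp", "198.51.100.7", "203.0.113.10", 443),
                 ("outside", "tcp", "198.51.100.7", "10.0.0.1", 8888),
                 ("inside", "tcp", "10.0.0.5", "10.0.0.1", 8888)]:
        print(args, "->", ww.decide(*args))
```

The point to take from the model is the last line of decide(): anything that reaches a bound interface without hitting a permit rule is dropped, which is why the handbook tells you to keep the Webwall off until the management rules (group 10 above) exist, or you lock yourself out of the WebUI.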

Global/Site Admin/Admin Roles


Create and manage administrator accounts. Note: enable mode passwords must be 8 characters or less. This page allows the global administrator to assign any other administrator to a specific role; Administrator Roles must be configured first. The features that can be granted are specific to global or site scope. Global features include (entries are not case sensitive): AAA, webwall, admin, system, log, SNMP, network, fileshare, HTTP, SSL, localdb and site. Site features include (entries are not case sensitive): AAA, admin, appfilter, clientapp, network, fileshare, TCS, localdb, SSL, URL, VPN, portal, site, client and service. Administrators may enter all for the feature setting to enable the complete list for the specified Role Name.

Global Resources Help

Local Databases
Administrators use this feature to create a virtual LocalDB database. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +. The global administrator may allocate resources for the virtual databases (up to 128 databases). The maximum data limit is 8 MB for the SPX. Users may set various limits for various virtual sites as long as cumulative totals remain at or below the stated maximums.

Administrators may want to enforce a stringent set of password rules (Strong Password). When this feature is enabled, users are required to create a custom password that is at least eight characters long (maximum thirty-two), contains at least two character classes (upper case, lower case, digit and non-alphanumeric) and has a minimum number of unique characters that depends on the password length and on the number of classes used. Note that a password using only two classes must be at least twelve characters long.

Strong Password Requirements:
Length (in characters)    No. of Classes    Unique Characters
12-23                     2                 8
24-32                     2                 16
8-32                      3                 6
8-32                      4                 5

Admin Authentication
Within some organizations, where there may be many administrators, it is important to ensure that the correct set of administrators has access to the corresponding functionality or destination site. Administrators, like other users, need to be monitored and controlled. Before an administrator is granted access, the user name and password, or token, is verified against RADIUS, LDAP or Active Directory. Individual method configuration is similar to the AAA methods discussed earlier. Define and rank the AAA method for administrator authentication. Rankings must be 1-3, with 1 being the highest ranking/preference. Configure the AAA host server for the configured method. If the selected method is LDAP, the LDAP-specific configuration options are also available. Enable the feature (default is off). This must be enabled for L3VPN operations.


Here are examples of suitable passwords based on the previous table: MNmSdstgdArh (12 characters, 2 classes, 11 unique), AlMnMwqgQTEWPpohGbxaQLMehw (26 characters, 2 classes, 21 unique), mN2A3me4t (9 characters, 3 classes, 8 unique), Q%4h*wI9 (8 characters, 4 classes, 8 unique).
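As an added example (not code from the handbook or from Array Networks), the Strong Password table above can be turned into a checker. The rule thresholds are the handbook's; the failing inputs in the test are constructed.

```python
"""Strong Password checker (added example, not Array's code).

Implements the table above: 8-32 characters, at least two of the four
character classes (upper case, lower case, digit, non-alphanumeric), and a
minimum number of distinct characters that depends on the length and on
how many classes are used.
"""
from typing import Optional, Tuple

# (min length, max length, classes used, minimum distinct characters)
REQUIREMENTS = [
    (12, 23, 2, 8),
    (24, 32, 2, 16),
    (8, 32, 3, 6),
    (8, 32, 4, 5),
]


def character_classes(password: str) -> int:
    """Count which of the four classes appear in the password."""
    lower = any(c.islower() for c in password)
    upper = any(c.isupper() for c in password)
    digit = any(c.isdigit() for c in password)
    other = any(not c.isalnum() for c in password)
    return sum((lower, upper, digit, other))


def required_unique(length: int, classes: int) -> Optional[int]:
    """Minimum distinct characters for this length/class combination,
    or None when the table allows no password of that shape."""
    for lo, hi, cls, unique in REQUIREMENTS:
        if cls == classes and lo <= length <= hi:
            return unique
    return None


def check_strong_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason)."""
    length = len(password)
    if not 8 <= length <= 32:
        return False, f"length {length} is outside 8-32"
    classes = character_classes(password)
    if classes < 2:
        return False, "fewer than two character classes"
    needed = required_unique(length, classes)
    if needed is None:
        # Only reachable for two-class passwords shorter than 12 characters.
        return False, f"{classes} classes needs at least 12 characters"
    distinct = len(set(password))
    if distinct < needed:
        return False, f"{distinct} distinct characters, {needed} required"
    return True, f"{length} characters, {classes} classes, {distinct} unique"


if __name__ == "__main__":
    for pw in ("MNmSdstgdArh", "mN2A3me4t", "Q%4h*wI9", "Abcdefgh", "aAaAaAaAaAaA"):
        print(pw, check_strong_password(pw))
```

Note that the 12-character minimum for two-class passwords is not stated as a separate sentence in the handbook; it follows from the first table row starting at 12, which is why "Abcdefgh" (8 characters, 2 classes) is rejected even though it meets the overall 8-character minimum.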

Thin Client Support


This feature allows you to configure client modules (such as Telnet, Citrix or PubApps) that handle communications from those modules to the proper backend servers. Define a new TCS module with internal name module_name and a description that will appear as an item on the TCS tab page or in the configuration table. The popup and object settings control the appearance of these elements on the user's screen.
Resource Files
Imports a resource file for the specified TCS module. NOTE: one resource may be imported into several virtual sites, but cannot be imported into both a virtual site and global.

SecurID Import
Supply the path (file or URL) of the global SecurID configuration file so that the SPX may import it and clean up the local state accordingly.

NFS Fileshare
Enables or disables the NFS file sharing protocol for the specified virtual site. The administrator may create a link to an NFS/Unix shared directory. Configure the link label, the remote host and path to specify the location of the shared directory. This feature adds the link to every virtual site. On systems deploying WINS, the hostname and the NetBIOS server name must be the same.


Admin Tools Help

Shutting Down/ Restarting the SPX


The SPX will prompt you with an alert to verify the shutdown. Enter YES (case sensitive) to start the shutdown. After a brief 15-second period, users may power off the SPX. You may boot the SPX from a secondary root, if available, by selecting the Fallback option.

Access Control
WebUI Settings
Sets the IP address on which the SPX accepts Web User Interface connections. It is recommended that a management IP and port be used for the WebUI address. The port must be greater than 1024. The default port is 8888.

XMLRPC Settings
This feature enables the XMLRPC function, which allows administrators to access and configure the ArrayOS from remote locations. The default port is 9999.

System License
The system and software license can be changed and updated by entering the correct license code as supplied by Array Networks. It is recommended that users change the current license only when directed to do so by a Customer Satisfaction specialist from Array Networks.

Update
You may update the entire ArrayOS package or just a specific component by supplying the URL destination where the file is located.


Config Management
Running Config/Startup Config
These selections allow administrators to see the entire running configuration (or simply the startup configuration) for the desired SPX. The configuration specifics are broken out by feature.

Nodes/Peers
Define each peers unique name and IP address.

Tasks/Configuration Synchronization
Define which SPX sends configuration information and which SPX receives it. Enter the peer name of the sending SPX. Manually synchronize one or all peers on the network and have the configuration written to memory on the receiving peer(s) with this command. To export this configuration to all recognized peers on the network, enter all for the peer name. Settings that are not synchronized include system IP addresses, IP routes, hostname, mnet, vlan, Webwall, accesslist, accessgroup and the WebUI IP address. At the end of the synchronization, the running configuration of the newly synchronized node is written to disk as the current configuration, which preserves it across reboots.

Saved File
Allows the viewing of configuration specifics from a separate configuration file.

Backup/Load/Clear
Take care when clearing configurations from the SPX and make certain that you clear only those configurations you intend to. These operations clear entire configurations, not specific functions or configuration elements. If you have any questions about clearing a running or saved configuration, contact Array Networks Customer Support. You may load and save files to and from SCP, TFTP and local file locations on your network.

Tasks/ Synchronization Rollback


Resets to a previously synchronized configuration that was sent to peers on the network. The operation affects the receiving peer(s) only; if the peer name is all, every peer previously defined as a synchronization target is affected. This operation is executed from the sending peer. To reset to a previously synchronized configuration that was received from another peer, execute the operation from the receiving SPX, giving the peer name of the SPX where the imported configuration originated.

Synchronization
The synchronization feature allows you to transfer configuration information among separate SPXs on the same network. Using configuration synchronization, you can also setup an Active-Standby configuration for failover support. The basic configuration must be completed before configuring the virtual clustering functionality.


Differences
This feature will highlight configuration differences between the SPX you are currently logged into and the peer you select from the table.

Email
Configure an alert email for reporting issues. Set the log ID, the message of importance, the recipient's email address, the interval between reports, and whether a data report or a count of incidents is sent. For certain message-specific tasks, such as URL Filtering alerts, you may want to set up a dedicated email strategy for notification.

History
To display the last 50 events for a specific peer, you must be logged into the desired peer for this information.

Monitoring
The current logging mechanism used by the SPX is syslog compliant. See Appendix A for a complete list of Syslog Messages.

SNMP
SNMP, Simple Network Management Protocol, is a widely used network monitoring and control protocol. Data is passed from SNMP agents (hardware and/or software processes reporting activity in each network device) to the workstation console used to oversee the network. Up to three SNMP hosts may be configured. NOTE: SNMP traps must be enabled to view graphs on the Array Flight Deck. Enable the feature and define the community string. This string acts as a password controlling access from the NMS to the agent; it may be 0 to 32 characters long and defaults to public. Because the community string is the only credential the agent checks, replace the default with a site-specific value before enabling SNMP. Configure the SNMP contact and location names for each SPX. These strings may be up to 128 ASCII characters long.

Logging
Enable the feature and enable time stamp.

Syslog Servers
Set the log host IP, port and protocol (optional: UDP or TCP). The log host is the remote Syslog server receiving messages. Up to three servers may be configured (all messages will be sent to all servers). Also set the source port (514 is default).

Buffer
Set the log buffer to display the last 100 messages.


Traps
To enable individual traps, choose the desired trap from: castop, coldstart, warmstart, linkdown, linkup, syslog, cpuoverheat, fanfail, sslfail, compressionfail, redundancy.

Name Server Lookup


This operation allows the user to verify the IP address for the given hostname. The information that will be displayed by employing this command includes the server from which the data is pulled as well as the hostname and IP address. Results will be displayed in the given table.

Change Password
To set or change enable level passwords. A password string may be up to 8 characters long. Setting the password to empty string is equivalent to having no password.

SNMP Server
Assign the SNMP server IP, port and community string.

Troubleshooting
Ping
This operation generates a network connectivity echo request directed toward the specified IP address. Results will be displayed in the given table.

Traceroute
This operation traces the route taken by a packet, or by the request for that packet. When the user supplies the IP address in dotted format, the Array SPX displays the devices and network locations traversed on the way to that IP address. Results are displayed in the given table.


Virtual Sites Help


The SPX provides secure remote access to internal resources through one or more virtual sites (up to 256). A virtual site provides a single interface for external users to access internal content. Each virtual site is associated with a domain name and listens on a specified virtual IP address (VIP) and port. With Array's Web Resource Mapping technology, links embedded in HTML and JavaScript content are rewritten so that client HTTP requests are sent to the virtual site instead of directly to internal servers; in essence this allows administrators to hide the internal network architecture by exposing only one domain and IP address to the public Internet. Virtual sites are designed to be configured independently, so that each site has its own portal, SSL settings, AAA methods and servers, file sharing configuration and TCP application services, or to be part of a shared virtual network. Each virtual site also maintains its own table of login sessions (a single user may be logged into several different sites simultaneously, but will have a different session on each site). The ability to configure multiple independent virtual sites provides greater flexibility to expose different sets of internal resources to different types of users; for example, a company might have one virtual site for employees to access Web, file and legacy application resources, and another virtual site for partners to access selected Web resources only.

What you need to know about your network:
Type of Virtual Site: You may create an exclusive or shared virtual site (a license is required for shared sites). Default is exclusive.
SSL Host: The name on the certificate associated with an IP/port for SSL traffic. This host specifies the certificate/key pair and other SSL attributes used for decrypting traffic. This should be the FQDN if you are using the private key generated by the SPX.
Domain Names: All FQDNs for the virtual site.
VIP IP/Port: The virtual site address and port in dotted IP format. Default port is 443.
Virtual Site ID: An identifying name for the virtual site, used to refer to the site in other CLI commands. Note: if the assigned name begins with a numeric character, the string must be framed in double quotes. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +.

Setting Up a Virtual Site


Assign the virtual site a unique identifier, domain name, address and type. Up to 256 virtual hosts may be configured. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +.


Local Database
Assign or create a virtual LocalDB database. The name cannot include the characters space, single quotes (forward and backward), $, (, ), |, \, ;, <, >, ?, /, *, &, or +. Assign users to the database (the number of users is product and license specific). The user name is case sensitive.

Site Configuration Help

General Settings
Only the site administrator is allowed to configure or modify these settings for the virtual site. Since the global administrator created the site and assigned an SSL Host already, the site administrator needs to supply the certificate/key pair for the site and enable SSL.

CSR
Generates a Certificate Signing Request for the specified host. Administrators have the option to make the key exportable and to protect the exportable key with an encryption password for future use. In addition, this operation generates a test certificate for the host. Once this information has been furnished, the SPX supplies the user with a data block that should be copied into an email message to be sent to a certifying body. WARNING: The test certificate generated by the ssl csr command should not be used on production systems; it is for testing purposes only.

SSL Key
This operation allows you to input a private key into ArrayOS, by pasting it or from a TFTP server. The virtual host name is required with every command; the TFTP server IP is required only if keys are being imported via TFTP. Once the user has received the key via email, the user simply needs to "cut and paste" the key supplied by the certification authority into the CLI. ArrayOS can import the key formats used by IIS 5, IIS 4, Netscape iPlanet and Apache web servers via TFTP. To import the key using TFTP, the optional parameter (TFTP server IP) should be specified and the key should be available on the TFTP server with the filename <hostname>.key. Note that this operation can also import unencrypted private keys in PEM format by TFTP, but TFTP is neither authenticated nor encrypted, so an unencrypted private key transferred this way can be read by anyone on the path; this should be avoided.

SSL Certificate
This operation allows you to input a certificate into ArrayOS, by pasting it or from a TFTP server. The host name is required with every command; the TFTP server IP is required only if certificates are being imported via TFTP. Once the user has received the certificate via email, the user simply needs to "cut and paste" the certificate supplied by the certification authority into the window provided, if the certificate is in PEM format. ArrayOS can import the certificate formats used by IIS 5, IIS 4, Netscape iPlanet and Apache web servers via TFTP. To import the certificate using TFTP, the optional parameter (TFTP server IP) should be specified and the certificate should be available on the TFTP server with the filename <hostname>.crt. If the option default is entered, this certificate becomes the default certificate.


Certificates
Paste certificate and key data in the appropriate windows.

Site2Site
Site2Site SSL VPN connectivity is a more secure and flexible alternative to IPSec VPNs. The Site2Site solution gives administrators ease of deployment, no change to their internal networks, and fine-grained access control at the application level. With Site2Site, application access may be bi-directional: either end can initiate the connection, with SSL tunneling on demand or always enabled as a configurable option. Resources (application, host or network) to be published are configured on the SPX on the server-side network. The server-side SPX informs the client-side SPX of the resources to be published. The client-side SPX provisions an available IP address range for the published resource on the client-side network to prevent any network conflicts. The client-side SPX also provisions a fully qualified domain name for each resource and resolves these names to the provisioned IP addresses. Client machines on the remote network are not allowed access to the server-side network; all they see is a virtual application server at the provisioned IP address. By default, an SSL tunnel is established on demand: when the SPX receives traffic destined for a published resource, a secure tunnel is dynamically established. Site2Site also provides an option to maintain a persistent connection; in this case an SSL tunnel is established once the SPX devices on both sites are up, and the tunnel remains open. The range of applications supported is the same in both cases.

Steps
[1] Assign the name ID (up to 20 alphanumeric characters) to the SPX, framing the ID in double quotation marks. Each site2site location (SPX) within this configuration requires a unique site ID.
[2] Assign resources to be shared among the sites. Administrators may define shared site2site resources as host names that must be resolved by the network's DNS, an entire subnet, or a specific service with a defined UDP, ICMP or TCP protocol. For multiple resources on the same internal network, administrators may group these resources.
[3] Establish the peer (or peers) to share the configured resources with. All peer names must match the name ID of the remote SPXs within the site2site configuration. Supply the peer's IP and port to connect to, and choose whether the tunnel is always active (alwayson) or opened on demand (ondemand) for a specific time period (1-1440 minutes, default 5).
[4] Set the resources to be exported to each peer site by supplying the local resource (as set with the resource host command(s) above), the remote peer's site ID, and whether the mapped connection is transparent or NATted for the end user accessing the exported resource.
[5] Configure IP ranges for imported resources and clients (users) so that site2site can map connection requests and service responses. These dedicated ranges are used to avoid IP conflicts when sharing resources.
[6] Set the mapping directives for the clients and servers with respect to the configured ranges from above.
[6.5] To require remote clients to log in before connecting to site2site resources, administrators need AAA enabled. Within the context of site2site, the exporting location responds as a backend server with respect to the client: the client's user name and password (RADIUS, LDAP or LocalDB) are used to gain access to the remote resources just as if they were logging in to the local network.
[7] Set the timeout threshold for closing the site2site connection in seconds (default is 300 seconds, 5 minutes).
Administrators may add access rules to the Site2Site configuration for tighter control over the sharing of resources between peers.
[8] Define the rule to be applied and assign it to the specific resources and the specific clients.
[9] Assign the IP rule with the desired protocol (TCP, UDP or ICMP), priority (the lower the value, the higher the priority), the action of the rule (permit, deny or drop), the destination and source rules for association, and an optional alert log message for when a rule match occurs.
[10] Create policy groups as needed and apply the configured rule to the desired peers.

AAA
The SPX supports authentication with external LDAP, RADIUS, Microsoft Active Directory and RSA SecurID servers, and also provides a local authentication/authorization database (LocalDB) for small to medium-sized installations. Once a virtual site is created, AAA is enabled by default; you may disable AAA on a per-virtual-site basis. If AAA is disabled, users are not required to log in and are instead sent directly to the portal page of the virtual site when Web Resource Mapping is enabled. AAA methods, servers and settings are configured per virtual site. In most cases one AAA method per virtual site is enough, but the SPX allows multiple AAA methods on a single virtual site. This provides flexibility where different users are authenticated by different AAA systems (for example, a small subset of users with LocalDB accounts while the records of other users are stored on an LDAP server). AAA methods must be ranked in order of decreasing precedence: the method with rank 1 has the highest precedence, and at most 4 methods may be ranked. The SPX attempts each user login against the ranked methods in turn until authentication succeeds or all methods have been exhausted. This is transparent to the end user. Note that if SecurID is configured as an AAA method it must have rank 1, since the token codes used by SecurID are time-sensitive.
Use two fields for SecurID credentials
The login page will display a two-field interface for SecurID users.


Use default local group as fallback for LocalDB Authorization
When this feature is enabled and LocalDB is used as an authorization method, the SPX falls back to the default group (if one is configured) when it does not find an account from which to pull authorization data.

AAA Methods
RADIUS
This setting allows the user to establish RADIUS as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4, with 1 being the highest ranking/preference. If no authorization method is deployed, the SPX uses the same RADIUS server for authorization as well as for authentication.

LDAP
This setting allows the user to establish LDAP as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4, with 1 being the highest ranking/preference. If no authorization method is selected, the SPX uses the same LDAP server for authorization as well as for authentication, whereas employing LocalDB, LDAP or RADIUS instructs the SPX to seek authorization from the specified second server.

Active Directory
This setting allows the user to establish AD (Active Directory) as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4, with 1 being the highest ranking/preference. If no authorization method is selected, the SPX performs no authorization, whereas employing LocalDB or LDAP instructs the SPX to seek authorization from the specified second server.

SecurID
This setting allows the user to establish SecurID as the authentication method for the specified virtual site. If no authorization method is selected, no authorization will be performed. If localdb or ldap is specified, the selected mechanism will be used for authorization.

SecurID LDAP
This setting establishes SecurID, with the LDAP password also presented, as the authentication method for the specified virtual site. If no authorization method is selected, no authorization will be performed. If localdb or ldap is specified, the selected mechanism will be used for authorization. LDAP and SecurID user names and passwords need to be exactly the same.

Certificate Anonymous
This setting instructs the SPX to authenticate users by validating their client certificates against an AAA database. The user is not required to log in with a username and password. The selected method must be the first ranked method for authorization.

Certificate Challenge
This setting allows administrators to deploy a two-factor authentication scheme for an additional layer of security. The SPX authenticates users by validating both their client certificates and their login passwords against an AAA database. The selected method must be the first ranked method for authorization.

Authentication Servers

Active Directory
A configured Active Directory authentication server can be used for authentication only. If user-to-group mapping information is to be retrieved from an Active Directory server, it must be configured as an LDAP server.

LDAP
To configure the SPX for LDAP, enter the IP address of the LDAP server (if applicable) with the port, base (LDAP server parameter), user name and password. Administrators may configure up to three LDAP servers per virtual site for redundancy. The exact mechanism for authenticating users varies among LDAP server implementations. Most standard LDAP servers, including iPlanet and OpenLDAP, return the user's password as a cryptographic one-way hash when this attribute is requested. (Note: certain LDAP servers, i.e. iPlanet, will not return the user's password attribute when queried anonymously. The user name and password in LDAP may be empty strings if anonymous bind is permitted.) Some proprietary LDAP implementations do not publish this password hash. For these servers, the SPX must identify the user's Distinguished Name (DN) before the user can be authenticated. The SPX gives the administrator two ways to construct the user's DN. If all users are direct descendants of a single node in the LDAP directory tree (i.e. if the users' DNs are identical except for the username portion), the DN can be constructed statically by concatenating the strings <dn_prefix> <USER_NAME> <dn_suffix>, where <USER_NAME> is the username used to log into the SPX. For example, if the DNs are cn=joe, ou=Eng, o=example.com and cn=john, ou=Eng, o=example.com, then the administrator should configure <dn_prefix>=cn= and <dn_suffix>=, ou=Eng, o=example.com.

LocalDB
This setting allows the user to establish LocalDB as the authentication method for the specified virtual site. Rank the AAA methods for the virtual site in order of decreasing preference. Rankings must be 1-4, with 1 being the highest ranking/preference. If no authorization method is deployed, the SPX uses LocalDB for authorization as well as for authentication.

Authorize Only
This setting allows the administrator to use an AAA method that skips authentication and applies the authorization policies defined for the default LocalDB group to all users. No login page is presented to the end user, and all sessions are anonymous. This method must be the only ranked method configured. Session reuse must be disabled when this method is configured.

Authorization Servers
The SPX allows you to define policies for restricting any users access to internal network resources. For example, these policies may restrict the internal URLs that users can browse, the internal IP addresses and ports they can connect to, and the client IP addresses they can log in from.

RADIUS
The SPX is compatible with common RADIUS servers such as Microsoft RADIUS Server and Cistron. Enter the RADIUS server's IP address, port (default 1812), number of retries, timeout period (default 5 seconds) and the shared secret. The secret string must match the shared secret configured on the RADIUS server for the SPX's IP address as seen by the RADIUS server. Up to three RADIUS servers may be configured for redundancy. If the SPX receives no response from a server after exhausting the configured number of retries, it attempts to authenticate with the next configured RADIUS server. If the SPX fails to authenticate with the server(s), it selects the next AAA method when one is configured. This is transparent to the end user. It is the administrator's responsibility to ensure that user accounts and attributes are synchronized across redundant servers.
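The following is an added example, not code from the handbook or from Array Networks, simulating the method ranking described under AAA together with the RADIUS retry and server failover behaviour described just above. Servers are constructed stand-ins (a callable returning accept, reject or no response); nothing is sent on the network. The handbook does not say whether an explicit reject from one RADIUS server causes the next server to be tried, nor whether "retries" includes the first request; the assumptions made here are stated in the docstring.

```python
"""AAA method ranking with RADIUS server failover (added example, not
Array's code). Servers are constructed stand-ins: a callable returning
"accept", "reject" or None (no response). No network traffic is sent.

Assumptions the handbook does not state: retries count retransmissions
after the first request; an explicit reject from a server is final for
that method (the next server is tried only when a server does not
answer); a method whose servers are all unreachable is treated as failed
and the next ranked method is tried.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Responder = Callable[[str, str], Optional[str]]   # (user, password) -> "accept" | "reject" | None


@dataclass
class AuthServer:
    name: str
    retries: int
    respond: Responder


@dataclass
class AAAMethod:
    name: str               # radius, ldap, ad, localdb, securid, ...
    rank: int               # 1 = highest precedence
    servers: List[AuthServer]


class AAAConfigError(ValueError):
    pass


def ranking_error(methods: List[AAAMethod]) -> Optional[str]:
    """Rank 1..N with N <= 4, no gaps, and SecurID only at rank 1."""
    if not 1 <= len(methods) <= 4:
        return "a virtual site ranks between 1 and 4 methods"
    if sorted(m.rank for m in methods) != list(range(1, len(methods) + 1)):
        return "ranks must be 1..N without gaps or duplicates"
    for m in methods:
        if m.name == "securid" and m.rank != 1:
            return "SecurID token codes are time-sensitive; it must be rank 1"
    return None


def try_method(method: AAAMethod, user: str, password: str, trace: List[str]) -> bool:
    for server in method.servers:
        for attempt in range(1, server.retries + 2):   # first request + retries
            answer = server.respond(user, password)
            if answer is None:
                trace.append(f"{method.name}/{server.name}: attempt {attempt} no response")
                continue
            trace.append(f"{method.name}/{server.name}: {answer}")
            return answer == "accept"                   # reject is final for this method
        trace.append(f"{method.name}/{server.name}: unreachable, trying next server")
    return False


def authenticate(methods: List[AAAMethod], user: str, password: str
                 ) -> Tuple[bool, Optional[str], List[str]]:
    """Walk the methods by rank until one accepts; returns (ok, method, trace)."""
    error = ranking_error(methods)
    if error:
        raise AAAConfigError(error)
    trace: List[str] = []
    for method in sorted(methods, key=lambda m: m.rank):
        if try_method(method, user, password, trace):
            return True, method.name, trace
    return False, None, trace


def example_methods() -> List[AAAMethod]:
    """Constructed site: the primary RADIUS server is down, the backup
    rejects everyone, and a LocalDB holds a single made-up account."""
    silent = lambda user, password: None
    reject_all = lambda user, password: "reject"
    local_accounts = {"alice": "s3cret-pw"}
    localdb = lambda user, password: "accept" if local_accounts.get(user) == password else "reject"
    return [
        AAAMethod("radius", 1, [AuthServer("radius-primary", 2, silent),
                                AuthServer("radius-backup", 2, reject_all)]),
        AAAMethod("localdb", 2, [AuthServer("localdb", 0, localdb)]),
    ]


if __name__ == "__main__":
    ok, method, trace = authenticate(example_methods(), "alice", "s3cret-pw")
    print(ok, method)
    print("\n".join(trace))
```

The trace for the sample shows the two different fall-through paths the handbook describes: three unanswered attempts to radius-primary (one request plus two retries) move the SPX to radius-backup, and the reject there moves it to the next ranked method, where LocalDB accepts. Nothing in this is visible to the user, which is exactly why it is worth watching server reachability on the RADIUS side: a silently dead primary adds the full retry-times-timeout delay to every login.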

LDAP
To configure an SPX for LDAP authorization, enter the IP address of the LDAP server (if applicable) with the port, base (LDAP server parameter), user name and password. Configure the LDAP search filter so that only authorization records are retrieved. The <filter> argument is a single string, e.g. "cn=<USER>", where <USER> matches the login username. By default, a filter of "uid=<USER>" will be used. Please note that "<USER>" is the only token allowed in the filter and must occur at least once in the filter.

RADIUS
Configuring the SPX for separate RADIUS authorization is very similar to configuring the SPX for RADIUS authentication. Input the necessary IP address and port, as well as the RADIUS secret string, timeout period and the number of retries that are to be performed.

Accounting
This feature enables or disables the RADIUS accounting functionality. With this feature enabled, an authenticated session will begin once the RADIUS server confirms reception of the START record.


Portal Themes
The SPX provides portal pages that allow your users to access protected content easily and securely. After users authenticate using the SPX login page, they are presented with a welcome page that serves as a "jumping off" point for accessing all of the internal content available through the SPX. The appearance of the portal page can be customized in several ways. Each virtual site may have its own independent portal page. The SPX also allows custom portal page themes to be imported and served directly from the SPX itself.

The Portal Theme feature presents a method for web developers to include dynamic SPX data in a static HTML page. By including special tags in the developed webpage content, the developer instructs the SPX to replace those tags with various dynamic content. Using these tags, customers may design their own custom portal pages while still taking advantage of SPX security capabilities. The developer of the HTML content for the custom portal pages inserts tags, such as Web Links or L3VPN Client, and when the SPX encounters these tags it replaces them with the actual referenced content. Where previously the SPX only supported custom login, logout and error portal pages, Portal Themes gives the customer the flexibility to completely customize their portal pages. (Note: The SPX imports HTML pages and supports dynamic tags; the actual HTML coding and deployment of these tags is completed separately from the SPX configuration.)

The portal theme creation process has little to do with the SPX itself. The custom HTML page(s) must be created first, and then each HTML page must be imported to the SPX. Once these HTML files have been imported they are preserved across reboots and protected/copied during system upgrades. Since the SPX is not a full web server, there are certain limitations, including:

Foreign Language Support
The SPX supports a fixed set of languages: English, Chinese, Japanese, and Korean. The non-English languages are encoded using a variety of character sets, e.g. UTF-8 and ShiftJIS. If the portal language is set to one of these languages and encodings, the imported content must also be of that same encoding. The HTTP response for non-binary portal theme pages will carry Content-Language and Content-Type headers; these character set values are automatically inserted. If the actual portal theme page content is of a different encoding, the browser may not display the page properly.

HTML
In order to parse the custom portal content to find all embedded objects, the SPX requires that all code conform strictly to the standard W3C syntax.

JavaScript
Any JavaScript included on or in the custom portal pages must not dynamically generate additional embedded content. Dynamically generated links may be allowed because they will be handled by the JavaScript rewrite feature of the SPX.

HTML Components (HTC)
The SPX requires that HTC files not generate or contain embedded content themselves.

Flash/ActiveX/Java Applets
This category of embedded content is allowed as long as the objects do not contain internal references to additional files. Flash files must not reference additional Flash resources, ActiveX objects must not download additional objects, and Java Applets must contain all required class files inside the JAR/CAB archive. In the event that an ActiveX object or Java Applet needs to make connections to internal servers, the relevant hostnames and URLs must be stored using PARAM tags. See the rewrite param command in the CLI Handbook for the configuration used to properly rewrite these values and allow the object to work through the SPX.

Creating Portal Themes

When creating the custom portal page, the developer will have to use a series of SPX specific tags within the HTML code. These tags alert the SPX to place preconfigured elements onto the portal pages based exclusively on the credentials of the user logging in to the specific site. That is, when an account logs in through the SPX, only the files/applications that the account is approved to use or view are exposed on the portal to that user.

This is a list of SPX specific tags to be used within the HTML code for the custom portal page, together with the corresponding feature and/or CLI command on the SPX that needs to be configured to support the custom page. When tags support attributes, those values need to be placed within the tag brackets. For example, the tag <_AN_web_links cols=2> needs to be included in the HTML code to present the configured web links in two columns. Additionally, on the SPX the CLI command portal link <URL> <link_text> <position> needs to be used for each link to be listed on the custom page. The illustration below shows three web links added to the custom page as called for by the web link tag; (1) represents the tag location as shown before SPX configuration and (2) shows the populated links.

[Illustration: (1) the <_AN_web_links> tag location in the custom page before SPX configuration; (2) the three populated web links]

Supported HTML Tags and Related SPX Configuration Requirements

<_AN_browse>
The browse input/button from the default portal page, used for browsing to an arbitrary URL through the SPX.
Attributes (optional): class=class: Specify a style sheet class for the button/input text.

The list tags that follow share these attributes. All options are optional and may be omitted:
rows=# or cols=#: How many rows or columns to organize the links into. Only one can be specified. The default portal page is equivalent to cols=2.
class=class: Specify a style sheet class for the links.
bullet=url: Specify an image to use as a bullet icon.
denied=text: Specify text to be used if no links are configured or permitted.

<_AN_web_links>
The ACL filtered list of configured portal links. Attributes: rows/cols, class, bullet, denied.
Related SPX configuration: portal link <URL> <link_text> <position> for each link to be listed.

<_AN_fileshare_links>
Presents a list of the shared files. Attributes: rows/cols, class, bullet, denied.

<_AN_clientapp_list>
The ACL filtered list of configured clientapp services. Attributes: rows/cols, class, bullet, denied.

<_AN_winredir_list>
The ACL filtered list of configured clientapp winredir ip/exe entries. Attributes: rows/cols, class, bullet, denied.

<_AN_tcs_links>
The ACL filtered list of configured TCS modules. Attributes: rows/cols.

<_AN_fileshare_content>
The relevant fileshare content will be inserted. This tag is only valid for the page configured using the keyword fileshare.
Attributes: There are no options for this tag.
Related SPX feature: The fileshare feature needs to be enabled.

<_AN_autolaunch>
The HTML and JavaScript needed to initiate the Autolaunch for L3VPN or Clientapp.
Related SPX feature: The desired Autolaunch needs to be enabled.

<_AN_clientapp_object>
Displays the relevant Clientapp object (ActiveX or Java Applet).
Related SPX feature: The clientapp feature must be enabled.

<_AN_l3vpn_activex>
The L3VPN ActiveX object.
Related SPX feature: The VPN feature must be enabled.

<_AN_tcs_module>
Embeds a TCS module.
Attributes: The name attribute is required for this tag. name=name: Specify the specific TCS module to insert.
Related SPX feature: The TCS feature must be enabled.

<_AN_title>
Inserts a context sensitive title for some pages. Only valid for the pages labeled info, login, tcs_page and autolaunch.

<_AN_heading>
Inserts a context sensitive header for some pages. Only valid for the pages labeled info, tcs_page and autolaunch.

<_AN_message>
Inserts a context sensitive message for some pages. Only valid for the pages labeled info, login and autolaunch.

In addition, the following JavaScript tags are supported in the same manner as the HTML tags described above:

<_AN_web_links_var>
An array of ACL filtered web link objects containing the text and URL for each link.

<_AN_fileshare_links_var>
An array of ACL filtered fileshare link objects containing the text and URL for each link.

<_AN_tcs_links_var>
An array of ACL filtered TCS link objects containing the text and URL for each link.

<_AN_clientapp_list_var>
An array of ACL filtered clientapp services.

<_AN_winredir_list_var>
An array of ACL filtered clientapp winredir ip/exe entries.

<_AN_clientapp_launch_script>
The required JavaScript functions for clientapp operations.


The following variables are available through arrayinclude.js:

AN_passchange_enabled
Whether or not the password change link should appear on the welcome page. (true/false)

AN_passchange_href
The URL of the password change link.

AN_l3vpn_enabled
Whether or not L3VPN is enabled. (true/false)

AN_clientapp_enabled
Whether or not clientapp is enabled. (true/false)

AN_fileshare_enabled
Whether or not filesharing is enabled. (true/false)

AN_thinclient_enabled
Whether or not TCS is enabled. (true/false)

AN_links_open_in_new_windows
Whether or not links clicked from the portal page should open in new windows. (true/false)

AN_tcs_module_list
This Javascript array lists all configured TCS modules. Each entry is indexed by the module name, and contains the following fields:
moduleName: the TCS module name
embedStr: the HTML code needed to embed the TCS module in the page
moduleDesc: a short description of the module
For example, document.write(AN_tcs_module_list["pubapp"].embedStr); will embed the TCS module named "pubapp" in the page.

AN_weblinks_list
Javascript array containing all the configured web links. Each entry has two fields:
href: the URL of the link
description: the description of the link

AN_fileshare_links_list
Javascript array containing all the configured fileshare links. Each entry has two fields:
href: the URL of the fileshare page
description: the description of the fileshare
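The following is an added example, not Array Networks code and not part of arrayinclude.js, that builds the web links list on a custom theme page from AN_weblinks_list and AN_links_open_in_new_windows (the Portal Themes FAQ notes that the "Open links in new window" option only applies to the default page, so a theme page must honour it itself). The cssClass parameter and the SAMPLE_LINKS data are constructed for this example.

```javascript
// Added example (not Array Networks code and not part of arrayinclude.js):
// builds the web links list on a custom theme page from AN_weblinks_list and
// AN_links_open_in_new_windows. The cssClass parameter and the sample data
// below are constructed for this example.

// Escapes text for an HTML context, so that a link description or URL
// containing markup characters cannot inject elements into the portal page.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Only http(s) and site-relative URLs are rendered; other schemes are dropped.
function isAllowedHref(href) {
  return /^(https?:\/\/|\/)/i.test(String(href));
}

// Returns {html, count}: the markup for a <ul> of links and how many were kept.
// openInNewWindows mirrors AN_links_open_in_new_windows.
function renderWebLinks(links, openInNewWindows, cssClass) {
  var target = openInNewWindows ? ' target="_blank" rel="noopener noreferrer"' : '';
  var html = '<ul' + (cssClass ? ' class="' + escapeHtml(cssClass) + '"' : '') + '>';
  var count = 0;
  for (var i = 0; i < links.length; i++) {
    var link = links[i];
    if (!link || !isAllowedHref(link.href)) continue;   // skip malformed entries
    html += '<li><a href="' + escapeHtml(link.href) + '"' + target + '>' +
            escapeHtml(link.description) + '</a></li>';
    count++;
  }
  return { html: html + '</ul>', count: count };
}

// Constructed entries in the shape arrayinclude.js documents: href, description.
var SAMPLE_LINKS = [
  { href: 'http://intranet.corp.internal/', description: 'Intranet <Home>' },
  { href: 'https://wiki.corp.internal/', description: 'Wiki & Docs' },
  { href: 'javascript:void(0)', description: 'not a web link' }
];

// In a theme page (after loading arrayinclude.js) the result is written into a
// placeholder element, e.g. document.getElementById('links').innerHTML =
//   renderWebLinks(AN_weblinks_list, AN_links_open_in_new_windows).html;
if (typeof document === 'undefined') {
  console.log(renderWebLinks(SAMPLE_LINKS, true, 'portal').html);
}
```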


Importing the Portal Themes

The package file must be a ZIP format archive. It must have at its base level a file named index.txt that lists all theme object resources included in the theme package. The listing consists of multiple lines of the form:

<keyword> <object name>/<filename> <file_type>

These fields correspond to the fields in the portal theme object command (discussed in the Configuration section below). The directory layout for the files must correspond to this listing, i.e. there must be a subdirectory named <object name> containing <filename> and all associated resources. All filenames and path names must be standard ASCII characters; multi-byte characters are not supported. Make sure the links point to the appropriate directories.

The valid values for <keyword> are:

autolaunch: The page for auto launching the Application Manager and L3VPN.
choose_site: The root page for shared virtual sites.
clientapp: The Application Manager template page.
fileshare: The template page for fileshare operation pages.
fshare_auth: The user credential page for authenticating to fileservers.
info: The template page for information and error pages.
hostcheck: A default page for Host Integrity check failures.
antivirus: Host Check antivirus rule failure page.
personalfw: Host Check personal firewall rule failure page.
servicepack: Host Check service pack rule failure page.
customrule: Host Check custom rule failure page.
login: The login page.
logout: The logout page.
new_pin: The page for SecurID new pin selection.
next_token: The page for SecurID next token mode.
passchange: The page for changing a user's LocalDB password.
tcs_page: The Thin Client template page.
welcome: The welcome portal page.
custom: An arbitrary resource not associated with any default portal page.

The valid file types for the <file_type> parameter are: html, css, js, htc, xml, text and binary. Each <theme name> and <object name> may be at most 20 characters long and may contain only the ASCII characters a-z, A-Z, 0-9, ., - and _. All other characters are restricted. Any portal page not assigned a custom object will remain the default page.

Q: I want to dynamically load a resource (for example, an image file) through Javascript, but when I import the object, the external resource is not imported by the SPX.
A: The SPX will only import statically defined resources. You can work around this in one of two ways:
1. Create a theme zip package and put all necessary resources into the appropriate directory.
2. Define a hidden element in your HTML file containing the external resources you need. For example, <div style="display:none;"> <img src="up.gif"> <img src="down.gif"> </div> may be used to force the SPX to import the files "up.gif" and "down.gif".
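An offline check of a theme package against the index.txt, keyword, file type and naming rules above, together with the world-readable requirement from the FAQ, can catch import problems before the upload. The following is an added example, not Array Networks code; the archive listing and index.txt text are constructed sample data, and a real run would read both from the ZIP file with a ZIP library of your choice.

```javascript
// Added example (not Array Networks code): an offline check of a portal theme
// package against the index.txt and naming rules in the handbook. The archive
// listing and index.txt text below are constructed sample data.

var PAGE_KEYWORDS = [
  'autolaunch', 'choose_site', 'clientapp', 'fileshare', 'fshare_auth', 'info',
  'hostcheck', 'antivirus', 'personalfw', 'servicepack', 'customrule', 'login',
  'logout', 'new_pin', 'next_token', 'passchange', 'tcs_page', 'welcome', 'custom'
];
var FILE_TYPES = ['html', 'css', 'js', 'htc', 'xml', 'text', 'binary'];
// <object name>: at most 20 characters, only a-z, A-Z, 0-9, ".", "-" and "_"
var OBJECT_NAME_RE = /^[A-Za-z0-9._-]{1,20}$/;
// all filenames and path names must be plain ASCII
var ASCII_RE = /^[\x20-\x7e]+$/;

// Parses index.txt into {entries, errors}; each entry is one
// "<keyword> <object name>/<filename> <file_type>" line.
function parseIndex(text) {
  var entries = [], errors = [];
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    if (line === '') continue;
    var fields = line.split(/\s+/);
    var path = fields[1] || '';
    var slash = path.indexOf('/');
    if (fields.length !== 3 || slash <= 0 || slash === path.length - 1) {
      errors.push('line ' + (i + 1) + ': expected "<keyword> <object name>/<filename> <file_type>"');
      continue;
    }
    entries.push({ line: i + 1, keyword: fields[0], objectName: path.slice(0, slash),
                   fileName: path.slice(slash + 1), fileType: fields[2] });
  }
  return { entries: entries, errors: errors };
}

// archive: array of {name, mode}, one per ZIP member, where name uses "/"
// separators and mode holds the Unix permission bits stored in the archive.
// Returns a list of problems; an empty list means the package passes.
function validateTheme(indexText, archive) {
  var parsed = parseIndex(indexText);
  var problems = parsed.errors.slice();
  var members = {};
  archive.forEach(function (m) {
    members[m.name] = true;
    if (!ASCII_RE.test(m.name)) {
      problems.push('non-ASCII path in archive: ' + JSON.stringify(m.name));
    }
    // "Permission denied" FAQ: every file must be world-readable (o+r).
    if (typeof m.mode === 'number' && (m.mode & 0o004) === 0) {
      problems.push(m.name + ': not world-readable (run chmod -R a+r before zipping)');
    }
  });
  if (!members['index.txt']) problems.push('index.txt missing at the base level');
  parsed.entries.forEach(function (e) {
    var where = 'line ' + e.line + ': ';
    if (PAGE_KEYWORDS.indexOf(e.keyword) < 0) problems.push(where + 'unknown keyword ' + e.keyword);
    if (FILE_TYPES.indexOf(e.fileType) < 0) problems.push(where + 'invalid file_type ' + e.fileType);
    if (!OBJECT_NAME_RE.test(e.objectName)) problems.push(where + 'bad object name ' + e.objectName);
    var member = e.objectName + '/' + e.fileName;
    if (!members[member]) problems.push(where + member + ' not found in archive');
  });
  return problems;
}

// Constructed sample package: one valid entry, one with a disallowed
// file_type, one whose file is absent, one object name that is too long,
// and one member that is not world-readable.
var SAMPLE_INDEX = [
  'welcome welcome_obj/welcome.html html',
  'login login_obj/login.html php',
  'custom img/logo.gif binary',
  'info this_object_name_is_too_long/info.html html'
].join('\n');
var SAMPLE_ARCHIVE = [
  { name: 'index.txt', mode: 0o644 },
  { name: 'welcome_obj/welcome.html', mode: 0o644 },
  { name: 'login_obj/login.html', mode: 0o600 },
  { name: 'this_object_name_is_too_long/info.html', mode: 0o644 }
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(validateTheme(SAMPLE_INDEX, SAMPLE_ARCHIVE).join('\n'));
}
```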

Portal Themes FAQ


Q: Why is it that when the SPX serves my HTML file, it gets cut off somewhere in the middle? A: This may happen if your HTML is malformed. Check your file for improperly closed HTML tags or invalid Javascript.

Q: Why is the custom bullet icon I specified for an SPX-generated table not showing up?
A: If you specify a tag with a custom icon, also specify an invisible div to force the SPX to import the image file:

<_AN_web_links bullet="image.gif">
<div style="display:none;"> <img src="image.gif"> </div>

Q: How do I apply a CSS style to an HTML DOM element generated by the SPX box if it doesn't have a unique class or id?
A: You can enclose the SPX tag (such as <_AN_web_links>) inside a div with a unique id, and then apply the CSS style to the HTML element by referencing the unique id. For example:

<html>
<head>
<style type="text/css">
#invisible_links table { display:none; }
</style>
</head>
<body>
<div id="invisible_links">
<_AN_web_links cols="2">
</div>
<hr>
</body>
</html>

This will apply the specified style (which makes the table invisible) to the table generated by the <_AN_web_links> tag.

Q: How do I include the configured portal logo in my custom page?
A: <img src="http://localhost/images/lock_logo.gif">

Q: Why doesn't the <_AN_autolaunch> tag work as expected on the autolaunch page?
A: You need to explicitly call the javascript function start_everything_up() to start the client. For the autolaunch page, the following code works:

<body onload="start_everything_up();">


Q: Why does the <_AN_l3vpn_activex> tag immediately launch the L3 VPN client without waiting for the user to start it manually?
A: The tag embeds the ActiveX control directly into the page. If you do not want it to start automatically, you may use Javascript to delay loading it until the user performs some action.

Q: Why does the "Open links in new window" option not take effect with the <_AN_web_links> tag?
A: That option is only valid for the default web links in the non-customized page. If you wish to have that option take effect for portal theme pages, query the AN_links_open_in_new_windows variable and then use the AN_weblinks_list array provided in arrayinclude.js to access the links with Javascript and build the links manually.

Q: How do I make the choose_site page work?
A: Your form must submit the "site_id" option to "/choose_site". The following form is an example:

<form action="/choose_site" method="POST">
<table cellspacing=10>
<tr>
<td align="right" class="usermessage">Virtual Site Name:</td>
<td>
<input type="text" name="site_id" size="20" maxlength="40">
</td>
<td>&nbsp;&nbsp;
<input class="usermessage" name="option" type=submit value="Go">
</td>
</tr>
</table>
</form>

Q: How do I make the <_AN_clientapp_object> work the same as on the default Array VPN Portal?
A: The following code is required:

<body onload="object_init(); self.blur();" onbeforeunload="return do_ms_alert();" onunload="do_cleanup();">

Q: How do I make the fshare_auth page work?
A: You must manually include the following Javascript function so that it is available in your page:

function AN_inserturlvalue(formid) {
    // locate the authorization form by its DOM id
    var myform = document.getElementById(formid);
    if (myform == null) return;
    // the SPX passes the backend URL in the query string as ?url=http...
    var result = location.search.match(/^\?url=(http.+)$/);
    if (result == null) return;
    // hand the backend URL back to the SPX as a hidden backend_info field
    var myinput = document.createElement('input');
    myinput.setAttribute('type', 'hidden');
    myinput.setAttribute('name', 'backend_info');
    myinput.setAttribute('value', unescape(result[1]));
    myform.appendChild(myinput);
}

You must then call this function and pass it the HTML DOM element id of the authorization form on the page. For example, if the login form is:

<form id="authform" method="post" action="http://localhost/fshare_auth">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="uname"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="pwd"></td>
</tr>
<tr>
<td>Workgroup/Domain:</td>
<td><input type="text" name="domain"></td>
</tr>
<tr>
<td>
<input type="submit" name="option" value="Sign In">
&nbsp;&nbsp;
<input type="submit" name="option" value="Cancel">
</td>
</tr>
</table>
</form>

then the relevant id is 'authform', and you have to call AN_inserturlvalue('authform'). You must call this function only after the page has fully loaded. The easiest way to do that is to call it from the onload handler for the body HTML tag. Here is a full example:

<html>
<head>
<script>
function AN_inserturlvalue(formid) {
    var myform = document.getElementById(formid);
    if (myform == null) return;
    var result = location.search.match(/^\?url=(http.+)$/);
    if (result == null) return;
    var myinput = document.createElement('input');
    myinput.setAttribute('type', 'hidden');
    myinput.setAttribute('name', 'backend_info');
    myinput.setAttribute('value', unescape(result[1]));
    myform.appendChild(myinput);
}
</script>
</head>
<body onload="AN_inserturlvalue('authform');">
<form id="authform" method="post" action="http://localhost/fshare_auth">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="uname"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="pwd"></td>
</tr>
<tr>
<td>Workgroup/Domain:</td>
<td><input type="text" name="domain"></td>
</tr>
<tr>
<td>
<input type="submit" name="option" value="Sign In">
&nbsp;&nbsp;
<input type="submit" name="option" value="Cancel">
</td>
</tr>
</table>
</form>
</body>
</html>

Q: Why do I sometimes see an unexpected host check page (for example, the antivirus page when a customrule page was expected)?
A: The Symantec On-Demand agent may sometimes redirect the browser to a failure page that does not exactly correspond to the actual rule that failed. As long as you have configured each of the host check pages (hostcheck, antivirus, personalfw, servicepack, customrule), one of them is guaranteed to trigger on host check failure.

Q: Why do I sometimes see "Permission denied" errors for custom pages when I import a theme in SPX 8.0?
A: Make sure that the file permissions in the theme zip file allow the file to be world-readable. If you are on a Unix system, make sure to run chmod -R a+r * in the topmost theme files directory before creating the zip file.

Q: How can I include the appropriate Thin Client on the custom tcs_page?
A: You will need to parse the URL value in order to get the tcs module name and then include it in the page. In the <head> section of your HTML file, do the following:

<script src="/prx/000/http/localhost/arrayinclude.js"></script>
<script>
function AN_insertTCS() {
    // the SPX passes the module name in the query string as ?module=<name>
    var result = location.search.match(/^\?module=(.+)$/);
    if (result == null) return;
    // only embed modules that are actually configured on the SPX
    var module = AN_tcs_module_list[result[1]];
    if (!module) return;
    document.write(module.embedStr);
}
</script>

Then, call the function AN_insertTCS() where you want the thin client module to be placed. Here is a complete example:

<html>
<head>
<script src="/prx/000/http/localhost/arrayinclude.js"></script>
<script>
function AN_insertTCS() {
    var result = location.search.match(/^\?module=(.+)$/);
    if (result == null) return;
    var module = AN_tcs_module_list[result[1]];
    if (!module) return;
    document.write(module.embedStr);
}
</script>
</head>
<body>
<script>
AN_insertTCS();
</script>
</body>
</html>

Q: I imported arrayinclude.js, but it's not working. What do I do?
A: If <script src="http://localhost/arrayinclude.js"></script> isn't working, try

<script src="/prx/000/http/localhost/arrayinclude.js"></script>

Security Settings
Session Limit per User
This operation allows site administrators to limit the number of concurrent sessions per unique login username, if the global administrator has disabled session reuse for the site.

Idle Session Timeout
This operation allows administrators to set the time that may pass before the SPX terminates an idle connection. The default is 36,000 seconds.

Maximum Session Lifetime
The session lifetime is the cumulative time that a session is allowed to stay open. The default is 86,400 seconds (24 hours).

Enable Twostage Security
Enable or disable fallback to the default location when host integrity fails on the primary location.

Expiration Timer
This operation allows the user to set the expiration timer for Persistent Desktop.

Enable Background Color
This operation allows the user to enable customization of the background color. Color selection is made through the virtual desktop WebUI.


Background Image
This operation allows the user to import a custom background image for the Virtual Desktop. Only .BMP format images are supported.

administrator may specify whether clients are allowed to browse to non-configured Web sites and file shares using the SPX navigation bars. By default the browse option is disabled.

Import/Export Settings
Configure the Security Manager export settings, either TFTP or SCP. When users log in, the AESA will be imported by the client from this specific location and protocol.

SSL Settings
SSL Protocol Support
This selection allows the user to change or set the SSL version supported by the appliance. SSLv3 and TLSv1 are supported. Users may enter either of these versions, or all of them by entering ALL in the parameter field. NOTE: Users cannot make changes to an SSL Host (host) while SSL is engaged.

Client Authentication
When enabled for SSL port forwarding, the SPX will present a certificate to the server when requested. The certificate to be presented may be imported through the Import Cert/Key page. You may also specify a subject filter so that client authentication succeeds only when the subject of the client certificate matches the configured filter rule. Subject filtering is an optional configuration. The subject filter must contain one or more entries of the form field = value. Spaces on either side of = are ignored. Multiple entries are separated by blank space, a comma or both. Each field may optionally begin with /. Supported fields include C, ST, L, O, OU, CN, T and E (or email); please note that these entries are not case sensitive.

Certificate Revocation Lists
Users may specify a CRL to be used with client authentication. These lists can be downloaded from the

Access Levels and Locations
Configure client locations and security level (none, low, medium or high). An Access Level of none restricts all access of the remote user. An Access Level of low allows the remote user to access the web locations (WRM) as configured. An Access Level of medium permits remote users to access web locations (WRM), file sharing privileges, TCP Applications based on the administrator's existing configuration, and Thin Client Support (TCS). The Access Level of high allows remote users to access web locations (WRM) with arbitrary URL browsing, file sharing privileges with arbitrary browsing, TCP Applications, Thin Client Support (TCS) and VPN access. (Note: The location name entered here needs to correspond to those configured using the Sygate On-Demand Manager GUI.)

Security Privileges
When an administrator creates a custom access level via the client security level command, use this operation to assign the specific privileges to be associated with the access level created. With the "browse" option, the


specified CRL Distribution Point (based on the configured name and URL) at the desired time interval (1-24 hours). This time interval is specified in the CRL Refresh parameter. HTTP and FTP are the supported protocols for fetching the CRL files. This operation is not available for SSL Backend.

Cipher Suites
This operation sets the minimum key size. If a browser connecting to this host does not support the required encryption strength, it will be redirected to the specified URL. Starting with the 8.0 release, cipher suites utilizing a key length of less than 128 bits are disabled by default. Supported ciphers include: AES256-SHA, AES128-SHA, RC4-MD5, RC4-SHA and DES-CBC3-SHA. On FIPS enabled SPX systems, supported ciphers include: AES256-SHA, AES128-SHA, RC4-MD5, RC4-SHA and DES-CBC3-SHA. The SPX cipher suite names with their standard names and descriptions are:

SPX Cipher Name: AES256-SHA; Standard Name: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035); Description: 256-bit AES with SHA
SPX Cipher Name: AES128-SHA; Standard Name: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f); Description: 128-bit AES with SHA
SPX Cipher Name: RC4-MD5; Standard Name: TLS_RSA_WITH_RC4_128_MD5 (0x0004); Description: 128-bit RC4 with MD5
SPX Cipher Name: RC4-SHA; Standard Name: TLS_RSA_WITH_RC4_128_SHA (0x0005); Description: 128-bit RC4 with SHA
SPX Cipher Name: DES-CBC3-SHA; Standard Name: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a); Description: 168-bit Triple-DES with SHA
SPX Cipher Name: DES-CBC-SHA; Standard Name: TLS_RSA_WITH_DES_CBC_SHA (0x0009); Description: 56-bit DES with SHA *
SPX Cipher Name: EXP-RC4-MD5; Standard Name: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003); Description: 40-bit RC4 with MD5 *
SPX Cipher Name: EXP-DES-CBC-SHA; Standard Name: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008); Description: 40-bit DES with SHA *

Local Users & Groups Help

The SPX allows you to create specific groups of users and authorize only specified content points on the network for these groups. This way, for example, administrators may set up separate, specific network destinations for the sales department and the marketing group, while granting executive staff access to both.

Local User
This operation allows the administrator to assign an individual an account name and password, and bind that individual to an NFS ID and NFS group if desired. The user name is case sensitive.

Force Password Change
This operation forces the first-time user to reset their password.

Internal IP and Netmask
This operation allows the administrator to assign static IP


addresses and netmasks to specific accounts.

Local Groups
This operation allows the user to establish a group of accounts. You need to have a group created before you can assign accounts to the group.

Netpools
This option allows administrators to assign/map local DB groups to net pools. Administrators may only assign one net pool to a specified group. If you will be deploying VPN and net pools, then you will need to assign the group to a netpool.

attempts exceeds the lockout threshold (values are between 1 and 999, with a default value of 10), the account is locked out for a configured duration (equal to or greater than 5 seconds; the default is to hold the record until the SPX is rebooted). A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for that account expires.

Access Methods Help

Web Access
Web Links
Configure any active links on the portal page with text and URL destination. Optionally you may enter a value for the link position, in ascending order. If no order is specified, links will be listed in the order they were created. Note that any given user will only see those links that are permitted by their ACLs. Up to 1,000 portal links can be defined for each virtual site.

Portal Page URL Bar
This feature option is for a URL bar to be displayed on the SPX-generated portal page for the specified virtual site. This allows users to navigate to any arbitrary internal URL. This operation is not applicable if a custom portal page is configured for the virtual site. Note that the URL bar cannot be enabled if URL masking is enabled.

Portal Navigational Tool
This feature allows the user to set a navigation tool to appear at the top of every Web page browsed through the SPX (except for the SPX-generated pages). This

Login Authorization
Account Client Networks
This operation allows the administrator to create and/or manage sourcenet restrictions for individual users. The account name parameter is case sensitive.

Group Client Networks
This operation allows the administrator to create and manage LocalDB sourcenet restrictions for a specific group of users.

MAC Address
This feature only supports browsers using ActiveX (IE) on Windows 2000 and XP editions. All MAC addresses must be current or login will fail.

Login Failure Lockout
This feature turns on LocalDB account lockout for the virtual database. When an account uses LocalDB as the authentication method and the number of failed login


navigation tool provides a convenient interface for the end user to log out, return to the portal page, or navigate to an arbitrary internal URL (the latter functionality is provided by a button on the navigation tool that expands into a URL bar). If this option is configured without the "URL bar" option, the URL bar will not be shown. Note that the navigation tool is not displayed on some older browsers (Netscape 4.X and below, IE 4.X and below). Web Resource Mapping must also be enabled for the virtual site. Note that if URL masking is enabled, the portal navtool must be enabled.

Browser Bookmarking
The SPX may remember or otherwise bookmark/tag visited pages once this feature is enabled. If a user visits a site inside or outside of the SPX controlled network, the user may set a bookmark that will be retained by the SPX. This feature also allows SPX users to continue browsing if one of the SPX machines in a cluster were to go down. The user will be asked to re-login, and after successful login the user will be presented with the HTML page they last visited. The maximum URL length that may be remembered by the SPX, and used for later redirects, is 2 KB. Web Resource Mapping must be enabled to deploy this feature.

Web Resource Mapping
When objects such as Java Applets or ActiveX objects are embedded in a web page, they may be passed parameters that are specified via the <PARAM> or <EMBED> HTML tags. These parameters may contain arbitrary values, and in some cases specify URLs or host names. Because this information (URLs or host names) is relative to the backend server from which the content was downloaded, the SPX needs to rewrite these parameters so that they are relative to the SPX. The first configuration option allows the administrator to set whether the SPX will match the exact parameter or merely a substring of the parameter. This setting will apply to all rewritten parameters for the virtual site (separate virtual sites may be set differently). The second option allows the administrator to establish a specific rule for rewriting the content and parameters. The administrator is required to set a rule value, supply the name of the HTML parameter to rewrite, and set the parameter type as either URL or host.

Rewrite Parameter Rules
This feature enables the rewrite of custom embedded object parameters. When objects such as Java Applets or ActiveX objects are embedded in a web page, they can be passed parameters that are specified via the <PARAM> or <EMBED> HTML tags. Since these URLs or host names are relative to the backend server from which the web page was downloaded, the Array SPX needs to rewrite the parameters so that they are relative to the Array SPX. The arguments for this command are:

rule_id
This value identifies a configured rule.

param_name
This value specifies a substring of the name of the HTML parameter to rewrite. The Array SPX will search for the object parameter whose name contains <param_name> as a substring, and will rewrite that parameter's value.

param_type
This value may be either "url" or "host". If "url" is specified, the HTML parameter value will be rewritten as a URL. If "host" is specified, the value of the HTML parameter will be replaced with the host name of the Array SPX virtual site.

220
2007-2011 Array Networks All Rights Reserved

WebUI Handbook

separator

This optional parameter refers to a string that specifies a list separator. In some cases, an HTML parameter value may consist of a list of URLs or host names. In this case, the Array SPX must rewrite each element of the list. The separator argument can be up to 10 characters long, and specifies how the elements of the list are separated from each other. This is an optional argument. If no separator is specified, then the HTML parameter value is assumed to be a single URL or host name. The <index> parameter allows the administrator to only rewrite certain items in a list of values that are separated by <list_separator>. This parameter is optional. If no <index> is given, then the rule will apply to all values in the list.

index
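The rewrite rules above, modelled as an added example that is not Array SPX code: the virtual-site host, the sample rules, the sample HTML, the zero-based index and the /prx/000/<scheme>/<host><path> layout (borrowed from the URL shown in the URL Filtering section) are all constructed assumptions.

```python
# Illustration of the Rewrite Parameter Rules above; added example, not
# Array SPX code. The virtual-site host, the rules, the sample HTML and
# the /prx/000/<scheme>/<host><path> layout (borrowed from the URL shown
# in the URL Filtering section) are constructed assumptions.
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

SPX_HOST = "spx.example.com"  # constructed virtual-site host name


@dataclass(frozen=True)
class RewriteRule:
    rule_id: int
    param_name: str                   # substring of the HTML parameter name
    param_type: str                   # "url" or "host"
    separator: Optional[str] = None   # up to 10 chars; None = single value
    index: Optional[int] = None       # None = rewrite every list element
                                      # (assumed zero-based here)


def rewrite_url(value: str) -> str:
    """Map an absolute backend URL onto the SPX virtual site."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return value  # relative URL: left to the Rewrite Relative URLs option
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"https://{SPX_HOST}/prx/000/{parts.scheme}/{parts.netloc}{path}"


def rewrite_value(rule: RewriteRule, value: str) -> str:
    """Apply one rule to a parameter value, honouring separator and index."""
    if rule.param_type == "url":
        convert = rewrite_url
    else:  # "host": replace the whole element with the SPX host name
        convert = lambda _item: SPX_HOST
    if rule.separator is None:
        return convert(value)
    if len(rule.separator) > 10:
        raise ValueError("separator may be at most 10 characters")
    items = value.split(rule.separator)
    for i, item in enumerate(items):
        if rule.index is None or rule.index == i:
            items[i] = convert(item)
    return rule.separator.join(items)


# Matches <PARAM>/<EMBED> tags written with name="..." before value="...".
PARAM_RE = re.compile(
    r'<(param|embed)\b([^>]*?)\bname="([^"]*)"([^>]*?)\bvalue="([^"]*)"([^>]*)>',
    re.IGNORECASE,
)


def rewrite_html(html: str, rules: Iterable[RewriteRule],
                 exact_match: bool = False) -> str:
    """Rewrite every <PARAM>/<EMBED> whose name matches a rule.

    exact_match mirrors the per-virtual-site option: compare the whole
    parameter name instead of looking for the rule's substring in it.
    """
    rules = list(rules)

    def replace(m: "re.Match[str]") -> str:
        tag, pre, name, mid, value, post = m.groups()
        for rule in rules:
            hit = (name == rule.param_name) if exact_match \
                else (rule.param_name in name)
            if hit:
                value = rewrite_value(rule, value)
                break  # first matching rule wins
        return f'<{tag}{pre}name="{name}"{mid}value="{value}"{post}>'

    return PARAM_RE.sub(replace, html)
```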

URL Mask Enabling this option causes the SPX to apply a hash to the host and path portion of URLs that it translates as rewritable content, instead of leaving the backend server and path in their original form. If the optional Mask Filename option is also selected, the SPX will mask the backend server's hostname, path, and the name of the file being requested. Note that Rewrite Relative URLs must not be disabled when URL masking is enabled for a virtual site. Note that the URL input field on the welcome page must be disabled before URL masking can be enabled. See the "portal urlbar" command. Also, note that the portal navigation tool must be enabled without a URL input field before URL masking can be enabled. See the "portal navtool" command. Wrap Event Handlers This feature allows the administrator to handle a specific situation in IE where a page contains a <script src="file.js"> tag outside the <body> section (for example, in the <head>), the page contains script (VBScript or JavaScript) which defines a function with the same name as a built-in event handler (for example, "onmouseover()"), and that function is assigned as the event handler for that event (onmouseover). In this case IE will call its built-in event handler function instead of the custom function. This results in an infinite loop, which throws a "Stack Overflow" error. Since the Array SPX WRM functionality inserts a <script src=> tag into the <head> section of all web pages (for JavaScript wrapper libraries), it is possible for the SPX to trigger this condition. Enabling this feature allows the SPX to detect this situation and wrap the call to the event handler function with an Array function that in turn calls the original function. Default is disabled.

Advanced
Disabling this feature turns URL translation for rewritable content off. When Web Resource Mapping is off, OWA (Outlook Web Access) will not work through the SPX unless this option is specifically configured. Note that when Web Resource Mapping is enabled, OWA works without special consideration. Also, Web Resource Mapping does not rewrite embedded URLs within PDF or Microsoft Office files (including Word, Excel, PowerPoint, etc.), and therefore it is recommended that relative URLs be used within these types of documents whenever possible. Rewrite URLs Enable/disable the rewriting of relative links. Default status is enabled.


Cookie Expiration Passthrough Enable/disable pass-through of expires clauses in cookies set by backend Web servers. Default status is disabled. Disabling Browser Caching This feature allows administrators to prevent browsers from storing information for the specified virtual site in the browser's cache. Enable OWA Support This feature allows a backend OWA server to be accessed through the given virtual service on the Array SPX using HTTPS. This configuration is not relevant when Web Resource Mapping is enabled. URL Property Mask WRM This feature allows the administrator to select a URL that will NOT be rewritten. Using the no version of the command returns the specified URL to the setting where it is rewritten by the SPX. It is recommended that the URL be framed in double quotes. URL Property Mask Accept Encoding Deploying this feature creates a configurable policy to disable the insertion of the Accept-Encoding header on a per-URL basis. This is used primarily for Web servers that are not compliant with the HTTP RFC standards.

Server Access
Single Sign On By enabling this option, the SPX will attempt to authenticate with backend servers using the end user's login username and password. This feature only works with backend servers that require NTLM or Basic HTTP authentication (or no authentication at all).

Insert X-Client-Cert Header This operation instructs the Array to insert an x-clientcertificate header into the request if the SSL client certificate is given. This operation works in conjunction with the SSL settings clientauth command.

Insert X-SSO-User Header This feature allows the administrator to insert an X-SSO-USER HTTP header carrying the username into every request made from the SPX to the backend server. This includes requests generated from portal pages.

Pass Session Cookie to Origin Server By default, the SPX strips its session cookie out of every request before it forwards the request to the backend server; no pass-session-cookie strategy is active. Enabling this feature causes the SPX to leave the user's session cookie in every proxied request to the backend servers.

Proxy Settings You may use the SPX to communicate with HTTP servers through a non-transparent HTTP proxy. When this feature is in use, the SPX sends all HTTP and HTTPS requests to the configured proxy, which in turn contacts the appropriate content servers (or the next proxy in the chain). When a proxy is in use, the SPX does not resolve the DNS names of backend servers. This affects the operation of the configured ACLs: if a given ACL matches the host name of a backend server but not its IP address, the SPX will not enforce the ACL when the backend server is accessed via its IP address. Suppose the content is on server "server.example.com", whose IP address is 10.1.2.3. If the administrator has configured an ACL of "0 http:server.example.com/ deny", then users will be prevented from accessing the server using its host name. When a proxy server is *not* in use, access will be denied even if users try to access the server using "10.1.2.3", because the SPX will reverse-resolve "10.1.2.3" to "server.example.com" before applying the ACLs. When a proxy is used between the SPX and the backend server, the SPX will not perform this reverse resolution, and requests for "10.1.2.3" will be allowed. The solution is to create 2 ACLs:

"0 http:server.example.com/ deny"
"1 http:10.1.2.3/ deny"

This will create the desired behavior even in the case where a proxy server is in use. Set the proxy for HTTP or HTTPS and configure the proxy IP (or name) and port. You may also set the SPX to automatically detect forward proxy settings using a script. The SPX will fetch the URL specified and execute the script for every request received by the virtual site. It will use the script results to decide which forward proxy to use. If the requested scheme has a static forward proxy defined using "server site proxy manual <scheme>", the static proxy will be used instead of the script.
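The proxy caveat above, modelled as an added example (not Array SPX code): the reverse-DNS table stands in for the SPX resolver, and the ACL strings are the two from the text.

```python
# Model of how host-name ACLs behave with and without the reverse DNS
# resolution described above. Added illustration, not Array SPX code; the
# reverse-DNS table is constructed to stand in for the SPX's resolver.

# Constructed reverse-DNS table: IP literal -> host name.
REVERSE_DNS = {"10.1.2.3": "server.example.com"}


def parse_http_acl(acl: str):
    """Parse '<priority> http:<host><path> permit|deny' into a tuple."""
    priority, target, action = acl.split()
    scheme, rest = target.split(":", 1)
    if scheme != "http" or action not in ("permit", "deny"):
        raise ValueError(f"unrecognized ACL: {acl!r}")
    host, _, path = rest.partition("/")
    return int(priority), host, "/" + path, action


def acl_decision(acls, request_host, request_path, proxy_in_use):
    """Return 'permit' or 'deny' for one request, mimicking both modes.

    Without a forward proxy the SPX reverse-resolves an IP literal to its
    host name before matching; with a proxy it does not, so only an ACL
    written against the literal IP can match an IP-based request.
    """
    if not proxy_in_use:
        request_host = REVERSE_DNS.get(request_host, request_host)
    # Lower priority value wins; the first matching ACL decides.
    for _, host, path, action in sorted(parse_http_acl(a) for a in acls):
        if request_host == host and request_path.startswith(path):
            return action
    return "permit"  # no ACL applied to this request
```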

URL Policies
URL Policies allow administrators to control what web content the SPX will serve. It is usually not desirable for clients to use the SPX to access publicly available Internet content. By setting up URL policies, administrators may ensure that the SPX is used only for its intended purpose: secure access to private content. URL Policies are matched against the URLs in all requests that the SPX receives. If a URL is classified as external according to the URL Policies, the SPX will redirect the end user's browser to the publicly available web content, instead of having to proxy the request to a backend server. The SPX also provides public URL policies. If a request URL matches a public policy, it will be proxied by the SPX without requiring a session cookie for that request. Public URL policies should be used with care, for the obvious reason that they provide unrestricted access to internal content. The common use for public URL policies is to provide public access to content embedded in custom login pages, logout pages, and error pages.
Note that it is not possible to make the default policy public.
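URL policy classification as this section describes it, written as an added example (not Array SPX code): each policy carries a priority (0 to 65535, lower value taking precedence) and a keyword matched as a substring of the request URL; the sample policies and the "login-required" outcome for an internal URL without a session cookie are constructed assumptions.

```python
# Model of URL policy classification: internal/external/public, keyword
# substring matching, lower priority value wins, default policy for
# unmatched URLs (which may not be public). Added example, not Array SPX
# code; sample policies are constructed.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class UrlPolicy:
    priority: int      # 0..65535, lower value = higher precedence
    keyword: str       # matched as a substring of the request URL
    kind: str          # "internal", "external" or "public"


def classify(policies: Iterable[UrlPolicy], url: str,
             default: str = "internal") -> str:
    """Return the kind of the highest-precedence policy matching url."""
    if default == "public":
        raise ValueError("the default policy cannot be public")
    matches = [p for p in policies if p.keyword in url]
    if not matches:
        return default
    return min(matches, key=lambda p: p.priority).kind


def handle_request(policies, url: str, has_session_cookie: bool,
                   default: str = "internal") -> str:
    """Return the SPX action for a request.

    external -> redirect the browser to the public content
    public   -> proxy without requiring a session cookie
    internal -> proxy only with a session cookie, else require login
    """
    kind = classify(policies, url, default)
    if kind == "external":
        return "redirect"
    if kind == "public" or has_session_cookie:
        return "proxy"
    return "login-required"  # constructed label for the unauthenticated case
```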

Configure the SPX to proxy requests that match the desired policy. The SPX will not require a session cookie in requests that match a "public" policy. Assign the policy's priority from 0 to 65535; the lower the value, the higher the priority. If a URL matches two policies, the matching policy with the highest precedence (lower priority value means higher precedence) will be used to determine whether the requested URL is internal, external, or public. Configure any keywords to be used to specify what URLs the policy will match. If the requested URL contains the keyword as a substring, then the policy matches.

URL Policy When the SPX receives a request for a web resource, the SPX will decide whether to proxy that request or redirect the client to an external server. The SPX will proxy requests that match an "internal" or "public" policy. It will redirect requests that match an "external" URL policy. The SPX will not require a session cookie in requests that match a "public" policy. The "urlpolicy default" command tells the SPX what to do if it receives a request that doesn't match any established policies.

precedence A value between 0 and 65535 inclusive.
keyword Sub-string from the URL.

File Access
The SPX provides secure remote access to Windows (SMB/CIFS) file servers utilizing a Web-based interface. This allows you to browse, download, upload, rename and delete files and folders from any client machine on the Internet with an SPX-compatible browser (upload/download up to 500 MB). In order to access shared Windows files, the user must have the appropriate permissions for the file server. The file server will enforce permissions based on the Windows username and password provided by the SPX. The SPX will initially assume that the Windows file server uses the same credentials that were used to log into the SPX. If the Windows file server rejects these credentials, the SPX will prompt the user for the appropriate credentials for the file server. Enable the SPX's special navigational field for end users accessing shared files through the custom portal file sharing pages. The navigational tool allows users either to use a dropdown menu populated with the configured file share links for the virtual site or to enter an arbitrary path (formatted //<server>/<service>/<path>) for CIFS links to the files.

Configure a CIFS Link The proper format for the service parameter is "//<server>/<workgroup>", where <service> is the name or IP address of a CIFS server and <workgroup/domain> is the name of a shared folder on that server. Note that the server name required is NOT necessarily the IP (DNS) hostname of the server. The name required is a NetBIOS server name, which may or may not be the same as the IP hostname of the machine running the server. On systems deploying WINS, the hostname and the NetBIOS server name must be the same. Depending on the specific requirements of the deployed fileserver, the Workgroup parameter for the SPX will have to contain either the fileserver's domain name or the fileserver's workgroup name. If the fileserver does not require the client to supply a workgroup/domain name for access, then the <workgroup> SPX parameter is optional and may be left blank.


Mail Services
The SPX can support native email clients that use SSL-based IMAP and SMTP to gain access to email via the SSL VPN. You need to configure the desired server (SMTPS or IMAPS) ports and IP address. The use of this feature requires that AAA be enabled. Assign one protocol service (IMAPS or SMTPS) from the virtual site to the backend only when the virtual site host is EXCLUSIVE. The listen port is the port used by the SPX to listen for IMAPS or SMTPS (typically IMAPS=993, SMTPS=465); server ip is the IP address of the mail server; server port is the port used by the mail server for IMAP or SMTP (typically IMAP=143 (IMAP3=220), SMTP=25). For very large deployments, you may add additional IPs to be used as sourcenets for the backend server connections. This is done by adding alias IPs via the Advanced tab.

Thin Client Support


This feature allows you to configure client modules (such as Telnet, Citrix or PubApps) to implement and handle communications from these configured modules to the proper backend servers. Define a new TCS module with internal name <module_name> and a <description> that will appear as an item on the TCS tab page. The ordering of modules is controlled by the [position] value. If [position] is not specified the module will be added to the end of the list. Executing this command again with an existing <module_name> will change the <description> and/or [link order].

TCP Application Support


The SPX provides secure remote access to legacy application servers within the network. This feature supports most fixed-port TCP applications, including common mail applications. Once configured, users may securely access applications from most Windows and recent Macintosh clients running a current Web browser (IE or Netscape) with Java support. All application data is securely transferred between the client and the SPX, and only data from clients logged into and authenticated on the SPX is accepted. The SPX secures legacy applications by running a secure TCP proxy in the form of a Java applet (the Application Manager) on the client machine. The Application Manager listens for TCP traffic from applications running on the client machine, encrypts the packets, and forwards them to the SPX over SSL connections.


You may add as many TCP services as required. Please note that each service must have a unique port per hostname; otherwise conflicts would occur on the end user's machine when they attempt to use the legacy application proxy. In order to access non-Web applications through the SPX, you must establish a network environment that allows outbound TCP connections to the SPX via the configured control port. Services with a range of server ports can be used to provide access to some dynamic-port TCP applications (e.g. passive mode FTP) with limited port ranges. However, if an application requires a large range of dynamic ports (several hundred ports or more) or requires server-initiated connections, it will be necessary to use the SPX's VPN capabilities. Use Dedicated Control Port This optional command sets the port that the legacy application proxy will use to securely tunnel TCP connections through the SPX. This port should be opened on any firewalls between the SPX and end users. Host Mapping Configure the 'local host' to be mapped, and an IP that the hostname will be mapped to. If not specified, the default value of 127.0.0.1 will be used. A host must first be configured using this command before it can be used as part of a 'clientapp service' command. In addition, a hostname can only be mapped to one IP; attempts to map the same hostname to multiple local IPs will be rejected. Services This operation allows you to specify which TCP services are made available to end users through the legacy application proxy. TCP services may only be configured for hosts mapped to local IP addresses (an IP in the form 127.0.0.X where X=1-254). You may choose to use the optional port parameters to establish a range of accepted ports. Windows Redirector Besides tunneling connections based on the configured rules (IP, EXE), Windows Redirector will also tunnel any DNS or WINS requests that the client cannot resolve natively. Requests are resolved by the SPX whenever possible and the responses are returned to the client. This allows applications to resolve and connect to hostnames on the internal network. Executable Name and MD5 Hash Value You use this option for clients running IE on Windows machines to configure an application whose traffic will all be tunneled through the SPX. To secure the application, administrators specify the executable name (for example "telnet.exe") and optionally the MD5 hash value of the exe. Specifying a hash value allows the administrator to restrict redirection to specified versions of the application, and to ensure that "telnet.exe" really is Telnet, and not a renamed hacking utility. Setting the value to "0" means to redirect all traffic from all executables with that name. IP Redirect You use this operation for clients running IE on Windows machines to configure an IP and port range whose traffic will all be tunneled through the SPX. When port ranges are used, it is advisable to limit the range of ports used by each service to 100 ports or fewer. It is recommended that the Windows redirector feature be enabled when providing access to dynamic-port TCP applications. Note that Administrator privileges on the client machine are required. The Microsoft JVM must be installed on the client machine in order to use the Array Windows Redirector.


L3VPN
When the VPN feature is activated, a VPN client is automatically installed on the client machine from a Web browser. This VPN client intercepts all network traffic destined for the internal network and securely tunnels it to the SPX. All tunnel data is protected by SSL encryption. Since all IP traffic to the destination networks is tunneled, all IP-based applications should work transparently through the tunnel, including those that use dynamic port TCP and UDP protocols, NetBIOS, or ICMP. For example, users will have transparent access to FTP, Outlook, and native Windows file sharing when connected to the VPN. Installation of the VPN client is a one-time process; the client is not removed unless explicitly uninstalled by the user.
Note: The user must have Administrator privileges on the client machine in order to initially install the VPN client. Once the VPN client has been installed, Administrator privileges are not required to launch or upgrade the client.

Autolaunch The administrator may choose to have the VPN client automatically launched upon a successful login for the specified virtual site. This feature is disabled by default.

Netpools Assign resources for the VPN (netpool name and description). For each netpool, the administrator may select either split tunneling or full tunneling. If split tunneling is selected, only traffic destined for configured, accessible network zones will be tunneled. All other traffic will continue to be routed normally, and the client will continue to have access to local network resources.

netpool_name A string to identify/specify the netpool. This string will be used as the identifier of the netpool in other CLI commands that relate to configured netpools.

split|nosplit If split is enabled, only packets whose destinations belong to a configured zone are tunneled. If split is disabled, all traffic leaving the user's machine is tunneled. Please note that with full tunneling the client will not have access to its local network.

Network Zone Administrators deploy this feature to define one or more IP subnets, or zones, to which VPN users will have access.

Dynamic IP Addresses and Ranges Assign one or more contiguous IP address ranges from those external IP addresses that may be assigned. In configurations where clustering is used, each configured dynamic IP range can optionally be associated with a particular synconfig node. IP ranges on different nodes can be the same or different. However, if a stateful failover clustering configuration in active-active mode is deployed, then administrators must configure disjoint IP ranges for each node to guarantee that unique IP addresses are assigned to the L3 VPN clients from different nodes.

IP Range DHCP Allows the administrator to deploy dynamic IP address assignment using DHCP. The <leasetime> parameter refers to the time that the allotted IP address may be used (5 minutes through 43,200 minutes (one month)). The <Request> parameter refers to the network containing the DHCP server.

Launch Command This feature allows the administrator to configure an application or other executable to be launched upon successful L3 connection. The parameter <command> is the actual command to be launched upon successful L3 connection. Double quotes are required around the command string, and the command string should contain the full path of the command and the necessary arguments. If there are spaces in the command itself or in an argument itself, please use single quotes, for example: 'c:\program files\mycompany\my command.exe' myarg1. The optional argument [stop_err] allows the administrator to specify whether L3 should abort connecting if an error happens while launching the command.

Network Pool Routing This feature configures a separate source-based route for VPN tunnel traffic, on a per-netpool basis. If the default flag is specified, the route will be used for tunnel traffic whose destination does not match a globally configured "ip route static". If the all flag is specified, all tunnel traffic for this netpool will use this route, regardless of globally configured static routes.

Windows Administrator This feature allows the user to enable or disable the creation of an L3 VPN for a restricted user. The parameters <username> and <password> refer to the Windows machine's local Admin username and password. They can be a maximum of 255 characters in length. The password will be displayed in scrambled format (not base64 though). Please note that, according to Windows convention, the username is case insensitive and the password is case sensitive; however, this will solely depend on the individual Windows system.

Inside Proxy This operation assigns a proxy to the remote client after the client has a connection to the L3VPN. This proxy setting will be applied to the IE browser via the Internet Options LAN settings. The parameter <proxy_type> can only be one of two values, "script" and "manual". The setting "script" means using an auto-configuration script; "manual" means using a manually configured proxy. When configuring "script", the parameter <proxy_server> is the URL or path of the script, for example "c:\windows\system\autorun.pac". When configuring "manual", <proxy_server> is the proxy server address and port, for example "10.1.1.1:8080"; the HTTP, HTTPS, FTP, Gopher and Socks protocols all use the same proxy server.

Access Policies Help

ACLs
The SPX controls access to Web, file and legacy application resources by enforcing restrictions defined by ACLs. When any user attempts to log into a virtual site, the SPX authenticates that user against the configured AAA server and retrieves all ACL and sourcenet attributes for any groups that the user belongs to. The SPX will enforce the ACL restrictions on web and file requests for that session, except for requests that match an external URL policy. There are two forms of the ACL: the first is for VPN and Clientapp and will be discussed below; the second pertains to HTTP traffic and Filesharing configurations and will be discussed in those sections. The SPX will accept ACLs that conform to a well-defined format. The same ACL format applies regardless of the AAA method used or the AAA server model. The format is as follows:

<priority> ip <protocol>:<host_ip>[/<netmask>][:port] [AND <virtual_site_id>] {PERMIT|DENY}

Priority This is a positive (including zero) numerical value indicating the precedence of the ACL. The lower the numeric value, the higher the ACL precedence. The first ACL that matches is used to decide whether the request will be permitted or denied.

Scheme http, tcp, file, IP, udp, gre, icmp, as well as any other IP-based protocols.

Host_IP The IP address of the host (or network) to which the ACL applies.

Netmask This specifies the netmask of the network to which the ACL applies.

Virtual_site_id This portion of the ACL is used to control which virtual site(s) the ACL is associated with. If the "AND <virtual_site_id>" portion of the ACL is omitted, or if "all" is given as the virtual name, the ACL is assumed to apply to all virtual sites defined on the SPX. Otherwise, the virtual name given in the ACL dictates which virtual site the ACL is associated with.

PERMIT Denotes that if a packet matches the ACL, the SPX will allow the packet to be processed by the backend server.

DENY Denotes that if a packet matches the ACL, the SPX will drop the packet and return an error instead of sending the packet to the backend server.

If the user's session has no ACLs that apply to a particular virtual service, the user will be allowed unrestricted access to all Web, file and TCP application resources through the virtual site. If the user's session contains one or more ACLs that are applicable to a particular virtual site and scheme, the SPX will deny access to any resources of the appropriate scheme that are not specifically permitted by the ACL. The default behavior of the SPX can be adjusted by configuring an ACL with the appropriate scheme with <host><path> of */ with the largest priority value (i.e. lowest precedence). Note that if any keyword or value in the ACL is not recognized (i.e. anything other than http, file, tcp or the other listed forms for the scheme, or a non-numeric value for the priority), the Security Manager will reject the ACL and reject the login request. This is intended to prevent security breaches in the event that DENY ACLs are incorrectly formatted. The administrator should NOT configure conflicting ACLs with the same priorities. The administrator must assign different priorities to indicate that one ACL should take precedence over another.
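A parser and evaluator for the ACL format above, added as an example (not Array SPX code): it applies the documented rules (lower priority value wins, first match decides, a scheme with ACLs denies anything not permitted, a malformed ACL rejects the whole login); the sample ACLs, the fixed protocol list and the treatment of a missing netmask as a single host are constructed assumptions.

```python
# Parser/evaluator for:
#   <priority> ip <protocol>:<host_ip>[/<netmask>][:port] [AND <site>] {PERMIT|DENY}
# Added example, not Array SPX code. Sample ACLs are constructed; a missing
# netmask is assumed to mean a single host (/32).
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Schemes named in the text; anything else is "not recognized".
PROTOCOLS = {"http", "tcp", "file", "ip", "udp", "gre", "icmp"}

ACL_RE = re.compile(
    r"^(?P<prio>\d+)\s+ip\s+(?P<proto>[a-z]+):(?P<ip>[\d.]+)"
    r"(?:/(?P<mask>[\d.]+))?(?::(?P<port>\d+))?"
    r"(?:\s+AND\s+(?P<site>\S+))?\s+(?P<action>PERMIT|DENY)$"
)


class AclError(ValueError):
    """Unrecognized ACL: the Security Manager rejects the login (fail closed)."""


@dataclass(frozen=True)
class Acl:
    priority: int
    proto: str
    network: ipaddress.IPv4Network
    port: Optional[int]
    site: str          # "all" when the AND clause is omitted
    action: str        # "PERMIT" or "DENY"


def parse_acl(text: str) -> Acl:
    """Parse one ACL line; raise AclError for anything not in the format."""
    m = ACL_RE.match(text.strip())
    if not m or m["proto"] not in PROTOCOLS:
        raise AclError(f"unrecognized ACL, login rejected: {text!r}")
    try:
        if m["mask"]:
            network = ipaddress.IPv4Network(f"{m['ip']}/{m['mask']}", strict=False)
        else:
            network = ipaddress.IPv4Network(f"{m['ip']}/32")
    except ValueError as exc:
        raise AclError(f"bad address in ACL, login rejected: {text!r}") from exc
    return Acl(int(m["prio"]), m["proto"], network,
               int(m["port"]) if m["port"] else None,
               m["site"] or "all", m["action"])


def load_session_acls(lines: Iterable[str]) -> List[Acl]:
    """Parse every ACL for a session, sorted by precedence.

    Any malformed line raises AclError, i.e. the whole login is refused
    rather than silently dropping a possibly mis-typed DENY.
    """
    return sorted((parse_acl(line) for line in lines), key=lambda a: a.priority)


def evaluate(acls: List[Acl], proto: str, dst_ip: str, dst_port: int,
             site: str) -> str:
    """Decide PERMIT/DENY for one packet against a session's sorted ACLs."""
    addr = ipaddress.IPv4Address(dst_ip)
    applicable = [a for a in acls
                  if a.proto == proto and a.site in ("all", site)]
    if not applicable:
        return "PERMIT"  # no ACLs for this scheme and site: unrestricted
    for a in applicable:  # already sorted: lowest priority value first
        if addr in a.network and (a.port is None or a.port == dst_port):
            return a.action
    return "DENY"  # ACLs exist for this scheme but none permitted the packet
```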


URL Filtering
You may set up restrictions or limitations on queries made to your network based on header length, request length, URL and query length as well as ASCII character ranges and keyword matches. All configurations can be made to respond passively or actively. Default Filtering Policy This operation allows the administrator to set the filter mode to deny by default or permit by default on the specified VIP. Filtering Mode Set the filter mode. The passive setting will allow the request to pass through the appliance while keeping a transaction record of the violation. The active setting will instruct the appliance to drop any request that violates the URL filtering protocols as configured by the user. By default, the Array is in active mode.

Email Alerts Configure the destination email address, in quotation marks, for filter-related alerts and the threshold for the number of dropped requests before issuing the alert. Length Based Configure the filter length parameters for requests coming into the network. Character Based Configure the filter character parameters for requests coming into the network. To deny specific requests based on URL character ranges (ASCII values), enter the starting and ending values. Keyword Based Configure keyword filtering. Here you may enter a word or string for the SPX to watch for, either to allow the request through to the backend or to stop the request directly. Type Based You may set up whether the filtering is integer or character-string based.

Filtering Encoded Control Characters Enable or disable the filtering of %-encoded control characters in URLs. Control characters are those in the range %00 to %1F, and %7F. For example: https://array.sp.com/prx/000/http/10.1.1.5/file%02name.html. If "filter control codes" is enabled, this request will be rejected. If "no filter control codes" is used, this request will be permitted.
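The filter checks described in this section (length limits, a denied ASCII range, keywords, %-encoded control characters, passive versus active mode) run over sample URLs as an added example, not Array SPX code; the limits, keyword and rule names are constructed.

```python
# Model of the URL filtering checks: lengths, denied ASCII ranges, keywords,
# %00-%1F / %7F control codes, and passive (log) vs active (drop) mode.
# Added example, not Array SPX code; limits, keywords and rule names are
# constructed.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# %00..%1F and %7F, in either hex case.
CONTROL_CODE_RE = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")


@dataclass
class UrlFilterConfig:
    mode: str = "active"              # "active" drops, "passive" only records
    max_header_len: int = 8192
    max_request_len: int = 16384
    max_url_len: int = 2048
    max_query_len: int = 1024
    deny_char_ranges: List[Tuple[int, int]] = field(default_factory=list)
    deny_keywords: List[str] = field(default_factory=list)
    filter_control_codes: bool = True


def find_violations(cfg: UrlFilterConfig, url: str,
                    headers: str = "", body: str = "") -> List[str]:
    """Return the names of every rule the request violates (empty = clean)."""
    found = []
    _path, _, query = url.partition("?")
    if len(headers) > cfg.max_header_len:
        found.append("header-length")
    if len(headers) + len(body) > cfg.max_request_len:
        found.append("request-length")
    if len(url) > cfg.max_url_len:
        found.append("url-length")
    if len(query) > cfg.max_query_len:
        found.append("query-length")
    for lo, hi in cfg.deny_char_ranges:  # ASCII value ranges to deny
        if any(lo <= ord(c) <= hi for c in url):
            found.append(f"char-range-{lo}-{hi}")
    for kw in cfg.deny_keywords:          # keyword-based stop rule
        if kw in url:
            found.append(f"keyword:{kw}")
    if cfg.filter_control_codes and CONTROL_CODE_RE.search(url):
        found.append("encoded-control-code")
    return found


def apply_filter(cfg: UrlFilterConfig, url: str,
                 headers: str = "", body: str = "") -> Tuple[str, List[str]]:
    """Return ('pass'|'drop', violations).

    Passive mode lets a violating request through but keeps the record;
    active mode drops it.
    """
    violations = find_violations(cfg, url, headers, body)
    if violations and cfg.mode == "active":
        return "drop", violations
    return "pass", violations
```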


Admin Tools Help

Session Management
Terminate Active Session This function allows the administrator to kill a specific session. User Lockout This feature allows you to add an individual, or individuals, to an active list of locked-out users. Any and all active sessions belonging to the locked-out user will be terminated, and no new sessions will be allowed until the specified user is removed from the locked-out list.

Monitoring
Select the desired feature to view relevant statistics concerning the SPX.

Troubleshooting
Ping
This operation generates a network connectivity echo request directed toward the specified IP address. Results will be displayed in the given table.

Traceroute
This operation allows the user to trace the route that a packet of information, or the request for that packet, travels. When the user supplies the IP address, in dotted format, the Array SPX will display the devices and network locations used to process the request for that IP address. Results will be displayed in the given table.

Name Server Lookup
This operation allows the user to verify the IP address for the given hostname. The information displayed by this command includes the server from which the data is pulled as well as the hostname and IP address. Results will be displayed in the given table.

Config Management
Running Config/Startup Config
These selections allow administrators to see the entire running configuration (or simply the startup configuration) for the desired SPX. The configuration specifics are broken out by feature.

Saved File
Allows the viewing of configuration specifics from a separate configuration file.

Backup/Load/Clear
Caution should be taken when clearing configurations from the SPX. Make certain that you only clear those configurations you wish to. These operations will clear entire configurations, not specific functions or configuration elements. If you have any questions about clearing a running or saved configuration, please contact Array Networks Customer Support. You may load and save files to and from SCP, TFTP and local file locations on your network.

231
2007-2011 Array Networks All Rights Reserved

WebUI Handbook

Appendix A: Captive Portal Setup

Change Password
To set or change enable level passwords. A password string may be up to 8 characters long. Setting the password to empty string is equivalent to having no password.

The Array SPX provides comprehensive secure remote access. However, many user intranets may still be vulnerable because access to resources from users who connect to the LAN directly is not properly secured. For example, a local visitor may gain virtually unrestricted access to sensitive resources by simply plugging a laptop into an open Ethernet port. In other instances, corporate networks have open wireless access points for on-site guests and no proper network access control solution to secure their resources.

The SPX provides remote and local secure intranet and Internet access, and controls network access for users who may already have access to the physical network. Rather than being located at the edge of the intranet, the SPX is located inside the LAN. Clients using Ethernet or wireless (WAP) hotspots are supported while the network is kept secure.

The captive portal feature (when licensed) is the ability of the SPX to automatically present the login page to unauthenticated users signing onto a wireless hotspot or a wired Ethernet network. Administrators configure the DHCP server to designate the SPX as the DNS server (the DHCP server may be an external server or the SPX's integrated DHCP server). Then configure the SPX to redirect all DNS requests arriving on a chosen DNS service to a specific virtual site for authorization and authentication. This forces any outside user to connect through the SPX regardless of the URL entered into the browser.

NOTE: For extra security, we recommend administrators filter out all outgoing traffic on their routers unless it originates from the SPX. This way, users who have not been authenticated by the SPX will not have access to Internet resources. The DNS redirect alone only steers clients that use the assigned DNS server; a client that uses a different resolver or connects by IP address is stopped only by this router filter.


NOTE: Users will be able to access WRM links, if present, but will not be able to access any Internet resources directly. If the administrator wants to provide authenticated users with Internet access, use L3 VPN.

Captive Portal may be enabled for any Exclusive or Shared Virtual Site from the Virtual Site Table. In Enable mode, the administrator can only see whether a virtual site is designated as a Captive Portal or not; the administrator must switch to Config mode to enable Captive Portal for a specific Virtual Site. The Captive Portal column only appears when the Captive Portal feature is licensed on the SPX.

Click on the Enable link corresponding to the Virtual Site to be made the Captive Portal.

The following page appears with the default selection of Internal DHCP Server. The Virtual Site name, the Name Server IP address and the Default Gateway IP address are pre-determined. The administrator must provide the IP Range and may optionally supply a Domain name. Click Save to set the specified Virtual Site as a Captive Portal that uses the Internal DHCP Server.


Notice that the Virtual Site exclusive1 shows Edit instead of Enable (in the illustration below) because that Virtual Site has already been set as a Captive Portal that uses the Internal DHCP Server. Administrators may click the Edit link to edit the configuration of the Captive Portal or to clear the Captive Portal configuration on the corresponding Virtual Site.

To edit a Captive Portal configuration, click on the Edit link in the Captive Portal column of the corresponding Virtual Site. Notice the Clear link button in the top right portion that only shows when the corresponding Virtual Site is configured as a Captive Portal. You can change a Captive Portal with Internal DHCP Server into a Captive Portal with External DHCP Server by selecting the radio button for External DHCP Server. Once selected, the input fields for IP Range Start, IP Range End and the Domain name disappear. The values for IP Range Start and IP Range End are deleted when the configuration is saved in order to change to an External DHCP Server based Captive Portal.

To clear the Captive Portal configuration for a specific Virtual Site, click on the Edit link in the Captive Portal column of the corresponding Virtual Site and click on the Clear link button. A dialogue window then notifies the user that clearing the Captive Portal configuration will also delete the associated local DNS and local DHCP settings. When the user clicks OK, the configuration for that Virtual Site is cleared and the administrator is redirected to the Virtual Site table.

If a Virtual Site was configured as an Internal DHCP Server based Captive Portal, no other Virtual Site on the same interface as the former Virtual Site can be made an Internal DHCP Server based Captive Portal. In this case, when you click the Enable link in the Captive Portal column of the Virtual Site table for a Virtual Site which lies on the same interface as the Internal DHCP Server based Captive Portal, the Internal DHCP Server radio button is disabled, so that the user can only make the Virtual Site an External DHCP Server based Captive Portal.

Editing a Captive Portal Configuration from the Local DHCP table
When the user double-clicks to edit a local DHCP entry that is associated with a Captive Portal from the Local DHCP table under the Advanced Networking menu item, a notification tells the user that the page will be redirected to the Captive Portal Configuration page for that associated local DHCP entry. The Local DHCP table also has a Captive Portal column in which the corresponding Virtual Site name is shown. When the user clicks the OK button, the Captive Portal Configuration page appears with the appropriate values pre-populated.

Editing a Captive Portal Configuration from the Local DNS table
When the user double-clicks to edit a local DNS entry that is associated with a Captive Portal from the Local DNS table under the Advanced Networking menu item, a notification tells the user that the page will be redirected to the Captive Portal Configuration page for that associated local DNS entry. The Local DNS table also has a Captive Portal column in which the corresponding Virtual Site name is shown. When the user clicks the OK button, the Captive Portal Configuration page appears with the appropriate values pre-populated.


Appendix B: QuickLink Deployment


QuickLink is a clientless access method that allows SPX users instant access to web content originating from the internal network, most often from servers that are not exposed to access from the outside. Rather than doing full content parsing and rewriting, QuickLink uses a unique hostname or a unique port to represent the backend web server. This way parsing and rewriting are greatly simplified and streamlined. When backend web content passes through the SPX, only absolute URLs that carry a hostname are rewritten to the configured unique hostname or port. This feature is a pure Web-based SSL VPN solution requiring no plug-in and no client, making QuickLink platform and browser neutral.

Consider this deployment scenario. To access the web server system hosted on the webserver1 server, users point their browsers to http://webserver1.company.com. The webserver1 server is only accessible to users who are within the company's network; it is not accessible from the Internet since it does not have a public IP address (and in most cases this is done for security reasons). QuickLink allows administrators to include a link to webserver1 on the portal page that is presented to users when accessing the virtual portal vpn.company.com (or any subsequent pages). Administrators must choose a unique fully qualified domain name or a unique port to map to webserver1.company.com. In this example, the administrator may choose vpnwebserver1.company.com to be mapped to webserver1.company.com. The link on the vpn.company.com portal page is then configured as http://vpnwebserver1.company.com. DNS needs to be configured so that vpnwebserver1.company.com resolves to the vpn.company.com virtual portal's IP address. When the user clicks that link, the request is sent to the SPX (vpn.company.com) and is mapped and forwarded to the backend server webserver1.company.com.

Some web applications may have binary objects embedded, for example an applet, Flash or ActiveX. If the binary has hard-coded relative URLs such as "/dir/file.html", QuickLink can support it; however, hard-coded absolute URLs such as http://webmail1.company.com/dir/file.html inside a binary are not supported by QuickLink.

Note: It is to be expected that QuickLink might not be able to handle certain cases due to non-standard Web programming, application security flaws, new technology, etc.; therefore it is recommended that customers test their applications with QuickLink before deploying them.

As described above, each published internal web server or resource needs its own unique hostname or port. When using a unique hostname, make sure that the hostname resolves to the SPX's virtual portal IP address. It is recommended that administrators deploy a domain wildcard certificate (or add the alternative names to the virtual portal certificate) to avoid certificate alerts. When using unique ports, firewalls must be set to allow the traffic through.
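The rewriting rule and the reverse mapping described above, as an added example in Python (not Array Networks code): absolute URLs that name a published backend are rewritten to the unique hostname or to a unique port on the portal, relative paths and foreign hosts are left untouched, and an inbound Host header is honoured only when it matches a configured mapping, so the portal never forwards to a host it was not told about. The mapping tables, the port-mode resource webmail1.company.com on port 8443 and the sample HTML are constructed for the illustration.

```python
"""QuickLink-style hostname/port rewriting.

Added example, not Array Networks code. Shows the rewrite rule described
above: only absolute URLs naming a published backend host are rewritten
to the configured unique hostname (or unique port on the portal); relative
paths and foreign hosts are left alone. The mapping tables, the port-mode
resource webmail1 and the sample HTML are constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "vpn.company.com"

# Hostname mode: backend host -> unique published hostname (must resolve to the portal IP).
HOST_MAP = {"webserver1.company.com": "vpnwebserver1.company.com"}

# Port mode (hypothetical resource): backend host -> unique port on the portal hostname.
PORT_MAP = {"webmail1.company.com": 8443}

_ABS_URL = re.compile(r"""https?://[^\s"'<>()]+""")


def rewrite_url(url: str) -> str:
    """Rewrite one URL; returns it unchanged unless it names a published backend."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in HOST_MAP:
        netloc = HOST_MAP[host]
    elif host in PORT_MAP:
        netloc = f"{PORTAL_HOST}:{PORT_MAP[host]}"
    else:
        return url  # relative path, or a host that is not published
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_content(text: str) -> str:
    """Rewrite every absolute URL found in textual content (HTML, CSS, JS).

    Binary objects (applets, Flash, ActiveX) never reach this function as
    text, which is why a hard-coded absolute URL inside them stays unrewritten.
    """
    return _ABS_URL.sub(lambda m: rewrite_url(m.group(0)), text)


def backend_for(host_header: str) -> Optional[str]:
    """Reverse lookup on an inbound request: which backend does this Host select?

    Only configured mappings are honoured; anything else returns None so the
    caller rejects the request rather than proxying to an arbitrary host.
    """
    host, _, port = host_header.lower().partition(":")
    for backend, published in HOST_MAP.items():
        if host == published:
            return backend
    if host == PORTAL_HOST and port.isdigit():
        for backend, published_port in PORT_MAP.items():
            if int(port) == published_port:
                return backend
    return None


# Constructed sample page as it would be served by webserver1.
SAMPLE_HTML = """<a href="http://webserver1.company.com/reports/index.html?q=1#top">Reports</a>
<img src="/images/logo.png">
<a href="http://webmail1.company.com/owa/">Mail</a>
<a href="http://www.example.org/">External</a>"""

if __name__ == "__main__":
    print(rewrite_content(SAMPLE_HTML))
    print(backend_for("vpnwebserver1.company.com"), backend_for("evil.example.net"))
```

Note that the hostname comparison drops any port the backend URL carried, so a backend published on a non-default port needs its own entry; and because the rewrite is purely textual, a URL assembled at runtime by script is not seen here, which matches the caveat in the note above about testing applications before deployment.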


Supported features with QuickLink include:
- ACL support
- SSO
- Client-Auth
- Authentication
- HTTP Client Certfield
- Custom Rewrite
- Bookmarking
- Portal Theme Configuration
- SharePoint (the session cookie expiry needs to be configured)

WebUI Configuration
Make certain you are in Configure Mode for the desired virtual portal and have selected Web Access. Click on the second tab, QuickLink. On this first page there are two sortable tables of existing configured links and aliases (if applicable). To edit any existing link or alias, simply double-click on the desired entry. To add a new QuickLink resource, click on the Add link.

To add a new resource, select the "Add a new one" radio button. Name the resource (Resource ID). Set the Mode to either Hostname or Port. If using the Hostname mode, supply the actual hostname, URL path, a description of the resource and the link position (for example, a link position of 1 puts that resource at the top of the list). If using the Port mode, supply the actual port, URL path, a description of the resource and the link position in the same way. If no link position is specified, the resources are listed in the order they were configured.

Click on the desired finishing link (Cancel, Save & Add Another or Save) when complete.


Appendix C: Syslog Messages


Accounting is provided by the SPX's logging subsystem, which logs relevant access and security events to an external syslog server. The events logged by the SPX include, but are not limited to, the following:
- Successful logins and logouts
- Authentication failures
- HTTP requests with requested URLs
- Authorization failures for Web requests
- Connections to TCP application servers

Access and security events are logged in WELF format, described below. Other events, including configuration changes, warnings, and errors, are logged in a different format.

Log Level Conventions
Log levels are generally assigned to log entries in conformance with the following conventions:

EMERG: Hardware failures

CRIT: System-wide software failures

ERROR: Non-system-wide software failures affecting multiple users
1. This may include configuration, server, network, or internal problems
2. E.g. virtual site unable to start, name server unavailable, AAA server unavailable

NOTICE: Administrator actions, and failures and errors involving individual requests
1. Administrator logins and configuration changes
2. Authentication failures (AAA and SSL client certificate verification)
3. Authorization failures (ACLs and backend file servers)
4. URL filtering hits
5. Traffic denied by Webwall
6. Bad HTTP requests and responses
7. Name resolution failures

INFO: Normal system usage
1. Successful logins, successful logouts, and session timeouts
2. Successful requests and connections

DEBUG: Troubleshooting information used for debugging by Array engineers only.


Audit Logs
All accesses to internal network resources through the Array SPX are logged. A single log entry is generated for each attempted access to the internal network resources. These log entries conform to the WebTrends Extended Log Format (WELF), which includes the following fields:

id       Array SPX
time     Time of event
fw       Hostname of the Array SPX
pri      Log level
vpn      Virtual site ID
user     Username for the user generating the event
proto    Network protocol (HTTP, File, TCP, GRE, UDP or ICMP)
src      IP address of the host that sent the request
dst      IP address of the server that sent the response
msg      Description of event

Example: id=Array SPX time=2003-10-20 05:17:22 fw=shakedown pri=6 vpn=example.com user=arraymann src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
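The WELF line above, parsed as an added example in Python (not Array Networks code). The parser has to cope with unquoted values that contain spaces (id=Array SPX, time=2003-10-20 05:17:22), so a value runs until the next whitespace-separated key= token unless it is quoted; the parsed records are then run through a small detection rule that flags a source address with repeated authentication failures. The first sample line is the handbook's own example; the other three lines, the failure threshold and the syslog priority names are constructed here.

```python
"""Parse WELF audit-log lines and flag repeated authentication failures.

Added example, not Array Networks code. The first SAMPLE_LOG line is the
handbook's own example; the remaining lines are constructed here. The
failure threshold and the syslog priority names are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# key=value pairs; a value runs until the next " key=" token unless quoted.
# Unquoted values may contain spaces (id=Array SPX, time=2003-10-20 05:17:22).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(.*?))(?=\s+\w+=|\s*$)')

# Syslog priority numbers as carried in the pri field.
PRI_NAMES = {0: "EMERG", 1: "ALERT", 2: "CRIT", 3: "ERROR",
             4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}

SAMPLE_LOG = """\
id=Array SPX time=2003-10-20 05:17:22 fw=shakedown pri=6 vpn=example.com user=arraymann src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:17:40 fw=shakedown pri=5 vpn=example.com user=admin src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:18:03 fw=shakedown pri=5 vpn=example.com user=root src=10.10.0.96 type=vpn msg="Authentication failed - credentials rejected"
id=Array SPX time=2003-10-20 05:18:30 fw=shakedown pri=6 vpn=example.com user=jdoe proto=HTTP src=10.10.0.97 dst=10.1.1.5 dstname=intranet arg=/hr/index.html op=GET result=200 rcvd=512 sent=4096 type=web msg="Request succeeded"
"""


def parse_welf(line: str) -> dict:
    """Return the key/value fields of one WELF line as a dict."""
    fields = {}
    for m in _FIELD.finditer(line.strip()):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log excerpt."""
    return [parse_welf(line) for line in text.splitlines() if line.strip()]


def event_time(rec: dict) -> datetime:
    """The time field as a datetime (format as in the handbook example)."""
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def level_name(rec: dict) -> str:
    """Symbolic syslog level for the numeric pri field."""
    return PRI_NAMES.get(int(rec.get("pri", -1)), "UNKNOWN")


def failed_auth_sources(records: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` authentication failures."""
    counts = Counter(r["src"] for r in records
                     if r.get("msg", "").startswith("Authentication failed"))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(event_time(r), level_name(r), r.get("user"), r.get("src"), r.get("msg"))
    print("repeated authentication failures:", failed_auth_sources(recs))
```

An unquoted value that itself contains a " word=" sequence would be split at that point; only msg is quoted in the format, which is why the parser keys off whitespace followed by key= rather than off every equals sign (arg=/x?a=b stays intact).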

The remaining WELF fields are:

dstname  Host name of the server that sent the response
arg      URL or file path of the request
op       HTTP or file access method
result   HTTP or file access result code
rcvd     Number of bytes received from the server that handled the request
sent     Number of bytes sent to the server that handled the request
type     Type of event

Appendix D: The Array Pilot

Administrators have a choice as to which graphical interface to use to deploy certain features on the SPX. Though not all features are available on the Array Pilot, some features (such as DesktopDirect) are specifically designed to be configured from the Array Pilot.

First Time Boot with DesktopDirect Licensed
The first time the SPX is booted or restarted after upgrading to 8.4.4.1 or later, and DesktopDirect is a licensed feature, the boot sequence prompts you with a message asking if you want to proceed to the Traditional Management Interface or to the Array Pilot.


If you choose to proceed to the Array Pilot, the SPX prompts you whether you'd prefer to have the Array Pilot be the default WebUI each time you log in. Selecting OK sets the Array Pilot as the default, whereas selecting Cancel still directs you to the Array Pilot for the active session; the next time you log in you will be taken to the Traditional Management Interface.

Switching from Array Pilot to Traditional Management Interface
To exit the Array Pilot and return to the traditional management interface is a five-step process.
(1) Use the Options Selector to access the Troubleshooting Tools page.
(2) Select the Virtual Console tab.
(3) Click the Go to Advanced Management mode link at the bottom of the page.
(4) When prompted, "Are you sure you want to go to Advanced Management?", click OK.
(5) The SPX prompts you as to whether or not you would like to save the Advanced Management as your default WebUI. By selecting Cancel or closing the dialogue box, you will be switched to the Advanced Management/Traditional Management Interface for this session only.

Switching from Traditional Management Interface to the Array Pilot
When users wish to leave the traditional management interface, for example to configure DesktopDirect, simply click on the Go to Array Pilot link on the global configuration home page. Once you have made this selection, the SPX prompts you as to whether or not you would like to save the Array Pilot as your default WebUI. By selecting Cancel or closing the dialogue box, you will be switched to the Array Pilot for this session only.

Appendix E: HardwareID Authorization

This feature instructs the SPX to authorize users based on the MAC address (one client machine may have multiple MAC addresses assigned to it) or on the MAC address and hard drive ID (together forming the MachineID). Instead of being based on virtual sites, HardwareID-based authorization is group based. For example, administrators can disable HardwareID for some groups while enabling it for others. In normal cases, a HardwareID is mapped to an individual user (within a group). However, sometimes administrators may need to map a HardwareID to an entire group. This is called aggregation. If a user belongs to or is mapped to multiple LocalDB groups, each group is checked separately. If any group passes the check, the HardwareID authentication succeeds for that user.

Administrators must first define the rules that the users/accounts will be checked against for authorization, and then assign the desired rule to the appropriate account/user. Multiple attributes (such as MAC address or MachineID) may be entered individually, creating a rule of only one attribute each for the account to match, or multiple attributes may be tied together in a single string, forcing the account to match all attributes as a single rule.

For MAC authorization, the SPX tries to find a match between the MAC address list from the client and the administrator-approved MAC address list. If a match exists, the authorization is successful. For MachineID authorization, the SPX tries to find a match between the MachineID from the client and the approved MachineID list. If a match exists, the authorization is successful.
To access these pages, make sure you are in the virtual portal configuration pages and in Config mode. Click on the Login Authorization feature link and select the Hardware ID tab.

From this page you may enable the HardwareID feature, set the administrator email address, set the limit for how many machines a client may use, and manage individual groups.

By selecting the Authorization Requests sub-tab, you manage individual users, approving or denying their access requests or assigning a single MachineID to an entire group.
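The matching rules of Appendix E, as an added example in Python (not Array Networks code): a rule holds one attribute, which matches on its own, or several attributes tied together, which must all match; rules are mapped to a user within a group or, by aggregation, to the whole group; each group the user belongs to is checked separately and one passing group is enough. Treating a group with HardwareID disabled as passing, the MachineID string format and the MAC normalisation are assumptions, and every user, group and identifier is constructed. Because the MAC list and the MachineID are reported by the client, this check ties a session to an enrolled device as an additional authorization step; it does not replace user authentication.

```python
"""Group-based HardwareID authorization check.

Added example, not Array Networks code. Models the matching described in
Appendix E: a rule holds one attribute (any one match suffices) or several
attributes tied together (all must match); rules are mapped to a user within
a group or, by aggregation, to the whole group; every group a user belongs
to is checked separately and one passing group is enough. Treating a group
with HardwareID disabled as passing, and the MachineID string format, are
assumptions; all users, groups and identifiers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def norm_mac(mac: str) -> str:
    """Canonical MAC form so 00-1A-2B-3C-4D-5E and 00:1a:2b:3c:4d:5e compare equal."""
    return mac.lower().replace("-", "").replace(":", "").replace(".", "")


@dataclass(frozen=True)
class Rule:
    """One or more attributes (normalised MAC addresses or MachineIDs)."""
    attributes: Tuple[str, ...]

    def matches(self, client_attrs: set) -> bool:
        # A single-attribute rule matches on that attribute; a multi-attribute
        # rule (attributes tied into one string by the administrator) needs all.
        # An empty rule never matches, so a misconfigured rule cannot admit everyone.
        return bool(self.attributes) and all(a in client_attrs for a in self.attributes)


@dataclass
class Group:
    enabled: bool = True  # HardwareID enforced for this group
    user_rules: Dict[str, List[Rule]] = field(default_factory=dict)
    group_rules: List[Rule] = field(default_factory=list)  # aggregation: applies to all members


@dataclass
class Client:
    macs: List[str]   # a machine may report several MAC addresses
    machine_id: str   # MAC + hard drive ID as one string (format assumed)

    def attributes(self) -> set:
        return {norm_mac(m) for m in self.macs} | {self.machine_id}


def group_passes(group: Group, user: str, client: Client) -> bool:
    """Check one group: the user's own rules plus any aggregated group rules."""
    if not group.enabled:
        return True  # assumption: no check for groups with HardwareID disabled
    attrs = client.attributes()
    rules = group.user_rules.get(user, []) + group.group_rules
    return any(rule.matches(attrs) for rule in rules)


def authorize(user: str, groups: Dict[str, Group], membership: Dict[str, List[str]],
              client: Client) -> bool:
    """Each of the user's groups is checked separately; any passing group suffices."""
    return any(group_passes(groups[g], user, client)
               for g in membership.get(user, []) if g in groups)


# Constructed directory; approved MACs are normalised the same way client MACs are.
GROUPS = {
    "sales": Group(user_rules={
        "alice": [Rule((norm_mac("00:1A:2B:3C:4D:5E"),))],                       # single attribute
        "bob":   [Rule((norm_mac("00:1A:2B:3C:4D:60"), "MID-bob-hdd-7788"))],   # both required
    }),
    "kiosk": Group(group_rules=[Rule(("MID-kiosk-0001",))]),  # aggregated to the group
    "guests": Group(enabled=False),
}
MEMBERSHIP = {"alice": ["sales"], "bob": ["sales"], "carol": ["sales", "kiosk"], "dave": ["guests"]}

if __name__ == "__main__":
    laptop = Client(macs=["00-1a-2b-3c-4d-5e", "02:00:00:00:00:01"], machine_id="MID-alice-hdd-1")
    print("alice:", authorize("alice", GROUPS, MEMBERSHIP, laptop))
    print("mallory:", authorize("mallory", GROUPS, MEMBERSHIP, laptop))
```

The two-attribute rule for bob shows the difference between entering attributes individually and tying them into one string: a client that presents the approved MAC but a different hard drive ID fails the tied rule, whereas two separate single-attribute rules would have admitted it on the MAC alone.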


Supported Browsers
The original support matrix lists operating systems against browsers; the per-cell support marks (Y) did not survive extraction and are omitted here.

Operating systems: WinXP (32-bit), Vista (32-bit), Win7 (32-bit), Win7 (64-bit), Win2003 (32-bit), MacOS 10.4, MacOS 10.5, MacOS 10.6 (32-bit), MacOS 10.6 (64-bit), RedHat, SUSE, Fedora, Ubuntu, RedHat (64-bit), Fedora (64-bit), SUSE (64-bit), Ubuntu (64-bit)

Browsers: IE 6, IE 7, IE 8, Firefox 3.6, Safari, Standalone
