Lancom Systems 1781A 62012 User Manual

Product code
62012
LANCOM 1781A
Scope of features: as of LCOS version 8.5x
VPN
IPSec over HTTPS
Enables IPsec VPN based on TCP (at port 443 like HTTPS) which can go through firewalls in networks where e.g. port 500 for IKE is blocked. Suitable for client-to-site connections (with LANCOM Advanced VPN Client 2.22 or later) and site-to-site connections (LANCOM VPN gateways or routers with LCOS 8.0 or later). IPSec over HTTPS is based on the NCP VPN Path Finder technology
Number of VPN tunnels
5 IPSec connections active simultaneously (25 with VPN-25 Option), unlimited configurable connections. Configuration of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN. Max. total sum of concurrently active IPSec and PPTP tunnels: 5 (25 with VPN-25 Option)
Hardware accelerator
Integrated hardware accelerator for 3DES/AES encryption and decryption
Realtime clock
Integrated buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any case
Random number generator
Generates real random numbers in hardware, e.g. for improved key generation for certificates immediately after switching on
1-Click-VPN Client assistant
One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced VPN Client
1-Click-VPN Site-to-Site
Creation of VPN connections between LANCOM routers via drag and drop in LANconfig
IKE
IPSec key exchange with Preshared Key or certificate
Certificates
X.509 digital multi-level certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via HTTPS interface and LANconfig. Simultaneous support of multiple certification authorities with the management of up to nine parallel certificate hierarchies as containers (VPN-1 to VPN-9). Simplified addressing of individual certificates by the hierarchy's container name (VPN-1 to VPN-9). Wildcards for certificate checks of parts of the identity in the subject. Secure Key Storage protects a private key (PKCS#12) from theft
Certificate rollout
Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) per certificate hierarchy
Certificate revocation lists (CRL)
CRL retrieval via HTTP per certificate hierarchy
OCSP Client
Checks X.509 certificates in real time using OCSP (Online Certificate Status Protocol) as an alternative to CRLs
XAUTH
XAUTH client for registering LANCOM routers and access points at XAUTH servers incl. IKE-config mode. XAUTH server enables clients to register via XAUTH at LANCOM routers. Connection of the XAUTH server to RADIUS servers provides the central authentication of VPN access with user name and password. Authentication of VPN-client access via XAUTH and RADIUS connection additionally by OTP token
RAS user template
Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry
Proadaptive VPN
Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site connections. Propagation of dynamically learned routes via RIPv2 if required
Algorithms
3DES (168 bit), AES (128, 192 or 256 bit), Blowfish (128 bit), RSA (128 or -448 bit) and CAST (128 bit). OpenSSL implementation with FIPS-140 certified algorithms. MD-5 or SHA-1 hashes
NAT-Traversal
NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough
IPCOMP
VPN data compression based on Deflate compression for higher IPSec throughput on low-bandwidth connections (must be supported by remote endpoint)
LANCOM Dynamic VPN
Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via ISDN B- or D-channel or with the ICMP or UDP protocol in encrypted form. Dynamic dial-in for remote sites via connection template
Dynamic DNS
Enables the registration of IP addresses with a Dynamic DNS provider in the case that fixed IP addresses are not used for the VPN connection
Specific DNS forwarding
DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DNS servers in the VPN. External names are translated by Internet DNS servers
Content Filter (optional)
Demo version
Activate the 30-day trial version after free registration under http://www.lancom.eu/routeroptions
URL filter database/rating server
Worldwide, redundant rating servers from IBM Security Solutions for querying URL classifications. Database with over 100 million entries covering about 10 billion web pages. Web crawlers automatically search and classify web sites to provide nearly 150,000 updates per day: They use text classification by optical character recognition, key word searches, classification by word frequency and combinations, web-site comparison of text, images and page elements, object recognition of special characters, symbols, trademarks and prohibited images, recognition of pornography and nudity by analyzing the concentration of skin tones in images, by structure and link analysis, by malware detection in binary files and installation packages
HTTPS filter
Additional filtering of HTTPS requests with separate firewall entries
Categories/category profiles
Filter rules can be defined in each profile by collecting category profiles from 58 categories, for example to restrict Internet access to business purposes only (limiting private use) or by providing protection from content that is harmful to minors or hazardous content (e.g. malware sites). Clearly structured selection due to the grouping of similar categories. Content for each category can be allowed, blocked, or released by override
Override
Each category can be given an optional manual override that allows the user to access blocked content on a case-by-case basis. The override operates for a limited time period by blocking the category or domain, or a combination of both. Optional notification of the administrator in case of overrides
Black-/whitelist
Lists that are manually configured to explicitly allow (whitelist) or block (blacklist) web sites for each profile, independent of the rating server. Wildcards can be used when defining groups of pages or for filtering sub pages
Profiles
Timeframes, blacklists, whitelists and categories are collected into profiles that can be activated separately for content-filter actions. A default profile with standard settings blocks racist, pornographic, criminal, and extremist content as well as anonymous proxies, weapons/military, drugs, SPAM and malware