CacheGuard-OS
User's Guide - Version UF-2.0.2


The Network

The first configuration to make on a CacheGuard is to set its IP addresses. The initial network settings are made using the console port. At the first login (via the console port), a command named setup is automatically executed and allows you to configure the IP addresses.

Network interfaces

With CacheGuard, the network is divided into 3 zones: the internal, the external and the auxiliary zones. The external zone should be considered an untrusted zone (the internet). The internal zone is where the users and servers to protect should be placed. You can use the auxiliary zone as you see fit (for instance as a DMZ or a Back Office zone).

CacheGuard is connected to each zone via a distinct logical interface, so CacheGuard has 3 network interfaces: the "internal", the "external" and the "auxiliary" interfaces. Internal users or servers access the internet via the internal interface, while the appliance uses its external interface to connect to the internet. In reverse mode Each logical network interface should be associated with at least one physical network interface.

The command "link bond" allows you to associate a physical network interface with a logical network interface. When more than one physical network interface is associated with a logical network interface, a link aggregation (or bonding) is made in active/backup mode - see the High Availability section for further information on link bonding.

802.1q VLAN

VLANs allow you to increase the security of a network by isolating each type of traffic (Web, reverse Web, administration...) carried on the same physical network interface in a separate virtual LAN. When using VLANs, a pseudo virtual network interface is implicitly defined for each defined VLAN.

To use VLANs, you have to activate virtual networking with the command "mode vlan on" and configure VLANs with the command "vlan". VLANs are only defined for the internal network interface. Note that when using VLANs, the real internal network interface (i.e. "internal") is no longer available and you should configure each pseudo network interface associated with a defined VLAN using the command "ip". The right syntax to use is "ip internal.<vlan-tag> <ip-address> <network-mask>".

IP addresses

To set the internal IP address, use the command "ip" followed by the keyword "internal", the desired IP address and the network mask. To set the external IP address, use the command "ip" followed by the keyword "extern", the desired IP address and the network mask. For instance, to set the internal IP address to 10.20.0.254 / 255.255.0.0 and the external IP address to 192.168.1.254 / 255.255.255.0, use the following commands:

IP Routes

To route Web requests to the internet, the appliance needs a default IP route. The gateway to use for the default route is usually your internet router. To set the default route, use the following commands:

Web users located physically on the network connected to the appliance do not require a route definition to communicate with the appliance as long as they use the appliance as a Web proxy. If the appliance is used as an internet gateway, end users should configure the appliance as their default gateway. To reach computers and network equipment that are not physically connected to the appliance, static routes should be defined on the appliance.

Note that an access policy can be installed on the appliance. By default, all clients coming from the internal interface are allowed to connect to the appliance (see Security & Access Management).

Domain Name Servers

To connect to the Web, the appliance needs to translate domain names into IP addresses. To do that, it may use its internal Domain Name Server (DNS) or an external DNS. To activate the internal DNS, use the following commands:

To use an external DNS, replace the loopback device address (127.0.0.1) with the IP address of your external DNS. Note that several DNSs may be defined and combined with the internal DNS.

A default domain name may be defined on the appliance. This domain name is appended to the relative name (a name without a dot) of a machine entered in a Web browser. To define a default domain name, use the command "domainname" followed by the desired domain name.

When managing several remote appliances, it is useful to identify each appliance by its hostname. To define a hostname, use the command "hostname". The hostname is displayed in the prompt when logging in via SSH or the console port. It is also displayed in the header of the Web administration GUI.

DHCP Server

The appliance integrates an easy-to-use DHCP server. To activate the DHCP server, set the DHCP server mode to on and add at least one IP address range. The following commands activate the integrated DHCP server and configure it to deliver IP addresses between 10.0.10.100 and 10.0.10.200:

Note that the DHCP server supports a limited number of IP address leases. The maximum number of supported IP address leases is the number of users configured during the installation phase.
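As an added example (not part of this guide or of the CacheGuard product), the following Python check applies the rules stated in the VLAN, IP addresses and DHCP server sections to a constructed zone plan: "internal" cannot coexist with "internal.<vlan-tag>" sub-interfaces, each address must be a usable host address, the zones' subnets must not overlap, and a DHCP lease range must lie inside one internal subnet without covering the appliance's own address. The only appliance syntax it emits is the "ip <interface> <address> <mask>" command quoted above; the plan values and the VLAN tags 10 and 20 are assumptions, and the DHCP command itself is not reproduced because the page does not show it.

```python
import ipaddress

# Constructed example plan, not taken from a real deployment. Interface names follow
# the guide's syntax: "extern", and "internal.<vlan-tag>" once "mode vlan on" is set.
PLAN = {
    "extern": ("192.168.1.254", "255.255.255.0"),
    "internal.10": ("10.20.0.254", "255.255.0.0"),    # hypothetical VLAN 10: users
    "internal.20": ("10.30.0.254", "255.255.255.0"),  # hypothetical VLAN 20: servers
}


def build_ip_commands(plan):
    """Validate a zone plan and return the 'ip <iface> <addr> <mask>' commands.

    Raises ValueError if 'internal' is mixed with VLAN sub-interfaces, a VLAN tag is
    out of range, an address is a network/broadcast address, or two zones overlap.
    """
    vlan_ifaces = [i for i in plan if i.startswith("internal.")]
    if vlan_ifaces and "internal" in plan:
        raise ValueError("'internal' is no longer available once VLANs are defined")
    nets = {}
    for iface, (addr, mask) in plan.items():
        if iface in vlan_ifaces and not 1 <= int(iface.split(".", 1)[1]) <= 4094:
            raise ValueError(f"{iface}: VLAN tag must be in 1..4094")
        intf = ipaddress.IPv4Interface(f"{addr}/{mask}")
        net = intf.network
        if net.prefixlen < 31 and intf.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{iface}: {addr} is the network or broadcast address of {net}")
        for other, other_net in nets.items():
            if net.overlaps(other_net):  # overlapping zones defeat the zone separation
                raise ValueError(f"{iface} ({net}) overlaps {other} ({other_net})")
        nets[iface] = net
    return [f"ip {iface} {addr} {mask}" for iface, (addr, mask) in plan.items()]


def dhcp_range_zone(plan, first, last):
    """Return the internal-side interface whose subnet contains the whole DHCP range
    without the appliance's own address, or None if no zone fits (assumption: leases
    are only meaningful on internal zones, so 'extern' is skipped)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        return None
    for iface, (addr, mask) in plan.items():
        if iface == "extern":
            continue
        intf = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if lo in intf.network and hi in intf.network and not lo <= intf.ip <= hi:
            return iface
    return None
```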