
Product Guide

Fail-Open Unit®
for McAfee Secure Gateway Appliances

McAfee®

Network Protection
Industry-leading intrusion prevention solutions
COPYRIGHT
Copyright © 2006 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means
without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N),
ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION
PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS,
NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS
DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are
registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of
McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE
ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE
AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH
IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR
A FULL REFUND.

Attributions
This product includes or may include:
• Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). • Cryptographic software written by Eric A. Young and
software written by Tim J. Hudson. • Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other
similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access
to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source
code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software
licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights
shall take precedence over the rights and restrictions herein. • Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
• Software originally written by Robert Nordier, Copyright © 1996-7 Robert Nordier. • Software written by Douglas W. Sauder. • Software developed by the Apache
Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
• International Components for Unicode ("ICU") Copyright ©1995-2002 International Business Machines Corporation and others. • Software developed by
CrystalClear Software, Inc., Copyright ©2000 CrystalClear Software, Inc. • FEAD Optimizer technology, Copyright Netopsystems AG, Berlin, Germany. • Outside
In Viewer Technology ©1992-2001 Stellent Chicago, Inc. and/or Outside In HTML Export, © 2001 Stellent Chicago, Inc. • Software copyrighted by Thai Open
Source Software Center Ltd. and Clark Cooper, © 1998, 1999, 2000. • Software copyrighted by Expat maintainers. • Software copyrighted by The Regents of the
University of California, © 1996, 1989, 1998-2000. • Software copyrighted by Gunnar Ritter. • Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle,
Santa Clara, California 95054, U.S.A., © 2003. • Software copyrighted by Gisle Aas. © 1995-2003. • Software copyrighted by Michael A. Chase, © 1999-2000.
• Software copyrighted by Neil Winton, ©1995-1996. • Software copyrighted by RSA Data Security, Inc., © 1990-1992. • Software copyrighted by Sean M. Burke,
© 1999, 2000. • Software copyrighted by Martijn Koster, © 1995. • Software copyrighted by Brad Appleton, © 1996-1999. • Software copyrighted by Michael G.
Schwern, ©2001. • Software copyrighted by Graham Barr, © 1998. • Software copyrighted by Larry Wall and Clark Cooper, © 1998-2000. • Software copyrighted
by Frodo Looijaard, © 1997. • Software copyrighted by the Python Software Foundation, Copyright © 2001, 2002, 2003. A copy of the license agreement for this
software can be found at www.python.org. • Software copyrighted by Beman Dawes, © 1994-1999, 2002. • Software written by Andrew Lumsdaine, Lie-Quan Lee,
Jeremy G. Siek © 1997-2000 University of Notre Dame. • Software copyrighted by Simone Bordet & Marco Cravero, © 2002. • Software copyrighted by Stephen
Purcell, © 2001. • Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/). • Software copyrighted by International Business
Machines Corporation and others, © 1995-2003. • Software developed by the University of California, Berkeley and its contributors. • Software developed by Ralf
S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/). • Software copyrighted by Kevlin Henney, © 2000-2002. • Software
copyrighted by Peter Dimov and Multi Media Ltd. © 2001, 2002. • Software copyrighted by David Abrahams, © 2001, 2002. See
http://www.boost.org/libs/bind/bind.html for documentation. • Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, © 2000.
• Software copyrighted by Boost.org, © 1999-2002. • Software copyrighted by Nicolai M. Josuttis, © 1999. • Software copyrighted by Jeremy Siek, © 1999-2001.
• Software copyrighted by Daryle Walker, © 2001. • Software copyrighted by Chuck Allison and Jeremy Siek, © 2001, 2002. • Software copyrighted by Samuel
Krempp, © 2001. See http://www.boost.org for updates, documentation, and revision history. • Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), © 2001,
2002. • Software copyrighted by Cadenza New Zealand Ltd., © 2000. • Software copyrighted by Jens Maurer, ©2000, 2001. • Software copyrighted by Jaakko Järvi
(jaakko.jarvi@cs.utu.fi), ©1999, 2000. • Software copyrighted by Ronald Garcia, © 2002. • Software copyrighted by David Abrahams, Jeremy Siek, and Daryle
Walker, ©1999-2001. • Software copyrighted by Stephen Cleary (shammah@voyager.net), ©2000. • Software copyrighted by Housemarque Oy
<http://www.housemarque.com>, © 2001. • Software copyrighted by Paul Moore, © 1999. • Software copyrighted by Dr. John Maddock, © 1998-2002. • Software
copyrighted by Greg Colvin and Beman Dawes, © 1998, 1999. • Software copyrighted by Peter Dimov, © 2001, 2002. • Software copyrighted by Jeremy Siek and
John R. Bandela, © 2001. • Software copyrighted by Joerg Walter and Mathias Koch, © 2000-2002. • Software copyrighted by Carnegie Mellon University © 1989,
1991, 1992. • Software copyrighted by Cambridge Broadband Ltd., © 2001-2003. • Software copyrighted by Sparta, Inc., © 2003-2004. • Software copyrighted by
Cisco, Inc. and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. • Software copyrighted by Simon Josefsson, © 2003.
• Software copyrighted by Thomas Jacob, © 2003-2004. • Software copyrighted by Advanced Software Engineering Limited, © 2004. • Software copyrighted by
Todd C. Miller, © 1998. • Software copyrighted by The Regents of the University of California, © 1990, 1993, with code derived from software contributed to
Berkeley by Chris Torek.

PATENT INFORMATION
Protected by US Patents 6,496,875; 6,499,109; 6,513,122; 6,668,289; 6,728,885; 6,732,157; 6,772,345.

Issued June 2006 / Fail-Open Unit


DBN-013-EN
Contents

1 Introducing the Fail-Open Unit 7


Product features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Detecting appliance failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Getting product information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Additional documentation for the appliance . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Contact information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2 Installing the Fail-Open Unit 15


Checking the contents of the box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Mounting the unit in a rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Preparing for cable connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Rear view of the Fail-Open Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Front view of the Fail-Open Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Rear view of the appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Connecting the Fail-Open Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Testing the Fail-Open Unit 21


Understanding the indicators on the unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Testing the Fail-Open Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Further testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring the unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Changing settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Frequently Asked Questions 27

5
Fail-Open Unit Product Guide Contents

1 Introducing the Fail-Open Unit

The Fail-Open Unit enables your network to continue operating if your appliance fails.
The unit is intended for use with a Secure Gateway appliance that is operating in
Transparent Bridge mode.

This section describes:

• Product features.

• Using this guide on page 10.

• Getting product information on page 12.

• Contact information on page 13.

Product features
In the typical network configuration shown in Figure 1-1, a single appliance operating
in Transparent Bridge mode protects users (shown to the right of a network switch)
who access the Internet or mail servers on the other side of the firewall or a router.
Figure 1-1 Transparent bridge mode configuration

If the appliance fails, the users have no service.

The Fail-Open Unit has four ports and can be connected between the devices in this
configuration as shown in the following figure.
Figure 1-2 Configuration with Fail-Open Unit

When the appliance is working normally, the Fail-Open Unit is in its online state, and it
directs network traffic along two paths — the first port and third port are linked, and the
second port and fourth port are linked:
Figure 1-3 Paths through the unit in online state

If the appliance fails, the Fail-Open Unit detects the failure, then changes to its bypass
state. The unit redirects network traffic along a different path — the first and second
port are linked, isolating the other two ports:
Figure 1-4 Path through the unit in bypass state

The following figures show how the unit directs traffic with this configuration.

When the appliance is working normally, the Fail-Open Unit directs traffic through the
appliance:
Figure 1-5 Connection paths during online state

When the appliance fails, the Fail-Open Unit directs traffic through itself, isolating the
appliance:
Figure 1-6 Connection path during bypass state

Detecting appliance failure


The Fail-Open Unit detects a failure of the appliance by monitoring its response to a
regular signal and optionally detecting link faults on the inside and outside network
links.

The unit sends a regular heartbeat packet to the appliance from its third port (port C).
Figure 1-7 Monitoring the heartbeat

If the Fail-Open Unit does not receive the heartbeat packet in return on its fourth
port (port D) after a specified interval (equivalent to several heartbeats), the
Fail-Open Unit goes into the bypass state.

Using this guide


This guide provides information on installing, configuring and using your product. These
topics are included:

• Introducing the Fail-Open Unit.
An overview of the product, with a description of new or changed features; an
overview of this guide; McAfee contact information.

• Installing the Fail-Open Unit on page 15.
How to mount the unit in the rack and connect the cables.

• Testing the Fail-Open Unit on page 21.
How to test the installed unit.

• Frequently Asked Questions on page 27.

Audience
This information is intended for network administrators who are responsible for
installing and managing the appliance.

Conventions
This guide uses the following conventions:

Bold Condensed   All words from the interface, including options, menus, buttons, and dialog
                 box names.
                 Example: Type the User name and Password of the appropriate account.

Courier          The path of a folder or program; text that represents something the user
                 types exactly (for example, a command at the system prompt).
                 Examples:
                 The default location for the program is:
                 C:\Program Files\McAfee\EPO\3.5.0
                 Run this command on the client computer:
                 scan --help

Italic           For emphasis or when introducing a new term; for names of product
                 documentation and topics (headings) within the material.
                 Example: Refer to the VirusScan Enterprise Product Guide for more information.

Blue             A web address (URL) and/or a live link.
                 Example: Visit the McAfee web site at: http://www.mcafee.com

<TERM>           Angle brackets enclose a generic term.
                 Example: In the console tree, right-click <SERVER>.

Note             Supplemental information; for example, another method of executing the
                 same command.

Tip              Suggestions for best practices and recommendations from McAfee for
                 threat prevention, performance and efficiency.

Caution          Important advice to protect your computer system, enterprise,
                 software installation, or data.

Warning          Important advice to protect a user from bodily harm when using
                 a hardware product.

Getting product information


Unless otherwise noted, product documentation comes as Adobe Acrobat .PDF files,
available on the product CD or from the McAfee download site.

Additional documentation for the appliance


Installation Guide — System requirements and instructions for installing the
appliance.

Product Guide — Introduction to the appliance and its features; detailed instructions
for configuring the software; information on deployment, recurring tasks, and operating
procedures.

Concepts Guide — Conceptual information about how you can use the appliance.

Help — High-level and detailed information accessed from the software application
using the Quick Help button for page-level help.

Configuration Guide — For use with ePolicy Orchestrator®. Procedures for deploying
and managing appliances through the ePolicy Orchestrator management software.

Release Notes — ReadMe. Product information, resolved issues, any known issues,
and last-minute additions or changes to the product or its documentation.

License Agreement — The McAfee License Agreement booklet that includes all of
the license types you can purchase for your product. The License Agreement presents
general terms and conditions for use of the licensed product.

Contacts — Contact information for McAfee services and resources: technical
support, customer service, Security Headquarters (AVERT), beta program, and training.

Contact information
Threat Center: McAfee Avert® Labs http://www.mcafee.com/us/threat_center/default.asp
Avert Labs Threat Library
http://vil.nai.com
Avert Labs WebImmune & Submit a Sample (Logon credentials required)
https://www.webimmune.net/default.asp
Avert Labs DAT Notification Service
http://vil.nai.com/vil/signup_DAT_notification.aspx

Download Site http://www.mcafee.com/us/downloads/
Product Upgrades (Valid grant number required)
Security Updates (DATs, engine)
HotFix and Patch Releases
• For Security Vulnerabilities (Available to the public)
• For Products (ServicePortal account and valid grant number required)
Product Evaluation
McAfee Beta Program

Technical Support http://www.mcafee.com/us/support/


KnowledgeBase Search
http://knowledge.mcafee.com/
McAfee Technical Support ServicePortal (Logon credentials required)
https://mysupport.mcafee.com/eservice_enu/start.swe

Customer Service
Web
http://www.mcafee.com/us/support/index.html
http://www.mcafee.com/us/about/contact/index.html
Phone — US, Canada, and Latin America toll-free:
+1-888-VIRUS NO or +1-888-847-8766 Monday – Friday, 8 a.m. – 8 p.m., Central Time

Professional Services
Enterprise: http://www.mcafee.com/us/enterprise/services/index.html
Small and Medium Business: http://www.mcafee.com/us/smb/services/index.html

2 Installing the Fail-Open Unit

The Fail-Open kit includes network cables and power cables, enabling it to be
connected and mounted in a standard 19-inch rack. This section describes:

• Checking the contents of the box.

• Mounting the unit in a rack on page 16.

• Preparing for cable connections on page 16.

• Connecting the Fail-Open Unit on page 19.

Checking the contents of the box


Besides the unit and this guide, the box also contains:

• Four CAT-5e cables with RJ45 connectors, or four fiber cables with LC connectors.
One cable is a cross-over.

• RS-232 cable.

• Power cable(s) to suit your location.

Mounting the unit in a rack


Before mounting the unit, observe the following points:

• When deciding where to put the unit in the rack, remember to load the rack from
the bottom up. If you are installing several units, start with the lowest available
position first.

• Do not open the unit's case. No user-serviceable parts are inside, and opening the
case might invalidate your warranty.

• To avoid possible electric shock, or damage to other equipment, do not connect
cables until the unit is mounted in the rack.

• Ensure that the power cord is suitable for the country of use. Do not modify the
power cord.

• Ensure that the power outlet connected to the unit meets all electrical standards for
the country of use.

• When connecting the appliance to the power outlet and other equipment, ensure
that the cables are stowed or grouped safely, so that no one can trip over them.

Mount the unit using the integral thumbscrews. Two units can be mounted side by
side.

Preparing for cable connections


Before connecting cables to the appliance and the Fail-Open Unit, familiarize yourself
with the main components on their front and rear sides.

Rear view of the Fail-Open Unit


The following figure of the rear of the Fail-Open Unit shows the relevant parts for
installing the Fail-Open Unit.
Figure 2-1 Rear view of the Fail-Open Unit

R  RS-232 socket
P  DC power jacks, with retaining clip.

Front view of the Fail-Open Unit


The unit is available with copper ports or fiber ports. The following figures of the front
of the Fail-Open Unit show the relevant parts for installing the Fail-Open Unit.
Figure 2-2 Front view of the copper-port Fail-Open Unit

Figure 2-3 Front view of the fiber-port Fail-Open Unit

B  Bypass indicators
L  Link and activity indicators
M  Power indicators
P  Ports, labelled A, B, C, D
S  Link speed indicators (The key on the right of the unit explains the
   colors that represent the speeds.)

For fiber ports:

• The left port of the pair transmits light from the unit.

• The right port of the pair receives light into the unit.

Rear view of the appliance


This section describes the relevant parts on the appliance for installing the Fail-Open
Unit. The rear panel of an appliance varies according to the type, but can have the
following parts:

• Power socket

If the appliance has two power modules, one acts as a redundant backup power
system. The second module is in standby mode, and operates if the first module
fails. The indicators on such power modules show their status:

  • Operational (top indicator) — Glows green when the module is in use.

  • Standby mode (bottom indicator) — Flashes green when the module is receiving
  standby power but is not in use.

  • No power — The indicators are off when the module is not receiving power from
  the power outlet.

• Copper or fiber ports

For copper cables, the appliance has two RJ45 10/100/1000 Mbps autonegotiating
Ethernet network ports. The ports must be used only with equipment where the
connections are intended for 10 Mbps, 100 Mbps or 1000 Mbps (1 Gbps) Ethernet
networks.

For fiber cables, the appliance has two fiber LC connectors for 1000 BASE-SX
Ethernet network connections. Remove the dust covers before use. To protect the
fibers from dust, replace the dust covers when not in use.

LAN1 and LAN2 ports connect the appliance to your network. They receive and
transmit the inbound and outbound traffic, and they handle communication with the
web browser that remotely manages the appliance.

The labels on the back of the appliance identify the ports, LAN1 and LAN2. For details,
see the Product Guide for your type of appliance.

• RS-232 serial port

• System identification button

To locate the appliance within a rack, push the system identification button to flash
indicators on the front and back panels. Push the button again to stop the indicators
flashing.

Connecting the Fail-Open Unit


Before connecting the Fail-Open Unit:

• Configure the ports of attached network terminations (such as those devices
connected to the A and B ports of the Fail-Open Unit) for autonegotiation of speed
and duplex. Mismatches caused by fixed settings can disrupt network traffic.

• If your appliance is in regular use, choose the least busy time to install the unit, or
warn users of the temporary break in service.

To connect the Fail-Open Unit:

1 Install your appliance and configure it in Transparent Bridge Mode.

2 Connect the Fail-Open Unit to the same power source as the appliance.

3 Power up the Fail-Open Unit.

4 From a browser interface, open the Network | Settings page. Under Bypass Device
Settings, select Copper/Fiber Fail Open 2000.

5 Click Apply All Changes, and type a comment when prompted.

6 Connect the RS-232 serial cable between the Fail-Open Unit and the appliance.

7 Connect LAN 1 port of the appliance to port D of the Fail-Open Unit.

8 Connect LAN 2 port of the appliance to port C of the Fail-Open Unit.

9 Connect a device (typically a router) on the outside network to port B of the
Fail-Open Unit using a cross-over cable. This will act as your DTE interface.

10 Connect a device (typically a network switch) on the inside network to port A of the
Fail-Open Unit using a straight-through cable. This will act as your DCE interface.

The unit should now be operating. See Testing the Fail-Open Unit on page 21 for tests
to ensure that the unit is working correctly.

3 Testing the Fail-Open Unit

After you have installed the unit and connected the copper or fiber cables, you can test
that the unit is operating correctly. This section describes:

• Understanding the indicators on the unit on page 22.
Read this first to become familiar with the unit.

• Testing the Fail-Open Unit on page 23.

• Further testing on page 24.

• Configuring the unit on page 24.

For troubleshooting, see Frequently Asked Questions on page 27.

Understanding the indicators on the unit


The indicators on the front panel show the state of the unit.
Figure 3-1 Indicators on the front panel of the Fail-Open Unit (copper and fiber)

Key  Label   Description

M            The unit has two power supplies. The green indicators (labeled 1 and 2)
             show which power supply is providing power.

B    BYPASS  Two green indicators show whether the unit is bypassing traffic:
             • The OFF indicator glows while the appliance is working correctly.
             • The ON indicator glows if the appliance fails, and the unit is
               bypassing the traffic.

S    LINK    The copper unit has a link speed indicator in the top left of each port.
             Each indicator glows with a color corresponding to the link speed. See
             the key on the right of the unit. The fiber unit has a group of four
             indicators — one per port.
             Each indicator glows steadily when a good link is established.

L    ACT     The copper unit has an activity indicator in the top left of each port. The
             fiber unit has a group of four indicators — one per port.
             The indicator flashes when there is activity on a good link.

Testing the Fail-Open Unit


This test ensures that a Fail-Open Unit is correctly connected and working. If the test
fails, check the connections, and see Frequently Asked Questions on page 27.

To test the unit:

1 At the front panel, check that the unit is on — the power and the BYPASS OFF
indicators glow.

2 At the appliance interface, open the Network | Settings page, and under Copper/Fiber
Fail-Open 2000:

• Set Watchdog Polling Rate to 1 second, and Watchdog Time to 10 seconds.

• Set the line speed.

• If applicable, select Enable Gigabit, Autonegotiate, and Full Duplex.

3 Click Apply All Changes, and type a comment when prompted.

4 Remove the cable from the C port.

a After approximately 10 seconds (the Watchdog Time), notice that the BYPASS ON
indicator glows.

b Re-insert the cable.

c After approximately one second (the Watchdog Polling Rate), notice that the BYPASS
OFF indicator glows.

5 Repeat Step 4 for the D port.

6 When the test is finished, set the values at the Network | Settings page to suit your
network. See Configuring the unit on page 24.

For further testing, see page 24.

Further testing
You can run further tests on the unit. During normal operation, the appliance blocks
emails or websites that contain viruses. However, while the unit is bypassing the
appliance, a virus can enter the network. We recommend that you use test files that
can cause a response from the appliance and other anti-virus software in your network.
These files are not viruses and therefore are not harmful.

Try these tests on the unit when it is bypassing the appliance and when it is not. When
an appliance is bypassed, it cannot detect the test files.

• To test email, use an email message containing a single line, ZQZXJVBVT. The email
can be detected by any McAfee scanner.

• To test access to the Internet, visit www.eicar.com, and try to view the anti-virus
test file. The file can be detected by any anti-virus scanner. To avoid any misleading
results with your web browser, clear the web cache while viewing.

Configuring the unit


Besides the returned heartbeats, the unit also receives configuration information from
the appliance. To configure the Fail-Open Unit, use the Network | Settings page or
Network | Setup Wizard page of the appliance.

Adjusting the switching times


The unit switches between directing traffic through the appliance or bypassing the
appliance, according to the state of the links or the heartbeat. To prevent spurious
switching, you can configure the Fail-Open Unit from the appliance in the following
ways:

• Change the Watchdog Polling Rate (the heartbeat rate).

• Change the Watchdog Time.

• Change the line speed and autonegotiation.

Changing settings
The default settings are usually suitable but you can change them at any time from the
appliance interface on the Network | Settings page under Bypass Device Settings.
Table 3-1 Settings at the appliance interface

Select bypass switch
  Range or value: Off / 1000 / 2000
  Default: Off
  Select 2000 for this Fail-Open Unit. This enables the appliance to operate with the
  Fail-Open Unit. (If you have an earlier design, select 1000.) If you select Off, any
  values that you have set in the other fields are retained so that you can use them
  again later.

Watchdog Polling Rate
  Range or value: 1-254 seconds
  Default: 1 second
  This determines how often the Fail-Open Unit sends a heartbeat packet to the
  appliance.

Watchdog Time
  Range or value: 1-254 seconds
  Default: 10 seconds
  If this time has elapsed since the Fail-Open Unit last received a heartbeat, the unit
  switches into bypass state. The Fail-Open Unit switches out of bypass state upon
  receiving a heartbeat again.
  We recommend that this value is at least three times the Watchdog Polling Rate. If
  the appliance is handling heavy traffic, it might be unable to return the heartbeat,
  causing the Fail-Open Unit to bypass all traffic (unscanned) during busy times.

Line speeds
  Range or value: 10 Mbps, 100 Mbps, 1 Gbps
  Default: All
  This determines the available line speeds. Select any of Enable 10 Mbps, Enable
  100 Mbps, and Enable Gigabit.

Full Duplex
  Range or value: On or Off
  Default: On
  Full Duplex must be on for the 1 Gbps line speed.

Link Fault Detect
  Range or value: On or Off
  Default: On
  When this is On, the Fail-Open Unit drops the remaining full-duplex link when one
  side fails, alerting connected devices of a failure on both sides of the link.

Autonegotiate
  Range or value: On or Off
  Default: On
  If the devices that normally communicate with the appliance use autonegotiation, set
  this checkbox. Autonegotiate must be on for the 1 Gbps line speed.
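The following is an added example, not code from McAfee or from this guide. It checks a set of Bypass Device Settings against the constraints stated in Table 3-1 (value ranges, the Watchdog Time being at least three times the Watchdog Polling Rate, and Full Duplex and Autonegotiate being on for 1 Gbps), and then simulates the watchdog so an operator can see, for a given pattern of returned heartbeats, when the unit would fall into bypass and for how long traffic would pass unscanned. The field names and the heartbeat scenario are assumptions modelled on the table's labels.

```python
"""Added example (not McAfee's code): validates Bypass Device Settings against
Table 3-1 and simulates the watchdog that decides when traffic goes unscanned.
Field names are assumptions based on the table's labels."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class BypassSettings:
    bypass_switch: str = "Off"        # Off, 1000 or 2000 (2000 = this Fail-Open Unit)
    watchdog_polling_rate: int = 1    # seconds between heartbeats, 1-254
    watchdog_time: int = 10           # seconds without a heartbeat before bypass, 1-254
    line_speeds: List[str] = field(
        default_factory=lambda: ["10 Mbps", "100 Mbps", "1 Gbps"])
    full_duplex: bool = True
    link_fault_detect: bool = True
    autonegotiate: bool = True


def validate(s: BypassSettings) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    if s.bypass_switch not in ("Off", "1000", "2000"):
        problems.append(f"Select bypass switch must be Off, 1000 or 2000, not {s.bypass_switch!r}")
    elif s.bypass_switch == "Off":
        problems.append("Select bypass switch is Off: the appliance is not managing the unit")
    for label, value in (("Watchdog Polling Rate", s.watchdog_polling_rate),
                         ("Watchdog Time", s.watchdog_time)):
        if not 1 <= value <= 254:
            problems.append(f"{label} of {value} s is outside the 1-254 s range")
    # Table 3-1 recommends Watchdog Time >= 3 x Watchdog Polling Rate so that one
    # delayed heartbeat under heavy load does not put the unit into bypass.
    if s.watchdog_time < 3 * s.watchdog_polling_rate:
        problems.append(
            f"Watchdog Time {s.watchdog_time} s is less than 3 x Watchdog Polling Rate "
            f"({3 * s.watchdog_polling_rate} s): spurious bypass is likely under load")
    if "1 Gbps" in s.line_speeds:
        if not s.full_duplex:
            problems.append("Full Duplex must be On for the 1 Gbps line speed")
        if not s.autonegotiate:
            problems.append("Autonegotiate must be On for the 1 Gbps line speed")
    return problems


def bypass_transitions(watchdog_time: int, reply_times: List[float],
                       horizon: float) -> List[Tuple[float, str]]:
    """Simulate the watchdog. reply_times are the instants (seconds from start)
    at which returned heartbeats reach the unit; the unit starts inline at t=0
    with a fresh heartbeat. Returns the (time, state) transitions up to horizon."""
    transitions: List[Tuple[float, str]] = []
    in_bypass = False
    last_reply = 0.0
    for t in sorted(r for r in reply_times if 0 < r <= horizon):
        # Did the watchdog expire before this reply arrived?
        if not in_bypass and t - last_reply >= watchdog_time:
            in_bypass = True
            transitions.append((last_reply + watchdog_time, "bypass"))
        if in_bypass:
            # A returned heartbeat takes the unit out of bypass again.
            in_bypass = False
            transitions.append((t, "inline"))
        last_reply = t
    if not in_bypass and horizon - last_reply >= watchdog_time:
        transitions.append((last_reply + watchdog_time, "bypass"))
    return transitions


def unscanned_seconds(transitions: List[Tuple[float, str]], horizon: float) -> float:
    """Total time spent in bypass (traffic passing unscanned) before horizon."""
    total, start = 0.0, None
    for t, state in transitions:
        if state == "bypass":
            start = t
        elif start is not None:
            total += t - start
            start = None
    if start is not None:
        total += horizon - start
    return total


if __name__ == "__main__":
    settings = BypassSettings(bypass_switch="2000", watchdog_polling_rate=1, watchdog_time=10)
    print("problems:", validate(settings) or "none")
    # Constructed scenario: heartbeats return every second, then the appliance is
    # silent from t=5 until t=20 (for example, while it is overloaded or rebooting).
    replies = [1, 2, 3, 4, 5, 20, 21, 22]
    tr = bypass_transitions(settings.watchdog_time, replies, horizon=30)
    print("transitions:", tr)                               # [(15, 'bypass'), (20, 'inline')]
    print("unscanned seconds:", unscanned_seconds(tr, 30))  # 5.0
```

The simulation makes the trade-off in the table concrete: a short Watchdog Time reacts quickly to a dead appliance, but every pause in heartbeat replies longer than that value opens a window during which mail and web traffic pass without scanning.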

4 Frequently Asked Questions

This section answers questions that can arise when using the Fail-Open Unit:

• How can I protect my network if the appliance fails? on page 28

• How can I check the copper cables? on page 28

• Why can’t I change any settings on the Fail-Open Unit? on page 29

• What do I need to do when upgrading the appliance? on page 29

• After the Fail-Open Unit changes state, why does my network take some time to
  recover? on page 29

• Can I communicate with an appliance when the Fail-Open Unit is in bypass state?
  on page 29

• How do I ensure the correct line speeds and duplex mode? on page 30

• How can I view the activity of the Fail-Open Unit? on page 31

• What are the basic specifications of the Fail-Open Unit? on page 31

How can I protect my network if the appliance fails?

If the appliance fails, all traffic passes through the Fail-Open Unit instead. Users can
send and receive email or access web sites, as before. However, no scanning takes
place. Spam and phish email can enter your network, viruses are not stopped, and
users can view inappropriate web sites.

Until the appliance is reinstated, your network is vulnerable to viruses and other
potentially unwanted software. Fortunately, your network is likely to have some other
(system) protection, which protects individual computers. For example, on-access
scanners on desktop computers can detect any viruses when a file is opened.
Depending on your traffic and the other protection within your network, you can try the
following methods to protect your network until the appliance is available again:

• Inform users of the disruption to their service.

• Warn users that the protection will be less secure during this time. Advise them
  against accessing files by portable media such as diskettes, CDs, DVDs, and USB
  memory devices, to prevent any propagation to other networks.

• Advise users against opening or forwarding email from unknown senders.

• Run extra on-demand scanning on servers.

• Strengthen the policies that ePolicy Orchestrator applies to individual computers
  and servers in your network.

How can I check the copper cables?

Correct cables are important for proper operation of the unit, particularly when using
copper cable. Problems with cables can result in confusing displays on the link
indicators and prevent the unit from bypassing the appliance. In general, the copper
units are for use with one straight-through cable and one cross-over cable between a
network switch and a router (or other NIC-type interface). Ports C and D of the
Fail-Open Unit (which connect to the appliance) are intended for NIC-type interfaces,
using straight-through cables.

If you use other network configurations, you must maintain the cable polarity. To check
the cables:

• Confirm that devices connected to ports A and B can communicate when the
  Fail-Open Unit is in bypass state.

  In bypass state, the Fail-Open Unit connects each pin of port A to port B.
  Figure 4-1 Connections during bypass state

To put the Fail-Open Unit into bypass state immediately, remove its power cord.
Confirm that devices connected to ports A and B are communicating. If not, directly
connect the two external cables with a female-female RJ45 coupler.

• Confirm that the link signals are active.

Connect the RJ45 cables to the Fail-Open Unit one at a time, and check that the link
indicators glow.

Why can’t I change any settings on the Fail-Open Unit?

You can manage the unit only if the appliance is configured to communicate with it.

In the appliance interface, open the Network | Settings page, and under Bypass Device
Settings, select Copper/Fiber Fail Open 2000.

If the appliance is being bypassed by the Fail-Open Unit, you cannot use the browser
interface, and must use the console interface instead.

What do I need to do when upgrading the appliance?

By default, an appliance does not enable the Fail-Open Unit. If you upgrade the
appliance, the Fail-Open Unit will go into bypass state, effectively isolating the
appliance, and preventing access via the browser interface.

When upgrading, you normally provide some basic configuration at the console
interface. At the Bypass option, enable the Fail-Open Unit (version 2000). You can then
configure other features from the browser interface.

After the Fail-Open Unit changes state, why does my network take some time to recover?

If Spanning Tree Protocol (STP) is enabled in your network switch or Ethernet switch,
clients might experience a 30-second delay before their connections are restored. You
can fix this by setting each client port into PortFast mode.

Can I communicate with an appliance when the Fail-Open Unit is in bypass state?

If the appliance has not suffered a serious failure, you can normally communicate with
it via the web browser. However, if the Fail-Open Unit has switched to bypass state,
the appliance is isolated from the network, and you cannot communicate with it.

This configuration has some advantage over a configuration that has only a single
appliance with no Fail-Open Unit. Network traffic continues to flow so users still have
their service while you examine why the appliance failed.

However, network traffic is not scanned. See How can I protect my network if the
appliance fails? on page 28. The appliance is isolated from the network and cannot be
managed. For example, the appliance cannot fetch updates, and you cannot examine
its logs.

If the appliance is bypassed while operating as an ICAP server, any ICAP client cannot
communicate with the ICAP server, so you must configure the ICAP client to handle
this situation.

If your appliance includes a Remote Access Card, you can communicate with the
appliance remotely using the card even when the appliance is bypassed.

How do I ensure the correct line speeds and duplex mode?

When you are setting up your network, ensure that all networking devices that interact
with the Fail-Open Unit operate in the same speed and duplex mode.

To change the speed and duplex mode of the appliance to be consistent with the DTE
and DCE devices that it interfaces with, change the network settings in the appliance,
using one of the following:

• At the console, run the command webshield config.

• At the browser interface, select Network | Settings | Bridge | Advanced LAN1 and
  Network | Settings | Bridge | Advanced LAN2.

If you try to connect devices operating at different speeds to the Fail-Open Unit, the
Fail-Open Unit cannot negotiate each interface separately, nor run each port at a
different speed and duplex mode.

In the above situation, the Fail-Open Unit will determine the lowest speed and duplex
mode of all the ports, and apply the same speed and duplex mode to all the ports so
that no packets are lost during its normal operation.

The Fail-Open Unit will then start to negotiate the speed with the link partner. The
Fail-Open Unit will bring down the links briefly but still long enough for the link partner
to detect the changes in configuration.

In this way, all the devices connected to the Fail-Open Unit will run at the same speed
and duplex mode.

How can I view the activity of the Fail-Open Unit?

To view the activity:

1 In the browser interface, open the Monitor | Logs page.

2 Select Hardware and Resources.

3 Click Next.

4 Look for bypass in the Application column.

5 Select an entry, and click Event Details to view the details of the event.
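Reviewing bypass entries by hand in the Monitor | Logs page works for a single incident; for a periodic check of how long the appliance was bypassed (and therefore how long traffic passed unscanned), the following added example, which is not code from McAfee or from this guide, picks the entries whose Application column is bypass out of a text export of the Hardware and Resources log, pairs each entry into bypass with the next return to inline, and reports any window that is still open. The "timestamp | application | message" line layout and the message wording are assumptions, and the sample lines are constructed.

```python
"""Added example (not McAfee's code): turns bypass entries from an assumed
text export of the Hardware and Resources log into bypass windows.
Line layout and message wording are assumptions; sample lines are constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample export; the real log's column layout may differ.
SAMPLE_LOG = """\
2006-03-14 09:11:58 | kernel | eth1: link is up
2006-03-14 09:12:01 | bypass | unit entered bypass state: watchdog expired
2006-03-14 09:12:31 | bypass | unit returned to inline state: heartbeat received
2006-03-14 09:40:05 | smtp | queue flushed, 12 messages
2006-03-14 11:02:10 | bypass | unit entered bypass state: watchdog expired
this line is not in the expected layout and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<app>\S+) \| (?P<msg>.*)$")


def parse_bypass_events(text: str) -> List[Dict]:
    """Return the events whose Application column is 'bypass', oldest first.
    Lines that do not match the assumed layout are skipped rather than guessed at."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("app") != "bypass":
            continue
        msg = m.group("msg")
        if "entered bypass" in msg:
            state = "bypass"
        elif "inline" in msg:
            state = "inline"
        else:
            continue  # a bypass entry with wording this example does not recognise
        events.append({"time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                       "state": state, "message": msg})
    events.sort(key=lambda e: e["time"])
    return events


def bypass_windows(events: List[Dict], now: Optional[datetime] = None) -> List[Dict]:
    """Pair each entry into bypass with the next return to inline. A window with
    no return yet is reported as open and measured up to `now`."""
    windows: List[Dict] = []
    start: Optional[datetime] = None
    for e in events:
        if e["state"] == "bypass" and start is None:
            start = e["time"]
        elif e["state"] == "inline" and start is not None:
            windows.append({"start": start, "end": e["time"], "open": False,
                            "seconds": (e["time"] - start).total_seconds()})
            start = None
    if start is not None:
        end = now or start
        windows.append({"start": start, "end": end, "open": True,
                        "seconds": (end - start).total_seconds()})
    return windows


def total_bypass_seconds(windows: List[Dict]) -> float:
    """Sum of all bypass windows: the time traffic passed without scanning."""
    return sum(w["seconds"] for w in windows)


if __name__ == "__main__":
    evs = parse_bypass_events(SAMPLE_LOG)
    wins = bypass_windows(evs, now=datetime(2006, 3, 14, 11, 5, 10))
    for w in wins:
        flag = "STILL IN BYPASS" if w["open"] else "closed"
        print(f"{w['start']} -> {w['end']}  {w['seconds']:.0f} s  {flag}")
    print("total unscanned seconds:", total_bypass_seconds(wins))
```

An open window is the case worth alerting on: the appliance is isolated, cannot fetch updates, and every minute that passes is another minute of unscanned mail and web traffic, as the earlier question on protecting the network explains.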

What are the basic specifications of the Fail-Open Unit?

Parameter              Value
Size                   29 x 254 x 165 mm (1.125 x 10 x 6.5 inches) for copper;
                       29 x 292 x 165 mm (1.125 x 11.5 x 6.5 inches) for fiber
Operating temperature  0 °C to 55 °C for copper; 5 °C to 40 °C for fiber
Storage temperature    -10 °C to 70 °C
Relative humidity      10 - 95% maximum, non-condensing
Electrical ratings     100-240 V, 47-63 Hz, 0.5 A
Copper ports           IEEE 802.3
Fiber ports            IEEE 802.3u 1000 BaseSX (multimode) compatible with LC connectors

700-1302A00