Software Bundles

Networking, routing and monitoring
Authentication (SSO, PKI, Kerberos, 2FA* including support for OATH Google and Microsoft Authenticators as well as OneSpan DIGIPASS® technology)
RADIUS server
Directory Services
Firewall with IPS
VPN Server
Client-Server (PPTP, L2TP, OpenVPN)
Site to Site (IPsec, e-tunnel)
Personal AXS GUARD (SSL)
Web Traffic Control
Proxy control
Application Firewall
Web statistics
Advanced networking
Multiple Internet connections
Bandwidth management
Public DNS
Reverse Proxy
SSL VPN Portal
High Availability**

Content Scanning Basic Optional
(per user per year)
(per user per year)
(per user per year)
Relay (Antispam, Antimalware, Antivirus)
E-mail server with webmail
Web Proxy traffic
URL filtering, Blacklists, Antivirus

Content Scanning Standard Optional
(per user per year)
(per user per year)
(per user per year)
Trend Micro Licenses
Web content Scanning

Software Features

The configuration wizards are a user-friendly way to configure your appliance step by step and allow you to carefully review and tweak your system settings, for example:

  • Setup wizard: Create a new administrator, configure essential system settings and network devices.
  • License wizard: Enter your customer information, register online and upload your license to get your appliance to full operational, in-service status.
  • Group and user wizard: Allows you to easily create new users and groups and also to import and synchronize LDAP users and groups.
  • Office 365 wizard: Automatically configures your bandwidth and firewall security for Office 365 applications and services.


Routing is the decision process by which packets are moved from one network to another. Entries in routing tables specify the interface or gateway through which a packet must leave a network to reach another.

Internal DNS

The AXS GUARD appliance is an internal DNS server, which specifically serves the secure LAN and the DMZ. It also caches requests and can be configured to forward DNS and WINS requests to specific servers. The internal DNS automatically collects the following information:

  • Names given to network devices
  • Names assigned to computers in the LAN
  • SRV records

Built-in Time Server

The AXS GUARD appliance has an internal NTP server which can be used by clients in your network. A correct system time is essential for time-sensitive processes such as two-factor and Kerberos authentication, but also for scheduled tasks and system logging.

DHCP Server

The Dynamic Host Configuration Protocol (DHCP) is an application protocol that enables your appliance to dynamically assign IP addresses to computers and other devices in its network. The AXS GUARD appliance supports:

  • PXE
  • DHCP Relay Agents
  • Dynamic Address Allocation (Authoritative DHCP)
  • Static and dynamic leases

Network Tools

The AXS GUARD appliance provides the following web-based tools for basic network troubleshooting:

  • Subnet calculator
  • Ping
  • Traceroute
  • Animated, real-time network flow analysis (netstat)
  • Internet speed test

Network Address Translation

Five NAT types can be configured on the AXS GUARD appliance. The types are defined based on the altered header information:

  • Masquerading
  • SNAT (Source Network Address Translation)
  • (Authenticated) Port Forwarding
  • DNAT (Destination Network Address Translation)
  • Port Redirection
NAT helpers are available for the following protocols: FTP, PPTP, IRC, H.323, SIP, SNMP, TFTP, Amanda, DCCP, SCTP and UDP-lite.

Virtual Local Area Networks (VLAN)

VLANs are used to add one or more segments to your network without the need to add an additional physical network interface.

Channel Bonding

Channel bonding or Ethernet bonding is a computer networking arrangement in which two or more network interfaces on a host are combined for redundancy or increased throughput.

Bonding allows you to effectively combine the bandwidth into a single connection or to create multi-gigabit pipes to transport traffic through the highest traffic areas of your network. The following bonding types are supported:

  • Round Robin: Packets are transmitted in a round robin fashion over the available slave interfaces. This type provides both load balancing and fault tolerance.
  • Active Backup: One slave interface is active at any time. If one interface fails, another interface takes over the MAC address and becomes the active interface. Provides fault tolerance only. Does not require special switch support.
  • XOR Balancing: Tranmissions are balanced across the slave interfaces based on source MAC) XOR (dest MAC modula slave count. The same slave is selected for each destination MAC. Provides load balancing and fault tolerance.
  • Broadcast: Transmits everything on all slave interfaces. Provides fault tolerance.
  • 802.3ad: This is classic IEEE 802.3ad Dynamic link aggregation. This requires 802.3ad support in the switch and driver support for retrieving the speed and duplex of each slave.
  • Balance TLB: Adaptive Transmit Load Balancing. Incoming traffic is received on the active slave only, outgoing traffic is distributed according to the current load on each slave. Doesn2019t require special switch support.
  • Balance ALB: Adaptive Load Balancing provides both transmit load balancing (TLB) and receive load balancing for IPv4 via ARP negotiation. Does not require special switch support, but does require the ability to change the MAC address of a device while it is open.


Sometimes it is useful to divide a physical network (such as an Ethernet segment) into separate network segments. Network bridges do not require separate IP subnets and routers to connect the individual segments. If your appliance has two or more network interfaces, they can be configured as a bridge. There are various use cases:

  • Connecting Networks: Joining two or more network segments together. There are many reasons to use a host-based bridge over plain networking equipment such as cabling constraints, firewalling and routing. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point.
  • Filtering / Traffic Shaping Firewall: A common situation is where firewall functionality is needed without routing or network address translation (NAT).
  • Network Tap: A bridge can be used to inspect all Ethernet frames that pass between the connected network segments. This can be achieved with a traffic analyzer such as tcpdump or by sending a copy of all frames to an additional interface (span port).
  • Layer 2 Redundancy: A network can be connected together with multiple links and use the Spanning Tree Protocol to block redundant paths. For an Ethernet network to function properly, only one active path can exist between two devices. Spanning Tree will detect loops and put the redundant links into a blocked state. Should one of the active links fail then the protocol will calculate a different tree and reenable one of the blocked paths to restore connectivity to all points in the network.

IP Tunnels

IP tunnels are often used for connecting two disjoint IP networks which don't have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. The AXS GUARD appliance supports the following tunnel types:

  • IP in IP, sometimes called ipencap, is IP encapsulation within IP and is described in RFC 2003.
  • GRE in IP. GRE is a tunneling protocol that was originally developed by Cisco and can be used to transport multicast traffic through a GRE tunnel. GRE (defined in RFC 2784 and updated by RFC 2890) goes a step further than IP in IP, adding an additional header of its own between the inside and outside IP headers.

Public DNS

The Domain Name System (DNS) is a crucial component to the Internet. The AXS GUARD appliance supports the following features:

  • DNS Zone Transfers
  • Forward and reverse lookup zones
  • Round Robin

Dynamic DNS

Dynamic DNS, also known as DDNS, solves the problem of ever changing residential IP addresses by associating your address with a consistent domain name without the need to buy a pricey static IP.

Bandwidth management is the process of measuring and controlling communications (traffic, packets) on a network link, to avoid filling the link to its full capacity or even overfilling the link, which would result in network congestion and poor performance.

The AXS GUARD appliance allows administrators to easily classify traffic based on various properties. Bandwidth management policies are enforced through schedules and can also be configured for virtual network devices, such as VPN devices.

The Internet Redundancy module is only available on appliances with two or more Internet interfaces and offers the following features:

  • Load Balancing: Distribute data across two or more Internet interfaces to ensure that a single Internet interface does not get overloaded with network traffic.
  • Internet Failover: The capability to switch over automatically to a redundant or standby Internet interface, upon the failure of the previously active interface.
  • Dedicated Routing: The capability to dedicate an Internet interface to a certain type of traffic, e.g. VoIP.

Dynamic Firewall Policies

Dynamic firewall policies are enforced at the user, group or computer level. User and group policies are enforced after successful authentication with the AXS GUARD appliance. Computer policies are intended for servers which need specific access to the Internet, e.g. to download software updates, and to which physical access is ideally restricted.

Static Firewall Policies

Static firewall policies are always enforced and apply to all users and computers which are physically connected to the network. They must be used to allow access to a service, e.g. the L2TP service.

Advanced Firewall Rules and Policies

The internal firewall system is based on iptables. Advanced firewall rules require specific syntax and have priority over dynamic and static firewall rules configured via the AXS GUARD web-based administration tool.

Block Lists

Block lists are lists of IP addresses or IP ranges that are blocked by the firewall. Predefined lists contain malicious IP addresses and are updated automatically. Custom lists can be added if necessary.

Other Automated Lists

As IP addresses of various cloud applications and services - such as Office 365 apps - may change regularly and without prior notice, automated lists are available to keep your network environment secure and reliable.

Other Features

The following features are also supported by the firewall:

  • Denial Of Service Checks
  • Unclean Packet Checks
  • Global Bad Packet Management


The application control system monitors the application layer (layer 7 of the OSI model) of the network.

This is also known to as Deep Packet Inspection (DPI), a form of computer network packet filtering that examines the data part of a packet as it passes the AXS GUARD appliance, searching for defined criteria, such as protocols or websites, to decide whether the packet may pass or needs to be blocked.

AXS GUARD also collects and reports statistical information about all layer 7 traffic.

Application Types

The following applications can be blocked:

  • Social Media, e.g. Facebook
  • Remote Desktop, e.g. RDP and VNC
  • VPN, e.g. PPTP
  • P2P, e.g. Bittorrent
  • File Sharing, e.g. Dropbox
  • Messaging and VoIP, e.g. Skype, Viber
  • Multimedia, e.g. Spotify, YouTube, avi files
  • Others, e.g. Gmail, FTP


The AXS GUARD proxy server services requests on behalf of clients in the secure LAN by forwarding these requests to the Internet. Web access policies can be configured at the user, group, computer or the system level (a.k.a. a system-wide configuration).

Web Access Filters

Web access filters or Access Control Lists (ACL) define which sites users are allowed to visit and which ones are off limits. ACLs consist of categories which in turn are composed of site or word lists related to specific content.

Basic Content Scanning

  • URL filtering
  • ClamAV antivirus protection
  • Protection against other malware lists

Advanced Content Scanning

  • Filtering based on custom and predefined word lists.
  • Advanced URL filtering
  • Trend Micro antivirus engine.
  • ClamAV antivirus engine for additional protection against malware, trojans and other malicious software.
  • Protection against various other types of malware

Transparent Proxy

The AXS GUARD appliance can be used as a transparent proxy server. Transparent proxies are also commonly known as intercepting proxies.

Transparent or intercepting proxies are commonly used in businesses to prevent avoidance of implemented user policies (ACLs) and to ease administrative burden, since no browser configuration is required on the clients.

Additional Features

  • Customizable WPAD configuration
  • Support for parent proxy
  • Customizable user login page
  • Strong authentication and SSO
  • Advanced logging, reporting and statistics


The Intrusion Prevention System (IPS) is a preemptive approach to network security. IPS identifies potential software exploits and takes immediate action against them. The actions to be taken are based on existing preprocessors and a set of dynamic rules divided in classes.


IPS rules are organized in categories. Each category describes the type of software or protocol used to perform an attack, e.g. pop3, backdoor, etc. Categories contain individual rules, each within their own classification. The AXS GUARD appliance can be configured so rules are updated automatically.


The directory services module allows you to synchronize users and groups by establishing an LDAP connection with a directory server. The imported user accounts and groups remain updated if changes are made to the records on the directory server. The directory services module provides:

  • LDAP back-end authentication
  • Synchronization of users and groups in multiple domains
  • Support for LDAP over SSL
  • SSO for web access and firewall access (SSO tool in domain mode)
  • Support for Microsoft Active Directory, NetIQ eDirectory and POSIX LDAP

Two-factor Authentication

Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which users provide two authentication factors to verify they are who they say they are. 2FA can be contrasted with single-factor authentication (SFA), a security process in which the user provides only one factor, typically a password.

Supported 2FA Technologies

  • OATH Microsoft and Google Authenticators
  • OneSpan DIGIPASS®


Kerberos is a time-sensitive network protocol that uses secret-key cryptography to authenticate client-server applications. The following back-ends are supported:

  • Microsoft Windows Servers
  • Servers running the MIT implementation
  • Servers running the Heimdal implementation


LDAP user authentication is the process of validating a username and password combination with a directory server such MS Active Directory or OpenLDAP. Also see the Directory Services feature.


The Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. RADIUS authentication and authorization are defined in RFC 2865.

EAP-TLS, defined in RFC 2716, is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communications with the AXS GUARD RADIUS server.

Basic Authentication

HTTP Basic authentication is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages. Basic authentication uses standard fields in the HTTP header, removing the need for handshakes.


The Ident Protocol, defined in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. This simplifies management in that you do not have to match IP addresses to computers to regulate web traffic.

Brute-force Attack Protection

A brute-force attack is an attack method that relies on one's ability to guess passwords to illegally access a target system. Most typically, the attacker uses software that tries a vast number of username / password combinations until the target system is accessed or the intrusion attempt is detected and blocked.

The AXS GUARD appliance can be configured to block brute-force attempts at the following levels:

  • The user level: consecutive failed logins from the same user are blocked, regardless of the source IP from which a suspected attack originates. Anonymizers are herewith rendered ineffective.
  • The host level: consecutive failed logins from the same source IP are blocked, regardless of the account that is used to launch a suspected attack.

PKI Tool

The AXS GUARD PKI tool allows you to create, manage, store, distribute, and revoke Public Key Certificates for VPN applications, such as IPsec Road Warriors, OpenVPN and L2TP clients. It is also used for secure e-mail relaying and secure web applications (reverse proxy). The following types and standards are supported:

  • PEM certificates, with or without separate key files
  • The PKCS #12 standard


The reverse proxy services Internet client requests by forwarding these requests to the correct server in the LAN, while providing strong authentication, request filtering and SSL offloading.

Supported Protocols

  • TCP/IP protocols: HTTP(S) and FTP
  • Application protocols: WebSocket, RPC over HTTP, MAPI over HTTP, EWS and RDP (via a remote desktop gateway)


  • Base URL Protection
  • RFC Compliance & Request Filtering
  • Predefined & Custom Applications
  • SSL Offloading & Two-factor Authentication
  • Ability to add custom login pages for your application servers


A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.

Personal AXS GUARD

Personal AXS GUARD (PAX) is an appliance based on the VPN security model, designed specifically for remote use. Its integration with home networks is easy and allows telecommuters to safely connect to corporate network resources and the Internet. PAX units are configured and centrally managed on the corporate AXS GUARD appliance which pushes the configuration to each individual unit.

OpenVPN Server

OpenVPN is an open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between hosts. It is capable of establishing direct links between computers across networks which use network address translation (NAT) and firewalls. OpenVPN is popular, easy to use, secure and widely supported on mobile devices. The AXS GUARD implementation also offers the possibility to enforce two-factor authentication.


IPsec is an Internet Engineering Task Force (IETF) open standard suite of protocols (framework) providing data confidentiality, integrity, and authentication. The AXS GUARD appliance only supports ESP in Tunnel Mode. This has to be taken into consideration when connecting other IPsec appliances or clients to the AXS GUARD IPsec server, which offers the following features:

  • Support for IKEv1 and IKEv2 tunnels
  • IPsec Road Warrior setups
  • GRE over IPsec tunnels
  • DHCP over IPsec (IKEv1 only)
  • XAUTH (two-factor authentication for IPsec road warriors)


The Secure Socket Tunneling Protocol (SSTP) provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The SSTP server uses TCP port 443 by default, allowing SSTP clients to traverse virtually all firewalls and proxy servers, except for authenticated web proxies. The AXS GUARD SSTP server can also be configured to enforce strong user authentication.


The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used with Virtual Private Networks (VPNs) based on the IPsec framework. It enables roaming users to establish a secure connection to the private network of their company HQ using an L2TP client. The L2TP client software is available on any Windows version. The AXS GUARD L2TP server also provides two-factor authentication.


The Point to Point Tunneling Protocol (PPTP) is an extension of the PPP protocol, defined per RFC 1171. The AXS GUARD PPTP server also provides two-factor authentication.

SSL Web Portal

The SSL Web Portal is a browser-based VPN solution that relies on Java. No other software is required on the client side. All network traffic is encrypted (HTTPS). The configuration of applications and users is entirely web-based and centralized. Two-factor authentication is also supported.

Security Features

  • RFC compliance checks
  • Anti-relay check
  • Policy-based Transport Layer Security (TLS)
  • Helo message check.
  • Preventing connections from MTAs with Dynamic IP addresses (potential spam vectors).
  • SPF protection.
  • Bad header checks.
  • Black listing, white listing and grey listing.
  • Anti-spoofing, i.e. validation of e-mail addresses.
  • Validity check of the sender and recipient e-mail address formats.
  • Verification of recipient addresses based on the origin.

Content Filtering

  • Policy-based filtering system.
  • Predefined and custom mail policies.
  • Specific policies can be assigned to users, groups or computers in addition to the system-wide mail policy or to overrule it.
  • Automated blocking of potentially dangerous e-mail attachments, such as executable files, office documents containing macros and encrypted archives.
  • Antivirus.
  • E-mail Quarantine.
  • Automated and manual spam learning.

Webmail Servers

SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure.

Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking.

POP3 Server

POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is downloaded to the client computer. The AXS GUARD appliance also supports POPS.

IMAP Server

The Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. The e-mail messages remain on the e-mail server. IMAP is defined in RFC 3501. The AXS GUARD appliance also supports IMAP over SSL (IMAPS).

Remote Mailboxes

The AXS GUARD MTA can be configured to distribute e-mails collected by a “catch-all” mailbox on the Internet. A “catch-all” mailbox refers to a mailbox in a domain that will "catch all" of the e-mails destined for that domain. A “catch-all” address provides a cheap method for companies to receive e-mail.


Managing log files is a vital part of network administration. The AXS GUARD syslog management engine offers you the ability to log system activities locally and remotely. This capability can be essential if you need to archive log files for a long period of time or simply want log files to be available on other systems in your network.

Supported Delivery Types

  • Local delivery: refers to logs that are generated by and stored on the AXS GUARD appliance.
  • Network delivery: refers to logs that are forwarded by a dedicated log server to the AXS GUARD appliance.
  • Relay delivery: refers to logs that have been delivered to the AXS GUARD appliance (also see network delivery). Once the logs are received, the AXS GUARD appliance relays them to another log server.
  • Mail delivery: the AXS GUARD appliance sends logs by e-mail to the specified addresses.
  • The Sumo Logic log collector: a cloud-based log management and analytics service, which requires a subscription.

Supported Log Types

The log type mainly influences the formatting of log messages.
The following log types are supported:

  • RFC 3164: This is the system default type and is the most human-readable format.
  • RFC 3339: This format contains the most details (e.g. timestaps)
  • Unix: Used by older servers and less detailed than RFC 3164 and 3339.


Network and data protection measures, such as a firewall, an anti-virus engine or an Intrusion Prevention System, are no longer sufficient in a​ GDPR​ world; organizations need to know what data they are collecting and how it's being used.

AXS GUARD is equipped with a threat reporting feature, allowing organizations to get actionable insights from raw data in various system log files.

This reporting feature is also capable of delivering selected reports automatically to administrators and authorized personnel, allowing them to better identify potential cyber threats in a GDPR context.

Firewall and IPS

The reports show information related to traffic that was dropped by the firewall and IPS. Connection tracking allows administrators to view information about active connections, such as the source and destination IP addresses, port number pairs, etc.

Application Control

The reports show detailed information about traffic dropped by the application control system, e.g. blocked Facebook connection attempts. A graphical representation of all connection data is also available.

Web Access

Web access statistics consist of a database from which the following reports can be extracted:

  • Requests per client.
  • Hourly requests.
  • Most frequently accessed websites.
  • Blocked requests.
  • Blocked sites.


The reports contain information about queued, quarantined and blocked messages. The MTA statistics provide information about all e-mail activity including, but not limited to, the total percentage of blocked messages and the number of messages per recipient.

Bandwidth Management

Consists of a graph, showing the averages of outgoing traffic per (sub)class and the total average over an 8-hour period. This graph allows you to monitor and detect unusual traffic peaks and adjust your bandwidth management configuration if needed.

User Authentication

The authentication status report provides information about authenticated and blocked users. Users and hosts which have been blocked by the brute-force protection system are also visible and can be unblocked on the fly.

High-Availability clusters (also known as failover clusters) are implemented primarily for the purpose of improving the availability of services that the cluster provides. They operate by having redundant nodes, which are then used to provide services when system components fail. The most common size for an HA cluster is two nodes, a master and a slave unit, which is the minimum requirement to provide redundancy.

The AXS GUARD fax module is a heavy-duty telecommunication system supporting:

  • Up to 8 Fax Lines.
  • Sending facsimile, including batch jobs via a connected workstation in a Novell, Windows or Unix network.
  • Receiving facsimile via e-mail or a networked printer in a Novell, Windows or Unix network.
  • PCL 5 and PostScript printers.
  • Shared use of the available modem(s).
  • Multiples queues, e.g. organized per department.
  • Fax reporting via e-mail.
  • Advanced logging.
Note that the fax module is sold exclusively in the BENELUX.

Software Revisions

Software revisions correct small, non-blocking software issues and contain minor improvements or features. Revision updates can be installed manually or automatically. Administrators are notified via e-mail when a new software revision is available.

Version Upgrades

Version upgrades include major improvements and introduce new features. They can be installed manually or automatically. Administrators are notified via e-mail when a new system upgrade is available.


Hotfixes occur automatically and transparently. They are used to ensure the optimal operation of appliances in the field and are pushed automatically by our update servers. Hotfix installations are beyond the control of resellers and system administrators.

Backup Download

This method allows you to manually download a backup of the current AXS GUARD configuration via the web-based administrator tool.

Weekly Backup via E-mail

This method allows you to automatically send a backup of the AXS GUARD configuration via e-mail to a dedicated user.

Backup on Network Share

A daily backup on a network share allows you to make a backup of the AXS GUARD configuration and critical user data, such as e-mails and log files. System administrators receive a backup report via e-mail and are also automatically notified in case of errors. Backups can be restored with a few simple clicks.

The CLI is a Linux-based command line interface for advanced troubleshooting. It can be accessed directly by connecting a screen and keyboard to the appliance or remotely with a secure connection (SSH).