
3e–527A3 Wireless Access Point – 8 Port

Chapter 3: Access Point Configuration

29000152-001 B


Static AES Key

The Advanced Encryption Standard (AES) uses a 128-bit block cipher algorithm and encryption technique for protecting computerized information. With the ability to use even larger 192-bit and 256-bit keys, if desired, it offers higher security against brute-force attacks than the older 56-bit DES keys.

The Key Generator button automatically generates a randomized key of the appropriate length. This key is initially shown in plain text so the user has the opportunity to copy the key. Once the key is applied, the key is no longer displayed in plain text.
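The key-length rule above, as an added example that is not part of the manual or the device's firmware: a checker for static keys that are generated or typed outside the web interface before being entered on the access point and its clients. The function names, the weak-key heuristics and the sample keys are assumptions made for this example; the 3DES size (192 bits entered as 48 hexadecimal digits) is the one the manual's 3DES key section gives.

```python
import secrets
import string

# Key size in bits per cipher. The AES sizes are the three the manual names;
# the 3DES size is the manual's "192-bit key as 48 hexadecimal digits".
KEY_BITS = {"AES-128": 128, "AES-192": 192, "AES-256": 256, "3DES": 192}


def check_static_key(cipher, key_hex):
    """Return a list of problems with a hex-encoded static key (empty = OK)."""
    if cipher not in KEY_BITS:
        raise ValueError(f"unknown cipher {cipher!r}")
    key_hex = key_hex.strip()
    want = KEY_BITS[cipher] // 4          # 4 bits per hex digit
    problems = []
    if any(c not in string.hexdigits for c in key_hex):
        problems.append("contains characters outside 0-9, a-f, A-F")
    if len(key_hex) != want:
        problems.append(f"expected {want} hex digits, got {len(key_hex)}")
    if problems:
        return problems                   # cannot decode, skip content checks

    raw = bytes.fromhex(key_hex)

    # Hand-typed keys are often one short unit repeated ("00..", "0123..0123..").
    for unit in (1, 2, 4, 8):
        if raw == raw[:unit] * (len(raw) // unit):
            problems.append(f"{unit}-byte pattern repeated across the whole key")
            break

    # A random key of this size has almost all-distinct bytes; few distinct
    # values means it was not drawn from a CSPRNG.
    if len(set(raw)) < len(raw) // 2:
        problems.append("too few distinct byte values for a random key")

    if cipher == "3DES":
        # DES ignores the low (parity) bit of every key byte, so compare the
        # three 8-byte sub-keys with that bit masked off.
        k1, k2, k3 = (bytes(b & 0xFE for b in raw[i:i + 8]) for i in (0, 8, 16))
        if k1 == k2 or k2 == k3:
            problems.append("sub-keys cancel: key is equivalent to single DES")
        elif k1 == k3:
            problems.append("K1 equals K3: this is two-key 3DES, not three-key")
    return problems


def generate_static_key(cipher):
    """Draw a key of the right length from the OS CSPRNG and re-check it."""
    if cipher not in KEY_BITS:
        raise ValueError(f"unknown cipher {cipher!r}")
    while True:
        key_hex = secrets.token_hex(KEY_BITS[cipher] // 8)
        if not check_static_key(cipher, key_hex):
            return key_hex


if __name__ == "__main__":
    # Constructed sample keys for illustration, not taken from any device.
    samples = [
        ("AES-128", "3f9a1c5e7b2d4086a1c3e5f708192a4b"),
        ("AES-128", "00" * 16),
        ("AES-128", "ab" * 24),
        ("3DES", "0123456789abcdef" "0022446688aaccee" "fedcba9876543210"),
    ]
    for cipher, key in samples:
        print(cipher, key, check_static_key(cipher, key) or "OK")
    print("fresh AES-256 key has", len(generate_static_key("AES-256")), "hex digits")
```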

Summary of Contents for 3e-527A3

Page 1: ...ologies Int l 360 Herndon Parkway Model 3e 527A3 Suite 1400 Standards FCC 15 247 RSS 210 ID s QVT 527A3 6780A 527A3 Herndon VA 20170 http www rheintech com Report 2006146 Page 81 of 114 Appendix K User Manual Please refer to the following pages ...

Page 2: ...ntennas respectively and installed with a minimum of 20 cm of separation distance between the antenna and all persons during normal operation Per FCC 1 1310 Table 1B the maximum permissible RF exposure for an uncontrolled environment is 1 mW cm2 for the frequencies used in this device The worst case power at the center frequency of the band of operation is used for the calculation below The power ...

Page 3: ...Wireless Access Point 8 Port User s Guide Model 3e 527A3 3e Technologies International 700 King Farm Blvd Suite 600 Rockville MD 20850 301 670 6779 www 3eti com 29000152 001 B publ 1003 06 ...

Page 4: ...This page intentionally left blank ...

Page 5: ...3e Technologies International s Wireless Access Point 8 Port User s Guide Model 3e 527A3 ...

Page 6: ...If you are unable to locate a copy of the license contact 3e Technologies International and a copy will be provided to you ___________________________________ UNITED STATES GOVERNMENT LEGEND If you are a United States Government agency then this documentation and the product described herein are provided to you subject to the following All technical data and computer software are commercial in nat...

Page 7: ...rdware installation 11 Preparation for Use 11 Installation Instructions 11 Minimum System and Component Requirements 12 Connectors and Cabling 12 Earth Ground Connection 13 The Indicator Lights 14 Chapter 3 Access Point Configuration 15 Introduction 15 Preliminary Configuration Steps 15 Initial Setup using the Local Port 16 Login 17 System Configuration 18 General 18 Operating Mode 19 Submode 19 C...

Page 8: ... Wireless Clients 50 Adjacent AP List 51 DHCP Client List 52 System Log 52 Web Access Log 53 Network Activity 54 Auditing 55 Log 55 Report Query 56 Configuration 56 System Administration 58 Email Notification Configuration 58 Configuration Button 59 System Upgrade 61 Firmware Upgrade 61 Local Configuration Upgrade 62 Remote Configuration Upgrade 64 Factory Default 66 Remote Logging 67 Reboot 67 Ut...

Page 9: ...ng Type 89 Point to Point Bridge Configuration 89 Point to Point Bridging Setup Guide Manual Mode 90 Point to Point Bridging Setup Guide Auto Mode 90 Point to Multipoint Bridge Configuration 94 Point to Multipoint Bridging Setup Guide Manual Mode 95 Point to Multipoint Bridging Setup Guide Auto Mode 95 Repeater Bridge Configuration 96 Repeater Bridging Setup Guide Manual Mode 96 Repeater Bridging ...

Page 10: ...es guidelines when installing and using the 3e 527A3 product WARNING Warnings must be followed carefully to avoid bodily injury CAUTION Cautions must be observed to avoid damage to your equipment NOTE Notes contain important information about this product ...

Page 11: ...or FIPS 802 11i The access point employs state of the art AES or 3DES encryption wireless devices must have the 3e 010F 3e 010F A 2 or 3e 010F C 2 Crypto Client software installed The 3e 010F Crypto Client software is sold with the 3e 110 long range PC Card or sold separately for use with other compatible PC Cards The 3e 527A3 incorporates Power over Ethernet The PoE interface on the 3e 527A3 is c...

Page 12: ...s Point with operating range of 2000 feet Bridge Power over Ethernet PoE Above average temperature range for extreme environments with TEC option AES 3DES DKE or FIPS 802 11i depending on setup HTTPS TLS secure Web DHCP client Access Point or Gateway with Bridging also available in either mode Bandwidth control Adjustable Radio Power MAC address filtering Publicly Secure Packet Forwarding Rogue AP...

Page 13: ...the 2 4 GHz band For wireless devices to communicate with the 3e 527A3 they must meet the following conditions The wireless device and wireless access point must have been configured to recognize each other using the SSID a unique ID as signed in setup so that the wireless device is seen to be part of the network by the 3e 527A3 Encryption and authentication capabilities and types enabled must con...

Page 14: ...nt NOTE Turbo A s channel bonding feature can significantly degrade the performance of neighboring 802 11a channel WLANs that don t use Turbo A because there isn t enough room in the 5GHz wireless LAN spectrum for the increased spectrum used by channel bonding Moreover Turbo A doesn t check to see if 11a standard compliant devices are in range before using its non standard techniques The encryptio...

Page 15: ...me subnetwork as the wired network interface and can be accessed by devices on the wired network Possible AP Topologies 1 An access point can be used as a stand alone AP without any connection to a wired network In this configuration it simply provides a stand alone wireless network for a group of wireless devices 2 The 3e 527A3 can be used as one of a number of APs connected to an existing Ethern...

Page 16: ...3 s default configuration is an Access Point Bridge with FIPS 140 2 submode enabled Data Encryption and Security The 3e 527A3 Wireless Access Point includes advanced wireless secu rity features Over the AP band you have a choice of AES 3DES or DKE Bridging encryption is established between 3e 527A3 s and includes use of AES or 3DES encryption approved by the National Institute of Stan dards and Te...

Page 17: ...t uniquely identifies each node of a network In IEEE 802 networks the Data Link Control DLC layer of the OSI Reference Model is divided into two sub layers the Logical Link Control LLC layer and the Media Access Control MAC layer The MAC layer interfaces directly with the network media Consequently each type of network media requires a unique MAC address Authentication is the process of proving a ...

Page 18: ...e password MUST be changed from the default password The ID and Password are case sensitive Management After initial setup maintenance of the system and programming of security functions are performed by personnel trained in the procedure using the embedded web based management screens The next chapter covers the basic procedure for setting up the hard ware ...

Page 19: ...e Services Settings Services Settings DHCP Server DHCP Server Subnet Roaming Subnet Roaming SNMP Agent SNMP Agent Firewall Firewall Content Filtering IP Filtering Port Filtering Virtual Server DMZ Advanced Admin User Management Admin User Management List All Users Edit Delete List All Users Edit Delete Add New User Add New User User Password Policy End User Authentication End User Authentication G...

Page 20: ...onf Email Notification Conf Configuration Button Configuration Button System Upgrade Firmware Upgrade Local Configuration Upgrade Remote Configuration Upgrade System Upgrade Firmware Upgrade Local Configuration Upgrade Remote Configuration Upgrade Factory Default Factory Default Remote Logging Remote Logging Reboot Reboot Utilities Utilities ...

Page 21: ...cess Point 8 Port Qty 1 omni directional antenna 2 2dBi 2 4GHz and 5dBi 5 75GHz Qty 1 omni directional antenna 3dBi 5 75GHz 2 meter weather resistant WAN Ethernet cable RJ 45 to RJ 45 3 meter standard LAN Ethernet Cable RJ 45 to RJ 45 Documentation as PDF files on CD ROM Registration and Warranty cards The following items are options Power Injector POE 50W model 3e POE 1 p n 90000831 001 Power Cor...

Page 22: ... wireless cards and particularly if you will be using secure FIPS mode with AES we recommend that you select the 3e 110 PC Card with 3e 010F Crypto Client software sold separately or install the 3e 010F A 2 or 3e 010F C 2 software Access to at least one laptop or PC with an Ethernet card and cable that can be used to complete the initial configuration of the unit A Web browser program such as Micr...

Page 23: ...sed as an AP then those ports are WAN ports If the unit is a gateway then the ports are LAN ports The following diagram demonstrates the setup Connect 802 11b g RF Antenna Black for AP Connect 802 11a RF Antenna Grey for Bridge Power Injector 110V Power Ethernet switch hub LAN Mgmt Ethernet Port WAN Ethernet Port PoE Power Injector Earth Ground Connection Attach the earth ground cable to the ring ...

Page 24: ...iate node on and blinks with traffic Leaf node always off WLAN Signal Strength The Strength LED indicator indicates the strength of the node assigned in the Signal Strength MAC field of the Bridge Configuration screen If there is no assignment the strength of the uplink node is shown 1 LED Off means no connection on the bridge side or the signal is very weak 2 LED blinks slowly every 1 second mean...

Page 25: ...ed in Chapter 5 Preliminary Configuration Steps For preliminary installation the 3e 527A3 network administrator may need the following information IP address a list of IP addresses available on the organization s LAN that are available to be used for assignment to the AP s Subnet Mask for the LAN Default IP address of the 3e 527A3 DNS IP address SSID an ID number letter string that you want to use...

Page 26: ...ton for Obtain an IP address automatically is checked In Windows 2000 XP follow the path Start à Settings à Net work and Dialup Connections à Local Area Connection and select the Properties button In the Properties window highlight the TCP IP protocol and click properties Make sure that the radio button for Obtain an IP address automatically is checked Once the DHCP server has recognized your lapt...

Page 27: ...word Click on Edit and enter your new pass word following the complexity password rule You are also asked to change your password every 30 90 days If you do not change your password then you will be locked out of the system after 150 days NOTE If your login session is in active for more than 10 minutes then you will have to re authenticate your identity If after three times you fail to re authenti...

Page 28: ...ory for default but can optionally be assigned a unique name for each NOTE The CryptoOfficer is the only user who can set the date and time The system date must be set to a date after 01 01 2005 You can also enter a description of the physical location of the unit in the Description field This is useful when deploying units to remote loca tions You can modify the terms and conditions login banner ...

Page 29: ...ll previously entered information will be reset to factory settings Submode If you select the Use IPv6 Mode the AP will be configured to support IPv6 addresses on the WAN and LAN ports In IPv6 mode the AP can be managed and pass traffic using IPv6 addresses Since IPv6 is relatively new in the industry some networking functions that cannot support IPv6 are disabled such as DHCP server and WPA 802 1...

Page 30: ...000152 001 B Configure Wireless Cards The factory default for the two wireless cards are 802 11b g for the AP 802 11a TurboA for the Bridge If you want to swap the cards and make the 802 11a TurboA card for the AP and the 802 11b g card for the Bridge Select the appropriate but ton ...

Page 31: ...l for System Configu ration WAN This directs you to the System Configuration WAN screen If not using DHCP to get an IP address input the static IP information that the access point requires in order to be managed from the wired LAN This will be the IP address Subnet Mask Default Gateway and where needed DNS 1 and 2 Click Apply to accept changes ...

Page 32: ... to the System Configuration LAN screen This sets up the default numbers for the four octets for a possible pri vate LAN function for the access point It also allows changing the default numbers for the LAN Subnet Mask The Local LAN port provides local access for configuration It is not advisable to change the private LAN ad dress while doing the initial setup as you are connected to that LAN ...

Page 33: ...lex or 100M Full Duplex NOTE For best performance it is recommended that you set the same duplex speed on both ends of the link For example set 100M Full Duplex on both the PC and the 3e 527C Encrp Port Setting one end to auto negotiation and the other end to non auto negotiation is strongly discouraged The Encrp port also provides encryption to the data on this port The encrypted data is isolated...

Page 34: ...uterized infor mation With the ability to use even larger 192 bit and 256 bit keys if desired it offers higher security against brute force attacks than the older 56 bit DES keys The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no l...

Page 35: ...e 3DES enter a 192 bit key as 48 hexadecimal digit 0 9 a f or A F The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text ...

Page 36: ... the manufacturer s instructions to set up the PC Card on each wireless device that will be part of the WLAN NOTE The 3e 527A3 is always in FIPS 140 2 secure mode there fore your configuration will have to be accomplished through the LAN port due to the secure nature of the access point There is no direct access from wireless clients The Wireless Access Point General screen lists the MAC Address o...

Page 37: ...re 11 channel numbers that may be assigned If you assign channel number 1 to the first in a series then channel 6 then channel 11 and then continue with 1 6 11 you will have the optimum frequency spread to decrease noise If you click on the button Select the optimal channel a popup screen will display the choices It will select the optimal channel for you You can also set it up to automatically se...

Page 38: ... intervals that broadcast and multicast traffic is buffered for a client in power save mode Basic Rates Basic Rates for 802 11b 1 and 2 Mbps 1 2 5 5 and 11 Mbps The basic rates used and reported by the AP The highest rate specified is the rate that the AP uses when transmitting broadcast multicast and management frames Basis Rates for 802 11g 1 2 5 5 11 6 12 24 Mbps 1 2 5 5 11 Mbps The basic rates...

Page 39: ... Encryption Standard AES was selected by National Institute of Standards and Technology NIST in October 2000 as an up grade from the previous DES standard AES uses a 128 bit block cipher algorithm and encryption technique for protecting computerized infor mation With the ability to use even larger 192 bit and 256 bit keys if desired it offers higher security against brute force attack than the old...

Page 40: ...e 3DES enter a 192 bit key as 48 hexadecimal digit 0 9 a f or A F The Key Generator button automatically generates a randomized key of the appropriate length This key is initially shown in plain text so the user has the opportunity to copy the key Once the key is applied the key is no longer displayed in plain text ...

Page 41: ...certificates based on the CA which will be used by the clients and configuring the 3e Technologies International s Security Server software with the appropriate root certifi cate The Security Server software application is discussed in a separate manual If you have installed the Security Server software Dynamic Key Management is the preferred security setup Configure the IP address and password of...

Page 42: ...ses the transition time when a client roams between APs As an alternative for business applications who have installed Ra dius Servers select 802 1x and input the Primary Radius Server and RFC Backend security settings Use of Radius Server for key management and authentication requires that you have installed a separate certification sys tem and each client must have been issued an authentication ...

Page 43: ...ipped with the authorized MAC addresses will be able to communicate with the access point In this case input the MAC addresses of all the PC cards that will be authorized to access this access point The MAC ad dress is engraved or written on the PC PCMCIA Card If Filtering is enabled and Filter Type is Allow All Except Those Listed Below those devices with a MAC address which has been entered in t...

Page 44: ...ail address for notification of any rogue or non trusted APs The MAC Address for the 3e 527A3 is located on the System Configuration General screen You can also select the following filter options SSID Filter Check the SSID option to only send rogue APs that match the AP s SSID or wireless bridge s SSID Channel Filter Check the channel filter option to only send rogue APs that match the AP s chann...

Page 45: ...gs are in a conference room depending on the location of the APs all wire less clients could potentially associate with the same AP leaving the other AP unused Load balancing attempts to evenly distribute the wireless clients on both APs When publicly secure packet forwarding is enabled wireless clients can not talk to other wireless clients directly at Layer 2 However they both can have access to...

Page 46: ...m the Local LAN port The default factory setting for the DHCP server function is enabled You can disable the DHCP server function if you wish but it is not recommended You can also set the range of addresses to be assigned The Lease period after which the dynamic address can be reassigned can also be varied The DHCP server function accessible only from the LAN port is used for initial configuratio...

Page 47: ...t is connected to a different subnet than its home subnet If subnet roaming is supported by the wireless infrastructure the client is able to continue its network connectivity without having to change its IP address Therefore to the mobile device roaming is transparent and it will continue to function as if it is in its home subnet The coordinator is a separate server that keeps track of the clien...

Page 48: ...istrator s computer The SNMP Manager function interacts with the SNMP Agent to execute applications to control and manage object variables interface features and devices in the gateway Common forms of managed infor mation include number of packets received on an interface port status dropped packets and so forth SNMP is a simple request and response protocol allowing the manager to interact with t...

Page 49: ...mply the SNMP terminology for password for those functions Source The IP address or name where the information is ob tained Access Control Defines the level of management interaction per mitted If using SNMPv3 enter a username minimum of eight characters authentication type with key and data encryption type with a key In FIPS mode only SHA and AES are supported This configuration information will ...

Page 50: ...All Users The Admin User Management List All Users screen lists the Crypto Officer and administrator accounts configured for the unit You can edit or delete users from this screen If you click on Edit the Admin User Management Edit User screen appears On this screen you can edit the user ID password role and note fields ...

Page 51: ...dd new Administrators and CryptoOfficers assigning and confirming the password Administrators can view the system but this role has limited access to change settings CryptoOfficers can view and change any of the settings on the system The Password complexity check and the Minimal Password length are established on the Admin User Management User Password Policy screen ...

Page 52: ... 150 days of the password age to change the password You will be prompted to change your password from 90 150 days After 150 days the account will be locked and the CryptoOfficer will have to unlock it for you The only exception to this rule is if you are the last ac tive CryptoOfficer user You can also set the password uniqueness depth This means a for mer password can not be reused The depth is ...

Page 53: ...You should delete this cookie Otherwise if the system forces you to re authenticate you may be prompted to delete the cookie General End user authentication needs a private local network to operate This private network should never be the same as the LAN or WAN By default the private network IP is 172 16 0 0 It is configurable from 172 16 0 0 to 172 31 0 0 You can partially enable disable end user...

Page 54: ...ser List The End User Authentication User List screen lists all end user information The CryptoOfficer can edit delete and unlock users from this screen If you click on Edit the End User Authentication Edit User screen appears On this screen you can edit the user ID password role and note fields ...

Page 55: ... Add New User screen allows you to add new end users assigning and confirming the password Administrators can view the system but this role has limited access to change settings CryptoOfficers can view and change any of the settings on the system The password policy is the same as the Admin User Management User Password Policy screen ...

Page 56: ...very 24 hours You can manually set the authenticated MAC in the authenticated list and mark the entry Permanent Another use case would be to mark it as Temporarily trusted PC NOTE If you manually add an authenticated MAC we strongly recommend that you initiate some network activity to hosts that are not attached to the same 8 port switch We also recommend that you not at tach servers and other un ...

Page 57: ... variety of lists and status reports Most of these are self explanatory System Status The Monitoring Report System Status screen displays the status of the 3e 527A3 device the network interface and the routing table There are some pop up informational menus that give detailed infor mation about CPU PCI Interrupts Process and Interfaces ...

Page 58: ...t Chapter 3 Access Point Configuration 48 29000152 001 B Bridging Status The Monitoring Report Bridging Status screen displays the Ether net Port STP status Encryp Port STP status Wireless Port STP status and Wireless Bridging information ...

Page 59: ... of both wired and wireless nodes connected to the network The root STP node is always on top and the nodes of the hierarchy are displayed below it Wired links are double dotted lines and wireless links are single dot ted lines the channel number of this wireless link is also shown This map does not update dynamically You must press the Update button to refresh the map ...

Page 60: ...Client in FIPs mode If Transmit power is disabled either by setting TX Pwr Mode to Off on the management screen or by using the RF Manager Chapter 7 the Wireless Clients page will show the results from each associated client in the EMCON Response column If the client responds to the disable command a Yes is displayed If the column contains a No this can mean either the client didn t receive the co...

Page 61: ...us record is not applicable Adjacent AP List The Monitoring Report Adjacent AP List screen shows all the APs on the network If you select the check box next to any AP shown the AP will thereafter be accepted by the 3e 527A3 as a trusted AP These APs are detected by the AP s wireless card 2 4 GHz band and the wireless bridge s wireless card 5 8GHz band The list of APs are only within the band that ...

Page 62: ...lection and click Remove to confirm the action System Log The Monitoring Report System Log screen displays system facil ity messages with date and time stamp These are messages documenting functions performed internal to the system based on the system s func tionality Generally the Administrator would only use this information if trained as or working with a field engineer or as information provid...

Page 63: ...ing what actions were performed and by whom The Web access log will continue to accumulate listings and rotate by half when it reaches the defined maximum size 10 Kbytes If configured an email notification will be sent when the weblog grows to 50 of the maximum size for the first time You can also set another alert point of 60 90 of the maximum size and an email notification will be sent when this...

Page 64: ...k Activity Log keeps a detailed log of all activities on the network which can be useful to the network administration staff The Network Activities log will continue to accumulate listings and rotates when the log reaches the defined maximum size You can never delete this log but you can export the log to a file on a PC ...

Page 65: ...dentified users the 3e 527A3 shall be able to associate each auditable event with the identity of the user that caused the event The 3e 527A3 shall be able to include or exclude auditable events from the set of audited events based on object identity user identity subject identity host identity and event type The TOE Target of Evaluation provides tools which can be used to review the audit records...

Page 66: ...eport based on start time end time MAC address or unique record IDs Configuration The Auditing Configuration screen is used to configure the auditing settings You can enable and disable the auditing function on this screen You can select which audit event types you wish to log The following figure shows the screen and the table lists event types and descriptions ...

Page 67: ...ode Individual log messages appear from the application and driver since keys are held in both loca tions STA Failed Authentication A station s authentication request is dropped because it doesn t match the MAC address filter STA Associated A station successfully associates to the AP Encryption Algorithm Changed The encryption algorithm is changed including bypass mode Failed FIPS Policy All HMAC ...

Page 68: ...il Notification Configuration screen Your email server must support SMTP protocol If your email server does not require authentication to send email then leave the username password fields blank If your email server does not support SSL Secure Socket Layer then disable SSL on the 3e 527A3 You may also test your email setup using the test feature on this screen NOTE Check your connection to the mai...

Page 69: ...n effort of the AP the external RESET button has been converted into a configuration button to perform certain functions This configuration button is programmed to perform the following operations Send the configuration file to other APs that are connected to ports 1 6 and the PoE Uplink port requires a password Note that the configuration file transfer only goes to devices that are connected to t...

Page 70: ...ged by the signal strength LED and wait for one second The WLAN2 LED blinks to acknowledge the first digit was accepted Repeat eight times To reset the unit 1 Push in and hold the Configuration RESET button for five sec onds input is acknowledged by the WLANSS LED turning on 2 After five seconds you can release the button to reset the unit without factory default 3 If you continue to hold the butt...

Page 71: ... from one AP to be transferred to another AP in order to minimize the administration of the APs Only configuration pa rameters that can be shared between APs are downloaded in the configu ration file WAN IP address hostname and bridge priority are not trans ferred in the configuration file Click on the Local Configuration Upgrade and Remote Configuration Upgrade tabs to perform file transfers Only...

Page 72: ...he passphrase for that file The passphrase protects the file from unauthorized users It prevents unauthorized users from applying the system configuration file to an unauthorized AP to gain access to the network Before downloading the system configuration file to a local com puter the user must enter a passphrase to protect the file Before the sys tem configuration file can be uploaded onto anothe...

Page 73: ...l 802 11a random channel in 5 8GHz band DSL encryption key AES 192 Configuration button password CryptoOfficer password The following parameters are set Bridge mode auto Bridge radio freq 11a txpower auto broadcasting ssid disabled AP radio txpower auto broadcasting ssid disabled All other system parameters are unchanged IMPORTANT The three fields that are listed CryptoOfficer Pass word AP Encrypt...

Page 74: ...he site map can be updated and the File Tag will show the status of the units If the tag matches the local tag the unit was updated successfully While files are being transferred press the F5 key to see the status of the transfer Pressing F5 will update the status only not the entire page The status will either be file sent upgrading successful or failure If you click on the Update Site Map button...

Page 75: ... In order to transfer this file select the Generated File radio button check the desired recipients in the Site Map section and click Apply After the file has been successfully transferred to the recipi ents check the status field in the lower section click Install to apply the randomly generated configuration file to the AP Once applied the unit will reboot and start using the new configuration f...

Page 76: ...IP address configuration is set to 10 128 0 0 and the WAN MAC address is 00 07 D5 01 02 03 then the IP address is pushed to the upper range and becomes 10 129 2 3 basically the second byte adds 128 1 The MAC addresses on the WAN port are from the 3eTI s address pool of 16 million addresses There is a small chance for duplicate MACs However if a duplicate IP address is detected the bridge site map ...

Page 77: ... a central remote logging server In the 3e 527A3 this function uses the syslogd daemon If you en able Remote Logging input a System Log Server IP Address and System Log Server Port Click Apply to accept these values Reboot The System Administration Reboot screen allows you to reboot the 3e 527A3 without changing any preset functionality Both Crypto Of ficer and Administrator functions have access ...

Page 78: ...on 68 29000152 001 B Utilities The System Administration Utilities screen gives you ready access to two useful utilities Ping and Traceroute Simply enter the IP Address or hostname you wish to ping or traceroute and click either the Ping or Traceroute button as appropriate ...

Page 79: ... device s desktop type arp d and hit return This reconfigures the MAC address in the wireless device s PC card so that it is now visible to the gateway Chapter 4 Gateway Configuration Introduction Chapter 3 covered the default configuration of the 3e 527A3 Wireless Access Point as an access point for use as part of a host wired network This chapter covers configuration as a gateway If additional s...

Page 80: ...3e 527A3 Wireless Access Point 8 Port Chapter 4 Gateway Configuration 70 29000152 001 B A comparison of gateway and access point setup for the 3e 527A3 ...

Page 81: ... reboot in gateway mode Note that if you change modes from AP to Gateway your configura tion is not lost You can then proceed to change the management screens as necessary to reconfigure the device as a gateway Configuration in gateway mode allows you to set firewall parameters This is the main difference between the screens you will see in gateway mode and those covered in access point setup as d...

Page 82: ...ed The WAN IP address is the Public IP address required to link the private WLAN users to the external enterprise or shipboard network which is to be outside the protected wireless LAN Normally you will be provided with the IP address Subnet Mask Default Gateway and DNS to assign by the Network Administrator for the Ethernet Network There are two ways to configure the WAN IP address 1 Obtain an I...

Page 83: ...WAN port The IP aliasing entries can be used by the virtual server to map a public IP address to a private IP address If the virtual server needs to map multiple public IP addresses to multiple private IP addresses the IP aliasing entries can be used to create additional public IP addresses These entries are always static entries and cannot use DHCP ...

Page 84: ...em Configuration LAN This directs you to the System Configuration LAN screen This sets up the default numbers for the four octets for a possible private LAN function for the access point You can also change the default subnet mask The Local LAN port provides DHCP server functionality to automatically assign an IP address to a computer Ethernet port ...

Page 85: ...ns it will not communicate to any clients unless the encryption is set by the CryptoOfficer It is recommended that you set encryption as soon as possible Firewall Content Filtering Click the entry on the left hand navigation panel for Firewall Content Filtering The Content Filtering screen allows the system administrator to identify particular hosts or IPs that will be blocked from access by the...

Page 86: ... certain IPs on the Private LAN from accessing your Internet connection It restricts clients to those with a specific IP Address Port Filtering Click the entry on the left hand navigation panel for Firewall Port Filtering Port filtering permits you to configure the Gateway to block outbound traffic on specific ports It can be used to block the wireless network from using specific protocols on the...

Page 87: ... port 23 FTP port 21 and Web server port 80 Client computers on the Private LAN can host these applications and allow users from the Internet to access these applications hosted on the virtual servers This is done by mapping virtual servers to private IP addresses according to the specific TCP port application As the planning table below shows we have identified a Telnet port 23 virtual server for...

Page 88: ...osed to the wired network or Internet for unrestricted two way communication This configuration is typically used when a computer is operating a proprietary client software or 2 way communication such as video teleconferencing where multiple TCP port assignments are required for communication To assign a PC the DMZ host status fill in the Private IP address which is identified as the exposed host ...

Page 89: ...Advanced Click the entry on the left hand navigation panel for Firewall Advanced As advanced firewall functions you can enable disable Block Ping to WAN Web based management from WAN port SNMP management from WAN port These options allow you more control over your environment ...

Page 91: ...nks Point to multipoint bridging of several Ethernet links Repeater mode The wireless bridging screens are the same whether you are in access point or gateway mode Bridging is a function that is set up in addition to basic access point or gateway setup If you will be using the 3e 527A3 solely as a bridge some of the settings you may have selected for access point gateway use will not be necessary ...

Page 92: ...des of operation Manual wireless bridging Auto forming wireless bridging AWB with a maximum number of allowable bridges the default is 40 Auto forming Wireless Bridging When the wireless bridge is in auto forming mode the wireless bridge sniffs for beacons from other wireless bridges and identifies APs that match a policy such as SSID and channel Instead of simply adding the APs with the same SSI...

Page 93: ...ges allowed Bridge Priority 1 40 Determines the root STP node The lowest bridge priority in the network will become the STP root Signal Strength Threshold 27 21 15 9 None Prevents the node under the threshold from associating and joining the network Broadcast SSID Disable Enable When disabled the AP hides the SSID in outgoing beacon frames and stations cannot obtain the SSID through passive scann...

Page 94: ...l Strength LED MAC Not Assigned Allows you to set the number of one of the Remote APs which will be listed at the bottom of the screen once the system is operational This wireless bridge becomes the guiding port that is displayed in the WLANNSS LED on the front of the 3e 527A3 as a signal Spanning Tree Protocol STP Enable Disable Enable STP if there is any possibility that a bridging loop could oc...

Page 95: ...rmation If you select Enable refresh you can set the bridge refresh interval from 5 seconds to 30 minutes Refreshing the screen allows you to see the effect of aiming the antenna to improve signal strength Wireless Bridge Radio The Wireless Bridge Radio screen contains wireless bridging information including the channel number Tx rate Tx power spanning tree protocol 802 1d enable disable and remo...

Page 96: ...y setting the Tx Pwr Mode to Fixed and choosing from 1 5 for Fixed Pwr Level If you want to prevent any radio frequency transmission from the wireless bridge set the Tx Pwr Mode to OFF This will not turn off RF transmissions from any associated wireless devices but they will not be able to communicate with the wireless bridge when the Tx Pwr Mode is off Fixed Pwr Level 1 2 3 4 5 Select a range ...

Page 97: ...igure static encryption keys for the wireless bridge This is an important page to set up to ensure that your bridge is working correctly The encryption key that you use on this screen must be the same for any bridge connected to your bridging network in order for communication to occur On this screen you can select Static 3DES 192 bit or Static AES 128 bit 192 bit or 256 bit ...

Page 98: ... Wireless Bridge MAC Address Filtering screen functions just like the AP MAC Address Filter see page 36 but it is only used in auto bridging mode and only controls access to the wireless bridge network The following sections describe the setup for three types of bridging configuration point to point point to multipoint or lastly repeater ...

Page 99: ... bridging there can be a separate WLAN on the AP WLAN card with no loss efficiency as long as you set the channel numbers so there's no conflict or noise with the channel assigned to the bridge Spanning Tree Protocol may be set to Enable if there is any possibility of a bridging loop or to Disable which is more efficient if there's no possibility of a bridging loop Each bridge must contain the ot...

Page 100: ...type length and value Must be the same key as Bridge 2 Select appropriate key type length and value Must be the same key as Bridge 1 Point to Point Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 Wireless Bridge General Auto Bridging Mode Bridging Mode Auto bridging selected Auto bridging selected SSID Must be the same as Bridge 2 Must be the same as Bridge 1 Max Auto Bridges 40 range 1 ...

Page 101: ...te Next select the Channel Number The Channel Number must be set to the same frequency in order for each bridge to communicate TX Pwr Mode can be left on Auto unless the power needs to be regulated Select the Propagation Distance which is based on the distance between a bridge and the furthest bridge that is connected to it Set the RTS Threshold which is the number of bytes used for the RTS CTS h...

Page 102: ... choose to delete a remote AP's MAC address Click Apply to accept your changes If you choose Auto Bridging mode then you will need to enter the following information Enter the SSID This can be any set of letters and numbers assigned by the network administrator This nomenclature has to be set on the wireless bridge and each wireless device in order for them to communicate Enter a number from 1 to...

Page 103: ...th and the key value The encryption key value and type for Bridge 1 must be the same as for Bridge 2 For wireless bridging only AES and 3DES are available for encryption You must complete the configuration of your Bridge 1 by following the general instructions in Chapter 3 of this guide to establish any other required configuration options such as General WAN and LAN settings Configure the second ...

Page 104: ...the others BSSIDs while Bridge 2 n must only contain Bridge 1's BSSID The BSSID of each is equivalent to the MAC address found on the Wireless Bridge Radio page Enter only hexadecimal numbers Data entry is not case sensitive Finally the wireless bridging encryption of each must be set to the appropriate type and key length and must be the same on all Because the 3e 527A3 has two separate WLAN car...

Page 105: ...th and value Must be the same key as Bridge 2 n Select appropriate key type length and value Must be the same key as Bridge 1 Point to Multipoint Bridging Setup Guide Auto Mode Direction Bridge 1 Bridge 2 n Wireless Bridge Radio Wireless Mode 802 11a 802 11a Tx Rate AUTO AUTO Channel No Same as Bridge 2 n Same as Bridge 1 Tx Power Mode Auto Auto Propagation Distance 5 Miles 5 Miles RTS Threshold 23...

Page 106: ... AUTO Channel No Same as Bridge 2 Same as Bridge 1 Same as Bridge 1 Tx Power Mode Auto Auto Auto Propagation Distance 5 Miles 5 Miles 5 Miles RTS Threshold 2346 2346 2346 BSSID Add Bridge 2's MAC Add Bridge 1's and Bridge 3's MAC Add Bridge 2's MAC Wireless Bridge General Manual Bridging Mode Bridging Mode manual manual manual Signal Strength LED MAC Not Assigned select from drop down list Not Assi...

Page 107: ...ge 1 40 40 range 1 40 Bridge Priority 40 1 40 40 1 40 40 1 40 Signal Strength Threshold 9 9 9 Signal Strength MAC Enter from list at the bottom of the screen Enter from list at the bottom of the screen Enter from list at the bottom of the screen Wireless Bridge Encryption Wireless Configuration Bridging Encryption Select appropriate key type length and enter key value Must be the same as that on t...

Page 109: ...Federal Communications Commission's Rules and Regulations These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communicati...

Page 111: ...oped by Belgian cryptographers Joan Daemen and Vincent Rijmen The U S government adopted the algorithm as its encryption technique in October 2000 replacing the DES encryption it used AES works at multiple network layers simultaneously Bridge A device that connects two local area networks LANs or two segments of the same LAN that use the same protocol such as Ethernet or Token Ring DHCP Short for ...

Page 112: ...hey thereafter operate as a group TKIP Temporal Key Integrity Protocol TKIP is a protocol used in WPA It scrambles the keys using a hashing algorithm and by adding an integrity checking feature ensures that the keys haven't been tampered with VPN Virtual Private Network A VPN uses encryption and other security mechanisms to ensure that only authorized users can access the network and that the dat...
