ZyXEL Communications UAG2100, User Manual

Page 1: ...AG2100 UAG4100 UAG5100 Unified Access Gateway Version 4 10 Edition 1 03 2015 Copyright 2015 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 172 16 0 1 LAN1 http 172 17 0 1 LAN2 User Name admin Password 1234 ...

Page 2: ...umentation Quick Start Guide The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a package contents list CLI Reference Guide The CLI Reference Guide explains how to use the Command Line Interface CLI to configure the UAG Note It is recommended you use the Web Configurato...

Page 3: ...s 154 Trunks 195 Policy and Static Routes 203 DDNS 214 NAT 219 VPN 1 1 Mapping 226 HTTP Redirect 231 SMTP Redirect 235 ALG 239 UPnP 241 IP MAC Binding 248 Layer 2 Isolation 253 IPnP 257 Web Authentication 259 RTLS 286 Security Policy 289 Billing 304 Printer 322 Free Time 332 SMS 336 IPSec VPN 338 Bandwidth Management 366 Application Patrol 376 Content Filtering 381 Zones 395 User Group 399 AP Prof...

Page 4: ...uide 4 Services 447 Schedules 453 AAA Server 459 Authentication Method 464 Certificates 467 ISP Accounts 483 System 486 Log and Report 534 File Manager 549 Diagnostics 560 Packet Flow Explore 572 Reboot 581 Shutdown 582 Troubleshooting 583 ...

Page 5: ...ware Installation and Connection 36 2 1 Rack mounting UAG5100 36 2 2 Wall Mounting UAG2100 and UAG4100 37 2 3 Front Panel 38 2 3 1 Front Panel LEDs 39 2 4 Rear Panel 40 2 4 1 UAG2100 or UAG4100 40 2 4 2 UAG5100 41 Chapter 3 Printer Deployment 42 3 1 Overview 42 3 2 Attach the Printer to the UAG 42 3 3 Set up an Internet Connection on the UAG 42 3 4 Allow the UAG to Monitor and Manage the Printer 4...

Page 6: ... an Ethernet Interface 65 5 2 2 Select WAN Type 65 5 2 3 Configure WAN IP Settings 66 5 2 4 ISP and WAN Connection Settings 66 5 2 5 Quick Setup Interface Wizard Summary 68 5 3 VPN Setup Wizard 70 5 3 1 Welcome 70 5 3 2 VPN Setup Wizard Wizard Type 71 5 3 3 VPN Express Wizard Scenario 71 5 3 4 VPN Express Wizard Configuration 72 5 3 5 VPN Express Wizard Summary 72 5 3 6 VPN Express Wizard Finish 7...

Page 7: ...est Screen 103 7 10 The UPnP Port Status Screen 105 7 11 The USB Storage Screen 106 7 12 The Ethernet Neighbor Screen 107 7 13 The AP List Screen 109 7 13 1 Station Count of AP 110 7 14 The Radio List Screen 112 7 14 1 AP Mode Radio Information 114 7 15 The Station List Screen 115 7 16 Detected Device 116 7 17 The Printer Status Screen 118 7 18 The VPN 1 1 Mapping Status Screen 118 7 18 1 VPN 1 1 ...

Page 8: ...ting and Delaying Connections 147 9 6 DCS 148 9 7 Auto Healing 151 9 8 Technical Reference 152 9 8 1 Dynamic Channel Selection 152 9 8 2 Load Balancing 153 Chapter 10 Interfaces 154 10 1 Interface Overview 154 10 1 1 What You Can Do in this Chapter 154 10 1 2 What You Need to Know 154 10 2 Port Role Screen 156 10 3 Ethernet Summary Screen 157 10 3 1 Ethernet Edit 159 10 3 2 Object References 165 1...

Page 9: ...Overview 203 12 1 1 What You Can Do in this Chapter 203 12 1 2 What You Need to Know 203 12 2 Policy Route Screen 205 12 2 1 Policy Route Add Edit Screen 207 12 3 IP Static Route Screen 211 12 3 1 Static Route Add Edit Screen 211 12 4 Policy Routing Technical Reference 212 Chapter 13 DDNS 214 13 1 DDNS Overview 214 13 1 1 What You Can Do in this Chapter 214 13 1 2 What You Need to Know 214 13 2 Th...

Page 10: ...Edit Screen 233 Chapter 17 SMTP Redirect 235 17 1 Overview 235 17 1 1 What You Can Do in this Chapter 235 17 1 2 What You Need to Know 235 17 2 The SMTP Redirect Screen 236 17 2 1 The SMTP Redirect Edit Screen 237 Chapter 18 ALG 239 18 1 ALG Overview 239 18 1 1 What You Can Do in this Chapter 239 18 1 2 What You Need to Know 239 18 1 3 Before You Begin 240 18 2 The ALG Screen 240 Chapter 19 UPnP 2...

Page 11: ...apter 22 IPnP 257 22 1 Overview 257 22 1 1 What You Can Do in this Chapter 257 22 2 IPnP Screen 258 Chapter 23 Web Authentication 259 23 1 Overview 259 23 1 1 What You Can Do in this Chapter 259 23 1 2 What You Need to Know 260 23 2 Web Authentication 260 23 2 1 General Screen 260 23 2 2 User aware Access Control Example 264 23 2 3 Authentication Type Screen 271 23 2 4 Custom Web Portal User Agree...

Page 12: ...ing 304 26 1 Overview 304 26 1 1 What You Can Do in this Chapter 304 26 1 2 What You Need to Know 304 26 2 The General Screen 305 26 3 The Billing Profile Screen 307 26 3 1 The Account Generator Screen 308 26 3 2 The Account Redeem Screen 311 26 3 3 The Billing Profile Add Edit Screen 313 26 4 The Discount Screen 314 26 4 1 The Discount Add Edit Screen 316 26 5 The Payment Service General Screen 3...

Page 13: ...You Can Do in this Chapter 338 30 1 2 What You Need to Know 339 30 1 3 Before You Begin 339 30 2 The VPN Connection Screen 340 30 2 1 The VPN Connection Add Edit Screen 341 30 3 The VPN Gateway Screen 347 30 3 1 The VPN Gateway Add Edit Screen 348 30 4 IPSec VPN Background Information 354 Chapter 31 Bandwidth Management 366 31 1 Overview 366 31 1 1 What You Can Do in this Chapter 366 31 1 2 What Y...

Page 14: ...nce 393 Chapter 34 Zones 395 34 1 Zones Overview 395 34 1 1 What You Can Do in this Chapter 395 34 1 2 What You Need to Know 395 34 2 The Zone Screen 396 34 2 1 Add Edit Zone 397 Chapter 35 User Group 399 35 1 Overview 399 35 1 1 What You Can Do in this Chapter 399 35 1 2 What You Need To Know 399 35 2 User Summary Screen 401 35 2 1 User Add Edit Screen 402 35 3 User Group Summary Screen 405 35 3 ...

Page 15: ...430 37 2 MON Profile 430 37 2 1 Add Edit MON Profile 431 37 3 Technical Reference 433 Chapter 38 Application 435 38 1 Overview 435 38 1 1 What You Can Do in this Chapter 436 38 2 Application Screen 436 38 2 1 Add Application Rule 437 38 3 Application Group Screen 440 38 3 1 Add Application Group Rule 441 Chapter 39 Addresses 442 39 1 Overview 442 39 1 1 What You Can Do in this Chapter 442 39 1 2 W...

Page 16: ...e Schedule Group Add Edit Screen 457 Chapter 42 AAA Server 459 42 1 Overview 459 42 1 1 RADIUS Server 459 42 1 2 What You Can Do in this Chapter 459 42 1 3 What You Need To Know 459 42 2 RADIUS Server Summary 460 42 2 1 Adding Editing a RADIUS Server 460 Chapter 43 Authentication Method 464 43 1 Overview 464 43 1 1 What You Can Do in this Chapter 464 43 1 2 Before You Begin 464 43 2 Authentication...

Page 17: ... Servers List 491 46 4 2 Time Server Synchronization 491 46 5 Console Port Speed 492 46 6 DNS Overview 493 46 6 1 DNS Server Address Assignment 493 46 6 2 Configuring the DNS Screen 493 46 6 3 Address Record 496 46 6 4 PTR Record 496 46 6 5 Adding an Address PTR Record 496 46 6 6 CNAME Record 497 46 6 7 Adding a CNAME Record 497 46 6 8 Domain Zone Forwarder 498 46 6 9 Adding a Domain Zone Forwarde...

Page 18: ...nguage 531 46 14 ZyXEL One Network ZON Utility 531 46 14 1 ZyXEL One Network ZON System Screen 532 Chapter 47 Log and Report 534 47 1 Overview 534 47 1 1 What You Can Do In this Chapter 534 47 2 Email Daily Report 534 47 3 Log Settings Screens 536 47 3 1 Log Settings Summary 537 47 3 2 Edit System Log Settings 538 47 3 3 Edit Log on USB Storage Setting 542 47 3 4 Edit Remote Server Log Settings 54...

Page 19: ... Capture Screen 569 49 7 1 The Wireless Frame Capture Files Screen 571 Chapter 50 Packet Flow Explore 572 50 1 Overview 572 50 1 1 What You Can Do in this Chapter 572 50 2 The Routing Status Screen 572 50 3 The SNAT Status Screen 578 Chapter 51 Reboot 581 51 1 Overview 581 51 1 1 What You Need To Know 581 51 2 The Reboot Screen 581 Chapter 52 Shutdown 582 52 1 Overview 582 52 1 1 What You Need To ...

Page 20: ... an Internet account already set up and have been given usernames passwords etc required for Internet access You can use web authentication to allow guests to access the network only after they authenticate with the UAG through a specifically designated login web page You can also forward the authenticated client s e mail messages to a specific SMTP server The UAG also provides bandwidth managemen...

Page 21: ...specific name used in your model For example this guide may use the WAN interface rather than P1 Figure 1 Zones Interfaces and Physical Ethernet Ports 1 3 Management Overview You can manage the UAG in the following ways Web Configurator The Web Configurator allows easy UAG setup and management using an Internet browser This User s Guide provides information about the Web Configurator Physical Port...

Page 22: ...the Command Reference Guide for CLI details The default settings for the console port are 1 4 Web Configurator In order to use the Web Configurator you must Use one of the following web browser versions or later Internet Explorer 6 0 Firefox 8 0 Chrome 14 0 Safari 4 0 Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts Java permissions and cookies Table 2 Consol...

Page 23: ...t user name and password the Update Admin Info screen appears Otherwise the dashboard appears 5 Follow the directions in the Update Admin Info screen If you change the default password the Login screen appears after you click Apply If you click Ignore the Installation Setup Wizard opens if the UAG is using its default configuration otherwise the dashboard appears 1 4 2 Web Configurator Screens Ove...

Page 24: ...an overview of links to the Web Configurator screens Object Reference Click this to check which configuration items reference an object Console Click this to open a Java based console window from which you can run command line interface CLI commands You will be prompted to enter your user name and password See the Command Reference Guide for information about the commands CLI Click this to open a ...

Page 25: ...b Configurator screens Click a screen s link to go to that screen Figure 5 Site Map Object Reference Click Object Reference to open the Object Reference screen Select the type of object and the individual object and click Refresh to show which configuration settings reference the object Figure 6 Object Reference ...

Page 26: ...s introduce the UAG s navigation panel menus and their screens Table 5 Object References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of se...

Page 27: ...s Traffic Statistics Collect and display traffic statistics Session Monitor Display the status of all current sessions DDNS Status Display the status of the UAG s DDNS domain names IP MAC Binding List the devices that have received an IP address from UAG interfaces using IP MAC binding Login Users List the users currently logged into the UAG Dynamic Guest List the dynamic guest accounts in the UAG...

Page 28: ...Dynamic Users Log Display the UAG s dynamic guest account log messages Table 7 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces Licensing Registration Registration Register the device and activate trial services Service View the licensed service status and upgrade licensed services Signature Update App Patrol Update application patrol sign...

Page 29: ...Configure FTP pass through settings UPnP enable UPnP and NAT PMP on your UAG IP MAC Binding Summary Configure IP to MAC address bindings for devices connected to each supported interface Exempt List Configure ranges of IP addresses to which the UAG does not apply IP MAC binding Layer 2 Isolation General Enable layer 2 isolation on the UAG and the internal interface s White List Enable and configur...

Page 30: ...ering policies Object Zone Configure zones used to define various policies User Group User Create and manage users Group Create and manage groups of users Setting Manage default settings for all users general settings for user sessions and rules to force user authentication MAC Address Configure the MAC addresses of wireless clients for MAC authentication using the local user database AP Profile R...

Page 31: ...ecords for the UAG WWW Service Control Configure HTTP HTTPS and general authentication Login Page Configure how the login and access user screens look SSH Configure SSH server and SSH service settings TELNET Configure telnet server settings for the UAG FTP Configure FTP server settings SNMP Configure SNMP communities and services Auth Server Configure the UAG to act as a RADIUS server Language Sel...

Page 32: ... operators or or searching for text Diagnostics Diagnostic Collect diagnostic information Packet Capture Capture packets for analysis Core Dump Connect a USB device to the UAG and save a process s core dump to the attached USB storage device if the process terminates abnormally crashes System Log Connect a USB device to the UAG and archive the UAG system logs to it here Network Tool Identify probl...

Page 33: ...r A green check mark displays next to the column s title when you drag the column to a valid new location Figure 12 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time Figure 13 Navigating Pages of Table Entries The tables have icons for working with table entries You can often use the Shift or ...

Page 34: ...k Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry ...

Page 35: ...tion UAG Series User s Guide 35 1 5 Stopping the UAG Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the UAG or remove the power Not doing so can cause the firmware to become corrupt ...

Page 36: ...ke all necessary precautions to anchor the rack securely before installing the unit Note Leave 10 cm of clearance at the sides and 20 cm in the rear Use a 2 Phillips screwdriver to install the screws Note Failure to use the proper screws may damage the unit 1 Align one bracket with the holes on one side of the UAG and secure it with the included bracket screws smaller than the rack mounting screws...

Page 37: ...l two holes for the screw anchors into the wall Push the anchors into the full depth of the holes then insert the screws into the anchors Do not insert the screws all the way in leave a small gap of about 0 5 cm If not using screw anchors use a screwdriver to insert the screws into the wall Do not insert the screws all the way in leave a gap of about 0 5 cm 4 Make sure the screws are fastened well...

Page 38: ...pter 2 Hardware Installation and Connection UAG Series User s Guide 38 Figure 16 Wall Mounting Example 2 3 Front Panel This section introduces the UAG s front panel Figure 17 Front Panel UAG2100 or UAG4100 ...

Page 39: ...ts Connect a USB storage device to a USB port on the UAG to archive the UAG system logs or save the UAG operating system kernel to it Console Port UAG5100 Connect this port to your computer using an RS 232 cable if you want to configure the UAG using the command line interface CLI via the console port For local management you can use a computer with terminal emulation software configured to the fo...

Page 40: ... WLAN UAG2100 or UAG4100 Green On The wireless network is activated Blinking The UAG is communicating with other wireless clients Off The wireless network is not activated P1 P5 Green On This port has a successful link to a 10 100 Mbps Ethernet network Blinking The UAG is sending or receiving packets to from a 10 100 Mbps Ethernet network on this port Orange On This port has a successful link to a...

Page 41: ...er with terminal emulation software configured to the following parameters VT100 terminal emulation 115200 bps No parity 8 data bits 1 stop bit No flow control Connect the male 9 pin end of the RS 232 console cable to the console port of the UAG Connect the female end to a serial port COM1 COM2 or other COM port of your computer 2 4 2 UAG5100 The following figure shows the rear panel of the UAG Th...

Page 42: ... 1 Connect the Ethernet port of the printer to one LAN port of the UAG 2 Connect the power socket of the printer to a power outlet Turn on the printer The printer is acting as a DHCP client by default and will obtain an IP address from the connected UAG Make sure the UAG is turned on already and the DHCP server is enabled on its LAN interface s 3 3 Set up an Internet Connection on the UAG 1 Connec...

Page 43: ...inter to the UAG s printer list check the sticker on the printer s rear panel to see its MAC address 1 Go to the Dashboard of the UAG web configurator 2 Open the DHCP Table to find the IP address which is assigned to the printer s MAC address Make sure the IP address is reserved for the printer Write down the printer s IP address ...

Page 44: ...ter List to create a new entry for your printer Alternatively go to the Configuration Printer Printer Manager screen and click the Discover Printer icon The UAG automatically detects the connected printer s and displays the printer information in the list Select your printer and click Add to Mgnt Printer List to let the UAG manage it ...

Page 45: ...ess is added to the printer list select the Enable Printer Manager checkbox in the Configuration Printer General Setting screen and then click Apply 5 Go to the Configuration Printer Printer Manager screen to check if the UAG can connect to the printer the printer status is sync success ...

Page 46: ...ion Printer General Setting screen 3 5 Turn on Web Authentication on the UAG With web authentication users need to log in through a designated web page or agree to the policy of user agreement before they can access the network s 1 Go to the Configuration Web Authentication General screen Select Enable Web Authentication to turn on this feature 2 Click Add to create a new web authentication policy...

Page 47: ...st box to allow users to authenticate through the default web portal login page 5 Click OK to save your changes 6 Click Apply in the Configuration Web Authentication screen 3 6 Generate a Free Guest Account You can use the buttons on the printer or web based account generator to create guest accounts based on the pre defined billing settings see Section 26 3 on page 307 1 Go to the Configuration F...

Page 48: ...ser tries to access a web page he she will be redirected to the default login page 4 Click the link on the login page to get a free guest account 5 A Welcome screen displays Select the free time service Click OK to generate and show the account information on the web page ...

Page 49: ...Chapter 3 Printer Deployment UAG Series User s Guide 49 6 Now you can use this account to access the Internet through the UAG for free ...

Page 50: ...ettings This chapter provides information on configuring the Web Configurator s installation setup wizard See the feature specific chapters in this User s Guide for background information Figure 21 Installation Setup Wizard Welcome Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configur...

Page 51: ...on provided by your ISP to know what to enter in each field Leave a field blank if you don t have that information Note Enter the Internet access information exactly as your ISP gave it to you Figure 22 Internet Access Step 1 UAG2100 UAG4100 Figure 23 Internet Access Step 1 UAG5100 ...

Page 52: ...address 4 2 1 Internet Settings Ethernet This screen is read only if you set the previous screen s IP Address Assignment field to Auto and click Next Use this screen to configure your IP address settings Note Enter the Internet access information exactly as given to you by your ISP Figure 24 Internet Access Ethernet Encapsulation Encapsulation This displays the type of Internet connection you are ...

Page 53: ...s given to you by your ISP Figure 25 Internet Access PPPoE Encapsulation ISP Parameters Type the PPPoE Service Name from your service provider PPPoE uses a service name to identify and reach the PPPoE server You can use alphanumeric and _ characters and it can be up to 64 characters long Authentication Type Select an authentication protocol for outgoing connection requests Options are CHAP PAP You...

Page 54: ... previous screen First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The UAG uses these in the order you specify here to res...

Page 55: ...D or connection name It must follow the c id and n name format For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long WAN IP Address Assignments First WAN Interface This is the connection type on the interface you are configuring to connect with your ISP Z...

Page 56: ... feature and allow the UAG to manage the connected APs Figure 27 Wireless Settings 4 3 1 Wireless and Radio Settings Use this screen to configure the wireless and wireless security settings when you turn on the local AP The screen varies depending on the security mode you selected Figure 28 Wireless Settings Security Mode WPA2 ...

Page 57: ...ol Select the Enable Intra BSS Traffic Blocking option if you want to prevent crossover traffic from within the same SSID Wireless clients can still access the wired network but cannot communicate with each other Radio Settings Enable 802 11 2 4G 5G Band Select the option to activate the 2 4GHz or 5GHz wireless LAN When using the 2 4 GHz band select b g in the Mode field to let IEEE 802 11b and IE...

Page 58: ...n 23 2 on page 260 to configure a new policy Figure 29 Web Authentication Settings 4 5 Printer Settings If you enable the web authentication feature attach a statement printer and select Yes to have the UAG generate dynamic guest accounts Otherwise select No and click Next to go to the Free Time screen with which you can allow the UAG to create free guest accounts Figure 30 Printer Settings ...

Page 59: ...printer attached to the UAG click Discover Printer to detect the printer that is connected to the UAG and display the printer information Add to Mgnt Printer List Select this to add the printer to the managed printer list IPv4 Address This shows the IP address of the printer MAC This shows the MAC address of the printer Printout Specify how many copies of subscriber statements you want to print 4 ...

Page 60: ...he time that the user is logged in for Internet access Specify the User idle timeout between 1 and 60 minutes The UAG automatically disconnects a computer from the network after a period of inactivity The user may need to enter the username and password again before access to the network is allowed Currency Select the appropriate currency symbol or currency unit If you set Currency code to User De...

Page 61: ...r must be a letter Time Period Set the duration of the billing period When this period expires the user s access will be stopped Price Set each profile s price up to 999999 99 per time unit 4 6 2 Account Generator Settings Use this screen to select the pre defined billing profiles that the UAG can use to automatically create dynamic guest accounts Each button represents a billing profile that defi...

Page 62: ...tings Use this screen to configure the free time settings Figure 35 Free Time Settings Free Time Period Select the duration of time period for which the free time account is allowed to access the Internet Reset Time Select the time in 24 hour format at which the new free time account is allowed to access the Internet ...

Page 63: ...imum Registration Number Before Reset Time to 1 and the Reset Time to 13 00 even the first free guest account has expired at 11 30 the second account still cannot access the Internet until 13 00 4 8 Device Registration Go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it if you have not already done so Note You must be connected to the Internet to register ...

Page 64: ...the Web Configurator See the feature specific chapters in this User s Guide for background information In the Web Configurator click Configuration Quick Setup to open the first Quick Setup screen Figure 37 Quick Setup UAG2100 UAG4100 Figure 38 Quick Setup UAG5100 WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in ...

Page 65: ... WAN Interface Quick Setup Wizard Welcome screen Use these screens to configure an interface to connect to the Internet Click Next Figure 39 WAN Interface Quick Setup Wizard 5 2 1 Choose an Ethernet Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next Figure 40 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of...

Page 66: ... 5 2 3 Configure WAN IP Settings Use this screen to select whether the interface should use a fixed or dynamic IP address Figure 42 WAN Interface Setup Step 2 WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto If your ISP did not assign you a fixed IP add...

Page 67: ... displays the type of Internet connection you are configuring Service Name Enter the PPPoE service name specified in the ISP account This field is not available if the ISP account uses PPTP Authentication Type Use the drop down list box to select an authentication protocol for outgoing calls Options are CHAP PAP Your UAG accepts either CHAP or PAP when requested by this remote node CHAP Your UAG a...

Page 68: ...ptional and depends on the requirements of your DSL modem You can use alphanumeric and _ characters and it can be up to 31 characters long IP Address Assignment WAN Interface This displays the identity of the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address This field is read only when the...

Page 69: ...t This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address Assi...

Page 70: ...en the VPN Setup Wizard Welcome screen Figure 45 VPN Setup Wizard UAG5100 5 3 1 Welcome Use wizards to create Virtual Private Network VPN rules After you complete the wizard the Phase 1 rule settings appear in the VPN IPSec VPN VPN Gateway screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Figure 46 VPN Setup Wizard Welcome ...

Page 71: ...ZLD based UAG using a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key to create a VPN rule to connect to another IPSec device Figure 47 VPN Setup Wizard Wizard Type 5 3 3 VPN Express Wizard Scenario Click the Express radio button as shown in Figure 47 on page 71 to display the following screen Figure 48 VPN Express Wizard Scenario ...

Page 72: ...ype the password Both ends of the VPN tunnel must use the same password Use 8 to 31 case sensitive ASCII characters or 8 to 31 pairs of hexadecimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network that can use the ...

Page 73: ...mote IPSec device that can use the tunnel Copy and paste the Configuration for Secure Gateway commands into another ZLD based UAG s command line interface to configure it to serve as the other end of this VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh filename extension Use the file manager to run the script in order to configure the VPN connect...

Page 74: ...nario Click the Advanced radio button as shown in Figure 47 on page 71 to display the following screen Figure 52 VPN Advanced Wizard Scenario Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ...

Page 75: ... Negotiation Mode Select Main for identity protection Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords Note Multiple SAs connecting through a secure gateway must have the same negotiation mode Encryption Algorithm 3DES and AES use encryption The longer the key the higher the security this may affect throughput Both sender and receiver must us...

Page 76: ...t 15 seconds the UAG sends a message to the remote IPSec device If it responds the UAG transmits the data If it does not respond the UAG shuts down the IKE SA Authentication Method Select Pre Shared Key to use a password or Certificate to use one of the UAG s certificates 5 3 9 VPN Advanced Wizard Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec Figu...

Page 77: ...ou can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Type the IP address of a computer behind the remote IPSec device You can also specify a subnet This must match the local IP address configured on the remote IPSec device Nailed Up This displays for the site to site and remote access client role scenarios Select this to hav...

Page 78: ...e key size and encryption algorithm to use in the IPSec SA 3DES and AES use encryption The longer the AES key the higher the security this may affect throughput Null uses no encryption Authentication Algorithm The hash algorithm to use to authenticate packet data in the IPSec SA MD5 gives minimal security and SHA512 gives the highest security Key Group The Diffie Hellman key group to use for encry...

Page 79: ...Chapter 5 Quick Setup Wizards UAG Series User s Guide 79 Figure 56 VPN Wizard Finish Click Close to exit the wizard ...

Page 80: ...at the VPN tunnels that are currently established Use the DHCP Table screen see Section 6 2 5 on page 88 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Number of Login Users screen see Section 6 2 6 on page 89 to look at a list of the users currently logged into the UAG 6 2 The Dashboard Screen The Dashboard screen di...

Page 81: ...A Use this link to open or close widgets by selecting clearing the associated checkbox Up Arrow B Click this to collapse a widget It then becomes a down arrow Click it again to enlarge the widget again Refresh Time Setting C Set the interval for refreshing the information displayed in the widget Refresh Now D Click this to update the widget s information immediately A B C D E ...

Page 82: ... displays the current IP address and subnet mask assigned to the interface Console speed This field displays the current console port speed Device Information System Name This field displays the name used to identify the UAG on any network Click the icon to open the screen where you can change it Model Name This field displays the model name of this UAG Serial Number This field displays the serial...

Page 83: ... in your existing network without changing the network architecture and use its multiple WAN feature to connect to more than one ISP See the CLI Reference Guide for how to use commands to set the UAG interfaces to work in drop in mode This field is available only on the UAG that supports drop in mode Interface Status Summary If an Ethernet interface does not have any physical ports associated with...

Page 84: ...ws how many licensed services there are Status This is the current status of the license Name This identifies the licensed service Version This is the version number of the service Expiration If the service license is valid this shows when it will expire n a displays if the service license does not have a limited period of validity 0 displays if the service is not licensed or has expired Count Thi...

Page 85: ...ed AP This displays the number of detected unclassified APs Rogue AP This displays the number of detected rogue APs Friendly AP This displays the number of detected friendly APs Top 5 Station Displays the top 5 Access Points AP with the highest number of station aka wireless client connections This field displays the rank of the station AP MAC This field displays the MAC address of the AP to which...

Page 86: ...in the dashboard Message This field displays the actual log message Source This field displays the source address if any in the packet that generated the log Destination This field displays the destination address if any in the packet that generated the log Table 14 Dashboard continued LABEL DESCRIPTION Table 15 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usag...

Page 87: ...on usage To access this screen click Show Active Sessions in the dashboard Figure 60 Dashboard Show Active Sessions Table 16 Dashboard Memory Usage LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update th...

Page 88: ...tem Status in the dashboard Table 17 Dashboard Show Active Sessions LABEL DESCRIPTION Sessions The y axis represents the number of session The x axis shows the time period over which the session usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Table 18 Dashboard VPN Status LABE...

Page 89: ...Name This field displays the name used to identify this device on the network the computer name The UAG learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by MAC address Click ...

Page 90: ...or an administrator account Remaining Time This field displays the amount of Internet access time remaining for each account This shows n a for an administrator account Remaining Quota T U D This field displays the remaining amount of data that can be transmitted or received by each account You can see the amount of either data in both directions Total or upstream data Upload and downstream data D...

Page 91: ...d an IP address from UAG interfaces with IP MAC binding enabled Use the System Status Login Users screen see Section 7 8 on page 102 to look at a list of the users currently logged into the UAG Use the System Status Dynamic Guest screen see Section 7 9 on page 103 to look at a list of the guest user accounts which are created automatically and allowed to access the UAG s services for a certain per...

Page 92: ...een see Section 7 20 on page 121 to start or stop data collection and view virus statistics Use the UTM Statistics Content Filter screen see Section 7 21 on page 123 to start or stop data collection and view content filter statistics Use the Log View Log screen see Section 7 22 on page 125 to view the UAG s current log messages You can change the way the log is displayed you can e mail the log and...

Page 93: ...ys the physical port number Status This field displays the current status of the physical port Down The physical port is not connected Speed Duplex The physical port is connected This field displays the port speed and duplex setting Full or Half TxPkts This field displays the number of packets transmitted from the UAG on the physical port since it was last connected RxPkts This field displays the ...

Page 94: ...lly updated Refresh Now Click this to update the information in the window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table Kbps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occ...

Page 95: ...us This field displays the current status of each interface The possible values depend on what type of interface it is For Ethernet interfaces Inactive The Ethernet interface is disabled Down The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabled but not connected Up The LAN Ethernet interface is enabled and connected Speed Duplex The WAN Et...

Page 96: ... the name click this to look at the statistics for virtual interfaces on top of this interface Status This field displays the current status of each interface The possible values depend on what type of interface it is For Ethernet interfaces Inactive The Ethernet interface is disabled Down The Ethernet interface does not have any physical ports associated with it or the Ethernet interface is enabl...

Page 97: ...not schedule data collection you have to start and stop it manually in the Traffic Statistics screen Figure 67 Monitor System Status Traffic Statistics There is a limit on the number of records shown in the report Please see Table 25 on page 99 for more information The following table describes the labels in this screen Table 24 Monitor System Status Traffic Statistics LABEL DESCRIPTION Data Colle...

Page 98: ... on page 99 These fields are available when the Top is Service Port This field is the rank of each record The protocols and service ports are sorted by the amount of traffic Service Port This field displays the service and port in this record The maximum number of services and service ports in this report is indicated in Table 25 on page 99 Protocol This field indicates what protocol the service w...

Page 99: ...ed Source address Destination address Number of bytes received so far Number of bytes transmitted so far Duration so far You can look at all the active sessions by user service source IP address or destination IP address You can also filter the information by user protocol service or service group source address and or destination address and view it by user Click Monitor System Status Session Mon...

Page 100: ...to the protocol and port of each services that is defined See Chapter 40 on page 447 for more information about services Source Address This field displays when View is set to all sessions Type the source IP address whose sessions you want to view You cannot include the source port Destination Address This field displays when View is set to all sessions Type the destination IP address whose sessio...

Page 101: ...se the arrows to navigate the pages of entries Show x items Select how many entries you want to display on each page Table 26 Monitor System Status Session Monitor continued LABEL DESCRIPTION Table 27 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the UAG update the profile to the DDNS server The UAG attempts to resolve the IP address for the domain name This field i...

Page 102: ...ng enabled to show to which devices it has assigned an IP address This is the index number of an IP MAC binding entry IP Address This is the IP address that the UAG assigned to a device Host Name This field displays the name used to identify this device on the network the computer name The UAG learns these from the DHCP client requests MAC Address This field displays the MAC address to which the I...

Page 103: ...istrator account Remaining Quota T U D This field displays the remaining amount of data that can be transmitted or received by each account You can see the amount of either data in both directions Total or upstream data Upload and downstream data Download This shows for an administrator account Type This field displays the way the user logged in to the UAG IP Address This field displays the IP add...

Page 104: ...eriod This field displays the total account of time the account can use to access the Internet through the UAG Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list Quota T U D This field displays how mu...

Page 105: ...the list This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP packets Since this is often a wildcard the field may be blank When the field is blank the UAG forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port When this field displays an external I...

Page 106: ...Internal Client Type This field displays the type of the client application on the LAN Description This field displays a text explanation of the NAT mapping rule Delete All Click this to remove all mapping rules from the NAT table Refresh Click this button to update the information in the screen Table 32 Monitor System Status UPnP Port Status continued LABEL DESCRIPTION Table 33 Monitor System Sta...

Page 107: ... same network as the computer on which the ZON utility is installed Click Monitor System Status Ethernet Neighbor to see the following screen Status Ready you can have the UAG use the USB storage device Click Remove Now to stop the UAG from using the USB storage device so you can remove it Unused the connected USB storage device was manually unmounted by using the Remove Now button or for some rea...

Page 108: ... system name of the discovered device Firmware Version This field displays the firmware version of the discovered device Port Description This field displays the first internal port on the discovered device Internal is an interface type displayed in the Network Interface Ethernet Edit screen For example if P1 and P2 are WAN P3 to P4 are LAN and P5 is DMZ then UAG will display P3 as the first inter...

Page 109: ... s MAC Address Registration This indicates whether the AP is registered with the managed AP list CPU Usage This displays what percentage of the AP s processing capability is currently being used IP Address This displays the AP s IP address MAC Address This displays the AP s MAC address Model This displays the AP s model number Mgnt VLAN ID AC AP This displays the Access Controller the UAG manageme...

Page 110: ...at the AP LED suppression mode is disabled and the AP LEDs stay lit after the AP is ready A sun icon signifies that the AP s locator LED is blinking A circle signifies that the AP s locator LED is extinguished Refresh Click this button to update the information in the screen Table 36 Monitor Wireless AP Information AP List Icons LABEL DESCRIPTION This AP is not on the management list This AP is on...

Page 111: ...guration conflicts with the UAG s settings for the AP this field displays which configuration conflicts It displays n a if none of the AP s configuration conflicts with the UAG s settings for the AP Port Status Port This shows the name of the physical Ethernet port on the UAG Status This field displays the current status of each physical port on the AP Down The port is not connected Speed Duplex T...

Page 112: ...tor Wireless AP Information AP List Station Count of AP continued LABEL DESCRIPTION Table 38 Monitor Wireless AP Information Radio List LABEL DESCRIPTION More Information Click this to view additional information about the selected radio s SSID s wireless traffic and wireless clients Information spans a 24 hour period This is the radio s index number in this list Loading This indicates the AP s lo...

Page 113: ... displays the number of stations aka wireless clients associated with the radio Rx PKT This displays the total number of packets received by the radio Tx PKT This displays the total number of packets transmitted by the radio Rx FCS Error Count This indicates the number of received packet errors accrued by the radio Tx Retry Count This indicates the number of times the radio has attempted to re tra...

Page 114: ...o view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 79 Monitor Wireless AP Information Radio List AP Mode Radio Information ...

Page 115: ...splays the MAC address associated with the SSID Security Mode This displays the security mode in which the SSID is operating VLAN This displays the VLAN ID associated with the SSID Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24 hours y axis This axis represents the amount of data moved across this radio in megabytes per second x axis Th...

Page 116: ...which the station is connected A single AP can have multiple SSIDs or networks Security Mode This indicates which secure encryption methods is being used by the station to connect to the network Signal Strength This indicates the strength of the signal The signal strength mainly depends on the antenna output power and the distance between the station and the AP Channel This indicates the number th...

Page 117: ...he detected device s status Device This indicates the detected device s network type such as infrastructure or ad hoc Role This indicates the detected device s role such as friendly or rogue MAC Address This indicates the detected device s MAC address SSID Name This indicates the detected device s SSID Channel ID This indicates the detected device s channel ID 802 11 Mode This indicates the 802 11...

Page 118: ...printer list Mgnt Printer IPv4 Address This field displays the IP address of the printer that you configured in the Configuration Printer Printer Manager screen Update Time This field displays the date and time the UAG last synchronized with the printer This shows n a when the printer status is sync fail Status This field displays whether the UAG can connect to the printer and update the printer i...

Page 119: ...his field displays the user name of each user who is currently logged into the UAG and matches a pre configured VPN 1 1 mapping rule IP Address This field displays the IP address of the computer used to log in to the UAG Mapping IP Interface This field displays the public IP address that the UAG assigns to the user according to the matched VPN 1 1 mapping rule It also displays the interface throug...

Page 120: ...rofile This field displays the name of the IP address pool profile to which the rule is applied Assigned Failed Peak Usage This field displays how many times the UAG applied the rule to a user successfully or failed to apply the rule to a user This also shows the maximum number of times the UAG has applied the rule to a user successfully Table 45 Monitor VPN Monitor IPSec LABEL DESCRIPTION Name En...

Page 121: ... IPSec SA and click this button to check the connection to the remote IPSec router to make sure it is still available Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries Show x items Select how many entries you want to display on each page This field is a se...

Page 122: ... and a new collection start time displays Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to its last saved settings Refresh Click this button to update the report display Flush Data Click this button to discard all of the screen s statistics and update the report display App Patrol Statistics This field is a sequential value and it is not associated w...

Page 123: ...tent filter statistics Figure 87 Monitor UTM Statistics Content Filter Inbound Kbps This field displays the amount of the application s traffic that has gone to the UAG in kilo bits per second Outbound Kbps This field displays the amount of the application s traffic that has gone from the UAG in kilo bits per second Table 46 Monitor UTM Statistics App Patrol LABEL DESCRIPTION ...

Page 124: ...lowed access Category Hit Summary Security Threat unsafe This is the number of requested web pages that the UAG s content filtering service identified as posing a threat to users Managed Web Pages This is the number of requested web pages that the UAG s content filtering service identified as belonging to a category that was selected to be managed Block Hit Summary Web Pages Warned by Category Ser...

Page 125: ... maximum possible number of log messages in the UAG varies by model Events that generate an alert as well as a log message display in red Regular logs display in black Click a column s heading cell to sort the table entries by that column s criteria Click the heading cell again to reverse the sort order Figure 88 Monitor Log The following table describes the labels in this screen Table 48 Monitor ...

Page 126: ... a service protocol whose log messages you would like to see Search This displays when you show the filter Click this button to update the log using the current filter settings Reset This displays when you show the filter Click this button to return the screen to its last saved settings Email Log Now Click this button to send log message s to the Active e mail address es specified in the Send Log ...

Page 127: ... this screen to view the UAG s current wireless AP log messages Click Monitor Log View AP Log to access this screen Figure 89 Monitor Log View AP Log Protocol This field displays the service protocol used by the packet that generated the log message Note This field displays any additional information about the log message Table 48 Monitor Log continued LABEL DESCRIPTION ...

Page 128: ...es that include it Note This criterion only appears when you Show Filter Source Interface Enter a source interface to display only the log messages that include it Note This criterion only appears when you Show Filter Destination Interface Enter a destination interface to display only the log messages that include it Note This criterion only appears when you Show Filter Service Select a service ty...

Page 129: ...ion interface of the log message Protocol This field displays the service protocol of the log message Note This displays any notes associated with the selected log message Table 49 Monitor Log View AP Log continued LABEL DESCRIPTION Table 50 Monitor Log Dynamic Users Log LABEL DESCRIPTION Begin End Date Select the first and last dates to specify a time period The UAG displays log messages only for...

Page 130: ...ount remains un used after the expiration time the account is deleted from the account list Quota T U D This field displays how much data in both directions Total or upstream data Upload and downstream data Download can be transmitted through the WAN interface before the account expires Remaining Quota T U D This field displays the remaining amount of data that can be transmitted or received by ea...

Page 131: ...XEL s online services center where you can register your UAG and manage subscription services available for the UAG To use a subscription service you have to register the UAG and activate the corresponding service at myZyXEL com through the UAG Note You need to create a myZyXEL com account before you can register your device and activate the services at myZyXEL com Go to http portal myZyXEL com wi...

Page 132: ...itional licenses As of this writing each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 8 UAG2100 16 UAG4100 or 32 UAG5100 8 2 Registration Screen Click the link in this screen to register your UAG with myZyXEL com The UAG should already have Internet access before you can register it Click Configuration Licensin...

Page 133: ...It also displays Expired when the service expired or Not Licensed if the service is not activated Registration Type This field displays whether you applied for a trial application Trial or registered a service with your iCard s PIN number Standard This field is blank when a service is not activated It always displays Standard for a default service Expiration Date This field displays the date your ...

Page 134: ... 93 Configuration Licensing Signature Update App Patrol The following table describes the fields in this screen Table 52 Configuration Licensing Signature Update App Patrol LABEL DESCRIPTION Signature Information The following fields display information on the current signature set that the UAG is using Current Version This field displays the signature and anomaly rule set version number This numb...

Page 135: ...ecified time The time format is the 24 hour clock so 23 means 11 PM for example Weekly Select this option to have the UAG check for new signatures once a week on the day and at the time specified Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 52 Configuration Licensing Signature Update App Patrol continued LABEL...

Page 136: ...anaged APs The Auto Healing screen Section 9 7 on page 151 turns on the auto healing feature to extend the wireless service coverage area of the managed APs when one of the APs fails 9 1 2 What You Need to Know The following terms and concepts may help as you read this chapter Station Wireless Client A station or wireless client is any wireless capable device that can connect to an AP using a wire...

Page 137: ...uration Wireless AP Management Table 53 Configuration Wireless Controller LABEL DESCRIPTION Registration Type Select Manual to add each AP to the UAG for management or Always Accept to automatically add APs to the UAG for management Note Select the Manual option for managing a specific set of APs This is recommended as the registration mechanism cannot automatically differentiate between friendly ...

Page 138: ...uppression mode This field is a sequential value and it is not associated with any entry IP Address This field displays the IP address of the AP MAC Address This field displays the MAC address of the AP Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the UAG and the information is unavailable as a result R1 Mode Profile...

Page 139: ...ess AP Management Edit AP List LABEL DESCRIPTION Create new Object Use this menu to create a new Radio Profile or MON Profile object to associate with this AP Configuration MAC This displays the MAC address of the selected AP Model This field displays the AP s hardware model information It displays N A not applicable only when the AP disconnects from the UAG and the information is unavailable as a...

Page 140: ...nu VLAN Settings This section is not available when you are editing the local AP s settings Force Overwrite VLAN Config Select this to have the UAG change the AP s management VLAN to match the configuration in this screen Management VLAN ID Enter a VLAN ID for this AP As Native VLAN Select this option to treat this VLAN ID as a VLAN created on the UAG and not one assigned to it from outside the ne...

Page 141: ...the Configuration Wireless AP Management Edit AP List screen Table 56 Configuration Wireless AP Management Edit AP List Edit Port LABEL DESCRIPTION Enable Select this option to activate the port Otherwise deselect it Name This shows the name of the port Native VID PVID A PVID Port VLAN ID is a tag that adds to incoming untagged frames received on a port so that the frames are forwarded to the VLAN...

Page 142: ... 12 bit number uniquely identifies each VLAN Allowed values are 1 4094 0 and 4095 are reserved Member Configuration Use these settings to assign ports to this VLAN as members Edit Click this to edit the selected port s membership values This is sequential indicator of the port number Port Name This indicates the port name Member This indicates whether the selected port is a member or not of the VL...

Page 143: ...o have the managed AP s automatically send broadcast packets to find any other available AP controllers Select Manual to replace the AP controller s IP address configured on the managed AP s with the one s you specified below Primary Controller Specify the IP address of the primary AP controller if you set Override Type to Manual Secondary Controller Specify the IP address of the secondary AP cont...

Page 144: ...ble Rogue AP Containment Select this to enable rogue AP containment Rogue Friendly AP List Add Click this button to add an AP to the list and assign it either friendly or rogue status Edit Select an AP in the list to edit and reassign its status Remove Select an AP in the list to remove Containment Click this button to quarantine the selected AP A quarantined AP cannot grant access to any network ...

Page 145: ...ist you want to import or click the Browse button to locate it Once the File Path field has been populated click Importing to bring the list into the UAG Exporting Click this button to export the current list of either rogue APs or friendly APS Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to its last saved settings Table 59 Configuration Wireless MO...

Page 146: ...another less burdened AP if one is available Max Station Number Enter the threshold number of stations at which an AP begins load balancing its connections Traffic Level Select the threshold traffic level at which the AP begins load balancing its connections low medium high Disassociate station when overloaded Select this option to disassociate wireless clients connected to the AP when it becomes ...

Page 147: ...ion For example here the AP has a balanced bandwidth allotment of 6 Mbps If laptop R connects and it pushes the AP over its allotment say to 7 Mbps then the AP delays the red laptop s connection until it can afford the bandwidth or the laptop is picked up by a different AP with bandwidth to spare Figure 103 Delaying a Connection The second response your AP can take is to kick the connections that ...

Page 148: ...le time If no connections are idle the next criteria the UAG analyzes is signal strength Devices with the weakest signal strength are kicked first 9 6 DCS Use DCS Dynamic Channel Selection in an environment where are many APs and there may be interference DCS allows APs to automatically find a less used channel in such an environment Use this screen to configure dynamic radio channel selection on ...

Page 149: ...broadcasting suddenly comes into use by another AP the UAG will then dynamically select the next available clean channel or a channel with lower interference Enable DCS Client Aware Select this to have the AP wait until all connected clients have disconnected before switching channels If you disable this then the AP switches channels immediately regardless of any client connections In this instanc...

Page 150: ...the UAG uses channels 1 5 9 13 in this configuration Four channel deployment expands your pool of possible channels while keeping the channel interference to a minimum 5 GHz Settings Enable 5 GHz DFS Aware Select this if your APs are operating in an area known to have RADAR devices This allows the device to downgrade its frequency to below 5 GHz in the event a RADAR signal is detected thus prevent...

Page 151: ...borhoods three times in a row and update their neighbor lists to the AP controller UAG Auto Healing Interval Set the time interval in minutes at which the managed APs scan their neighborhoods and report the status of neighbor APs to the AP controller UAG An AP is considered failed if the AP controller obtains the same scan result that the AP is missing from the neighbor list of other APs three tim...

Page 152: ... the area around it looking for the channel with the least amount of interference In the 2 4 GHz spectrum each channel from 1 to 13 is broken up into discrete 22 MHz segments that are spaced 5 MHz apart Channel 1 is centered on 2 412 GHz while channel 13 is centered on 2 472 GHz Figure 107 An Example Three Channel Deployment Three channels are situated in such a way as to create almost no interfer...

Page 153: ...ection is delayed giving it the opportunity to connect to a different neighboring AP If he still connects to the AP regardless of the delay then the AP may boot other people who are already connected in order to associate with the new connection Load balancing by traffic level limits the number of connections to the AP based on maximum bandwidth available If you are uncertain as to the exact numbe...

Page 154: ...TP Internet connections Use the VLAN screens Section 10 5 on page 174 to divide the physical network into multiple logical networks VLAN interfaces receive and send tagged frames The UAG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Use the Bridge screens Section 10 6 on page 181 to combine two or more network segments into a single n...

Page 155: ...groups and trunks have a lot of characteristics that are specific to each type of interface See Section 10 2 on page 156 and Chapter 11 on page 195 for details The other types of interfaces Ethernet PPP VLAN bridge and virtual have a lot of similar characteristics These characteristics are listed in the following table and discussed in more detail below The format of interface names other than the...

Page 156: ...f it Finding Out More See Section 10 8 on page 191 for background information on interfaces See Chapter 11 on page 195 to configure load balancing using trunks 10 2 Port Role Screen To access this screen click Configuration Network Interface Port Role Use the Port Role screen to set the UAG s flexible ports as part of the lan1 lan2 or dmz interfaces This creates a hardware connection between the p...

Page 157: ...G s lan1 IP address and MAC address When you assign more than one physical port to a network you create a port group Port groups have the following characteristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces The port group uses a single MAC a...

Page 158: ...on Network Interface Ethernet Each field is described in the following table Table 66 Configuration Network Interface Ethernet LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a virtual interface select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an...

Page 159: ...For example if you change the LAN s IP address the UAG automatically updates the corresponding interface based LAN subnet address object IP Address This field displays the current IP address of the interface If the IP address is 0 0 0 0 in the IPv4 network the interface does not have an IP address yet In the IPv4 network this screen also shows whether the IP address is a static IP address STATIC o...

Page 160: ...Chapter 10 Interfaces UAG Series User s Guide 160 Figure 112 Configuration Network Interface Ethernet Edit External Type ...

Page 161: ...Chapter 10 Interfaces UAG Series User s Guide 161 Figure 113 Configuration Network Interface Ethernet Edit Internal Type ...

Page 162: ...ment MAC Address This field is read only This is the MAC address that the Ethernet interface uses Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment These IP address fields configure an IPv4 IP address on the interface itself If you change this IP address on the interface ...

Page 163: ...erform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the UAG stops routing through the gateway Check Default Gateway Select t...

Page 164: ...want to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default router This default router will become the DHCP clients default gateway To use another IP a...

Page 165: ...factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address By default the UAG uses the factory assigned MAC address to identify itself Overwrite Default MAC Address Select this option to have the interface use a different MA...

Page 166: ... DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s conf...

Page 167: ...e for the selected DHCP option For example if you selected TFTP Server Name 66 and the type is TEXT enter the DNS domain name of a TFTP server here If you selected the Time Offset 2 option the type is Boolean and you have to enter a Boolean value which should be either 0 or 1 where 1 interpreted as true and 0 is interpreted as false This field is mandatory First IP Address Second IP Address Third ...

Page 168: ...as been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server VIVC 124 Vendor Identifying Vendor Class option A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running the software in use o...

Page 169: ...interface to use Each ISP account specifies the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP interfaces are interfaces between the UAG and only one computer Therefore the subnet...

Page 170: ...d click Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface Object Reference Sele...

Page 171: ...Chapter 10 Interfaces UAG Series User s Guide 171 Figure 118 Configuration Network Interface PPP Add ...

Page 172: ...nection up all the time Dial on Demand Select this to have the UAG establish the PPPoE PPTP connection only when there is traffic You might use this option if there is little traffic through the interface or if it costs money to keep the connection available ISP Setting Account Profile Select the ISP account that this PPPoE PPTP interface uses The drop down box lists ISP accounts by name Use Creat...

Page 173: ...interface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the UAG stops routing to the gateway The UAG resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway...

Page 174: ...the physical networks into three VLANs Figure 120 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the switches are connected to the router If one switch has enough connections for the entire ne...

Page 175: ...ch department in the example above These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and VLAN 1 Between the router and VLAN 2 Between the router and VLAN 3 VLAN Interfaces Overview In the UAG each VLAN is called a VLAN interf...

Page 176: ...select an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field d...

Page 177: ...Chapter 10 Interfaces UAG Series User s Guide 177 or select an entry in the VLAN summary screen and click the Edit icon The following screen appears Figure 122 Configuration Network Interface VLAN Edit ...

Page 178: ...hich the VLAN interface runs VLAN ID Enter the VLAN ID This 12 bit number uniquely identifies each VLAN Allowed values are 1 4094 0 and 4095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment Get Automatically This option appears when Interface Type is externa...

Page 179: ...he gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the UAG stops routing through the gateway Check Default Gateway Select this to use the default gatewa...

Page 180: ...t to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default router This default router will become the DHCP clients default gateway To use another IP addr...

Page 181: ...ing This section appears when Interface Type is external or general Have the interface use either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address By default the UAG uses the factory assigned MAC address to ide...

Page 182: ... in the table There is no entry yet so the bridge broadcasts the packet on ports 1 3 and 4 If computer B responds to computer A bridge X records the source address 0B 0B 0B 0B 0B 0B and port 4 in the table It also looks up 0A 0A 0A 0A 0A 0A in the table and sends the packet to port 2 accordingly Bridge Interface Overview A bridge interface creates a software bridge between the members of the bridg...

Page 183: ... interface is added or removed 10 6 1 Bridge Interface Summary This screen lists every bridge interface and virtual interface created on top of bridge interfaces To access this screen click Configuration Network Interface Bridge Figure 123 Configuration Network Interface Bridge Each field is described in the following table Table 77 Example Routing Table Before and After Bridge Interface br0 Is Cr...

Page 184: ... which settings use the entry See Section 10 3 2 on page 165 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the interface IP Address This field displays the current IP address of the interface If the IP address is 0 0 0 0 the inter...

Page 185: ...Chapter 10 Interfaces UAG Series User s Guide 185 Figure 124 Configuration Network Interface Bridge Add ...

Page 186: ... belong You use zones to apply security settings such as security policy control and remote management Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Member Configuration Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface An in...

Page 187: ...lready a DHCP server on the network DHCP Relay the UAG routes DHCP requests to one or more DHCP servers you specify The DHCP server s may be on another network DHCP Server the UAG assigns IP addresses and provides subnet mask gateway and DNS server information to the network The UAG is the DHCP server for the network These fields appear if the UAG is a DHCP Relay Relay Server 1 Enter the IP addres...

Page 188: ...d Click this to create an entry in this table See Section 10 3 3 on page 166 Edit Select an entry in this table and click this to modify it Remove Select an entry in this table and click this to delete it This field is a sequential value and it is not associated with any entry Name This is the name of the DHCP option Code This is the code number of the DHCP option Type This is the type of the set ...

Page 189: ...e UAG resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway allows Select icmp to have the UAG regularly ping the gateway you specify to make sure it is still available Select tcp to have the UAG regularly perform a TCP handshake with the gateway y...

Page 190: ...y derived from the underlying Ethernet interface VLAN interface or bridge interface Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter the subnet mask of this interface in dot decimal notation The subnet ...

Page 191: ...also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually In general the IP address and subnet mask of each interface should not overlap though it is possible for this to happen with DHCP clients Egress Bandwidt...

Page 192: ... network 1 If you set the bandwidth restrictions very high you effectively remove the restrictions The UAG also restricts the size of each data packet The maximum number of bytes in each packet is called the maximum transmission unit MTU If a packet is larger than the MTU the UAG divides it into smaller fragments Each fragment is sent separately and the original packet is re assembled later The sm...

Page 193: ...mask is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP Address Assignment on page 191 Gateway The interface provides the same gateway you specify for the interface See IP Address Assignment on page 191 DNS servers The interface provides IP addresses for up to three DN...

Page 194: ...ms including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second one 2 Th...

Page 195: ...ce connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface s connection is up 11 1 1 What You Can Do in this Chapter Use the Trunk summary screen Section 11 2 on page 198 to configure link sticking and view the list of configured ...

Page 196: ...th Here the UAG has two WAN interfaces connected to the Internet The configured available outbound bandwidths for wan1 and ppp0 are 512K and 256K respectively Figure 127 Least Load First Example The outbound bandwidth utilization is used as the load balancing index In this example the measured current outbound throughput of wan1 is 412K and ppp0 is 198K The UAG calculates the load balancing index ...

Page 197: ...AG assigns the traffic of two sessions to wan1 and one session s traffic to ppp0 in each round of 3 new sessions Figure 128 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface s maximum allowable load is reached then sends the excess network traffic of new sessions to the n...

Page 198: ...f configuration fields Disconnect Connections Before Falling Back Select this to terminate existing connections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up Enable Default SNAT Select this to have the UAG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The ...

Page 199: ...user configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on pa...

Page 200: ...can add edit remove or move entries for user configured trunks Add Click this to add a member interface to the trunk Select an interface and click Add to add a new member interface after the selected member interface Edit Select an entry and click Edit to modify the entry s settings Remove To remove a member interface select it and click Remove The UAG confirms you want to remove it before doing s...

Page 201: ...ace in the corresponding interface edit screen Total Bandwidth This field displays with the spillover load balancing algorithm It displays the maximum number of kilobits of data the UAG is to send out and allow to come in through the interface per second You can configure the bandwidth of an interface in the corresponding interface edit screen Spillover This field displays with the spillover load ...

Page 202: ...rfaces Mode This field displays Active if the UAG always attempt to use this connection This field displays Passive if the UAG only use this connection when all of the connections set to active are down Only one of a group s interfaces can be set to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the weight 1 10 for the interface The weights o...

Page 203: ...policy route to communicate with a separate network behind another router R3 connected to the LAN Figure 133 Example of Policy Routing Topology 12 1 1 What You Can Do in this Chapter Use the Policy Route screens see Section 12 2 on page 205 to list and configure policy routes Use the Static Route screens see Section 12 3 on page 211 to list and configure static routes 12 1 2 What You Need to Know ...

Page 204: ...ersus Static Routes Policy routes are more flexible than static routes You can select more criteria for the traffic to match and can also use schedules and NAT Policy routes are only used within the UAG itself Policy routes take priority over static routes If you need to use a routing policy on the UAG and propagate it to other routers you could configure a policy route and an equivalent static ro...

Page 205: ...different kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies Finding Out More See Section 12 4 on page 212 for more background information on policy routing 12 2 Policy Route Screen Click Configuration Network Routing to open the Policy Route screen Use this screen to see the configured policy routes A policy route defines the matching crit...

Page 206: ...red when the next hop s connection is down and dimmed when the entry is inactive User This is the name of the user group object from which the packets are sent any means all users Schedule This is the name of the schedule object none means the route is active at all times if enabled Incoming This indicates where the packets are coming from For example it shows the interface on which the packets ar...

Page 207: ... route s outgoing packets preserve means the UAG does not modify the DSCP value of the route s outgoing packets default means the UAG sets the DSCP value of the route s outgoing packets to 0 The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 212 for more details ...

Page 208: ...lowing table describes the labels in this screen Table 89 Configuration Network Routing Policy Route Add Edit LABEL DESCRIPTION Show Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields Create new Object Use this to configure any new settings objects that you need to use in this screen ...

Page 209: ...Defined DSCP Code Use this field to specify a custom DSCP code point Schedule Select a schedule to control when the policy route is active none means the route is active at all times if enabled Service Select a service or service group to identify the type of traffic to which this policy route applies Source Port Select a service or service group to identify the source port of packets to which the...

Page 210: ... is bound the virtual interface and physical interface must be in different subnets Otherwise select a pre defined address group to use as the source IP address es of the packets that match this route Use Create new Object if you need to configure a new address group to use as the source IP address es of the packets that match this route Healthy Check Use this part of the screen to configure a rou...

Page 211: ...r changes back to the UAG Cancel Click Cancel to exit this screen without saving Table 89 Configuration Network Routing Policy Route Add Edit continued LABEL DESCRIPTION Table 90 Configuration Network Routing Static Route LABEL DESCRIPTION Add Click this to create a new static route Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Re...

Page 212: ...rameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host enter the specific IP address here and use a subnet mask of 255 255 255 255 for IPv4 in the Subnet Mask field to force the network number to be identical to the host ID Subnet Mask Enter the IP subnet mask here Gateway IP Select the radio butto...

Page 213: ...maller numbered class is generally given priority Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43 The decimal equivalent is listed in brackets Table 92 Assured Forwarding AF Behavior Group CLASS 1 CLASS 2 CLASS 3 CLASS 4 Low Drop Precedence AF11 10 AF21 18 AF31 26 AF41 34 Medium Drop Precedence AF12 12 AF22 20 AF32 28 AF42 36 High Drop ...

Page 214: ...s Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the UAG When registration is complete the DNS service provider gives you a password or key At the time of writing the UAG supports the following DNS service providers See the listed websites for details about the DN...

Page 215: ...is inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the UAG can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the UAG determines the IP address for the domain ...

Page 216: ... Network DDNS Add The following table describes the labels in this screen Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 94 Configuration Network DDNS continued LABEL DESCRIPTION Table 95 Configuration Network DDNS Add LABEL DESCRIPTION Show Advanced Settings Hide Advanced Settings Click this button to display a...

Page 217: ...g Address if the interface specified by these settings is not available Interface Select the interface to use for updating the IP address mapped to the domain name Select any to let the domain name be used with any interface IP Address The options available in this field vary by DDNS provider Interface The UAG uses the IP address of the specified interface This option appears when you select a spe...

Page 218: ...ed a mail exchanger For example DynDNS routes e mail for john doe yourhost dyndns org to the host record specified as the mail exchanger If you are using this service type the host record of your mail server here Otherwise leave the field blank See www dyndns org for more information about mail exchangers Backup Mail Exchanger This option is only available with a DynDNS account Select this check b...

Page 219: ...e you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 172 16 0 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 140 Multiple Servers Behind NAT Example 14 1 1 What You Can Do ...

Page 220: ... click Activate Inactivate To turn off an entry select it and click Inactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering Status This ic...

Page 221: ... Original Port This field displays the original destination port s of packets for the NAT entry This field is blank if there is no restriction on the original destination port Mapped Port This field displays the new destination port s for the packet This field is blank if there is no restriction on the original destination port Apply Click this button to save your changes to the UAG Reset Click th...

Page 222: ... interface any Select this to use all of the incoming interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User Defined Select this to manually enter an IP address in the User Defined Original IP field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it H...

Page 223: ...nter the beginning of the range of translated destination ports if this NAT rule forwards the packet Mapped End Port This field is available if Port Mapping Type is Ports Enter the end of the range of translated destination ports if this NAT rule forwards the packet The original port range and the mapped port range must be the same size Enable NAT Loopback Enable NAT loopback to allow users connec...

Page 224: ...le a LAN user s computer at IP address 172 16 0 89 queries a public DNS server to resolve the SMTP server s domain name xxx LAN SMTP com in this example and gets the SMTP server s mapped public IP address of 1 1 1 1 Figure 143 LAN Computer Queries a Public DNS Server The LAN user s computer then sends traffic to IP address 1 1 1 1 NAT loopback uses the IP address of the UAG s lan1 interface 172 16...

Page 225: ... the original destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 145 LAN to LAN Return Traffic 172 16 0 21 LAN 172 16 0 89 Source 172 16 0 89 SMTP NAT Source 172 16 0 1 SMTP 172 16 0 21 LAN 172 16 0 ...

Page 226: ...ss to the user Outgoing traffic from user A will then be sent through the WAN1 interface using the mapped public IP address 10 10 1 35 Outgoing traffic from user B will be sent through the WAN1 interface using the mapped public IP address 10 10 1 36 Figure 146 VPN 1 1 Mapping Example 15 1 1 What You Can Do in this Chapter Use the VPN 1 1 Mapping screens see Section 15 2 on page 227 to enable and c...

Page 227: ...lowed automatically a VPN 1 1 mapping rule to forward any traffic from the user A B through the wan1 interface using a unique public IP address 15 2 The VPN 1 1 Mapping General Screen The VPN 1 1 Mapping summary screen provides a summary of all VPN 1 1 mapping rules and their configuration In addition this screen allows you to create new VPN 1 1 mapping rules and edit and delete existing VPN 1 1 m...

Page 228: ...ate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This field is a sequential value and it is not associated with a specific entry Status Th...

Page 229: ...bject Click this button to create any new user group objects that you need to use in this screen Enable Policy Use this option to turn the VPN 1 1 mapping rule on or off User Group Use the drop down list box to select the individual or group for which you want to use this rule Select any to have the mapping rule apply to all of the traffic that the UAG receives from any user Pool Profile The Selec...

Page 230: ...equential value and it is not associated with a specific entry Name This field displays a descriptive name for the profile Enter a descriptive name to identify the profile Address This field displays the name of the IP address object the profile is set to use Select an address object that presents the IP address es which can be assigned to the matched users by the UAG Note You cannot select an add...

Page 231: ...che a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 150 HTTP Redirect Example 16 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see Section 16 2 on page 232 to display and edit the HTTP redirect rules 16 1 2 What You Need to Know Web Proxy Server A proxy server helps client devices make indi...

Page 232: ...HTTP requests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 150 on page 231 work make sure you have the following settings For HTTP traffic between lan1 and lan2 a from LAN1 to LAN2 security policy to allow HTTP requests from lan1 to lan2 Responses to this reques...

Page 233: ...can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit when the entry is active and dimmed...

Page 234: ...may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be received for the UAG to forward it to the specified proxy server Proxy Server Enter the IP address of the proxy server Port Enter the port number that the proxy server uses OK Click OK to save your chan...

Page 235: ...here the message will be delivered to the recipient The UAG forwards SMTP traffic using TCP port 25 Figure 153 SMTP Redirect Example 17 1 1 What You Can Do in this Chapter Use the SMTP Redirect screens see Section 17 2 on page 236 to display and edit the SMTP redirect rules 17 1 2 What You Need to Know SMTP Simple Mail Transfer Protocol SMTP is the Internet s message transport standard It controls...

Page 236: ...TP server You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet To make the example in Figure 153 on page 235 work make sure you have the following settings For SMTP traffic between lan1 and lan2 a from LAN1 to LAN2 security policy to allow SMTP messages from lan1 to lan2 Responses to this request are allowed automatically a SMTP redire...

Page 237: ...ivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This field is a sequential value and it is not associated with a specific entry Status ...

Page 238: ...MTP redirect rule apply to all of the SMTP messages that the UAG receives from any user Interface Select the interface on which the SMTP traffic must be received for the UAG to forward it to the specified SMTP server Source Address Select the source address or address group for whom this rule applies Use Create new Object if you need to configure a new one Select any if the rule is effective for e...

Page 239: ...to the LAN The ALG on the UAG supports all of the UAG s NAT mapping types FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through If the FTP server is located on the LAN you must also configure NAT port forwarding and security policies if you want to allow access to the server from the WAN ALG and Trunks If you send your ALG managed traffic through an interface tru...

Page 240: ...nsfer Program traffic and help build FTP sessions through the UAG s NAT Enable FTP Transformations Select this option to have the UAG modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT environment Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT envi...

Page 241: ...mainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 19 2 What You Need to Know UPnP hardware is identified as an icon in the Netw...

Page 242: ...ers in some network environments When a UPnP device joins a network it announces its presence with a multicast message For security reasons the UAG allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention 19 3 UPnP Screen Use this screen to enable UPnP and NAT PMP on your UA...

Page 243: ...ogin screen without entering the UAG s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the security policies Clear this check box to have the security policies block all UPnP or NAT PMP application packets for example...

Page 244: ...et Connection Properties window click Settings to see the port mappings there were automatically created Figure 159 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 160 Internet Connection Properties Advanced Settings ...

Page 245: ...isplays in the system tray Figure 162 System Tray Icon 6 Double click on the icon to display your current Internet connection status Figure 163 Internet Connection Status 19 4 2 Web Configurator Easy Access With UPnP you can access the web based configurator on the UAG without finding out the IP address of the UAG first This comes helpful if you do not know the IP address of the UAG Follow the ste...

Page 246: ...scription for each UPnP enabled device displays under Local Network 5 Right click on the icon for your UAG and select Invoke The web configurator login screen displays Figure 165 Network Connections My Network Places 6 Right click on the icon for your UAG and select Properties A properties window displays with basic information about the UAG ...

Page 247: ...Chapter 19 UPnP UAG Series User s Guide 247 Figure 166 Network Connections My Network Places Properties Example ...

Page 248: ...172 16 1 27 and use static DHCP to assign it to Bob s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 172 16 1 27 with another MAC address Figure 167 IP MAC Binding Example 20 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 20 2 on page 249 to bind IP addresses to MAC addresses Use the Exempt List scre...

Page 249: ...lowing table describes the labels in this screen Table 107 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is ...

Page 250: ...ake use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the UAG generate a log if a device connected to this interface attempts to use an IP address not assigned by the UAG Static DHCP Bindings This table lists the bound IP and MAC addresses The UAG checks this table when it assigns IP addresses If the computer s MAC addr...

Page 251: ... helps identify the entry OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without saving Table 108 Configuration Network IP MAC Binding Edit continued LABEL DESCRIPTION Table 109 Configuration Network IP MAC Binding Edit Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the UAG and the interface s IP address and subne...

Page 252: ...ick Edit to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This is the index number of the IP MAC binding list entry Name Enter a name to help identify this entry Start IP Enter the first IP address in a range of IP addresses for which the UAG does not apply IP MAC binding End IP Enter the last IP address in a...

Page 253: ...example layer 2 isolation is enabled on the UAG s interface Vlan1 A printer PC and AP are in the Vlan1 The IP address of network printer C is added to the white list With this setting the connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and the Internet Figure 172 Layer 2 Isolation Application 21 1 1 What You Can Do in this Chapter ...

Page 254: ... Network Layer 2 Isolation White List Table 111 Configuration Network Layer 2 Isolation LABEL DESCRIPTION Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the UAG Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation To e...

Page 255: ...t Select this option to turn on the white list on the UAG Note You can enable this feature only when the security policy is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential...

Page 256: ...Layer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without s...

Page 257: ... feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the UAG s IP address Note You must enable NAT to use the IPnP feature The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house where a UAG is installed you can still use the compute...

Page 258: ...ture on the UAG Note You can enable this feature only when the security policy is enabled Member List The Available list displays the name s of the internal interface s on which you can enable IPnP To enable IPnP on an interface you can double click a single entry to move it or use the Shift or Ctrl key to select multiple entriess and click the right arrow button to add to the Member list To remov...

Page 259: ...s her browser to a web portal page that prompts he she to log in or agree to the policy of user agreement Figure 178 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 23 1 1 What You Can Do in this Chapter Use the Config...

Page 260: ...et Note This works with HTTP traffic only The UAG does not display the Login screen when users attempt to send other kinds of traffic The UAG does not automatically route the request that prompted the login however so users have to make this request again Finding Out More See Section 23 2 2 on page 264 for an example of using an authentication policy for user aware access control 23 2 Web Authenti...

Page 261: ...nable Web Authentication Select the check box to turn on the web authentication feature Otherwise clear the check box to turn it off Once enabled all network traffic is blocked until a client authenticates with the UAG through the specifically designated web portal or user agreement page Web Portal General Setting Logout IP Specify an IP address that users can use to terminate their sessions manua...

Page 262: ...ove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Status This icon is lit...

Page 263: ...ted They must manually go to the login screen or or user agreement page The UAG will not redirect them to the login screen force Users need to be authenticated The UAG automatically displays the login screen or user agreement page whenever it routes HTTP traffic for users who have not logged in yet Authentication Type This field displays the name of the authentication type profile used in this pol...

Page 264: ... any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or address group for whom this policy applies Select any if the policy is effective for every destination This is any and not configurable for the default policy Schedule Select a schedule that defines when the policy applies Otherwise select non...

Page 265: ... server and set the User Type to ext user because this user account is authenticated by an external server Click OK Figure 182 Configuration Object User Group User Add 3 Repeat this process to set up the remaining user accounts 23 2 2 2 Set Up User Groups Set up the user groups and assign the users to the user groups 1 Click Configuration Object User Group Group Click the Add icon 2 Enter the name...

Page 266: ...user authentication using the RADIUS server First configure the settings for the RADIUS server Then set up the authentication method and configure the UAG to use the authentication method Finally force users to log into the UAG before it routes traffic for them 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Configure the RADIUS server s address authentication port 181...

Page 267: ...ck the default entry Click the Add icon Select group radius because the UAG should use the specified RADIUS server for authentication Click OK Figure 185 Configuration Object Auth method Edit 3 Click Configuration Web Authentication In the Web Authentication General screen select Enable Web Authentication to turn on the web authentication feature and click Apply ...

Page 268: ...y user to log into the UAG before the UAG routes traffic for them 5 Select Enable Policy Enter a descriptive name default_policy for example Set the Authentication field to required and make sure Force User Authentication is selected Select an authentication type profile default web portal in this example Keep the rest of the default settings and click OK Note The users must log in at the Web Conf...

Page 269: ...groups distinguished by the value of a specific attribute you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Besides configuring the RADIUS server s address authentication port and key set the Group Membership Attribute f...

Page 270: ...tify groups based on the group identifier values Set up one user account for each group of user accounts in the RADIUS server Click Configuration Object User Group User Click the Add icon Enter a user name and set the User Type to ext group user In the Group Identifier field enter Finance Engineer Sales or Boss and set the Associated AAA Server Object to radius ...

Page 271: ...hentication Type Screen Use this screen to view create and manage the authentication type profiles on the UAG An authentication type profile decides which type of web authentication pages to be used for user authentication Go to Configuration Web Authentication and then select the Authentication Type tab to display the screen Figure 190 Configuration Web Authentication Authentication Type ...

Page 272: ...remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This field is a sequential value and it is not associated with a specific entry Name This field displays the name of the profile default web portal the default login page built into the UAG Note You can also customize the default login page built into the UAG in the System WWW Login Page screen defaul...

Page 273: ...Chapter 23 Web Authentication UAG Series User s Guide 273 Figure 191 Configuration Web Authentication Authentication Type Add Edit Web Portal ...

Page 274: ... up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter The following fields are available if you set Type to Web Portal Internal Web Portal Select this to use the web portal pages uploaded to the UAG The login page appears whenever the web portal intercepts network traffic preventing unauthorized users from gaining access to the ...

Page 275: ...heck box if you want the UAG to monitor how long each access user is logged in and idle in other words there is no traffic for this access user The UAG automatically logs out the access user once the Idle timeout has been reached Idle timeout This is applicable for access users This field is effective when Enable Idle Detection is checked Type the number of minutes each access user can be logged i...

Page 276: ...Authentication Custom Web Portal File Welcome URL Specify the welcome page s URL for example http IIS server IP Address welcome html The Internet Information Server IIS is the web server on which the user agreement files are installed If you leave this field blank the UAG will use the welcome page of internal user agreement file Download Click this to download an example external user agreement fi...

Page 277: ...o select it and and click Remove to delete it from the UAG Download Click a file s row to select it and and click Download to save the zipped file to your computer This column displays the index number for each file entry This field is a sequential value and it is not associated with a specific entry File Name This column displays the label that identifies a web portal or user agreement file Size ...

Page 278: ...reen Use this screen to configure the walled garden web addresses URLs that use the HTTP or HTTPS protocol for web sites that all users are allowed to access without logging in The web site link s displays in the user login screen by default Click Configuration Web Authentication Walled Garden and then select the URL Base tab to display the screen Table 120 Configuration Web Authentication Walled ...

Page 279: ...r select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the fi...

Page 280: ...o activate the entry Hide in login page Select this to not display the web site link in the user login screen This is helpful if a user s access to a specific web site is required to stay connected but he or she doesn t need to visit that web site Name Enter a descriptive name for the walled garden link to be displayed in the login screen You can use up to 31 alphanumeric characters A Z a z 0 9 an...

Page 281: ...this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To tu...

Page 282: ...A Z a z 0 9 and underscores _ Spaces are also allowed The first character must be a letter Type Select whether you want to create the link by entering a domain name or an IP address Domain Name IP Address If you select Domain type a Fully Qualified Domain Name FQDN of a web site An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw i...

Page 283: ...ple 23 4 Advertisement Screen Use this screen to set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet Click Configuration Web Authentication Advertisement to display the screen Figure 201 Configuration Web Authentication Advertisement ...

Page 284: ...tion Advertisement LABEL DESCRIPTION Enable Advertisement Select this to turn on the advertisement feature Note This feature works only when you enable web authentication Advertisement Summary Use this table to manage the list of advertisement web pages Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or se...

Page 285: ...site You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter URL Enter the URL or IP address of the web site Use http followed by up to 262 characters 0 9a zA Z _ For example http www example com or http 172 16 1 35 Preview Click this button to open the specified web site in a new frame OK Click OK to save your changes ...

Page 286: ...ements at the APs Integrated Approach Blink Mode The following example shows the Ekahau RTLS Integrated Approach Blink Mode 1 The Wi Fi tag sends blink packets at specified intervals or triggered by something like motion or button presses 2 The APs pick up the blink packets measure the signal strength and send it to the UAG 3 The UAG forwards the signal measurements to the Ekahau RTLS Controller 4...

Page 287: ... to allow traffic the APs send to reach the Ekahau RTLS Controller The following table lists default port numbers and types of packets RTLS uses 24 3 Configuring RTLS Click Configuration RTLS to open this screen Use this screen to turn RTLS Real Time Location System on or off and specify the IP address and server port of the Ekahau RTLS Controller Figure 204 Configuration RTLS Table 127 RTLS Traff...

Page 288: ...RIPTION Enable Select this to use Wi Fi to track the location of Ekahau Wi Fi tags IP Address Specify the IP address of the Ekahau RTLS Controller Server Port Specify the server port number of the Ekahau RTLS Controller Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to its last saved settings ...

Page 289: ...ol content filter to traffic that matches the criteria above The security policies can also limit the number of user sessions The following example shows the UAG s default security policy behavior for WAN to LAN traffic and how stateful inspection works A LAN user can initiate a Telnet session from within the LAN zone and the UAG allows the response However the UAG blocks Telnet traffic initiated ...

Page 290: ...s to access or manage the UAG The UAG allows DHCP traffic from any interface to the UAG The UAG drops most packets from the WAN zone to the UAG itself and generates a log except for AH ESP GRE HTTPS IKE NATT When you configure a security policy for packets destined for the UAG itself make sure it does not conflict with your service control rule See Chapter 46 on page 486 for more information about...

Page 291: ... schedule to the security policy the user can only access the network at the scheduled time A user aware security policy is activated whenever the user logs in to the UAG and will be disabled after the user logs out of the UAG Session Limits Accessing the UAG or network resources through the UAG requires a NAT session and corresponding security policy session Peer to peer applications such as file...

Page 292: ...5 2 1 Configuring the Security Policy Control Screen Click Configuration Security Policy Policy Control to open the Policy screen Use this screen to enable or disable policy control and asymmetrical routes set a maximum number of sessions per host and display the configured policy control rules Specify from which zone packets come and to which zone packets travel to display only the rules specific...

Page 293: ...This causes the UAG to reset the connection as the connection has not been acknowledged Select this check box to have the UAG permit the use of asymmetrical route topology on the network not reset the connection Note Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the UAG A better solution is to use virtual interfaces to put the UAG and the ...

Page 294: ...of packets to which they apply For example from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN From any displays all the policy control rules for traffic going to the selected To Zone To any displays all the policy control rules for traffic coming from the selected From Zone From any to any displays all of the policy control ...

Page 295: ...t allowed The first character must be a letter Description Enter a descriptive name of up to 60 printable ASCII characters for the security policy Spaces are allowed From To For through UAG rules select the direction of travel of packets to which the policy applies any means all interfaces Device means packets destined for the UAG itself Source Select an IPv4 address or address group to apply an I...

Page 296: ... that match this rule Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select allow to permit the passage of the packets Log matched traffic Select whether to have the UAG generate a log log log and alert log alert or not no when the policy is matched See Chapter 47 on page 534 for more on logs UTM Profile Use t...

Page 297: ...le session limit Use this field to set a common limit to the number of concurrent NAT security policy sessions each client computer can have If only a few clients use peer to peer applications you can raise this number to improve their performance With heavy peer to peer application use lower this number to ensure no single client uses too many of the available NAT sessions Create rules below to a...

Page 298: ...and dimmed when the entry is inactive This is the index number of a session limit rule It is not associated with a specific rule User This is the user name or user group name to which this session limit rule applies IPv4 Address This is the IPv4 address object to which this session limit rule applies Description This is the information configured to help you identify the rule Limit This is how man...

Page 299: ...e specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field below the user s IP address should be within the IP address range Address Select the IPv4 source address or address group to which this rule applies Select any to apply ...

Page 300: ...s follows and click OK Figure 213 Security Policy Example Create a Service Object 4 Select From WAN and To LAN and enter a name for the security policy Select Dest_1 for the Destination and Doom as the Service Enter a name and configure the rest of the screen as follows Click OK when you are done Figure 214 Security Policy Example Edit a Security Policy 5 The security policy appears in the Securit...

Page 301: ...raffic Example Your security policy would have the following settings The first row blocks LAN access to the IRC service on the WAN The second row is the security policy s default policy that allows all LAN1 to WAN traffic The UAG applies the security policies in order So for this example when the UAG receives traffic from the LAN it checks it against the first rule If the traffic matches if it is...

Page 302: ... for example to go to any destination address You do not need to specify a schedule since you want the security policy to always be in effect The following figure shows the results of your two custom rules Figure 217 Limited LAN to WAN IRC Traffic Example Your security policy would have the following configuration The first row allows the LAN1 computer at IP address 172 16 1 7 to access the IRC se...

Page 303: ...y policy s default policy of allowing all traffic from the LAN1 to go to the WAN The policy for the CEO must come before the policy that blocks all LAN1 to WAN IRC traffic If the policy that blocks all LAN1 to WAN IRC traffic came first the CEO s IRC traffic would match that policy and the UAG would drop it and not check any other security policies Table 136 Limited LAN1 to WAN IRC Traffic Example...

Page 304: ...26 5 on page 316 to enable online payment service and configure the service pages 26 1 2 What You Need to Know Accumulation Accounting Method The accumulation accounting method allows multiple re logins until the allocated time period or until the user account is expired The UAG accounts the time that the user is logged in for Internet access Time to finish Accounting Method The time to finish acc...

Page 305: ...ick Configuration Billing General to open the following screen Figure 218 Configuration Billing General The following table describes the labels in this screen Table 137 Configuration Billing General LABEL DESCRIPTION General Settings Unused account will be deleted after the time Enter the number and select a time unit from the drop down list box to specify how long to wait before the UAG deletes ...

Page 306: ...r and login to disassociate the first user that logged in and allow new user to log in when the Maximum number per billing account is reached Username Password length Select to specify how manay characters the username and password of a newly created dynamic guest account will have after you click Apply Keep user logged in Select to let the users automatically log in without entering their user na...

Page 307: ...ton to open the Account Generator screen where you can generate a dynamic guest account and print the account information using a statement printer connected to the UAG see Section 26 3 1 on page 308 for more information Billing Profile Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To re...

Page 308: ...Time Period This field displays the duration of the billing period Quota T U D This field displays how much data in both directions Total or upstream data Upload and downstream data Download can be transmitted through the WAN interface before the account expires Bandwidth U D This field displays the maximum upstream Upload and downstream Download bandwidth allowed for the user account in kilobits ...

Page 309: ...en This is the number of each discount level The default first level cannot be edited or deleted It is created automatically according to the billing profile of the button you select Name This field displays the conditions of each discount level Unit This field displays the duration of the billing period that should be reached before the UAG charges users at this level Price This field displays th...

Page 310: ...hows the tax rate Grand Total This shows the total price including tax Quantity Specify the number of account to be created Generate Click Generate to generate an account based on the billing settings you configure for the selected button in the Billing Profile screen A window displays showing the SMS message and or a printout preview of the account generated Cancel Click Cancel to exit this scree...

Page 311: ...k Printer to print this subscriber statement Click Cancel to close this window when you are finished viewing it 26 3 2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts Click the Account Redeem tab in the Account Generator screen to open this screen ...

Page 312: ...her an account expires or not Username This field displays the user name of the account Create Time This field displays when the account was created Remaining Time This field displays the amount of Internet access time remaining for each account Time Period This field displays the total account of time the account can use to access the Internet through the UAG Expiration Time This field displays t...

Page 313: ...of the web configurator This button is available only when you open this screen by logging in with the guest manager account Table 140 Account Redeem continued LABEL DESCRIPTION Table 141 Configuration Billing Billing Profile Add Edit LABEL DESCRIPTION Enable billing profile Select this option to activate the profile Name Enter a name for the billing profile You can use up to 31 alphanumeric chara...

Page 314: ...res 0 means there is no data limit for the user account Upload Quota If you select Upload Download specify how much upstream data in MB Megabytes or GB Gigabytes can be transmitted through the WAN interface before the account expires 0 means there is no data limit for the user account Download Quota If you select Upload Download specify how much downstream data in MB Megabytes or GB Gigabytes can ...

Page 315: ...ive that their total purchase reaches Discount Price Plan Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This is the number of each discount level The default first level cannot be edited ...

Page 316: ...ize process and manage credit card transactions directly through the Internet You must register with the supported credit card service before you can configure the UAG to handle credit card transactions Click Configuration Billing Payment Service to open the following screen Table 143 Configuration Billing Discount Add Edit LABEL DESCRIPTION Name This field displays the conditions of each discount...

Page 317: ... to access the Internet The link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information Payment Provider Selection Account You should already have a PayPal account to receive credit card payments Enter your PayPal account name Currency Select the currency in which payments are made The available options depen...

Page 318: ...ry Method Specify how the UAG provides dynamic guest account information after the user s online payment is done Select On Screen to display the user account information in the web screen Select SMS to use Short Message Service SMS to send account information in a text message to the user s mobile device Select On Screen and SMS to provide the account information both in the web screen and via SMS...

Page 319: ...Chapter 26 Billing UAG Series User s Guide 319 Figure 226 Configuration Billing Payment Service Desktop View ...

Page 320: ...Chapter 26 Billing UAG Series User s Guide 320 Figure 227 Configuration Billing Payment Service Mobile View ...

Page 321: ...age after the user s online payment is made successfully Use up to 256 printable ASCII characters Spaces are allowed Notification Message Enter the important information you want to display Use up to 256 printable ASCII characters Spaces are allowed Notification Color Specify the font color of the important information You can use the color palette chooser or enter a color value of your own Accoun...

Page 322: ...n Do in this Chapter Use the General Setting General screen see Section 27 2 on page 322 to configure the printer list and enable printer management Use the General Setting Printout Configuration screen see Section 27 3 on page 325 to customize the account printout Use the Printer Manager screen see Section 27 4 on page 326 to manage and view information about the connected statement printer 27 2 ...

Page 323: ...ettings Port Enter the number of port on which the UAG sends data to the printer for it to print Encryption Select the check box to turn on data encryption Data transmitted between the UAG and the printer will be encrypted with a secret key Secret Key Enter four alphanumeric characters A Z a z 0 9 to specify a key for data encryption Printout Number of Copies Select how many copies of subscriber s...

Page 324: ...ddress This field displays the IP address of the printer Description This field displays the descriptive name for the printer Printer Firmware Information Current Version This is the version of the printer firmware currently uploaded to the UAG The UAG automatically installs it in the connected printers to make sure the printers are upgraded to the same version Apply Click this button to save your...

Page 325: ... use a custom account printout format instead of the default one built into the UAG Once this option is selected the custom format controls below become active Preview Click the button to display a preview of account printout format you uploaded to the UAG File Name This shows the file name of account printout format file in the UAG Click Download to download the account printout format file from ...

Page 326: ...General Setting to manually configure a printer s IP address and add it to the managed printer list when the printer is not detected or connected to the UAG Refresh Click this button to update the information in the screen This is the index number of the printer in the list Registration This field displays whether the printer is added to the managed printer list Mgnt Printer or not Un Mgnt Printer...

Page 327: ...rinter Manager Edit LABEL DESCRIPTION General Settings Nickname Enter a nickname for the printer IP Address Assignment Get Automatically Select this to make the printer a DHCP client and automatically get the IP address subnet mask and gateway address from a DHCP server Use Fixed IP Address Select this if you want to specify the printer s IP address subnet mask and gateway manually IP Address Ente...

Page 328: ...conds to print The following sections describe each report printout in detail 27 4 4 Daily Account Summary The daily account report lists the accounts printed during the current day the current day s total number of accounts and the total charge It covers the accounts that have been printed during the current day starting from midnight not the past 24 hours For example if you press the daily accou...

Page 329: ...past one month period For example if you press the monthly account key combination on 2013 05 17 at 20 00 00 the monthly account report includes the accounts created from 2013 05 01 at 00 00 01 to 2013 05 17 at 19 59 59 Key combination A B C B A The following figure shows an example Figure 234 Monthly Account Example Daily Account 2013 05 10 Username Price p2m6pf52 1 00 s4pcms28 2 00 TOTAL ACCOUNT...

Page 330: ...accounts generated on another day or month up to 2000 entries total 27 4 7 System Status This report shows the current system information such as the host name and WAN IP address Key combination A B C C A The following figure shows an example Figure 235 System Status Example The following table describes the labels in this report System Status Item Description SYST 02 02 35 WAST Link up WLST Activ...

Page 331: ...e WAN port on the UAG LAIP This field displays the IP address of the LAN port on the UAG WLIP This field displays the IP address of the wireless LAN interface on the UAG DHSP This field displays the first of the continuous addresses in the IP address pool DHEP This field displays the end of the continuous addresses in the IP address pool CPUS This field displays the UAG s recent CPU usage MEMS Thi...

Page 332: ... of time 28 1 1 What You Can Do in this Chapter Use the Free Time screen see Section 28 2 on page 332 to turn on this feature to allow users to get a free account for Internet surfing during the specified time period 28 2 The Free Time Screen Use this screen to enable and configure the free time settings Click Configuration Free Time to open the following screen Figure 236 Configuration Free Time ...

Page 333: ...ew free time account is allowed to access the Internet If the date you selected is not available in a month such as 30th or 31th the UAG allows the free account access on the last day of the month Maximum Registration Number Before Reset Time Enter the maximum number of the users that are allowed to log in for Internet access with a free guest account before the time specified in the Reset Time fi...

Page 334: ... an example login screen with a link to create a free guest account If you enable both online payment service and free time feature on the UAG the link description in the login screen will be mainly for online payment service You can still click the link to get a free account ...

Page 335: ...de 335 If SMS is enabled on the UAG you have to enter your mobile phone number before clicking OK to get a free guest account The guest account information then displays in the screen and or is sent to the configured mobile phone number EXAMPLE ...

Page 336: ...d SMS messages You must already have a Vianett account in order to use the SMS service 29 1 1 What You Can Do in this Chapter Use the SMS screen see Section 29 2 on page 336 to turn on the SMS service on the UAG 29 2 The SMS Screen Use this screen to enable SMS in order to send dynamic guest account information in text messages Click Configuration SMS to open the following screen Figure 237 Config...

Page 337: ... your password again for confirmation License This section is available only on the UAG that requires SMS service subscription the UAG2100 for example Licensed Service Status This field displays whether the service is activated Licensed or not Not Licensed Note You must subscribe to the SMS service before you can use the service to send a text message License Type This field displays Standard when...

Page 338: ...provide confidentiality data integrity and authentication at the IP layer The UAG can also combine multiple IPSec VPN connections into one secure network Here local UAG X uses an IPSec VPN tunnel to remote peer UAG Y to connect the local A and remote B networks Figure 239 IPSec VPN Example 30 1 1 What You Can Do in this Chapter Use the VPN Connection screens see Section 30 2 on page 340 to specify...

Page 339: ...f the IPSec SA The IPSec SA is secure because routers X and Y established the IKE SA first Finding Out More See Section 30 4 on page 354 for IPSec VPN background information See the help in the IPSec VPN quick setup wizard screens 30 1 3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features It also gives some basic suggestions for troubleshooting Yo...

Page 340: ...ore information Table 155 Configuration VPN IPSec VPN VPN Connection LABEL DESCRIPTION Ignore Don t Fragment setting in IPv4 header Select this to fragment packets larger than the MTU Maximum Transmission Unit that have the don t fragment bit in the IP header turned on When you clear this the UAG drops packets larger than the MTU that have the don t fragment bit in the header turned on Add Click t...

Page 341: ...ot associated with a specific connection Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the associated VPN gateway s Policy This field displays the local policy and the...

Page 342: ...Chapter 30 IPSec VPN UAG Series User s Guide 342 Figure 242 Configuration VPN IPSec VPN VPN Connection Add Edit ...

Page 343: ...justment Select Custom Size to set a specific number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection Select Auto to have the UAG automatically set the MSS for this VPN connection VPN Gateway Application Scenario This field is read only and shows the scenario that the UAG supports Site to site The remote IPS...

Page 344: ...this to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific proposal The sequence of proposals should not affect performance significantly Encryption This field is applicable when the Active Protocol is ESP Select which key size and encryption algorithm to use in the IPSec SA Choices are NULL no encryptio...

Page 345: ... accept the TCP connection Check Port This field displays when you set the Check Method to tcp Specify the port number to use for a TCP connectivity check Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures allowed bef...

Page 346: ...example the mail server in the local network Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you...

Page 347: ...ove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example This field is a sequential value and it is not associated...

Page 348: ...d Edit Screen The VPN Gateway Add Edit screen allows you to create a new VPN gateway policy or edit an existing one To access this screen go to the VPN Gateway summary screen see Section 30 3 on page 347 and either click the Add icon or select an entry and click the Edit icon ...

Page 349: ...Chapter 30 IPSec VPN UAG Series User s Guide 349 Figure 244 Configuration VPN IPSec VPN VPN Gateway Add Edit ...

Page 350: ...r You can provide a second IP address or domain name for the UAG to try if it cannot establish an IKE SA with the first one Fall back to Primary Peer Gateway when possible When you select this if the connection to the primary address goes down and the UAG changes to using the secondary connection the UAG will reconnect to the primary address when it becomes available again and stop using the secon...

Page 351: ...he UAG is identified by the string specified in this field Content This field is read only if the UAG and remote IPSec router use certificates to identify each other Type the identity of the UAG during authentication The identity depends on the Local ID Type IPv4 type an IP address if you type 0 0 0 0 the UAG uses the IP address specified in the My Address field This is not recommended in the foll...

Page 352: ...ommended in the following situations There is a NAT router between the UAG and remote IPSec router You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses In these situations use a different IP address or use a different Peer ID Type Phase 1 Settings SA Life Time Seconds Type the maximum number of seconds the I...

Page 353: ...router must also enable NAT traversal and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged Dead Peer Detection DPD Select this check box if you want the UAG to make sure the remote IPSec router is there before it transmits data through the IKE SA The remote IPSec router must support DPD If there has been no traffic for at least 15 seconds the UAG sends a mes...

Page 354: ... router as 0 0 0 0 This means that the remote IPSec router can have any IP address In this case only the remote IPSec router can initiate an IKE SA because the UAG does not know the IP address of the remote IPSec router This is often used for telecommuters IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm authentication algorithm and Diffie Hellman DH key group that ...

Page 355: ...he strength of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data It is faster than 3DES Some UAGs also offer stronger forms of AES that apply 192 bit or 256 bit keys to 128 bit blocks of data In most UAGs you can select one of the following authentication algorithms for each proposal The algorit...

Page 356: ...ow The identities are also encrypted using the encryption algorithm and encryption key the UAG and remote IPSec router selected in previous steps Figure 247 IKE SA Main Negotiation Mode Steps 5 6 Authentication continued You have to create and distribute a pre shared key The UAG and remote IPSec router use it in the authentication process though it is not actually transmitted or exchanged Note The...

Page 357: ... use this if your UAG provides another way to check the identity of the remote IPSec router for example extended authentication or if you are troubleshooting a VPN tunnel Additional Topics for IKE SA This section provides more information about IKE SA Negotiation Mode There are two negotiation modes main mode and aggressive mode Main mode provides better security while aggressive mode is faster Ma...

Page 358: ... establish a VPN tunnel Most routers like router A now have an IPSec pass thru feature This feature helps router A recognize VPN packets and route them appropriately If router A has this feature router X and router Y can establish a VPN tunnel as long as the active protocol is ESP See Active Protocol on page 359 for more information about active protocols If router A does not have an IPSec pass th...

Page 359: ...k the signatures on each other s certificates Unlike pre shared keys the signatures do not have to match The local and peer ID type and content come from the certificates Note You must set up the certificates for the UAG and remote IPSec router first IPSec SA Overview Once the UAG and remote IPSec router have established the IKE SA they can securely negotiate an IPSec SA through which to send data...

Page 360: ...the packet With ESP however the UAG does not include the IP header when it encapsulates the packet so it is not possible to verify the integrity of the source IP address IPSec SA Proposal and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 354 except that you also have the choice whether or not the UAG and remote IPSec router perform a new ...

Page 361: ...er like the mail server in the local network Each kind of translation is explained below The following example is used to help explain each one Figure 250 VPN Example NAT for Inbound and Outbound Traffic Source Address in Outbound Packets Outbound Traffic Source NAT This translation lets the UAG route packets from computers that are not part of the specified local network local policy through the ...

Page 362: ...page 361 you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network A You have to specify one or more rules when you set up this kind of NAT The UAG checks these rules similar to the way it checks security policies The first part of these rules define the conditions in which the rule apply Original IP the original destinat...

Page 363: ...router 172 16 1 0 24 Set Up the VPN Gateway that Manages the IKE SA In Configuration VPN IPSec VPN VPN Gateway Add enable the VPN gateway and name it VPN_GW_EXAMPLE here Set My Address to Interface and select a WAN interface Set Peer Gateway Address to Static Address and enter the remote IPSec router s public IP address 2 2 2 2 here as the Primary Set Authentication to Pre Shared Key and enter 123...

Page 364: ...to create an address object for the remote network Set the Address Type to SUBNET the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 2 Enable the VPN connection and name it VPN_CONN_EXAMPLE Set VPN Gateway to Site to site and select the VPN gateway you configured VPN_GW_EXAMPLE Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the remote Click OK ...

Page 365: ...Chapter 30 IPSec VPN UAG Series User s Guide 365 ...

Page 366: ...ake sure both the security policy allow the service s packets to go through the UAG Note The UAG checks security policies before it checks bandwidth management rules for traffic going through the UAG Bandwidth management examines every TCP and UDP connection passing through the UAG Then you can specify by port whether or not the UAG continues to route the connection BWM Type The UAG supports three...

Page 367: ...t the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that is from which interface the connection was initiated and to which interface the connection is going A connect...

Page 368: ...1 so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 253 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The UAG gives bandwidth...

Page 369: ... policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traffic Figure 254 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled...

Page 370: ...inding Out More See DSCP Marking and Per Hop Behavior on page 205 for a description of DSCP marking 31 2 The Bandwidth Management Screen The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destination interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence ...

Page 371: ...ate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you want to put that entry and press ENTER to move the entry to the number that you typed Status The activate light bulb icon is lit when the entry is active...

Page 372: ...nds to a connection s initiator If no displays here this policy does not apply bandwidth management for the inbound traffic Out This is how much outgoing bandwidth in kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the UAG sends out from a connection s initiator If no displays here this policy does not apply bandwidth management for the outbound tr...

Page 373: ...Chapter 31 Bandwidth Management UAG Series User s Guide 373 Figure 256 Configuration BWM Edit For the Default Policy Figure 257 Configuration BWM Add Edit ...

Page 374: ...ource IP you can only select a source address group that contains no more than 256 IP addresses Destination Select a destination address or address group for whom this policy applies Use Create new Object if you need to configure a new one Select any if the policy is effective for every destination DSCP Code Select a DSCP code point value of incoming or outgoing packets to which this policy applie...

Page 375: ...oes not apply bandwidth management for the matching traffic that the UAG sends out from the initiator Traffic with bandwidth management disabled inbound and outbound are both set to 0 is automatically treated as the lowest priority 7 If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed lower priority traffic may not be sent if higher priority...

Page 376: ...o Know If you want to use a service make sure both the Security Policy and application patrol allow the service s packets to go through the UAG Note The UAG checks secure policies before it checks application patrol rules for traffic going through the UAG Application patrol examines every TCP and UDP connection passing through the UAG and identifies what application is using the connection Then yo...

Page 377: ...sitives for a particular application Custom Ports for SIP and the SIP ALG Configuring application patrol to use custom port numbers for SIP traffic also configures the SIP ALG to use the same port numbers for SIP traffic Likewise configuring the SIP ALG to use custom port numbers for SIP traffic also configures application patrol to use the same port numbers for SIP traffic Finding Out More You mu...

Page 378: ...dd to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove Select an entry and click Remove to delete the selected entry Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry Click Refresh to update information on this scree...

Page 379: ...56789012 Description Enter a description of this profile You can use alphanumeric and _ characters and it can be up to 60 characters long Profile Management Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Remove Select an entry and click Remove to delete the selected entry This field is a sequential value showing the number of the p...

Page 380: ...tion UTM Profile App Patrol Profile Add Edit continued LABEL DESCRIPTION Table 169 Configuration UTM Profile App Patrol Profile Add Edit Rule Add Edit Application LABEL DESCRIPTION General Settings Application Select an application to apply the policy You must have configured an application object in the Configuration Object Application screen Action Select the default action for all signatures in...

Page 381: ...ic categories of web site content You can create different content filter policies for different addresses schedules users or groups and content filter profiles For example you can configure one policy that blocks John Doe s access to arts and entertainment web pages during the workday and another policy that lets him access them after work Content Filtering Policies A content filtering policy all...

Page 382: ...ized based on content You can have the UAG block block and or log access to web sites based on these categories Keyword Blocking URL Checking The UAG checks the URL s domain name or IP address and file path separately when performing keyword blocking The URL s domain name or IP address is the characters that come before the first slash in the URL For example with the URL www zyxel com tw news pres...

Page 383: ...Profile Content Filter Profile The following table describes the labels in this screen Table 170 Configuration UTM Profile Content Filter Profile LABEL DESCRIPTION General Settings Enable Content Filter Report Service Select this check box to have the UAG collect category based content filtering statistics Report Server Click this link to choose where your UAG is registered myZyXEL com or myZyXEL ...

Page 384: ...scription This column lists the description of the content filter profile rule Reference This displays the number of times an Object Reference is used in a rule Content Filter Category Service License Status License Status This read only field displays the status of your content filtering database service registration Not Licensed displays if you have not successfully registered and activated the ...

Page 385: ...ick Configuration UTM Content Filter Profile Add Edit to open the Add Filter Profile screen Configure Category Service and Custom Service tabs 33 2 1 1 Category Service Click the Category Service tab Figure 262 Configuration UTM Profile Content Filter Profile Add Edit Filter Profile Category Service ...

Page 386: ...e name You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field ...

Page 387: ...o allow users to access any requested web page if the external content filtering database is unavailable Select Block to block access to any requested web page if the external content filtering database is unavailable Select Warn to display a warning message before allowing users to access any requested web page if the external content filtering database is unavailable The following are possible c...

Page 388: ...g license to filter these categories Test Web Site Category URL to test You can check which category a web page belongs to Enter a web site URL in the text box When the content filter is active you should see the web page s category The query fails if the content filter is not active Test Against Content Filter Category Server Click this button to see the category recorded in the external content ...

Page 389: ...ase sensitive Description Enter a description for the content filtering profile rule to help identify the purpose of rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive This field is optional Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites Content filter li...

Page 390: ...er Allow Java ActiveX Cookies Web proxy to trusted web sites When this box is selected the UAG will permit Java ActiveX and Cookies from sites on the Trusted Web Sites list to the LAN In certain cases it may be desirable to allow Java ActiveX or Cookies from sites that are known and trusted Trusted Web Sites These are sites that you want to allow access to regardless of their content rating can be...

Page 391: ...d to match any string The entry must contain at least one or it will be invalid Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of t...

Page 392: ... want to allow access to regardless of their content rating can be allowed by adding them to this list Add Click this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the trusted web sites Trusted Web Site This column displays the trusted web sites already added Enter host names su...

Page 393: ...lick this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This displays the index number of the forbidden web sites Forbidden Web Sites This list displays the forbidden web sites already added Enter host names such as www bad site com into this text field Do not enter the complete URL of the site that is do not in...

Page 394: ...G s cache The UAG blocks blocks and logs or just logs the request based on your configuration 3 If the UAG has no record of the web site it queries the external content filter database and simultaneously sends the request to the web server 4 The external content filter server sends the category information back to the UAG which then blocks and or logs access to the web site based on the settings i...

Page 395: ...nterface and PPPoE PPTP interface can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 267 Example Zones 34 1 1 What You Can Do in this Chapter Use the Zone screens see Section 34 2 on page 396 to manage the UAG s zones 34 1 2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectivel...

Page 396: ... traffic between VLAN1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone Traffic Extra zone traffic is traffic to or from any interface that is not assigned to a zone For example in Figure 267 on page 395 traffic to or from computer C is extra zone traffic Some zone based security and policy settings may apply to extra zone...

Page 397: ...es Add Click this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use t...

Page 398: ...shes but the first character cannot be a number This value is case sensitive Member List Available lists the interfaces that do not belong to any zone Select the interfaces that you want to add to the zone you are editing and click the right arrow button to add them Member lists the interfaces that belong to the zone Select any interfaces that you want to remove from the zone and click the left ar...

Page 399: ... and other user settings for the UAG You can also use this screen to specify when users must log in to the UAG before it routes traffic for them The MAC Address screen see Section 35 5 on page 411 allows you to configure the MAC addresses of wireless clients for MAC authentication using the local user database 35 1 2 What You Need To Know User Account A user account defines the privileges of a use...

Page 400: ...n the UAG sets the user type for this session to User For the rest of the user attributes such as reauthentication time the UAG checks the following places in order 1 User account in the remote server 2 User account Ext User in the UAG 3 Default user account for RADIUS users radius users in the UAG See Setting up User Attributes in an External Server on page 413 for a list of attributes and how to...

Page 401: ... the same rule for several user accounts instead of creating separate rules for each one Note You cannot put access users and admin users in the same user group Note You cannot put the default admin account into any user group The sequence of members in a user group is not important User Awareness By default users do not have to log into the UAG to use the network services it provides The UAG auto...

Page 402: ...d with a specific user User Name This field displays the user name of each user User Type This field displays the kind of account of each user These are the kinds of user account the UAG supports admin this user can look at and change the configuration of the UAG limited admin this user can look at the configuration of the UAG but not to change it dynamic guest this user has access to the UAG s se...

Page 403: ...enter a user bob but use BOB when connecting via CIFS or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 35 2 on page 401 and click either the Add icon or an Edit icon Figure 271 Configuration Object User Group User Add Edit adm admin any bin daem...

Page 404: ...count Specify the value of the RADIUS server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user account Select the AAA server to use to authenticate this account s users Description Enter the description of each user if any You can use up to 60 printable ASCII characters Default descr...

Page 405: ...cel to exit this screen without saving your changes Table 179 Configuration Object User Group User Add Edit continued LABEL DESCRIPTION Table 180 Configuration Object User Group Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click R...

Page 406: ...res _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the users and user groups that have been added to the user group The order of members is...

Page 407: ...ttings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings...

Page 408: ...out logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable user idle detection This is applicable for access users Select this check box if you want the UAG to monitor how long each access user is...

Page 409: ... disassociate the first user that logged in and allow new user to log in when the Maximum number per access account is reached User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can login unsuccessfully for example wrong password before the IP address is locked out for a specified amount of time Maximum retry count This field is eff...

Page 410: ... screen and create dynamic guest accounts using the Account Generator screen that pops up pre subscriber this user has access to the UAG s services but cannot look at the configuration Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimit...

Page 411: ...ccess users can click this button to reset the lease time the amount of time remaining before the UAG automatically logs them out The UAG sets this amount of time according to the User defined lease time field in this screen Lease time field in the User Add Edit screen see Section 35 2 1 on page 402 Lease time field in the Setting Edit screen see Section 35 4 on page 406 Updating lease time automa...

Page 412: ...remove it before doing so This field is a sequential value and it is not associated with a specific entry MAC Address OUI The wireless client MAC address or OUI Organizationally Unique Identifier The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device Description This field displays the description for each entry Table 186 Configuration Objec...

Page 413: ...ounts If you plan to create a large number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the RADIUS server and create a shell script that creates the user accounts See Chapter 48 on page 549 for more information about shell scripts Table 187 RADIUS Keywords for User Attributes KEYWORD CORRESPONDING ATTRIBUTE IN WE...

Page 414: ...2 radio profiles on the UAG2100 and the UAG4100 or 64 radio profiles on the UAG5100 SSID This profile type defines the properties of a single wireless network signal broadcast by an AP Each radio on a single AP can broadcast up to 8 SSIDs You can have a maximum of 32 SSID profiles on the UAG2100 and the UAG4100 or 64 SSID profiles on the UAG5100 Security This profile type defines the security sett...

Page 415: ... WPA2 Wi Fi Protected Access WPA is a subset of the IEEE 802 11i standard WPA2 IEEE 802 11i is a wireless security standard that defines stronger encryption authentication and key management than WPA Key differences between WPA 2 and WEP are improved data encryption and user authentication IEEE 802 1x The IEEE 802 1x standard outlines enhanced security methods for both the authentication of wirele...

Page 416: ...uential value and it is not associated with a specific profile Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Band This field indicates the frequency band which this radio profile is configured to use Channel ID This field indicates the broadcast channel which this radio profi...

Page 417: ... Radio Profile This screen allows you to create a new radio profile or edit an existing one To access this screen click the Add button or select a radio profile from the list and click the Edit button Figure 281 Configuration Object AP Profile Add Edit Radio Profile ...

Page 418: ...channel which this radio profile should use It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned Some 5 GHz channels include the label indoor use only These are for use with an indoor AP only Do not use them with a...

Page 419: ...eriod after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode A high DTIM value can cause clients to lose connectivity with the network This value can be set from 1 to 255 Output Power Set the output power of the AP in this field If there is a high density of APs in an area decrease the output power of the NWA5160N to reduce interference wi...

Page 420: ... wireless network performance in terms of throughput Multicast Settings Use this section to set a transmission mode and maximum rate for multicast traffic Transmission Mode Set how the AP handles multicast traffic Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic Unicast traffic dynamically changes the data rate based on the appli...

Page 421: ...w which other objects are linked to the selected SSID profile for example radio profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the name assigned to the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Security Profile This field indicates which if any security profile is associated wi...

Page 422: ...ement purposes Underscores are allowed SSID Enter the SSID name for this profile This is the name visible on the network to wireless clients Enter up to 32 characters spaces and underscores are allowed Security Profile Select a security profile from this list to associate with this SSID If none exist you can use the Create new Object menu to create one Note It is highly recommended that you create...

Page 423: ...ers connected to it Rate Limiting Downlink Define the maximum incoming transmission data rate either in mbps or kbps on a per station basis Uplink Define the maximum outgoing transmission data rate either in mbps or kbps on a per station basis Band Select To improve network performance and avoid interference in the 2 4 GHz frequency band you can enable this feature to use the 5 GHz band first You ...

Page 424: ...k Cancel to exit this screen without saving your changes Table 191 Configuration Object AP Profile SSID List Add Edit SSID Profile continued LABEL DESCRIPTION Table 192 Configuration Object AP Profile SSID Security List LABEL DESCRIPTION Add Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this to remove the selected security profile Objec...

Page 425: ...the default screen is displayed here Figure 285 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile The following table describes the labels in this screen Table 193 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the We...

Page 426: ... Auth Method screen Delimiter Account Select the separator the external server uses for the two character pairs within account MAC addresses Case Account Select the case upper or lower the external server requires for letters in the account MAC addresses Delimiter Calling Station ID RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute Select the separator the exter...

Page 427: ...his automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection tkip This is the Temporal Key Integrity Protocol encryption method added later to the WEP encryption protocol to further secure Not all wireless clients may support this aes This is the Advanced Encryption Standard encryption method It is a more recent devel...

Page 428: ...een click the Add button or select a MAC filter profile from the list and click the Edit button Table 194 Configuration Object AP Profile SSID MAC Filter List LABEL DESCRIPTION Add Click this to add a new MAC filtering profile Edit Click this to edit the selected MAC filtering profile Remove Click this to remove the selected MAC filtering profile Object Reference Click this to view which other obj...

Page 429: ...sociated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC address to the profile s list Edit Click this to edit the selected MAC address in the profile s list Remove Click this to remove the selected MAC address from the profile s list This field is a sequential value and it is not associated with a specific profile MAC This field specifie...

Page 430: ...lowing terms and concepts may help as you read this chapter Active Scan An active scan is performed when an 802 11 compatible wireless monitoring device is explicitly triggered to scan a specified channel or number of channels for other wireless devices broadcasting on the 802 11 frequencies by sending probe request frames Passive Scan A passive scan is performed when an 802 11 compatible monitori...

Page 431: ...selected monitor mode profile Remove Click this to remove the selected monitor mode profile Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Click this to view which other objects are linked to the selected monitor mode profile for example an AP management profile This field is a sequential value and it is not...

Page 432: ...n milliseconds before the AP switches to another channel for monitoring Scan Channel Mode Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires Selecting this options makes the Scan Channel List options available Set Scan Channel List 2 4 GHz...

Page 433: ... compromised by a rogue AP RG set up by an employee at his workstation in order to allow him to connect his notebook computer wirelessly A The company s legitimate wireless network the dashed ellipse B is well secured but the rogue AP uses inferior security that is easily broken by an attacker X running readily available encryption cracking software In this example the attacker now has access to t...

Page 434: ...re a list of friendly APs Friendly APs are other wireless access points that are detected in your network as well as any others that you know are not a threat those from recognized networks for example It is recommended that you export save your list of friendly APs often especially if you have a network with a large number of access points ...

Page 435: ...tegories of applications include at the time of writing The following table shows the types of categories currently supported A and the associated signatures for each category B Figure 291 Application Categories and Associated Signatures Table 198 Categories of Applications Instant Messaging P2P File Transfer Streaming Media Mail and Collaboration Voice over IP Database Games Network Management Re...

Page 436: ...ration Object Application Application The following table describes the labels in this screen Table 199 Configuration Object Application Application LABEL DESCRIPTION Add Click this to add a new application object Edit Click this to edit the selected application object Remove Click this to remove the selected application object Object Reference Click this to view which other objects are linked to ...

Page 437: ... shows whether you have activated an AppPatrol signatures license License Type This field shows the type of AppPatrol signatures license you have activated Signature Information An activated license allows you to download signatures to the UAG from myZyXEL com These fields show details on the signatures downloaded Current Version The version number increments when signatures are updated at myZyXEL...

Page 438: ...ntify this application rule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description You may type some extra information on the application object here Add Click this to create a new application rule Remove Click this to remove the selected application rule This field is a sequential value associated with t...

Page 439: ... in the adjacent drop down list box to display all signatures of that category Select By Service type a keyword and click Search to display all signatures containing that keyword Query Result The results of the search are displayed here This field is a sequential value associated with this signature Category This field shows the category to which the signature belongs Select the checkbox to add th...

Page 440: ...with an application group Name This field indicates the name assigned to the application group Description You may type some extra information on the application group here Member This field shows the application objects in this application group Reference This displays the number of times an object reference is used in a profile License You need to buy a license or use a trial license in order to...

Page 441: ...ect Application Application Add Application Group Rule LABEL DESCRIPTION Name Enter a name for the group You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Description This field displays the description of each group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list ...

Page 442: ...rofiles Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 39 2 Address Summary Screen The address screens are used to create maintain and remove addresses There are the types of address objects HOST a...

Page 443: ... entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example This field is a sequential value and it is not associated with a specific address Name This field displays the ...

Page 444: ...dates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address object rep...

Page 445: ...dress Group LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the ent...

Page 446: ... if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift o...

Page 447: ...x Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data Once the connection is established the computers exchange data If data arrives out of sequence or is missing TCP puts it in sequence or waits for the data to be re transmitted Then the connection is terminated In cont...

Page 448: ...ating separate rules for each service Service groups may consist of services and other service groups The sequence of members in the service group is not important 40 2 The Service Summary Screen The Service summary screen provides a summary of all services and their definitions In addition this screen allows you to add edit and remove services To access this screen log in to the Web Configurator ...

Page 449: ...k this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example Thi...

Page 450: ...e first character cannot be a number This value is case sensitive IP Protocol Select the protocol the service uses Choices are TCP UDP ICMP and User Defined Starting Port Ending Port This field appears if the IP Protocol is TCP or UDP Specify the port number s used by this service If you fill in one of these fields the service uses that port If you fill in both fields the service uses the range of...

Page 451: ...ouble click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example This field is a sequential value and i...

Page 452: ... service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift ...

Page 453: ...schedule Use the Recurring Schedule Add Edit screen Section 41 2 2 on page 456 to create or edit a recurring schedule Use the Schedule Group screen Section 41 3 on page 457 to merge individual schedule objects as one object 41 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One time schedules are usefu...

Page 454: ...an example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Recurring Add Click this to create a new entry Edit Doub...

Page 455: ...the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year month and day when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 StartTime Specify the hour and minute when the schedule begins Hou...

Page 456: ...e describes the remaining labels in this screen Table 214 Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule beg...

Page 457: ...n Object Schedule Schedule Group LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object References to open a screen that shows whic...

Page 458: ...iption of the service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or u...

Page 459: ...rver instead of or in addition to an internal device user database that is limited to the memory capacity of the device In essence RADIUS authentication allows you to validate a large number of users from a central location Figure 311 RADIUS Server Network Example 42 1 2 What You Can Do in this Chapter Use the Configuration Object AAA Server RADIUS screen Section 42 2 on page 460 to configure the ...

Page 460: ...US Server Click Configuration Object AAA Server RADIUS to display the RADIUS screen Click the Add icon or an Edit icon to display the following screen Use this screen to create a new RADIUS entry or edit an existing one Table 217 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen wher...

Page 461: ...tings Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Authentication Server Settings Server Address Enter the address of the RADIUS authentication server Authentication Port Specify the port number on the RADIUS server to which the UAG sends authentic...

Page 462: ...imes the UAG should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server This also sets how many times the UAG will attempt to use the secondary RADIUS server For example you set this field to 3 If the UAG does not get a response from the primary RADIUS server it tries again up to three times If there is no response the UAG tries the secondary RADIUS serv...

Page 463: ...d a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attribute named memberOf with values like sales RD and management Then you could also create a ext group user user object for each group One with sales as the group identifier another for RD and a third for ...

Page 464: ... objects By default user accounts created and stored on the UAG are authenticated locally 43 1 1 What You Can Do in this Chapter Use the Configuration Object Auth Method screens Section 43 2 on page 464 to create and manage authentication method objects 43 1 2 Before You Begin Configure AAA server objects see Chapter 42 on page 459 before you configure authentication method objects 43 2 Authentica...

Page 465: ...n If two accounts with the same username exist on two authentication servers you specify the UAG does not continue the search on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same type 7 Click OK to save the settings or click Cancel to discard all changes and ...

Page 466: ...list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as UAG authenticates the users using the authentication methods in the order they appear in this screen This field displays the index number Method List Select a server object from the drop dow...

Page 467: ...ailable The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write your signature exactly as it should look When people know what your signature looks like they can verify whether something was signed by you or by someone else In the same way your private key writes your digital s...

Page 468: ...rtificates Certificates offer the following benefits The UAG only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys Self signed Certificates You can have the UAG act as a certific...

Page 469: ...y default 44 1 3 Verifying a Certificate Before you import a trusted certificate into the UAG you should verify that you have the correct certificate You can do this using the certificate s fingerprint A certificate s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm The following procedure describes how to check a certificate s fingerprint to verify that you have the actu...

Page 470: ...ary certificates before adding more certificates Add Click this to go to the screen where you can have the UAG generate a certificate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The UAG keeps all of your certificates unless you specifically delete them Uploading a new firmware o...

Page 471: ...splays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department orga...

Page 472: ...t Domain Name or E Mail The certification authority may add fields such as a serial number to the subject information when it issues a certificate It is recommended that each certificate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in...

Page 473: ...orithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Extended Key Usage Select Server Authentication to allow a web server to send clients the certificate to authenticate itself Select Client Authentication to use the certifi...

Page 474: ...est Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed ...

Page 475: ...yption algorithm and the MD5 hash algorithm Valid From This field displays the date that the certificate becomes applicable none displays for a certification request Valid To This field displays the date that the certificate expires The text displays in red and includes an Expired message if the certificate has expired none displays for a certification request Key Algorithm This field displays the...

Page 476: ... and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Export Certificate Only Use this button to save a copy of the certificate without its priv...

Page 477: ... thus you do not need to import any certificate that is signed by one of these certificates Table 224 Configuration Object Certificate My Certificates Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it You cannot import a certificate with the same name as a certificate that is already in the UAG Browse Click Browse to fin...

Page 478: ...click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 165 for an example This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU...

Page 479: ...con to open the Trusted Certificates Edit screen Use this screen to view in depth information about the certificate change the certificate s name and set whether or not you want the UAG to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 323 Configuration Object Certificate Trusted Certificates Edit ...

Page 480: ...on authority Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and si...

Page 481: ...ge digest that the UAG calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the UAG calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this...

Page 482: ...DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it You cannot import a certificate with the same name as a certificate that is already in the UAG Browse Click Browse to find the certificate file you want to upload OK Click OK to save the certificate on the UAG Cancel Click Cancel to quit and return to the previous screen ...

Page 483: ...a summary of ISP accounts in the UAG To access this screen click Configuration Object ISP Account Figure 325 Configuration Object ISP Account The following table describes the labels in this screen See the ISP Account Edit section below for more information as well Table 228 Configuration Object ISP Account LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select...

Page 484: ...ield displays the protocol used by the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Table 228 Configuration Object ISP Account continued LABEL DESCRIPTION Table 229 Configuration Object ISP Account Edit LABEL DESCRIPTION Profile Name This field is read only if you are editing an ex...

Page 485: ...name of the PPTP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this ISP account uses the PPPoE protocol type the PPPoE service name to access PPPoE uses the specified service name to identify and reach the PPPoE server This field can be blank If this ISP account uses ...

Page 486: ...mand line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 46 9 on page 523 to configure Telnet to access the UAG s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the System FTP screen see Section 46 10 on page 524 to specify from which zone...

Page 487: ...ice It must allow writing it cannot be read only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 230 Configuration System Host Name LABEL DESCRIPTION System Name Enter a descriptive name to identify your UAG device This name can be up to 64 alphanumeric characters long Spaces are not allowed but dashes underscores _ and...

Page 488: ...ocal time zone and date click Configuration System Date Time The screen displays as shown You can manually set the UAG s time and date or have the UAG get the date and time from a time server Table 231 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk full warning when remaining space is less than Set a nu...

Page 489: ...ew time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the UAG uses the new setting once you click Apply New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual ent...

Page 490: ...n the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the at field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is on...

Page 491: ...have been tried 46 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the Loading screen appears you may have to wait up to one minute Figure 330 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful...

Page 492: ...g a terminal emulation program See Table 2 on page 22 for default console port settings Click Configuration System Console Speed to open the Console Speed screen Figure 331 Configuration System Console Speed The following table describes the labels in this screen Table 234 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the ...

Page 493: ...server addresses manually enter them in the DNS server fields If your ISP dynamically assigns the DNS server IP addresses along with the UAG s WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 46 6 2 Configuring the DNS Screen Click Configuration System DNS to change your UAG s DNS settings Use the DNS s...

Page 494: ...fied domain name where www is the host zyxel is the third level domain com is the second level domain and tw is the top level domain Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note that subsequent entr...

Page 495: ...d click Remove The UAG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the domain zone ...

Page 496: ...Service Control This specifies from which computers and zones you can send DNS queries to the UAG Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it...

Page 497: ...yxel com and you want this subdomain to point to your main domain zyxel com Edit the IP address in record A and all subdomains will follow automatically This eliminates chances for errors and increases efficiency in DNS management 46 6 7 Adding a CNAME Record Click the Add icon in the CNAME Record table to add a record Use as a prefix for a wildcard domain name For example zyxel com Table 236 Conf...

Page 498: ...rder table to add a domain zone forwarder record Table 237 Configuration System DNS CNAME Record Add LABEL DESCRIPTION Alias name Enter an Alias Name Use as a prefix in the Alias name for a wildcard domain name for example example com FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zy...

Page 499: ...name server IP address Enter if all domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP add...

Page 500: ...ss FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field above OK Click OK to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 240 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new setti...

Page 501: ...ent IP address the UAG disallows the session 3 The IP address address object in the Service Control table is not in the allowed zone or the action is set to Deny 4 There is a security policy that blocks it 46 7 2 System Timeout There is a lease timeout for administrators The UAG automatically logs you out if the management session remains idle for longer than this timeout period The management ses...

Page 502: ...erver the UAG must always authenticate itself to the HTTPS client the computer which requests the HTTPS connection with the UAG whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so select Authenticate Client Certificates in the WWW screen Authenticate Client Certificates is optional and if selected means the HTTPS client must send the UAG a certificat...

Page 503: ...s the Internet for example Figure 339 Configuration System WWW Service Control The following table describes the labels in this screen Table 241 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the UAG Web Configurator using secure ...

Page 504: ...elect an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbere...

Page 505: ...Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does ...

Page 506: ...ystem Service Control Rule Edit LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the UAG using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the UAG using this service ...

Page 507: ...Chapter 46 System UAG Series User s Guide 507 Figure 341 Configuration System WWW Login Page Desktop View ...

Page 508: ...Chapter 46 System UAG Series User s Guide 508 Figure 342 Configuration System WWW Login Page Mobile View The following figures identify the parts you can customize in the login and access pages ...

Page 509: ...play a screen of web safe colors from which to choose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black Logo Title Message Color Note Message Background last line of text color of all text Logo Title Message Color Note Message last line of text color of all text Background ...

Page 510: ...tion to set how the Web Configurator login screen looks Title Enter the title for the top of the screen Use up to 64 printable ASCII characters Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message Enter a note to display at the bottom of the screen Use up to 64 printable ASCII characters Spaces are allowed Thi...

Page 511: ...46 7 7 2 Mozilla Firefox Warning Messages When you attempt to access the UAG HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the UAG Background Set how the window s background looks To use a graphic select Picture and upload a graphic Specify the location and file na...

Page 512: ...an do to avoid seeing the warnings The issuing certificate authority of the UAG s HTTPS server certificate is not one of the browser s trusted certificate authorities The issuing certificate authority of the UAG s factory default certificate is the UAG itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate int...

Page 513: ...ificate if Authenticate Client Certificates is selected on the UAG You must have imported at least one trusted CA to the UAG in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the UAG see the UAG s Trusted CA Web Configurator screen Figure 349 UAG Trusted CA Screen The ...

Page 514: ...icate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix 46 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wi...

Page 515: ...port Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 352 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 516: ...rd 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 354 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 517: ...46 7 7 6 Using a Certificate When Accessing the UAG Example Use the following procedure to access the UAG via HTTPS 1 Enter https UAG IP Address in your browser s web address field Figure 357 Access the UAG Via HTTPS 2 When Authenticate Client Certificates is selected on the UAG the following screen asks you to select a personal certificate to send to the UAG This screen displays even if you only ...

Page 518: ...y access the UAG s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of th...

Page 519: ... a connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Onc...

Page 520: ... program on a client computer Windows or Linux operating system that is used to connect to the UAG over SSH 46 8 4 Configuring SSH Click Configuration System SSH to change your UAG s Secure Shell settings Use this screen to specify from which zones SSH can be used to manage the UAG You can also specify from which IP addresses the access can come Figure 362 Configuration System SSH The following ta...

Page 521: ...tails Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 242 on page 506 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select...

Page 522: ...SH Example 2 Test 2 Enter ssh 1 172 16 0 1 This command forces your computer to connect to the UAG using SSH version 1 If this is the first time you are connecting to the UAG using SSH a message displays prompting you to save the host information of the UAG Type yes and press ENTER Then enter the password to log in to the UAG Figure 365 SSH Example 2 Log in 3 The CLI screen displays next telnet 17...

Page 523: ...cess the UAG CLI using this service Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry ...

Page 524: ... rule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the UAG will not have to use the default policy Zone This is the zone on the UAG the user is allowed or denied to access Address Thi...

Page 525: ...om which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 242 on page 506 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms y...

Page 526: ...icate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an age...

Page 527: ...NMP can be used to access the UAG You can also specify from which IP addresses the access can come Figure 369 Configuration System SNMP Table 247 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start 1 3 6 1 6 3 1 1 5 1 This trap is sent when the UAG is turned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This tr...

Page 528: ...ord for incoming Set requests from the management station The default is private and allows all requests Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 242 on page 506 for details on the screen that opens Edit Double click an entry or ...

Page 529: ...ntry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Activate To turn on an entry select it and click Activate I...

Page 530: ...ox to make this profile active Profile Name Enter a descriptive name up to 31 alphanumerical characters for identification purposes IP Address Enter the IP address of the RADIUS client that is allowed to exchange messages with the UAG Netmask Enter the subnet mask of the RADIUS client Secret Enter a password up to 64 alphanumeric characters as the key to be shared between the UAG and the RADIUS cl...

Page 531: ...the query the ZyXEL device responds with basic information including IP address firmware version location system and model name The information is then displayed in the ZON Utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it You can download the ZON Utility at www zyxel com and install it on a computer The following figure shows the ZON...

Page 532: ...the selected device You must know the current admin password before changing to a new one 8 ZAC Use this icon to run the ZyXEL AP Configurator of the selected AP This is not supported by the UAG at the time of writing 9 Discovery You should use this icon first to display all connected devices in the same network as your computer 10 Save Configuration Use this icon to save configuration changes to ...

Page 533: ...ZDP ZyXEL Discovery Protocol ZDP is the protocol that the ZyXEL One Network ZON utility uses for discovering and configuring ZDP aware ZyXEL devices in the same broadcast domain as the computer on which ZON is installed Enable Select to activate ZDP discovery on the UAG Smart Connect Smart Connect uses Link Layer Discovery Protocol LLDP for discovering and configuring LLDP aware devices in the sam...

Page 534: ...ge 536 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 47 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your UAG Note Data collection may decrease the UAG s traffic throughput rate Click...

Page 535: ...Chapter 47 Log and Report UAG Series User s Guide 535 Figure 375 Configuration Log Report Email Daily Report ...

Page 536: ...ystem name to add the UAG s system name to the subject Append date time Select Append date time to add the UAG s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgoing e mail is delivered SMTP Authentication Select this check box if it is nec...

Page 537: ...o set for which events to generate alerts and where to email the alerts The first Log Settings screen provides a settings summary Use the Edit screens to configure settings such as log categories e mail addresses and server names for any log Use the Log Category Settings screen to edit what information is included in the system log USB storage e mail profiles and remote servers 47 3 1 Log Settings...

Page 538: ...his field displays the type of log setting entry system log logs stored on a USB storage device connected to the UAG or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This field is a ...

Page 539: ...Chapter 47 Log and Report UAG Series User s Guide 539 Figure 377 Configuration Log Report Log Settings Edit System Log ...

Page 540: ... Full Hourly and When Full Daily and When Full and Weekly and When Full Day for Sending Log This field is available if the log is e mailed weekly Select the day of the week the log is e mailed Time for Sending Log This field is available if the log is e mailed weekly or daily Select the time of day hours and minutes when the log is e mailed Use 24 hour notation SMTP Authentication Select this chec...

Page 541: ...ug logs yellow check mark create log messages alerts and debugging information from this category the UAG does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail S...

Page 542: ... describes the labels in this screen Table 258 Configuration Log Report Log Settings Edit USB Storage LABEL DESCRIPTION Duplicate logs to USB storage if ready Select this to have the UAG save a copy of its system logs to a connected USB storage device Use the Active Log section to specify what kinds of messages to include Enable log keep duration Select this option to have the UAG save a copy of i...

Page 543: ...information for all log categories This field is a sequential value and it is not associated with a specific entry Log Category This field displays each category of messages The Default category includes debugging messages generated by open source software Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not lo...

Page 544: ...Chapter 47 Log and Report UAG Series User s Guide 544 Figure 379 Configuration Log Report Log Settings Edit Remote Server ...

Page 545: ...to log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and ...

Page 546: ... Log Category Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 47 3 2 on page 538 where this process is discussed The Default category includes debugging messages generated by open source software ...

Page 547: ... Mail Server 1 drop down list to change the settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail server 1 settings enable normal logs green check mark e mail log messages for all categories to e mail server 1 enable alert logs red exclamation point e mail alerts for all categories to e mail server 1 E ma...

Page 548: ...t is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The UAG does not e mail debugging information even if it is recorded in the System log E mail Server 2 E mail Select whether each category of events should be included in log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail se...

Page 549: ...e Configuration File screen see Section 48 2 on page 551 to store and name configuration files You can also download configuration files from the UAG to your computer and upload configuration files from your computer to the UAG Use the Firmware Package screen see Section 48 3 on page 555 to check your current firmware version and upload firmware to the UAG Use the Shell Script screen see Section 4...

Page 550: ...and mode Note exit or must follow sub commands if it is to make the UAG exit sub command mode Figure 381 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure wan1 interface wan1 ip address 10 16 17 240 255 255 255 0 ip gateway 10 16 17 254 metric 1 exit create address objects for rem...

Page 551: ...he configuration file or shell script The UAG ignores any errors in the configuration file or shell script and applies all of the valid commands The UAG still generates a log for any errors 48 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You can als...

Page 552: ...f there is an error the UAG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the UAG applies the system default conf configuration file You can change the way the startup config conf file is applied ...

Page 553: ...icate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the UAG You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuration file or cli...

Page 554: ...is gets the UAG started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the UAG apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applying the ...

Page 555: ...his configuration file The UAG applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via commands when you use the write command The lastgood conf is the most recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error y...

Page 556: ...heck your new firmware version in the Dashboard screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Table 263 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the UAG Current Version This is the firmware version and the date created Released Date This i...

Page 557: ...n Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell script files on the UAG at the same time Note You should include write commands in your scripts If you do not use the write command the changes will be lost when the UAG restarts You could use multiple write ...

Page 558: ...en without deleting the shell script file Download Click a shell script file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplicate of a shell script file on the UAG Click a shell script file s row to select it and click Copy to open the Copy File screen Figure 392 Maintenance File Manager Shell Script Copy Specify a name for the d...

Page 559: ...le from your computer to your UAG File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 264 Maintenance File Manager Shell Script continued LABEL DESCRIPTION ...

Page 560: ...cess terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the System Log screens see Section 49 5 on page 567 to download files of system logs from a connected USB storage device to your computer Use the Network Tool screen see Section 49 6 on page 568 to ping an IP address or trace the route packets take to a host Use the Wireless Frame Capture screen...

Page 561: ...ance Diagnostics Files Table 265 Maintenance Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created The format is yyyy mm dd hh mm ss Size This is the size of the most recently created diagnostic file Copy the diagnostic file to USB storage if ready Select this to have th...

Page 562: ... Table 266 Maintenance Diagnostics Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files t...

Page 563: ...tocol IP by which traffic is routed across the networks and Internet Select any to capture packets for traffic sent by either IP version Protocol Type Select the protocol type of traffic for which to capture packets Select any to capture packets for all types of traffic Host IP Select a host IP address object for which to capture packets Select any to capture packets for all hosts Select User Defi...

Page 564: ...capture and overwrite old ones option you may need to set this size larger or delete existing capture files The valid range depends on the available onboard USB storage size The UAG stops the capture and generates the capture file when either the file reaches this size or the time period specified in the Duration field expires Split threshold Specify a maximum size limit in megabytes for individua...

Page 565: ...ormance may be affected while a packet capture is in progress After the UAG finishes the capture it saves a separate capture file for each selected interface The total number of packet capture files that you can save depends on the file sizes and the available flash storage space Once the flash storage space is full adding more packet captures will fail Stop Click this button to stop a currently r...

Page 566: ...each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is interface name file suffix cap Size This column displays the size in bytes of a configuration file Last Modified This column displays the date and time that...

Page 567: ...iagnostics Core Dump Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet...

Page 568: ...Remove to delete them from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Name This...

Page 569: ...ng files of the same name Change the File Prefix field s setting to avoid this Table 272 Maintenance Diagnostics Network Tool LABEL DESCRIPTION Network Tool Select PING IPv4 to to ping the IP address that you entered Select TRACEROUTE IPv4 to perform the traceroute function This determines the path a packet takes to the specified computer Domain Name or IP Address Type the IPv4 address of a comput...

Page 570: ...plays the monitor mode configured APs selected for wireless frame capture Misc Setting File Size Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the UAG including any existing capture files and any new capture files you generate Note If you have existing capture files you may need to set this size larger or delete existing capture files The valid r...

Page 571: ...zes and the available flash storage space Once the flash storage space is full adding more frame captures will fail Stop Click this button to stop a currently running frame capture and generate a combined capture file for all APs Reset Click this button to return the screen to its last saved settings Table 273 Maintenance Diagnostics Wireless Frame Capture Capture continued LABEL DESCRIPTION Table...

Page 572: ...on s settings 50 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore The order of the routing flow may vary depending on whether...

Page 573: ...Chapter 50 Packet Flow Explore UAG Series User s Guide 573 Figure 403 Maintenance Packet Flow Explore Routing Status Direct Route Figure 404 Maintenance Packet Flow Explore Routing Status Policy Route ...

Page 574: ...ies User s Guide 574 Figure 405 Maintenance Packet Flow Explore Routing Status VPN 1 1 Mapping Route Figure 406 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 407 Maintenance Packet Flow Explore Routing Status SiteToSite VPN ...

Page 575: ...apter 50 Packet Flow Explore UAG Series User s Guide 575 Figure 408 Maintenance Packet Flow Explore Routing Status Static Route Figure 409 Maintenance Packet Flow Explore Routing Status Default WAN Trunk ...

Page 576: ...ination IP address of a route Gateway This is the IP address of the next hop gateway or the interface through which the traffic is routed Interface This is the name of an interface associated with the route Metric This is the route s priority among the displayed routes Flags This indicates additional information for the route The possible flags are A this route is currently activated S this is a s...

Page 577: ...ailable if you click VPN 1 1 Mapping Route in the Routing Flow section This field is a sequential value and it is not associated with any entry Source This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address Outgoing This is the name of an interface which transmits packets out of the UAG Gateway This is t...

Page 578: ...w Explore SNAT Status The order of the SNAT flow may vary depending on whether you select use default SNAT in the Configuration Network Interface Trunk screen use policy routes to control 1 1 NAT by using the policy control virtual server rules activate command Note Once a packet matches the criteria of an SNAT rule the UAG takes the corresponding action and does not perform any further flow check...

Page 579: ...e UAG Series User s Guide 579 Figure 413 Maintenance Packet Flow Explore SNAT Status 1 1 SNAT Figure 414 Maintenance Packet Flow Explore SNAT Status Loopback SNAT Figure 415 Maintenance Packet Flow Explore SNAT Status Default SNAT ...

Page 580: ...is field is a sequential value and it is not associated with any entry NAT Rule This is the name of an activated NAT rule which uses SNAT Source This is the original source IP address es Destination This is the original destination IP address es Outgoing This is the outgoing interface that the SNAT rule uses to transmit packets SNAT This is the source IP address es that the SNAT rule uses finally ...

Page 581: ...o use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 53 1 on page 589 reset returns the device to its default configuration 51 2 The Reboot Screen The Reboot screen allows remote users to restart the device To access this screen click Maintenance Reboot Figure 416 Maintenance Reboot Click the Reb...

Page 582: ...f the UAG or remove the power Not doing so can cause the firmware to become corrupt 52 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 52 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 417 Maintenance Shutdown Click the Shutdown button to shut down the UAG Wait for the device to shut down before you manual...

Page 583: ...AG s In the computer click Start All Programs Accessories and then Command Prompt In the Command Prompt window type ping followed by the UAG s LAN IP address 172 16 0 1 or 172 17 0 1 is the default and then press ENTER The UAG should reply If you ve forgotten the UAG s password use the RESET button Press the button in for about 5 seconds or until the PWR LED starts to blink then release it It retu...

Page 584: ...ould also match I cannot enter the interface name I want The format of interface names other than the Ethernet interface names is very strict Each name consists of 2 4 letters interface type followed by a number x limited by the maximum number of each type of interface For example VLAN interfaces are vlan0 vlan1 vlan2 and so on The names of virtual interfaces are derived from the interfaces on whi...

Page 585: ...G is not applying an interface s configured ingress bandwidth limit At the time of writing the UAG does not support ingress bandwidth management The UAG routes and applies SNAT for traffic from some interfaces but not from others The UAG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic You must manually configure a policy ...

Page 586: ...use virtual interfaces to put the UAG and the backup gateway on separate subnets See Asymmetrical Routes on page 291 and the chapter about interfaces for more information I changed the LAN IP address and can no longer access the Internet The UAG automatically updates address objects based on an interface s IP address subnet or gateway if the interface s IP address settings change However you need ...

Page 587: ...M Base 64 encoded X 509 This Privacy Enhanced Mail format uses lowercase letters uppercase letters and numerals to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted A PKCS 7 file is used to transfer a public key certificate The private key is not included The UAG curr...

Page 588: ...throughput rate I can only see newer logs Older logs are missing When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first The commands in my configuration file or shell script are not working properly In a configuration file or shell script use or as the first character of a command line...

Page 589: ...ires My earlier packet capture files are missing New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this 53 1 Resetting the UAG If you cannot access the UAG by any method try restarting it by turning the power off and then on again If you still cannot access the UAG by any method or you forget the administrator password s you can reset the U...

Page 590: ...AG Series User s Guide 590 You should be able to access the UAG using the default settings 53 2 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 591: ...e have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan ZyXEL Communications Corporation http www zyxel com Asia China ZyXEL Communications Shanghai Corp ZyXEL Communication...

Page 592: ...Ltd http www zyxel com pk Philipines ZyXEL Philippines http www zyxel com ph Singapore ZyXEL Singapore Pte Ltd http www zyxel com sg Taiwan ZyXEL Communications Corporation http www zyxel com Thailand ZyXEL Thailand Co Ltd http www zyxel co th Vietnam ZyXEL Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria ZyXEL Deutschland GmbH http www zyxel de ...

Page 593: ...ttp www zyxel com bg bg Czech ZyXEL Communications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyxel fi France ZyXEL France http www zyxel fr Germany ZyXEL Deutschland GmbH http www zyxel de Hungary ZyXEL Hungary SEE http www zyxel hu Latvia ZyXEL Latvia ...

Page 594: ...x http www zyxel nl Norway ZyXEL Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zyxel ru Slovakia ZyXEL Communications Czech s r o organizacna zlozka http www zyxel sk Spain ZyXEL Spain http www zyxel es Sweden ZyXEL Communications http www zyxel se Switzerland Studerus AG ...

Page 595: ...yxel com Latin America Argentina ZyXEL Communication Corporation http www zyxel com ec es Ecuador ZyXEL Communication Corporation http www zyxel com ec es Middle East Egypt ZyXEL Communication Corporation http www zyxel com homepage shtml Middle East ZyXEL Communication Corporation http www zyxel com homepage shtml North America USA ZyXEL Communications Inc North America Headquarters http www us z...

Page 596: ...Appendix A Customer Support UAG Series User s Guide 596 Oceania Australia ZyXEL Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 597: ...ust accept any interference received including interference that may cause undesired operation Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment This product has been tested and complies with the specifications for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to...

Page 598: ...terdits pour l exploitation de l émetteur Industry Canada radiation exposure statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment This equipment should be installed and operated with a minimum distance of 20cm between the radiator and your body Déclaration d exposition aux radiations Cet équipement est conforme aux limites d exposition aux r...

Page 599: ... Please check http www sviluppoeconomico gov it for more details Questo prodotto è conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia Se non viene installato all interno del proprio fondo l utilizzo di prodotti Wireless LAN richiede una Autorizzazione Generale Consultare http www sviluppoeconomico gov it per maggiori dett...

Page 600: ... or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact...

Page 601: ...ment should be treated separately INFORMAZIONI AGLI UTENTI Ai sensi della Direttiva 2012 19 UE del Parlamento europeo e del Consiglio del 4 luglio 2012 sui rifiuti di apparecchiature elettriche ed elettroniche RAEE Il simbolo del cassonetto barrato riportato sull apparecchiatura o sulla sua confezione indica che il prodotto alla fine della propria vita utile deve essere raccolto separatamente dagl...

Page 602: ...Appendix B Legal Information UAG Series User s Guide 602 Environmental Product Declaration ...

Page 603: ...t product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or impli...

Page 604: ...P 359 active sessions 85 87 99 ActiveX 390 AD port 461 462 address groups 442 and content filtering 381 382 and FTP 525 and SNMP 528 and SSH 521 and Telnet 524 and WWW 506 address objects 442 and content filtering 381 382 and FTP 525 and NAT 210 222 and policy routes 209 and SNMP 528 and SSH 521 and Telnet 524 and VPN connections 339 and WWW 506 HOST 442 RANGE 442 SUBNET 442 types of 442 address r...

Page 605: ...ion server 459 B backing up configuration files 551 bandwidth limit troubleshooting 585 bandwidth management 366 376 and schedules 371 374 and user groups 371 374 and users 371 374 maximize bandwidth usage 370 see also application patrol 376 boot module 556 bridge interfaces 155 182 and virtual interfaces of members 183 basic characteristics 155 effect on routing table 183 member interfaces 183 vi...

Page 606: ...tax 550 system default conf 555 uploading 555 uploading with FTP 524 use without restart 549 connection troubleshooting 586 connectivity check 163 173 179 189 345 console port speed 492 contact information 591 content filtering 381 382 and address groups 381 382 and address objects 381 382 and registration 384 386 and schedules 381 382 and user groups 381 and users 381 by category 381 382 387 by k...

Page 607: ...elated 2 domain name 487 Domain Name System see DNS DPD 353 DSA 473 DSCP 206 209 372 374 577 Dynamic Domain Name System see DDNS dynamic guest 103 dynamic guest account 103 400 Dynamic Host Configuration Protocol see DHCP DynDNS 214 DynDNS see also DDNS 214 Dynu 214 E Ekahau RTLS 286 e mail daily statistics report 534 Encapsulating Security Payload see ESP encapsulation and active protocol 360 IPS...

Page 608: ...4 vs HTTPS 502 HTTP redirect 231 and interfaces 234 and policy routes 232 and security policy 232 packet flow 232 troubleshooting 586 HTTPS 502 and certificates 502 authenticating clients 502 avoiding warning messages 512 example 511 vs HTTP 502 with Internet Explorer 511 with Netscape Navigator 511 HyperText Transfer Protocol over Secure Socket Layer see HTTPS I ICMP 447 IEEE 802 1q VLAN IEEE 802...

Page 609: ...MP Internet Explorer 22 Internet Protocol Security see IPSec IP policy routing see policy routes IP protocols 447 and service objects 448 ICMP see ICMP TCP see TCP UDP see UDP IP static routes see static routes IP MAC binding example 248 exempt list 251 monitor 101 overview 248 static DHCP 251 IPSec 338 active protocol 344 AH 344 and certificates 340 authentication 344 certificates 351 connections...

Page 610: ... and users 400 port 461 462 least load first load balancing 196 LED suppression mode 138 LED troubleshooting 583 level 4 inspection 377 level 7 inspection 376 licensing 131 Link Layer Discovery Protocol LLDP 107 LLDP Link Layer Discovery Protocol 107 load balancing 195 algorithms 196 200 202 least load first 196 round robin 196 see also trunks 195 session oriented 196 spillover 197 weighted round ...

Page 611: ...ocol Version 2 485 multicast 420 multicast rate 420 My Certificates see also certificates 470 myZyXEL com 131 134 accounts creating 131 N NAT 212 219 ALG see ALG and address objects 210 and address objects HOST 222 and ALG 239 and interfaces 222 and policy routes 204 210 and security policy 292 and to Device security policy 223 and VPN 358 loopback 224 port forwarding see NAT port translation see ...

Page 612: ...195 210 and user groups 209 and users 209 and VPN 1 1 mapping 227 benefits 204 criteria 205 overriding direct routes 206 pop up windows 22 port forwarding see NAT port groups 155 157 port roles 156 and Ethernet interfaces 156 and physical ports 156 port translation see NAT power off 582 PPP 194 troubleshooting 585 PPP interfaces subnet mask 191 PPPoE 194 and RADIUS 194 TCP port 1723 194 PPPoE PPTP...

Page 613: ...3 475 480 RSSI threshold 419 RTLS 286 S schedule troubleshooting 587 schedules 453 and bandwidth management 371 374 and content filtering 381 382 and current date time 453 and policy routes 209 and security policy 296 one time 453 recurring 453 types of 453 screen resolution 22 Secure Hash Algorithm see SHA1 Secure Socket Layer see SSL security associations see IPSec security policy 289 actions 29...

Page 614: ...38 and policy routes 236 and security policy 236 packet flow 236 SNAT 212 troubleshooting 585 SNMP 525 526 agents 526 and address groups 528 and address objects 528 and zones 528 Get 526 GetNext 526 Manager 526 managers 526 MIB 526 network components 526 Set 526 Trap 526 traps 527 versions 525 Source Network Address Translation see SNAT spillover for load balancing 197 SSH 518 and address groups 5...

Page 615: ... Triple Data Encryption Standard see 3DES troubleshooting 560 566 583 admin user 587 bandwidth limit 585 certificate 587 configuration file 588 connection resets 586 DDNS 585 device access 583 ext user 586 firmware upload 589 HTTP redirect 586 interface 584 Internet access 583 586 LEDs 583 logo 588 logs 588 management access 588 packet capture 589 policy route 584 PPP 585 RADIUS server 586 routing...

Page 616: ...00 attributes for RADIUS 413 attributes in AAA servers 413 currently logged in 83 89 default lease time 408 410 default reauthentication time 408 410 default type for Ext User 400 ext group user type 399 Ext User type 400 ext user type 399 groups see user groups guest manager type 400 lease time 404 limited admin type 399 lockout 409 reauthentication time 404 types of 399 user names 402 V Vantage ...

Page 617: ...2 390 see also HTTP redirect weighted round robin for load balancing 197 WEP Wired Equivalent Privacy 415 Wi Fi Protected Access 415 Windows Internet Naming Service see WINS Windows Internet Naming Service see WINS WINS 164 180 188 193 WINS server 164 Wizard Setup 50 64 WPA 415 WPA2 415 WWW 502 and address groups 506 and address objects 506 and authentication method objects 505 and certificates 50...