ZyXEL Communications UAG4100, User Manual

Page 1: ... UAG4100 Unified Access Gateway Version 4 01 Edition 1 08 2014 Copyright 2014 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 172 16 0 1 LAN1 http 172 17 0 1 LAN2 User Name admin Password 1234 ...

Page 2: ...entation Quick Start Guide The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a package contents list CLI Reference Guide The CLI Reference Guide explains how to use the Command Line Interface CLI to configure the UAG Note It is recommended you use the Web Configurator ...

Page 3: ... 112 Trunks 152 Policy and Static Routes 160 Zones 170 DDNS 174 NAT 179 VPN 1 1 Mapping 186 HTTP Redirect 191 SMTP Redirect 195 ALG 199 UPnP 201 IP MAC Binding 208 Layer 2 Isolation 213 IPnP 217 Web Authentication 219 Firewall 238 Billing 252 Printer Manager 269 Free Time 276 SMS 280 Bandwidth Management 282 User Group 292 AP Profile 306 Addresses 321 Services 326 Schedules 331 AAA Server 335 Auth...

Page 4: ...Contents Overview UAG4100 User s Guide 4 System 362 Log and Report 403 File Manager 418 Diagnostics 429 Packet Flow Explore 437 Reboot 445 Shutdown 446 Troubleshooting 447 ...

Page 5: ...ware Installation and Connection 32 2 1 Wall Mounting 32 2 2 Front Panel 33 2 2 1 Front Panel LEDs 34 2 3 Rear Panel 34 Chapter 3 Printer Deployment 36 3 1 Overview 36 3 2 Attach the Printer to the UAG 36 3 3 Set up an Internet Connection on the UAG 36 3 4 Allow the UAG to Monitor and Manage the Printer 37 3 5 Turn on Web Authentication on the UAG 39 3 6 Generate a Free Guest Account 41 Chapter 4 ...

Page 6: ...SP and WAN Connection Settings 60 5 2 5 Quick Setup Interface Wizard Summary 62 Chapter 6 Dashboard 64 6 1 Overview 64 6 1 1 What You Can Do in this Chapter 64 6 2 The Dashboard Screen 64 6 2 1 The CPU Usage Screen 69 6 2 2 The Memory Usage Screen 70 6 2 3 The Active Sessions Screen 70 6 2 4 The DHCP Table Screen 71 6 2 5 The Number of Login Users Screen 72 Chapter 7 Monitor 74 7 1 Overview 74 7 1...

Page 7: ...og 103 Chapter 8 Registration 105 8 1 Overview 105 8 1 1 What You Can Do in this Chapter 105 8 1 2 What you Need to Know 105 8 2 Registration Screen 106 8 3 Service Screen 106 Chapter 9 Wireless 108 9 1 Overview 108 9 1 1 What You Can Do in this Chapter 108 9 2 Controller Screen 108 9 3 AP Management Screen 109 9 3 1 Edit AP List 110 Chapter 10 Interfaces 112 10 1 Interface Overview 112 10 1 1 Wha...

Page 8: ... Trunk Summary Screen 155 11 2 1 Configuring a User Defined Trunk 156 11 2 2 Configuring the System Default Trunk 158 Chapter 12 Policy and Static Routes 160 12 1 Policy and Static Routes Overview 160 12 1 1 What You Can Do in this Chapter 160 12 1 2 What You Need to Know 160 12 2 Policy Route Screen 162 12 2 1 Policy Route Edit Screen 164 12 3 IP Static Route Screen 167 12 3 1 Static Route Add Ed...

Page 9: ...hat You Need to Know 186 16 2 The VPN 1 1 Mapping General Screen 187 16 2 1 The VPN 1 1 Mapping Edit Screen 188 16 3 The VPN 1 1 Mapping Profile Screen 189 Chapter 17 HTTP Redirect 191 17 1 Overview 191 17 1 1 What You Can Do in this Chapter 191 17 1 2 What You Need to Know 191 17 2 The HTTP Redirect Screen 192 17 2 1 The HTTP Redirect Edit Screen 193 Chapter 18 SMTP Redirect 195 18 1 Overview 195...

Page 10: ... 1 What You Can Do in this Chapter 208 21 1 2 What You Need to Know 208 21 2 IP MAC Binding Summary 209 21 2 1 IP MAC Binding Edit 209 21 2 2 Static DHCP Edit 211 21 3 IP MAC Binding Exempt List 211 Chapter 22 Layer 2 Isolation 213 22 1 Overview 213 22 1 1 What You Can Do in this Chapter 213 22 2 Layer 2 Isolation General Screen 214 22 3 White List 214 22 3 1 Add Edit White List Rule 215 Chapter 2...

Page 11: ... 3 The Session Control Screen 245 25 3 1 The Session Limit Add Edit Screen 246 25 4 Firewall Rule Configuration Example 247 25 5 Firewall Rule Example Applications 249 Chapter 26 Billing 252 26 1 Overview 252 26 1 1 What You Can Do in this Chapter 252 26 1 2 What You Need to Know 252 26 2 The General Screen 253 26 3 The Billing Profile Screen 254 26 3 1 The Account Generator Screen 256 26 3 2 The ...

Page 12: ... 30 Bandwidth Management 282 30 1 Overview 282 30 1 1 What You Can Do in this Chapter 282 30 1 2 What You Need to Know 282 30 2 The Bandwidth Management Screen 286 30 2 1 The Bandwidth Management Add Edit Screen 288 Chapter 31 User Group 292 31 1 Overview 292 31 1 1 What You Can Do in this Chapter 292 31 1 2 What You Need To Know 292 31 2 User Summary Screen 294 31 2 1 User Add Edit Screen 295 31 ...

Page 13: ... 321 33 2 Address Summary Screen 321 33 2 1 Address Add Edit Screen 322 33 3 Address Group Summary Screen 323 33 3 1 Address Group Add Edit Screen 324 Chapter 34 Services 326 34 1 Overview 326 34 1 1 What You Can Do in this Chapter 326 34 1 2 What You Need to Know 326 34 2 The Service Summary Screen 327 34 2 1 The Service Add Edit Screen 328 34 3 The Service Group Summary Screen 329 34 3 1 The Ser...

Page 14: ... 1 What You Can Do in this Chapter 343 38 1 2 What You Need to Know 343 38 1 3 Verifying a Certificate 345 38 2 The My Certificates Screen 346 38 2 1 The My Certificates Add Screen 347 38 2 2 The My Certificates Edit Screen 349 38 2 3 The My Certificates Import Screen 352 38 3 The Trusted Certificates Screen 353 38 3 1 The Trusted Certificates Edit Screen 354 38 3 2 The Trusted Certificates Import...

Page 15: ...375 40 7 1 Service Access Limitations 375 40 7 2 System Timeout 375 40 7 3 HTTPS 375 40 7 4 Configuring WWW Service Control 376 40 7 5 Service Control Rules 379 40 7 6 Customizing the WWW Login Page 380 40 7 7 HTTPS Example 384 40 8 SSH 391 40 8 1 How SSH Works 392 40 8 2 SSH Implementation on the UAG 393 40 8 3 Requirements for Using SSH 393 40 8 4 Configuring SSH 393 40 8 5 Secure Telnet Using S...

Page 16: ...reen 424 42 4 The Shell Script Screen 426 Chapter 43 Diagnostics 429 43 1 Overview 429 43 1 1 What You Can Do in this Chapter 429 43 2 The Diagnostics Screen 429 43 2 1 The Diagnostics Files Screen 430 43 3 The Packet Capture Screen 431 43 3 1 The Packet Capture Files Screen 433 43 4 Core Dump Screen 434 43 4 1 Core Dump Files Screen 435 43 5 The System Log Screen 435 Chapter 44 Packet Flow Explor...

Page 17: ...verview 446 46 1 1 What You Need To Know 446 46 2 The Shutdown Screen 446 Chapter 47 Troubleshooting 447 47 1 Resetting the UAG 453 47 2 Getting More Troubleshooting Help 454 Appendix A Customer Support 455 Appendix B Legal Information 461 Index 467 ...

Page 18: ...ey authenticate with the UAG through a specifically designated login web page You can also forward the authenticated client s e mail messages to a specific SMTP server The UAG also provides bandwidth management NAT port forwarding policy routing DHCP server and many other powerful features The UAG s security features include firewall and certificates The UAG lets you set up multiple networks for y...

Page 19: ...u can manage the UAG in the following ways Web Configurator The Web Configurator allows easy UAG setup and management using an Internet browser This User s Guide provides information about the Web Configurator Figure 2 Managing the UAG Web Configurator Physical Ports Interfaces Zones LAN1 lan1 lan2 WAN wan1 P1 P2 P3 P4 P5 LAN2 ...

Page 20: ...rome 14 0 Safari 4 0 Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts Java permissions and cookies The recommended screen resolution is 1024 x 768 pixels 1 4 1 Web Configurator Access 1 Make sure your UAG hardware is properly connected See the Quick Start Guide 2 In your browser go to http 172 16 0 1 or http 172 17 0 1 The Login screen appears 3 Type the user...

Page 21: ...t Click About to display basic information about the UAG A C B Table 2 Title Bar Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the UAG Site Map Click this to see an overview of links to the Web Configurator screens Object Reference Click t...

Page 22: ...figurator screens Click a screen s link to go to that screen Figure 5 Site Map Table 3 About LABEL DESCRIPTION Boot Module This shows the version number of the software that handles the booting process of the UAG Current Version This shows the firmware version of the UAG Released Date This shows the date yyyy mm dd and time hh mm ss when the firmware is released OK Click this to close the screen ...

Page 23: ...bject Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s configuration scre...

Page 24: ...tion screens Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it The following sections introduce the UAG s navigation panel menus and their screens Figure 8 Navigation Panel Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can r...

Page 25: ...tails about a USB device connected to the UAG Dynamic Guest List the dynamic guest accounts in the UAG s local database Wireless AP Information AP List Display information about the connected APs Radio List Display information about the radios of the connected APs Station Info Display information about the connected stations Printer Status Printer Status Display information about the connected sta...

Page 26: ...le which defines the public IP address that the UAG assigns to the matched users and the interface through which the user s traffic is forwarded HTTP Redirect Set up and manage HTTP redirection rules SMTP Redirect Set up and manage SMTP redirection rules ALG Configure SIP H 323 and FTP pass through settings UPnP enable UPnP and NAT PMP on your UAG IP MAC Binding Summary Configure IP to MAC address...

Page 27: ...erent APs Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create and manage TCP and UDP services Service Group Create and manage groups of services Schedule Schedule Create one time and recurring schedules AAA Server RADIUS Configure the RADIUS settings Auth Method Authentication Method Create and manage ...

Page 28: ...end daily reports and what reports to send Log Settings Configure the system log e mail logs and remote syslog servers Table 7 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the UAG Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the U...

Page 29: ... a column heading cell s right border and drag to re size the column Figure 11 Resizing a Table Column Select a column heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new location Figure 12 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries an...

Page 30: ...cted entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The UAG confirms you want...

Page 31: ...User s Guide 31 Figure 15 Working with Lists 1 5 Stopping the UAG Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the UAG or remove the power Not doing so can cause the firmware to become corrupt ...

Page 32: ... for the screw anchors into the wall Push the anchors into the full depth of the holes then insert the screws into the anchors Do not insert the screws all the way in leave a small gap of about 0 5 cm If not using screw anchors use a screwdriver to insert the screws into the wall Do not insert the screws all the way in leave a gap of about 0 5 cm 4 Make sure the screws are fastened well enough to ...

Page 33: ...Chapter 2 Hardware Installation and Connection UAG4100 User s Guide 33 Figure 16 Wall Mounting Example 2 2 Front Panel This section introduces the UAG s front panel Figure 17 UAG Front Panel ...

Page 34: ... the LEDs 2 3 Rear Panel The following figure shows the rear panel of the UAG The rear panel contains a console port a power switch and a connector for the power receptacle and four antennas Table 10 Front Panel LEDs LED COLOR STATUS DESCRIPTION PWR Off The UAG is turned off Green On The UAG is turned on Red On There is a hardware component failure Shut down the device wait for a few minutes and t...

Page 35: ...e CLI via the console port For local management you can use a computer with terminal emulation software configured to the following parameters VT100 terminal emulation 115200 bps No parity 8 data bits 1 stop bit No flow control Connect the male 9 pin end of the RS 232 console cable to the console port of the UAG Connect the female end to a serial port COM1 COM2 or other COM port of your computer R...

Page 36: ... Connect the Ethernet port of the printer to one LAN port of the UAG 2 Connect the power socket of the printer to a power outlet Turn on the printer The printer is acting as a DHCP client by default and will obtain an IP address from the connected UAG Make sure the UAG is turned on already and the DHCP server is enabled on its LAN interface s 3 3 Set up an Internet Connection on the UAG 1 Connect ...

Page 37: ...nter to the UAG s printer list check the sticker on the printer s rear panel to see its MAC address 1 Go to the Dashboard of the UAG web configurator 2 Open the DHCP Table to find the IP address that is assigned to the printer s MAC address Make sure the IP address is reserved for the printer Write down the printer s IP address ...

Page 38: ...de 38 3 Go to the Configuration Printer Manager screen Click Add in the Printer List to create a new entry for your printer 4 After the printer s IP address is added to the printer list select the Enable Printer Manager checkbox and then click Apply ...

Page 39: ...s Note You may need to wait up to 90 seconds for the UAG to synchronize with the printer successfully after you click Apply in the the Configuration Printer Manager screen 3 5 Turn on Web Authentication on the UAG With web authentication users need to log in through a designated web page before they can access the network s 1 Go to the Configuration Web Authentication screen ...

Page 40: ... Internal Web Portal to use the default login page 4 Click Add to create a new web authentication policy 5 The Auth Policy Add screen displays Set Authentication to required and select Force User Authentication to redirect all HTTP traffic to the default login page 6 Click OK to save your changes ...

Page 41: ...ased account generator to create guest accounts based on the pre defined billing settings see Section 26 3 on page 254 1 Go to the Configuration Free Time screen 2 Select the Enable Free Time checkbox to turn on this feature Click Apply 3 Whenever a user tries to access a web page he she will be redirect to the default login page 4 Click the link on the login page to get a free guest account ...

Page 42: ... UAG4100 User s Guide 42 5 A Welcome screen displays Select the free time service Click OK to generate and show the account information on the web page 6 Now you can use this account to access the Internet through the UAG for free ...

Page 43: ...Chapter 3 Printer Deployment UAG4100 User s Guide 43 ...

Page 44: ...tings This chapter provides information on configuring the Web Configurator s installation setup wizard See the feature specific chapters in this User s Guide for background information Figure 19 Installation Setup Wizard Welcome Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configurin...

Page 45: ...r a dial up connection according to the information from your ISP First WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto if your ISP did not assign you a fixed IP address Select Static if the ISP assigned a fixed IP address 4 2 1 Internet Settings Ether...

Page 46: ...nter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS serve...

Page 47: ...HAP V2 Your UAG accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Type the Password associated with the user name Use up to 64 ASCII characters except the and This field can be blank Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seconds that elapses ...

Page 48: ...DNS and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it 4 2 3 Internet Settings PPTP Note Enter the Internet access information exactly as given to you by your ISP Figure 23 Internet Access PPTP Encapsulation ISP Parameters Authentication Type Select an authen...

Page 49: ...For example C 12 or N My ISP This field is optional and depends on the requirements of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long WAN IP Address Assignments First WAN Interface This is the connection type on the interface you are configuring to connect with your ISP Zone This is the security zone to which this interface and Inter...

Page 50: ...ings Use this screen to configure the wireless and wireless security settings when you turn on the local AP The screen varies depending on the security mode you selected Figure 25 Wireless Settings Security Mode WPA2 Wireless Settings SSID Enter a descriptive name of up to 32 printable characters for the wireless LAN ...

Page 51: ...ffic from within the same SSID Wireless clients can still access the wired network but cannot communicate with each other Radio Settings Enable 802 11 2 4G 5G Band Select the option to activate the 2 4GHz or 5GHz wireless LAN When using the 2 4 GHz band select b g in the Mode field to let IEEE 802 11b and IEEE 802 11g compliant wireless devices associate with the AP Otherwise select b g n to let I...

Page 52: ...rinter Settings If you enable the web authentication feature attach a statement printer and select Yes to have the UAG generate dynamic guest accounts Otherwise select No and click Next to go to the Free Time screen with which you can allow the UAG to create free guest accounts Figure 27 Printer Settings ...

Page 53: ...rinter attached to the UAG click Discover Printer to detect the printer that is connected to the UAG and display the printer information Add to Mgnt Printer List Select this to add the printer to the managed printer list IPv4 Address This shows the IP address of the printer MAC This shows the MAC address of the printer Printout Specify how many copies of subscriber statements you want to print 4 6...

Page 54: ... time that the user is logged in for Internet access Specify the User idle timeout between 1 and 60 minutes The UAG automatically disconnects a computer from the network after a period of inactivity The user may need to enter the username and password again before access to the network is allowed Currency Select the appropriate currency symbol or currency unit If you set Currency code to User Defi...

Page 55: ...must be a letter Time Period Set the duration of the billing period When this period expires the user s access will be stopped Price Set each profile s price up to 999999 99 per time unit 4 6 2 Account Generator Settings Use this screen to select the pre defined billing profiles that the UAG can use to automatically create dynamic guest accounts Each button represents a billing profile that define...

Page 56: ...ings Use this screen to configure the free time settings Figure 32 Free Time Settings Free Time Period Select the duration of time period for which the free time account is allowed to access the Internet Reset Time Select the time in 24 hour format at which the new free time account is allowed to access the Internet ...

Page 57: ...mum Registration Number Before Reset Time to 1 and the Reset Time to 13 00 even the first free guest account has expired at 11 30 the second account still cannot access the Internet until 13 00 4 8 Device Registration Go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it if you have not already done so Note You must be connected to the Internet to register U...

Page 58: ...ormation In the Web Configurator click Configuration Quick Setup to open the first Quick Setup screen Figure 34 Quick Setup WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the UAG if you use PPPoE or PPTP See Section 5 2 on page 58 5 2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen...

Page 59: ...that you want to configure for a WAN connection and click Next Figure 36 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection is to use Choose Ethernet when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP ...

Page 60: ...P address Figure 38 WAN Interface Setup Step 2 WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto If your ISP did not assign you a fixed IP address Select Static if you have a fixed IP address 5 2 4 ISP and WAN Connection Settings Use this screen to confi...

Page 61: ...ation protocol for outgoing calls Options are CHAP PAP Your UAG accepts either CHAP or PAP when requested by this remote node CHAP Your UAG accepts CHAP only PAP Your UAG accepts PAP only MSCHAP Your UAG accepts MSCHAP only MSCHAP V2 Your UAG accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long...

Page 62: ... long WAN Interface Setup WAN Interface This displays the identity of the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field Gateway IP Address This ...

Page 63: ...This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which security zone this interface and Internet connection will belong IP Address Assign...

Page 64: ...DHCP Table screen see Section 6 2 4 on page 71 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Number of Login Users screen see Section 6 2 5 on page 72 to look at a list of the users currently logged into the UAG 6 2 The Dashboard Screen The Dashboard screen displays when you log into the UAG or click Dashboard in the...

Page 65: ...es the labels in this screen Table 13 Dashboard LABEL DESCRIPTION Widget Settings A Use this link to open or close widgets by selecting clearing the associated checkbox Up Arrow B Click this to collapse a widget It then becomes a down arrow Click it again to enlarge the widget again A B C D E ...

Page 66: ...eld displays the port speed and duplex setting Full or Half Ready The USB port is connected Zone This field displays the zone to which the interface is currently assigned IP Address Mask This field displays the current IP address and subnet mask assigned to the interface Console speed This field displays the current console port speed Device Information System Name This field displays the name use...

Page 67: ...ace does not have any physical ports associated with it its entry is displayed in light gray text Name This field displays the name of each interface Status This field displays the current status of each interface The possible values depend on what type of interface it is For Ethernet interfaces Inactive The Ethernet interface is disabled Down The Ethernet interface does not have any physical port...

Page 68: ...tem Resources CPU Usage This field displays what percentage of the UAG s processing capability is currently being used Hover your cursor over this field to display the Show CPU Usage icon that takes you to a chart of the UAG s recent CPU usage Memory Usage This field displays what percentage of the UAG s RAM is currently being used Hover your cursor over this field to display the Show Memory Usage...

Page 69: ...e MAC address of the AP to which the station belongs Max Station Count This field displays the maximum number of wireless clients that have connected to this AP AP Description This field displays the AP s description The default description is AP followed by the AP s MAC address The Latest Alert Logs This section of the screen displays recent logs generated by the UAG This is the entry s rank in t...

Page 70: ...ick Show Active Sessions in the dashboard Table 14 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usage The x axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Table 15 Dashboard Memory Usage LABEL ...

Page 71: ...erved for specific MAC addresses To access this screen click DHCP Table in System Status in the dashboard Figure 45 Dashboard DHCP Table Table 16 Dashboard Show Active Sessions LABEL DESCRIPTION Sessions The y axis represents the number of session The x axis shows the time period over which the session usage occurred Refresh Interval Enter how often you want this window to be automatically updated...

Page 72: ...ost Name This field displays the name used to identify this device on the network the computer name The UAG learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by MAC address Cl...

Page 73: ...unt Remaining Time This field displays the amount of Internet access time remaining for each account This shows n a for an administrator account Remaining Quota T U D This field displays the remaining amount of data that can be transmitted or received by each account You can see the amount of either data in both directions Total or upstream data Upload and downstream data Download This shows for a...

Page 74: ...devices that have received an IP address from UAG interfaces with IP MAC binding enabled Use the System Status Login Users screen see Section 7 8 on page 85 to look at a list of the users currently logged into the UAG Use the System Status UPnP Port Status screen see Section 7 9 on page 86 to look at a list of the NAT port mapping rules that UPnP creates on the UAG Use the System Status USB Storag...

Page 75: ...2 on page 103 to view the UAG s dynamic guest account log messages 7 2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port To access this screen click Monitor System Status Port Statistics Figure 47 Monitor System Status Port Statistics The following table describes the labels in this screen Table 19 Monitor System Status Port Statistics LABEL DES...

Page 76: ...om the UAG on the physical port since it was last connected RxPkts This field displays the number of packets received by the UAG on the physical port since it was last connected Collisions This field displays the number of collisions on the physical port since it was last connected Tx B s This field displays the transmission speed in bytes per second on the physical port in the one second interval...

Page 77: ... window right away Port Selection Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table Kbps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occurred TX This line represents traffic transmitted from the UAG on t...

Page 78: ...plays Inactive For PPP interfaces Inactive The PPP interface is disabled Connected The PPP interface is connected Disconnected The PPP interface is not connected Zone This field displays the zone to which the interface is assigned IP Addr Netmask This field displays the current IP address and subnet mask assigned to the interface If the IP address and subnet mask are 0 0 0 0 the interface is disab...

Page 79: ...e any physical ports associated with it or the Ethernet interface is enabled but not connected Up The LAN Ethernet interface is enabled and connected Speed Duplex The WAN Ethernet interface is enabled and connected This field displays the port speed and duplex setting Full or Half For virtual interfaces this field always displays Up or Down If the virtual interface is disabled it displays Inactive...

Page 80: ...hernet VLAN bridge and PPPoE PPTP interfaces Top Select the type of report to display Choices are Host IP Address User displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one Service Port displays the most used protocols or service ports and the amount of traffic for each one Web Site Hits displays the most visited Web sites and how many tim...

Page 81: ...Direction This field indicates whether the indicated protocol or service port is sending or receiving traffic Ingress traffic is coming into the router through the interface Egress traffic is going out from the router through the interface Amount This field displays how much traffic was sent or received from the indicated service port If the Direction is Ingress a red bar is displayed if the Direc...

Page 82: ...tor LABEL DESCRIPTION View Select how you want the information to be displayed Choices are sessions by users display all active sessions grouped by user sessions by services display all active sessions grouped by service or protocol sessions by source IP display all active sessions grouped by source IP address sessions by destination IP display all active sessions grouped by destination IP address...

Page 83: ...iteria in the User Service Source Address and Destination Address fields Active Sessions This is the total number of active sessions that matched the search criteria Show Select the number of active sessions displayed on each page You can use the arrow keys on the right to change pages User This field displays the user in each active session If you are looking at the sessions by users or all sessi...

Page 84: ...e 25 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the UAG update the profile to the DDNS server The UAG attempts to resolve the IP address for the domain name Profile Name This field displays the descriptive profile name for this entry Domain Name This field displays each domain name the UAG can route Effective IP This is the resolved IP address of the domain name ...

Page 85: ...e The UAG learns these from the DHCP client requests MAC Address This field displays the MAC address to which the IP address is currently assigned Last Access This is when the device last established a session with the UAG through this interface Description This field displays the descriptive name that helps identify the entry Refresh Click this button to update the information in the screen Table...

Page 86: ...s the way the user logged in to the UAG IP Address This field displays the IP address of the computer used to log in to the UAG User Info This field displays the types of user accounts the UAG uses If the user type is ext user external user this field will show its external group information when you move your mouse over it If the external user matches two external group objects both external grou...

Page 87: ...isplays the port number that the UAG listens on on the WAN port for connection requests destined for the NAT rule s Internal Port and Internal Client The UAG forwards incoming packets from the WAN with this port number to the Internal Client on the Internal Port on the LAN If the field displays 0 the UAG ignores the Internal Port value and forwards requests on all external port numbers that are ot...

Page 88: ...file system of the USB storage device is not supported by the UAG such as NTFS Speed This field displays the connection speed the USB storage device supports Status Ready you can have the UAG use the USB storage device Click Remove Now to stop the UAG from using the USB storage device so you can remove it Unused the connected USB storage device was manually unmounted by using the Remove Now button...

Page 89: ...me the account can use to access the Internet through the UAG Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list Quota T U D This field displays how much data in both directions Total or upstream data...

Page 90: ...ed but is offline now This guest account expired This guest account has been deleted Table 32 Monitor Wireless AP Information AP List LABEL DESCRIPTION Add to Mgnt AP List Click this to add the selected AP to the managed AP list More Information Click this to view a daily station count about the selected AP The count records station activity on the AP over a consecutive 24 hour period This is the ...

Page 91: ...nt On line Time This displays the most recent time the AP came on line N A displays if the AP has not come on line since the UAG last started up Last Off line Time This displays the most recent time the AP went off line N A displays if the AP has either not come on line or gone off line since the UAG last started up Table 33 Monitor Wireless AP Information AP List Icons LABEL DESCRIPTION This AP i...

Page 92: ...ount of AP LABEL DESCRIPTION Configuration Status This displays whether or not any of the AP s configuration is in conflict with the UAG s settings for the AP Non Support If any of the AP s configuration conflicts with the UAG s settings for the AP this field displays which configuration conflicts It displays n a if none of the AP s configuration conflicts with the UAG s settings for the AP Statio...

Page 93: ... This displays the model of the AP to which the radio belongs MAC Address This displays the MAC address of the radio Radio This indicates the radio number on the AP to which it belongs OP Mode This indicates the radio s operating mode such as AP access point Profile This indicates the profile name to which the radio belongs Frequency Band This indicates the wireless frequency currently being used ...

Page 94: ...view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 61 Monitor Wireless AP Information Radio List AP Mode Radio Information ...

Page 95: ...lays the MAC address associated with the SSID Security Mode This displays the security mode in which the SSID is operating VLAN This displays the VLAN ID associated with the SSID Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24 hours y axis This axis represents the amount of data moved across this radio in megabytes per second x axis This...

Page 96: ...ected to the network SSID Name This indicates the name of the wireless network to which the station is connected A single AP can have multiple SSIDs or networks Security Mode This indicates which secure encryption methods is being used by the station to connect to the network Signal Strength This indicates the strength of the signal The signal strength mainly depends on the antenna output power an...

Page 97: ...ther the printer is added to the managed printer list Mgnt Printer or not Un Mgnt Printer IPv4 Address This field displays the IP address of the printer that you configured in the Configuration Printer Manager screen Update Time This field displays the date and time the UAG last synchronized with the printer This shows n a when the printer is not in the managed printer list or the printer status i...

Page 98: ... which the outgoing traffic is forwarded Rule This field displays the index number of the matched VPN 1 1 mapping rule that you configured in the Configuration VPN 1 1 Mapping screen Pool This field displays the name of the pool profile that you configured for the VPN 1 1 mapping rule Force Logout Select a user ID and click this icon to end a user s session Refresh Click this button to update the ...

Page 99: ...s have the same priority To access this screen click Monitor Log The log is displayed in the following screen Note When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first The maximum possible number of log messages in the UAG varies by model Events that generate an alert as well as a lo...

Page 100: ...isplays when you show the filter Select the service whose log messages you would like to see The Web Configurator uses the protocol and destination port number s of the service to select which log messages you see Keyword This displays when you show the filter Type a keyword to look for in the Message Source Destination and Note fields If a match is found in any field the log message is displayed ...

Page 101: ... Monitor Log View AP Log to access this screen Figure 67 Monitor Log View AP Log Source This field displays the source IP address and the port number in the event that generated the log message Destination This field displays the destination IP address and the port number of the event that generated the log message Note This field displays any additional information about the log message Table 41 ...

Page 102: ... a destination IP address to display only the log messages that include it Note This criterion only appears when you Show Filter Source Interface Enter a source interface to display only the log messages that include it Note This criterion only appears when you Show Filter Destination Interface Enter a destination interface to display only the log messages that include it Note This criterion only ...

Page 103: ...og View AP Log continued LABEL DESCRIPTION Table 43 Monitor Log Dynamic Users Log LABEL DESCRIPTION Begin End Date Select the first and last dates to specify a time period The UAG displays log messages only for the accounts created during the specified time period after you click Search Begin End Time Select the begin time of the first date and the end time of the last date to specify a time perio...

Page 104: ... This field displays how much data in both directions Total or upstream data Upload and downstream data Download can be transmitted through the WAN interface before the account expires Remaining Quota T U D This field displays the remaining amount of data that can be transmitted or received by each account You can see the amount of either data in both directions Total or upstream data Upload and d...

Page 105: ...at myZyXEL com through the UAG Note You need to create a myZyXEL com account before you can register your device and activate the services at myZyXEL com Go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it Refer to the web site s on line help for details Note To activate a service on a UAG you need to access myZyXEL com via that UAG Subscription Services A...

Page 106: ... this screen to display the status of your service registrations To activate or extend a standard service subscription purchase an iCard and enter the iCard s PIN number license key at myZyXEL com Click Configuration Licensing Registration Service to open the screen as shown next Figure 70 Configuration Licensing Registration Service The following table describes the labels in this screen Table 44...

Page 107: ... expires This field is blank when a service does not expire Count This field displays the maximum number of wired and wireless users that may connect to the UAG at the same time or how many managed APs the UAG can support with your current license Service License Refresh Click this button to renew service license information such as the registration status and expiration day Table 44 Configuration...

Page 108: ... The Controller screen Section 9 2 on page 108 sets how the UAG allows new APs to connect to the network The AP Management screen Section 9 3 on page 109 manages all of the APs connected to the UAG 9 2 Controller Screen Use this screen to set how the UAG allows new APs to connect to the network Click Configuration Wireless Controller to access this screen Figure 71 Configuration Wireless Controlle...

Page 109: ...t automatically differentiate between friendly and rogue APs APs must be connected to the UAG by a wired connection or network Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to its last saved settings Table 46 Configuration Wireless AP Management LABEL DESCRIPTION Edit Select an AP and click this button to edit its properties Remove Select an AP and c...

Page 110: ...s the operating mode AP and AP profile name for Radio 2 It displays n a for the profile for a radio not using an AP profile Mgnt VLAN ID AC This displays the Access Controller the UAG management VLAN ID setting for the AP Mgnt VLAN ID AP This displays the runtime management VLAN ID setting on the AP VLAN Conflict displays if the AP s management VLAN ID does not match the Mgnt VLAN ID AC This field...

Page 111: ...ubsequently passed on to an upstream gateway for managing Radio 1 2 Profile Select a profile from the list If no profile exists you can create a new one through the Create new Object menu VLAN Settings This section is not available when you are editing the local AP s settings Force Overwrite VLAN Config Select this to have the UAG change the AP s management VLAN to match the configuration in this ...

Page 112: ...P Internet connections Use the VLAN screens Section 10 5 on page 132 to divide the physical network into multiple logical networks VLAN interfaces receive and send tagged frames The UAG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Use the Bridge screens Section 10 6 on page 139 to combine two or more network segments into a single ne...

Page 113: ... are specific to each type of interface See Section 10 2 on page 114 and Chapter 11 on page 152 for details The other types of interfaces Ethernet PPP VLAN bridge and virtual have a lot of similar characteristics These characteristics are listed in the following table and discussed in more detail below The format of interface names other than the Ethernet and ppp interface names is strict Each nam...

Page 114: ...or background information on interfaces See Chapter 11 on page 152 to configure load balancing using trunks 10 2 Port Role Screen To access this screen click Configuration Network Interface Port Role Use the Port Role screen to set the UAG s flexible ports as part of the lan1 or lan2 interfaces This creates a hardware connection between the physical ports at the layer 2 data link MAC address level...

Page 115: ...an one physical port to a network you create a port group Port groups have the following characteristics There is a layer 2 Ethernet switch between physical ports in the port group This provides wire speed throughput but no security It can increase the bandwidth between the port group and other interfaces The port group uses a single MAC address Click Apply to save your changes and apply them to t...

Page 116: ...he UAG confirms you want to remove it before doing so Activate To turn on an interface select it and click Activate Inactivate To turn off an interface select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual Ethernet interface select an Ethernet interface and click Create Virtual Interface Object References Select an entry and click Object Referenc...

Page 117: ...n entry in the Ethernet summary screen and click the Edit icon See Section 10 3 on page 115 Note If you create IP address objects based on an interface s IP address subnet or gateway the UAG automatically updates every rule or setting that uses the object whenever the interface s IP address settings change For example if you change the LAN s IP address the UAG automatically updates the correspondi...

Page 118: ...Chapter 10 Interfaces UAG4100 User s Guide 118 Figure 76 Configuration Network Interface Ethernet Edit External Type ...

Page 119: ...Chapter 10 Interfaces UAG4100 User s Guide 119 Figure 77 Configuration Network Interface Ethernet Edit Internal Type ...

Page 120: ...ed to change a related address object for the network connected to the interface For example if you use this screen to change the IP address of your LAN interface you should also change the corresponding LAN subnet address object Get Automatically This option appears when Interface Type is external Select this to make the interface a DHCP client and automatically get the IP address subnet mask and...

Page 121: ... the default gateway for the connectivity check Check this address Select this to specify a domain name or IP address for the connectivity check Enter that domain name or IP address in the field next to it Check Port This field only displays when you set the Check Method to tcp Specify the port number to use for a TCP connectivity check DHCP Setting This section appears when Interface Type is inte...

Page 122: ... Defined and enter the IP address Lease time Specify how long each computer can use the information especially the IP address before it has to request the information again Choices are infinite select this if IP addresses never expire days hours and minutes select this to enter how long IP addresses are valid Extended Options This table is available if you selected DHCP server Configure this table...

Page 123: ...s Setting This section appears when Interface Type is external Have the interface use either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address By default the UAG uses the factory assigned MAC address to identify...

Page 124: ...s is the type of setting that references the selected object Click a service s name to display the service s configuration screen in the main window Priority If it is applicable this field lists the referencing configuration item s position in its list otherwise N A displays Name This field identifies the configuration item that references the object Description If the referencing configuration it...

Page 125: ... industry consortium compliance First Information Second Information If you selected VIVS 125 enter additional information for the corresponding enterprise number in these fields First FQDN Second FQDN Third FQDN If the Type is FQDN you have to enter at least one domain name of the corresponding servers in these fields The servers should be listed in order of your preference OK Click this to close...

Page 126: ...way PPPoE PPTP interfaces are interfaces between the UAG and only one computer Therefore the subnet mask is always 255 255 255 255 In addition the UAG always treats the ISP as a gateway 10 4 1 PPP Interface Summary This screen lists every PPPoE PPTP interface To access this screen click Configuration Network Interface PPP VIVS 125 Vendor Identifying Vendor Specific option DHCP clients and servers ...

Page 127: ...nd click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page ...

Page 128: ... Add or Edit Note You have to set up an ISP account before you create a PPPoE PPTP interface This screen lets you configure a PPPoE or PPTP interface To access this screen click the Add icon or select an entry in the PPP interface summary screen and click the Edit icon ...

Page 129: ...Chapter 10 Interfaces UAG4100 User s Guide 129 Figure 82 Configuration Network Interface PPP Add ...

Page 130: ...ction up all the time Dial on Demand Select this to have the UAG establish the PPPoE PPTP connection only when there is traffic You might use this option if there is little traffic through the interface or if it costs money to keep the connection available ISP Setting Account Profile Select the ISP account that this PPPoE PPTP interface uses The drop down box lists ISP accounts by name Use Create ...

Page 131: ...nterface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the UAG stops routing to the gateway The UAG resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway ...

Page 132: ...e physical networks into three VLANs Figure 84 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the switches are connected to the router If one switch has enough connections for the entire netwo...

Page 133: ... department in the example above These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and VLAN 1 Between the router and VLAN 2 Between the router and VLAN 3 VLAN Interfaces Overview In the UAG each VLAN is called a VLAN interfac...

Page 134: ...lect an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 123 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field dis...

Page 135: ...Chapter 10 Interfaces UAG4100 User s Guide 135 or select an entry in the VLAN summary screen and click the Edit icon The following screen appears Figure 86 Configuration Network Interface VLAN Edit ...

Page 136: ...on the model Zone Select the zone to which the VLAN interface belongs Base Port Select the Ethernet interface on which the VLAN interface runs VLAN ID Enter the VLAN ID This 12 bit number uniquely identifies each VLAN Allowed values are 1 4094 0 and 4095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be u...

Page 137: ...ou specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the UAG stops routing through the gateway Check Default Gateway Select this to use the default gateway for the co...

Page 138: ...to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default router This default router will become the DHCP clients default gateway To use another IP addres...

Page 139: ...this to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Enter the MAC address to which to assign this entry s IP address Description Enter a descripti...

Page 140: ...fic between some interfaces while it routes traffic for other interfaces The bridge interfaces also support more functions like interface bandwidth parameters DHCP settings and connectivity check To use the whole UAG as a transparent bridge add all of the UAG s interfaces to a bridge interface A bridge interface may consist of the following members Zero or one VLAN interfaces and any associated vi...

Page 141: ...nd click Activate Inactivate To turn off an entry select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 123 for an example This field is a ...

Page 142: ... IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Add icon or select an entry in the Bridge summary screen and click the Edit icon The following screen appears Figure 88 Configuration Network Interface Bridge Add ...

Page 143: ...all and remote management Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Member Configuration Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface An interface is not available in the following situations There is a virtual inter...

Page 144: ...s of a DHCP server for the network Relay Server 2 This field is optional Enter the IP address of another DHCP server for the network These fields appear if the UAG is a DHCP Server IP Pool Start Address Enter the IP address from which the UAG begins allocating IP addresses If you want to assign a static IP address to a specific computer click Add Static DHCP If this field is blank the Pool Size mu...

Page 145: ... this option to have this interface enforce links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the UAG generate a log if a device conn...

Page 146: ... to have the UAG regularly ping the gateway you specify to make sure it is still available Select tcp to have the UAG regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail T...

Page 147: ...e You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter the subnet mask of this interface in dot decimal notation The subnet mask indicates what part of the IP address is the same for all computers in the network Gateway Enter the IP address of the gateway The UAG sends packets to ...

Page 148: ...hese interfaces you can only enter the IP address In many interfaces you can also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually In general the IP address and subnet mask of each interface should not overl...

Page 149: ...network 1 If you set the bandwidth restrictions very high you effectively remove the restrictions The UAG also restricts the size of each data packet The maximum number of bytes in each packet is called the maximum transmission unit MTU If a packet is larger than the MTU the UAG divides it into smaller fragments Each fragment is sent separately and the original packet is re assembled later The sma...

Page 150: ...sk is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP Address Assignment on page 148 Gateway The interface provides the same gateway you specify for the interface See IP Address Assignment on page 148 DNS servers The interface provides IP addresses for up to three DNS ...

Page 151: ...stems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second one 2...

Page 152: ... connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface s connection is up 11 1 1 What You Can Do in this Chapter Use the Trunk summary screen Section 11 2 on page 155 to configure link sticking and view the list of configured tr...

Page 153: ...h Here the UAG has two WAN interfaces connected to the Internet The configured available outbound bandwidths for wan1 and ppp0 are 512K and 256K respectively Figure 91 Least Load First Example The outbound bandwidth utilization is used as the load balancing index In this example the measured current outbound throughput of wan1 is 412K and ppp0 is 198K The UAG calculates the load balancing index as...

Page 154: ...G assigns the traffic of two sessions to wan1 and one session s traffic to ppp0 in each round of 3 new sessions Figure 92 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface s maximum allowable load is reached then sends the excess network traffic of new sessions to the nex...

Page 155: ...configuration fields Disconnect Connections Before Falling Back Select this to terminate existing connections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up Enable Default SNAT Select this to have the UAG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The UA...

Page 156: ...er configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page...

Page 157: ...n add edit remove or move entries for user configured trunks Add Click this to add a member interface to the trunk Select an interface and click Add to add a new member interface after the selected member interface Edit Select an entry and click Edit to modify the entry s settings Remove To remove a member interface select it and click Remove The UAG confirms you want to remove it before doing so ...

Page 158: ...e in the corresponding interface edit screen Total Bandwidth This field displays with the spillover load balancing algorithm It displays the maximum number of kilobits of data the UAG is to send out and allow to come in through the interface per second You can configure the bandwidth of an interface in the corresponding interface edit screen Spillover This field displays with the spillover load ba...

Page 159: ...aces Mode This field displays Active if the UAG always attempt to use this connection This field displays Passive if the UAG only use this connection when all of the connections set to active are down Only one of a group s interfaces can be set to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the weight 1 10 for the interface The weights of ...

Page 160: ...olicy route to communicate with a separate network behind another router R3 connected to the LAN Figure 97 Example of Policy Routing Topology 12 1 1 What You Can Do in this Chapter Use the Policy Route screens see Section 12 2 on page 162 to list and configure policy routes Use the Static Route screens see Section 12 3 on page 167 to list and configure static routes 12 1 2 What You Need to Know Po...

Page 161: ...sus Static Routes Policy routes are more flexible than static routes You can select more criteria for the traffic to match and can also use schedules and NAT Policy routes are only used within the UAG itself Policy routes take priority over static routes If you need to use a routing policy on the UAG and propagate it to other routers you could configure a policy route and an equivalent static rout...

Page 162: ...ifferent kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies Finding Out More See Section 12 4 on page 169 for more background information on policy routing 12 2 Policy Route Screen Click Configuration Network Routing to open the Policy Route screen Use this screen to see the configured policy routes A policy route defines the matching crite...

Page 163: ...f their numbering This is the number of an individual policy route Status This icon is lit when the entry is active red when the next hop s connection is down and dimmed when the entry is inactive User This is the name of the user group object from which the packets are sent any means all users Schedule This is the name of the schedule object none means the route is active at all times if enabled ...

Page 164: ... s outgoing packets preserve means the UAG does not modify the DSCP value of the route s outgoing packets default means the UAG sets the DSCP value of the route s outgoing packets to 0 The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 169 for more details SNAT T...

Page 165: ... or lesser number of configuration fields Create new Object Use this to configure any new settings objects that you need to use in this screen Configuration Enable Select this to activate the policy Description Enter a descriptive name of up to 31 printable ASCII characters for the policy Criteria User Select a user name or user group from which the packets are sent Incoming Select where the packe...

Page 166: ... source port of packets to which the policy route applies Next Hop Type Select Auto to have the UAG use the routing table to find a next hop and forward the matched packets automatically Select Gateway to route the matched packets to the next hop router or switch you specified in the Gateway field You have to set up the next hop router or switch as a HOST address object first Select Trunk to route...

Page 167: ...e the UAG set the DSCP value of the packets to 0 User Defined DSCP Marking Use this field to specify a custom DSCP value Address Translation Use this section to configure NAT for the policy route Source Network Address Translation Select none to not use NAT for the route Select outgoing interface to use the IP address of the outgoing interface as the source IP address of the packets that matches t...

Page 168: ...e IP address of the next hop gateway or the interface through which the traffic is routed The gateway is a router or switch on the same segment as your UAG s interface s The gateway helps forward packets to their destinations Metric This is the route s priority among the UAG s routes The smaller the number the higher priority the route has Table 75 Configuration Network Routing Static Route Add LA...

Page 169: ...on occurs between classes the traffic in the higher class smaller numbered class is generally given priority Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43 The decimal equivalent is listed in brackets Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minim...

Page 170: ...rface and PPPoE PPTP interface can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 102 Example Zones 13 1 1 What You Can Do in this Chapter Use the Zone screens see Section 13 2 on page 171 to manage the UAG s zones 13 1 2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively d...

Page 171: ...ffic between VLAN1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone Traffic Extra zone traffic is traffic to or from any interface that is not assigned to a zone For example in Figure 102 on page 170 traffic to or from computer C is extra zone traffic Some zone based security and policy settings may apply to extra zone tra...

Page 172: ...e your own User Configuration zones Add Click this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a scree...

Page 173: ...the first character cannot be a number This value is case sensitive Member List Available lists the interfaces that do not belong to any zone Select the interfaces that you want to add to the zone you are editing and click the right arrow button to add them Member lists the interfaces that belong to the zone Select any interfaces that you want to remove from the zone and click the left arrow butto...

Page 174: ...ent IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the UAG When registration is complete the DNS service provider gives you a password or key At the time of writing the UAG supports the following DNS service providers See the listed websites for details...

Page 175: ...s inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the UAG can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the UAG determines the IP address for the domain n...

Page 176: ...Network DDNS Add The following table describes the labels in this screen Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 80 Configuration Network DDNS continued LABEL DESCRIPTION Table 81 Configuration Network DDNS Add LABEL DESCRIPTION Show Advanced Settings Hide Advanced Settings Click this button to display a ...

Page 177: ...t the interface to use for updating the IP address mapped to the domain name Select any to let the domain name be used with any interface IP Address The options available in this field vary by DDNS provider Interface The UAG uses the IP address of the specified interface This option appears when you select a specific interface in the Primary Binding Address Interface field Auto If the interface ha...

Page 178: ...alias subdomains to be aliased to the same IP address as your dynamic domain name This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname Mail Exchanger This option is only available with a DynDNS account DynDNS can route e mail for your domain name to a mail server called a mail exchanger For example DynDNS routes e mail for john doe ...

Page 179: ... you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 172 16 0 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 107 Multiple Servers Behind NAT Example 15 1 1 What You Can Do i...

Page 180: ...equential value and it is not associated with a specific entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the entry Mapping Type This field displays what kind of NAT this entry performs Virtual Server 1 1 NAT or Many 1 1 NAT Interface This field displays the interface on which packets for the NAT entry are received Or...

Page 181: ...gure 109 Configuration Network NAT Add The following table describes the labels in this screen Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 82 Configuration Network NAT continued LABEL DESCRIPTION Table 83 Configuration Network NAT Add LABEL DESCRIPTION Create new Object Use to configure any new settings objec...

Page 182: ...nterface any Select this to use all of the incoming interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User Defined Select this to manually enter an IP address in the User Defined Original IP field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Hos...

Page 183: ...ype is Ports Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet Mapped End Port This field is available if Port Mapping Type is Ports Enter the end of the range of translated destination ports if this NAT rule forwards the packet The original port range and the mapped port range must be the same size Enable NAT Loopback Enable NAT loopback to allo...

Page 184: ...e a LAN user s computer at IP address 172 16 0 89 queries a public DNS server to resolve the SMTP server s domain name xxx LAN SMTP com in this example and gets the SMTP server s mapped public IP address of 1 1 1 1 Figure 110 LAN Computer Queries a Public DNS Server The LAN user s computer then sends traffic to IP address 1 1 1 1 NAT loopback uses the IP address of the UAG s lan1 interface 172 16 ...

Page 185: ...he original destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 112 LAN to LAN Return Traffic 172 16 0 21 LAN 172 16 0 89 Source 172 16 0 89 SMTP NAT Source 172 16 0 1 SMTP 172 16 0 21 LAN 172 16 0 89...

Page 186: ...ress to the user Outgoing traffic from user A will then be sent through the WAN1 interface using the mapped public IP address 10 10 1 35 Outgoing traffic from user B will be sent through the WAN1 interface using the mapped public IP address 10 10 1 36 Figure 113 VPN 1 1 Mapping Example 16 1 1 What You Can Do in this Chapter Use the VPN 1 1 Mapping screens see Section 16 2 on page 187 to enable and...

Page 187: ...tomatically a VPN 1 1 mapping rule to forward any traffic from the user A B through the wan1 interface using a unique public IP address 16 2 The VPN 1 1 Mapping General Screen The VPN 1 1 Mapping summary screen provides a summary of all VPN 1 1 mapping rules and their configuration In addition this screen allows you to create new VPN 1 1 mapping rules and edit and delete existing VPN 1 1 mapping r...

Page 188: ...e Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This field is a sequential value and it is not associated with a specific entry Status This...

Page 189: ...ject Click this button to create any new user group objects that you need to use in this screen Enable Policy Use this option to turn the VPN 1 1 mapping rule on or off User Group Use the drop down list box to select the individual or group for which you want to use this rule Select any to have the mapping rule apply to all of the traffic that the UAG receives from any user Pool Profile The Select...

Page 190: ...uential value and it is not associated with a specific entry Name This field displays a descriptive name for the profile Enter a descriptive name to identify the profile Address This field displays the name of the IP address object the profile is set to use Select an address object that presents the IP address es which can be assigned to the matched users by the UAG Note You cannot select an addre...

Page 191: ...he a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 117 HTTP Redirect Example 17 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see Section 17 2 on page 192 to display and edit the HTTP redirect rules 17 1 2 What You Need to Know Web Proxy Server A proxy server helps client devices make indir...

Page 192: ...ests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 117 on page 191 work make sure you have the following settings For HTTP traffic between lan1 and lan2 a from LAN1 to LAN2 firewall rule to allow HTTP requests from lan1 to lan2 Responses to this request are allow...

Page 193: ...n modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit when the entry is active and dimmed w...

Page 194: ...y use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be received for the UAG to forward it to the specified proxy server Proxy Server Enter the IP address of the proxy server Port Enter the port number that the proxy server uses OK Click OK to save your change...

Page 195: ...ere the message will be delivered to the recipient The UAG forwards SMTP traffic using TCP port 25 Figure 120 SMTP Redirect Example 18 1 1 What You Can Do in this Chapter Use the SMTP Redirect screens see Section 18 2 on page 196 to display and edit the SMTP redirect rules 18 1 2 What You Need to Know SMTP Simple Mail Transfer Protocol SMTP is the Internet s message transport standard It controls ...

Page 196: ...r You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet To make the example in Figure 120 on page 195 work make sure you have the following settings For SMTP traffic between lan1 and lan2 a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2 Responses to this request are allowed automatically a SMTP redirect rule to...

Page 197: ... click Inactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This field is a sequential value and it is not associated with a specific e...

Page 198: ...o have the SMTP redirect rule apply to all of the SMTP messages that the UAG receives from any user Incoming Interface Select the interface on which the SMTP traffic must be received for the UAG to forward it to the specified SMTP server Source Address Select the source address or address group for whom this rule applies Use Create new Object if you need to configure a new one Select any if the ru...

Page 199: ...The ALG on the UAG supports all of the UAG s NAT mapping types FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through If the FTP server is located on the LAN you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN ALG and Trunks If you send your ALG managed traffic through an interface trunk and all of ...

Page 200: ...Program traffic and help build FTP sessions through the UAG s NAT Enable FTP Transformations Select this option to have the UAG modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT environment Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT environmen...

Page 201: ...ainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 20 2 What You Need to Know UPnP hardware is identified as an icon in the Netwo...

Page 202: ...n some network environments When a UPnP device joins a network it announces its presence with a multicast message For security reasons the UAG allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention 20 3 UPnP Screen Use this screen to enable UPnP and NAT PMP on your UAG Cli...

Page 203: ...tor s login screen without entering the UAG s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP or NAT PMP application packets for example MSN packet...

Page 204: ... Connection Properties window click Settings to see the port mappings there were automatically created Figure 126 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 127 Internet Connection Properties Advanced Settings ...

Page 205: ...plays in the system tray Figure 129 System Tray Icon 6 Double click on the icon to display your current Internet connection status Figure 130 Internet Connection Status 20 4 2 Web Configurator Easy Access With UPnP you can access the web based configurator on the UAG without finding out the IP address of the UAG first This comes helpful if you do not know the IP address of the UAG Follow the steps...

Page 206: ...cription for each UPnP enabled device displays under Local Network 5 Right click on the icon for your UAG and select Invoke The web configurator login screen displays Figure 132 Network Connections My Network Places 6 Right click on the icon for your UAG and select Properties A properties window displays with basic information about the UAG ...

Page 207: ...Chapter 20 UPnP UAG4100 User s Guide 207 Figure 133 Network Connections My Network Places Properties Example ...

Page 208: ...72 16 1 27 and use static DHCP to assign it to Bob s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 172 16 1 27 with another MAC address Figure 134 IP MAC Binding Example 21 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 21 2 on page 209 to bind IP addresses to MAC addresses Use the Exempt List scree...

Page 209: ...twork IP MAC Binding Edit to open the IP MAC Binding Edit screen Use this screen to configure an interface s IP to MAC address binding settings Table 93 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate T...

Page 210: ...ected to this interface attempts to use an IP address not assigned by the UAG Static DHCP Bindings This table lists the bound IP and MAC addresses The UAG checks this table when it assigns IP addresses If the computer s MAC address is in the table the UAG assigns the corresponding IP address You can also access this table from the interface s edit screen Add Click this to create a new entry Edit D...

Page 211: ...figure ranges of IP addresses to which the UAG does not apply IP MAC binding Figure 138 Configuration Network IP MAC Binding Exempt List Table 95 Configuration Network IP MAC Binding Edit Add LABEL DESCRIPTION Interface Name This field displays the name of the interface within the UAG and the interface s IP address and subnet mask IP Address Enter the IP address that the UAG is to assign to a devi...

Page 212: ...ettings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This is the index number of the IP MAC binding list entry Name Enter a name to help identify this entry Start IP Enter the first IP address in a range of IP addresses for which the UAG does not apply IP MAC binding End IP Enter the last IP address in a range of IP addresses for which...

Page 213: ...quency band can t be blocked But traffic between wireless clients in the 2 4 GHz WLAN and 5 GHz WLAN can be blocked even when they are connected to the same AP Note The firewall must be enabled before you can use layer 2 isolation In the following example layer 2 isolation is enabled on the UAG s interface Vlan1 A printer PC and AP are in the Vlan1 The IP address of network printer C is added to t...

Page 214: ...l interface s except for broadcast packets Table 97 Configuration Network Layer 2 Isolation LABEL DESCRIPTION Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the UAG Note You can enable this feature only when the firewall is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation To enab...

Page 215: ...e List LABEL DESCRIPTION Enable White List Select this option to turn on the white list on the UAG Note You can enable this feature only when the firewall is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Ina...

Page 216: ...yer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without sav...

Page 217: ...eature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the UAG s IP address Note You must enable NAT to use the IPnP feature The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house where a UAG is installed you can still use the computer ...

Page 218: ...eature on the UAG Note You can enable this feature only when the firewall is enabled Member List The Available list displays the name s of the internal interface s on which you can enable IPnP To enable IPnP on an interface you can double click a single entry to move it or use the Shift or Ctrl key to select multiple entriess and click the right arrow button to add to the Member list To remove an ...

Page 219: ...s his her browser to a web portal page that prompts he she to log in Figure 145 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 24 1 1 What You Can Do in this Chapter Use the Configuration Web Authentication screens Se...

Page 220: ...display the Login screen when users attempt to send other kinds of traffic The UAG does not automatically route the request that prompted the login however so users have to make this request again Finding Out More See Section 24 2 2 on page 227 for an example of using an authentication policy for user aware access control 24 2 Web Authentication Screen The Web Authentication screen displays the we...

Page 221: ...Chapter 24 Web Authentication UAG4100 User s Guide 221 Figure 146 Configuration Web Authentication Web Portal ...

Page 222: ...Chapter 24 Web Authentication UAG4100 User s Guide 222 Figure 147 Configuration Web Authentication User Agreement ...

Page 223: ...d to the welcome page after authentication This field is optional The Internet Information Server IIS is the web server on which the web portal files are installed Preview Click a button to display the Terms of Service page you uploaded to the UAG File Name This shows the file name of the Terms of Service page in the UAG Click Download to download the Terms of Service page from the UAG to your com...

Page 224: ... the UAG Preview Click a button to display the corresponding page you uploaded to the UAG File Name This shows the file name of the zipped user agreement file in the UAG Click Download to download the user agreement file from the UAG to your computer File Path Browse Upload Browse for the user agreement file or enter the file path in the available input box then click the Upload button to put it o...

Page 225: ...remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Status This icon is ...

Page 226: ...t redirect them to the login screen force Users need to be authenticated The UAG automatically displays the login screen whenever it routes HTTP traffic for users who have not logged in yet Description If the entry has a description configured it displays here This is n a for the default policy Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to ...

Page 227: ...m this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or address group for whom this policy applies Select any if the policy is effective for every destination This is any and not configurable for the default policy Schedule Select a schedule that defines when the policy ...

Page 228: ...s to the user groups 1 Click Configuration Object User Group Group Click the Add icon 2 Enter the name of the group In this example it is Finance Then select Object Leo and click the right arrow to move him to the Member list This example only has one member in this group so click OK Of course you could add more members later Figure 151 Configuration Object User Group Group Add 3 Repeat this proce...

Page 229: ...method Finally force users to log into the UAG before it routes traffic for them 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Configure the RADIUS server s address authentication port 1812 if you were not told otherwise and key Click OK Figure 152 Configuration Object AAA Server RADIUS Add 2 Click Configuration Object Auth Method Double click the default entry Click...

Page 230: ...r s Guide 230 Figure 153 Configuration Object Auth method Edit 3 Click Configuration Web Authentication In the Web Authentication screen select Web Portal to enable web authentication and click Apply Figure 154 Configuration Web Authentication ...

Page 231: ...in the RADIUS server 24 2 2 4 User Group Authentication Using the RADIUS Server The previous example showed how to have a RADIUS server authenticate individual user accounts If the RADIUS server has different user groups distinguished by the value of a specific attribute you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defi...

Page 232: ...fy groups based on the group identifier values Set up one user account for each group of user accounts in the RADIUS server Click Configuration Object User Group User Click the Add icon Enter a user name and set the User Type to ext group user In the Group Identifier field enter Finance Engineer Sales or Boss and set the Associated AAA Server Object to radius ...

Page 233: ...ver with a walled garden you can define one or more web site addresses that all users can access without logging in These can be used for advertisements for example Use this screen to configure walled garden web addresses for web sites that all users are allowed to access without logging in The web site link s then displays in the user login screen Click Configuration Web Authentication Walled Gar...

Page 234: ...n entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click...

Page 235: ... site link in the user login screen This is helpful if a user s access to a specific web site is required to stay connected but he or she doesn t need to visit that web site Name Enter a descriptive name for the walled garden link to be displayed in the login screen You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are also allowed The first character must be a lett...

Page 236: ...ry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inac...

Page 237: ...ication Advertisement Add Edit The following table gives an overview of the objects you can configure Table 106 Configuration Web Authentication Advertisement Add Edit LABEL DESCRIPTION Enable Select this to activate the entry Name Enter a descriptive name for the advertisement web site You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first char...

Page 238: ...e the Firewall screens Section 25 2 on page 240 to enable or disable the firewall and asymmetrical routes and manage and configure firewall rules Use the Session Control screens see Section 25 3 on page 245 to limit the number of concurrent NAT firewall sessions a client can use 25 1 2 What You Need to Know Stateful Inspection The UAG has a stateful inspection firewall The UAG restricts access by ...

Page 239: ...le applies to traffic from an interface which is not in a zone Global Firewall Rules Firewall rules with from any and or to any as the packet direction are called global firewall rules The global firewall rules are the only firewall rules that apply to an interface that is not included in a zone The from any rules apply to traffic coming from the interface and the to any rules apply to traffic goi...

Page 240: ...it the number of concurrent NAT firewall sessions a client can use Finding Out More See Section 25 4 on page 247 for an example of creating firewall rules as part of configuring user aware access control 25 2 The Firewall Screen Asymmetrical Routes If an alternate gateway on the LAN has an IP address in the same subnet as the UAG s LAN IP address return traffic may not go through the UAG This is c...

Page 241: ...rom which zone packets come and to which zone packets travel to display only the rules specific to the selected direction Note the following Besides configuring the firewall you also need to configure NAT rules to allow computers on the WAN to access LAN devices See Chapter 15 on page 179 for more information The UAG applies NAT Destination NAT settings before applying the firewall rules So for ex...

Page 242: ...he network not reset the connection Note Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the UAG A better solution is to use virtual interfaces to put the UAG and the backup gateway on separate subnets From Zone To Zone This is the direction of travel of packets Select from which zone the packets come and to which zone they go Firewall rules...

Page 243: ...nactive Priority This is the position of your firewall rule in the global rule list including all through UAG and to UAG rules The ordering of your rules is important as rules are applied in sequence Default displays for the default firewall behavior that the UAG performs on traffic that does not match any other firewall rule From To This is the direction of travel of packets to which the firewall...

Page 244: ...ct none and the rule is always effective User This field is not available when you are configuring a to UAG rule Select a user name or user group to which to apply the rule The firewall rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified a source IP ...

Page 245: ...firewall is to do with packets that match this rule Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select reject to deny the packets and send a TCP reset packet to the sender Any UDP packets are dropped without sending a response packet Select allow to permit the passage of the packets Log Select whether to ha...

Page 246: ...rules below to apply other limits for specific users or addresses Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing s...

Page 247: ...this rule Use up to 60 printable ASCII characters Spaces are allowed User Select a user name or user group to which to apply the rule The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the field b...

Page 248: ...wall Example Create an Address Object 3 Click Create new Object Service to configure a service object for Doom UDP port 666 Configure it as follows and click OK Figure 171 Firewall Example Create a Service Object 4 Select From WAN and To LAN and enter a name for the firewall rule Select Dest_1 for the Destination and Doom as the Service Enter a description and configure the rest of the screen as f...

Page 249: ...l Rule Example Applications Suppose you decide to block LAN users from using IRC Internet Relay Chat through the Internet To do this you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address You do not need to specify a schedule since you need the firewall rule to always be in effect The following figure shows the result...

Page 250: ...t allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into the UAG with his her user name In order to make sure that the CEO s computer always uses the same IP address make sure it either Has a static IP address or You configure a static DHCP entry for it so the UAG always assigns...

Page 251: ...ss the IRC service on the WAN by logging into the UAG with the CEO s user name The second row blocks LAN1 access to the IRC service on the WAN The third row is the firewall s default policy of allowing all traffic from the LAN1 to go to the WAN The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic If the rule that blocks all LAN1 to WAN IRC traffic came first the C...

Page 252: ... 5 on page 264 to enable online payment service and configure the service pages 26 1 2 What You Need to Know Accumulation Accounting Method The accumulation accounting method allows multiple re logins until the allocated time period or until the user account is expired The UAG accounts the time that the user is logged in for Internet access Time to finish Accounting Method The time to finish accou...

Page 253: ...k Configuration Billing General to open the following screen Figure 176 Configuration Billing General The following table describes the labels in this screen Table 115 Configuration Billing General LABEL DESCRIPTION General Settings Unused account will be deleted after the time Enter the number and select a time unit from the drop down list box to specify how long to wait before the UAG deletes an...

Page 254: ...users that are allowed to log in with the same account Reach maximum number per billing account Select Block to stop new users from logging in when the Maximum number per billing account is reached Select Kick previous user and login to disassociate the first user that logged in and allow new user to log in when the Maximum number per billing account is reached Username Password length Select to s...

Page 255: ...ick Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit...

Page 256: ...Click Configuration Billing Billing Profile and then the Preview button to open this screen You can also open this screen by logging into the Web Configurator with the guest manager account Figure 178 Account Generator Price This field displays each profile s price per time unit Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved s...

Page 257: ...tions of each discount level Unit This field displays the duration of the billing period that should be reached before the UAG charges users at this level Price This field displays the price per time unit for each level Default Thermal Printer Select a statement printer that is attached to the UAG It displays n a if there is no printer attached Summary Total This shows the total price for the acco...

Page 258: ...ing UAG4100 User s Guide 258 mobile phone number and click Send SMS to send the account information in an SMS text message to the user s mobile phone Click Cancel to close this window when you are finished viewing it ...

Page 259: ... Printer to print this subscriber statement Click Cancel to close this window when you are finished viewing it 26 3 2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts Click the Account Redeem tab in the Account Generator screen to open this screen ...

Page 260: ...r an account expires or not Username This field displays the user name of the account Create Time This field displays when the account was created Remaining Time This field displays the amount of Internet access time remaining for each account Time Period This field displays the total account of time the account can use to access the Internet through the UAG Expiration Time This field displays the...

Page 261: ... the web configurator This button is available only when you open this screen by logging in with the guest manager account Table 118 Account Redeem continued LABEL DESCRIPTION Table 119 Configuration Billing Billing Profile Add Edit LABEL DESCRIPTION Enable billing profile Select this option to activate the profile Name Enter a name for the billing profile You can use up to 31 alphanumeric charact...

Page 262: ...es 0 means there is no data limit for the user account Upload Quota If you select Upload Download specify how much upstream data in MB Megabytes or GB Gigabytes can be transmitted through the WAN interface before the account expires 0 means there is no data limit for the user account Download Quota If you select Upload Download specify how much downstream data in MB Megabytes or GB Gigabytes can b...

Page 263: ...e that their total purchase reaches Discount Price Plan Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This is the number of each discount level The default first level cannot be edited or...

Page 264: ...e process and manage credit card transactions directly through the Internet You must register with the supported credit card service before you can configure the UAG to handle credit card transactions Click Configuration Billing Payment Service to open the following screen Table 121 Configuration Billing Discount Add Edit LABEL DESCRIPTION Name This field displays the conditions of each discount l...

Page 265: ...o access the Internet The link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information Payment Provider Selection Account You should already have a PayPal account to receive credit card payments Enter your PayPal account name Currency Select the currency in which payments are made The available options depend ...

Page 266: ... s online payment is done Select On Screen to display the user account information in the web screen Select SMS to use Short Message Service SMS to send account information in a text message to the user s mobile device Select On Screen and SMS to provide the account information both in the web screen and via SMS text messages Note You should have enabled SMS in the Configuration SMS screen to send...

Page 267: ...Chapter 26 Billing UAG4100 User s Guide 267 Figure 184 Configuration Billing Payment Service Custom Service ...

Page 268: ...user s online payment is made successfully Use up to 1024 printable ASCII characters Spaces are allowed Notification Message Enter the important information you want to display Use up to 1024 printable ASCII characters Spaces are allowed Notification Color Specify the font color of the important information You can use the color palette chooser or enter a color value of your own Account Message En...

Page 269: ...ng paper in the printer Refer to the printer s documentation for details 27 1 1 What You Can Do in this Chapter Use the General screen see Section 27 2 on page 269 to configure the printer list and enable printer management Use the Printout Configuration screen see Section 27 3 on page 271 to customize the account printout 27 2 The General Screen Use this screen to configure a printer list and all...

Page 270: ...gs Port Enter the number of port on which the UAG sends data to the printer for it to print Encryption Select the check box to turn on data encryption Data transmitted between the UAG and the printer will be encrypted with a secret key Secret Key Enter four alphanumeric characters A Z a z 0 9 to specify a key for data encryption Printout Number of Copies Select how many copies of subscriber statem...

Page 271: ...To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with any entry Status This icon is lit when the entry is active and dimmed when the entry is inactive IPv4 Address This field displays the IP address of the printer Description This field displays the descriptive name for the printer Printer Firmware Information Current Version This is the...

Page 272: ...format as it is saved indefinitely Use Customized Printout Configuration Select this to use a custom account printout format instead of the default one built into the UAG Once this option is selected the custom format controls below become active Preview Click the button to display a preview of account printout format you uploaded to the UAG File Name This shows the file name of account printout f...

Page 273: ...nt Example 27 3 4 Monthly Account Summary The monthly account report lists the accounts printed during the current month the current month s total number of accounts and the total charge It covers the accounts that have been printed during the current month starting from midnight of the first day of the current month not the past one month period For example if you press the monthly account key co...

Page 274: ...5 01 00 00 00 to 2013 05 31 19 59 59 the monthly account report includes the latest 2000 accounts so the total would be 2 000 instead of 2 030 Use the Monitor System Status Dynamic Guest screen to see the accounts generated on another day or month up to 2000 entries total 27 3 6 System Status This report shows the current system information such as the host name and WAN IP address Key combination ...

Page 275: ...LAN FWVR This field displays the version of the firmware on the UAG BTVR This field displays the version of the bootrom WAMA This field displays the MAC address of the UAG on the WAN LAMA This field displays the MAC address of the UAG on the LAN WAIP This field displays the IP address of the WAN port on the UAG LAIP This field displays the IP address of the LAN port on the UAG WLIP This field disp...

Page 276: ...f time 28 1 1 What You Can Do in this Chapter Use the Free Time screen see Section 28 2 on page 276 to turn on this feature to allow users to get a free account for Internet surfing during the specified time period 28 2 The Free Time Screen Use this screen to enable and configure the free time settings Click Configuration Free Time to open the following screen Figure 190 Configuration Free Time ...

Page 277: ...re Reset Time Enter the maximum number of the users that are allowed to log in for Internet access with a free guest account before the time specified in the Reset Time field For example if you set the Maximum Registration Number Before Reset Time to 1 and the Reset Time to 13 00 even the first free guest account has expired at 11 30 the second account still cannot access the Internet until 13 00 ...

Page 278: ...e and free time feature on the UAG the link description in the login screen will be mainly for online payment service You can still click the link to get a free account If SMS is enabled on the UAG you have to enter your mobile phone number before clicking OK to get a free guest account ...

Page 279: ...Chapter 28 Free Time UAG4100 User s Guide 279 The guest account information then displays in the screen and or is sent to the configured mobile phone number EXAMPLE ...

Page 280: ...rvice 29 1 1 What You Can Do in this Chapter Use the SMS screen see Section 29 2 on page 280 to turn on the SMS service on the UAG 29 2 The SMS Screen Use this screen to enable SMS in order to send dynamic guest account information in text messages Click Configuration SMS to open the following screen Figure 191 Configuration SMS The following table describes the labels in this screen Table 129 Con...

Page 281: ...ViaNett Configuration User Name Enter the user name for your ViaNett account Password Type the Password associated with the user name Retype to Confirm Type your password again for confirmation Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 129 Configuration SMS continued LABEL DESCRIPTION ...

Page 282: ... manage the bandwidth of TCP and UDP traffic If you want to use a service make sure both the firewall allow the service s packets to go through the UAG Note The UAG checks firewall rules before it checks bandwidth management rules for traffic going through the UAG Bandwidth management examines every TCP and UDP connection passing through the UAG Then you can specify by port whether or not the UAG ...

Page 283: ... the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that is from which interface the connection was initiated and to which interface the connection is going A connecti...

Page 284: ... so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 193 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The UAG gives bandwidth ...

Page 285: ...policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traffic Figure 194 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled ...

Page 286: ...g Out More See DSCP Marking and Per Hop Behavior on page 162 for a description of DSCP marking 30 2 The Bandwidth Management Screen The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destination interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence of sp...

Page 287: ...it when the entry is active and dimmed when the entry is inactive The status icon is not available for the default bandwidth management policy Priority This is the position of your bandwidth management policy in the list The ordering of your rules is important as rules are applied in sequence This field displays default for the default bandwidth management policy that the UAG performs on traffic t...

Page 288: ...n kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the UAG sends out from a connection s initiator If no displays here this policy does not apply bandwidth management for the outbound traffic Pri This is the priority for the incoming the first Pri value or outgoing the second Pri value traffic that matches this policy The smaller the number the high...

Page 289: ...Chapter 30 Bandwidth Management UAG4100 User s Guide 289 Figure 196 Configuration BWM Edit For the Default Policy Figure 197 Configuration BWM Add Edit ...

Page 290: ...destination address or address group for whom this policy applies Use Create new Object if you need to configure a new one Select any if the policy is effective for every destination DSCP Code Select a DSCP code point value of incoming or outgoing packets to which this policy applies or select User Define to specify another DSCP code point The lower the number the higher the priority with the exce...

Page 291: ...e actual transmission speed lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth Priority Enter a number between 1 and 7 to set the priority for traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic with a lower priority The UAG uses a fairness based round robin ...

Page 292: ...ttings and other user settings for the UAG You can also use this screen to specify when users must log in to the UAG before it routes traffic for them 31 1 2 What You Need To Know User Account A user account defines the privileges of a user logged into the UAG User accounts are used in firewall rules in addition to controlling access to configuration and services in the UAG User Types These are th...

Page 293: ...on to User For the rest of the user attributes such as reauthentication time the UAG checks the following places in order 1 User account in the remote server 2 User account Ext User in the UAG 3 Default user account for RADIUS users radius users in the UAG See Setting up User Attributes in an External Server on page 304 for a list of attributes and how to set up the attributes in an external serve...

Page 294: ... You cannot put the default admin account into any user group The sequence of members in a user group is not important User Awareness By default users do not have to log into the UAG to use the network services it provides The UAG automatically routes packets for everyone If you want to restrict network services that certain users can use via the UAG you can require them to log in to the UAG first...

Page 295: ...d with a specific user User Name This field displays the user name of each user User Type This field displays the kind of account of each user These are the kinds of user account the UAG supports admin this user can look at and change the configuration of the UAG limited admin this user can look at the configuration of the UAG but not to change it dynamic guest this user has access to the UAG s se...

Page 296: ...re User names are case sensitive If you enter a user bob but use BOB when connecting via CIFS or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 31 2 on page 294 and click either the Add icon or an Edit icon Figure 199 Configuration User Group Use...

Page 297: ...ecify the value of the RADIUS server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user account Select the AAA server to use to authenticate this account s users Description Enter the description of each user if any You can use up to 60 printable ASCII characters Default descriptions ...

Page 298: ...e your changes back to the UAG Cancel Click Cancel to exit this screen without saving your changes Table 138 Configuration User Group User Add continued LABEL DESCRIPTION Table 139 Configuration Object User Group Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To re...

Page 299: ...res _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the users and user groups that have been added to the user group The order of members is...

Page 300: ...tings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings ...

Page 301: ...ut logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable user idle detection This is applicable for access users Select this check box if you want the UAG to monitor how long each access user is ...

Page 302: ...sassociate the first user that logged in and allow new user to log in when the Maximum number per access account is reached User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can login unsuccessfully for example wrong password before the IP address is locked out for a specified amount of time Maximum retry count This field is effect...

Page 303: ...en and create dynamic guest accounts using the Account Generator screen that pops up pre subscriber this user has access to the UAG s services but cannot look at the configuration Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Ad...

Page 304: ...n Lease time field in the User Add Edit screen see Section 31 2 1 on page 295 Lease time field in the Setting Edit screen see Section 31 4 on page 299 Updating lease time automatically This box appears if you checked the Allow renewing lease time automatically box in the Setting screen See Section 31 4 on page 299 Access users can select this check box to reset the lease time automatically 30 seco...

Page 305: ...lan to create a large number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the RADIUS server and create a shell script that creates the user accounts See Chapter 42 on page 418 for more information about shell scripts ...

Page 306: ...SID This profile type defines the properties of a single wireless network signal broadcast by an AP Each radio on a single AP can broadcast up to 8 SSIDs You can have a maximum of 32 SSID profiles on the UAG Security This profile type defines the security settings used by a single SSID It controls the encryption method required for a wireless client to associate itself with the SSID You can have a...

Page 307: ...key management than WPA Key differences between WPA 2 and WEP are improved data encryption and user authentication IEEE 802 1x The IEEE 802 1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management Authentication is done using an external RADIUS server 32 2 Radio Screen This screen allows you to create radio profiles for the APs o...

Page 308: ...ential value and it is not associated with a specific profile Status This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Band This field indicates the frequency band which this radio profile is configured to use Channel ID This field indicates the broadcast channel which this radio profil...

Page 309: ...Radio Profile This screen allows you to create a new radio profile or edit an existing one To access this screen click the Add button or select a radio profile from the list and click the Edit button Figure 207 Configuration Object AP Profile Add Edit Radio Profile ...

Page 310: ...ess channel which this radio profile should use It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned Some 5 GHz channels include the label indoor use only These are for use with an indoor AP only Do not use them wi...

Page 311: ...u enter here Set the RTS CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Beacon Interval When a wirelessly networked device sends a beacon it includes with it a beacon interval This specifies the time period before the device sends the beacon again The interval tells receiving devices on the network how long they can wait in low power mode before waking up to handle the...

Page 312: ...dulation and Coding Scheme This is an 802 11n feature that increases the wireless network performance in terms of throughput Multicast Settings Use this section to set a transmission mode and maximum rate for multicast traffic Transmission Mode Set how the AP handles multicast traffic Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traf...

Page 313: ...ch other objects are linked to the selected SSID profile for example radio profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the name assigned to the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Security Profile This field indicates which if any security profile is associated with th...

Page 314: ...aces and underscores are allowed SSID Enter the SSID name for this profile This is the name visible on the network to wireless clients Enter up to 32 characters spaces and underscores are allowed Security Profile Select a security profile from this list to associate with this SSID If none exist you can use the Create new Object menu to create one Note It is highly recommended that you create secur...

Page 315: ...ute it can without displacing higher priority traffic This is good for activities that do not require the best bandwidth throughput such as surfing the Internet WMM_BACKGROUND All wireless traffic to the SSID is tagged as low priority or background traffic meaning all other access categories take precedence over this one If traffic from an SSID does not have strict throughput requirements then thi...

Page 316: ...dd Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this to remove the selected security profile Object Reference Click this to view which other objects are linked to the selected security profile for example SSID profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the...

Page 317: ...fault screen is displayed here Figure 211 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile The following table describes the labels in this screen Table 150 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the Web Conf...

Page 318: ...64 Enter 10 hexadecimal digits in the range of A F a f and 0 9 for example 0x11AA22BB33 for each Key used or Enter 5 ASCII characters case sensitive ranging from a z A Z and 0 9 for example MyKey for each Key used If you select WEP 128 Enter 26 hexadecimal digits in the range of A F a f and 0 9 for example 0x00112233445566778899AABBCC for each Key used or Enter 13 ASCII characters case sensitive r...

Page 319: ...allow the AP to send authentication information to other APs on the network allowing connected wireless clients to switch APs without having to re authenticate their network connection OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without saving your changes Table 150 Configuration Object AP Profile SSID Security Profile Add Edit Security Profile LABEL DE...

Page 320: ...t allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC address to the profile s list Edit Click this to edit the selected MAC address in the profile s list Remove Click this to remove the selected MAC address from the pro...

Page 321: ...ing profiles Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 33 2 Address Summary Screen The address screens are used to create maintain and remove addresses There are the types of address objects H...

Page 322: ...ck an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 123 for an example This field is a sequential value and it is not ...

Page 323: ...updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address object r...

Page 324: ... 155 Configuration Object Address Address Group LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen t...

Page 325: ...to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to select mu...

Page 326: ...Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data Once the connection is established the computers exchange data If data arrives out of sequence or is missing TCP puts it in sequence or waits for the data to be re transmitted Then the connection is terminated In contra...

Page 327: ...ch service Service groups may consist of services and other service groups The sequence of members in the service group is not important 34 2 The Service Summary Screen The Service summary screen provides a summary of all services and their definitions In addition this screen allows you to add edit and remove services To access this screen log in to the Web Configurator and click Configuration Obj...

Page 328: ... associated with a specific service Name This field displays the name of each service Content This field displays a description of each service Table 158 Configuration Object Service Service Edit LABEL DESCRIPTION Name Type the name used to refer to the service You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive I...

Page 329: ...ee Section 34 3 on page 329 and click either the Add icon or an Edit icon Table 159 Configuration Object Service Service Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Refere...

Page 330: ...ervice group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift or...

Page 331: ...n 35 2 1 on page 333 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 35 2 2 on page 334 to create or edit a recurring schedule 35 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One time schedules are useful for long holidays and vacation periods Recurring Sched...

Page 332: ...n example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Recurring Add Click this to create a new entry Edit Doubl...

Page 333: ...e one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year month and day when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 StartTime Specify the hour and minute when the schedule begins Hour ...

Page 334: ...describes the remaining labels in this screen Table 163 Configuration Object Schedule Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule begin...

Page 335: ...er instead of or in addition to an internal device user database that is limited to the memory capacity of the device In essence RADIUS authentication allows you to validate a large number of users from a central location Figure 225 RADIUS Server Network Example 36 1 2 What You Can Do in this Chapter Use the Configuration Object AAA Server RADIUS screen Section 36 2 on page 336 to configure the de...

Page 336: ... Server Click Configuration Object AAA Server RADIUS to display the RADIUS screen Click the Add icon or an Edit icon to display the following screen Use this screen to create a new RADIUS entry or edit an existing one Table 164 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where ...

Page 337: ...ngs Name Enter a descriptive name up to 63 alphanumerical characters for identification purposes Description Enter the description of each server if any You can use up to 60 printable ASCII characters Authentication Server Settings Server Address Enter the address of the RADIUS authentication server Authentication Port Specify the port number on the RADIUS server to which the UAG sends authenticat...

Page 338: ...es the UAG should reattempt to use the primary RADIUS server before attempting to use the secondary RADIUS server This also sets how many times the UAG will attempt to use the secondary RADIUS server For example you set this field to 3 If the UAG does not get a response from the primary RADIUS server it tries again up to three times If there is no response the UAG tries the secondary RADIUS server...

Page 339: ... a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attribute named memberOf with values like sales RD and management Then you could also create a ext group user user object for each group One with sales as the group identifier another for RD and a third for m...

Page 340: ...bjects By default user accounts created and stored on the UAG are authenticated locally 37 1 1 What You Can Do in this Chapter Use the Configuration Object Auth Method screens Section 37 2 on page 340 to create and manage authentication method objects 37 1 2 Before You Begin Configure AAA server objects see Chapter 36 on page 335 before you configure authentication method objects 37 2 Authenticati...

Page 341: ... If two accounts with the same username exist on two authentication servers you specify the UAG does not continue the search on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same type 7 Click OK to save the settings or click Cancel to discard all changes and r...

Page 342: ...ist select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as UAG authenticates the users using the authentication methods in the order they appear in this screen This field displays the index number Method List Select a server object from the drop down...

Page 343: ...lable The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write your signature exactly as it should look When people know what your signature looks like they can verify whether something was signed by you or by someone else In the same way your private key writes your digital sig...

Page 344: ...ificates Certificates offer the following benefits The UAG only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys Self signed Certificates You can have the UAG act as a certificat...

Page 345: ...default 38 1 3 Verifying a Certificate Before you import a trusted certificate into the UAG you should verify that you have the correct certificate You can do this using the certificate s fingerprint A certificate s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm The following procedure describes how to check a certificate s fingerprint to verify that you have the actual...

Page 346: ...y certificates before adding more certificates Add Click this to go to the screen where you can have the UAG generate a certificate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The UAG keeps all of your certificates unless you specifically delete them Uploading a new firmware or ...

Page 347: ...plays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organ...

Page 348: ...t information when it issues a certificate It is recommended that each certificate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only and can be any...

Page 349: ...an public key algorithm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a...

Page 350: ...t Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed ce...

Page 351: ...s expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the UAG uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field display...

Page 352: ...se this button to save a copy of the certificate without its private key Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Password If you want to export the certificate with its private key create a password and type it here Make sure you keep this password in a safe place You will need to use it if you ...

Page 353: ...Browse Click Browse to find the certificate file you want to upload Password This field only applies when you import a binary PKCS 12 format file Type the file s password that was created when the PKCS 12 file was exported OK Click OK to save the certificate on the UAG Cancel Click Cancel to quit and return to the My Certificates screen Table 172 Configuration Object Certificate Trusted Certificat...

Page 354: ... certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name orga...

Page 355: ...Chapter 38 Certificates UAG4100 User s Guide 355 Figure 237 Configuration Object Certificate Trusted Certificates Edit ...

Page 356: ...n authority Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and sig...

Page 357: ...e digest that the UAG calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the UAG calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this ...

Page 358: ...ESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it You cannot import a certificate with the same name as a certificate that is already in the UAG Browse Click Browse to find the certificate file you want to upload OK Click OK to save the certificate on the UAG Cancel Click Cancel to quit and return to the previous screen ...

Page 359: ...summary of ISP accounts in the UAG To access this screen click Configuration Object ISP Account Figure 239 Configuration Object ISP Account The following table describes the labels in this screen See the ISP Account Edit section below for more information as well Table 175 Configuration Object ISP Account LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select i...

Page 360: ...ld displays the protocol used by the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Table 175 Configuration Object ISP Account continued LABEL DESCRIPTION Table 176 Configuration Object ISP Account Edit LABEL DESCRIPTION Profile Name This field is read only if you are editing an exis...

Page 361: ...PPTP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this ISP account uses the PPPoE protocol type the PPPoE service name to access PPPoE uses the specified service name to identify and reach the PPPoE server This field can be blank If this ISP account uses the PPTP pro...

Page 362: ...91 to configure SSH Secure SHell used to securely access the UAG s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 40 9 on page 396 to configure Telnet to access the UAG s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the Syst...

Page 363: ...ad only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 177 Configuration System Host Name LABEL DESCRIPTION System Name Enter a descriptive name to identify your UAG device This name can be up to 64 alphanumeric characters long Spaces are not allowed but dashes underscores _ and periods are accepted Domain Name Enter t...

Page 364: ...al time zone and date click Configuration System Date Time The screen displays as shown You can manually set the UAG s time and date or have the UAG get the date and time from a time server Table 178 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk full warning when remaining space is less than Set a numb...

Page 365: ... time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the UAG uses the new setting once you click Apply New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual enter...

Page 366: ...the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the at field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one ...

Page 367: ...ve been tried 40 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the Loading screen appears you may have to wait up to one minute Figure 244 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful I...

Page 368: ... a terminal emulation program See Table 1 on page 20 for default console port settings Click Configuration System Console Speed to open the Console Speed screen Figure 245 Configuration System Console Speed The following table describes the labels in this screen Table 181 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the c...

Page 369: ...nually enter them in the DNS server fields If your ISP dynamically assigns the DNS server IP addresses along with the UAG s WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 40 6 2 Configuring the DNS Screen Click Configuration System DNS to change your UAG s DNS settings Use the DNS screen to configure ...

Page 370: ...umbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the domain zone forwarder record The ordering of your rules is important as rules are applied in sequence A hyphen displays for the default domain zone forwarder record The default record is not conf...

Page 371: ...is to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry...

Page 372: ...the Domain Zone Forwarder table to add a domain zone forwarder record Table 183 Configuration System DNS Address PTR Record Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www is the host zyxel is the third lev...

Page 373: ... qualified domain name For example whenever the UAG receives needs to resolve a zyxel com tw domain name it can send a query to the recorded name server IP address Enter if all domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DN...

Page 374: ... in the field above OK Click OK to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 186 Configuration System DNS Service Control Rule Add LABEL DESCRIPTION Create new Object Use this to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to send DNS queries to t...

Page 375: ...AG disallows the session 3 The IP address address object in the Service Control table is not in the allowed zone or the action is set to Deny 4 There is a firewall rule that blocks it 40 7 2 System Timeout There is a lease timeout for administrators The UAG automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out...

Page 376: ... server requires it to do so select Authenticate Client Certificates in the WWW screen Authenticate Client Certificates is optional and if selected means the HTTPS client must send the UAG a certificate You must apply for a certificate for the browser from a CA that is a trusted CA on the UAG Please refer to the following figure 1 HTTPS connection requests from an SSL aware web browser go to port ...

Page 377: ...ck box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the UAG Web Configurator using secure HTTPs connections Server Port The HTTPS server listens on port 443 by default If you change the HTTPS server port to a different number on the UAG for example 8443 then you must notify people who need to access the UAG Web Configur...

Page 378: ...hod and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does not match any other configured rule It is not an editable rule To appl...

Page 379: ...n instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the UAG will not have to use the default policy Zone This is the zone on the UAG the user is allowed or denied to access Address This is the object name of the ...

Page 380: ...s to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the UAG using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the UAG using this service Zone Select ALL to allow or prevent any UAG zones from being accessed using...

Page 381: ...Chapter 40 System UAG4100 User s Guide 381 Figure 254 Configuration System WWW Login Page The following figures identify the parts you can customize in the login and access pages ...

Page 382: ...lay a screen of web safe colors from which to choose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black Logo Title Message Color Note Message Background last line of text color of all text Logo Title Message Color Note Message last line of text color of all text Background ...

Page 383: ... Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message Enter a note to display at the bottom of the screen Use up to 64 printable ASCII characters Spaces are allowed Background Set how the screen background looks To use a graphic select Picture and upload a graphic Specify the location and file name of the logo...

Page 384: ...bsite to proceed to the Web Configurator login screen Otherwise select Click here to close this webpage to block the access 40 7 7 2 Mozilla Firefox Warning Messages When you attempt to access the UAG HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the UAG Select I U...

Page 385: ...uthorities The issuing certificate authority of the UAG s factory default certificate is the UAG itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authori...

Page 386: ...lient Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the UAG see the UAG s Trusted CA Web Configurator screen Figure 261 UAG Trusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 40 7 7 5 1...

Page 387: ...wn earlier in this appendix 40 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 388: ...ort Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 264 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 389: ...d 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 266 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 390: ... 7 7 6 Using a Certificate When Accessing the UAG Example Use the following procedure to access the UAG via HTTPS 1 Enter https UAG IP Address in your browser s web address field Figure 269 Access the UAG Via HTTPS 2 When Authenticate Client Certificates is selected on the UAG the following screen asks you to select a personal certificate to send to the UAG This screen displays even if you only ha...

Page 391: ...access the UAG s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of the ...

Page 392: ... connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Once ...

Page 393: ...program on a client computer Windows or Linux operating system that is used to connect to the UAG over SSH 40 8 4 Configuring SSH Click Configuration System SSH to change your UAG s Secure Shell settings Use this screen to specify from which zones SSH can be used to manage the UAG You can also specify from which IP addresses the access can come Figure 274 Configuration System SSH The following tab...

Page 394: ...ils Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 188 on page 380 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select i...

Page 395: ...H Example 2 Test 2 Enter ssh 1 172 16 0 1 This command forces your computer to connect to the UAG using SSH version 1 If this is the first time you are connecting to the UAG using SSH a message displays prompting you to save the host information of the UAG Type yes and press ENTER Then enter the password to log in to the UAG Figure 277 SSH Example 2 Log in 3 The CLI screen displays next telnet 172...

Page 396: ...ess the UAG CLI using this service Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry R...

Page 397: ...ule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the UAG will not have to use the default policy Zone This is the zone on the UAG the user is allowed or denied to access Address This ...

Page 398: ...m which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 188 on page 380 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms yo...

Page 399: ...cate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agen...

Page 400: ...P can be used to access the UAG You can also specify from which IP addresses the access can come Figure 281 Configuration System SNMP Table 193 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start 1 3 6 1 6 3 1 1 5 1 This trap is sent when the UAG is turned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This trap...

Page 401: ...G zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 188 on page 380 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note ...

Page 402: ...on System Language The following table describes the labels in this screen Table 195 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the UAG s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to i...

Page 403: ... 405 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 41 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your UAG Note Data collection may decrease the UAG s traffic throughput rate Click C...

Page 404: ...Chapter 41 Log and Report UAG4100 User s Guide 404 Figure 283 Configuration Log Report Email Daily Report ...

Page 405: ...in the TLS handshake Mail Subject Type the subject line for the outgoing e mail Select Append system name to add the UAG s system name to the subject Select Append date time to add the UAG s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the e mail address or addresses to which the outgo...

Page 406: ...what information is included in the system log USB storage e mail profiles and remote servers 41 3 1 Log Settings Summary To access this screen click Configuration Log Report Log Settings Figure 284 Configuration Log Report Log Settings The following table describes the labels in this screen Table 197 Configuration Log Report Log Settings LABEL DESCRIPTION Edit Double click an entry or select it a...

Page 407: ... or one of the remote servers Log Format This field displays the format of the log Internal system log you can view the log on the View Log tab VRPT Syslog ZyXEL s Vantage Report syslog compatible format CEF Syslog Common Event Format syslog compatible format Summary This field is a summary of the settings for each log Please see Section 41 3 2 on page 407 for more information Log Category Setting...

Page 408: ...Chapter 41 Log and Report UAG4100 User s Guide 408 Figure 285 Configuration Log Report Log Settings Edit System Log ...

Page 409: ...heck box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when the log is e mailed Retype ...

Page 410: ...n from this category the UAG does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The UAG does not e mail debugging information even if it is recorded ...

Page 411: ...a copy of its system logs to a connected USB storage device on a daily basis Keep duration Specify how long the UAG is to keep the copy of system logs in the connected USB storage device before discarding it Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category en...

Page 412: ... Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category O...

Page 413: ...Chapter 41 Log and Report UAG4100 User s Guide 413 Figure 287 Configuration Log Report Log Settings Edit Remote Server ...

Page 414: ... log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and al...

Page 415: ...Log Category Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 41 3 2 on page 407 where this process is discussed The Default category includes debugging messages generated by open source software ...

Page 416: ...ail Server 1 drop down list to change the settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail server 1 settings enable normal logs green check mark e mail log messages for all categories to e mail server 1 enable alert logs red exclamation point e mail alerts for all categories to e mail server 1 E mail...

Page 417: ...is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The UAG does not e mail debugging information even if it is recorded in the System log E mail Server 2 E mail Select whether each category of events should be included in log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail sett...

Page 418: ...Configuration File screen see Section 42 2 on page 420 to store and name configuration files You can also download configuration files from the UAG to your computer and upload configuration files from your computer to the UAG Use the Firmware Package screen see Section 42 3 on page 424 to check your current firmware version and upload firmware to the UAG Use the Shell Script screen see Section 42 ...

Page 419: ...and mode Note exit or must follow sub commands if it is to make the UAG exit sub command mode Figure 289 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure wan1 interface wan1 ip address 10 16 17 240 255 255 255 0 ip gateway 10 16 17 254 metric 1 exit create address objects for rem...

Page 420: ... configuration file or shell script The UAG ignores any errors in the configuration file or shell script and applies all of the valid commands The UAG still generates a log for any errors 42 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You can also ...

Page 421: ...there is an error the UAG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the UAG applies the system default conf configuration file You can change the way the startup config conf file is applied In...

Page 422: ...cate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the UAG You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuration file or clic...

Page 423: ... gets the UAG started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the UAG apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applying the co...

Page 424: ...s configuration file The UAG applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via commands when you use the write command The lastgood conf is the most recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error you...

Page 425: ...eck your new firmware version in the Dashboard screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Table 204 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the UAG Current Version This is the firmware version and the date created Released Date This is...

Page 426: ...Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell script files on the UAG at the same time Note You should include write commands in your scripts If you do not use the write command the changes will be lost when the UAG restarts You could use multiple write co...

Page 427: ... without deleting the shell script file Download Click a shell script file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplicate of a shell script file on the UAG Click a shell script file s row to select it and click Copy to open the Copy File screen Figure 300 Maintenance File Manager Shell Script Copy Specify a name for the dup...

Page 428: ...e from your computer to your UAG File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 205 Maintenance File Manager Shell Script continued LABEL DESCRIPTION ...

Page 429: ...see Section 43 4 on page 434 to have the UAG save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the System Log screens see Section 43 5 on page 435 to download files of system logs from a connected USB storage device to your computer 43 2 The Diagnostics Screen The Diagnostic...

Page 430: ... the diagnostic file to USB storage if ready Select this to have the UAG create an extra copy of the diagnostic file to a connected USB storage device Apply Click Apply to save your changes Collect Now Click this to have the UAG create a new diagnostic file Download Click this to save the most recent diagnostic file to a computer Table 207 Maintenance Diagnostics Files LABEL DESCRIPTION Remove Sel...

Page 431: ...the UAG s interfaces Studying these packet captures may help you identify network problems Click Maintenance Diagnostics Packet Capture to open the packet capture screen Note New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this Figure 303 Maintenance Diagnostics Packet Capture ...

Page 432: ...e packet capture entries only on a USB storage device connected to the UAG Status Unused the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the UAG cannot mount it none no USB storage device is connected available you can have the UAG use the USB storage device The available storage capacity also displays service deactivated the USB storage fe...

Page 433: ...re per packet The UAG automatically truncates packets that exceed this size As a result when you view the packet capture files in a packet analyzer the actual size of the packets may be larger than the size of captured packets Capture Click this button to have the UAG capture packets according to the settings configured in this screen You can configure the UAG while a packet capture is in progress...

Page 434: ... to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is in...

Page 435: ...n a connected USB storage device The files are in comma Table 211 Maintenance Diagnostics Core Dump Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column di...

Page 436: ...em from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Name This column displays th...

Page 437: ...ce IP address conversion SNAT flow and each SNAT function s settings 44 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore The ...

Page 438: ... User s Guide 438 Figure 308 Maintenance Packet Flow Explore Routing Status Direct Route Figure 309 Maintenance Packet Flow Explore Routing Status Policy Route Figure 310 Maintenance Packet Flow Explore Routing Status VPN 1 1 Mapping Route ...

Page 439: ...G4100 User s Guide 439 Figure 311 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 312 Maintenance Packet Flow Explore Routing Status Default WAN Trunk Figure 313 Maintenance Packet Flow Explore Routing Status Main Route ...

Page 440: ...are available if you click Policy Route in the Routing Flow section This field is a sequential value and it is not associated with any entry PR This is the number of an activated policy route If you have configured a schedule for the route this screen only displays the route at the scheduled time Incoming This is the interface on which the packets are received Source This is the source IP address ...

Page 441: ...This field is a sequential value and it is not associated with any entry NAT Rule This is the name of an activated 1 1 or Many 1 1 NAT rule in the NAT table Source This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address Outgoing This is the name of an interface which transmits packets out of the UAG Gate...

Page 442: ...4100 User s Guide 442 Figure 314 Maintenance Packet Flow Explore SNAT Status Policy Route SNAT Figure 315 Maintenance Packet Flow Explore SNAT Status VPN 1 1 Mapping Route Figure 316 Maintenance Packet Flow Explore SNAT Status 1 1 SNAT ...

Page 443: ...he SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section The following fields are available if you click Policy Route SNAT in the SNAT Flow section This field is a sequential value and it is not associated with any entry PR This is the number of an activated policy route which uses SNAT Outgoing This is the outgoing in...

Page 444: ...e name of an activated NAT rule which uses SNAT and enables NAT loopback Source This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address SNAT This indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the UAG uses the IP address of the outgoing interface...

Page 445: ... use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 47 1 on page 453 reset returns the device to its default configuration 45 2 The Reboot Screen The Reboot screen allows remote users to restart the device To access this screen click Maintenance Reboot Figure 319 Maintenance Reboot Click the Rebo...

Page 446: ... the UAG or remove the power Not doing so can cause the firmware to become corrupt 46 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 46 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 320 Maintenance Shutdown Click the Shutdown button to shut down the UAG Wait for the device to shut down before you manuall...

Page 447: ... s In the computer click Start All Programs Accessories and then Command Prompt In the Command Prompt window type ping followed by the UAG s LAN IP address 172 16 0 1 or 172 17 0 1 is the default and then press ENTER The UAG should reply If you ve forgotten the UAG s password use the RESET button Press the button in for about 5 seconds or until the PWR LED starts to blink then release it It return...

Page 448: ...also match I cannot enter the interface name I want The format of interface names other than the Ethernet interface names is very strict Each name consists of 2 4 letters interface type followed by a number x limited by the maximum number of each type of interface For example VLAN interfaces are vlan0 vlan1 vlan2 and so on The names of virtual interfaces are derived from the interfaces on which th...

Page 449: ...is not applying an interface s configured ingress bandwidth limit At the time of writing the UAG does not support ingress bandwidth management The UAG routes and applies SNAT for traffic from some interfaces but not from others The UAG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic You must manually configure a policy ro...

Page 450: ...rtual interfaces to put the UAG and the backup gateway on separate subnets See Asymmetrical Routes on page 240 and the chapter about interfaces for more information I changed the LAN IP address and can no longer access the Internet The UAG automatically updates address objects based on an interface s IP address subnet or gateway if the interface s IP address settings change However you need to man...

Page 451: ...Base 64 encoded X 509 This Privacy Enhanced Mail format uses lowercase letters uppercase letters and numerals to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted A PKCS 7 file is used to transfer a public key certificate The private key is not included The UAG curren...

Page 452: ...oughput rate I can only see newer logs Older logs are missing When a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first The commands in my configuration file or shell script are not working properly In a configuration file or shell script use or as the first character of a command line to...

Page 453: ...es My earlier packet capture files are missing New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this 47 1 Resetting the UAG If you cannot access the UAG by any method try restarting it by turning the power off and then on again If you still cannot access the UAG by any method or you forget the administrator password s you can reset the UAG...

Page 454: ... UAG4100 User s Guide 454 You should be able to access the UAG using the default settings 47 2 Getting More Troubleshooting Help Search for support information for your model at www zyxel com for more troubleshooting suggestions ...

Page 455: ...have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan ZyXEL Communications Corporation http www zyxel com Asia China ZyXEL Communications Shanghai Corp ZyXEL Communications ...

Page 456: ...com pk Philipines ZyXEL Philippines http www zyxel com ph Singapore ZyXEL Singapore Pte Ltd http www zyxel com sg Taiwan ZyXEL Communications Corporation http www zyxel com Thailand ZyXEL Thailand Co Ltd http www zyxel co th Vietnam ZyXEL Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria ZyXEL Deutschland GmbH http www zyxel de Belarus ZyXEL BY http www zyxel by ...

Page 457: ...munications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyxel fi France ZyXEL France http www zyxel fr Germany ZyXEL Deutschland GmbH http www zyxel de Hungary ZyXEL Hungary SEE http www zyxel hu Latvia ZyXEL Latvia http www zyxel com lv lv homepage shtml ...

Page 458: ...L Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zyxel ru Slovakia ZyXEL Communications Czech s r o organizacna zlozka http www zyxel sk Spain ZyXEL Spain http www zyxel es Sweden ZyXEL Communications http www zyxel se Switzerland Studerus AG http www zyxel ch ...

Page 459: ...atin America Argentina ZyXEL Communication Corporation http www zyxel com ec es Ecuador ZyXEL Communication Corporation http www zyxel com ec es Middle East Egypt ZyXEL Communication Corporation http www zyxel com homepage shtml Middle East ZyXEL Communication Corporation http www zyxel com homepage shtml North America USA ZyXEL Communications Inc North America Headquarters http www us zyxel com ...

Page 460: ...Appendix A Customer Support UAG4100 User s Guide 460 Oceania Australia ZyXEL Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 461: ... device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for he...

Page 462: ...exempts de licence Son fonctionnement est sujet aux deux conditions suivantes 1 le dispositif ne doit pas produire de brouillage préjudiciable et 2 ce dispositif doit accepter tout brouillage reçu y compris un brouillage susceptible de provoquer un fonctionnement indésirable Radiation Exposure Statement This equipment complies with IC radiation exposure limits set forth for an uncontrolled environ...

Page 463: ...lst Direktīvas 1999 5 EK būtiskajām prasībām un citiem ar to saistītajiem noteikumiem Lithuanian Šiuo ZyXEL deklaruoja kad šis įranga atitinka esminius reikalavimus ir kitas 1999 5 EB Direktyvos nuostatas Dutch Hierbij verklaart ZyXEL dat het toestel uitrusting in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999 5 EC Maltese Hawnhekk ZyXEL jiddikjara ...

Page 464: ...tdiensten en telecommunicatie BIPT Zie http www bipt be voor meer gegevens Les liaisons sans fil pour une utilisation en extérieur d une distance supérieure à 300 mètres doivent être notifiées à l Institut Belge des services Postaux et des Télécommunications IBPT Visitez http www ibpt be pour de plus amples détails Denmark In Denmark the band 5150 5350 MHz is also allowed for outdoor usage I Danma...

Page 465: ...electronic equipment For detailed information about recycling of this product please contact your local city office your household waste disposal service or the store where you purchased the product Do NOT obstruct the device ventilation slots as insufficient airflow may harm your device Your product is marked with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and E...

Page 466: ...Appendix B Legal Information UAG4100 User s Guide 466 Environmental Product Declaration ...

Page 467: ... FTP 398 and SNMP 401 and SSH 394 and Telnet 397 and WWW 380 address objects 321 and firewall 227 and FTP 398 and NAT 167 182 and policy routes 166 and SNMP 401 and SSH 394 and Telnet 397 and WWW 380 HOST 321 RANGE 321 SUBNET 321 types of 321 address record 371 admin user troubleshooting 451 admin users 292 multiple logins 301 see also users 292 AF 169 alerts 409 410 412 414 415 416 ALG 199 and fi...

Page 468: ...es of 344 and CA 344 and FTP 398 and HTTPS 376 and SSH 394 and WWW 378 certification path 344 350 356 expired 344 factory default 344 file formats 344 fingerprints 351 357 importing 347 not used for encryption 344 revoked 344 self signed 344 349 serial number 351 356 storage space 346 353 thumbprint algorithms 345 thumbprints 345 used for authentication 344 verifying fingerprints 345 certification...

Page 469: ...n name 363 and interfaces 150 client list 71 pool 150 static DHCP 150 diagnostics 429 434 DiffServ 169 Digital Signature Algorithm public key algorithm see DSA direct routes 163 disclaimer 461 DNS 369 address records 371 domain name forwarders 372 domain name to IP address 371 IP address to domain name 371 Mail eXchange MX records 373 pointer PTR records 371 DNS servers 62 369 372 and interfaces 1...

Page 470: ...le see boot module current version 66 425 getting updated 424 uploading 424 425 uploading with FTP 397 firmware upload troubleshooting 453 flash usage 68 forcing login 220 FQDN 371 free guest account 276 free time 276 configuration 276 enable 276 FTP 397 additional signaling port 200 ALG 199 and address groups 398 and address objects 398 and certificates 398 and zones 398 signaling port 200 with T...

Page 471: ...es prerequisites 114 relationships between 114 static DHCP 150 subnet mask 148 trunks see also trunks types 113 virtual see also virtual interfaces VLAN see also VLAN interfaces Internet access troubleshooting 447 450 Internet Control Message Protocol see ICMP Internet Explorer 20 IP policy routing see policy routes IP protocols 326 and service objects 327 ICMP see ICMP TCP see TCP UDP see UDP IP ...

Page 472: ... messages CLI 23 metrics see reports Microsoft Challenge Handshake Authentication Protocol MSCHAP 361 Challenge Handshake Authentication Protocol Version 2 MSCHAP V2 361 Point to Point Encryption MPPE 361 model name 66 MPPE Microsoft Point to Point Encryption 361 MSCHAP Microsoft Challenge Handshake Authentication Protocol 361 MSCHAP V2 Microsoft Challenge Handshake Authentication Protocol Version...

Page 473: ...and NAT 161 and schedules 166 287 290 and service objects 327 and SMTP redirect 196 and trunks 152 166 and user groups 165 166 287 290 and users 165 166 287 290 and VPN 1 1 mapping 187 benefits 161 criteria 162 overriding direct routes 163 pop up windows 20 port forwarding see NAT port groups 113 115 port roles 114 and Ethernet interfaces 114 and physical ports 114 port translation see NAT power o...

Page 474: ... 349 round robin 153 routing troubleshooting 449 routing protocols and Ethernet interfaces 116 RSA 349 351 356 RSSI threshold 311 S schedule troubleshooting 451 schedules 331 and current date time 331 and firewall 227 244 287 290 and policy routes 166 287 290 one time 331 recurring 331 types of 331 screen resolution 20 Secure Socket Layer see SSL security settings troubleshooting 448 serial number...

Page 475: ...or secure Telnet 394 how connection is established 392 versions 393 with Linux 395 with Microsoft Windows 394 SSL 376 stac compression 361 startup config conf 424 if errors 421 missing at restart 421 present at restart 421 startup config bad conf 421 static DHCP 211 static routes 161 and interfaces 168 metric 169 statistics daily e mail report 403 traffic 79 status 64 subscription services status ...

Page 476: ...so certificates 353 U UDP 326 messages 326 port numbers 326 Universal Plug and Play 201 Application 201 security issues 202 upgrading firmware 424 uploading configuration files 424 firmware 424 shell scripts 426 UPnP 201 usage CPU 68 69 flash 68 memory 68 70 onboard flash 68 sessions 68 70 USB storage status 87 user authentication 292 external 293 local user database 335 user awareness 294 User Da...

Page 477: ...so ALG 199 VPN 1 1 mapping 186 and firewall 187 and policy routes 187 example 186 introduction 186 packet flow 186 pool profile 189 VRPT Vantage Report 414 W warranty 462 note 462 Web Configurator 19 access 20 access users 303 requirements 20 supported browsers 20 web proxy servers 192 see also HTTP redirect weighted round robin for load balancing 154 WEP Wired Equivalent Privacy 307 Wi Fi Protect...