ZyXEL Communications UAG5100, User Manual

Page 1: ... UAG5100 Unified Access Gateway Version 4 00 Edition 1 02 2014 Copyright 2014 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 172 16 0 1 LAN1 http 172 17 0 1 LAN2 User Name admin Password 1234 ...

Page 2: ...entation Quick Start Guide The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards See the wizard real time help for information on configuring each screen It also contains a package contents list CLI Reference Guide The CLI Reference Guide explains how to use the Command Line Interface CLI to configure the UAG Note It is recommended you use the Web Configurator ...

Page 3: ...s 118 Trunks 158 Policy and Static Routes 166 Zones 176 DDNS 180 NAT 185 VPN 1 1 Mapping 192 HTTP Redirect 197 SMTP Redirect 201 ALG 205 UPnP 207 IP MAC Binding 214 Layer 2 Isolation 219 IPnP 223 Web Authentication 225 Firewall 245 Billing 259 Printer Manager 275 Free Time 282 SMS 286 IPSec VPN 288 Bandwidth Management 315 User Group 325 AP Profile 339 Addresses 354 Services 359 Schedules 364 AAA ...

Page 4: ...Contents Overview UAG5100 User s Guide 4 ISP Accounts 391 System 394 Log and Report 435 File Manager 450 Diagnostics 461 Packet Flow Explore 469 Reboot 478 Shutdown 479 Troubleshooting 480 ...

Page 5: ...on 32 2 1 Rack mounting 32 2 2 Front Panel 33 2 2 1 Front Panel LEDs 34 2 3 Rear Panel 34 Chapter 3 Printer Deployment 35 3 1 Overview 35 3 2 Attach the Printer to the UAG 35 3 3 Set up an Internet Connection on the UAG 35 3 4 Allow the UAG to Monitor and Manage the Printer 36 3 5 Turn on Web Authentication on the UAG 38 3 6 Generate a Free Guest Account 40 Chapter 4 Installation Setup Wizard 43 4...

Page 6: ... 59 5 3 5 VPN Express Wizard Summary 59 5 3 6 VPN Express Wizard Finish 60 5 3 7 VPN Advanced Wizard Scenario 61 5 3 8 VPN Advanced Wizard Phase 1 Settings 62 5 3 9 VPN Advanced Wizard Phase 2 63 5 3 10 VPN Advanced Wizard Summary 64 5 3 11 VPN Advanced Wizard Finish 65 Chapter 6 Dashboard 66 6 1 Overview 66 6 1 1 What You Can Do in this Chapter 66 6 2 The Dashboard Screen 66 6 2 1 The CPU Usage S...

Page 7: ... 15 The Printer Status Screen 100 7 16 The VPN 1 1 Mapping Status Screen 101 7 16 1 VPN 1 1 Mapping Statistics 102 7 17 The IPSec Monitor Screen 103 7 17 1 Regular Expressions in Searching IPSec SAs 104 7 18 The Log Screen 104 7 18 1 View AP Log 107 7 18 2 Dynamic Users Log 109 Chapter 8 Registration 111 8 1 Overview 111 8 1 1 What You Can Do in this Chapter 111 8 1 2 What you Need to Know 111 8 2...

Page 8: ...10 6 2 Bridge Interface Add Edit 148 10 7 Virtual Interfaces 152 10 7 1 Virtual Interfaces Add Edit 153 10 8 Interface Technical Reference 154 Chapter 11 Trunks 158 11 1 Overview 158 11 1 1 What You Can Do in this Chapter 158 11 1 2 What You Need to Know 158 11 2 The Trunk Summary Screen 161 11 2 1 Configuring a User Defined Trunk 162 11 2 2 Configuring the System Default Trunk 164 Chapter 12 Poli...

Page 9: ...er 185 15 1 2 What You Need to Know 185 15 2 The NAT Screen 186 15 2 1 The NAT Add Edit Screen 187 15 3 NAT Technical Reference 190 Chapter 16 VPN 1 1 Mapping 192 16 1 VPN 1 1 Mapping Overview 192 16 1 1 What You Can Do in this Chapter 192 16 1 2 What You Need to Know 193 16 2 The VPN 1 1 Mapping General Screen 193 16 2 1 The VPN 1 1 Mapping Add Edit Screen 194 16 3 The VPN 1 1 Mapping Profile Scr...

Page 10: ...sal 207 20 2 2 Cautions with UPnP 208 20 3 UPnP Screen 208 20 4 Technical Reference 209 20 4 1 Using UPnP in Windows XP Example 209 20 4 2 Web Configurator Easy Access 211 Chapter 21 IP MAC Binding 214 21 1 IP MAC Binding Overview 214 21 1 1 What You Can Do in this Chapter 214 21 1 2 What You Need to Know 214 21 2 IP MAC Binding Summary 215 21 2 1 IP MAC Binding Edit 216 21 2 2 Static DHCP Add Edi...

Page 11: ... Chapter 25 Firewall 245 25 1 Overview 245 25 1 1 What You Can Do in this Chapter 245 25 1 2 What You Need to Know 245 25 2 The Firewall Screen 247 25 2 1 Configuring the Firewall Screen 248 25 2 2 The Firewall Add Edit Screen 251 25 3 The Session Control Screen 252 25 3 1 The Session Control Add Edit Screen 253 25 4 Firewall Rule Configuration Example 254 25 5 Firewall Rule Example Applications 2...

Page 12: ... System Status 280 Chapter 28 Free Time 282 28 1 Overview 282 28 1 1 What You Can Do in this Chapter 282 28 2 The Free Time Screen 282 Chapter 29 SMS 286 29 1 Overview 286 29 1 1 What You Can Do in this Chapter 286 29 2 The SMS Screen 286 Chapter 30 IPSec VPN 288 30 1 Virtual Private Networks VPN Overview 288 30 1 1 What You Can Do in this Chapter 288 30 1 2 What You Need to Know 289 30 1 3 Before...

Page 13: ...t Screen 335 32 4 2 User Aware Login Example 336 32 5 User Group Technical Reference 337 Chapter 33 AP Profile 339 33 1 Overview 339 33 1 1 What You Can Do in this Chapter 339 33 1 2 What You Need To Know 339 33 2 Radio Screen 340 33 2 1 Add Edit Radio Profile 342 33 3 SSID Screen 345 33 3 1 SSID List 345 33 3 2 Add Edit SSID Profile 347 33 3 3 Security List 348 33 3 4 Add Edit Security Profile 35...

Page 14: ...edule Add Edit Screen 366 36 2 2 The Recurring Schedule Add Edit Screen 367 Chapter 37 AAA Server 368 37 1 Overview 368 37 1 1 RADIUS Server 368 37 1 2 What You Can Do in this Chapter 368 37 1 3 What You Need To Know 368 37 2 RADIUS Server Summary 369 37 2 1 Adding Editing a RADIUS Server 369 Chapter 38 Authentication Method 372 38 1 Overview 372 38 1 1 What You Can Do in this Chapter 372 38 1 2 B...

Page 15: ...e 395 41 4 Date and Time 396 41 4 1 Pre defined NTP Time Servers List 399 41 4 2 Time Server Synchronization 399 41 5 Console Port Speed 400 41 6 DNS Overview 401 41 6 1 DNS Server Address Assignment 401 41 6 2 Configuring the DNS Screen 401 41 6 3 Address Record 403 41 6 4 PTR Record 403 41 6 5 Adding Editing an Address PTR Record 403 41 6 6 Domain Zone Forwarder 404 41 6 7 Adding Editing a Domai...

Page 16: ... 1 1 What You Can Do In this Chapter 435 42 2 Email Daily Report 435 42 3 Log Settings Screens 437 42 3 1 Log Settings Summary 438 42 3 2 Edit System Log Settings 439 42 3 3 Edit Log on USB Storage Setting 442 42 3 4 Edit Remote Server Log Settings 444 42 3 5 Log Category Settings Screen 446 Chapter 43 File Manager 450 43 1 Overview 450 43 1 1 What You Can Do in this Chapter 450 43 1 2 What you Ne...

Page 17: ...469 45 1 1 What You Can Do in this Chapter 469 45 2 The Routing Status Screen 469 45 3 The SNAT Status Screen 474 Chapter 46 Reboot 478 46 1 Overview 478 46 1 1 What You Need To Know 478 46 2 The Reboot Screen 478 Chapter 47 Shutdown 479 47 1 Overview 479 47 1 1 What You Need To Know 479 47 2 The Shutdown Screen 479 Chapter 48 Troubleshooting 480 48 1 Resetting the UAG 487 48 2 Getting More Troubl...

Page 18: ...t s e mail messages to a specific SMTP server The UAG also provides bandwidth management NAT port forwarding policy routing DHCP server and many other powerful features The UAG s security features include firewall VPN and certificates The UAG lets you set up multiple networks for your company The De Militarized Zone DMZ increases LAN security by providing separate ports for connecting publicly acc...

Page 19: ...manage the UAG in the following ways Web Configurator The Web Configurator allows easy UAG setup and management using an Internet browser This User s Guide provides information about the Web Configurator Figure 2 Managing the UAG Web Configurator Physical Ports Interfaces Zones LAN1 DMZ lan1 dmz LAN2 lan2 WAN wan1 wan2 P1 P2 P3 P4 P5 ...

Page 20: ...and later versions Mozilla Firefox 9 0 and later versions Safari 4 0 and later versions or Google Chrome 10 0 and later versions Allow pop up windows blocked by default in Windows XP Service Pack 2 Enable JavaScripts Java permissions and cookies The recommended screen resolution is 1024 x 768 pixels and higher 1 4 1 Web Configurator Access 1 Make sure your UAG hardware is properly connected See th...

Page 21: ...ar icons in the upper right corner provide the following functions About Click About to display basic information about the UAG A C B Table 2 Title Bar Web Configurator Icons LABEL DESCRIPTION Logout Click this to log out of the Web Configurator Help Click this to open the help page for the current screen About Click this to display basic information about the UAG Site Map Click this to see an ove...

Page 22: ...figurator screens Click a screen s link to go to that screen Figure 5 Site Map Table 3 About LABEL DESCRIPTION Boot Module This shows the version number of the software that handles the booting process of the UAG Current Version This shows the firmware version of the UAG Released Date This shows the date yyyy mm dd and time hh mm ss when the firmware is released OK Click this to close the screen ...

Page 23: ...Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to display the service s configuration scr...

Page 24: ...tion screens Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it The following sections introduce the UAG s navigation panel menus and their screens Figure 8 Navigation Panel Dashboard The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can r...

Page 25: ... on the UAG USB Storage Display details about a USB device connected to the UAG Dynamic Guest List the dynamic guest accounts in the UAG s local database Wireless AP Information AP List Display information about the connected APs Radio List Display information about the radios of the connected APs Station Info Display information about the connected stations Printer Status Printer Status Display i...

Page 26: ...ssign a public IP address to each of users that match the rules Profile Configure a pool profile which defines the public IP address that the UAG assigns to the matched users and the interface through which the user s traffic is forwarded HTTP Redirect Set up and manage HTTP redirection rules SMTP Redirect Set up and manage SMTP redirection rules ALG Configure SIP H 323 and FTP pass through settin...

Page 27: ...SSID Create and manage wireless SSID security and MAC filtering settings files that can be associated with different APs Address Address Create and manage host range and network subnet addresses Address Group Create and manage groups of addresses Service Service Create and manage TCP and UDP services Service Group Create and manage groups of services Schedule Schedule Create one time and recurring...

Page 28: ...send Log Settings Configure the system log e mail logs and remote syslog servers Table 7 Maintenance Menu Screens Summary FOLDER OR LINK TAB FUNCTION File Manager Configuration File Manage and upload configuration files for the UAG Firmware Package View the current firmware version and to upload firmware Shell Script Manage and run shell script files for the UAG Diagnostics Diagnostic Collect diag...

Page 29: ...d Show entries in groups Filter by mathematical operators or or searching for text Figure 10 Common Table Column Options Select a column heading cell s right border and drag to re size the column Figure 11 Resizing a Table Column Select a column heading and drag and drop it to change the column order A green check mark displays next to the column s title when you drag the column to a valid new loc...

Page 30: ...w entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings In some tables you can just click a table entry and edit it directly in the table For those types of tables small red triangles display for table entries with changes that you have not yet applied Remove To remove an entry select it and click Remove The...

Page 31: ...User s Guide 31 Figure 15 Working with Lists 1 5 Stopping the UAG Always use Maintenance Shutdown Shutdown or the shutdown command before you turn off the UAG or remove the power Not doing so can cause the firmware to become corrupt ...

Page 32: ...l necessary precautions to anchor the rack securely before installing the unit Note Leave 10 cm of clearance at the sides and 20 cm in the rear Use a 2 Phillips screwdriver to install the screws Note Failure to use the proper screws may damage the unit 1 Align one bracket with the holes on one side of the UAG and secure it with the included bracket screws smaller than the rack mounting screws 2 At...

Page 33: ...low control setting but the UAG can negotiate with the peer and turn it off if needed The color coded Ethernet port supports the IEEE 802 3at High Power over Ethernet PoE standard and can receive power of up to 30W per Ethernet port from a PoE switch via an 8 pin CAT 5 Ethernet cable This helps eliminate the need for power sockets USB 2 0 Ports Connect a USB storage device to a USB port on the UAG...

Page 34: ...a few minutes and then restart the device see Section 1 5 on page 31 If the LED turns red again then please contact your vendor SYS Green Off The UAG is not ready or has failed On The UAG is ready and running Blinking The UAG is booting Red On The UAG had an error or has failed P1 P5 Green On This port has a successful link to a 10 100 Mbps Ethernet network Blinking The UAG is sending or receiving...

Page 35: ... Connect the Ethernet port of the printer to one LAN port of the UAG 2 Connect the power socket of the printer to a power outlet Turn on the printer The printer is acting as a DHCP client by default and will obtain an IP address from the connected UAG Make sure the UAG is turned on already and the DHCP server is enabled on its LAN interface s 3 3 Set up an Internet Connection on the UAG 1 Connect ...

Page 36: ...nter to the UAG s printer list check the sticker on the printer s rear panel to see its MAC address 1 Go to the Dashboard of the UAG web configurator 2 Open the DHCP Table to find the IP address that is assigned to the printer s MAC address Make sure the IP address is reserved for the printer Write down the printer s IP address ...

Page 37: ...de 37 3 Go to the Configuration Printer Manager screen Click Add in the Printer List to create a new entry for your printer 4 After the printer s IP address is added to the printer list select the Enable Printer Manager checkbox and then click Apply ...

Page 38: ...nter that is connected to the UAG and then click Add to Mgnt Printer List to add the selected AP to the managed printer list automatically Note You may need to wait up to 90 seconds for the UAG to synchronize with the printer successfully after you click Apply in the Configuration Printer Manager screen 3 5 Turn on Web Authentication on the UAG With web authentication users need to log in through ...

Page 39: ...ion to Web Portal 3 Select Internal Web Portal to use the default login page 4 Click Add to create a new web authentication policy 5 The Auth Policy Add screen displays Set Authentication to required and select Force User Authentication to redirect all HTTP traffic to the default login page 6 Click OK to save your changes ...

Page 40: ...ased account generator to create guest accounts based on the pre defined billing settings see Section 26 3 on page 261 1 Go to the Configuration Free Time screen 2 Select the Enable Free Time checkbox to turn on this feature Click Apply 3 Whenever a user tries to access a web page he she will be redirect to the default login page 4 Click the link on the login page to get a free guest account ...

Page 41: ...nt UAG5100 User s Guide 41 5 A Welcome screen displays Select the free time service Click OK to generate and show the account information on the web page 6 Now you can use this account to access the Internet through the UAG for ...

Page 42: ...Chapter 3 Printer Deployment UAG5100 User s Guide 42 ...

Page 43: ...for background information Figure 18 Installation Setup Wizard Click the double arrow in the upper right corner to display or hide the help Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access 4 1 1 Internet Access Setup WAN Interface Use this screen to set how many WAN interfaces to configure and the first WAN interface s type of encap...

Page 44: ...P for a dial up connection according to the information from your ISP First WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto if your ISP did not assign you a fixed IP address Select Static if the ISP assigned a fixed IP address 4 1 2 Internet Access Eth...

Page 45: ...Enter the subnet mask for this WAN connection s IP address Gateway IP Address Enter the IP address of the router through which this WAN connection will send traffic the default gateway First Second DNS Server These fields display if you selected static IP address assignment The Domain Name System DNS maps a domain name to an IP address and vice versa Enter a DNS server s IP address es The DNS serv...

Page 46: ...HAP V2 Your UAG accepts MSCHAP V2 only Type the User Name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Type the Password associated with the user name Use up to 64 ASCII characters except the and This field can be blank Select Nailed Up if you do not want the connection to time out Otherwise type the Idle Timeout in seconds that elapses ...

Page 47: ... and the time server Leave the field as 0 0 0 0 if you do not want to configure DNS servers If you do not configure a DNS server you must know the IP address of a machine in order to access it 4 1 4 Internet Access PPTP Note Enter the Internet access information exactly as given to you by your ISP Figure 22 Internet Access PPTP Encapsulation 4 1 4 1 ISP Parameters Authentication Type Select an aut...

Page 48: ...ts of your broadband modem or router You can use alphanumeric and _ characters and it can be up to 31 characters long 4 1 4 3 WAN IP Address Assignments First WAN Interface This is the connection type on the interface you are configuring to connect with your ISP Zone This is the security zone to which this interface and Internet connection will belong IP Address Enter your static public IP address...

Page 49: ...ond WAN Interface 4 1 6 Internet Access Finish You have set up your UAG to access the Internet A screen displays with your settings If they are not correct click Back Figure 24 Internet Access Finish Click Next and use the following screen to perform a basic registration see Section 4 2 on page 50 ...

Page 50: ...rd 4 2 Device Registration Go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it if you have not already done so Note You must be connected to the Internet to register Use the Registration Service screen to update your service subscription status Figure 25 Registration ...

Page 51: ...the first Quick Setup screen Figure 26 Quick Setup WAN Interface Click this link to open a wizard to set up a WAN Internet connection This wizard creates matching ISP account settings in the UAG if you use PPPoE or PPTP See Section 5 2 on page 51 VPN Setup Use VPN Setup to configure a VPN Virtual Private Network rule for a secure connection to another computer or network See Section 5 3 on page 56...

Page 52: ...that you want to configure for a WAN connection and click Next Figure 28 Choose an Ethernet Interface 5 2 2 Select WAN Type WAN Type Selection Select the type of encapsulation this connection is to use Choose Ethernet when the WAN port is used as a regular Ethernet Otherwise choose PPPoE or PPTP for a dial up connection according to the information from your ISP ...

Page 53: ...P address Figure 30 WAN Interface Setup Step 2 WAN Interface This is the interface you are configuring for Internet access Zone This is the security zone to which this interface and Internet connection belong IP Address Assignment Select Auto If your ISP did not assign you a fixed IP address Select Static if you have a fixed IP address 5 2 4 ISP and WAN Connection Settings Use this screen to confi...

Page 54: ...e node CHAP Your UAG accepts CHAP only PAP Your UAG accepts PAP only MSCHAP Your UAG accepts MSCHAP only MSCHAP V2 Your UAG accepts MSCHAP V2 only User Name Type the user name given to you by your ISP You can use alphanumeric and _ characters and it can be up to 31 characters long Password Type the password associated with the user name above Use up to 64 ASCII characters except the and This field...

Page 55: ...This field displays to which security zone this interface and Internet connection will belong IP Address This field is read only when the WAN interface uses a dynamic IP address If your WAN interface uses a static IP address enter it in this field First DNS Server Second DNS Server These fields only display for an interface with a static IP address Enter the DNS server IP address es in the field s...

Page 56: ...ut Yes means the UAG uses the idle timeout Idle Timeout This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server 0 means no timeout Connection ID If you specified a connection ID it displays here WAN Interface This identifies the interface you configure to connect with your ISP Zone This field displays to which security zone this interfa...

Page 57: ... screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Figure 34 VPN Wizard Welcome 5 3 2 VPN Setup Wizard Wizard Type Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD based UAG using a pre shared key Choose Advanced to change the default settings and or use certificates instead of a pre shared key to creat...

Page 58: ...Figure 35 on page 58 to display the following screen Figure 36 VPN Express Wizard Scenario Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Application Scenario This shows the scenario that the UAG supports ...

Page 59: ...cimal 0 9 A F characters Proceed a hexadecimal key with 0x You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Local Policy IP Mask Type the IP address of a computer on your network that can use the tunnel You can also specify a subnet This must match the remote IP address configured on the remote IPSec device Remote Policy IP Mask Type th...

Page 60: ...te IPSec device that can use the tunnel Copy and paste the Configuration for Secure Gateway commands into another ZLD based UAG s command line interface to configure it to serve as the other end of this VPN tunnel You can also use a text editor to save these commands as a shell script file with a zysh filename extension Use the file manager to run the script in order to configure the VPN connectio...

Page 61: ...rio Click the Advanced radio button as shown in Figure 35 on page 58 to display the following screen Figure 40 VPN Advanced Wizard Scenario Rule Name Type the name used to identify this VPN connection and VPN gateway You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive ...

Page 62: ...egotiation Mode Select Main for identity protection Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords Note Multiple SAs connecting through a secure gateway must have the same negotiation mode Encryption Algorithm 3DES and AES use encryption The longer the key the higher the security this may affect throughput Both sender and receiver must use ...

Page 63: ... 15 seconds the UAG sends a message to the remote IPSec device If it responds the UAG transmits the data If it does not respond the UAG shuts down the IKE SA Authentication Method Select Pre Shared Key to use a password or Certificate to use one of the UAG s certificates 5 3 9 VPN Advanced Wizard Phase 2 Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec Figur...

Page 64: ...s configured on the remote IPSec device Nailed Up This displays for the site to site and remote access client role scenarios Select this to have the UAG automatically renegotiate the IPSec SA when the SA life time expires 5 3 10 VPN Advanced Wizard Summary This is a read only summary of the VPN tunnel settings Figure 43 VPN Advanced Wizard Summary Rule Name Identifies the VPN connection and the VP...

Page 65: ...anced Wizard Finish Now the rule is configured on the UAG The Phase 1 rule settings appear in the VPN IPSec VPN VPN Gateway screen and the Phase 2 rule settings appear in the VPN IPSec VPN VPN Connection screen Figure 44 VPN Wizard Finish Click Close to exit the wizard ...

Page 66: ...t the VPN tunnels that are currently established Use the DHCP Table screen see Section 6 2 5 on page 74 to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses Use the Number of Login Users screen see Section 6 2 6 on page 75 to look at a list of the users currently logged into the UAG 6 2 The Dashboard Screen The Dashboard screen dis...

Page 67: ...es the labels in this screen Table 12 Dashboard LABEL DESCRIPTION Widget Settings A Use this link to open or close widgets by selecting clearing the associated checkbox Up Arrow B Click this to collapse a widget It then becomes a down arrow Click it again to enlarge the widget again A B C D E ...

Page 68: ...ress and subnet mask assigned to the interface Device Information System Name This field displays the name used to identify the UAG on any network Click the icon to open the screen where you can change it Model Name This field displays the model name of this UAG Serial Number This field displays the serial number of this UAG The serial number is used for device tracking and control MAC Address Ran...

Page 69: ...rchitecture and use its multiple WAN feature to connect to more than one ISP See the CLI Reference Guide for how to use commands to set the UAG interfaces to work in drop in mode Interface Status Summary If an Ethernet interface does not have any physical ports associated with it its entry is displayed in light gray text Name This field displays the name of each interface Status This field display...

Page 70: ...nsed service Version This is the version number of the service Expiration If the service license is valid this shows when it will expire n a displays if the service license does not have a limited period of validity 0 displays if the service is not licensed or has expired System Resources CPU Usage This field displays what percentage of the UAG s processing capability is currently being used Hover...

Page 71: ...connected to this AP AP Description This field displays the AP s description The default description is AP followed by the AP s MAC address Top 5 IPv4 Firewall Rules that blocked Traffic This section displays the most triggered five firewall rules that caused the UAG to block This is the entry s rank in the list of the most commonly triggered firewall rules From This shows the zone from which pack...

Page 72: ...y RAM usage To access this screen click Memory Usage in the dashboard Figure 47 Dashboard Memory Usage Table 13 Dashboard CPU Usage LABEL DESCRIPTION The y axis represents the percentage of CPU usage The x axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in...

Page 73: ...VPN Status in System Status in the dashboard Table 14 Dashboard Memory Usage LABEL DESCRIPTION The y axis represents the percentage of RAM usage The x axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated Refresh Now Click this to update the information in the window right away Table 15 Dashboard Show Active S...

Page 74: ... System Status in the dashboard Figure 50 Dashboard DHCP Table Table 16 Dashboard VPN Status LABEL DESCRIPTION This field is a sequential value and it is not associated with a specific SA Name This field displays the name of the IPSec SA Encapsulation This field displays how the IPSec SA is encapsulated Algorithm This field displays the encryption and authentication algorithms used in the SA Refre...

Page 75: ...ost Name This field displays the name used to identify this device on the network the computer name The UAG learns these from the DHCP client requests None shows here for a static DHCP entry MAC Address This field displays the MAC address to which the IP address is currently assigned or for which the IP address is reserved Click the column s heading cell to sort the table entries by MAC address Cl...

Page 76: ...and the amount of lease time remaining for each user See Chapter 32 on page 325 for more information Type This field displays the way the user logged in to the UAG IP address This field displays the IP address of the computer used to log in to the UAG User Info This field displays the types of user accounts the UAG uses If the user type is ext user external user this field will show its external g...

Page 77: ...evices that have received an IP address from UAG interfaces with IP MAC binding enabled Use the System Status Login Users screen see Section 7 8 on page 89 to look at a list of the users currently logged into the UAG Use the System Status UPnP Port Status screen see Section 7 9 on page 90 to look at a list of the NAT port mapping rules that UPnP creates on the UAG Use the System Status USB Storage...

Page 78: ...the Log Dynamic Users Log screen see Section 7 18 2 on page 109 to view the UAG s dynamic guest account log messages 7 2 The Port Statistics Screen Use this screen to look at packet statistics for each Gigabit Ethernet port To access this screen click Monitor System Status Port Statistics Figure 52 Monitor System Status Port Statistics The following table describes the labels in this screen Table ...

Page 79: ...om the UAG on the physical port since it was last connected RxPkts This field displays the number of packets received by the UAG on the physical port since it was last connected Collisions This field displays the number of collisions on the physical port since it was last connected Tx B s This field displays the transmission speed in bytes per second on the physical port in the one second interval...

Page 80: ...election Select the number of the physical port for which you want to display graphics Switch to Grid View Click this to display the port statistics as a table Kbps The y axis represents the speed of transmission or reception time The x axis shows the time period over which the transmission or reception occurred TX This line represents traffic transmitted from the UAG on the physical port since it...

Page 81: ... this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces Name This field displays the name of each interface If there is an Expand icon plus sign next to the name click this to look at the status of virtual interfaces on top of this interface Port This field displays the physical port number If an Ethernet interface does not have any physical ports a...

Page 82: ...ask This field displays the current IP address and subnet mask assigned to the interface If the IP address and subnet mask are 0 0 0 0 the interface is disabled or did not receive an IP address and subnet mask via DHCP IP Assignment This field displays how the interface gets its IP address Static This interface has a static IP address DHCP Client This interface gets its IP address from a DHCP serv...

Page 83: ...d Duplex The Ethernet interface is enabled and connected This field displays the port speed and duplex setting Full or Half Port Group Inactive The Ethernet interface does not have any physical ports associated with it Port Group Up The Ethernet interface is part of a port group and is connected Port Group Down The Ethernet interface is part of a port group and is not connected For virtual interfa...

Page 84: ...hernet VLAN bridge and PPPoE PPTP interfaces Top Select the type of report to display Choices are Host IP Address User displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one Service Port displays the most used protocols or service ports and the amount of traffic for each one Web Site Hits displays the most visited Web sites and how many tim...

Page 85: ...Direction This field indicates whether the indicated protocol or service port is sending or receiving traffic Ingress traffic is coming into the router through the interface Egress traffic is going out from the router through the interface Amount This field displays how much traffic was sent or received from the indicated service port If the Direction is Ingress a red bar is displayed if the Direc...

Page 86: ...tor LABEL DESCRIPTION View Select how you want the information to be displayed Choices are sessions by users display all active sessions grouped by user sessions by services display all active sessions grouped by service or protocol sessions by source IP display all active sessions grouped by source IP address sessions by destination IP display all active sessions grouped by destination IP address...

Page 87: ...iteria in the User Service Source Address and Destination Address fields Active Sessions This is the total number of active sessions that matched the search criteria Show Select the number of active sessions displayed on each page You can use the arrow keys on the right to change pages User This field displays the user in each active session If you are looking at the sessions by users or all sessi...

Page 88: ...e 25 Monitor System Status DDNS Status LABEL DESCRIPTION Update Click this to have the UAG update the profile to the DDNS server The UAG attempts to resolve the IP address for the domain name Profile Name This field displays the descriptive profile name for this entry Domain Name This field displays each domain name the UAG can route Effective IP This is the resolved IP address of the domain name ...

Page 89: ...hese from the DHCP client requests MAC Address This field displays the MAC address to which the IP address is currently assigned Last Access This is when the device last established a session with the UAG through this interface Description This field displays the descriptive name that helps identify the entry Refresh Click this button to update the information in the screen Table 27 Monitor System...

Page 90: ...st This is the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP packets Since this is often a wildcard the field may be blank When the field is blank the UAG forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port When this field displays an external IP addr...

Page 91: ...d displays a text explanation of the NAT mapping rule Delete All Click this to remove all mapping rules from the NAT table Refresh Click this button to update the information in the screen Table 28 Monitor System Status UPnP Port Status continued LABEL DESCRIPTION Table 29 Monitor System Status USB Storage LABEL DESCRIPTION Device description This is a basic description of the type of USB device U...

Page 92: ...w to stop the UAG from using the USB storage device so you can remove it Unused the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the UAG cannot mount it Click Use It to have the UAG mount a connected USB storage device This button is grayed out if the file system is not supported unknown by the UAG none no USB storage device is connected Det...

Page 93: ...ning for each account Time Period This field displays the total account of time the account can use to access the Internet through the UAG Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list Charge Thi...

Page 94: ...egistered with the managed AP list IP Address This displays the AP s IP address MAC Address This displays the AP s MAC address Model This displays the AP s model number Mgnt VLAN ID AC AP This displays the Access Controller the UAG management VLAN ID setting for the AP and the runtime management VLAN ID setting on the AP VLAN Conflict displays if the AP s management VLAN ID does not match the UAG ...

Page 95: ...tion AP List Station Count of AP Table 33 Monitor Wireless AP Information AP List Icons LABEL DESCRIPTION This AP is not on the management list This AP is on the management list and online This AP is in the process of having its firmware updated This AP is on the management list but offline This indicates one of the following cases This AP has a runtime management VLAN ID setting that conflicts wi...

Page 96: ...one of the AP s configuration conflicts with the UAG s settings for the AP Station Count The y axis represents the number of connected stations The x axis shows the time over which a station was connected Last Update This field displays the date and time the information in the window was last updated Table 35 Monitor Wireless AP Information Radio List LABEL DESCRIPTION More Information Click this ...

Page 97: ...ions aka wireless clients associated with the radio Rx PKT This displays the total number of packets received by the radio Tx PKT This displays the total number of packets transmitted by the radio Rx FCS Error Count This indicates the number of received packet errors accrued by the radio Tx Retry Count This indicates the number of times the radio has attempted to re transmit packets Table 35 Monit...

Page 98: ...view detailed information about a selected radio s SSID s wireless traffic and wireless clients for the preceding 24 hours To access this window select an entry and click the More Information button in the Radio List screen Figure 66 Monitor Wireless AP Information Radio List AP Mode Radio Information ...

Page 99: ...lays the MAC address associated with the SSID Security Mode This displays the security mode in which the SSID is operating VLAN This displays the VLAN ID associated with the SSID Traffic Statistics This graph displays the overall traffic information about the radio over the preceding 24 hours y axis This axis represents the amount of data moved across this radio in megabytes per second x axis This...

Page 100: ...ected to the network SSID Name This indicates the name of the wireless network to which the station is connected A single AP can have multiple SSIDs or networks Security Mode This indicates which secure encryption methods is being used by the station to connect to the network Signal Strength This indicates the strength of the signal The signal strength mainly depends on the antenna output power an...

Page 101: ...on This field displays whether the printer is added to the managed printer list Mgnt Printer or not Un Mgnt Printer IPv4 Address This field displays the IP address of the printer that you configured in the Configuration Printer Manager screen Update Time This field displays the date and time the UAG last synchronized with the printer This shows n a when the printer is not in the managed printer li...

Page 102: ... which the outgoing traffic is forwarded Rule This field displays the index number of the matched VPN 1 1 mapping rule that you configured in the Configuration VPN 1 1 Mapping screen Pool This field displays the name of the pool profile that you configured for the VPN 1 1 mapping rule Force Logout Select a user ID and click this icon to end a user s session Refresh Click this button to update the ...

Page 103: ... information you specified above Disconnect Select an IPSec SA and click this button to disconnect it Total Connection This field displays the total number of associated IPSec SAs Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries Type a page number to go to or use the arrows to navigate the pages of entries Show x items Select how ma...

Page 104: ...7 18 The Log Screen Log messages are stored in two separate logs one for regular log messages and one for debugging messages In the regular log you can look at all the log messages by selecting All Logs or you can select a specific category of log messages for example firewall or user You can also look at the debugging log by selecting Debug Log All debugging messages have the same priority To acc...

Page 105: ...hoices are any emerg alert crit error warn notice and info from highest priority to lowest priority This field is read only if the Category is Debug Log Source Address This displays when you show the filter Type the source IP address of the incoming packet that generated the log message Do not include the port in this filter Destination Address This displays when you show the filter Type the IP ad...

Page 106: ...k this button to clear the whole log regardless of what is currently displayed on the screen This field is a sequential value and it is not associated with a specific log message Time This field displays the time the log message was recorded Priority This field displays the priority of the log message It has the same range of values as the Priority field above Category This field displays the log ...

Page 107: ...ick Monitor Log View AP Log to access this screen Figure 73 Monitor Log View AP Log The following table describes the labels in this screen Table 43 Monitor Log View AP Log LABEL DESCRIPTION Show Hide Filter Click this to show or hide the AP log filter Select an AP Select an AP from the list and click Query to view its log messages ...

Page 108: ...appears when you Show Filter Destination Interface Enter a destination interface to display only the log messages that include it Note This criterion only appears when you Show Filter Service Select a service type to display only the log messages related to it Note This criterion only appears when you Show Filter Keyword Enter a keyword to display only the log messages that include it Note This cr...

Page 109: ...ESCRIPTION Begin End Date Select the first and last dates to specify a time period The UAG displays log messages only for the accounts created during the specified time period after you click Search Begin End Time Select the begin time of the first date and the end time of the last date to specify a time period The UAG displays log messages only for the accounts created during the specified time p...

Page 110: ... the Internet through the UAG Expiration Time This field displays the date and time the account becomes invalid Note Once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list Charge This field displays the total cost of the account Payment Info This field displays the method of payment for eac...

Page 111: ... service at myZyXEL com through the UAG Note You need to create a myZyXEL com account before you can register your device and activate the services at myZyXEL com Go to http portal myZyXEL com with the UAG s serial number and LAN MAC address to register it Refer to the web site s on line help for details Note To activate a service on a UAG you need to access myZyXEL com via that UAG Subscription S...

Page 112: ...stration 8 3 Service Screen Use this screen to display the status of your service registrations To activate or extend a standard service subscription purchase an iCard and enter the iCard s PIN number license key at myZyXEL com Click Configuration Licensing Registration Service to open the screen as shown next Figure 76 Configuration Licensing Registration Service The following table describes the...

Page 113: ... PIN number Standard This field is blank when a service is not activated Expiration Date This field displays the date your service expires Count This field displays the maximum number of wired and wireless users that may connect to the UAG at the same time or how many managed APs the UAG can support with your current license Service License Refresh Click this button to renew service license inform...

Page 114: ... The Controller screen Section 9 2 on page 114 sets how the UAG allows new APs to connect to the network The AP Management screen Section 9 3 on page 115 manages all of the APs connected to the UAG 9 2 Controller Screen Use this screen to set how the UAG allows new APs to connect to the network Click Configuration Wireless Controller to access this screen Figure 77 Configuration Wireless Controlle...

Page 115: ...t automatically differentiate between friendly and rogue APs APs must be connected to the UAG by a wired connection or network Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to its last saved settings Table 47 Configuration Wireless AP Management LABEL DESCRIPTION Edit Select an AP and click this button to edit its properties Remove Select an AP and c...

Page 116: ... AP and AP profile name for Radio 2 It displays n a for the profile for a radio not using an AP profile Mgnt VLAN ID AC This displays the Access Controller the UAG management VLAN ID setting for the AP Mgnt VLAN ID AP This displays the runtime management VLAN ID setting on the AP VLAN Conflict displays if the AP s management VLAN ID does not match the Mgnt VLAN ID AC This field displays n a if the...

Page 117: ...to be managed or subsequently passed on to an upstream gateway for managing Radio 1 2 Profile Select a profile from the list If no profile exists you can create a new one through the Create new Object menu Force Overwrite VLAN Config Select this to have the UAG change the AP s management VLAN to match the configuration in this screen Management VLAN ID Enter a VLAN ID for this AP As Native VLAN Se...

Page 118: ...PTP Internet connections Use the VLAN screens Section 10 5 on page 138 to divide the physical network into multiple logical networks VLAN interfaces receive and send tagged frames The UAG automatically adds or removes the tags as needed Each VLAN can only be associated with one Ethernet interface Use the Bridge screens Section 10 6 on page 145 to combine two or more network segments into a single ...

Page 119: ...are specific to each type of interface See Section 10 3 on page 122 and Chapter 11 on page 158 for details The other types of interfaces Ethernet PPP VLAN bridge and virtual have a lot of similar characteristics These characteristics are listed in the following table and discussed in more detail below The format of interface names other than the Ethernet and ppp interface names is strict Each name...

Page 120: ...the member interface has a virtual interface or PPP interface on top of it Finding Out More See Section 10 8 on page 154 for background information on interfaces See Chapter 11 on page 158 to configure load balancing using trunks 10 2 Port Grouping This section introduces port groups and then explains the screen for port groups Table 50 Relationships Between Different Types of Interfaces INTERFACE...

Page 121: ...speed throughput but no security It can increase the bandwidth between the port group and other interfaces 10 2 2 Port Grouping Screen To access this screen click Configuration Network Interface Port Grouping Define the relationship between physical ports port groups and Ethernet interfaces in the Port Grouping screen Figure 80 Configuration Network Interface Port Grouping The physical Ethernet po...

Page 122: ...ces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one The more routing information is exchanged the more efficient the routers should be However the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management Figure 81 Configuration Network Int...

Page 123: ...rence to open a screen that shows which settings use the entry See Section 10 3 2 on page 129 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the interface IP Address This field displays the current IP address of the interface If th...

Page 124: ...Chapter 10 Interfaces UAG5100 User s Guide 124 Figure 82 Configuration Network Interface Ethernet Edit External Type ...

Page 125: ...Chapter 10 Interfaces UAG5100 User s Guide 125 Figure 83 Configuration Network Interface Ethernet Edit Internal Type ...

Page 126: ...Address This field is read only This is the MAC address that the Ethernet interface uses Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment These IP address fields configure an IPv4 IP address on the interface itself If you change this IP address on the interface you may a...

Page 127: ...rform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the UAG stops routing through the gateway Check Default Gateway Select th...

Page 128: ...ant to send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default router This default router will become the DHCP clients default gateway To use another IP ad...

Page 129: ...nterface use either the factory assigned default MAC address a manually specified MAC address or clone the MAC address of another device or computer Use Default MAC Address Select this option to have the interface use the factory assigned default MAC address By default the UAG uses the factory assigned MAC address to identify itself Overwrite Default MAC Address Select this option to have the inte...

Page 130: ...ect References LABEL DESCRIPTION Object Name This identifies the object for which the configuration settings that use it are displayed Click the object s name to display the object s configuration screen in the main window This field is a sequential value and it is not associated with any entry Service This is the type of setting that references the selected object Click a service s name to displa...

Page 131: ...for the selected DHCP option For example if you selected TFTP Server Name 66 and the type is TEXT enter the DNS domain name of a TFTP server here If you selected the Time Offset 2 option the type is Boolean and you have to enter a Boolean value which should be either 0 or 1 where 1 interpreted as true and 0 is interpreted as false This field is mandatory First IP Address Second IP Address Third IP...

Page 132: ...s been used for DHCP options The minimum length of the value is 1 SIP Server 120 This option carries either an IPv4 address or a DNS domain name to be used by the SIP client to locate a SIP server VIVC 124 Vendor Identifying Vendor Class option A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running the software in use or...

Page 133: ...terface to use Each ISP account specifies the protocol PPPoE or PPTP as well as your ISP account information If you change ISPs later you only have to create a new ISP account not a new PPPoE PPTP interface You should not have to change any network policies You do not set up the subnet mask or gateway PPPoE PPTP interfaces are interfaces between the UAG and only one computer Therefore the subnet m...

Page 134: ...lick Activate Inactivate To turn off an entry select it and click Inactivate Connect To connect an interface select it and click Connect You might use this in testing the interface or to manually establish the connection for a Dial on Demand PPPoE PPTP interface Disconnect To disconnect an interface select it and click Disconnect You might use this in testing the interface Object Reference Select ...

Page 135: ...Chapter 10 Interfaces UAG5100 User s Guide 135 Figure 88 Configuration Network Interface PPP Add ...

Page 136: ...nnection up all the time Dial on Demand Select this to have the UAG establish the PPPoE PPTP connection only when there is traffic You might use this option if there is little traffic through the interface or if it costs money to keep the connection available ISP Setting Account Profile Select the ISP account that this PPPoE PPTP interface uses The drop down box lists ISP accounts by name Use Crea...

Page 137: ...rface checks the connection how long to wait for a response before the attempt is a failure and how many consecutive failures are required before the UAG stops routing to the gateway The UAG resumes routing to the gateway the first time the gateway passes the connectivity check Enable Connectivity Check Select this to turn on the connection check Check Method Select the method that the gateway all...

Page 138: ...physical networks into three VLANs Figure 90 Example After VLAN Each VLAN is a separate network with separate IP addresses subnet masks and gateways Each VLAN also has a unique identification number ID The ID is a 12 bit value that is stored in the MAC header The VLANs are connected to switches and the switches are connected to the router If one switch has enough connections for the entire network...

Page 139: ... department in the example above These rules are also independent of the physical network so you can change the physical network without changing policies In this example the new switch handles the following types of traffic Inside VLAN 2 Between the router and VLAN 1 Between the router and VLAN 2 Between the router and VLAN 3 VLAN Interfaces Overview In the UAG each VLAN is called a VLAN interfac...

Page 140: ...lect an interface and click Create Virtual Interface Object References Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 129 for an example This field is a sequential value and it is not associated with any interface Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field dis...

Page 141: ...Chapter 10 Interfaces UAG5100 User s Guide 141 or select an entry in the VLAN summary screen and click the Edit icon The following screen appears Figure 92 Configuration Network Interface VLAN Add ...

Page 142: ...s on the model Zone Select the zone to which the VLAN interface belongs Base Port Select the Ethernet interface on which the VLAN interface runs VLAN ID Enter the VLAN ID This 12 bit number uniquely identifies each VLAN Allowed values are 1 4094 0 and 4095 are reserved Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be...

Page 143: ... specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures before the UAG stops routing through the gateway Check Default Gateway Select this to use the default gateway for the conn...

Page 144: ... send to the DHCP clients The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using Default Router If you set this interface to DHCP Server you can select to use either the interface s IP address or another IP address as the default router This default router will become the DHCP clients default gateway To use another IP address ...

Page 145: ...is to create a new entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific entry IP Address Enter the IP address to assign to a device with this entry s MAC address MAC Enter the MAC address to which to assign this entry s IP address Description Enter a description...

Page 146: ...fic between some interfaces while it routes traffic for other interfaces The bridge interfaces also support more functions like interface bandwidth parameters DHCP settings and connectivity check To use the whole UAG as a transparent bridge add all of the UAG s interfaces to a bridge interface A bridge interface may consist of the following members Zero or one VLAN interfaces and any associated vi...

Page 147: ...nd click Activate Inactivate To turn off an entry select it and click Inactivate Create Virtual Interface To open the screen where you can create a virtual interface select an interface and click Create Virtual Interface Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 129 for an example This field is a ...

Page 148: ... IP address assignment interface bandwidth parameters DHCP settings and connectivity check for each bridge interface To access this screen click the Add icon or select an entry in the Bridge summary screen and click the Edit icon The following screen appears Figure 94 Configuration Network Interface Bridge Add ...

Page 149: ...ewall and remote management Description Enter a description of this interface It is not used elsewhere You can use alphanumeric and _ characters and it can be up to 60 characters long Member Configuration Available This field displays Ethernet interfaces and VLAN interfaces that can become part of the bridge interface An interface is not available in the following situations There is a virtual int...

Page 150: ...of a DHCP server for the network Relay Server 2 This field is optional Enter the IP address of another DHCP server for the network These fields appear if the UAG is a DHCP Server IP Pool Start Address Enter the IP address from which the UAG begins allocating IP addresses If you want to assign a static IP address to a specific computer click Add Static DHCP If this field is blank the Pool Size must...

Page 151: ...his option to have this interface enforce links between specific IP addresses and specific MAC addresses This stops anyone else from manually using a bound IP address on another device connected to this interface Use this to make use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the UAG generate a log if a device connec...

Page 152: ...o have the UAG regularly ping the gateway you specify to make sure it is still available Select tcp to have the UAG regularly perform a TCP handshake with the gateway you specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tol...

Page 153: ...e You can use alphanumeric and _ characters and it can be up to 60 characters long IP Address Assignment IP Address Enter the IP address for this interface Subnet Mask Enter the subnet mask of this interface in dot decimal notation The subnet mask indicates what part of the IP address is the same for all computers in the network Gateway Enter the IP address of the gateway The UAG sends packets to ...

Page 154: ...hese interfaces you can only enter the IP address In many interfaces you can also let the IP address and subnet mask be assigned by an external DHCP server on the network In this case the interface is a DHCP client Virtual interfaces however cannot be DHCP clients You have to assign the IP address and subnet mask manually In general the IP address and subnet mask of each interface should not overl...

Page 155: ...network 1 If you set the bandwidth restrictions very high you effectively remove the restrictions The UAG also restricts the size of each data packet The maximum number of bytes in each packet is called the maximum transmission unit MTU If a packet is larger than the MTU the UAG divides it into smaller fragments Each fragment is sent separately and the original packet is re assembled later The sma...

Page 156: ...sk is 255 255 255 0 the starting IP address in the pool is 9 9 9 2 and the pool size is 253 Subnet mask The interface provides the same subnet mask you specify for the interface See IP Address Assignment on page 154 Gateway The interface provides the same gateway you specify for the interface See IP Address Assignment on page 154 DNS servers The interface provides IP addresses for up to three DNS ...

Page 157: ...stems including RADIUS You can access one of several network services This makes it easier for the service provider to offer the service PPPoE does not usually require any special configuration of the modem PPTP is used to set up virtual private networks VPN in unsecure TCP IP environments It sets up two sessions 1 The first one runs on TCP port 1723 It is used to start and manage the second one 2...

Page 158: ... connected to the VoIP service provider set to active and another interface connected to another ISP set to passive This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface s connection is up 11 1 1 What You Can Do in this Chapter Use the Trunk summary screen Section 11 2 on page 161 to configure link sticking and view the list of configured tr...

Page 159: ...h Here the UAG has two WAN interfaces connected to the Internet The configured available outbound bandwidths for wan1 and ppp0 are 512K and 256K respectively Figure 97 Least Load First Example The outbound bandwidth utilization is used as the load balancing index In this example the measured current outbound throughput of wan1 is 412K and ppp0 is 198K The UAG calculates the load balancing index as...

Page 160: ...G assigns the traffic of two sessions to wan1 and one session s traffic to ppp0 in each round of 3 new sessions Figure 98 Weighted Round Robin Algorithm Example Spillover The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface s maximum allowable load is reached then sends the excess network traffic of new sessions to the nex...

Page 161: ... configuration fields Disconnect Connections Before Falling Back Select this to terminate existing connections on an interface which is set to passive mode when any interface set to active mode in the same trunk comes back up Enable Default SNAT Select this to have the UAG use the IP address of the outgoing interface as the source IP address of the packets it sends out through its WAN trunks The U...

Page 162: ...user configured trunk Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on pa...

Page 163: ... add edit remove or move entries for user configured trunks Add Click this to add a member interface to the trunk Select an interface and click Add to add a new member interface after the selected member interface Edit Select an entry and click Edit to modify the entry s settings Remove To remove a member interface select it and click Remove The UAG confirms you want to remove it before doing so M...

Page 164: ...nterface in the corresponding interface edit screen Total Bandwidth This field displays with the spillover load balancing algorithm It displays the maximum number of kilobits of data the UAG is to send out and allow to come in through the interface per second You can configure the bandwidth of an interface in the corresponding interface edit screen Spillover This field displays with the spillover ...

Page 165: ...aces Mode This field displays Active if the UAG always attempt to use this connection This field displays Passive if the UAG only use this connection when all of the connections set to active are down Only one of a group s interfaces can be set to passive mode Weight This field displays with the weighted round robin load balancing algorithm Specify the weight 1 10 for the interface The weights of ...

Page 166: ...licy route to communicate with a separate network behind another router R3 connected to the LAN Figure 103 Example of Policy Routing Topology 12 1 1 What You Can Do in this Chapter Use the Policy Route screens see Section 12 2 on page 168 to list and configure policy routes Use the Static Route screens see Section 12 3 on page 173 to list and configure static routes 12 1 2 What You Need to Know Po...

Page 167: ...sus Static Routes Policy routes are more flexible than static routes You can select more criteria for the traffic to match and can also use schedules and NAT Policy routes are only used within the UAG itself Policy routes take priority over static routes If you need to use a routing policy on the UAG and propagate it to other routers you could configure a policy route and an equivalent static rout...

Page 168: ...fferent kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies Finding Out More See Section 12 4 on page 175 for more background information on policy routing 12 2 Policy Route Screen Click Configuration Network Routing to open the Policy Route screen Use this screen to see the configured policy routes A policy route defines the matching criter...

Page 169: ...f their numbering This is the number of an individual policy route Status This icon is lit when the entry is active red when the next hop s connection is down and dimmed when the entry is inactive User This is the name of the user group object from which the packets are sent any means all users Schedule This is the name of the schedule object none means the route is active at all times if enabled ...

Page 170: ...route s outgoing packets preserve means the UAG does not modify the DSCP value of the route s outgoing packets default means the UAG sets the DSCP value of the route s outgoing packets to 0 The af choices stand for Assured Forwarding The number following the af identifies one of four classes and one of three drop preferences See Assured Forwarding AF PHB for DiffServ on page 175 for more details S...

Page 171: ... or lesser number of configuration fields Create new Object Use this to configure any new settings objects that you need to use in this screen Configuration Enable Select this to activate the policy Description Enter a descriptive name of up to 31 printable ASCII characters for the policy Criteria User Select a user name or user group from which the packets are sent Incoming Select where the packe...

Page 172: ...xt hop and forward the matched packets automatically Select Gateway to route the matched packets to the next hop router or switch you specified in the Gateway field You have to set up the next hop router or switch as a HOST address object first Select VPN Tunnel to route the matched packets via the specified VPN tunnel Select Trunk to route the matched packets through the interfaces in the trunk g...

Page 173: ...ts to 0 User Defined DSCP Marking Use this field to specify a custom DSCP value Address Translation Use this section to configure NAT for the policy route This section does not apply to policy routes that use a VPN tunnel as the next hop Source Network Address Translation Select none to not use NAT for the route Select outgoing interface to use the IP address of the outgoing interface as the sourc...

Page 174: ...e IP address of the next hop gateway or the interface through which the traffic is routed The gateway is a router or switch on the same segment as your UAG s interface s The gateway helps forward packets to their destinations Metric This is the route s priority among the UAG s routes The smaller the number the higher priority the route has Table 76 Configuration Network Routing Static Route Add Ed...

Page 175: ... occurs between classes the traffic in the higher class smaller numbered class is generally given priority Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43 The decimal equivalent is listed in brackets Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum...

Page 176: ...interface PPPoE PPTP interface and VPN tunnel can be assigned to at most one zone Virtual interfaces are automatically assigned to the same zone as the interface on which they run Figure 108 Example Zones 13 1 1 What You Can Do in this Chapter Use the Zone screens see Section 13 2 on page 177 to manage the UAG s zones 13 1 2 What You Need to Know Effects of Zones on Different Types of Traffic Zone...

Page 177: ... traffic between VLAN 1 and the Internet is inter zone traffic This is the normal case when zone based security and policy settings apply Extra zone Traffic Extra zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone For example in Figure 108 on page 176 traffic to or from computer C is extra zone traffic Some zone based security and policy settings may appl...

Page 178: ... You can create your own User Configuration zones Add Click this to create a new user configured zone Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove a user configured trunk select it and click Remove The UAG confirms you want to remove it before doing so Object References Select an entry and click Object References...

Page 179: ...ot be a number This value is case sensitive Member List Available lists the interfaces and VPN tunnels that do not belong to any zone Select the interfaces and VPN tunnels that you want to add to the zone you are editing and click the right arrow button to add them Member lists the interfaces and VPN tunnels that belong to the zone Select any interfaces that you want to remove from the zone and cl...

Page 180: ...ent IP address Note You must have a public WAN IP address to use Dynamic DNS You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the UAG When registration is complete the DNS service provider gives you a password or key At the time of writing the UAG supports the following DNS service providers See the listed websites for details...

Page 181: ...s inactive Profile Name This field displays the descriptive profile name for this entry DDNS Type This field displays which DDNS service you are using Domain Name This field displays each domain name the UAG can route Primary Interface IP This field displays the interface to use for updating the IP address mapped to the domain name followed by how the UAG determines the IP address for the domain n...

Page 182: ...work DDNS Add The following table describes the labels in this screen Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 81 Configuration Network DDNS continued LABEL DESCRIPTION Table 82 Configuration Network DDNS Add Edit LABEL DESCRIPTION Show Advanced Settings Hide Advanced Settings Click this button to display ...

Page 183: ...the interface to use for updating the IP address mapped to the domain name Select any to let the domain name be used with any interface IP Address The options available in this field vary by DDNS provider Interface The UAG uses the IP address of the specified interface This option appears when you select a specific interface in the Primary Binding Address Interface field Auto If the interface has ...

Page 184: ...ias subdomains to be aliased to the same IP address as your dynamic domain name This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname Mail Exchanger This option is only available with a DynDNS account DynDNS can route e mail for your domain name to a mail server called a mail exchanger For example DynDNS routes e mail for john doe yo...

Page 185: ... you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 172 16 0 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 113 Multiple Servers Behind NAT Example 15 1 1 What You Can Do i...

Page 186: ...equential value and it is not associated with a specific entry Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the name of the entry Mapping Type This field displays what kind of NAT this entry performs Virtual Server 1 1 NAT or Many 1 1 NAT Interface This field displays the interface on which packets for the NAT entry are received Or...

Page 187: ...ing screen Figure 115 Configuration Network NAT Add The following table describes the labels in this screen Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 83 Configuration Network NAT continued LABEL DESCRIPTION Table 84 Configuration Network NAT Add Edit LABEL DESCRIPTION Create new Object Use to configure any ...

Page 188: ...erface any Select this to use all of the incoming interface s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface User Defined Select this to manually enter an IP address in the User Defined Original IP field For example you could enter a static public IP assigned by the ISP without having to create a virtual interface for it Host ...

Page 189: ...e is Ports Enter the beginning of the range of translated destination ports if this NAT rule forwards the packet Mapped End Port This field is available if Port Mapping Type is Ports Enter the end of the range of translated destination ports if this NAT rule forwards the packet The original port range and the mapped port range must be the same size Enable NAT Loopback Enable NAT loopback to allow ...

Page 190: ...e a LAN user s computer at IP address 172 16 0 89 queries a public DNS server to resolve the SMTP server s domain name xxx LAN SMTP com in this example and gets the SMTP server s mapped public IP address of 1 1 1 1 Figure 116 LAN Computer Queries a Public DNS Server The LAN user s computer then sends traffic to IP address 1 1 1 1 NAT loopback uses the IP address of the UAG s lan1 interface 172 16 ...

Page 191: ...he original destination address 1 1 1 1 If the SMTP server replied directly to the LAN user without the traffic going through NAT the source would not match the original destination address which would cause the LAN user s computer to shut down the session Figure 118 LAN to LAN Return Traffic 172 16 0 21 LAN 172 16 0 89 Source 172 16 0 89 SMTP NAT Source 172 16 0 1 SMTP 172 16 0 21 LAN 172 16 0 89...

Page 192: ... UAG and both want to use a unique WAN IP address to access a public server through the UAG s WAN1 interface After the user is authenticated by the UAG and meets the criteria in a VPN 1 1 mapping rule the UAG applies the rule settings and assigns a public IP address to the user Outgoing traffic from user A will then be sent through the WAN1 interface using the mapped public IP address 10 10 1 35 O...

Page 193: ...traffic between lan1 lan2 or dmz and wan1 a from LAN1 LAN2 DMZ to WAN1 firewall rule default to allow any traffic from the user A B from lan1 lan2 or dmz to wan1 Responses to this request are allowed automatically a VPN 1 1 mapping rule to forward any traffic from the user A B through the wan1 interface using a unique public IP address 16 2 The VPN 1 1 Mapping General Screen The VPN 1 1 Mapping su...

Page 194: ...e The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The...

Page 195: ... Object Click this button to create any new user group objects that you need to use in this screen Enable Policy Use this option to turn the VPN 1 1 mapping rule on or off User Group Use the drop down list box to select the individual or group for which you want to use this rule Select any to have the mapping rule apply to all of the traffic that the UAG receives from any user Pool Profile The Sel...

Page 196: ...uential value and it is not associated with a specific entry Name This field displays a descriptive name for the profile Enter a descriptive name to identify the profile Address This field displays the name of the IP address object the profile is set to use Select an address object that presents the IP address es which can be assigned to the matched users by the UAG Note You cannot select an addre...

Page 197: ...he a policy route allows it to access the Internet to get them from a server Proxy server A then forwards the response to the client Figure 123 HTTP Redirect Example 17 1 1 What You Can Do in this Chapter Use the HTTP Redirect screens see Section 17 2 on page 198 to display and edit the HTTP redirect rules 17 1 2 What You Need to Know Web Proxy Server A proxy server helps client devices make indir...

Page 198: ...ests from the client to the proxy server You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet To make the example in Figure 123 on page 197 work make sure you have the following settings For HTTP traffic between lan1 and lan2 a from LAN1 to LAN2 firewall rule to allow HTTP requests from lan1 to lan2 Responses to this request are allow...

Page 199: ...where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific entry Status This icon is lit when the entry is active ...

Page 200: ...may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Interface Select the interface on which the HTTP request must be received for the UAG to forward it to the specified proxy server Proxy Server Enter the IP address of the proxy server Port Enter the port number that the proxy server uses OK Click OK to save your chan...

Page 201: ...ere the message will be delivered to the recipient The UAG forwards SMTP traffic using TCP port 25 Figure 126 SMTP Redirect Example 18 1 1 What You Can Do in this Chapter Use the SMTP Redirect screens see Section 18 2 on page 202 to display and edit the SMTP redirect rules 18 1 2 What You Need to Know SMTP Simple Mail Transfer Protocol SMTP is the Internet s message transport standard It controls ...

Page 202: ...r You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet To make the example in Figure 126 on page 201 work make sure you have the following settings For SMTP traffic between lan1 and lan2 a from LAN1 to LAN2 firewall rule to allow SMTP messages from lan1 to lan2 Responses to this request are allowed automatically a SMTP redirect rule to...

Page 203: ...ect it and click Inactivate Move To change a rule s position in the numbered list select the rule and click Move to display a field to type a number for where you want to put that rule and press ENTER to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This field is a sequential value and it is not associated with a ...

Page 204: ...ny to have the SMTP redirect rule apply to all of the SMTP messages that the UAG receives from any user Incoming Interface Select the interface on which the SMTP traffic must be received for the UAG to forward it to the specified SMTP server Source Address Select the source address or address group for whom this rule applies Use Create new Object if you need to configure a new one Select any if th...

Page 205: ...The ALG on the UAG supports all of the UAG s NAT mapping types FTP ALG The FTP ALG allows TCP packets with a specified port destination to pass through If the FTP server is located on the LAN you must also configure NAT port forwarding and firewall rules if you want to allow access to the server from the WAN ALG and Trunks If you send your ALG managed traffic through an interface trunk and all of ...

Page 206: ...Program traffic and help build FTP sessions through the UAG s NAT Enable FTP Transformations Select this option to have the UAG modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT environment Clear this option if you have an FTP device or server that will modify IP addresses and port numbers embedded in the FTP data payload to match the UAG s NAT environmen...

Page 207: ...ainly designed for small home networks It allows a client behind a NAT router to retrieve the router s public IP address and port number and make them known to the peer device with which it wants to communicate The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it 20 2 What You Need to Know UPnP hardware is identified as an icon in the Netwo...

Page 208: ...n some network environments When a UPnP device joins a network it announces its presence with a multicast message For security reasons the UAG allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention 20 3 UPnP Screen Use this screen to enable UPnP and NAT PMP on your UAG Cli...

Page 209: ...tor s login screen without entering the UAG s IP address although you must still enter the password to access the web configurator Allow UPnP or NAT PMP to pass through Firewall Select this check box to allow traffic from UPnP enabled or NAT PMP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP or NAT PMP application packets for example MSN packet...

Page 210: ... Connection Properties window click Settings to see the port mappings there were automatically created Figure 132 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 133 Internet Connection Properties Advanced Settings ...

Page 211: ...plays in the system tray Figure 135 System Tray Icon 6 Double click on the icon to display your current Internet connection status Figure 136 Internet Connection Status 20 4 2 Web Configurator Easy Access With UPnP you can access the web based configurator on the UAG without finding out the IP address of the UAG first This comes helpful if you do not know the IP address of the UAG Follow the steps...

Page 212: ...cription for each UPnP enabled device displays under Local Network 5 Right click on the icon for your UAG and select Invoke The web configurator login screen displays Figure 138 Network Connections My Network Places 6 Right click on the icon for your UAG and select Properties A properties window displays with basic information about the UAG ...

Page 213: ...Chapter 20 UPnP UAG5100 User s Guide 213 Figure 139 Network Connections My Network Places Properties Example ...

Page 214: ...72 16 1 27 and use static DHCP to assign it to Bob s computer s MAC address of 12 34 56 78 90 AB IP MAC binding drops traffic from any computer trying to use IP address 172 16 1 27 with another MAC address Figure 140 IP MAC Binding Example 21 1 1 What You Can Do in this Chapter Use the Summary and Edit screens Section 21 2 on page 215 to bind IP addresses to MAC addresses Use the Exempt List scree...

Page 215: ...owing table describes the labels in this screen Table 94 Configuration Network IP MAC Binding Summary LABEL DESCRIPTION Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is no...

Page 216: ...IP address on another device connected to this interface Use this to make use only the intended users get to use specific IP addresses Enable Logs for IP MAC Binding Violation Select this option to have the UAG generate a log if a device connected to this interface attempts to use an IP address not assigned by the UAG Static DHCP Bindings This table lists the bound IP and MAC addresses The UAG che...

Page 217: ...which the UAG assigns the entry s IP address Description This helps identify the entry OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without saving Table 95 Configuration Network IP MAC Binding Summary Edit continued LABEL DESCRIPTION Table 96 Configuration Network IP MAC Binding Summary Edit Add Edit LABEL DESCRIPTION Interface Name This field displays t...

Page 218: ...try Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so This is the index number of the IP MAC binding list entry Name Enter a name to help identify this entry Start IP Enter the first IP address in a range of IP addresses for which the UAG does n...

Page 219: ... enabled on the UAG s interface lan2 A printer PC and AP are connected to lan2 The IP address of the network printer C is added to the white list The connected AP then cannot communicate with the PC D but can access the network printer C server B wireless client A and the Internet Figure 145 Layer 2 Isolation Application 22 1 1 What You Can Do in this Chapter Use the General screen Section 22 2 on...

Page 220: ... Network Layer 2 Isolation White List Table 98 Configuration Network Layer 2 Isolation LABEL DESCRIPTION Enable Layer2 Isolation Select this option to turn on the layer 2 isolation feature on the UAG Note You can enable this feature only when the firewall is enabled Member List The Available list displays the name s of the internal interface s on which you can enable layer 2 isolation To enable la...

Page 221: ...st Select this option to turn on the white list on the UAG Note You can enable this feature only when the firewall is enabled Add Click this to add a new rule Edit Click this to edit the selected rule Remove Click this to remove the selected rule Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value...

Page 222: ...yer 2 Isolation White List Add Edit LABEL DESCRIPTION Enable Select this option to turn on the rule Host IP Address Enter an IPv4 address associated with this rule Description Specify a description for the IP address associated with this rule Enter up to 60 characters spaces and underscores allowed OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without sav...

Page 223: ...eature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the UAG s IP address Note You must enable NAT to use the IPnP feature The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house where a UAG is installed you can still use the computer ...

Page 224: ...eature on the UAG Note You can enable this feature only when the firewall is enabled Member List The Available list displays the name s of the internal interface s on which you can enable IPnP To enable IPnP on an interface you can double click a single entry to move it or use the Shift or Ctrl key to select multiple entries and click the right arrow button to add to the Member list To remove an i...

Page 225: ...s his her browser to a web portal page that prompts he she to log in Figure 151 Web Authentication Example The web authentication page only appears once per authentication session Unless a user session times out or he she closes the connection he or she generally will not see it again during the same session 24 1 1 What You Can Do in this Chapter Use the Configuration Web Authentication screens Se...

Page 226: ...display the Login screen when users attempt to send other kinds of traffic The UAG does not automatically route the request that prompted the login however so users have to make this request again Finding Out More See Section 24 2 2 on page 233 for an example of using an authentication policy for user aware access control 24 2 Web Authentication Screen The Web Authentication screen displays the we...

Page 227: ...Chapter 24 Web Authentication UAG5100 User s Guide 227 Figure 152 Configuration Web Authentication Web Portal ...

Page 228: ...Chapter 24 Web Authentication UAG5100 User s Guide 228 Figure 153 Configuration Web Authentication User Agreement ...

Page 229: ...rected to the welcome page after authentication This field is optional The Internet Information Server IIS is the web server on which the web portal files are installed Preview Click a button to display the Terms of Service page you uploaded to the UAG File Name This shows the file name of the Terms of Service page in the UAG Click Download to download the Terms of Service page from the UAG to you...

Page 230: ...he UAG Preview Click a button to display the corresponding page you uploaded to the UAG File Name This shows the file name of the zipped user agreement file in the UAG Click Download to download the user agreement file from the UAG to your computer File Path Browse Upload Browse for the user agreement file or enter the file path in the available input box then click the Upload button to put it on ...

Page 231: ...remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Move To move an entry to a different number in the list click the Move icon In the field that appears specify the number to which you want to move the interface Status This icon is ...

Page 232: ...rs when their traffic matches this policy unnecessary Users do not need to be authenticated required Users need to be authenticated They must manually go to the login screen The UAG will not redirect them to the login screen force Users need to be authenticated The UAG automatically displays the login screen whenever it routes HTTP traffic for users who have not logged in yet Description If the en...

Page 233: ...t an interface on which packets for the policy must be received Select any if the policy is effective for every interface Source Address Select a source address or address group for whom this policy applies Select any if the policy is effective for every source This is any and not configurable for the default policy Destination Address Select a destination address or address group for whom this po...

Page 234: ... Configuration Object User Group User Add 3 Repeat this process to set up the remaining user accounts 24 2 2 2 Set Up User Groups Set up the user groups and assign the users to the user groups 1 Click Configuration Object User Group Group Click the Add icon 2 Enter the name of the group In this example it is Finance Then select Object Leo and click the right arrow to move him to the Member list Th...

Page 235: ...r authentication using the RADIUS server First configure the settings for the RADIUS server Then set up the authentication method and configure the UAG to use the authentication method Finally force users to log into the UAG before it routes traffic for them 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Configure the RADIUS server s address authentication port 1812 i...

Page 236: ...Method Double click the default entry Click the Add icon Select group radius because the UAG should use the specified RADIUS server for authentication Click OK Figure 159 Configuration Object Auth method Edit 3 Click Configuration Web Authentication In the Web Authentication screen select Web Portal to enable web authentication and click Apply ...

Page 237: ... 5 Set up a default policy that forces every user to log into the UAG before the UAG routes traffic for them Select Enable Policy Set the Authentication field to required and make sure Force User Authentication is selected Keep the rest of the default settings and click OK Note The users must log in at the Web Configurator login screen before they can use HTTP or MSN ...

Page 238: ...s distinguished by the value of a specific attribute you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server 1 Click Configuration Object AAA Server RADIUS Double click the radius entry Besides configuring the RADIUS server s address authentication port and key set the Group Membership Attribute field ...

Page 239: ...r account for each group of user accounts in the RADIUS server Click Configuration Object User Group User Click the Add icon Enter a user name and set the User Type to ext group user In the Group Identifier field enter Finance Engineer Sales or Boss and set the Associated AAA Server Object to radius Figure 163 Configuration Object User Group User Add 3 Repeat this process to set up the remaining g...

Page 240: ...e Walled Garden Select this to turn on the walled garden feature Note This feature works only when you set web authentication to Web Portal Walled Garden Summary Use this table to manage the list of walled garden links Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a sc...

Page 241: ...to return the screen to its last saved settings Table 104 Configuration Web Authentication Walled Garden continued LABEL DESCRIPTION Table 105 Configuration Web Authentication Walled Garden Add Edit LABEL DESCRIPTION Enable Select this to activate the entry Hide in login page Select this to not display the web site link in the user login screen This is helpful if a user s access to a specific web ...

Page 242: ...rden links The links are named WalledGardenLink1 through 2 for demonstration purposes Figure 166 Walled Garden Login Example 24 4 Advertisement Screen Use this screen to set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet Click Configuration Web Authentication Advertisement to display the screen ...

Page 243: ...is to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn...

Page 244: ...ntication Advertisement Add Edit LABEL DESCRIPTION Enable Select this to activate the entry Name Enter a descriptive name for the advertisement web site You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character must be a letter URL Enter the URL or IP address of the web site Use http followed by up to 262 characters 0 9a zA Z _ For exampl...

Page 245: ...apter Use the Firewall screens Section 25 2 on page 247 to enable or disable the firewall and asymmetrical routes and manage and configure firewall rules Use the Session Control screens see Section 25 3 on page 252 to limit the number of concurrent NAT firewall sessions a client can use 25 1 2 What You Need to Know Stateful Inspection The UAG has a stateful inspection firewall The UAG restricts ac...

Page 246: ...es are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface Table 108 Default Firewall Behavior FROM ZONE TO ZONE BEHAVIOR From any to Device DHCP traffic from any interface to the UAG is allowed From LAN1 to any other than the UAG Tr...

Page 247: ... between the VPN zone and other zones or From VPN To Device rules for VPN traffic destined for the UAG Session Limits Accessing the UAG or network resources through the UAG requires a NAT session and corresponding firewall session Peer to peer applications such as file sharing applications may use a large number of NAT sessions A single client could use all of the available NAT sessions and preven...

Page 248: ...he Firewall screen Use this screen to enable or disable the firewall and asymmetrical routes set a maximum number of sessions per host and display the configured firewall rules Specify from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction Note the following Besides configuring the firewall you also need to configure NAT rules to ...

Page 249: ... the LAN has an IP address in the same subnet as the UAG s LAN IP address return traffic may not go through the UAG This is called an asymmetrical or triangle route This causes the UAG to reset the connection as the connection has not been acknowledged Select this check box to have the UAG permit the use of asymmetrical route topology on the network not reset the connection Note Allowing asymmetri...

Page 250: ...les is important as they are applied in order of their numbering The following read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction Status This icon is lit when the entry is active and dimmed when the entry is inactive Priority This is the position of your firewall rule in the global rule list including all through UAG and to UAG ru...

Page 251: ...he UAG itself Description Enter a descriptive name of up to 60 printable ASCII characters for the firewall rule Spaces are allowed Schedule Select a schedule that defines when the rule applies Otherwise select none and the rule is always effective User This field is not available when you are configuring a to UAG rule Select a user name or user group to which to apply the rule The firewall rule is...

Page 252: ...ce Select a service or service group from the drop down list box Access Use the drop down list box to select what the firewall is to do with packets that match this rule Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select reject to deny the packets and send a TCP reset packet to the sender Any UDP packets ar...

Page 253: ...vailable NAT sessions Create rules below to apply other limits for specific users or addresses Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you wan...

Page 254: ...ntify this rule Use up to 60 printable ASCII characters Spaces are allowed User Select a user name or user group to which to apply the rule The rule is activated only when the specified user logs into the system and the rule will be disabled when the user logs out Otherwise select any and there is no need for user logging Note If you specified an IP address or address group instead of any in the f...

Page 255: ...wall Example Create an Address Object 3 Click Create new Object Service to configure a service object for Doom UDP port 666 Configure it as follows and click OK Figure 177 Firewall Example Create a Service Object 4 Select From WAN and To LAN and enter a name for the firewall rule Select Dest_1 for the Destination and Doom as the Service Enter a description and configure the rest of the screen as f...

Page 256: ...l Rule Example Applications Suppose you decide to block LAN users from using IRC Internet Relay Chat through the Internet To do this you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address You do not need to specify a schedule since you need the firewall rule to always be in effect The following figure shows the result...

Page 257: ...t allows IRC traffic from the IP address of the CEO s computer You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into the UAG with his her user name In order to make sure that the CEO s computer always uses the same IP address make sure it either Has a static IP address or You configure a static DHCP entry for it so the UAG always assigns...

Page 258: ...ss the IRC service on the WAN by logging into the UAG with the CEO s user name The second row blocks LAN1 access to the IRC service on the WAN The third row is the firewall s default policy of allowing all traffic from the LAN1 to go to the WAN The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic If the rule that blocks all LAN1 to WAN IRC traffic came first the C...

Page 259: ... 5 on page 270 to enable online payment service and configure the service pages 26 1 2 What You Need to Know Accumulation Accounting Method The accumulation accounting method allows multiple re logins until the allocated time period or until the user account is expired The UAG accounts the time that the user is logged in for Internet access Time to finish Accounting Method The time to finish accou...

Page 260: ...k Configuration Billing General to open the following screen Figure 182 Configuration Billing General The following table describes the labels in this screen Table 116 Configuration Billing General LABEL DESCRIPTION General Settings Unused account will be deleted after the time Enter the number and select a time unit from the drop down list box to specify how long to wait before the UAG deletes an...

Page 261: ...Logon Settings Maximum number per billing account Enter the maximum number of the users that are allowed to log in with the same account Reach maximum number per billing account Select Block to stop new users from logging in when the Maximum number per billing account is reached Select Kick previous user and login to disassociate the first user that logged in and allow new user to log in when the ...

Page 262: ...lick this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequentia...

Page 263: ...t manager account Figure 184 Account Generator The following table describes the labels in this screen Table 118 Account Generator LABEL DESCRIPTION Account Generator Settings Button Each button represents a billing profile that defines maximum Internet access time and charge per time unit Selection Select a button for new account Service Name This field displays the descriptive name of the billin...

Page 264: ... UAG charges users at this level Price This field displays the price per time unit for each level Default Thermal Printer This displays the information of the printer that is attached to the UAG It displays n a if there is no printer attached Summary Tax This shows the tax rate Total This shows the total price for the account Quantity This shows the number of account to be created Generate Click G...

Page 265: ... 26 Billing UAG5100 User s Guide 265 mobile phone number and click Send SMS to send the account information in an SMS text message to the user s mobile phone Close this window when you are finished viewing it ...

Page 266: ... a printout preview example Close this window when you are finished viewing it 26 3 2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts Click the Account Redeem tab in the Account Generator screen to open this screen ...

Page 267: ...er an account expires or not Username This field displays the user name of the account Create Time This field displays when the account was created Remaining Time This field displays the amount of Internet access time remaining for each account Time Period This field displays the total account of time the account can use to access the Internet through the UAG Expiration Time This field displays th...

Page 268: ... logging in with the guest manager account Table 119 Account Redeem continued LABEL DESCRIPTION Table 120 Configuration Billing Billing Profile Add Edit LABEL DESCRIPTION Enable billing profile Select this option to activate the profile Name Enter a name for the billing profile You can use up to 31 alphanumeric characters A Z a z 0 9 and underscores _ Spaces are not allowed The first character mus...

Page 269: ...iguration Billing Discount LABEL DESCRIPTION Discount Settings Enable Discount Select the check box to activate the discount price plan Button Select Select a button from the drop down list box to assign the base charge Charge by levels Select this to charge the rate at each successive level from the first level most expensive per unit to the highest level least expensive per unit that the total p...

Page 270: ...ed It is created automatically according to the billing profile of the button you select Name This field displays the conditions of each discount level Unit This field displays the duration of the billing period that should be reached before the UAG charges users at this level Price This field displays the price per time unit for each level Apply Click this button to save your changes to the UAG R...

Page 271: ...service on the UAG a link displays in the login screen when users try to access the Internet The link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information Payment Provider Selection Account You should already have a PayPal account to receive credit card payments Enter your PayPal account name Currency Selec...

Page 272: ... s online payment is done Select On Screen to display the user account information in the web screen Select SMS to use Short Message Service SMS to send account information in a text message to the user s mobile device Select On Screen and SMS to provide the account information both in the web screen and via SMS text messages Note You should have enabled SMS in the Configuration SMS screen to send...

Page 273: ...Chapter 26 Billing UAG5100 User s Guide 273 Figure 190 Configuration Billing Payment Service Custom Service ...

Page 274: ...the user s online payment is made successfully Use up to 1024 printable ASCII characters Spaces are allowed Notification Message Enter the important information you want to display Use up to 1024 printable ASCII characters Spaces are allowed Notification Color Specify the font color of the important information You can use the color palette chooser or enter a color value of your own Account Messag...

Page 275: ...ng paper in the printer Refer to the printer s documentation for details 27 1 1 What You Can Do in this Chapter Use the General screen see Section 27 2 on page 275 to configure the printer list and enable printer management Use the Printout Configuration screen see Section 27 3 on page 277 to customize the account printout 27 2 The General Screen Use this screen to configure a printer list and all...

Page 276: ...ta to the printer for it to print Encryption Select the check box to turn on data encryption Data transmitted between the UAG and the printer will be encrypted with a secret key Secret Key Enter four alphanumeric characters A Z a z 0 9 to specify a key for data encryption Printout Number of Copies Select how many copies of subscriber statements you want to print 1 is the default Printer List Use t...

Page 277: ...field is a sequential value and it is not associated with any entry Status This icon is lit when the entry is active and dimmed when the entry is inactive IPv4 Address This field displays the IP address of the printer Description This field displays the descriptive name for the printer Printer Firmware Information Current Version This is the version of the printer firmware currently uploaded to th...

Page 278: ...format as it is saved indefinitely Use Customized Printout Configuration Select this to use a custom account printout format instead of the default one built into the UAG Once this option is selected the custom format controls below become active Preview Click the button to display a preview of account printout format you uploaded to the UAG File Name This shows the file name of account printout f...

Page 279: ...nt Example 27 3 4 Monthly Account Summary The monthly account report lists the accounts printed during the current month the current month s total number of accounts and the total charge It covers the accounts that have been printed during the current month starting from midnight of the first day of the current month not the past one month period For example if you press the monthly account key co...

Page 280: ...5 01 00 00 00 to 2013 05 31 19 59 59 the monthly account report includes the latest 2000 accounts so the total would be 2 000 instead of 2 030 Use the Monitor System Status Dynamic Guest screen to see the accounts generated on another day or month up to 2000 entries total 27 3 6 System Status This report shows the current system information such as the host name and WAN IP address Key combination ...

Page 281: ...LAN FWVR This field displays the version of the firmware on the UAG BTVR This field displays the version of the bootrom WAMA This field displays the MAC address of the UAG on the WAN LAMA This field displays the MAC address of the UAG on the LAN WAIP This field displays the IP address of the WAN port on the UAG LAIP This field displays the IP address of the LAN port on the UAG WLIP This field disp...

Page 282: ...f time 28 1 1 What You Can Do in this Chapter Use the Free Time screen see Section 28 2 on page 282 to turn on this feature to allow users to get a free account for Internet surfing during the specified time period 28 2 The Free Time Screen Use this screen to enable and configure the free time settings Click Configuration Free Time to open the following screen Figure 196 Configuration Free Time ...

Page 283: ...re Reset Time Enter the maximum number of the users that are allowed to log in for Internet access with a free guest account before the time specified in the Reset Time field For example if you set the Maximum Registration Number Before Reset Time to 1 and the Reset Time to 13 00 even the first free guest account has expired at 11 30 the second account still cannot access the Internet until 13 00 ...

Page 284: ...e and free time feature on the UAG the link description in the login screen will be mainly for online payment service You can still click the link to get a free account If SMS is enabled on the UAG you have to enter your mobile phone number before clicking OK to get a free guest account ...

Page 285: ...Chapter 28 Free Time UAG5100 User s Guide 285 The guest account information then displays in the screen and or is sent to the configured mobile phone number EXAMPLE ...

Page 286: ...rvice 29 1 1 What You Can Do in this Chapter Use the SMS screen see Section 29 2 on page 286 to turn on the SMS service on the UAG 29 2 The SMS Screen Use this screen to enable SMS in order to send dynamic guest account information in text messages Click Configuration SMS to open the following screen Figure 197 Configuration SMS The following table describes the labels in this screen Table 130 Con...

Page 287: ...ViaNett Configuration User Name Enter the user name for your ViaNett account Password Type the Password associated with the user name Retype to Confirm Type your password again for confirmation Apply Click this button to save your changes to the UAG Reset Click this button to return the screen to its last saved settings Table 130 Configuration SMS continued LABEL DESCRIPTION ...

Page 288: ...rovide confidentiality data integrity and authentication at the IP layer The UAG can also combine multiple IPSec VPN connections into one secure network Here local UAG X uses an IPSec VPN tunnel to remote peer UAG Y to connect the local A and remote B networks Figure 198 IPSec VPN Example 30 1 1 What You Can Do in this Chapter Use the VPN Connection screens see Section 30 2 on page 290 to specify ...

Page 289: ...the IPSec SA The IPSec SA is secure because routers X and Y established the IKE SA first Finding Out More See Section 30 4 on page 303 for IPSec VPN background information See the help in the IPSec VPN quick setup wizard screens 30 1 3 Before You Begin This section briefly explains the relationship between VPN tunnels and other features It also gives some basic suggestions for troubleshooting You ...

Page 290: ...CRIPTION Use Policy Route to control dynamic IPSec rules Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules You must manually create these policy routes The UAG automatically obtains source and destination addresses for dynamic IPSec rules that do not match any of the policy routes Clear this to have the UAG automatically obtain source ...

Page 291: ... an example This field is a sequential value and it is not associated with a specific connection Status The activate light bulb icon is lit when the entry is active and dimmed when the entry is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Name This field displays the name of the IPSec SA VPN Gateway This field displays the associated VPN gatew...

Page 292: ...Chapter 30 IPSec VPN UAG5100 User s Guide 292 Figure 201 Configuration VPN IPSec VPN VPN Connection Add Edit ...

Page 293: ...stment Select Custom Size to set a specific number of bytes for the Maximum Segment Size MSS meaning the largest amount of data in a single TCP segment or IP datagram for this VPN connection Select Auto to have the UAG automatically set the MSS for this VPN connection VPN Gateway Application Scenario This field is read only and shows the scenario that the UAG supports Site to site The remote IPSec...

Page 294: ...his to be able to modify it Remove Select an entry and click this to delete it This field is a sequential value and it is not associated with a specific proposal The sequence of proposals should not affect performance significantly Encryption This field is applicable when the Active Protocol is ESP Select which key size and encryption algorithm to use in the IPSec SA Choices are NULL no encryption...

Page 295: ...accept the TCP connection Check Port This field displays when you set the Check Method to tcp Specify the port number to use for a TCP connectivity check Check Period Enter the number of seconds between connection check attempts Check Timeout Enter the number of seconds to wait for a response before the attempt is a failure Check Fail Tolerance Enter the number of consecutive failures allowed befo...

Page 296: ...ample the mail server in the local network Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Select an entry and click this to be able to modify it Remove Select an entry and click this to delete it Move To change an entry s position in the numbered list select it and click Move to display a field to type a number for where you w...

Page 297: ...ck this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate Object Reference Select an ...

Page 298: ...Chapter 30 IPSec VPN UAG5100 User s Guide 298 Figure 203 Configuration VPN IPSec VPN VPN Gateway Add Edit ...

Page 299: ... Static Address to enter the domain name or the IP address of the remote IPSec router You can provide a second IP address or domain name for the UAG to try if it cannot establish an IKE SA with the first one Fall back to Primary Peer Gateway when possible When you select this if the connection to the primary address goes down and the UAG changes to using the secondary connection the UAG will recon...

Page 300: ...ends on the Local ID Type IP type an IP address if you type 0 0 0 0 the UAG uses the IP address specified in the My Address field This is not recommended in the following situations There is a NAT router between the UAG and remote IPSec router You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses In these sit...

Page 301: ...nded in the following situations There is a NAT router between the UAG and remote IPSec router You want the remote IPSec router to be able to distinguish between IPSec SA requests that come from IPSec routers with dynamic WAN IP addresses In these situations use a different IP address or use a different Peer ID Type Phase 1 Settings SA Life Time Seconds Type the maximum number of seconds the IKE S...

Page 302: ...t also enable NAT traversal and the NAT routers have to forward packets with UDP port 500 and UDP 4500 headers unchanged Dead Peer Detection DPD Select this check box if you want the UAG to make sure the remote IPSec router is there before it transmits data through the IKE SA The remote IPSec router must support DPD If there has been no traffic for at least 15 seconds the UAG sends a message to th...

Page 303: ...router as 0 0 0 0 This means that the remote IPSec router can have any IP address In this case only the remote IPSec router can initiate an IKE SA because the UAG does not know the IP address of the remote IPSec router This is often used for telecommuters IKE SA Proposal The IKE SA proposal is used to identify the encryption algorithm authentication algorithm and Diffie Hellman DH key group that t...

Page 304: ... strength of DES Advanced Encryption Standard AES is a newer method of data encryption that also uses a secret key AES applies a 128 bit key to 128 bit blocks of data It is faster than 3DES Some UAGs also offer stronger forms of AES that apply 192 bit or 256 bit keys to 128 bit blocks of data In most UAGs you can select one of the following authentication algorithms for each proposal The algorithm...

Page 305: ... The identities are also encrypted using the encryption algorithm and encryption key the UAG and remote IPSec router selected in previous steps Figure 206 IKE SA Main Negotiation Mode Steps 5 6 Authentication continued You have to create and distribute a pre shared key The UAG and remote IPSec router use it in the authentication process though it is not actually transmitted or exchanged Note The U...

Page 306: ...se this if your UAG provides another way to check the identity of the remote IPSec router for example extended authentication or if you are troubleshooting a VPN tunnel Additional Topics for IKE SA This section provides more information about IKE SA Negotiation Mode There are two negotiation modes main mode and aggressive mode Main mode provides better security while aggressive mode is faster Main...

Page 307: ...stablish a VPN tunnel Most routers like router A now have an IPSec pass thru feature This feature helps router A recognize VPN packets and route them appropriately If router A has this feature router X and router Y can establish a VPN tunnel as long as the active protocol is ESP See Active Protocol on page 308 for more information about active protocols If router A does not have an IPSec pass thru...

Page 308: ... the signatures on each other s certificates Unlike pre shared keys the signatures do not have to match The local and peer ID type and content come from the certificates Note You must set up the certificates for the UAG and remote IPSec router first IPSec SA Overview Once the UAG and remote IPSec router have established the IKE SA they can securely negotiate an IPSec SA through which to send data ...

Page 309: ...e packet With ESP however the UAG does not include the IP header when it encapsulates the packet so it is not possible to verify the integrity of the source IP address IPSec SA Proposal and Perfect Forward Secrecy An IPSec SA proposal is similar to an IKE SA proposal see IKE SA Proposal on page 303 except that you also have the choice whether or not the UAG and remote IPSec router perform a new DH...

Page 310: ... like the mail server in the local network Each kind of translation is explained below The following example is used to help explain each one Figure 209 VPN Example NAT for Inbound and Outbound Traffic Source Address in Outbound Packets Outbound Traffic Source NAT This translation lets the UAG route packets from computers that are not part of the specified local network local policy through the IP...

Page 311: ...e 310 you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network A You have to specify one or more rules when you set up this kind of NAT The UAG checks these rules similar to the way it checks rules for a firewall The first part of these rules define the conditions in which the rule apply Original IP the original destinat...

Page 312: ...uter 172 16 1 0 24 Set Up the VPN Gateway that Manages the IKE SA In Configuration VPN IPSec VPN VPN Gateway Add enable the VPN gateway and name it VPN_GW_EXAMPLE here Set My Address to Interface and select a WAN interface Set Peer Gateway Address to Static Address and enter the remote IPSec router s public IP address 2 2 2 2 here as the Primary Set Authentication to Pre Shared Key and enter 12345...

Page 313: ... create an address object for the remote network Set the Address Type to SUBNET the Network field to 172 16 1 0 and the Netmask to 255 255 255 0 2 Enable the VPN connection and name it VPN_CONN_EXAMPLE Set VPN Gateway to Site to site and select the VPN gateway you configured VPN_GW_EXAMPLE Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the remote Click OK ...

Page 314: ...Chapter 30 IPSec VPN UAG5100 User s Guide 314 ...

Page 315: ...manage the bandwidth of TCP and UDP traffic If you want to use a service make sure both the firewall allow the service s packets to go through the UAG Note The UAG checks firewall rules before it checks bandwidth management rules for traffic going through the UAG Bandwidth management examines every TCP and UDP connection passing through the UAG Then you can specify by port whether or not the UAG c...

Page 316: ... the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going Connection and Packet Directions Bandwidth management looks at the connection direction that is from which interface the connection was initiated and to which interface the connection is going A connecti...

Page 317: ... so outbound means the traffic traveling from the LAN1 to the WAN Each of the WAN zone s two interfaces can send the limit of 200 kbps of traffic Inbound traffic is limited to 500 kbs The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1 Figure 212 LAN1 to WAN Outbound 200 kbps Inbound 500 kbps Bandwidth Management Priority The UAG gives bandwidth ...

Page 318: ...policies for FTP servers A and B Each server tries to send 1000 kbps but the WAN is set to a maximum outgoing speed of 1000 kbps You configure policy A for server A s traffic and policy B for server B s traffic Figure 213 Bandwidth Management Behavior Configured Rate Effect In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled ...

Page 319: ...g Out More See DSCP Marking and Per Hop Behavior on page 168 for a description of DSCP marking 31 2 The Bandwidth Management Screen The Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic You can use source interface destination interface destination port schedule user source destination information DSCP code and service type as criteria to create a sequence of sp...

Page 320: ...it when the entry is active and dimmed when the entry is inactive The status icon is not available for the default bandwidth management policy Priority This is the position of your bandwidth management policy in the list The ordering of your rules is important as rules are applied in sequence This field displays default for the default bandwidth management policy that the UAG performs on traffic t...

Page 321: ...ng bandwidth in kilobits per second this policy allows the matching traffic to use Outbound refers to the traffic the UAG sends out from a connection s initiator If no displays here this policy does not apply bandwidth management for the outbound traffic Pri This is the priority for the incoming the first Pri value or outgoing the second Pri value traffic that matches this policy The smaller the n...

Page 322: ...Chapter 31 Bandwidth Management UAG5100 User s Guide 322 Figure 215 Configuration BWM Edit For the Default Policy Figure 216 Configuration BWM Add Edit ...

Page 323: ...destination address or address group for whom this policy applies Use Create new Object if you need to configure a new one Select any if the policy is effective for every destination DSCP Code Select a DSCP code point value of incoming or outgoing packets to which this policy applies or select User Define to specify another DSCP code point The lower the number the higher the priority with the exce...

Page 324: ...e actual transmission speed lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth Priority Enter a number between 1 and 7 to set the priority for traffic that matches this policy The smaller the number the higher the priority Traffic with a higher priority is given bandwidth before traffic with a lower priority The UAG uses a fairness based round robin ...

Page 325: ...ttings and other user settings for the UAG You can also use this screen to specify when users must log in to the UAG before it routes traffic for them 32 1 2 What You Need To Know User Account A user account defines the privileges of a user logged into the UAG User accounts are used in firewall rules in addition to controlling access to configuration and services in the UAG User Types These are th...

Page 326: ...on to User For the rest of the user attributes such as reauthentication time the UAG checks the following places in order 1 User account in the remote server 2 User account Ext User in the UAG 3 Default user account for RADIUS users radius users in the UAG See Setting up User Attributes in an External Server on page 337 for a list of attributes and how to set up the attributes in an external serve...

Page 327: ...u cannot put the default admin account into any user group The sequence of members in a user group is not important User Awareness By default users do not have to log into the UAG to use the network services it provides The UAG automatically routes packets for everyone If you want to restrict network services that certain users can use via the UAG you can require them to log in to the UAG first Th...

Page 328: ...ciated with a specific user User Name This field displays the user name of each user User Type This field displays the kind of account of each user These are the kinds of user account the UAG supports admin this user can look at and change the configuration of the UAG limited admin this user can look at the configuration of the UAG but not to change it dynamic guest this user has access to the UAG...

Page 329: ...ase sensitive If you enter a user bob but use BOB when connecting via CIFS or FTP it will use the account settings used for BOB not bob User names have to be different than user group names Here are the reserved user names To access this screen go to the User screen see Section 32 2 on page 327 and either click the Add icon or select an entry and click the Edit icon Figure 218 Configuration Object...

Page 330: ...unt Specify the value of the RADIUS server s Group Membership Attribute that identifies the group to which this user belongs Associated AAA Server Object This field is available for a ext group user type user account Select the AAA server to use to authenticate this account s users Description Enter the description of each user if any You can use up to 60 printable ASCII characters Default descrip...

Page 331: ...K to save your changes back to the UAG Cancel Click Cancel to exit this screen without saving your changes Table 145 Configuration Object User Group User Add Edit continued LABEL DESCRIPTION Table 146 Configuration Object User Group Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s s...

Page 332: ...ers underscores _ or dashes but the first character cannot be a number This value is case sensitive User group names have to be different than user names Description Enter the description of the user group if any You can use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the users and user groups that have been added to the user group The order o...

Page 333: ...tings These authentication timeout settings are used by default when you create a new user account They also control the settings for any existing user accounts that are set to use the default settings You can still manually configure any user account s authentication timeout settings Edit Double click an entry or select it and click Edit to open a screen where you can modify the entry s settings ...

Page 334: ...ut logging out Miscellaneous Settings Allow renewing lease time automatically Select this check box if access users can renew lease time automatically as well as manually simply by selecting the Updating lease time automatically check box on their screen Enable user idle detection This is applicable for access users Select this check box if you want the UAG to monitor how long each access user is ...

Page 335: ...associate the first user that logged in and allow new user to log in when the Maximum number per access account is reached User Lockout Settings Enable logon retry limit Select this check box to set a limit on the number of times each user can login unsuccessfully for example wrong password before the IP address is locked out for a specified amount of time Maximum retry count This field is effecti...

Page 336: ...en and create dynamic guest accounts using the Account Generator screen that pops up pre subscriber this user has access to the UAG s services but cannot look at the configuration Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out You can specify 1 to 1440 minutes You can enter 0 to make the number of minutes unlimited Ad...

Page 337: ...n Lease time field in the User Add Edit screen see Section 32 2 1 on page 328 Lease time field in the Setting Edit screen see Section 32 4 on page 332 Updating lease time automatically This box appears if you checked the Allow renewing lease time automatically box in the Setting screen See Section 32 4 on page 332 Access users can select this check box to reset the lease time automatically 30 seco...

Page 338: ...lan to create a large number of Ext User accounts you might use CLI commands instead of the Web Configurator to create the accounts Extract the user names from the RADIUS server and create a shell script that creates the user accounts See Chapter 43 on page 450 for more information about shell scripts ...

Page 339: ...SID This profile type defines the properties of a single wireless network signal broadcast by an AP Each radio on a single AP can broadcast up to 8 SSIDs You can have a maximum of 64 SSID profiles on the UAG Security This profile type defines the security settings used by a single SSID It controls the encryption method required for a wireless client to associate itself with the SSID You can have a...

Page 340: ... 802 1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management Authentication is done using an external RADIUS server 33 2 Radio Screen This screen allows you to create radio profiles for the APs on your network A radio profile is a list of settings that a supported managed AP NWA5121 N for example can use to configure either one ...

Page 341: ...us This icon is lit when the entry is active and dimmed when the entry is inactive Profile Name This field indicates the name assigned to the radio profile Frequency Band This field indicates the frequency band which this radio profile is configured to use Channel ID This field indicates the broadcast channel which this radio profile is configured to use Apply Click Apply to save your changes back...

Page 342: ...dit Radio Profile This screen allows you to create a new radio profile or edit an existing one To access this screen click the Add button or select a radio profile from the list and click the Edit button Figure 226 Configuration Object AP Profile Radio Add Edit ...

Page 343: ...t WLAN devices associate with the AP Channel Select the wireless channel which this radio profile should use It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned Some 5 GHz channels include the label indoor use onl...

Page 344: ...CTS equal to or higher than the fragmentation threshold to turn RTS CTS off Beacon Interval When a wirelessly networked device sends a beacon it includes with it a beacon interval This specifies the time period before the device sends the beacon again The interval tells receiving devices on the network how long they can wait in low power mode before waking up to handle the beacon A high value help...

Page 345: ...or Modulation and Coding Scheme This is an 802 11n feature that increases the wireless network performance in terms of throughput Multicast Settings Use this section to set a transmission mode and maximum rate for multicast traffic Transmission Mode Set how the AP handles multicast traffic Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast...

Page 346: ...w which other objects are linked to the selected SSID profile for example radio profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the name assigned to the SSID profile SSID This field indicates the SSID name as it appears to wireless clients Security Profile This field indicates which if any security profile is associated wi...

Page 347: ...Spaces and underscores are allowed SSID Enter the SSID name for this profile This is the name visible on the network to wireless clients Enter up to 32 characters spaces and underscores are allowed Security Profile Select a security profile from this list to associate with this SSID If none exist you can use the Create new Object menu to create one Note It is highly recommended that you create sec...

Page 348: ...ic to the SSID is tagged as best effort meaning the data travels the best route it can without displacing higher priority traffic This is good for activities that do not require the best bandwidth throughput such as surfing the Internet WMM_BACKGROUND All wireless traffic to the SSID is tagged as low priority or background traffic meaning all other access categories take precedence over this one I...

Page 349: ...dd Click this to add a new security profile Edit Click this to edit the selected security profile Remove Click this to remove the selected security profile Object Reference Click this to view which other objects are linked to the selected security profile for example SSID profile This field is a sequential value and it is not associated with a specific profile Profile Name This field indicates the...

Page 350: ...selected Only the default screen is displayed here Figure 230 Configuration Object AP Profile SSID Security List Add Edit The following table describes the labels in this screen Table 157 Configuration Object AP Profile SSID Security List Add Edit LABEL DESCRIPTION Profile Name Enter up to 31 alphanumeric characters for the profile name This name is only visible in the Web Configurator and is only...

Page 351: ... WEP 64 Enter 10 hexadecimal digits in the range of A F a f and 0 9 for example 0x11AA22BB33 for each Key used or Enter 5 ASCII characters case sensitive ranging from a z A Z and 0 9 for example MyKey for each Key used If you select WEP 128 Enter 26 hexadecimal digits in the range of A F a f and 0 9 for example 0x00112233445566778899AABBCC for each Key used or Enter 13 ASCII characters case sensit...

Page 352: ...n to allow the AP to send authentication information to other APs on the network allowing connected wireless clients to switch APs without having to re authenticate their network connection OK Click OK to save your changes back to the UAG Cancel Click Cancel to exit this screen without saving your changes Table 157 Configuration Object AP Profile SSID Security List Add Edit continued LABEL DESCRIP...

Page 353: ... Action Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID select deny to block the wireless clients with the specified MAC addresses Add Click this to add a MAC address to the profile s list Edit Click this to edit the selected MAC address in the profile s list Remove Click this to remove the selected MAC address...

Page 354: ...ing profiles Please see the respective sections for more information about how address objects and address groups are used in each one Address groups are composed of address objects and address groups The sequence of members in the address group is not important 34 2 Address Summary Screen The address screens are used to create maintain and remove addresses There are the types of address objects H...

Page 355: ...dit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Reference to open a screen that shows which settings use the entry See Section 10 3 2 on page 129 for an example This field is a sequential value ...

Page 356: ...updates the corresponding interface based LAN subnet address object IP Address This field is only available if the Address Type is HOST This field cannot be blank Enter the IP address that this address object represents Starting IP Address This field is only available if the Address Type is RANGE This field cannot be blank Enter the beginning of the range of IP addresses that this address object r...

Page 357: ...ss Group Add Edit Table 162 Configuration Object Address Address Group LABEL DESCRIPTION Configuration Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Object Reference Select an entry and click Object Refer...

Page 358: ...an use up to 60 characters punctuation marks and spaces Member List The Member list displays the names of the address and address group objects that have been added to the address group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shift or Ctrl key to...

Page 359: ...Some uses are FTP HTTP SMTP and TELNET UDP is simpler and faster but is less reliable Some uses are DHCP DNS RIP and SNMP TCP creates connections between computers to exchange data Once the connection is established the computers exchange data If data arrives out of sequence or is missing TCP puts it in sequence or waits for the data to be re transmitted Then the connection is terminated In contra...

Page 360: ...ch service Service groups may consist of services and other service groups The sequence of members in the service group is not important 35 2 The Service Summary Screen The Service summary screen provides a summary of all services and their definitions In addition this screen allows you to add edit and remove services To access this screen log in to the Web Configurator and click Configuration Obj...

Page 361: ... and it is not associated with a specific service Name This field displays the name of each service Content This field displays a description of each service Table 165 Configuration Object Service Service Add Edit LABEL DESCRIPTION Name Type the name used to refer to the service You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value i...

Page 362: ...3 on page 362 and either click the Add icon or select an entry and click the Edit icon Table 166 Configuration Object Service Service Group LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so ...

Page 363: ...he service group if any You can use up to 60 printable ASCII characters Member List The Member list displays the names of the service and service group objects that have been added to the service group The order of members is not important Select items from the Available list that you want to be members and move them to the Member list You can double click a single entry to move it or use the Shif...

Page 364: ...n 36 2 1 on page 366 to create or edit a one time schedule Use the Recurring Schedule Add Edit screen Section 36 2 2 on page 367 to create or edit a recurring schedule 36 1 2 What You Need to Know One time Schedules One time schedules begin on a specific start date and time and end on a specific stop date and time One time schedules are useful for long holidays and vacation periods Recurring Sched...

Page 365: ...n example This field is a sequential value and it is not associated with a specific schedule Name This field displays the name of the schedule which is used to refer to the schedule Start Day Time This field displays the date and time at which the schedule begins Stop Day Time This field displays the date and time at which the schedule ends Recurring Add Click this to create a new entry Edit Doubl...

Page 366: ...sed to refer to the one time schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartDate Specify the year month and day when the schedule begins Year 1900 2999 Month 1 12 Day 1 31 it is not possible to specify illegal dates such as February 31 StartTime Specify the hour and minute when the sch...

Page 367: ...describes the remaining labels in this screen Table 170 Configuration Object Schedule Add Edit Recurring LABEL DESCRIPTION Configuration Name Type the name used to refer to the recurring schedule You may use 1 31 alphanumeric characters underscores _ or dashes but the first character cannot be a number This value is case sensitive Date Time StartTime Specify the hour and minute when the schedule b...

Page 368: ...er instead of or in addition to an internal device user database that is limited to the memory capacity of the device In essence RADIUS authentication allows you to validate a large number of users from a central location Figure 244 RADIUS Server Network Example 37 1 2 What You Can Do in this Chapter Use the Configuration Object AAA Server RADIUS screen Section 37 2 on page 369 to configure the de...

Page 369: ... Configuration Object AAA Server RADIUS to display the RADIUS screen Click the Add icon or select an entry and click the Edit icon to display the following screen Use this screen to create a new RADIUS entry or edit an existing one Table 171 Configuration Object AAA Server RADIUS LABEL DESCRIPTION Add Click this to create a new entry Edit Double click an entry or select it and click Edit to open a...

Page 370: ...ation requests Enter a number between 1 and 65535 Backup Server Address If the RADIUS server has a backup server enter its address here Backup Authentication Port Specify the port number on the RADIUS server to which the UAG sends authentication requests Enter a number between 1 and 65535 Timeout Specify the timeout period between 1 and 300 seconds before the UAG disconnects from the RADIUS server...

Page 371: ...gs If it does not display select User Defined and specify the attribute s number This attribute s value is called a group identifier it determines to which group a user belongs You can add ext group user user objects to identify groups based on these group identifier values For example you could have an attribute named memberOf with values like sales RD and management Then you could also create a ...

Page 372: ...bjects By default user accounts created and stored on the UAG are authenticated locally 38 1 1 What You Can Do in this Chapter Use the Configuration Object Auth Method screens Section 38 2 on page 372 to create and manage authentication method objects 38 1 2 Before You Begin Configure AAA server objects see Chapter 37 on page 368 before you configure authentication method objects 38 2 Authenticati...

Page 373: ... If two accounts with the same username exist on two authentication servers you specify the UAG does not continue the search on the second authentication server when you enter the username and password that doesn t match the one on the first authentication server Note You can NOT select two server objects of the same type 7 Click OK to save the settings or click Cancel to discard all changes and r...

Page 374: ...ist select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed The ordering of your methods is important as UAG authenticates the users using the authentication methods in the order they appear in this screen This field displays the index number Method List Select a server object from the drop down...

Page 375: ...lable The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write your signature exactly as it should look When people know what your signature looks like they can verify whether something was signed by you or by someone else In the same way your private key writes your digital sig...

Page 376: ...ificates Certificates offer the following benefits The UAG only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys Self signed Certificates You can have the UAG act as a certificat...

Page 377: ...default 39 1 3 Verifying a Certificate Before you import a trusted certificate into the UAG you should verify that you have the correct certificate You can do this using the certificate s fingerprint A certificate s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm The following procedure describes how to check a certificate s fingerprint to verify that you have the actual...

Page 378: ...y certificates before adding more certificates Add Click this to go to the screen where you can have the UAG generate a certificate or a certification request Edit Double click an entry or select it and click Edit to open a screen with an in depth list of information about the certificate Remove The UAG keeps all of your certificates unless you specifically delete them Uploading a new firmware or ...

Page 379: ...plays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organ...

Page 380: ...t information when it issues a certificate It is recommended that each certificate have unique subject information Select a radio button to identify the certificate s owner by IP address domain name or e mail address Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address is for identification purposes only and can be any...

Page 381: ...an public key algorithm Select DSA to use the Digital Signature Algorithm public key algorithm Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a...

Page 382: ...t Click the Refresh button to have this read only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself If the issuing certification authority is one that you have imported as a trusted certification authority it may be the only certification authority in the list along with the certificate itself If the certificate is a self signed ce...

Page 383: ...s expired none displays for a certification request Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the UAG uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field display...

Page 384: ...se this button to save a copy of the certificate without its private key Click this button and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Password If you want to export the certificate with its private key create a password and type it here Make sure you keep this password in a safe place You will need to use it if you ...

Page 385: ...Browse Click Browse to find the certificate file you want to upload Password This field only applies when you import a binary PKCS 12 format file Type the file s password that was created when the PKCS 12 file was exported OK Click OK to save the certificate on the UAG Cancel Click Cancel to quit and return to the My Certificates screen Table 179 Configuration Object Certificate Trusted Certificat...

Page 386: ... certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name orga...

Page 387: ...Chapter 39 Certificates UAG5100 User s Guide 387 Figure 256 Configuration Object Certificate Trusted Certificates Edit ...

Page 388: ...n authority Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and sig...

Page 389: ...e digest that the UAG calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the UAG calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this ...

Page 390: ...ESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it You cannot import a certificate with the same name as a certificate that is already in the UAG Browse Click Browse to find the certificate file you want to upload OK Click OK to save the certificate on the UAG Cancel Click Cancel to quit and return to the previous screen ...

Page 391: ...Account screens Section 40 2 on page 391 to create and manage ISP accounts in the UAG 40 2 ISP Account Summary This screen provides a summary of ISP accounts in the UAG To access this screen click Configuration Object ISP Account Figure 258 Configuration Object ISP Account The following table describes the labels in this screen See the ISP Account Add Edit section below for more information as wel...

Page 392: ...th a specific entry Profile Name This field displays the profile name of the ISP account This name is used to identify the ISP account Protocol This field displays the protocol used by the ISP account Authentication Type This field displays the authentication type used by the ISP account User Name This field displays the user name of the ISP account Table 182 Configuration Object ISP Account conti...

Page 393: ...TP server Connection ID This field is available if this ISP account uses the PPTP protocol Type your identification name for the PPTP server This field can be blank Service Name If this ISP account uses the PPPoE protocol type the PPPoE service name to access PPPoE uses the specified service name to identify and reach the PPPoE server This field can be blank If this ISP account uses the PPTP proto...

Page 394: ...23 to configure SSH Secure SHell used to securely access the UAG s command line interface You can specify which zones allow SSH access and from which IP address the access can come Use the System TELNET screen see Section 41 9 on page 428 to configure Telnet to access the UAG s command line interface Specify which zones allow Telnet access and from which IP address the access can come Use the Syst...

Page 395: ...ad only and use the FAT16 FAT32 EXT2 or EXT3 file system Click Configuration System USB Storage to open the screen as shown next Table 184 Configuration System Host Name LABEL DESCRIPTION System Name Enter a descriptive name to identify your UAG device This name can be up to 64 alphanumeric characters long Spaces are not allowed but dashes underscores _ and periods are accepted Domain Name Enter t...

Page 396: ...al time zone and date click Configuration System Date Time The screen displays as shown You can manually set the UAG s time and date or have the UAG get the date and time from a time server Table 185 Configuration System USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the connected USB device s Disk full warning when remaining space is less than Set a numb...

Page 397: ... time and date time zone and daylight saving at the same time the time zone and daylight saving will affect the new time and date you entered When you enter the time settings manually the UAG uses the new setting once you click Apply New Time hh mm ss This field displays the last updated time from the time server or the last time configured manually When you set Time and Date Setup to Manual enter...

Page 398: ... the at field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the at field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one...

Page 399: ...ve been tried 41 4 2 Time Server Synchronization Click the Synchronize Now button to get the time and date from the time server you specified in the Time Server Address field When the Loading screen appears you may have to wait up to one minute Figure 263 Synchronization in Process The Current Time and Current Date fields will display the appropriate settings if the synchronization is successful I...

Page 400: ... a terminal emulation program See Table 1 on page 20 for default console port settings Click Configuration System Console Speed to open the Console Speed screen Figure 264 Configuration System Console Speed The following table describes the labels in this screen Table 188 Configuration System Console Speed LABEL DESCRIPTION Console Port Speed Use the drop down list box to change the speed of the c...

Page 401: ...ally enter them in the DNS server fields If your ISP dynamically assigns the DNS server IP addresses along with the UAG s WAN IP address set the DNS server fields to get the DNS server address from the ISP You can manually enter the IP addresses of other DNS servers 41 6 2 Configuring the DNS Screen Click Configuration System DNS to change your UAG s DNS settings Use the DNS screen to configure th...

Page 402: ...tion Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the domain zone forwarder record The ordering of your rules is important as rules are applied in sequence A hyphen displays for the default domain zone...

Page 403: ... Control This specifies from which computers and zones you can send DNS queries to the UAG Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before...

Page 404: ... click the Edit icon in the Domain Zone Forwarder table to configure a domain zone forwarder record Table 190 Configuration System DNS Address PTR Record Add Edit LABEL DESCRIPTION FQDN Type a Fully Qualified Domain Name FQDN of a server An FQDN starts with a host name and continues all the way up to the top level domain name For example www zyxel com tw is a fully qualified domain name where www ...

Page 405: ... domain zones are served by the specified DNS server s DNS Server Select DNS Server s from ISP if your ISP dynamically assigns DNS server information You also need to select an interface through which the ISP provides the DNS server IP address es The interface should be activated and set to be a DHCP client The fields below display the read only DNS server IP address es that the ISP assigns N A di...

Page 406: ...figuration System DNS MX Record Add Edit LABEL DESCRIPTION Domain Name Enter the domain name where the mail is destined for IP Address FQDN Enter the IP address or Fully Qualified Domain Name FQDN of a mail server that handles the mail for the domain specified in the field above OK Click OK to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving...

Page 407: ...in the Service Control table is not in the allowed zone or the action is set to Deny 4 There is a firewall rule that blocks it 41 7 2 System Timeout There is a lease timeout for administrators The UAG automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling Each user is also fo...

Page 408: ...rver the UAG must always authenticate itself to the HTTPS client the computer which requests the HTTPS connection with the UAG whereas the HTTPS client only should authenticate itself when the HTTPS server requires it to do so select Authenticate Client Certificates in the WWW screen Authenticate Client Certificates is optional and if selected means the HTTPS client must send the UAG a certificate...

Page 409: ...the Internet for example Figure 271 Configuration System WWW Service Control The following table describes the labels in this screen Table 194 Configuration System WWW Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address es in the Service Control table to access the UAG Web Configurator using secure HT...

Page 410: ...lect an entry and click Add to create a new entry after the selected entry Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note that subsequent entries move up by one when you take this action Move To change an entry s position in the numbered...

Page 411: ...hen you take this action Move To change an entry s position in the numbered list select the method and click Move to display a field to type a number for where you want to put it and press ENTER to move the rule to the number that you typed This is the index number of the service control rule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies t...

Page 412: ...his to configure any new settings objects that you need to use in this screen Address Object Select ALL to allow or deny any computer to communicate with the UAG using this service Select a predefined address object to just allow or deny the computer with the IP address that you specified to access the UAG using this service Zone Select ALL to allow or prevent any UAG zones from being accessed usi...

Page 413: ...Chapter 41 System UAG5100 User s Guide 413 Figure 273 Configuration System WWW Login Page The following figures identify the parts you can customize in the login and access pages ...

Page 414: ...lay a screen of web safe colors from which to choose Enter the name of the desired color Enter a pound sign followed by the six digit hexadecimal number that represents the desired color For example use 000000 for black Logo Title Message Color Note Message Background last line of text color of all text Logo Title Message Color Note Message last line of text color of all text Background ...

Page 415: ... Spaces are allowed Title Color Specify the color of the screen s title text Message Color Specify the color of the screen s text Note Message Enter a note to display at the bottom of the screen Use up to 64 printable ASCII characters Spaces are allowed Background Set how the screen background looks To use a graphic select Picture and upload a graphic Specify the location and file name of the logo...

Page 416: ...bsite to proceed to the Web Configurator login screen Otherwise select Click here to close this webpage to block the access 41 7 7 2 Mozilla Firefox Warning Messages When you attempt to access the UAG HTTPS server a The Connection is Untrusted screen appears as shown in the following screen Click Technical Details if you want to verify more information about the certificate from the UAG Select I U...

Page 417: ...uthorities The issuing certificate authority of the UAG s factory default certificate is the UAG itself since the certificate is a self signed certificate For the browser to trust a self signed certificate import the self signed certificate into your operating system as a trusted certificate To have the browser trust the certificates issued by a certificate authority import the certificate authori...

Page 418: ...lient Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the UAG see the UAG s Trusted CA Web Configurator screen Figure 280 UAG Trusted CA Screen The CA sends you a package containing the CA s trusted certificate s your personal certificate s and a password to install the personal certificate s 41 7 7 5 1...

Page 419: ...wn earlier in this appendix 41 7 7 5 2 Installing Your Personal Certificate s You need a password in advance The CA may issue the password or you may have to specify it during the enrollment Double click the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard ...

Page 420: ...ort Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 283 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA ...

Page 421: ...d 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 285 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 422: ... 7 7 6 Using a Certificate When Accessing the UAG Example Use the following procedure to access the UAG via HTTPS 1 Enter https UAG IP Address in your browser s web address field Figure 288 Access the UAG Via HTTPS 2 When Authenticate Client Certificates is selected on the UAG the following screen asks you to select a personal certificate to send to the UAG This screen displays even if you only ha...

Page 423: ...access the UAG s command line interface Specify which zones allow SSH access and from which IP address the access can come SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network In the following figure computer A on the Internet uses SSH to securely connect to the WAN port of the ...

Page 424: ... connection request to the SSH server The server identifies itself with a host key The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved version on the client computer 2 Encryption Method Once ...

Page 425: ...program on a client computer Windows or Linux operating system that is used to connect to the UAG over SSH 41 8 4 Configuring SSH Click Configuration System SSH to change your UAG s Secure Shell settings Use this screen to specify from which zones SSH can be used to manage the UAG You can also specify from which IP addresses the access can come Figure 293 Configuration System SSH The following tab...

Page 426: ...ils Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 195 on page 412 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select i...

Page 427: ...H Example 2 Test 2 Enter ssh 1 172 16 0 1 This command forces your computer to connect to the UAG using SSH version 1 If this is the first time you are connecting to the UAG using SSH a message displays prompting you to save the host information of the UAG Type yes and press ENTER Then enter the password to log in to the UAG Figure 296 SSH Example 2 Log in 3 The CLI screen displays next telnet 172...

Page 428: ...ess the UAG CLI using this service Server Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Service Control This specifies from which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry R...

Page 429: ...ule The entry with a hyphen instead of a number is the UAG s non configurable default policy The UAG applies this to traffic that does not match any other configured rule It is not an editable rule To apply other behavior configure a rule that traffic will match so the UAG will not have to use the default policy Zone This is the zone on the UAG the user is allowed or denied to access Address This ...

Page 430: ...m which computers you can access which UAG zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 195 on page 412 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms yo...

Page 431: ...purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 w...

Page 432: ...P can be used to access the UAG You can also specify from which IP addresses the access can come Figure 300 Configuration System SNMP Table 200 SNMP Traps OBJECT LABEL OBJECT ID DESCRIPTION Cold Start 1 3 6 1 6 3 1 1 5 1 This trap is sent when the UAG is turned on or an agent restarts linkDown 1 3 6 1 6 3 1 1 5 3 This trap is sent when the Ethernet link is down linkUp 1 3 6 1 6 3 1 1 5 4 This trap...

Page 433: ...G zones Add Click this to create a new entry Select an entry and click Add to create a new entry after the selected entry Refer to Table 195 on page 412 for details on the screen that opens Edit Double click an entry or select it and click Edit to be able to modify the entry s settings Remove To remove an entry select it and click Remove The UAG confirms you want to remove it before doing so Note ...

Page 434: ...on System Language The following table describes the labels in this screen Table 202 Configuration System Language LABEL DESCRIPTION Language Setting Select a display language for the UAG s Web Configurator screens You also need to open a new browser session to display the screens in the new language Apply Click Apply to save your changes back to the UAG Reset Click Reset to return the screen to i...

Page 435: ... 437 to specify settings for recording log messages and alerts e mailing them storing them on a connected USB storage device and sending them to remote syslog servers 42 2 Email Daily Report Use the Email Daily Report screen to start or stop data collection and view various statistics about traffic passing through your UAG Note Data collection may decrease the UAG s traffic throughput rate Click C...

Page 436: ...Chapter 42 Log and Report UAG5100 User s Guide 436 Figure 302 Configuration Log Report Email Daily Report ...

Page 437: ...Mail Server Type the name or IP address of the outgoing SMTP server Mail Subject Type the subject line for the outgoing e mail Select Append system name to add the UAG s system name to the subject Select Append date time to add the UAG s system date and time to the subject Mail From Type the e mail address from which the outgoing e mail is delivered This address is used in replies Mail To Type the...

Page 438: ...pen a screen where you can modify it Activate To turn on an entry select it and click Activate Inactivate To turn off an entry select it and click Inactivate This field is a sequential value and it is not associated with a specific log Status This icon is lit when the entry is active and dimmed when the entry is inactive Name This field displays the type of log setting entry system log logs stored...

Page 439: ...en see Section 42 3 1 on page 438 and click the system log Edit icon Summary This field is a summary of the settings for each log Please see Section 42 3 2 on page 439 for more information Log Category Settings Click this button to open the Log Category Settings screen Apply Click this button to save your changes activate and deactivate logs and make them take effect Table 204 Configuration Log Re...

Page 440: ...Chapter 42 Log and Report UAG5100 User s Guide 440 Figure 304 Configuration Log Report Log Settings Edit System Log ...

Page 441: ...heck box if it is necessary to provide a user name and password to the SMTP server User Name This box is effective when you select the SMTP Authentication check box Type the user name to provide to the SMTP server when the log is e mailed Password This box is effective when you select the SMTP Authentication check box Type the password to provide to the SMTP server when the log is e mailed Retype ...

Page 442: ...n from this category the UAG does not e mail debugging information however even if this setting is selected E mail Server 1 Select whether each category of events should be included in the log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The UAG does not e mail debugging information even if it is recorded ...

Page 443: ...a copy of its system logs to a connected USB storage device on a daily basis Keep duration Specify how long the UAG is to keep the copy of system logs in the connected USB storage device before discarding it Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category en...

Page 444: ... Selection Select what information you want to log from each Log Category except All Logs see below Choices are disable all logs red X do not log any information from this category enable normal logs green check mark log regular information and alerts from this category enable normal logs and debug logs yellow check mark log regular information alerts and debugging information from this category O...

Page 445: ...Chapter 42 Log and Report UAG5100 User s Guide 445 Figure 306 Configuration Log Report Log Settings Edit Remote Server ...

Page 446: ... log the messages to different files in the syslog server Please see the documentation for your syslog program for more information Active Log Selection Use the Selection drop down list to change the log settings for all of the log categories disable all logs red X do not send the remote server logs for any log category enable normal logs green check mark send the remote server log messages and al...

Page 447: ...Log Category Settings This screen provides a different view and a different way of indicating which messages are included in each log and each alert Please see Section 42 3 2 on page 439 where this process is discussed The Default category includes debugging messages generated by open source software ...

Page 448: ...ail Server 1 drop down list to change the settings for e mailing logs to e mail server 1 for all log categories Using the System Log drop down list to disable all logs overrides your e mail server 1 settings enable normal logs green check mark e mail log messages for all categories to e mail server 1 enable alert logs red exclamation point e mail alerts for all categories to e mail server 1 E mail...

Page 449: ...is e mailed green check mark and or in alerts red exclamation point for the e mail settings specified in E Mail Server 1 The UAG does not e mail debugging information even if it is recorded in the System log E mail Server 2 E mail Select whether each category of events should be included in log messages when it is e mailed green check mark and or in alerts red exclamation point for the e mail sett...

Page 450: ...Configuration File screen see Section 43 2 on page 452 to store and name configuration files You can also download configuration files from the UAG to your computer and upload configuration files from your computer to the UAG Use the Firmware Package screen see Section 43 3 on page 456 to check your current firmware version and upload firmware to the UAG Use the Shell Script screen see Section 43 ...

Page 451: ...and mode Note exit or must follow sub commands if it is to make the UAG exit sub command mode Figure 308 Configuration File Shell Script Example enter configuration mode configure terminal change administrator password username admin password 4321 user type admin configure wan1 interface wan1 ip address 10 16 17 240 255 255 255 0 ip gateway 10 16 17 254 metric 1 exit create address objects for rem...

Page 452: ... configuration file or shell script The UAG ignores any errors in the configuration file or shell script and applies all of the valid commands The UAG still generates a log for any errors 43 2 The Configuration File Screen Click Maintenance File Manager Configuration File to open the Configuration File screen Use the Configuration File screen to store run and name configuration files You can also ...

Page 453: ...there is an error the UAG generates a log and copies the startup config conf configuration file to the startup config bad conf configuration file and tries the existing lastgood conf configuration file If there isn t a lastgood conf configuration file or it also has an error the UAG applies the system default conf configuration file You can change the way the startup config conf file is applied In...

Page 454: ...cate of the configuration file Remove Click a configuration file s row to select it and click Remove to delete it from the UAG You can only delete manually saved configuration files You cannot delete the system default conf startup config conf and lastgood conf files A pop up window asks you to confirm that you want to delete the configuration file Click OK to delete the configuration file or clic...

Page 455: ... gets the UAG started with a fully valid configuration file as quickly as possible Ignore errors and finish applying the configuration file this applies the valid parts of the configuration file and generates error logs for all of the configuration file s errors This lets the UAG apply most of your configuration and you can refer to the logs for what to fix Ignore errors and finish applying the co...

Page 456: ...s configuration file The UAG applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK It applies configuration changes made via commands when you use the write command The lastgood conf is the most recently used valid configuration file that was saved when the device last restarted If you upload and apply a configuration file with an error you...

Page 457: ...eck your new firmware version in the Dashboard screen If the upload was not successful the following message appears in the status bar at the bottom of the screen Table 211 Maintenance File Manager Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the UAG Current Version This is the firmware version and the date created Released Date This is...

Page 458: ...Click Maintenance File Manager Shell Script to open the Shell Script screen Use the Shell Script screen to store name download upload and run shell script files You can store multiple shell script files on the UAG at the same time Note You should include write commands in your scripts If you do not use the write command the changes will be lost when the UAG restarts You could use multiple write co...

Page 459: ... without deleting the shell script file Download Click a shell script file s row to select it and click Download to save the configuration to your computer Copy Use this button to save a duplicate of a shell script file on the UAG Click a shell script file s row to select it and click Copy to open the Copy File screen Figure 319 Maintenance File Manager Shell Script Copy Specify a name for the dup...

Page 460: ...e from your computer to your UAG File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the zysh file you want to upload Upload Click Upload to begin the upload process This process may take up to several minutes Table 212 Maintenance File Manager Shell Script continued LABEL DESCRIPTION ...

Page 461: ...see Section 44 4 on page 466 to have the UAG save a process s core dump to an attached USB storage device if the process terminates abnormally crashes so you can send the file to customer support for troubleshooting Use the System Log screens see Section 44 5 on page 467 to download files of system logs from a connected USB storage device to your computer 44 2 The Diagnostics Screen The Diagnostic...

Page 462: ... the diagnostic file to USB storage if ready Select this to have the UAG create an extra copy of the diagnostic file to a connected USB storage device Apply Click Apply to save your changes Collect Now Click this to have the UAG create a new diagnostic file Download Click this to save the most recent diagnostic file to a computer Table 214 Maintenance Diagnostics Files LABEL DESCRIPTION Remove Sel...

Page 463: ...the UAG s interfaces Studying these packet captures may help you identify network problems Click Maintenance Diagnostics Packet Capture to open the packet capture screen Note New capture files overwrite existing files of the same name Change the File Suffix field s setting to avoid this Figure 322 Maintenance Diagnostics Packet Capture ...

Page 464: ...e packet capture entries only on a USB storage device connected to the UAG Status Unused the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the UAG cannot mount it none no USB storage device is connected available you can have the UAG use the USB storage device The available storage capacity also displays service deactivated the USB storage fe...

Page 465: ...re per packet The UAG automatically truncates packets that exceed this size As a result when you view the packet capture files in a packet analyzer the actual size of the packets may be larger than the size of captured packets Capture Click this button to have the UAG capture packets according to the settings configured in this screen You can configure the UAG while a packet capture is in progress...

Page 466: ... to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each packet capture file entry The total number of packet capture files that you can save depends on the file sizes and the available flash storage space File Name This column displays the label that identifies the file The file name format is in...

Page 467: ...n a connected USB storage device The files are in comma Table 218 Maintenance Diagnostics Core Dump Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column di...

Page 468: ...em from the UAG Use the Shift and or Ctrl key to select multiple files A pop up window asks you to confirm that you want to delete Download Click a file to select it and click Download to save it to your computer This column displays the number for each file entry The total number of files that you can save depends on the file sizes and the available storage space File Name This column displays th...

Page 469: ... s settings 45 2 The Routing Status Screen The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings Click a function box in the Routing Flow section the related routes activated will display in the Routing Table section To access this screen click Maintenance Packet Flow Explore The order of the routing flow may vary depending on whether y...

Page 470: ...G5100 User s Guide 470 Figure 327 Maintenance Packet Flow Explore Routing Status Direct Route Figure 328 Maintenance Packet Flow Explore Routing Status Dynamic VPN Figure 329 Maintenance Packet Flow Explore Routing Status Policy Route ...

Page 471: ...0 User s Guide 471 Figure 330 Maintenance Packet Flow Explore Routing Status VPN 1 1 Mapping Route Figure 331 Maintenance Packet Flow Explore Routing Status 1 1 SNAT Figure 332 Maintenance Packet Flow Explore Routing Status SiteToSite VPN ...

Page 472: ...100 User s Guide 472 Figure 333 Maintenance Packet Flow Explore Routing Status Static Route Figure 334 Maintenance Packet Flow Explore Routing Status Default WAN Trunk Figure 335 Maintenance Packet Flow Explore Routing Status Main Route ...

Page 473: ... down to zero The following fields are available if you click Dynamic VPN or SiteToSite VPN in the Routing Flow section This field is a sequential value and it is not associated with any entry Source This is the IP address es of the local VPN network Destination This is the IP address es for the remote VPN network VPN Tunnel This is the name of the VPN tunnel The following fields are available if ...

Page 474: ...s packets out of the UAG Gateway This is the IP address of the gateway in the same network of the outgoing interface The following fields are available if you click 1 1 SNAT in the Routing Flow section This field is a sequential value and it is not associated with any entry NAT Rule This is the name of an activated 1 1 or Many 1 1 NAT rule in the NAT table Source This is the original source IP add...

Page 475: ...5100 User s Guide 475 Figure 336 Maintenance Packet Flow Explore SNAT Status Policy Route SNAT Figure 337 Maintenance Packet Flow Explore SNAT Status VPN 1 1 Mapping Route Figure 338 Maintenance Packet Flow Explore SNAT Status 1 1 SNAT ...

Page 476: ...he SNAT Table section SNAT Table The table fields in this section vary depending on the function box you select in the SNAT Flow section The following fields are available if you click Policy Route SNAT in the SNAT Flow section This field is a sequential value and it is not associated with any entry PR This is the number of an activated policy route which uses SNAT Outgoing This is the outgoing in...

Page 477: ...e name of an activated NAT rule which uses SNAT and enables NAT loopback Source This is the original source IP address es any means any IP address Destination This is the original destination IP address es any means any IP address SNAT This indicates which source IP address the SNAT rule uses finally For example Outgoing Interface IP means that the UAG uses the IP address of the outgoing interface...

Page 478: ... use the write command to save the configuration before you reboot Otherwise the changes are lost when you reboot Reboot is different to reset see Section 48 1 on page 487 reset returns the device to its default configuration 46 2 The Reboot Screen The Reboot screen allows remote users to restart the device To access this screen click Maintenance Reboot Figure 341 Maintenance Reboot Click the Rebo...

Page 479: ... the UAG or remove the power Not doing so can cause the firmware to become corrupt 47 1 1 What You Need To Know Shutdown writes all cached data to the local storage and stops the system processes 47 2 The Shutdown Screen To access this screen click Maintenance Shutdown Figure 342 Maintenance Shutdown Click the Shutdown button to shut down the UAG Wait for the device to shut down before you manuall...

Page 480: ... s In the computer click Start All Programs Accessories and then Command Prompt In the Command Prompt window type ping followed by the UAG s LAN IP address 172 16 0 1 or 172 17 0 1 is the default and then press ENTER The UAG should reply If you ve forgotten the UAG s password use the RESET button Press the button in for about 5 seconds or until the PWR LED starts to blink then release it It return...

Page 481: ...also match I cannot enter the interface name I want The format of interface names other than the Ethernet interface names is very strict Each name consists of 2 4 letters interface type followed by a number x limited by the maximum number of each type of interface For example VLAN interfaces are vlan0 vlan1 vlan2 and so on The names of virtual interfaces are derived from the interfaces on which th...

Page 482: ...is not applying an interface s configured ingress bandwidth limit At the time of writing the UAG does not support ingress bandwidth management The UAG routes and applies SNAT for traffic from some interfaces but not from others The UAG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces For example LAN to WAN traffic You must manually configure a policy ro...

Page 483: ...t interfaces for more information I cannot set up an IPSec VPN tunnel to another device If the IPSec tunnel does not build properly the problem is likely a configuration error at one of the IPSec routers Log into both ZyXEL IPSec routers and check the settings in each field methodically and slowly Make sure both the UAG and remote IPSec router have the same security settings for the VPN tunnel It ...

Page 484: ...pts them This depends on the zone to which you assign the VPN tunnel and the zone from which and to which traffic may be routed If you set up a VPN tunnel across the Internet make sure your ISP supports AH or ESP whichever you are using If you have the UAG and remote IPSec router use certificates to authenticate each other You must set up the certificates for the UAG and remote IPSec router first ...

Page 485: ...and admin users in the same user group I cannot add the default admin account to a user group You cannot put the default admin account into any user group The schedule I configured is not being applied at the configured times Make sure the UAG s current date and time are correct I cannot get a certificate to import into the UAG 1 For My Certificates you can import a certificate that matches a corr...

Page 486: ...contents when you import the file into the UAG Note Be careful not to convert a binary file to text during the transfer process It is easy for this to occur since many programs use text files by default I cannot access the UAG from a computer connected to the Internet Check the service control rules and to UAG firewall rules I uploaded a logo to display on the upper left corner of the Web Configur...

Page 487: ...command line interface if you need to recover the firmware See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it My packet capture captured less than I wanted or failed The packet capture screen s File Size sets a maximum size limit for the total combined size of all the capture files on the UAG including any existing capture files and any new c...

Page 488: ...default conf file Note This procedure removes the current configuration If you want to reboot the device without changing the current configuration see Chapter 46 on page 478 1 Make sure the SYS LED is on and not blinking 2 Press the RESET button and hold it until the SYS LED begins to blink This usually takes about five seconds 3 Release the RESET button and wait for the UAG to restart You should...

Page 489: ...erence to radio communications Operation of this device in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense CE Mark Warning This is a class A product In a domestic environment this product may cause radio interference in which case the user may be required to take adequate measures Taiwanese BSMI Burea...

Page 490: ...e the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution If the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make sure all the connec...

Page 491: ...Appendix A Legal Information UAG5100 User s Guide 491 Environmental Product Declaration ...

Page 492: ...ns 70 73 85 address groups 354 and FTP 430 and SNMP 433 and SSH 426 and Telnet 429 and web authentication 233 and WWW 412 address objects 354 and FTP 430 and NAT 173 188 and policy routes 172 and SNMP 433 and SSH 426 and Telnet 429 and VPN connections 289 and web authentication 233 and WWW 412 HOST 354 RANGE 354 SUBNET 354 types of 354 address record 403 admin user troubleshooting 485 admin users ...

Page 493: ...mbers 147 basic characteristics 119 effect on routing table 146 member interfaces 146 virtual 152 bridges 145 C CA and certificates 376 CA Certificate Authority see certificates capturing packets 463 CEF Common Event Format 438 446 certificate troubleshooting 485 Certificate Authority CA see certificates Certificate Revocation List CRL 376 certificates 375 advantages of 376 and CA 376 and FTP 430 ...

Page 494: ...64 daylight savings 398 setting manually 399 time server 400 custom access user page 412 login page 412 D Data Encryption Standard see DES date 396 daylight savings 398 DDNS 180 backup mail exchanger 184 mail exchanger 184 service providers 180 troubleshooting 482 Dead Peer Detection see DPD default firewall behavior 246 Denial of Service Dos attacks 293 DES 304 device access troubleshooting 480 D...

Page 495: ...ed Service Set IDentification 339 ext user troubleshooting 485 F FCC interference statement 489 file extensions configuration files 450 shell scripts 450 file manager 450 Firefox 20 firewall 245 actions 252 and ALG 205 and HTTP redirect 198 and IPSec SA 247 and IPSec VPN 484 and logs 252 and NAT 248 and schedules 251 323 and service groups 252 and service objects 360 and services 252 and SMTP redi...

Page 496: ... Layer see HTTPS I ICMP 359 IEEE 802 1q VLAN IEEE 802 1x 340 IKE SA aggressive mode 303 306 307 and certificates 308 and RADIUS 308 and to Device firewall 484 authentication algorithms 303 304 content 305 Dead Peer Detection DPD 302 Diffie Hellman key group 305 encryption algorithms 304 extended authentication 307 ID type 305 IP address remote IPSec router 303 IP address ZyXEL device 303 local ide...

Page 497: ...tificates 300 connections 289 connectivity check 295 encapsulation 294 encryption 294 ESP 294 established in two phases 289 local network 288 local policy 293 NetBIOS 293 peer 288 Perfect Forward Secrecy 295 PFS 295 phase 2 settings 293 policy enforcement 293 remote IPSec router 288 remote network 288 remote policy 293 replay detection 293 SA life time 293 SA monitor 103 SA see also IPSec SA 308 s...

Page 498: ... troubleshooting 486 log messages categories 442 444 446 447 448 debugging 104 regular 104 types of 104 logged in users 75 login custom page 412 logo troubleshooting 486 logout Web Configurator 21 logs and firewall 252 and web authentication 233 e mail profiles 437 e mailing log messages 106 441 formats 438 log consolidation 442 settings 437 syslog servers 437 system 437 types of 437 M MAC address...

Page 499: ...rver 370 Network Address Translation see NAT Network Time Protocol NTP 399 No IP 180 O objects AAA server 368 addresses and address groups 354 authentication method 372 certificates 375 schedules 364 services and service groups 359 users user groups 325 other documentation 2 P packet statistics 78 79 95 packet capture 463 files 462 465 467 troubleshooting 487 packet captures downloading files 462 ...

Page 500: ... 100 printer firmware 275 printer list 275 printer management 275 problems 480 product registration 490 proxy servers 197 web see web proxy servers PTR record 403 Public Key Infrastructure PKI 376 public private key pairs 375 Q QoS 167 316 Quick Start Guide 2 R RADIUS 368 369 advantages 368 and IKE SA 308 and PPPoE 157 and users 326 port 370 user attributes 337 RADIUS server troubleshooting 485 re...

Page 501: ...ers 407 limitations 407 timeouts 407 service groups 360 and firewall 252 service objects 359 and firewall 360 and IP protocols 360 and policy routes 360 Service Set 339 service subscription status 113 services 359 and firewall 252 session limits 247 252 sessions 85 sessions usage 70 73 SHA1 304 shell script troubleshooting 487 shell scripts 450 and users 338 downloading 459 editing 458 how applied...

Page 502: ...m uptime 68 system default conf 456 T TCP 359 connections 359 port numbers 359 Telnet 428 and address groups 429 and address objects 429 and zones 429 with SSH 426 throughput rate troubleshooting 486 time 396 time servers default 399 to Device firewall 246 and NAT 189 and NAT traversal VPN 484 and remote management 246 and service control 407 and VPN 484 global rules 246 see also firewall 245 traf...

Page 503: ...roup objects 325 user groups 325 327 and bandwidth management 320 and firewall 251 254 and policy routes 171 172 323 user name rules 329 user objects 325 user sessions see sessions user aware 233 users 325 access see also access users admin type 325 admin see also admin users and AAA servers 326 and authentication method objects 326 and bandwidth management 320 and firewall 251 254 and LDAP 326 an...

Page 504: ...d address objects 289 and policy routes 172 484 VPN gateways and certificates 290 and extended authentication 289 and interfaces 289 and to Device firewall 484 VRPT Vantage Report 446 W warranty 489 note 490 web authentication and address groups 233 and address objects 233 and logs 233 and schedules 233 Web Configurator 19 access 20 access users 336 requirements 20 supported browsers 20 web proxy ...

Page 505: ...Index UAG5100 User s Guide 505 extra zone traffic 177 inter zone traffic 177 intra zone traffic 177 types of traffic 176 ...