Zyxel UAG4100 [299/617] Security policy configuration example

Click cli to look at the cli commands sent by the web configurator open the pop up window and then click some menus in the web configurator to dislay the corresponding commands 26

Figure 7 cli messages 26

Label description 26

Navigation panel 26

See the command reference guide for information about the commands 26

Table 5 object references 26

The fields vary with the type of object the following table describes labels that can appear in this screen 26

Uag series user s guide 26

Use the navigation panel menu items to open status and configuration screens click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it the following sections introduce the uag s navigation panel menus and their screens 26

Chapter 1 introduction 27

Dashboard 27

Figure 8 navigation panel 27

Folder or link tab function 27

Monitor menu 27

Table 6 monitor menu screens summary 27

The dashboard displays general device information system status system resource usage licensed service status and interface status in widgets that you can re arrange to suit your needs see chapter 6 on page 80 for details on the dashboard 27

The monitor menu screens display status and statistics information 27

Uag series user s guide 27

Chapter 1 introduction 28

Configuration menu 28

Folder or link tab function 28

Table 6 monitor menu screens summary continued 28

Table 7 configuration menu screens summary 28

Uag series user s guide 28

Use the configuration menu screens to configure the uag s features 28

Chapter 1 introduction 29

Folder or link tab function 29

Table 7 configuration menu screens summary continued 29

Uag series user s guide 29

Chapter 1 introduction 30

Folder or link tab function 30

Table 7 configuration menu screens summary continued 30

Uag series user s guide 30

Chapter 1 introduction 31

Folder or link tab function 31

Maintenance menu 31

Table 7 configuration menu screens summary continued 31

Table 8 maintenance menu screens summary 31

Uag series user s guide 31

Use the maintenance menu screens to manage configuration and firmware files run diagnostics and reboot or shut down the uag 31

Chapter 1 introduction 32

Click a column heading to sort the table s entries according to that column s criteria 32

Click the down arrow next to a column heading for more options about how to display the entries the options available vary depending on the type of fields in the column here are some examples of what you can do 32

Figure 9 sorting table entries by a column s criteria 32

Folder or link tab function 32

Group entries by field 32

Or or searching for text 32

Select which columns to display 32

Show entries in groups 32

Sort in ascending or descending reverse alphabetical order 32

Table 8 maintenance menu screens summary continued 32

Tables and lists 32

Uag series user s guide 32

Web configurator tables and lists are flexible with several options for how to display their entries 32

Chapter 1 introduction 34

Figure 14 common table icons 34

Figure 15 working with lists 34

Here are descriptions for the most common table icons 34

Label description 34

Table 9 common table icons 34

Uag series user s guide 34

When a list of available entries displays next to a list of selected entries you can often just double click an entry to move it from one list to the other in some lists you can also use the shift or ctrl key to select multiple entries and then use the arrow button to move them to the other list 34

Working with lists 34

Stopping the uag 35

Hardware installation and connection 36

Rack mounting uag5100 36

Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 37

Wall mounting uag2100 and uag4100 37

Front panel 38

Base t ports 39

Console port uag5100 39

Front panel leds 39

Usb 2 ports 39

Chapter 2 hardware installation and connection 40

Led color status description 40

Rear panel 40

Table 11 front panel leds continued 40

The following figure shows the rear panel of the uag 40

The rear panel contains a console port a power switch and a connector for the power receptacle and four antennas 40

Uag series user s guide 40

Uag2100 or uag4100 40

Console port 41

Figure 20 rear panel uag5100 41

Radio 1 2 ghz 41

Radio 2 5 ghz 41

Uag5100 41

Attach the printer to the uag 42

Overview 42

Printer deployment 42

Set up an internet connection on the uag 42

Allow the uag to monitor and manage the printer 43

General setting screen 46

Turn on web authentication on the uag 46

Generate a free guest account 47

Installation setup wizard 50

Internet settings 50

Welcome screen 50

Note enter the internet access information exactly as your isp gave it to you 51

Internet settings ethernet 52

Note enter the internet access information exactly as given to you by your isp 52

Internet settings pppoe 53

Isp parameters 53

Note enter the internet access information exactly as given to you by your isp 53

Internet settings pptp 54

Note enter the internet access information exactly as given to you by your isp 54

Wan ip address assignments 54

Internet settings second wan interface 55

Isp parameters 55

Pptp configuration 55

Wan ip address assignments 55

Wireless and radio settings 56

Wireless settings 56

Note a view mobile version or view desktop version link displays on the login page if you enable web authentication 57

Radio settings 57

Web authentication settings 57

Wireless settings 57

Printer settings 58

Billing settings 59

Printer list 59

Printer list and printout settings 59

Printout 59

Accounting method 60

Accumulatio 60

Billing profile 60

Currency 60

Account generator settings 61

Free time settings 62

Device registration 63

Service screen to update your service subscription status 63

Quick setup overview 64

Quick setup wizards 64

Choose an ethernet interface 65

Select wan type 65

Wan interface quick setup 65

Configure wan ip settings 66

Isp and wan connection settings 66

Note enter the internet access information exactly as your isp gave it to you 66

Assignment to static and or select pptp or pppoe enter the internet access information exactly as your isp gave it to you 67

Chapter 5 quick setup wizards 67

Figure 43 wan and isp connection settings pptp shown 67

Label description 67

Table 12 wan and isp connection settings 67

The following table describes the labels in this screen 67

Uag series user s guide 67

Chapter 5 quick setup wizards 68

Label description 68

Quick setup interface wizard summary 68

Table 12 wan and isp connection settings continued 68

This screen displays the wan interface s settings 68

Uag series user s guide 68

Chapter 5 quick setup wizards 69

Figure 44 interface wizard summary wan ethernet shown 69

Label description 69

Table 13 interface wizard summary wan 69

The following table describes the labels in this screen 69

Uag series user s guide 69

Vpn setup wizard 70

Welcome 70

Vpn express wizard scenario 71

Vpn setup wizard wizard type 71

Vpn express wizard configuration 72

Vpn express wizard summary 72

Vpn express wizard finish 73

Vpn advanced wizard scenario 74

Note multiple sas connecting through a secure gateway must have the same negotiation mode 75

Vpn advanced wizard phase 1 settings 75

Note the remote ipsec device must also have nat traversal enabled see the help in the main ipsec vpn screens for more information 76

Vpn advanced wizard phase 2 76

Vpn advanced wizard summary 77

Vpn advanced wizard finish 78

Dashboard 80

Overview 80

The dashboard screen 80

What you can do in this chapter 80

Chapter 6 dashboard 81

Figure 57 dashboard 81

Label description 81

Table 14 dashboard 81

The following table describes the labels in this screen 81

Uag series user s guide 81

Chapter 6 dashboard 82

Label description 82

Table 14 dashboard continued 82

Uag series user s guide 82

Chapter 6 dashboard 83

Label description 83

Table 14 dashboard continued 83

Uag series user s guide 83

Chapter 6 dashboard 84

Label description 84

Table 14 dashboard continued 84

Uag series user s guide 84

Chapter 6 dashboard 85

Label description 85

Table 14 dashboard continued 85

Uag series user s guide 85

The cpu usage screen 86

The memory usage screen 86

The active sessions screen 87

The dhcp table screen 88

The vpn status screen 88

Chapter 6 dashboard 89

Dhcp table 89

Label description 89

The following table describes the labels in this screen 89

The number of login users screen 89

Uag series user s guide 89

Use this screen to look at a list of the users currently logged into the uag users who close their browsers without logging out are still shown as logged in here to access this screen click number of login users in system status in the dashboard 89

Chapter 6 dashboard 90

Label description 90

Number of login users 90

The following table describes the labels in this screen 90

Uag series user s guide 90

Monitor 91

Overview 91

What you can do in this chapter 91

The port statistics screen 92

Chapter 7 monitor 93

Label description 93

Port statistics 93

The following table describes the labels in this screen 93

The port statistics graph screen 93

Uag series user s guide 93

Use this screen to look at a line graph of packet statistics for each physical port to access this screen click port statistics in the status screen and then the switch to graphic view button 93

Chapter 7 monitor 94

Interface status to access this screen 94

Label description 94

Switch to graphic view 94

The following table describes the labels in this screen 94

The interface status screen 94

Uag series user s guide 94

Chapter 7 monitor 95

Each field is described in the following table 95

Interface status 95

Label description 95

Uag series user s guide 95

Chapter 7 monitor 96

Interface status continued 96

Label description 96

Uag series user s guide 96

The traffic statistics screen 97

Chapter 7 monitor 98

Label description 98

Traffic statistics continued 98

Uag series user s guide 98

The session monitor screen 99

Chapter 7 monitor 100

Label description 100

Session monitor 100

The following table describes the labels in this screen 100

Uag series user s guide 100

The ddns status screen 101

The ip mac binding monitor screen 101

Chapter 7 monitor 102

Ip mac binding 102

Label description 102

Login users 102

The following table describes the labels in this screen 102

The login users screen 102

Uag series user s guide 102

Chapter 7 monitor 103

Dynamic guest accounts can be automatically generated for guest users by using a connected statement printer or the web configurator with the guest manager account see section 26 on page 308 for more information a dynamic guest account has a dynamically created user name 103

Label description 103

Login users 103

Note you cannot use this button to terminate a user s session when he she accesses the uag through the console port 103

The dynamic guest screen 103

The following table describes the labels in this screen 103

Uag series user s guide 103

Chapter 7 monitor 104

Dynamic guest 104

Label description 104

Note if you delete a valid user account which is in use the uag ends the user session 104

Note once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list 104

The following table describes the labels in this screen 104

Uag series user s guide 104

Chapter 7 monitor 105

Dynamic guest icons 105

Label description 105

The following table describes the icons in this screen 105

The following table describes the labels in this screen 105

The upnp port status screen 105

Uag series user s guide 105

Upnp port status 105

Chapter 7 monitor 106

Label description 106

The following table describes the labels in this screen 106

The usb storage screen 106

Uag series user s guide 106

Upnp port status continued 106

Usb storage 106

Usb storage to display this screen 106

Chapter 7 monitor 107

Ethernet neighbor to see the following screen 107

It uses smart connect that is link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the uag that you re logged into using the web configurator 107

Label description 107

Lldp is a layer 2 protocol that allows a network device to advertise its identity and capabilities on the local network it also allows the device to maintain and store information from adjacent devices which are directly connected to the network device this helps you discover network changes and perform necessary network reconfiguration and management 107

The ethernet neighbor screen 107

The ethernet neighbor screen allows you to view the uag s neighboring devices in one place 107

Uag series user s guide 107

Usb storage continued 107

Zon for more information on the zyxel one network zon utility that uses the zyxel discovery protocol zdp for discovering and configuring zdp aware zyxel devices in the same network as the computer on which the zon utility is installed 107

Zon screen 107

Chapter 7 monitor 108

Ethernet neighbor 108

Label description 108

The following table describes the labels in this screen 108

Uag series user s guide 108

Ap list 109

Chapter 7 monitor 109

Label description 109

The ap list screen 109

The following table describes the labels in this screen 109

Uag series user s guide 109

Ap list continued 110

Ap list icons 110

Chapter 7 monitor 110

Label description 110

Station count of ap 110

The following table describes the icons in this screen 110

Uag series user s guide 110

Use this screen to look at station statistics for the connected ap to access this screen select an entry and click the more information button in the ap list screen use this screen to look at 110

Chapter 7 monitor 111

Configuration information port status and station statistics for the connected ap to access this screen select an entry and click the more information button in the ap list screen 111

Label description 111

Station count of ap 111

The following table describes the labels in this screen 111

Uag series user s guide 111

Chapter 7 monitor 112

Label description 112

Radio list 112

Station count of ap continued 112

The following table describes the labels in this screen 112

The radio list screen 112

Uag series user s guide 112

Chapter 7 monitor 113

Label description 113

Radio list continued 113

Uag series user s guide 113

Ap mode radio information 114

Ap mode radio information 115

Chapter 7 monitor 115

Label description 115

Station info to access this screen 115

Station list 115

The following table describes the labels in this screen 115

The station list screen 115

Uag series user s guide 115

Ap management screen in order to detect other wireless devices in its vicinity 116

Chapter 7 monitor 116

Detected device 116

Detected device to access this screen 116

Label description 116

Station list 116

The following table describes the labels in this screen 116

Uag series user s guide 116

Chapter 7 monitor 117

Detected device 117

Label description 117

The following table describes the labels in this screen 117

Uag series user s guide 117

Chapter 7 monitor 118

Label description 118

Printer status 118

Printer status to display this screen 118

The following table describes the labels in this screen 118

The printer status screen 118

The vpn 1 1 mapping status screen 118

This screen displays the status of the active users to which the uag applied a vpn 1 1 mapping rule 118

Uag series user s guide 118

Vpn 1 1 mapping to open the following screen 118

Chapter 7 monitor 119

Label description 119

Statistics 119

Statistics to display this screen 119

The following table describes the labels in this screen 119

Uag series user s guide 119

Vpn 1 1 mapping 119

Vpn 1 1 mapping statistics 119

Chapter 7 monitor 120

Each field is described in the following table 120

Ipsec the following screen appears click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 120

Label description 120

Statistics 120

The following table describes the labels in this screen 120

The ipsec monitor screen 120

Uag series user s guide 120

A in the middle of a vpn connection or policy name has the uag check the beginning and end and ignore the middle for example with abc 123 any vpn connection or policy name starting with abc and ending in 123 matches no matter how many characters are in between 121

A question mark lets a single character in the vpn connection or policy name vary for example use a c without the quotation marks to specify abc acc and so on 121

Application patrol provides a convenient way to manage the use of various applications on the network it manages general protocols for example http and ftp and instant messenger im peer to peer p2p voice over ip voip and streaming rstp applications you can even control 121

Chapter 7 monitor 121

Ipsec continued 121

Label description 121

Regular expressions in searching ipsec sas 121

The app patrol screen 121

The whole vpn connection or policy name has to match if you do not use a question mark or asterisk 121

Uag series user s guide 121

Wildcards let multiple vpn connection or policy names match the pattern for example use abc without the quotation marks to specify any vpn connection or policy name that ends with abc a vpn connection named testabc would match there could be any number of any type of characters in front of the abc at the end and the vpn connection or policy name would still match a vpn connection or policy name named testacc for example would not match 121

App patrol 122

App patrol to display the following screen this screen displays application patrol statistics based on the app patrol profiles bound to security policy profiles 122

Chapter 7 monitor 122

Label description 122

The following table describes the labels in this screen 122

The use of a particular application s individual features like text messaging voice video conferencing and file transfers 122

Uag series user s guide 122

Label description 123

The content filter screen 123

Chapter 7 monitor 124

Content filter 124

Label description 124

The following table describes the labels in this screen 124

Uag series user s guide 124

Chapter 7 monitor 125

Events that generate an alert as well as a log message display in red regular logs display in black click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 125

Label description 125

Log messages are stored in two separate logs one for regular log messages and one for debugging messages in the regular log you can look at all the log messages by selecting all logs or you can select a specific category of log messages for example security policy control or user you can also look at the debugging log by selecting debug log all debugging messages have the same priority 125

Log the log is displayed in the following screen 125

Note when a log reaches the maximum number of log messages new log messages automatically overwrite existing log messages starting with the oldest existing log message first 125

The following table describes the labels in this screen 125

The log screen 125

The maximum possible number of log messages in the uag varies by model 125

Uag series user s guide 125

Chapter 7 monitor 126

Label description 126

Log continued 126

Uag series user s guide 126

View ap log 127

Chapter 7 monitor 128

Label description 128

Note this criterion only appears when you show filter 128

The following table describes the labels in this screen 128

Uag series user s guide 128

View ap log 128

Chapter 7 monitor 129

Dynamic users log 129

Dynamic users log to access this screen 129

Label description 129

The following table describes the labels in this screen 129

Uag series user s guide 129

View ap log continued 129

Chapter 7 monitor 130

Dynamic users log continued 130

Label description 130

Note once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list 130

Uag series user s guide 130

Licensing 131

Overview 131

What you can do in this chapter 131

What you need to know 131

Maximum number of managed aps 132

Registration screen 132

Service screen 132

App patrol signature update screen 133

Chapter 8 licensing 133

Label description 133

Service 133

The following table describes the labels in this screen 133

The uag comes with signatures for the application patrol feature these signatures are continually updated as new attack types evolve new signatures can be downloaded to the uag periodically if you have subscribed for the apppatrol signatures service 133

Uag series user s guide 133

Note the uag does not have to reboot when you upload new signatures 134

App patrol continued 135

Chapter 8 licensing 135

Label description 135

Uag series user s guide 135

Overview 136

What you can do in this chapter 136

What you need to know 136

Wireless 136

Ap management screen 137

Controller screen 137

Ap management 138

Chapter 9 wireless 138

Controller screen you set the registration type to always accept then as soon as you remove an ap from this list it reconnects 138

Each field is described in the following table 138

Label description 138

Uag series user s guide 138

Ap management table to display this screen 139

Chapter 9 wireless 139

Each field is described in the following table 139

Edit ap list 139

Label description 139

Uag series user s guide 139

Chapter 9 wireless 140

Edit ap list continued 140

Edit ap list screen 140

Label description 140

Note ensure you restart the managed ap after you change its operating mode 140

Port setting edit 140

Uag series user s guide 140

Use this screen to enable or disable a port on the managed ap and configure the port s pvid 140

Vlan add edit 141

Chapter 9 wireless 142

Each field is described in the following table 142

Edit vlan 142

Label description 142

Uag series user s guide 142

Ap policy 143

Ap policy to access this screen 143

Chapter 9 wireless 143

Each field is described in the following table 143

Label description 143

Uag series user s guide 143

Chapter 9 wireless 144

Each field is described in the following table 144

Label description 144

Mon mode 144

Mon mode to access this screen 144

Uag series user s guide 144

Use this screen to assign aps either to the rogue ap list or the friendly ap list a rogue ap is a wireless access point operating in a network s coverage area that is not under the control of the network administrator and which can potentially open up holes in a network s security 144

Add edit rogue friendly 145

Add edit rogue friendly list 145

Chapter 9 wireless 145

Each field is described in the following table 145

Label description 145

Mon mode continued 145

Mon mode table to display this screen 145

Uag series user s guide 145

Chapter 9 wireless 146

Each field is described in the following table 146

Label description 146

Load balancing 146

Load balancing to access this screen 146

Note if you enable this function you should ensure that there are multiple aps within the broadcast radius that can accept any rejected or kicked wireless clients otherwise a wireless client attempting to connect to an overloaded ap will be kicked continuously and never be allowed to connect 146

Uag series user s guide 146

Disassociating and delaying connections 147

Chapter 9 wireless 149

Each field is described in the following table 149

Label description 149

Uag series user s guide 149

Chapter 9 wireless 150

Dcs continued 150

Label description 150

Uag series user s guide 150

Auto healing 151

Auto healing to access this screen 151

Chapter 9 wireless 151

Each field is described in the following table 151

Label description 151

Uag series user s guide 151

Dynamic channel selection 152

Technical reference 152

Load balancing 153

Interface overview 154

Interfaces 154

What you can do in this chapter 154

What you need to know 154

Bridge interfaces create a software connection between ethernet or vlan interfaces at the layer 2 data link mac address level unlike port groups bridge interfaces can take advantage of some security features in the uag you can also assign an ip address and subnet mask to the bridge 155

Chapter 10 interfaces 155

Characteristics ethernet ethernet ppp vlan bridge virtual 155

Ethernet interfaces are the foundation for defining other interfaces and network policies 155

Layer 3 virtualization ip alias for example is a kind of interface 155

Port groups and trunks have a lot of characteristics that are specific to each type of interface see section 10 on page 156 and chapter 11 on page 195 for details the other types of interfaces ethernet ppp vlan bridge and virtual have a lot of similar characteristics these characteristics are listed in the following table and discussed in more detail below 155

Port roles screen to set multiple physical ports to be part of the same interface 155

Ppp interfaces support point to point protocols ppp isp accounts are required for pppoe pptp interfaces 155

Table 64 ethernet ppp vlan bridge and virtual interface characteristics 155

Trunk interfaces manage load balancing between interfaces 155

Types of interfaces 155

Uag series user s guide 155

Virtual interfaces provide additional routing information in the uag there are three types virtual ethernet interfaces virtual vlan interfaces and virtual bridge interfaces 155

Vlan interfaces receive and send tagged frames the uag automatically adds or removes the tags as needed each vlan can only be associated with one ethernet interface 155

You can create several types of interfaces in the uag 155

Chapter 10 interfaces 156

Finding out more 156

In the uag interfaces are usually created on top of other interfaces only ethernet interfaces are created directly on top of the physical ports or port groups the relationships between interfaces are explained in the following table 156

Interface required port interface 156

Port role screen 156

Port role use the port role screen to set the uag s flexible ports as part of the lan1 lan2 or dmz interfaces this creates a hardware connection between the physical ports at the layer 2 data link mac address level this provides wire speed throughput but no security 156

Relationships between interfaces 156

See chapter 11 on page 195 to configure load balancing using trunks 156

See section 10 on page 191 for background information on interfaces 156

Table 65 relationships between different types of interfaces 156

Uag series user s guide 156

Ethernet summary screen 157

Interfaces 157

Physical ports 157

Chapter 10 interfaces 158

Each field is described in the following table 158

Ethernet 158

Ethernet interfaces are similar to other types of interfaces in many ways they have an ip address subnet mask and gateway used to make routing decisions they restrict the amount of bandwidth and packet size they can provide dhcp services and they can verify the gateway is available 158

Label description 158

On page 156 the ethernet interface is effectively removed from the uag but you can still configure it 158

Uag series user s guide 158

Use ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one the more routing information is exchanged the more efficient the routers should be however the routers also generate more network traffic and some routing protocols require a significant amount of configuration and management 158

Chapter 10 interfaces 159

Ethernet continued 159

Ethernet edit 159

Label description 159

Note if you create ip address objects based on an interface s ip address subnet or gateway the uag automatically updates every rule or setting that uses the object whenever the interface s ip address settings change for example if you change the lan s ip address the uag automatically updates the corresponding interface based lan subnet address object 159

The ethernet edit screen lets you configure ip address assignment interface parameters dhcp settings connectivity check and mac address settings to access this screen select an entry in the ethernet summary screen and click the edit icon see section 10 on page 157 159

Uag series user s guide 159

Chapter 10 interfaces 162

Label description 162

This screen s fields are described in the table below 162

Uag series user s guide 162

Chapter 10 interfaces 163

Edit continued 163

Label description 163

Uag series user s guide 163

Chapter 10 interfaces 164

Edit continued 164

Label description 164

Uag series user s guide 164

Chapter 10 interfaces 165

Edit continued 165

Label description 165

Object references 165

Uag series user s guide 165

When a configuration screen includes an object reference icon select a configuration object and click object reference to open the object reference screen this screen displays which configuration settings reference the selected object the fields shown vary with the type of object 165

Add edit dhcp extended options 166

Add edit extended options 167

Chapter 10 interfaces 167

Label description 167

The following table describes labels that can appear in this screen 167

Uag series user s guide 167

Add edit extended options 168

Chapter 10 interfaces 168

Label description 168

Option name code description 168

Ppp interfaces 168

Table 70 dhcp extended options 168

The following table lists the available dhcp extended options defined in rfcs on the uag see rfcs for more information 168

Uag series user s guide 168

Use pppoe pptp interfaces to connect to your isp this way you do not have to install or manage pppoe pptp software on each computer in the network 168

Ppp interface summary 169

Chapter 10 interfaces 170

Each field is described in the table below 170

Label description 170

Note you have to set up an isp account before you create a pppoe pptp interface 170

Ppp interface add or edit 170

This screen lets you configure a pppoe or pptp interface to access this screen click the add icon or select an entry in the ppp interface summary screen and click the edit icon 170

Uag series user s guide 170

Chapter 10 interfaces 172

Each field is explained in the following table 172

Label description 172

Note multiple ppp interfaces can use the same base interface 172

Uag series user s guide 172

Add continued 173

Chapter 10 interfaces 173

Label description 173

Uag series user s guide 173

Vlan interfaces 174

Note each vlan interface is created on top of only one ethernet interface 175

Vlan interface summary screen 175

Vlan interfaces overview 175

Chapter 10 interfaces 176

Each field is explained in the following table 176

Label description 176

This screen lets you configure ip address assignment interface bandwidth parameters dhcp settings and connectivity check for each vlan interface to access this screen click the add icon 176

Uag series user s guide 176

Vlan interface add edit 176

Chapter 10 interfaces 178

Each field is explained in the following table 178

Label description 178

Uag series user s guide 178

Chapter 10 interfaces 179

Edit continued 179

Label description 179

Uag series user s guide 179

Chapter 10 interfaces 180

Edit continued 180

Label description 180

Uag series user s guide 180

Bridge interfaces 181

Chapter 10 interfaces 181

Edit continued 181

Label description 181

This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces 181

Uag series user s guide 181

Bridge interface overview 182

Bridge overview 182

Bridge interface summary 183

Bridge continued 184

Bridge interface add edit 184

Chapter 10 interfaces 184

Label description 184

This screen lets you configure ip address assignment interface bandwidth parameters dhcp settings and connectivity check for each bridge interface to access this screen click the add icon or select an entry in the bridge summary screen and click the edit icon the following screen appears 184

Uag series user s guide 184

Chapter 10 interfaces 186

Each field is described in the table below 186

Label description 186

Uag series user s guide 186

Chapter 10 interfaces 187

Edit continued 187

Label description 187

Uag series user s guide 187

Chapter 10 interfaces 188

Edit continued 188

Label description 188

Uag series user s guide 188

Chapter 10 interfaces 189

Edit continued 189

Label description 189

Like other interfaces virtual interfaces have an ip address subnet mask and gateway used to make routing decisions however you have to manually specify the ip address and subnet mask virtual interfaces cannot be dhcp clients like other interfaces you can restrict bandwidth through virtual interfaces but you cannot change the mtu the virtual interface uses the same mtu that the 189

Uag series user s guide 189

Use virtual interfaces to tell the uag where to route packets 189

Virtual interfaces 189

Virtual interfaces can be created on top of ethernet interfaces vlan interfaces or bridge interfaces virtual vlan interfaces recognize and use the same vlan id otherwise there is no difference between each type of virtual interface network policies for example security policy control rules that apply to the underlying interface automatically apply to the virtual interface as well 189

Chapter 10 interfaces 190

Create virtual interface 190

Each field is described in the table below 190

Label description 190

This screen lets you configure ip address assignment and interface parameters for virtual interfaces to access this screen click the create virtual interface icon in the ethernet vlan or bridge interface summary screen 190

Uag series user s guide 190

Underlying interface uses unlike other interfaces virtual interfaces do not provide dhcp services and they do not verify that the gateway is available 190

Virtual interfaces add edit 190

Interface technical reference 191

Ip address assignment 191

Dhcp settings 192

Interface parameters 192

Pppoe pptp overview 194

Overview 195

Trunks 195

What you can do in this chapter 195

What you need to know 195

Least load first 196

Load balancing algorithms 196

Weighted round robin 196

Spillover 197

Chapter 11 trunks 198

Label description 198

The following table describes the items in this screen 198

The trunk summary screen 198

Trunk to open the trunk screen this screen lists the configured trunks and the load balancing algorithm that each is configured to use 198

Uag series user s guide 198

Add or edit 199

Chapter 11 trunks 199

Configuring a user defined trunk 199

Label description 199

Trunk continued 199

Trunk in the user configuration table click the add or edit icon to open the following screen use this screen to create or edit a wan trunk entry 199

Uag series user s guide 199

Add or edit 200

Chapter 11 trunks 200

Each field is described in the table below 200

Label description 200

Note you can configure the bandwidth of an interface in the corresponding interface edit screen 200

Uag series user s guide 200

Add or edit continued 201

Chapter 11 trunks 201

Configuring the system default trunk 201

Edit system default 201

Label description 201

Note the available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk 201

Note you can configure the bandwidth of an interface in the corresponding interface edit screen 201

Trunk screen and the system default section select the default trunk entry and click edit to open the following screen use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface 201

Uag series user s guide 201

Chapter 11 trunks 202

Each field is described in the table below 202

Edit system default 202

Label description 202

Uag series user s guide 202

Policy and static routes 203

Policy and static routes overview 203

What you can do in this chapter 203

What you need to know 203

Diffserv 204

How you can use policy routing 204

Note the uag automatically uses snat for traffic it routes from internal interfaces to external interfaces for example lan to wan traffic 204

Policy routes versus static routes 204

Static routes 204

Dscp marking and per hop behavior 205

Finding out more 205

Policy route screen 205

Chapter 12 policy and static routes 206

Label description 206

Policy route 206

The following table describes the labels in this screen 206

Uag series user s guide 206

Chapter 12 policy and static routes 207

Label description 207

Policy route add edit screen 207

Policy route continued 207

Routing to open the policy route screen then click the add icon or select an entry and click the edit icon the add policy route or policy route edit screen opens use this screen to configure or edit a policy route 207

Uag series user s guide 207

Add edit continued 209

Chapter 12 policy and static routes 209

Label description 209

Uag series user s guide 209

Add edit continued 210

Chapter 12 policy and static routes 210

Label description 210

Uag series user s guide 210

Add edit continued 211

Chapter 12 policy and static routes 211

Ip static route screen 211

Label description 211

Select a static route index number and click add or edit the screen shown next appears use this screen to configure the required information for a static route 211

Static route 211

Static route add edit screen 211

Static route to open the static route screen this screen displays the configured static routes configure static routes to be able to propagate the routing information to other routers 211

The following table describes the labels in this screen 211

Uag series user s guide 211

Assured forwarding af behavior is defined in rfc 2597 the af behavior group defines four af classes inside each class packets are given a high medium or low drop precedence the drop 212

Assured forwarding af phb for diffserv 212

Chapter 12 policy and static routes 212

Here is more detailed information about some of the features you can configure in policy routing 212

Label description 212

Nat and snat 212

Nat network address translation nat rfc 1631 is the translation of the ip address in a packet in one network to a different ip address in another network use snat source nat to change the source ip address in one network to a different ip address in another network 212

Policy routing technical reference 212

The following table describes the labels in this screen 212

Uag series user s guide 212

Chapter 12 policy and static routes 213

Class 1 class 2 class 3 class 4 213

Precedence determines the probability that routers in the network will drop packets when congestion occurs if congestion occurs between classes the traffic in the higher class smaller numbered class is generally given priority combining the classes and drop precedence produces the following twelve dscp encodings from af11 through af43 the decimal equivalent is listed in brackets 213

Table 92 assured forwarding af behavior group 213

Uag series user s guide 213

Ddns overview 214

What you can do in this chapter 214

What you need to know 214

Chapter 13 ddns 215

Ddns to open the following screen 215

Label description 215

The ddns screen 215

The following table describes the labels in this screen 215

Uag series user s guide 215

The dynamic dns add edit screen 216

Add continued 217

Chapter 13 ddns 217

Label description 217

Note the uag may not determine the proper ip address if there is an http proxy server between the uag and the ddns server 217

Uag series user s guide 217

Add continued 218

Chapter 13 ddns 218

Label description 218

Note the uag may not determine the proper ip address if there is an http proxy server between the uag and the ddns server 218

Uag series user s guide 218

Nat overview 219

What you can do in this chapter 219

What you need to know 219

Chapter 14 nat 220

Label description 220

Nat the following screen appears providing a summary of the existing nat rules 220

The following table describes the labels in this screen 220

The nat screen 220

Uag series user s guide 220

The nat add edit screen 221

Add continued 222

Chapter 14 nat 222

Label description 222

Uag series user s guide 222

Add continued 223

Chapter 14 nat 223

Label description 223

Uag series user s guide 223

Nat loopback 224

Nat technical reference 224

Xxx lan smtp com 224

Xxx lan smtp com 1 224

Vpn 1 1 mapping 226

Vpn 1 1 mapping overview 226

What you can do in this chapter 226

What you need to know 226

The vpn 1 1 mapping general screen 227

Chapter 15 vpn 1 1 mapping 228

General screen then click the add or edit icon to open the vpn 1 1 mapping add edit policy screen where you can configure the rule 228

Label description 228

The vpn 1 1 mapping edit screen 228

Uag series user s guide 228

Vpn 1 1 mapping continued 228

Chapter 15 vpn 1 1 mapping 229

Label description 229

Profile 229

Profile the following screen appears providing a summary of the existing ip address pool profiles 229

The following table describes the labels in this screen 229

The vpn 1 1 mapping profile screen 229

Uag series user s guide 229

Chapter 15 vpn 1 1 mapping 230

Label description 230

Note it s recommended that the ip addresses of the selected address object and the wan interface are in the same subnet so that the uag can receive response packets from the remote node 230

Note you cannot select an address group object at the time of writing 230

Profile 230

The following table describes the labels in this screen 230

Uag series user s guide 230

Http redirect 231

Overview 231

What you can do in this chapter 231

What you need to know 231

Http redirect security policy and policy route 232

Note you can configure up to one http redirect rule for each incoming interface 232

The http redirect screen 232

Chapter 16 http redirect 233

Http redirect 233

Http redirect to open the http redirect screen then click the add or edit icon to open the http redirect edit screen where you can configure the rule 233

Label description 233

The following table describes the labels in this screen 233

The http redirect edit screen 233

Uag series user s guide 233

Chapter 16 http redirect 234

Label description 234

The following table describes the labels in this screen 234

Uag series user s guide 234

Overview 235

Smtp redirect 235

What you can do in this chapter 235

What you need to know 235

Note you can configure up to one smtp redirect rule for each incoming interface 236

Smtp redirect security policy and policy route 236

The smtp redirect screen 236

Chapter 17 smtp redirect 237

Label description 237

Smtp redirect 237

Smtp redirect to open the smtp redirect screen then click the add or edit icon to open the smtp redirect edit screen where you can configure the rule 237

The following table describes the labels in this screen 237

The smtp redirect edit screen 237

Uag series user s guide 237

Chapter 17 smtp redirect 238

Label description 238

The following table describes the labels in this screen 238

Uag series user s guide 238

Alg overview 239

What you can do in this chapter 239

What you need to know 239

Alg to open the alg screen use this screen to turn the alg off or on configure the port numbers to which it applies 240

Before you begin 240

Chapter 18 alg 240

Label description 240

The alg screen 240

The following table describes the labels in this screen 240

Uag series user s guide 240

You must also configure the security policies and enable nat in the uag to allow sessions initiated from the wan 240

Nat traversal 241

Overview 241

What you need to know 241

Cautions with upnp 242

Upnp screen 242

Auto discover your upnp enabled network device 243

Chapter 19 upnp 243

Click start and control panel double click network connections an icon displays under internet gateway 243

Label description 243

Make sure the computer is connected to a lan port of the uag turn on your computer and the uag 243

Right click the icon and select properties 243

Technical reference 243

The following table describes the fields in this screen 243

The sections show examples of using upnp 243

This section shows you how to use the upnp feature in windows xp you must already have upnp installed in windows xp and upnp activated on the uag 243

Uag series user s guide 243

Using upnp in windows xp example 243

Note when the upnp enabled device is disconnected from your computer all port mappings will be deleted automatically 245

Web configurator easy access 245

Ip mac binding 248

Ip mac binding overview 248

What you can do in this chapter 248

What you need to know 248

Chapter 20 ip mac binding 249

Interfaces used with ip mac binding 249

Ip mac address bindings are grouped by interface you can use ip mac binding with ethernet bridge vlan interfaces you can also enable or disable ip mac binding and logging in an interface s configuration screen 249

Ip mac binding summary 249

Ip mac binding to open the ip mac binding summary screen this screen lists the total number of ip to mac address bindings for devices connected to each supported interface 249

Label description 249

Summary 249

The following table describes the labels in this screen 249

Uag series user s guide 249

Chapter 20 ip mac binding 250

Edit to open the ip mac binding edit screen use this screen to configure an interface s ip to mac address binding settings 250

Ip mac binding edit 250

Label description 250

The following table describes the labels in this screen 250

Uag series user s guide 250

Ip mac binding exempt list 251

Static dhcp edit 251

Chapter 20 ip mac binding 252

Exempt list 252

Label description 252

The following table describes the labels in this screen 252

Uag series user s guide 252

Layer 2 isolation 253

Overview 253

What you can do in this chapter 253

Chapter 21 layer 2 isolation 254

Ip addresses that are not listed in the white list are blocked from communicating with other devices in the layer 2 isolation enabled internal interface s except for broadcast packets 254

Label description 254

Layer 2 isolation 254

Layer 2 isolation general screen 254

Note you can enable this feature only when the security policy is enabled 254

The following table describes the labels in this screen 254

Uag series user s guide 254

White list 254

White list screen 254

Add edit white list rule 255

Chapter 21 layer 2 isolation 255

Label description 255

Note you can configure up to 100 white list rules on the uag 255

Note you can enable this feature only when the security policy is enabled 255

Note you need to know the ip address of each connected device that you want to allow to be accessed by other devices when layer 2 isolation is enabled 255

The following table describes the labels in this screen 255

This screen allows you to create a new rule in the white list or edit an existing one to access this screen click the add button or select an entry from the list and click the edit button 255

Uag series user s guide 255

White list 255

Add edit 256

Chapter 21 layer 2 isolation 256

Label description 256

The following table describes the labels in this screen 256

Uag series user s guide 256

Overview 257

What you can do in this chapter 257

Chapter 22 ipnp 258

Ipnp screen 258

Label description 258

Note you can enable this feature only when the security policy is enabled 258

The following table describes the labels in this screen 258

Uag series user s guide 258

Overview 259

Web authentication 259

What you can do in this chapter 259

Finding out more 260

Forced user authentication 260

General screen 260

Note this works with http traffic only the uag does not display the login screen when users attempt to send other kinds of traffic 260

Web authentication 260

What you need to know 260

Chapter 23 web authentication 261

Label description 261

The following table gives an overview of the objects you can configure 261

Uag series user s guide 261

Web authentication general 261

Add exceptional service 262

Chapter 23 web authentication 262

Label description 262

Uag series user s guide 262

Web authentication general continued 262

Chapter 23 web authentication 263

Creating editing an authentication policy 263

General screen then click the add icon or select an entry and click the edit icon in the web authentication policy summary section to open the auth policy add edit screen use this screen to configure an authentication policy 263

Label description 263

Uag series user s guide 263

Web authentication general continued 263

Chapter 23 web authentication 264

In this example the users are authenticated by an external radius server at 172 6 00 first set up the user accounts and user groups in the uag then set up user authentication using the radius server finally set up the policies in the table above 264

Label description 264

The following table gives an overview of the objects you can configure 264

Uag series user s guide 264

User aware access control example 264

You can configure many policies and security settings for specific users or groups of users users can be authenticated locally by the uag or by an external radius authentication server 264

Set up user accounts 265

Set up user groups 265

Set up user authentication using the radius server 266

Enable web authenticatio 267

Note the users must log in at the web configurator login screen before they can use http or msn 268

User group authentication using the radius server 269

Authentication type screen 271

Add edit an authentication type profile 272

Authentication type screen and click the edit icon to display the screen the screen differs depending on what you select in the type field 272

Chapter 23 web authentication 272

Label description 272

Login page screen 272

The following table describes the labels in this screen 272

Uag series user s guide 272

Web authentication authentication type 272

Chapter 23 web authentication 274

Label description 274

Note you must select a custom file uploaded to the uag before you can preview the pages 274

The following table describes the labels in this screen 274

Uag series user s guide 274

Web authentication authentication type add edit 274

Web authentication authentication type add edit user agreement 274

Web portal customize file screen 274

Chapter 23 web authentication 275

Label description 275

Note you must select a custom file uploaded to the uag before you can preview the pages 275

Uag series user s guide 275

User agreement customize file screen 275

Web authentication authentication type add edit continued 275

Custom web portal user agreement file screen 276

A user must log in before the uag allows the user s access to the internet however with a walled garden you can define one or more web site addresses that all users can access without logging in these can be used for advertisements for example 277

Chapter 23 web authentication 277

Label description 277

The following table describes the labels in this screen 277

Uag series user s guide 277

Walled garden 277

Web authentication custom user agreement file 277

Web authentication custom web portal user agreement file 277

General screen 278

Note you can configure up to 20 walled garden web site links 278

Note you must enable web authentication before you can access the walled garden screens 278

Url base screen 278

Adding editing a walled garden url 279

Chapter 23 web authentication 279

Label description 279

The following table describes the labels in this screen 279

Uag series user s guide 279

Url base screen click add or select an entry and click the edit to open the add edit walled garden url screen use this screen to configure a walled garden web site url entry 279

Walled garden url base 279

Walled garden url based 279

Chapter 23 web authentication 280

Domain ip base screen 280

Label description 280

The following table describes the labels in this screen 280

Uag series user s guide 280

Use this screen to configure walled garden web site links which use a wildcard domain name or an ip address these links will not display in the login page 280

Walled garden and then select the domain ip base tab to display the screen 280

Walled garden url base add edit 280

Adding editing a walled garden domain or ip 281

Chapter 23 web authentication 281

Domain ip base screen click add or select an entry and click the edit to open the add edit walled garden domain ip screen use this screen to configure the domain name or ip address entry for a walled garden web site 281

Label description 281

The following table describes the labels in this screen 281

Uag series user s guide 281

Walled garden domain ip base 281

Walled garden domain ip based 281

Chapter 23 web authentication 282

Label description 282

The following figure shows the user login screen with two walled garden links the links are named walledgardenlink1 through 2 for demonstration purposes 282

The following table describes the labels in this screen 282

Uag series user s guide 282

Walled garden domain ip base add edit 282

Walled garden login example 282

Advertisement screen 283

Add edit 284

Adding editing an advertisement url 284

Advertisement 284

Advertisement and then the add or edit icon in the advertisement summary section to open the add edit advertisement url screen use this screen to configure an advertisement address entry 284

Chapter 23 web authentication 284

Label description 284

Note this feature works only when you enable web authentication 284

Note you can create up to 20 advertisement url entries the uag randomly picks one and open the specified web site in a new frame when an authenticated user is attempts to access the internet 284

The following table gives an overview of the objects you can configure 284

Uag series user s guide 284

Add edit 285

Chapter 23 web authentication 285

Label description 285

The following table gives an overview of the objects you can configure 285

Uag series user s guide 285

Overview 286

What you can do in this chapter 286

A dedicated rtls ssid is recommended 287

At least three aps managed by the uag the more aps the better since it increases the amount of information the ekahau rtls controller has for calculating the location of the tags 287

Before you begin 287

Chapter 24 rtls 287

Configuring rtls 287

Ekahau rtls controller in blink mode with tzsp updater enabled 287

For example if the ekahau rtls controller is behind a firewall open ports 8550 8553 and 8569 to allow traffic the aps send to reach the ekahau rtls controller 287

Ip addresses for the ekahau wi fi tags 287

Port number type description 287

Rtls to open this screen use this screen to turn rtls real time location system on or off and specify the ip address and server port of the ekahau rtls controller 287

Security policies to allow rtls traffic if the uag security policy control is enabled or the ekahau rtls controller is behind a firewall 287

Table 127 rtls traffic port numbers 287

The following table lists default port numbers and types of packets rtls uses 287

Uag series user s guide 287

You need 287

Chapter 24 rtls 288

Label description 288

The following table describes the labels in this screen 288

Uag series user s guide 288

Overview 289

Security policy 289

What you can do in this chapter 289

Default security policy behavior 290

Note intra zone traffic such as lan to lan traffic or wan to wan traffic can also be blocked by the zone configuration see section 34 on page 397 for details 290

Stateful inspection 290

To device rules 290

What you need to know 290

Asymmetrical routes 291

Finding out more 291

Global security policies 291

Security policy control screen 291

Security policy rule criteria 291

Session limits 291

User specific security policies 291

Configuring the security policy control screen 292

Chapter 25 security policy 293

Label description 293

Note allowing asymmetrical routes may let traffic from the wan go directly to the lan without passing through the uag a better solution is to use virtual interfaces to put the uag and the backup gateway on separate subnets 293

Policy control 293

The following table describes the labels in this screen 293

Uag series user s guide 293

Add edit policy control rule 294

Chapter 25 security policy 294

In the policy control screen click the add icon or select a rule and click edit to display this screen 294

Label description 294

Policy control continued 294

Uag series user s guide 294

Add edit 295

Chapter 25 security policy 295

Label description 295

The following table describes the labels in this screen 295

Uag series user s guide 295

Add edit continued 296

Chapter 25 security policy 296

Label description 296

Note if you specified a source ip address group instead of any in the field below the user s ip address should be within the ip address range 296

Session control screen 296

Session control to display the security policy session control screen use this screen to limit the number of concurrent nat security policy sessions a client can use you can apply a default limit for all users and individual limits for specific users addresses or both the individual limit takes priority if you apply both 296

Uag series user s guide 296

Chapter 25 security policy 297

Label description 297

Session control 297

The following table describes the labels in this screen 297

Uag series user s guide 297

Add edit 298

Add edit a session limit rule 298

Chapter 25 security policy 298

Label description 298

Session control continued 298

Session control screen click the add icon or select an entry and click the edit icon to display the add edit session limit screen use this screen to configure rules that define a session limit for specific users or addresses 298

The following table describes the labels in this screen 298

Uag series user s guide 298

Add edit continued 299

Address to configure an address object configure it as follows and click ok 299

Chapter 25 security policy 299

Figure 211 security policy example security policy control screen 299

Label description 299

Note if you specified an ip address or address group instead of any in the field below the user s ip address should be within the ip address range 299

Policy control in the summary of security policies click add to configure a new first entry the sequence priority of the policies is important since they are applied in order 299

Security policy configuration example 299

The following internet security policy example allows doom players from the wan to ip addresses 172 6 0 through 172 6 5 dest_1 on the lan 299

Uag series user s guide 299

Security policy example applications 301

Chapter 25 security policy 303

Table 136 limited lan1 to wan irc traffic example 2 303

The first row allows any lan1 computer to access the irc service on the wan by logging into the uag with the ceo s user name 303

The policy for the ceo must come before the policy that blocks all lan1 to wan irc traffic if the policy that blocks all lan1 to wan irc traffic came first the ceo s irc traffic would match that policy and the uag would drop it and not check any other security policies 303

The second row blocks lan1 access to the irc service on the wan 303

The third row is the security policy s default policy of allowing all traffic from the lan1 to go to the wan 303

Uag series user s guide 303

User source destination schedule service action 303

Your security policy would have the following configuration 303

Billing 304

Overview 304

What you can do in this chapter 304

What you need to know 304

The general screen 305

Chapter 26 billing 306

General continued 306

Label description 306

Note this works only for free guest accounts or when the accounting method is time to finish 306

Uag series user s guide 306

Billing profile 307

Billing profile to open the following screen 307

Chapter 26 billing 307

Label description 307

The billing profile screen 307

The following table describes the labels in this screen 307

Uag series user s guide 307

Billing profile and then the preview button to open this screen you can also open this screen by logging into the web configurator with the guest manager account 308

Billing profile continued 308

Chapter 26 billing 308

Label description 308

The account generator screen 308

The account generator screen allows you to automatically create dynamic guest accounts see section 7 on page 103 and dynamic guest accounts on page 400 for more information on dynamic guest accounts 308

Uag series user s guide 308

Chapter 26 billing 309

Figure 220 account generator 309

Label description 309

Table 139 account generator 309

The following table describes the labels in this screen 309

Uag series user s guide 309

Chapter 26 billing 310

Label description 310

Sms screen you can enter the user s mobile phone number and click send sms to send the account information in an sms text message to the user s mobile phone click cancel to close this window when you are finished viewing it 310

Table 139 account generator continued 310

Uag series user s guide 310

The account redeem screen 311

Chapter 26 billing 312

Figure 221 account redeem 312

Label description 312

Note once the time allocated to a dynamic account is used up or a dynamic account remains un used after the expiration time the account is deleted from the account list 312

Table 140 account redeem 312

The following table describes the labels in this screen 312

Uag series user s guide 312

Add edit 313

Billing profile and then an add or edit icon to open this screen 313

Chapter 26 billing 313

Label description 313

Table 140 account redeem continued 313

The billing profile add edit screen 313

The following table describes the labels in this screen 313

Uag series user s guide 313

Add edit continued 314

Chapter 26 billing 314

Discount to open the following screen 314

Label description 314

Note the discount price plan does not apply to users who purchase access time online with a credit card 314

Note the priority setting here has priority over the priority setting in a bandwidth management rule 314

Note when the limit is exceeded the user is not allowed to access the internet through the uag 314

The discount screen 314

Uag series user s guide 314

Chapter 26 billing 315

Discount 315

Label description 315

The following table describes the labels in this screen 315

Uag series user s guide 315

The discount add edit screen 316

The payment service general screen 316

Chapter 26 billing 317

General 317

Label description 317

Note after you set up web authentication policies and enable the online payment service on the uag a link displays in the login screen when users try to access the internet the link redirects users to a screen where they can make online payments by credit card to purchase access time and get dynamic guest account information 317

The following table describes the labels in this screen 317

Uag series user s guide 317

The payment service desktop view mobile view screen 318

Chapter 26 billing 321

Desktop view or mobile view 321

Label description 321

The following table describes the labels in this screen 321

Uag series user s guide 321

Overview 322

Printer 322

The general setting screen 322

What you can do in this chapter 322

Chapter 27 printer 323

General 323

Label description 323

The following table describes the labels in this screen 323

Uag series user s guide 323

Add edit printer rule 324

Chapter 27 printer 324

General add edit 324

General continued 324

General screen and click the edit icon to open the following screen use this screen to add a new printer or modify the printer s settings 324

Label description 324

The following table describes the labels in this screen 324

Uag series user s guide 324

Chapter 27 printer 325

Label description 325

Printout configuration 325

Printout configuration to open the following screen 325

The following table describes the labels in this screen 325

The printout configuration screen 325

Uag series user s guide 325

Chapter 27 printer 326

General setting to manually configure a printer s ip address and add it to the managed printer list when the printer is not detected or connected to the uag 326

Label description 326

Note you cannot edit an entry s settings when the printer status is sync fail or sync progressing 326

Printer manager 326

Printer manager to display this screen 326

The following table describes the labels in this screen 326

The printer manager screen 326

Uag series user s guide 326

Chapter 27 printer 327

Edit printer manager 327

Label description 327

Printer manager continued 327

Printer manager edit 327

Printer manager screen and click the edit icon to open the following screen use this screen to modify the printer s nickname and ip address 327

The following table describes the labels in this screen 327

Uag series user s guide 327

Daily account summary 328

Key combinations 328

Note you must press the key combination on the sp350e within five seconds to print 328

Reports overview 328

Chapter 27 printer 329

Figure 233 daily account example 329

Figure 234 monthly account example 329

Key combination a b c b a 329

Monthly account summary 329

The following figure shows an example 329

The monthly account report lists the accounts printed during the current month the current month s total number of accounts and the total charge it covers the accounts that have been printed during the current month starting from midnight of the first day of the current month not the past one month period for example if you press the monthly account key combination on 2013 05 17 at 20 00 00 the monthly account report includes the accounts created from 2013 05 01 at 00 00 01 to 2013 05 17 at 19 59 59 329

Uag series user s guide 329

Account report notes 330

Chapter 27 printer 330

Dynamic guest screen to see the accounts generated on another day or month up to 2000 entries total 330

Figure 235 system status example 330

For example if 2030 accounts each priced at 1 have been created from 2013 05 01 00 00 00 to 2013 05 31 19 59 59 the monthly account report includes the latest 2000 accounts so the total would be 2 000 instead of 2 030 330

Key combination a b c c a 330

Label description 330

System status 330

Table 152 system status 330

The daily monthly or last month account report holds up to 2000 entries if there are more than 2000 accounts created in the same month or same day the account report s calculations only include the latest 2000 330

The following figure shows an example 330

The following table describes the labels in this report 330

This report shows the current system information such as the host name and wan ip address 330

Uag series user s guide 330

Chapter 27 printer 331

Label description 331

Table 152 system status continued 331

Uag series user s guide 331

Free time 332

Overview 332

The free time screen 332

What you can do in this chapter 332

Chapter 28 free time 333

Free time 333

Label description 333

Note after you set up web authentication policies and enable the free time feature on the uag a link displays in the login screen when users try to access the internet the link redirects users to a screen where they can get a free account 333

Sms screen to send text messages to the user s mobile device 333

The following table describes the labels in this screen 333

Uag series user s guide 333

Example 335

Overview 336

The sms screen 336

What you can do in this chapter 336

Chapter 29 sms 337

Label description 337

Note you must subscribe to the sms service before you can use the service to send a text message 337

Sms uag2100 337

The following table describes the labels in this screen 337

Uag series user s guide 337

Ipsec vpn 338

Virtual private networks vpn overview 338

What you can do in this chapter 338

Before you begin 339

Finding out more 339

What you need to know 339

Chapter 30 ipsec vpn 340

Each field is discussed in the following table see section 30 on page 341 for more information 340

In a vpn gateway the uag and remote ipsec router can use certificates to authenticate each other make sure the uag and the remote ipsec router will trust each other s certificates see chapter 44 on page 467 340

Ipsec vpn to open the vpn connection screen the vpn connection screen lists the vpn connection policies and their associated vpn gateway s and various settings in addition it also lets you activate or deactivate and connect or disconnect each vpn connection each ipsec sa click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 340

Label description 340

The vpn connection screen 340

Uag series user s guide 340

Vpn connection 340

The vpn connection add edit screen 341

Add edit 343

Chapter 30 ipsec vpn 343

Each field is described in the following table 343

Label description 343

Uag series user s guide 343

Add edit continued 344

Chapter 30 ipsec vpn 344

Label description 344

Uag series user s guide 344

Add edit continued 345

Chapter 30 ipsec vpn 345

Label description 345

Uag series user s guide 345

Add edit continued 346

Chapter 30 ipsec vpn 346

Label description 346

Uag series user s guide 346

Chapter 30 ipsec vpn 347

Each field is discussed in the following table see section 30 on page 348 for more information 347

Label description 347

The vpn gateway screen 347

Uag series user s guide 347

Vpn gateway 347

Vpn gateway the following screen appears 347

The vpn gateway add edit screen 348

Add edit 350

Chapter 30 ipsec vpn 350

Each field is described in the following table 350

Label description 350

Note the uag and remote ipsec router must use the same authentication method to establish the ike sa 350

Uag series user s guide 350

Add edit continued 351

Chapter 30 ipsec vpn 351

Label description 351

Note the ipsec routers must trust each other s certificates 351

Uag series user s guide 351

Add edit continued 352

Chapter 30 ipsec vpn 352

Label description 352

Note if peer id type is ipv4 please read the rest of this section 352

Uag series user s guide 352

Add edit continued 353

Chapter 30 ipsec vpn 353

Label description 353

Uag series user s guide 353

Ike sa overview 354

Ike sa proposal 354

Ip addresses of the uag and remote ipsec router 354

Ipsec vpn background information 354

Note both routers must use the same negotiation mode 354

Diffie hellman dh key exchange 355

Note both routers must use the same encryption algorithm authentication algorithm and dh key group 355

Authentication 356

Note the uag and the remote ipsec router must use the same pre shared key 356

Additional topics for ike sa 357

Negotiation mode 357

Note the uag s local and peer id type and content must match the remote ipsec router s peer and local id type and content respectively 357

Extended authentication 358

Vpn nat and nat traversal 358

Active protocol 359

Certificates 359

Ipsec sa overview 359

Local network and remote network 359

Note the ipsec sa stays connected even if the underlying ike sa is not available anymore 359

Note the uag and remote ipsec router must use the same active protocol 359

Note you must set up the certificates for the uag and remote ipsec router first 359

Encapsulation 360

Ipsec sa proposal and perfect forward secrecy 360

Note the uag and remote ipsec router must use the same encapsulation 360

Additional topics for ipsec sa 361

Nat for inbound and outbound traffic 361

Source address in outbound packets outbound traffic source nat 361

Destination address in inbound packets inbound traffic destination nat 362

Ipsec vpn example 362

Source address in inbound packets inbound traffic source nat 362

68 24 172 6 24 363

Lan lan 363

Set up the vpn gateway that manages the ike sa 363

Set up the vpn connection that manages the ipsec sa 364

Bandwidth management 366

Overview 366

What you can do in this chapter 366

What you need to know 366

Connection and packet directions 367

Diffserv and dscp marking 367

Bandwidth management priority 368

Bwm bwm 368

Connection 368

Inbound 368

Outbound 368

Outbound and inbound bandwidth limits 368

Bandwidth management behavior 369

Bwm 1000 kbps 369

Configured rate effect 369

Maximize bandwidth usage 369

Priority effect 369

Finding out more 370

Maximize bandwidth usage effect 370

Priority and over allotment of bandwidth effect 370

The bandwidth management screen 370

Chapter 31 bandwidth management 371

Label description 371

The following table describes the labels in this screen see section 31 on page 372 for more information as well 371

Uag series user s guide 371

Bwm continued 372

Bwm screen see section 31 on page 370 and click either the add icon or an edit icon 372

Chapter 31 bandwidth management 372

Label description 372

The bandwidth management add edit screen 372

Uag series user s guide 372

Add edit 374

Chapter 31 bandwidth management 374

Label description 374

The following table describes the labels in this screen 374

Uag series user s guide 374

Add edit 375

Chapter 31 bandwidth management 375

Label description 375

Uag series user s guide 375

Application patrol 376

Overview 376

What you can do in this chapter 376

What you need to know 376

Application patrol profile 377

Custom ports for sip and the sip alg 377

Finding out more 377

Note the uag allows the first eight packets to go through the security policy regardless of the application patrol policy for the application the uag examines these first eight packets to identify the application 377

Note you must register for the apppatrol signature service at least the trial before you can use it 377

Add edit application patrol profile 378

Chapter 32 application patrol 378

Label description 378

Profile 378

Profile then click add to create a new profile rule or click an existing profile and click edit or double click it to open the following screen 378

The following table describes the labels in this screen 378

Uag series user s guide 378

Add edit 379

Chapter 32 application patrol 379

Label description 379

The following table describes the labels in this screen 379

Uag series user s guide 379

Add edit application 380

Add edit application patrol profile rule application 380

Add edit continued 380

Chapter 32 application patrol 380

Click add or edit under profile management in the previous screen to display the following screen 380

Label description 380

The following table describes the labels in this screen 380

Uag series user s guide 380

Content filtering 381

Overview 381

What you can do in this chapter 381

What you need to know 381

Before you begin 382

Content filtering configuration guidelines 382

External web filtering service 382

Finding out more 382

Keyword blocking url checking 382

Content filter profile screen 383

Chapter 33 content filtering 384

Label description 384

Profile continued 384

Uag series user s guide 384

Add edit content filter profile 385

Category service 385

Category service 386

Chapter 33 content filtering 386

Label description 386

The following table describes the labels in this screen 386

Uag series user s guide 386

Category service continued 387

Chapter 33 content filtering 387

Label description 387

Uag series user s guide 387

Category service continued 388

Chapter 33 content filtering 388

Custom service 388

Custom service to open the custom service screen you can create a list of good allowed web site addresses and a list of bad blocked web site addresses you can also block web sites based on whether the web site s address contains a keyword use this screen to add or remove specific sites or keywords from the filter list 388

Label description 388

Uag series user s guide 388

Chapter 33 content filtering 389

Custom service 389

Label description 389

The following table describes the labels in this screen 389

Uag series user s guide 389

Chapter 33 content filtering 390

Custom service continued 390

Label description 390

Uag series user s guide 390

Chapter 33 content filtering 391

Content filter trusted web sites screen 391

Custom service continued 391

Label description 391

Trusted web sites to open the trusted web sites screen you can create a common list of good allowed web site addresses when you configure filter profiles you can select the option to check the common trusted web sites list use this screen to add or remove specific sites from the filter list 391

Uag series user s guide 391

Chapter 33 content filtering 392

Content filter forbidden web sites screen 392

Forbidden web sites to open the forbidden web sites screen you can create a common list of bad blocked web site addresses when you configure filter profiles you can select the option to check the common forbidden web sites list use this screen to add or remove specific sites from the filter list 392

Label description 392

The following table describes the labels in this screen 392

Trusted web sites 392

Uag series user s guide 392

Chapter 33 content filtering 393

Content filter technical reference 393

External content filter server lookup procedure 393

Forbidden web sites 393

Label description 393

The content filter lookup process is described below 393

The following table describes the labels in this screen 393

This section provides content filtering background information 393

Uag series user s guide 393

What you can do in this chapter 395

What you need to know 395

Zones overview 395

Extra zone traffic 396

Inter zone traffic 396

Intra zone traffic 396

The zone screen 396

Add edit zone 397

Chapter 34 zones 397

Label description 397

The following table describes the labels in this screen 397

The zone edit screen allows you to add or edit a zone to access this screen go to the zone screen see section 34 on page 396 and click the add icon or an edit icon 397

Uag series user s guide 397

Zone add 397

Add edit 398

Chapter 34 zones 398

Label description 398

The following table describes the labels in this screen 398

Uag series user s guide 398

Overview 399

User group 399

What you can do in this chapter 399

What you need to know 399

Dynamic guest accounts 400

Ext group user accounts 400

Ext user accounts 400

Note if the uag tries to authenticate an ext user using the local database the attempt always fails 400

Note the default admin account is always authenticated locally regardless of the authentication method setting see chapter 43 on page 464 for more information about authentication methods 400

Finding out more 401

Note you cannot put access users and admin users in the same user group 401

Note you cannot put the default admin account into any user group 401

Pre subscriber accounts 401

User awareness 401

User groups 401

User summary screen 401

Chapter 35 user group 402

Enter a user name from 1 to 31 characters 402

Label description 402

Rules for user names 402

The following table describes the labels in this screen 402

The user add edit screen allows you to create a new user account or edit an existing one 402

Uag series user s guide 402

User add edit screen 402

Add edit 403

Alphanumeric a z 0 9 there is no unicode support 403

Chapter 35 user group 403

Dashes 403

Here are the reserved user names 403

The first character must be alphabetical a z a z an underscore _ or a dash other limitations on user names are 403

The user name can only contain the following characters 403

To access this screen go to the user screen see section 35 on page 401 and click either the add icon or an edit icon 403

Uag series user s guide 403

User names are case sensitive if you enter a user bob but use bob when connecting via cifs or ftp it will use the account settings used for bob not bob 403

User names have to be different than user group names 403

_ underscores 403

Add edit 404

Chapter 35 user group 404

Label description 404

The following table describes the labels in this screen 404

Uag series user s guide 404

Add edit continued 405

Chapter 35 user group 405

Group add edit screen 405

Label description 405

The following table describes the labels in this screen see section 35 on page 405 for more information as well 405

The group add edit screen allows you to create a new user group or edit an existing one to access this screen go to the group screen see section 35 on page 405 and click either the add icon or an edit icon 405

Uag series user s guide 405

User group summary screen 405

Chapter 35 user group 406

Label description 406

Setting 406

The following table describes the labels in this screen 406

The setting screen controls default settings login settings lockout settings and other user settings for the uag you can also use this screen to specify when users must log in to the uag before it routes traffic for them 406

Uag series user s guide 406

User group setting screen 406

Chapter 35 user group 407

Label description 407

Setting 407

The following table describes the labels in this screen 407

Uag series user s guide 407

Chapter 35 user group 408

Label description 408

Setting continued 408

Uag series user s guide 408

Chapter 35 user group 409

Default user settings edit screens 409

Label description 409

Setting continued 409

Setting screen see section 35 on page 406 and select one of the default settings section s entry and click the edit icons 409

The edit user default settings screen allows you to set the default authentication timeout settings for the selected type of user account these default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings you can still manually configure any user account s authentication timeout settings 409

Uag series user s guide 409

Access users cannot use the web configurator to browse the configuration of the uag instead after access users log into the uag the following status screen appears 410

Chapter 35 user group 410

Figure 276 web configurator for non admin users 410

Label description 410

The following table describes the labels in this screen 410

Uag series user s guide 410

User aware login example 410

Chapter 35 user group 411

Label description 411

Mac address 411

Mac address screen 411

Mac address to open this screen 411

Note you need to configure an ssid security profile s mac authentication settings to have the ap use the uag s local database to authenticate wireless clients by their mac addresses 411

Table 184 web configurator for non admin users 411

The following table describes the labels in this screen 411

Uag series user s guide 411

Add edit 412

Add edit mac address 412

Chapter 35 user group 412

Label description 412

Mac address 412

The following table describes the labels in this screen 412

Uag series user s guide 412

Use this screen to configure the wireless client s mac address and save it into the uag s local user database for mac authentication 412

Creating a large number of ext user accounts 413

Setting up user attributes in an external server 413

User group technical reference 413

Ap profile 414

Overview 414

What you can do in this chapter 414

What you need to know 414

Ieee 802 x 415

Radio screen 415

Wpa and wpa2 415

Chapter 36 ap profile 416

Label description 416

The following table describes the labels in this screen 416

Uag series user s guide 416

Add edit radio profile 417

Add edit radio profile 418

Chapter 36 ap profile 418

Label description 418

The following table describes the labels in this screen 418

Uag series user s guide 418

Add edit radio profile continued 419

Chapter 36 ap profile 419

Label description 419

Note reducing the output power also reduces the uag s effective broadcast radius 419

Uag series user s guide 419

Add edit radio profile continued 420

Chapter 36 ap profile 420

Label description 420

Ssid list 420

Ssid screen 420

The ssid screens allow you to configure three different types of profiles for your networked aps an ssid list which can assign specific ssid configurations to your aps a security list which can assign specific encryption methods to the aps when allowing wireless clients to connect to them and a mac filter list which can limit connections to an ap based on wireless clients mac addresses 420

This screen allows you to create and manage ssid configurations that can be used by the aps an ssid or service set identifier is basically the name of the wireless network to which a wireless client can connect the ssid appears as readable text to any device capable of scanning for wireless frequencies such as the wifi adapter in a laptop and is displayed as the wireless network name when a person makes a connection to it 420

Uag series user s guide 420

Chapter 36 ap profile 421

Label description 421

Ssid list 421

The following table describes the labels in this screen 421

Uag series user s guide 421

Add edit ssid profile 422

Chapter 36 ap profile 422

Label description 422

Note it is highly recommended that you create security profiles for all of your ssids to enhance your network security 422

Ssid list add edit ssid profile 422

The following table describes the labels in this screen 422

This screen allows you to create a new ssid profile or edit an existing one to access this screen click the add button or select an ssid profile from the list and click the edit button 422

Uag series user s guide 422

Chapter 36 ap profile 423

Label description 423

Ssid list add edit ssid profile continued 423

Uag series user s guide 423

Chapter 36 ap profile 424

Label description 424

Security list 424

Ssid list add edit ssid profile continued 424

The following table describes the labels in this screen 424

This screen allows you to manage wireless security configurations that can be used by your ssids wireless security is implemented strictly between the ap broadcasting the ssid and the stations that are connected to it 424

Uag series user s guide 424

Add edit security profile 425

Note this screen s options change based on the security mode selected only the default screen is displayed here 425

Add edit security profile 426

Chapter 36 ap profile 426

Label description 426

Uag series user s guide 426

Add edit security profile 427

Chapter 36 ap profile 427

Label description 427

Uag series user s guide 427

Add edit mac filter profile 428

Mac filter list 428

Add edit mac filter profile 429

Chapter 36 ap profile 429

Label description 429

The following table describes the labels in this screen 429

Uag series user s guide 429

Mon profile 430

Overview 430

What you can do in this chapter 430

What you need to know 430

Add edit mon profile 431

Chapter 37 mon profile 431

Label description 431

Mon profile 431

The following table describes the labels in this screen 431

This screen allows you to create a new monitor mode profile or edit an existing one to access this screen click the add button or select and existing monitor mode profile and click the edit button 431

Uag series user s guide 431

Add edit mon profile 432

Chapter 37 mon profile 432

Label description 432

The following table describes the labels in this screen 432

Uag series user s guide 432

Rogue aps 433

Technical reference 433

Friendly aps 434

Application 435

Overview 435

Application screen 436

What you can do in this chapter 436

Add application rule 437

Application continued 437

Application to create a new application rule in the first screen you type a name to identify this application object and write an optional brief description of it 437

Chapter 38 application 437

Label description 437

Uag series user s guide 437

You then click add again to choose the signatures that should go into this object 437

Add application object by category or service 438

Add application rule 438

Add application rule use this screen to choose the signatures that should go into this object 438

Add by category 438

Chapter 38 application 438

Label description 438

The following table describes the labels in this screen 438

Uag series user s guide 438

Add application object 439

Add by service 439

Chapter 38 application 439

Label description 439

The following table describes the labels in this screen 439

Uag series user s guide 439

Application group 440

Application group screen 440

Chapter 38 application 440

Label description 440

The following table describes the labels in this screen 440

Uag series user s guide 440

Add application group rule 441

Application group continued 441

Application group use this screen to select already created application rules and combine them as a single new rule 441

Chapter 38 application 441

Label description 441

The following table describes the labels in this screen 441

Uag series user s guide 441

Address summary screen 442

Addresses 442

Overview 442

What you can do in this chapter 442

What you need to know 442

Address 443

Address add edit screen 443

Address add edit screen allows you to create a new address or edit an existing one to access this screen go to the address screen see section 39 on page 442 and click either the add icon or an edit icon in the configuration section 443

Chapter 39 addresses 443

Label description 443

The following table describes the labels in this screen see section 39 on page 443 for more information as well 443

Uag series user s guide 443

Add edit 444

Address group click a column s heading cell to sort the table entries by that column s criteria click the heading cell again to reverse the sort order 444

Address group summary screen 444

Chapter 39 addresses 444

Label description 444

Note the uag automatically updates address objects that are based on an interface s ip address subnet or gateway if the interface s ip address settings change for example if you change lan1 s ip address the uag automatically updates the corresponding interface based lan subnet address object 444

The following table describes the labels in this screen 444

Uag series user s guide 444

Address group add edit screen 445

Chapter 39 addresses 446

Label description 446

The following table describes the labels in this screen 446

Uag series user s guide 446

Overview 447

Services 447

What you can do in this chapter 447

What you need to know 447

Service objects and service groups 448

The service summary screen 448

Chapter 40 services 449

Label description 449

Service 449

The following table describes the labels in this screen 449

The service add edit screen 449

The service add edit screen allows you to create a new service or edit an existing one to access this screen go to the service screen see section 40 on page 448 and click either the add icon or an edit icon 449

Uag series user s guide 449

Chapter 40 services 450

Label description 450

Service group 450

The following table describes the labels in this screen 450

The service group summary screen 450

The service group summary screen provides a summary of all service groups in addition this screen allows you to add edit and remove service groups 450

Uag series user s guide 450

Chapter 40 services 451

Label description 451

Service group 451

The following table describes the labels in this screen see section 40 on page 451 for more information as well 451

The service group add edit screen 451

The service group add edit screen allows you to create a new service group or edit an existing one to access this screen go to the service group screen see section 40 on page 450 and click either the add icon or an edit icon 451

Uag series user s guide 451

Chapter 40 services 452

Label description 452

The following table describes the labels in this screen 452

Uag series user s guide 452

Overview 453

Schedules 453

What you can do in this chapter 453

What you need to know 453

Chapter 41 schedules 454

Label description 454

Schedule 454

The following table describes the labels in this screen see section 41 on page 455 and section 41 on page 456 for more information as well 454

The schedule summary screen 454

Uag series user s guide 454

Chapter 41 schedules 455

Edit one time 455

Label description 455

The following table describes the labels in this screen 455

The one time schedule add edit screen 455

The one time schedule add edit screen allows you to define a one time schedule or edit an existing one to access this screen go to the schedule screen see section 41 on page 454 and click either the add icon or an edit icon in the one time section 455

Uag series user s guide 455

Chapter 41 schedules 456

Edit recurring 456

Label description 456

The recurring schedule add edit screen 456

The recurring schedule add edit screen allows you to define a recurring schedule or edit an existing one to access this screen go to the schedule screen see section 41 on page 454 and click either the add icon or an edit icon in the recurring section 456

The year month and day columns are not used in recurring schedules and are disabled in this screen the following table describes the remaining labels in this screen 456

Uag series user s guide 456

Chapter 41 schedules 457

Label description 457

Schedule group 457

The following table describes the fields in the above screen 457

The schedule group add edit screen 457

The schedule group add edit screen allows you to define a schedule group or edit an existing one to access this screen go to the schedule screen see and click either the add icon or an edit icon in the schedule group section 457

The schedule group summary screen 457

Uag series user s guide 457

Chapter 41 schedules 458

Label description 458

The following table describes the fields in the above screen 458

Uag series user s guide 458

Aaa server 459

Overview 459

Radius server 459

What you can do in this chapter 459

What you need to know 459

Adding editing a radius server 460

Radius server summary 460

Add edit 461

Chapter 42 aaa server 461

Label description 461

The following table describes the labels in this screen 461

Uag series user s guide 461

Add edit continued 462

Chapter 42 aaa server 462

Label description 462

Uag series user s guide 462

Add edit continued 463

Chapter 42 aaa server 463

Label description 463

Uag series user s guide 463

Authentication method 464

Authentication method objects 464

Before you begin 464

Overview 464

What you can do in this chapter 464

Creating an authentication method object 465

Note you can not select two server objects of the same type 465

Chapter 43 authentication method 466

Label description 466

The following table describes the labels in this screen 466

Uag series user s guide 466

Certificates 467

Overview 467

What you can do in this chapter 467

What you need to know 467

Advantages of certificates 468

Certificate file formats 468

Factory default certificate 468

Self signed certificates 468

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 469

Verifying a certificate 469

Chapter 44 certificates 470

Label description 470

My certificates 470

My certificates to open the my certificates screen this is the uag s summary list of certificates and certification requests 470

The following table describes the labels in this screen 470

The my certificates screen 470

Uag series user s guide 470

Use a secure method to verify that the certificate owner has the same information in the thumbprint algorithm and thumbprint fields the secure method may very based on your situation possible examples would be over the telephone or through an https connection 470

Chapter 44 certificates 471

Label description 471

My certificates and then the add icon to open the my certificates add screen use this screen to have the uag create a self signed certificate enroll a certificate with a certification authority or generate a certification request 471

My certificates continued 471

The my certificates add screen 471

Uag series user s guide 471

Chapter 44 certificates 472

Label description 472

The following table describes the labels in this screen 472

Uag series user s guide 472

Add continued 473

Chapter 44 certificates 473

Label description 473

My certificates and then the edit icon to open the my certificate edit screen you can use this screen to view in depth certificate information and change the certificate s name 473

The my certificates edit screen 473

Uag series user s guide 473

Chapter 44 certificates 474

Label description 474

The following table describes the labels in this screen 474

Uag series user s guide 474

Chapter 44 certificates 475

Edit continued 475

Label description 475

Uag series user s guide 475

Chapter 44 certificates 476

Edit continued 476

Import to open the my certificate import screen follow the instructions in this screen to save an existing certificate to the uag 476

Label description 476

Note you can import a certificate that matches a corresponding certification request that was generated by the uag you can also import a certificate in pkcs 12 format including the certificate s public and private keys 476

The certificate you import replaces the corresponding request in the my certificates screen 476

The my certificates import screen 476

Uag series user s guide 476

You must remove any spaces from the certificate s filename before you can import it 476

Chapter 44 certificates 477

Import 477

Label description 477

The following table describes the labels in this screen 477

The trusted certificates screen 477

Trusted certificates to open the trusted certificates screen this screen displays a summary list of certificates that you have set the uag to accept as trusted the uag also accepts any valid certificate signed by a certificate on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certificates 477

Uag series user s guide 477

Chapter 44 certificates 478

Label description 478

The following table describes the labels in this screen 478

Trusted certificates 478

Uag series user s guide 478

The trusted certificates edit screen 479

Chapter 44 certificates 480

Label description 480

The following table describes the labels in this screen 480

Uag series user s guide 480

Chapter 44 certificates 481

Edit continued 481

Import 481

Import to open the trusted certificates import screen follow the instructions in this screen to save a trusted certificate to the uag 481

Label description 481

Note you must remove any spaces from the certificate s filename before you can import the certificate 481

The trusted certificates import screen 481

Uag series user s guide 481

Chapter 44 certificates 482

Import 482

Label description 482

The following table describes the labels in this screen 482

Uag series user s guide 482

Isp account summary 483

Isp accounts 483

Overview 483

What you can do in this chapter 483

Isp account edit 484

Chapter 45 isp accounts 485

Edit continued 485

Label description 485

Uag series user s guide 485

Overview 486

System 486

What you can do in this chapter 486

Host name 487

Note only connect one usb device it must allow writing it cannot be read only and use the fat16 fat32 ext2 or ext3 file system 487

Note see each section for related background information and term definitions 487

Usb storage 487

Chapter 46 system 488

Date and time 488

Date time the screen displays as shown you can manually set the uag s time and date or have the uag get the date and time from a time server 488

For effective scheduling and logging the uag system time must be accurate the uag s real time chip rtc keeps track of the time and date there is also a software mechanism to set the time manually or get the current time and date from an external server 488

Label description 488

The following table describes the labels in this screen 488

Uag series user s guide 488

Usb storage 488

Chapter 46 system 489

Date and time 489

Label description 489

The following table describes the labels in this screen 489

Uag series user s guide 489

Chapter 46 system 490

Date and time continued 490

Label description 490

Uag series user s guide 490

Pre defined ntp time servers list 491

Time server synchronization 491

Console port speed 492

Configuring the dns screen 493

Dns overview 493

Dns server address assignment 493

Chapter 46 system 494

Label description 494

The following table describes the labels in this screen 494

Uag series user s guide 494

Chapter 46 system 495

Dns continued 495

Label description 495

Uag series user s guide 495

A ptr pointer record is also called a reverse record or a reverse lookup record it is a mapping of an ip address to a domain name 496

Adding an address ptr record 496

Address record 496

An address record contains the mapping of a fully qualified domain name fqdn to an ip address an fqdn consists of a host and domain name for example www zyxel com is a fully qualified domain name where www is the host zyxel is the second level domain and com is the top level domain mail myzyxel com tw is also a fqdn where mail is the host myzyxel is the third level domain com is the second level domain and tw is the top level domain 496

Chapter 46 system 496

Click the add icon in the address ptr record table to add an address ptr record 496

Dns continued 496

Label description 496

Ptr record 496

The uag allows you to configure address records about the uag itself or another device this way you can keep a record of dns names and addresses that people on your network may use frequently if the uag receives a dns query for an fqdn for which the uag has an address record the uag can send the ip address in a dns response without having to query a dns name server 496

Uag series user s guide 496

Adding a cname record 497

Cname record 497

A domain zone forwarder contains a dns server s ip address the uag can query the dns server to resolve domain zones for features like ddns and the time server a domain zone is a fully qualified domain name without the host for example zyxel com tw is the domain zone for the www zyxel com tw fully qualified domain name 498

Adding a domain zone forwarder 498

Chapter 46 system 498

Click the add icon in the domain zone forwarder table to add a domain zone forwarder record 498

Domain zone forwarder 498

Label description 498

The following table describes the labels in this screen 498

Uag series user s guide 498

0 mx record 499

A mx mail exchange record indicates which host is responsible for the mail for a particular domain that is controls where mail is sent for that domain if you do not configure proper mx records for your domain or other domain external e mail from other mail servers will not be able to be delivered to your mail server and vice versa each host or domain can have only one mx record that is one domain is mapping to one host 499

Chapter 46 system 499

Domain zone forwarder add 499

Label description 499

The following table describes the labels in this screen 499

Uag series user s guide 499

1 adding a mx record 500

2 adding a dns service control rule 500

Chapter 46 system 500

Click the add icon in the mx record table to add a mx record 500

Click the add icon in the service control table to add a service control rule 500

Label description 500

Mx record add 500

Service control rule add 500

The following table describes the labels in this screen 500

Uag series user s guide 500

Note to allow the uag to be accessed from a specified computer using a service make sure you do not have a service control rule or to device security policy to block that traffic 501

Service access limitations 501

System timeout 501

Www overview 501

Configuring www service control 502

Note if you disable http in the www screen then the uag blocks all http connection attempts 502

Note admin service control deals with management access to the web configurator user service control deals with user access to the uag logging into a web portal to access the internet for example 503

Chapter 46 system 504

Label description 504

Service control continued 504

Uag series user s guide 504

Chapter 46 system 505

Click add or edit in the service control table in a www ssh telnet ftp or snmp screen to add a service control rule 505

Label description 505

Service control continued 505

Service control rules 505

Uag series user s guide 505

Chapter 46 system 506

Customizing the www login page 506

Label description 506

Login page to open the login page screen use this screen to customize the web configurator login screen you can also customize the page that displays after an access user logs into the web configurator to access network services like the internet see chapter 35 on page 399 for more on access user accounts you can configure both the desktop and mobile versions of the the service pages users click a link in the pages to switch between the two versions 506

The following table describes the labels in this screen 506

Uag series user s guide 506

Chapter 46 system 510

Enter rgb followed by red green and blue values in parenthesis and separate by commas for example use rgb 0 0 0 for black 510

Label description 510

Login page 510

Note use a gif jpg or png of 100 kilobytes or less 510

The following table describes the labels in the screen 510

Uag series user s guide 510

Your desired color should display in the preview screen on the right after you click in another field click apply or press enter if your desired color does not display your browser may not support it try selecting another color 510

Https example 511

Internet explorer warning messages 511

Mozilla firefox warning messages 511

Avoiding browser warning messages 512

Enrolling and importing ssl client certificates 513

Login screen 513

Installing the ca s certificate 514

Installing your personal certificate s 514

Using a certificate when accessing the uag example 517

How ssh works 519

Configuring ssh 520

Requirements for using ssh 520

Ssh implementation on the uag 520

A window displays prompting you to store the host key in you computer click yes to continue 521

Chapter 46 system 521

Configure the ssh client to accept connection using ssh version 1 521

Example 1 microsoft windows 521

Label description 521

Launch the ssh client and specify the connection information ip address port number for the uag 521

Secure telnet using ssh examples 521

Ssh continued 521

This section describes how to access the uag using the secure shell client program 521

This section shows two examples using a command interface and a graphical interface ssh client program to remotely access the uag the configuration and connection steps are similar for most ssh client programs refer to your ssh client program user s guide 521

Uag series user s guide 521

Example 2 linux 522

Chapter 46 system 523

Configuring telnet 523

Label description 523

Telnet 523

Telnet to configure your uag for remote telnet access use this screen to specify from which zones telnet can be used to manage the uag you can also specify from which ip addresses the access can come 523

The following table describes the labels in this screen 523

Uag series user s guide 523

You can use telnet to access the uag s command line interface specify which zones allow telnet access and from which ip address the access can come 523

Chapter 46 system 524

Configuring ftp 524

Ftp tab the screen appears as shown use this screen to specify from which zones ftp can be used to access the uag you can also specify from which ip addresses the access can come 524

Label description 524

Telnet continued 524

Uag series user s guide 524

You can upload and download the uag s firmware and configuration files using ftp to use this feature your computer must have an ftp client please see chapter 48 on page 549 for more information about firmware and configuration files 524

Chapter 46 system 525

Label description 525

Simple network management protocol is a protocol used for exchanging management information between network devices your uag supports snmp agent functionality which allows a manager station to manage and monitor the uag through the network the uag supports snmp version one snmpv1 and version two snmpv2c the next figure illustrates an snmp management operation 525

The following table describes the labels in this screen 525

Uag series user s guide 525

Supported mibs 526

Configuring snmp 527

Snmp traps 527

Auth server tab the screen appears as shown use this screen to enable the authentication server feature of the uag and specify the radius client s ip address 528

Authentication server 528

Chapter 46 system 528

Label description 528

The following table describes the labels in this screen 528

Uag series user s guide 528

Auth server 529

Chapter 46 system 529

Label description 529

The following table describes the labels in this screen 529

Uag series user s guide 529

Add edit 530

Add edit trusted radius client 530

Auth server to display the auth server screen click the add icon or an edit icon to display the following screen use this screen to create a new entry or edit an existing one 530

Chapter 46 system 530

Label description 530

The following table describes the labels in this screen 530

Uag series user s guide 530

Language 531

Zyxel one network zon utility 531

Chapter 46 system 532

Icon description 532

In the zon utility select a device and then use the icons to perform actions the following table describes the icons numbered from left to right in the zon utility screen 532

Label description 532

Table 252 zon utility icons 532

Table 253 zon utility fields 532

The following table describes the fields in the zon utility main screen 532

Uag series user s guide 532

Use this screen to enable zdp and smart connect 532

Zyxel one network zon system screen 532

Chapter 46 system 533

Ethernet neighbor for information on using smart connect link layer discovery protocol lldp for discovering and configuring lldp aware devices in the same broadcast domain as the uag that you re logged into using the web configurator 533

Label description 533

The following table describes the labels in this screen 533

Uag series user s guide 533

Zon to open this screen 533

Email daily report 534

Log and report 534

Overview 534

What you can do in this chapter 534

Chapter 47 log and report 536

Email daily report 536

Label description 536

Log settings screens 536

The following table describes the labels in this screen 536

The log settings screens control log messages and alerts a log message stores the information for viewing or regular e mailing later and an alert is e mailed immediately usually alerts are used for events that require more serious attention such as system errors and attacks 536

Uag series user s guide 536

Log settings summary 537

Chapter 47 log and report 538

Edit system log settings 538

Label description 538

Log settings continued 538

The log settings edit screen controls the detailed settings for each log in the system log which includes the e mail profiles go to the log settings summary screen see section 47 on page 537 and click the system log edit icon 538

Uag series user s guide 538

Chapter 47 log and report 540

Edit system log 540

Label description 540

The following table describes the labels in this screen 540

Uag series user s guide 540

Chapter 47 log and report 541

Edit system log continued 541

Label description 541

Uag series user s guide 541

Edit log on usb storage setting 542

Chapter 47 log and report 543

Edit remote server log settings 543

Edit usb storage continued 543

Label description 543

The log settings edit screen controls the detailed settings for each log in the remote server syslog go to the log settings summary screen see section 47 on page 537 and click a remote server edit icon 543

Uag series user s guide 543

Chapter 47 log and report 545

Edit remote server 545

Label description 545

Log category settings screen 545

The following table describes the labels in this screen 545

This screen allows you to view and to edit what information is included in the system log usb storage e mail profiles and remote servers at the same time it does not let you change other log settings for example where and how often log information is e mailed or remote server names to access this screen go to the log settings summary screen see section 47 on page 537 and click the log category settings button 545

Uag series user s guide 545

Chapter 47 log and report 547

Label description 547

Log category settings 547

The following table describes the fields in this screen 547

Uag series user s guide 547

Chapter 47 log and report 548

Label description 548

Log category settings continued 548

Uag series user s guide 548

File manager 549

Overview 549

What you can do in this chapter 549

What you need to know 549

Comments in configuration files or shell scripts 550

Note exit or must follow sub commands if it is to make the uag exit sub command mode 550

Errors in configuration files or shell scripts 551

The configuration file screen 551

Configuration file flow at restart 552

Do not turn off the uag while configuration file upload is in progress 552

Chapter 48 file manager 553

Configuration file 553

Label description 553

Rename 553

The following table describes the labels in this screen 553

Uag series user s guide 553

Chapter 48 file manager 554

Configuration file continued 554

Label description 554

Uag series user s guide 554

Note the web configurator is the recommended method for uploading firmware you only need to use the command line interface if you need to recover the firmware see the cli reference guide for how to determine if you need to recover the firmware and how to recover it 555

The firmware package screen 555

The firmware update can take up to five minutes do not turn off or reset the uag while the firmware update is in progress 555

Note the uag automatically reboots after a successful upload 556

Note you should include write commands in your scripts if you do not use the write command the changes will be lost when the uag restarts you could use multiple write commands in a long script 557

The shell script screen 557

Chapter 48 file manager 558

Each field is described in the following table 558

Label description 558

Rename 558

Shell script 558

Uag series user s guide 558

Chapter 48 file manager 559

Label description 559

Shell script continued 559

Uag series user s guide 559

Diagnostics 560

Overview 560

The diagnostics screen 560

What you can do in this chapter 560

Chapter 49 diagnostics 561

Diagnostics 561

Files to open the diagnostic files screen this screen lists the files of diagnostic information the uag has collected and stored in a connected usb storage device you may need to send these files to customer support for troubleshooting 561

Label description 561

The diagnostics files screen 561

The following table describes the labels in this screen 561

Uag series user s guide 561

Chapter 49 diagnostics 562

Label description 562

Note new capture files overwrite existing files of the same name change the file suffix field s setting to avoid this 562

Packet capture to open the packet capture screen 562

The following table describes the labels in this screen 562

The packet capture screen 562

Uag series user s guide 562

Chapter 49 diagnostics 563

Label description 563

Packet capture 563

The following table describes the labels in this screen 563

Uag series user s guide 563

Chapter 49 diagnostics 564

Label description 564

Note if you have existing capture files and have not selected the continuously capture and overwrite old ones option you may need to set this size larger or delete existing capture files 564

Note the uag reserves some onboard storage space as a buffer 564

Note the uag reserves some usb storage space as a buffer 564

Packet capture continued 564

Uag series user s guide 564

Chapter 49 diagnostics 565

Files to open the packet capture files screen this screen lists the files of packet captures stored on the uag or a connected usb storage device you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 565

Label description 565

Packet capture continued 565

The following table describes the labels in this screen 565

The packet capture files screen 565

Uag series user s guide 565

The core dump files screen 566

The core dump screen 566

Chapter 49 diagnostics 567

Label description 567

System log to open the system log files screen this screen lists the files of system logs stored on a connected usb storage device the files are in comma separated value csv format you can download them to your computer and open them in a tool like microsoft s excel 567

The following table describes the labels in this screen 567

The system log screen 567

Uag series user s guide 567

Chapter 49 diagnostics 568

Label description 568

Network tool to display this screen 568

System log 568

The following table describes the labels in this screen 568

The network tool screen 568

Uag series user s guide 568

Use this screen to ping or traceroute an ip address 568

Chapter 49 diagnostics 569

Label description 569

Network tool 569

Note new capture files overwrite existing files of the same name change the file prefix field s setting to avoid this 569

The following table describes the labels in this screen 569

The wireless frame capture screen 569

Uag series user s guide 569

Use this screen to capture wireless network traffic going through the ap interfaces connected to your uag studying these frame captures may help you identify network problems 569

Wireless frame capture to display this screen 569

Capture 570

Chapter 49 diagnostics 570

Label description 570

Note if you have existing capture files you may need to set this size larger or delete existing capture files 570

The following table describes the labels in this screen 570

Uag series user s guide 570

Capture continued 571

Chapter 49 diagnostics 571

Files to open this screen this screen lists the files of wireless frame captures the uag has performed you can download the files to your computer where you can study them using a packet analyzer also known as a network or protocol analyzer such as wireshark 571

Label description 571

The following table describes the labels in this screen 571

The wireless frame capture files screen 571

Uag series user s guide 571

Overview 572

Packet flow explore 572

The routing status screen 572

What you can do in this chapter 572

Chapter 50 packet flow explore 576

Label description 576

Routing status 576

Routing status main route 576

The following table describes the labels in this screen 576

Uag series user s guide 576

Chapter 50 packet flow explore 577

Label description 577

Routing status continued 577

Uag series user s guide 577

Note once a packet matches the criteria of an snat rule the uag takes the corresponding action and does not perform any further flow checking 578

The snat status screen 578

Chapter 50 packet flow explore 580

Label description 580

Snat status 580

The following table describes the labels in this screen 580

Uag series user s guide 580

Overview 581

Reboot 581

The reboot screen 581

What you need to know 581

Overview 582

Shutdown 582

The shutdown screen 582

What you need to know 582

Troubleshooting 583

I cannot enter the interface name i want 584

I cannot set up a ppp interface virtual ethernet interface or virtual vlan interface on an ethernet interface 584

I configured security settings but the uag is not applying them for certain interfaces 584

The uag is not applying the custom policy route i configured 584

The uag is not applying the custom security policy i configured 584

I cannot configure a particular vlan interface on top of an ethernet interface even though i have it configured it on top of another ethernet interface 585

I cannot get dynamic dns to work 585

I cannot set up a ppp interface 585

My rules and settings that apply to a particular interface no longer work 585

The uag is not applying an interface s configured ingress bandwidth limit 585

The uag routes and applies snat for traffic from some interfaces but not from others 585

I cannot create a second http redirect rule for an incoming interface 586

I cannot get the radius server to authenticate the uag s default admin account 586

I changed the lan ip address and can no longer access the internet 586

The uag fails to authentication the ext user user accounts i configured 586

The uag keeps resetting the connection 586

I cannot add the admin users to a user group with access users 587

I cannot add the default admin account to a user group 587

I cannot get a certificate to import into the uag 587

Note be careful not to convert a binary file to text during the transfer process it is easy for this to occur since many programs use text files by default 587

The schedule i configured is not being applied at the configured times 587

I can only see newer logs older logs are missing 588

I cannot access the uag from a computer connected to the internet 588

I uploaded a logo to display on the upper left corner of the web configurator login screen and access page but it does not display properly 588

I uploaded a logo to use as the screen or window background but it does not display properly 588

Note exit or must follow sub commands if it is to make the uag exit sub command mode 588

The commands in my configuration file or shell script are not working properly 588

The uag s traffic throughput rate decreased after i started collecting traffic statistics 588

I cannot get the firmware uploaded using the commands 589

My earlier packet capture files are missing 589

My packet capture captured less than i wanted or failed 589

Note this procedure removes the current configuration 589

Resetting the uag 589

Getting more troubleshooting help 590

Customer support 591

Ppendi 591

Austria 592

Europe 592

Malaysia 592

Pakistan 592

Philipines 592

Singapore 592

Taiwan 592

Thailand 592

Vietnam 592

Belarus 593

Belgium 593

Bulgaria 593

Denmark 593

Estonia 593

Finland 593

France 593

Germany 593

Hungary 593

Latvia 593

Lithuania 594

Netherlands 594

Norway 594

Poland 594

Romania 594

Russia 594

Slovakia 594

Sweden 594

Switzerland 594

Argentina 595

Ecuador 595

Latin america 595

Middle east 595

North america 595

Turkey 595

Ukraine 595

Africa 596

Australia 596

Oceania 596

South africa 596

Legal information 597

Ppendi 597

Appendix b legal information 598

Declaration of conformity with regard to eu directive 1999 5 ec r tte directive 598

Déclaration d exposition aux radiations 598

European union 598

Industry canada radiation exposure statement 598

Industry canada rss gen rss 210 statement 598

Uag series user s guide 598

Appendix b legal information 599

National restrictions 599

Uag series user s guide 599

Appendix b legal information 600

List of national codes 600

Safety warnings 600

Uag series user s guide 600

Appendix b legal information 601

Environment statement 601

Erp energy related products 601

Uag series user s guide 601

Weee directive 601

Environmental product declaration 602

Appendix b legal information 603

Open source licenses 603

Registration 603

Uag series user s guide 603

Viewing certifications 603

Zyxel limited warranty 603

台灣 603

Numbers 604

Symbols 604

Zyxel UAG4100 [299/617] Security policy configuration example

Содержание

Похожие устройства