iCard 300U UAG5100 - Licence logicielle et extension ZYXEL - Free user manual and instructions

USER MANUAL iCard 300U UAG5100 ZYXEL

Unified Access Gateway

Version 4.00

Edition 1, 02/2014

User's Guide

Default Login Details

IMPORTANT!

READ CAREFULLY BEFORE USE.

KEEP THIS GUIDE FOR FUTURE REFERENCE.

Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.

Related Documentation

- Quick Start Guide

The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards. (See the wizard real time help for information on configuring each screen.) It also contains a package contents list.

- CLI Reference Guide

The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the UAG.

Note: It is recommended you use the Web Configurator to configure the UAG.

• Web Configurator Online Help

Click the help icon in any screen for help in configuring that screen and supplementary information.

Contents Overview

Introduction 18

Hardware Installation and Connection 32

Printer Deployment 35

Installation Setup Wizard 43

Quick Setup Wizards ....51

Dashboard 66

Monitor 77

Registration 111

Wireless 114

Interfaces 118

Trunks 158

Policy and Static Routes 166

Zones 176

DDNS 180

NAT 185

Chapter 1 Introduction......18

1.1 Overview ...... 18
1.2 Default Zones, Interfaces, and Ports .... 18
1.3 Management Overview ...... 19
1.4 Web Configurator ....20
1.4.1 Web Configurator Access ......20
1.4.2 Web Configurator Screens Overview ......21
1.4.3 Navigation Panel 24
1.4.4 Tables and Lists ....28
1.5 Stopping the UAG ....31

Chapter 2 Hardware Installation and Connection ....32

2.1 Rack-mounting 32
2.2 Front Panel 33
2.2.1 Front Panel LEDs 34
2.3 Rear Panel 34

Chapter 3 Printer Deployment....35

3.1 Overview ...... 35
3.2 Attach the Printer to the UAG 35
3.3 Set up an Internet Connection on the UAG 35
3.4 Allow the UAG to Monitor and Manage the Printer 36
3.5 Turn on Web Authentication on the UAG 38
3.6 Generate a Free Guest Account 40

Chapter 4 Installation Setup Wizard....43

4.1 Installation Setup Wizard Screens 43
4.1.1 Internet Access Setup - WAN Interface 43
4.1.2 Internet Access: Ethernet 44
4.1.3 Internet Access: PPPoE 45
4.1.4 Internet Access: PPTP 47
4.1.5 Internet Access Setup - Second WAN Interface 48

4.1.6 Internet Access - Finish 49

4.2 Device Registration 50

Chapter 5

Quick Setup Wizards....51

5.1 Quick Setup Overview ....51
5.2 WAN Interface Quick Setup .... 51

5.2.1 Choose an Ethernet Interface .... 52
5.2.2 Select WAN Type 52
5.2.3 Configure WAN IP Settings ....53
5.2.4 ISP and WAN Connection Settings ....53
5.2.5 Quick Setup Interface Wizard: Summary 55

5.3 VPN Setup Wizard .... 56

5.3.1 Welcome ....57
5.3.2 VPN Setup Wizard: Wizard Type ....57
5.3.3 VPN Express Wizard - Scenario 58
5.3.4 VPN Express Wizard - Configuration 59
5.3.5 VPN Express Wizard - Summary 59
5.3.6 VPN Express Wizard - Finish 60
5.3.7 VPN Advanced Wizard - Scenario 61
5.3.8 VPN Advanced Wizard - Phase 1 Settings 62
5.3.9 VPN Advanced Wizard - Phase 2 63
5.3.10 VPN Advanced Wizard - Summary 64
5.3.11 VPN Advanced Wizard - Finish 65

Chapter 6

Dashboard 66

6.1 Overview 66

6.1.1 What You Can Do in this Chapter 66

6.2 The Dashboard Screen 66

6.2.1 The CPU Usage Screen 71
6.2.2 The Memory Usage Screen 72
6.2.3 The Active Sessions Screen 73
6.2.4 The VPN Status Screen 73
6.2.5 The DHCP Table Screen ....74
6.2.6 The Number of Login Users Screen 75

Chapter 7

Monitor....77

7.1 Overview 77
7.1.1 What You Can Do in this Chapter 77
7.2 The Port Statistics Screen ....78
7.2.1 The Port Statistics Graph Screen 79

7.3 The Interface Status Screen 80

7.4 The Traffic Statistics Screen 83

7.5 The Session Monitor Screen 85

7.6 The DDNS Status Screen 87

7.7 The IP/MAC Binding Monitor Screen 88

7.8 The Login Users Screen 89

7.9 The UPnP Port Status Screen 90

7.10 The USB Storage Screen 91

7.11 The Dynamic Guest Screen 92

7.12 The AP List Screen 94

7.12.1 Station Count of AP 95

7.13 The Radio List Screen 96

7.13.1 AP Mode Radio Information .....98

7.14 The Station List Screen 99

7.15 The Printer Status Screen 100

7.16 The VPN 1-1 Mapping Status Screen ....101

7.16.1 VPN 1-1 Mapping Statistics ....102

7.17 The IPSec Monitor Screen 103

7.17.1 Regular Expressions in Searching IPSec SAs 104

7.18 The Log Screen 104

7.18.1 View AP Log 107

7.18.2 Dynamic Users Log 109

Chapter 8 Registration......111

8.1 Overview ...... 111

8.1.1 What You Can Do in this Chapter 111

8.1.2 What you Need to Know 111

8.2 Registration Screen 112

8.3 Service Screen 112

Chapter 9 Wireless....114

9.1 Overview ...... 114

9.1.1 What You Can Do in this Chapter 114

9.2 Controller Screen 114

9.3 AP Management Screen 115

9.3.1 Edit AP List 116

Chapter 10 Interfaces......118

10.1 Interface Overview 118

10.1.1 What You Can Do in this Chapter 118

10.1.2 What You Need to Know 118

10.2 Port Grouping 120

10.2.1 Port Grouping Overview 121

10.2.2 Port Grouping Screen 121

10.3 Ethernet Summary Screen 122

10.3.1 Ethernet Edit 123

10.3.2 Object References ...... 129

10.3.3 DHCP Extended Options Add/Edit 130

10.4 PPP Interfaces 132

10.4.1 PPP Interface Summary 133

10.4.2 PPP Interface Add/Edit 134

10.5 VLAN Interfaces 138

10.5.1 VLAN Interface Summary Screen 139

10.5.2 VLAN Interface Add/Edit 140

10.6 Bridge Interfaces 145

10.6.1 Bridge Interface Summary 147

10.6.2 Bridge Interface Add/Edit 148

10.7 Virtual Interfaces 152

10.7.1 Virtual Interfaces Add/Edit 153

10.8 Interface Technical Reference 154

Chapter 11

Trunks 158

11.1 Overview 158

11.1.1 What You Can Do in this Chapter 158

11.1.2 What You Need to Know 158

11.2 The Trunk Summary Screen 161

11.2.1 Configuring a User-Defined Trunk 162

11.2.2 Configuring the System Default Trunk 164

Chapter 12

Policy and Static Routes....166

12.1 Policy and Static Routes Overview 166

12.1.1 What You Can Do in this Chapter 166

12.1.2 What You Need to Know 166

12.2 Policy Route Screen 168

12.2.1 Policy Route Add/Edit Screen 170

12.3 IP Static Route Screen 173

12.3.1 Static Route Add/Edit Screen 174

12.4 Policy Routing Technical Reference .... 175

Chapter 13

Zones 176

13.1 Zones Overview 176

13.1.1 What You Can Do in this Chapter ....176

13.1.2 What You Need to Know 176

13.2 The Zone Screen 177

13.2.1 Zone Add/Edit 178

Chapter 14

DDNS....180

14.1 DDNS Overview .... 180

14.1.1 What You Can Do in this Chapter ....180

14.1.2 What You Need to Know .... 180

14.2 The DDNS Screen 181

14.2.1 The Dynamic DNS Add/Edit Screen 182

Chapter 15

NAT....185

15.1 NAT Overview 185

15.1.1 What You Can Do in this Chapter ....185

15.1.2 What You Need to Know 185

15.2 The NAT Screen 186

15.2.1 The NAT Add/Edit Screen 187

15.3 NAT Technical Reference 190

Chapter 16

16.1.1 What You Can Do in this Chapter ....192

16.1.2 What You Need to Know .... 193

16.2 The VPN 1-1 Mapping General Screen ....193

16.2.1 The VPN 1-1 Mapping Add/Edit Screen ....194

16.3 The VPN 1-1 Mapping Profile Screen ....195

Chapter 17

HTTP Redirect....197

17.1 Overview ...... 197

17.1.1 What You Can Do in this Chapter ....197

17.1.2 What You Need to Know 197

17.2 The HTTP Redirect Screen 198

17.2.1 The HTTP Redirect Add/Edit Screen 199

Chapter 18

SMTP Redirect 201

18.1 Overview ......201

18.1.1 What You Can Do in this Chapter ....201
18.1.2 What You Need to Know ....201

18.2 The SMTP Redirect Screen 202

18.2.1 The SMTP Redirect Add/Edit Screen 203

Chapter 19

ALG 205

19.1 ALG Overview ......205

19.1.1 What You Can Do in this Chapter ....205
19.1.2 What You Need to Know ....205
19.1.3 Before You Begin 206
19.2 The ALG Screen 206

Chapter 20

UPnP 207

20.1 Overview 207
20.2 What You Need to Know ....207

20.2.1 NAT Traversal 207
20.2.2 Cautions with UPnP 208

20.3 UPnP Screen 208
20.4 Technical Reference 209

20.4.1 Using UPnP in Windows XP Example ......209
20.4.2 Web Configurator Easy Access 211

Chapter 21

IP/MAC Binding......214

21.1 IP/MAC Binding Overview ......214

21.1.1 What You Can Do in this Chapter ....214
21.1.2 What You Need to Know 214

21.2 IP/MAC Binding Summary 215

21.2.1 IP/MAC Binding Edit 216
21.2.2 Static DHCP Add/Edit 217

21.3 IP/MAC Binding Exempt List ....217

Chapter 22

Layer 2 Isolation ....219

22.1 Overview ...... 219
22.1.1 What You Can Do in this Chapter ....219

22.2 Layer-2 Isolation General Screen 220

22.3 White List 220
22.3.1 Add/Edit White List Rule ......221

Chapter 23

IPnP 223

23.1 Overview ......223

23.1.1 What You Can Do in this Chapter 223

23.2 IPnP Screen 224

Chapter 24

Web Authentication 225

24.1 Overview 225

24.1.1 What You Can Do in this Chapter ...... 225

24.1.2 What You Need to Know 226

24.2 Web Authentication Screen 226

24.2.1 Adding/Editing an Authentication Policy 232

24.2.2 User-aware Access Control Example 233

24.3 Walled Garden Screen 240

24.3.1 Adding/Editing a Walled Garden URL 241

24.3.2 Walled Garden Login Example 242

24.4 Advertisement Screen 242

24.4.1 Adding/Editing an Advertisement URL 243

Chapter 25

Firewall 245

25.1 Overview 245

25.1.1 What You Can Do in this Chapter 245

25.1.2 What You Need to Know 245

25.2 The Firewall Screen 247

25.2.1 Configuring the Firewall Screen 248

25.2.2 The Firewall Add/Edit Screen 251

25.3 The Session Control Screen 252

25.3.1 The Session Control Add/Edit Screen 253

25.4 Firewall Rule Configuration Example 254

25.5 Firewall Rule Example Applications .....256

Chapter 26

Billing....259

26.1 Overview 259

26.1.1 What You Can Do in this Chapter ....259

26.1.2 What You Need to Know 259

26.2 The General Screen ....260

26.3 The Billing Profile Screen 261

26.3.1 The Account Generator Screen 263

26.3.2 The Account Redeem Screen 266

26.3.3 The Billing Profile Add/Edit Screen 268

26.4 The Discount Screen 269

26.4.1 The Discount Add/Edit Screen 270

26.5 The Payment Service General Screen 270

26.5.1 The Payment Service Custom Service Screen 272

Chapter 27

Printer Manager 275

27.1 Overview ...... 275

27.1.1 What You Can Do in this Chapter 275

27.2 The General Screen 275

27.3 The Printout Configuration Screen 277

27.3.1 Reports Overview ......278

27.3.2 Key Combinations ......278

27.3.3 Daily Account Summary 279

27.3.4 Monthly Account Summary ......279

27.3.5 Account Report Notes 280

27.3.6 System Status 280

Chapter 28

Free Time....282

28.1 Overview 282

28.1.1 What You Can Do in this Chapter 282

28.2 The Free Time Screen 282

Chapter 29

SMS 286

29.1 Overview 286

29.1.1 What You Can Do in this Chapter 286

29.2 The SMS Screen 286

Chapter 30

IPSec VPN....288

30.1 Virtual Private Networks (VPN) Overview 288

30.1.1 What You Can Do in this Chapter 288

30.1.2 What You Need to Know 289

30.1.3 Before You Begin 289

30.2 The VPN Connection Screen 290

30.2.1 The VPN Connection Add/Edit Screen 291

30.3 The VPN Gateway Screen 297

30.3.1 The VPN Gateway Add/Edit Screen 297

30.4 IPSec VPN Background Information ....303

Chapter 31

Bandwidth Management....315

31.1 Overview 315

31.1.1 What You Can Do in this Chapter ....315
31.1.2 What You Need to Know .... 315

31.2 The Bandwidth Management Screen .... 319

31.2.1 The Bandwidth Management Add/Edit Screen 321

Chapter 32

User/Group 325

32.1 Overview 325

32.1.1 What You Can Do in this Chapter ....325
32.1.2 What You Need To Know .... 325

32.2 User Summary Screen 327

32.2.1 User Add/Edit Screen 328

32.3 User Group Summary Screen 331

32.3.1 Group Add/Edit Screen 331

32.4 The User/Group Setting Screen 332

32.4.1 Default User Settings Edit Screen 335
32.4.2 User Aware Login Example ....336

32.5 User /Group Technical Reference 337

Chapter 33

AP Profile....339

33.1 Overview 339

33.1.1 What You Can Do in this Chapter ....339
33.1.2 What You Need To Know ....339

33.2 Radio Screen 340

33.2.1 Add/Edit Radio Profile 342

33.3 SSID Screen 345

33.3.1 SSID List .... 345
33.3.2 Add/Edit SSID Profile 347
33.3.3 Security List 348
33.3.4 Add/Edit Security Profile 350
33.3.5 MAC Filter List .... 352
33.3.6 Add/Edit MAC Filter Profile 353

Chapter 34

Addresses 354

34.1 Overview ...... 354

34.1.1 What You Can Do in this Chapter ....354
34.1.2 What You Need To Know ....354

34.2 Address Summary Screen 354

34.2.1 Address Add/Edit Screen 355

34.3 Address Group Summary Screen 356

34.3.1 Address Group Add/Edit Screen 357

Chapter 35

Services 359

35.1 Overview 359

35.1.1 What You Can Do in this Chapter 359
35.1.2 What You Need to Know .... 359

35.2 The Service Summary Screen 360

35.2.1 The Service Add/Edit Screen .... 361

35.3 The Service Group Summary Screen 362

35.3.1 The Service Group Add/Edit Screen 362

Chapter 36

Schedules 364

36.1 Overview 364

36.1.1 What You Can Do in this Chapter 364
36.1.2 What You Need to Know .... 364

36.2 The Schedule Summary Screen 365

36.2.1 The One-Time Schedule Add/Edit Screen 366
36.2.2 The Recurring Schedule Add/Edit Screen 367

Chapter 37

AAA Server 368

37.1 Overview 368

37.1.1 RADIUS Server 368
37.1.2 What You Can Do in this Chapter 368
37.1.3 What You Need To Know ....368

37.2 RADIUS Server Summary 369

37.2.1 Adding/Editing a RADIUS Server 369

Chapter 38

Authentication Method....372

38.1 Overview 372

38.1.1 What You Can Do in this Chapter ....372
38.1.2 Before You Begin 372

38.2 Authentication Method Objects ....372

38.2.1 Creating an Authentication Method Object 373

Chapter 39

Certificates 375

39.1 Overview 375

39.1.1 What You Can Do in this Chapter ....375
39.1.2 What You Need to Know ....375
39.1.3 Verifying a Certificate 377

39.2 The My Certificates Screen 378

39.2.1 The My Certificates Add Screen ....379
39.2.2 The My Certificates Edit Screen .... 381
39.2.3 The My Certificates Import Screen 384

39.3 The Trusted Certificates Screen 385

39.3.1 The Trusted Certificates Edit Screen 386
39.3.2 The Trusted Certificates Import Screen 389

Chapter 40

ISP Accounts....391

40.1 Overview ......391
40.1.1 What You Can Do in this Chapter ....391
40.2 ISP Account Summary 391
40.2.1 ISP Account Add/Edit 392

Chapter 41

System 394

41.1 Overview 394
41.1.1 What You Can Do in this Chapter ....394
41.2 Host Name 395
41.3 USB Storage 395
41.4 Date and Time 396

41.4.1 Pre-defined NTP Time Servers List ....399
41.4.2 Time Server Synchronization 399

41.5 Console Port Speed 400

41.6 DNS Overview 401

41.6.1 DNS Server Address Assignment 401
41.6.2 Configuring the DNS Screen 401
41.6.3 Address Record 403
41.6.4 PTR Record 403
41.6.5 Adding/Editing an Address/PTR Record 403
41.6.6 Domain Zone Forwarder 404
41.6.7 Adding/Editing a Domain Zone Forwarder 404
41.6.8 MX Record 405
41.6.9 Adding/Editing a MX Record ....406
41.6.10 Adding/Editing a DNS Service Control Rule 406

41.7 WWW Overview 407

41.7.1 Service Access Limitations .... 407
41.7.2 System Timeout ....407
41.7.3 HTTPS 408
41.7.4 Configuring WWW Service Control 408
41.7.5 Service Control Rules 411
41.7.6 Customizing the WWW Login Page 412
41.7.7 HTTPS Example 416

41.8 SSH 423

41.8.1 How SSH Works 424
41.8.2 SSH Implementation on the UAG 425
41.8.3 Requirements for Using SSH 425
41.8.4 Configuring SSH 425
41.8.5 Secure Telnet Using SSH Examples 426

41.9 Telnet 428

41.9.1 Configuring Telnet 428

41.10 FTP 429

41.10.1 Configuring FTP 429

41.11 SNMP 430

41.11.1 Supported MIBs 431
41.11.2 SNMP Traps 432
41.11.3 Configuring SNMP 432

41.12 Language 434

Chapter 42

Log and Report 435

42.1 Overview 435
42.1.1 What You Can Do In this Chapter 435
42.2 Email Daily Report 435
42.3 Log Settings Screens 437

42.3.1 Log Settings Summary 438
42.3.2 Edit System Log Settings 439
42.3.3 Edit Log on USB Storage Setting 442
42.3.4 Edit Remote Server Log Settings 444
42.3.5 Log Category Settings Screen 446

Chapter 43

File Manager....450

43.1 Overview 450

43.1.1 What You Can Do in this Chapter 450
43.1.2 What you Need to Know 450

43.2 The Configuration File Screen 452
43.3 The Firmware Package Screen 456
43.4 The Shell Script Screen 458

Chapter 44

Diagnostics 461

44.1 Overview 461
44.1.1 What You Can Do in this Chapter 461
44.2 The Diagnostics Screen 461
44.2.1 The Diagnostics Files Screen 462

44.3 The Packet Capture Screen 463

44.3.1 The Packet Capture Files Screen 465

44.4 Core Dump Screen 466

44.4.1 Core Dump Files Screen 467

44.5 The System Log Screen 467

Chapter 45

Packet Flow Explore....469

45.1 Overview 469

45.1.1 What You Can Do in this Chapter 469

45.2 The Routing Status Screen 469

45.3 The SNAT Status Screen 474

Chapter 46

Reboot 478

46.1 Overview 478

46.1.1 What You Need To Know ....478

46.2 The Reboot Screen 478

Chapter 47

Shutdown......479

47.1 Overview 479

47.1.1 What You Need To Know 479

47.2 The Shutdown Screen 479

Chapter 48

Troubleshooting....480

48.1 Resetting the UAG 487

48.2 Getting More Troubleshooting Help 488

Appendix A Legal Information....489

Index 492

1.1 Overview

The UAG is a comprehensive service gateway. If you have a "statement printer", such as SP350E, you can connect it directly to the UAG, allowing you to easily print subscriber statements. The UAG is ideal for offices, coffee shops, libraries, hotels and airport terminals catering to subscribers that seek Internet access. You should have an Internet account already set up and have been given usernames, passwords etc. required for Internet access.

graph TD
    A["Server"] --> B["Printer"]
    B --> C["Router"]
    C --> D["Phone"]
    D --> E["Internet"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#cff,stroke:#333

You can use web authentication to allow guests to access the network only after they authenticate with the UAG through a specifically designated login web page. You can also forward the authenticated client's e-mail messages to a specific SMTP server.

The UAG also provides bandwidth management, NAT, port forwarding, policy routing, DHCP server and many other powerful features. The UAG's security features include firewall, VPN and certificates.

The UAG lets you set up multiple networks for your company. The De-Militarized Zone (DMZ) increases LAN security by providing separate ports for connecting publicly accessible servers. The UAG also provides two separate LAN networks. You can set ports to be part of the LAN1, LAN2 or DMZ. Alternatively, you can deploy the UAG as a transparent firewall in an existing network with minimal configuration.

1.2 Default Zones, Interfaces, and Ports

The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use "the WAN interface" rather than "P1" or "P2".

Figure 1 Zones, Interfaces, and Physical Ethernet Ports

1.3 Management Overview

You can manage the UAG in the following ways.

Web Configurator

The Web Configurator allows easy UAG setup and management using an Internet browser. This User's Guide provides information about the Web Configurator.

Figure 2 Managing the UAG: Web Configurator

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the UAG. Access it using remote management (for example, SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are:

Table 1 Console Port Default Settings

1.4 Web Configurator

In order to use the Web Configurator, you must:

• Use one of the following web browser versions: Internet Explorer 7.0 and later versions, Mozilla Firefox 9.0 and later versions, Safari 4.0 and later versions, or Google Chrome 10.0 and later versions.
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScripts, Java permissions, and cookies

The recommended screen resolution is 1024 x 768 pixels and higher.

1.4.1 Web Configurator Access

1 Make sure your UAG hardware is properly connected. See the Quick Start Guide.
2 In your browser go to http://172.16.0.1 or http://172.17.0.1. The Login screen appears.

3 Type the user name (default: "admin") and password (default: "1234").

4 Click Login. If you logged in using the default user name and password, the Update Admin Info screen appears. Otherwise, the dashboard appears.
5 Follow the directions in the Update Admin Info screen. If you change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the UAG is using its default configuration; otherwise the dashboard appears.

1.4.2 Web Configurator Screens Overview

The Web Configurator screen is divided into these parts (as illustrated on page 21):

• A - title bar
• B - navigation panel
• C - main window

1.4.2.1 Title Bar

Figure 3 Title Bar

The title bar icons in the upper right corner provide the following functions.

Table 2 Title Bar: Web Configurator Icons

About

Click About to display basic information about the UAG.

Figure 4 About

The following table describes labels that can appear in this screen.

Table 3 About

Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen.

Figure 5 Site Map

Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.

Figure 6 Object Reference

The fields vary with the type of object. The following table describes labels that can appear in this screen.

Table 4 Object References

CLI Messages

Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the web configurator to display the corresponding commands.

Figure 7 CLI Messages

Click Clear to remove the currently displayed information.

See the Command Reference Guide for information about the commands.

1.4.3 Navigation Panel

Use the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the UAG's navigation panel menus and their screens.

Figure 8 Navigation Panel

Dashboard

The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 6 on page 66 for details on the dashboard.

Monitor Menu

The monitor menu screens display status and statistics information.

Table 5 Monitor Menu Screens Summary

Configuration Menu

Use the configuration menu screens to configure the UAG's features.

Table 6 Configuration Menu Screens Summary

Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the UAG.

Table 7 Maintenance Menu Screens Summary

1.4.4 Tables and Lists

Web Configurator tables and lists are flexible with several options for how to display their entries.

Click a column heading to sort the table's entries according to that column's criteria.

Figure 9 Sorting Table Entries by a Column's Criteria

Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column. Here are some examples of what you can do:

• Sort in ascending or descending (reverse) alphabetical order
• Select which columns to display
• Group entries by field
  • Show entries in groups
• Filter by mathematical operators (<, >, or =) or searching for text

Figure 10 Common Table Column Options

Select a column heading cell's right border and drag to re-size the column.

Figure 11 Resizing a Table Column

Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location.

Figure 12 Moving Columns

Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

Figure 13 Navigating Pages of Table Entries

The tables have icons for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate.

Figure 14 Common Table Icons

Here are descriptions for the most common table icons.

Table 8 Common Table Icons

Working with Lists

When a list of available entries displays next to a list of selected entries, you can often just double-click an entry to move it from one list to the other. In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.

Figure 15 Working with Lists

1.5 Stopping the UAG

Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the UAG or remove the power. Not doing so can cause the firmware to become corrupt.

Hardware Installation and Connection

2.1 Rack-mounting

Use the following steps to mount the UAG on an EIA standard size, 19-inch rack or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the UAG does not make the rack unstable or top-heavy. Take all necessary precautions to anchor the rack securely before installing the unit.

Note: Leave 10 cm of clearance at the sides and 20 cm in the rear.

Use a #2 Phillips screwdriver to install the screws.

Note: Failure to use the proper screws may damage the unit.

1 Align one bracket with the holes on one side of the UAG and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.

3 After attaching both mounting brackets, position the UAG in the rack and up the bracket holes with the rack holes. Secure the UAG to the rack with the rack-mounting screws.

2.2 Front Panel

This section introduces the UAG's front panel.

Figure 16 UAG Front Panel

Ethernet Ports

The 1000Base-T auto-negotiating, auto-crossover Ethernet ports support 10/100/1000 Mbps Gigabit Ethernet so the speed can be 100 Mbps or 1000 Mbps. The duplex mode is full at 1000 Mbps and half or full at 10/100 Mbps. An auto-negotiating port can detect and adjust to the optimum Ethernet speed (10/100/1000 Mbps) and duplex mode (full duplex or half duplex) of the connected device. An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable. The factory default negotiation settings for the Ethernet ports on the UAG are speed: auto, duplex: auto, and flow control: on (you cannot configure the flow control setting, but the UAG can negotiate with the peer and turn it off if needed).

The color-coded Ethernet port supports the IEEE 802.3at High Power over Ethernet (PoE) standard and can receive power of up to 30W per Ethernet port from a PoE switch via an 8-pin CAT 5 Ethernet cable. This helps eliminate the need for power sockets.

USB 2.0 Ports

Connect a USB storage device to a USB port on the UAG to archive the UAG system logs or save the UAG operating system kernel to it.

Console Port

Connect this port to your computer (using an RS-232 cable) if you want to configure the UAG using the command line interface (CLI) via the console port.

For local management, you can use a computer with terminal emulation software configured to the following parameters:

• VT100 terminal emulation
• 115200 bps
- No parity, 8 data bits, 1 stop bit
- No flow control

Connect the male 9-pin end of the RS-232 console cable to the console port of the UAG. Connect the female end to a serial port (COM1, COM2 or other COM port) of your computer.

2.2.1 Front Panel LEDs

The following tables describe the LEDs.

Table 9 Front Panel LEDs

2.3 Rear Panel

The following figure shows the rear panel of the UAG. The rear panel contains a connector for the power receptacle.

Figure 17 Rear Panel

Printer Deployment

3.1 Overview

This chapter shows you how to set up an external statement printer (SP350E for example) and deploy it in your network with the UAG.

In the following examples, you will:

• Attach the printer to the UAG.
• Set up an Internet connection on the UAG.
• Allow the UAG to monitor and manage the printer.
• Turn on web authentication on the UAG.
• Generate a free guest account.

3.2 Attach the Printer to the UAG

This section uses the SP350E as an example. Refer to the printer documentation for detailed information about paper loading.

1 Connect the Ethernet port of the printer to one LAN port of the UAG.
2 Connect the power socket of the printer to a power outlet. Turn on the printer.
The printer is acting as a DHCP client by default and will obtain an IP address from the connected UAG. Make sure the UAG is turned on already and the DHCP server is enabled on its LAN interface(s).

3.3 Set up an Internet Connection on the UAG

1 Connect the WAN port of the UAG to a broadband modem or router.
2 Connect your computer to one of the available LAN port on the UAG.
3 Log into the UAG web configurator. See Section 1.4 on page 20 on how to access the web configurator.
4 Enter your Internet access information to set up a Internet connection. See Chapter 4 on page 43 for detailed information on how to use the setup wizard.

3.4 Allow the UAG to Monitor and Manage the Printer

Before you add the printer to the UAG's printer list, check the sticker on the printer's rear panel to see its MAC address.

1 Go to the Dashboard of the UAG web configurator.

2 Open the DHCP Table to find the IP address that is assigned to the printer's MAC address. Make sure the IP address is reserved for the printer. Write down the printer's IP address.

3 Go to the Configuration > Printer Manager screen. Click Add in the Printer List to create a new entry for your printer.

4 After the printer's IP address is added to the printer list, select the Enable Printer Manager checkbox and then click Apply.

5 Go to the Monitor > Printer Status screen to check if the UAG can connect to the printer (the printer status is sync success). In this screen, you can also click Discover Printer to detect and display the printer that is connected to the UAG, and then click Add to Mgmt Printer List to add the selected AP to the managed printer list automatically.

Note: You may need to wait up to 90 seconds for the UAG to synchronize with the printer successfully after you click Apply in the Configuration > Printer Manager screen.

3.5 Turn on Web Authentication on the UAG

With web authentication, users need to log in through a designated web page before they can access the network(s).

1 Go to the Configuration > Web Authentication screen.
2 Set Authentication to Web Portal.
3 Select Internal Web Portal to use the default login page.
4 Click Add to create a new web authentication policy.

5 The Auth. Policy Add screen displays. Set Authentication to required and select Force User Authentication to redirect all HTTP traffic to the default login page.
6 Click OK to save your changes.

7 Click Apply the Configuration > Web Authentication screen.

3.6 Generate a Free Guest Account

You can use the buttons on the printer or web-based account generator to create guest accounts based on the pre-defined billing settings (see Section 26.3 on page 261).

1 Go to the Configuration > Free Time screen.
2 Select the Enable Free Time checkbox to turn on this feature. Click Apply.

3 Whenever a user tries to access a web page, he/she will be redirect to the default login page.
4 Click the link on the login page to get a free guest account.

5 A Welcome screen displays. Select the free time service. Click OK to generate and show the account information on the web page.

6 Now you can use this account to access the Internet through the UAG for

Welcome

You may now use the internet.

IMPORTANT MAKE a note for your case-sensitive username and password for logging later. This will be your only opportunity to do so.

This is your account information, please keep this for your internet service.

Your username is ipuijp

Your password is 5x96kr

Your time period is 30 minutes

Login Now

Installation Setup Wizard

4.1 Installation Setup Wizard Screens

When you log into the Web Configurator for the first time or when you reset the UAG to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User's Guide for background information.

Figure 18 Installation Setup Wizard

• Click the double arrow in the upper right corner to display or hide the help.
• Click Go to Dashboard to skip the installation setup wizard or click Next to start configuring for Internet access.

4.1.1 Internet Access Setup - WAN Interface

Use this screen to set how many WAN interfaces to configure and the first WAN interface's type of encapsulation and method of IP address assignment.

The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

Figure 19 Internet Access: Step 1: First WAN Interface

• I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
• Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet. Otherwise, choose PPP Over Ethernet (PPPoE) or PPTP for a dial-up connection according to the information from your ISP.
• First WAN Interface: This is the interface you are configuring for Internet access.
  • Zone: This is the security zone to which this interface and Internet connection belong.
• IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.

4.1.2 Internet Access: Ethernet

This screen is read-only if you set the previous screen's IP Address Assignment field to Auto. Use this screen to configure your IP address settings.

Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 20 Internet Access: Ethernet Encapsulation

• Encapsulation: This displays the type of Internet connection you are configuring.
• First WAN Interface: This is the number of the interface that will connect with your ISP.
  • Zone: This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.

The following fields display if you selected static IP address assignment.

• IP Subnet Mask: Enter the subnet mask for this WAN connection's IP address.
• Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway).
• First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The UAG uses these (in the order you specify here) to resolve domain names for DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.

4.1.3 Internet Access: PPPoE

Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 21 Internet Access: PPPoE Encapsulation

4.1.3.1 ISP Parameters

• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@\$./ characters, and it can be up to 64 characters long.

• Authentication Type - Select an authentication protocol for outgoing connection requests. Options are:

• CHAP/ PAP - Your UAG accepts either CHAP or PAP when requested by the remote node.
  • CHAP - Your UAG accepts CHAP only.
  • PAP - Your UAG accepts PAP only.
  • MSCHAP - Your UAG accepts MSCHAP only.
  • MSCHAP-V2 - Your UAG accepts MSCHAP-V2 only.

• Type the User Name given to you by your ISP. You can use alphanumeric and -_@\$./ characters, and it can be up to 31 characters long.

• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server.

4.1.3.2 WAN IP Address Assignments

• First WAN Interface: This is the name of the interface that will connect with your ISP.
  • Zone: This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.

- First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The UAG uses these (in the order you specify here) to resolve domain names for DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it.

4.1.4 Internet Access: PPTP

Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 22 Internet Access: PPTP Encapsulation

4.1.4.1 ISP Parameters

• Authentication Type - Select an authentication protocol for outgoing calls. Options are:

• CHAP/ PAP - Your UAG accepts either CHAP or PAP when requested by the remote node.
  • CHAP - Your UAG accepts CHAP only.
  • PAP - Your UAG accepts PAP only.
  • MSCHAP - Your UAG accepts MSCHAP only.
  • MSCHAP-V2 - Your UAG accepts MSCHAP-V2 only.

• Type the User Name given to you by your ISP. You can use alphanumeric and -_@\$./ characters and it can be up to 31 characters long.

• Type the Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.

4.1.4.2 PPTP Configuration

• Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
• Type a Base IP Address (static) assigned to you by your ISP.
• Type the IP Subnet Mask assigned to you by your ISP (if given).
• Gateway IP Address: Enter the IP address of the gateway if any.
• Server IP: Type the IP address of the PPTP server.
• Type a Connection ID or connection name. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long.

4.1.4.3 WAN IP Address Assignments

• First WAN Interface: This is the connection type on the interface you are configuring to connect with your ISP.
  • Zone This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
• First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The UAG uses these (in the order you specify here) to resolve domain names for DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers.

4.1.5 Internet Access Setup - Second WAN Interface

If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 43).

Figure 23 Internet Access: Step 1: Second WAN Interface

4.1.6 Internet Access - Finish

You have set up your UAG to access the Internet. A screen displays with your settings. If they are not correct, click Back.

Figure 24 Internet Access: Finish

Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 50).

Alternatively, close the window to exit the wizard.

4.2 Device Registration

Go to http://portal.myZyXEL.com with the UAG's serial number and LAN MAC address to register it if you have not already done so.

Note: You must be connected to the Internet to register. Use the Registration > Service screen to update your service subscription status.

Figure 25 Registration

Quick Setup Wizards

5.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User's Guide for background information.

In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.

Figure 26 Quick Setup

- WAN Interface

Click this link to open a wizard to set up a WAN (Internet) connection. This wizard creates matching ISP account settings in the UAG if you use PPPoE or PPTP. See Section 5.2 on page 51.

- VPN Setup

Use VPN Setup to configure a VPN (Virtual Private Network) rule for a secure connection to another computer or network. See Section 5.3 on page 56.

5.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.

Figure 27 WAN Interface Quick Setup Wizard

5.2.1 Choose an Ethernet Interface

Select the Ethernet interface that you want to configure for a WAN connection and click Next.

Figure 28 Choose an Ethernet Interface

5.2.2 Select WAN Type

WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet.

Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.

Figure 29 WAN Interface Setup: Step 2

The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don't have that information.

Note: Enter the Internet access information exactly as your ISP gave it to you.

5.2.3 Configure WAN IP Settings

Use this screen to select whether the interface should use a fixed or dynamic IP address.

Figure 30 WAN Interface Setup: Step 2

• WAN Interface: This is the interface you are configuring for Internet access.
  • Zone: This is the security zone to which this interface and Internet connection belong.
• IP Address Assignment: Select Auto If your ISP did not assign you a fixed IP address. Select Static if you have a fixed IP address.

5.2.4 ISP and WAN Connection Settings

Use this screen to configure the ISP and WAN interface settings. This screen is read-only if you select Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to Static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you.

Figure 31 ISP and WAN Connection Settings: (PPTP Shown)

The following table describes the labels in this screen.

Table 10 ISP and WAN Connection Settings

5.2.5 Quick Setup Interface Wizard: Summary

This screen displays the WAN interface's settings.

Figure 32 Interface Wizard: Summary WAN (Ethernet Shown)

The following table describes the labels in this screen.

Table 11 Interface Wizard: Summary WAN

5.3 VPN Setup Wizard

Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.

Figure 33 VPN Setup Wizard

5.3.1 Welcome

Use wizards to create Virtual Private Network (VPN) rules. After you complete the wizard, the Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.

Figure 34 VPN Wizard Welcome

5.3.2 VPN Setup Wizard: Wizard Type

Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based UAG using a pre-shared key.

Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.

Figure 35 VPN Setup Wizard: Wizard Type

5.3.3 VPN Express Wizard - Scenario

Click the Express radio button as shown in Figure 35 on page 58 to display the following screen.

Figure 36 VPN Express Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Application Scenario: This shows the scenario that the UAG supports.

- Site-to-site - The remote IPSec device has a static IP address or a domain name. This UAG can initiate the VPN tunnel.

5.3.4 VPN Express Wizard - Configuration

Figure 37 VPN Express Wizard: Configuration

• Secure Gateway: Enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name.
• Pre-Shared Key: Type the password. Both ends of the VPN tunnel must use the same password. Use 8 to 31 case-sensitive ASCII characters or 8 to 31 pairs of hexadecimal ("0-9", "A-F") characters. Proceed a hexadecimal key with "0x". You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
• Local Policy (IP/ Mask): Type the IP address of a computer on your network that can use the tunnel. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
• Remote Policy (IP/ Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.

5.3.5 VPN Express Wizard - Summary

This screen provides a read-only summary of the VPN tunnel's configuration and commands that you can copy and paste into another ZLD-based UAG's command line interface to configure it.

Figure 38 VPN Express Wizard: Summary

• Rule Name: Identifies the VPN gateway policy.
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation.
• Local Policy: IP address and subnet mask of the computers on the network behind your UAG that can use the tunnel.
• Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
• Copy and paste the Configuration for Secure Gateway commands into another ZLD-based UAG's command line interface to configure it to serve as the other end of this VPN tunnel. You can also use a text editor to save these commands as a shell script file with a ".zysh" filename extension. Use the file manager to run the script in order to configure the VPN connection. See the commands reference guide for details on the commands displayed in this list.

5.3.6 VPN Express Wizard - Finish

Now the rule is configured on the UAG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.

Figure 39 VPN Express Wizard: Finish

Click Close to exit the wizard.

5.3.7 VPN Advanced Wizard - Scenario

Click the Advanced radio button as shown in Figure 35 on page 58 to display the following screen.

Figure 40 VPN Advanced Wizard: Scenario

Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

Application Scenario: This shows the scenario that the UAG supports.

- Site-to-site - The remote IPSec device has a static IP address or a domain name. This UAG can initiate the VPN tunnel.

5.3.8 VPN Advanced Wizard - Phase 1 Settings

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association).

Figure 41 VPN Advanced Wizard: Phase 1 Settings

• Secure Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec device by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec device has a dynamic WAN IP address.
• My Address (interface): Select an interface from the drop-down list box to use on your UAG.
• Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords.

Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode.

- Encryption Algorithm: 3DES and AES use encryption. The longer the key, the higher the security (this may affect throughput). Both sender and receiver must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. AES128 uses a 128-bit key and is faster than 3DES. AES192 uses a 192-bit key, and AES256 uses a 256-bit key.

- Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm the slower it is.

• Key Group: DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number.
• SA Life Time: Set how often the UAG renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
• NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices).

Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens for more information.

• Dead Peer Detection (DPD) has the UAG make sure the remote IPSec device is there before transmitting data through the IKE SA. If there has been no traffic for at least 15 seconds, the UAG sends a message to the remote IPSec device. If it responds, the UAG transmits the data. If it does not respond, the UAG shuts down the IKE SA.
• Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the UAG's certificates.

5.3.9 VPN Advanced Wizard - Phase 2

Phase 2 in an IKE uses the SA that was established in phase 1 to negotiate SAs for IPSec.

Figure 42 VPN Advanced Wizard: Phase 2 Settings

• Active Protocol: ESP is compatible with NAT, AH is not.
- Encapsulation: Tunnel is compatible with NAT, Transport is not.
- Encryption Algorithm: 3DES and AES use encryption. The longer the AES key, the higher the security (this may affect throughput). Null uses no encryption.
- Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm the slower it is.
- SA Life Time: Set how often the UAG renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.

• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5 a 1536 bit random number (more secure, yet slower).
• Local Policy (IP/ Mask): Type the IP address of a computer on your network. You can also specify a subnet. This must match the remote IP address configured on the remote IPSec device.
• Remote Policy (IP/ Mask): Type the IP address of a computer behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device.
• Nailed-Up: This displays for the site-to-site and remote access client role scenarios. Select this to have the UAG automatically renegotiate the IPSec SA when the SA life time expires.

5.3.10 VPN Advanced Wizard - Summary

This is a read-only summary of the VPN tunnel settings.

Figure 43 VPN Advanced Wizard: Summary

• Rule Name: Identifies the VPN connection (and the VPN gateway).
• Secure Gateway: IP address or domain name of the remote IPSec device.
• Pre-Shared Key: VPN tunnel password.
• Certificate: The certificate the UAG uses to identify itself when setting up the VPN tunnel.
• Local Policy: IP address and subnet mask of the computers on the network behind your UAG that can use the tunnel.
• Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel.
• Copy and paste the Configuration for Remote Gateway commands into another ZLD-based UAG's command line interface.
• Click Save to save the VPN rule.

5.3.11 VPN Advanced Wizard - Finish

Now the rule is configured on the UAG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.

Figure 44 VPN Wizard: Finish

Click Close to exit the wizard.

6.1 Overview

Use the Dashboard screens to check status information about the UAG.

6.1.1 What You Can Do in this Chapter

Use the Dashboard screens for the following.

• Use the main Dashboard screen (see Section 6.2 on page 66) to see the UAG's general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
• Use the VPN Status screen (see Section 6.2.4 on page 73) to look at the VPN tunnels that are currently established.
• Use the DHCP Table screen (see Section 6.2.5 on page 74) to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses.
• Use the Number of Login Users screen (see Section 6.2.6 on page 75) to look at a list of the users currently logged into the UAG.

6.2 The Dashboard Screen

The Dashboard screen displays when you log into the UAG or click Dashboard in the navigation panel. The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.

Figure 45 Dashboard

The following table describes the labels in this screen.

Table 12 Dashboard

6.2.1 The CPU Usage Screen

Use this screen to look at a chart of the UAG's recent CPU usage. To access this screen, click CPU Usage in the dashboard.

Figure 46 Dashboard > CPU Usage

The following table describes the labels in this screen.

Table 13 Dashboard > CPU Usage

6.2.2 The Memory Usage Screen

Use this screen to look at a chart of the UAG's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard.

Figure 47 Dashboard > Memory Usage

The following table describes the labels in this screen.

Table 14 Dashboard > Memory Usage

6.2.3 The Active Sessions Screen

Use this screen to look at a chart of the UAG's recent traffic session usage. To access this screen, click Show Active Sessions in the dashboard.

Figure 48 Dashboard > Show Active Sessions

The following table describes the labels in this screen.

Table 15 Dashboard > Show Active Sessions

6.2.4 The VPN Status Screen

Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in System Status in the dashboard.

Figure 49 Dashboard > System Status > VPN Status

The following table describes the labels in this screen.

Table 16 Dashboard > VPN Status

6.2.5 The DHCP Table Screen

Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click DHCP Table in System Status in the dashboard.

Figure 50 Dashboard > DHCP Table

The following table describes the labels in this screen.

Table 17 Dashboard > DHCP Table

6.2.6 The Number of Login Users Screen

Use this screen to look at a list of the users currently logged into the UAG. Users who close their browsers without logging out are still shown as logged in here. To access this screen, click Number of Login Users in System Status in the dashboard.

Figure 51 Dashboard > Number of Login Users

The following table describes the labels in this screen.

Table 18 Dashboard > Number of Login Users

7.1 Overview

Use the Monitor screens to check status and statistics information.

7.1.1 What You Can Do in this Chapter

Use the Monitor screens for the following.

• Use the System Status > Port Statistics screen (see Section 7.2 on page 78) to look at packet statistics for each physical port.
• Use the System Status > Port Statistics > Graph View screen (see Section 7.2 on page 78) to look at a line graph of packet statistics for each physical port.
• Use the System Status > Interface Status screen (see Section 7.3 on page 80) to see all of the UAG's interfaces and their packet statistics.
• Use the System Status > Traffic Statistics screen (see Section 7.4 on page 83) to start or stop data collection and view statistics.
• Use the System Status > Session Monitor screen (see Section 7.5 on page 85) to view sessions by user or service.
• Use the System Status > DDNS Status screen (see Section 7.6 on page 87) to view the status of the UAG's DDNS domain names.
• Use the System Status > IP/ MAC Binding screen (see Section 7.7 on page 88) to view a list of devices that have received an IP address from UAG interfaces with IP/MAC binding enabled.
• Use the System Status > Login Users screen (see Section 7.8 on page 89) to look at a list of the users currently logged into the UAG.
• Use the System Status > UPnP Port Status screen (see Section 7.9 on page 90) to look at a list of the NAT port mapping rules that UPnP creates on the UAG.
• Use the System Status > USB Storage screen (see Section 7.10 on page 91) to view information about a connected USB storage device.
• Use the System Status > Dynamic Guest screen (see Section 7.11 on page 92) to look at a list of the guest user accounts, which are created automatically and allowed to access the UAG's services for a certain period of time.
• Use the AP Information > AP List screen (see Section 7.12 on page 94) to view which APs are currently connected to the UAG.
• Use the AP Information > Radio List screen (see Section 7.13 on page 96) to view statistics about the wireless radio transmitters in each of the APs connected to the UAG.
• Use the Station Info > Station List screen (see Section 7.14 on page 99) to view statistics pertaining to the connected stations (or “wireless clients”).

• Use the Printer Status screen (see Section 7.15 on page 100) to view information about the connected statement printers.

• Use the VPN 1-1 Mapping screen (see Section 7.16 on page 101) to view the status of the active users to which the UAG applied a VPN 1-1 mapping rule.

• Use the VPN 1-1 Mapping > Statistics screen (see Section 7.16.1 on page 102) to display statistics for each of the VPN 1-1 mapping rules.
• Use the VPN Monitor > IPSec screen (Section 7.18 on page 104) to display and manage active IPSec SAs.
• Use the Log > View Log screen (see Section 7.18 on page 104) to view the UAG's current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.
• Use the Log > View AP Log screen (see Section 7.18.1 on page 107) to view the UAG's current wireless AP log messages.
• Use the Log > Dynamic Users Log screen (see Section 7.18.2 on page 109) to view the UAG's dynamic guest account log messages.

7.2 The Port Statistics Screen

Use this screen to look at packet statistics for each Gigabit Ethernet port. To access this screen, click Monitor > System Status > Port Statistics.

Figure 52 Monitor > System Status > Port Statistics

The following table describes the labels in this screen.

Table 19 Monitor > System Status > Port Statistics

7.2.1 The Port Statistics Graph Screen

Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button.

Figure 53 Monitor > System Status > Port Statistics > Switch to Graphic View

The following table describes the labels in this screen.

Table 20 Monitor > System Status > Port Statistics > Switch to Graphic View

7.3 The Interface Status Screen

This screen lists all of the UAG's interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.

Figure 54 Monitor > System Status > Interface Status

Each field is described in the following table.

Table 21 Monitor > System Status > Interface Status

7.4 The Traffic Statistics Screen

Click Monitor > System Status > Traffic Statistics to display the Traffic Statistics screen. This screen provides basic information about the following for example:

• Most-visited Web sites and the number of times each one was visited. This count may not be accurate in some cases because the UAG counts HTTP GET packets. Please see Table 22 on page 84 for more information.
• Most-used protocols or service ports and the amount of traffic on each one
  • LAN IP with heaviest traffic and how much traffic has been sent to and from each one

You use the Traffic Statistics screen to tell the UAG when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.

Figure 55 Monitor > System Status > Traffic Statistics

There is a limit on the number of records shown in the report. Please see Table 23 on page 85 for more information. The following table describes the labels in this screen.

Table 22 Monitor > System Status > Traffic Statistics

The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.

Table 23 Maximum Values for Reports

7.5 The Session Monitor Screen

The Session Monitor screen displays information about all established sessions that pass through the UAG for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.

• User who started the session
• Protocol or service port used
• Source address
• Destination address
  • Number of bytes received (so far)
  • Number of bytes transmitted (so far)
  • Duration (so far)

You can look at all the active sessions by user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user.

Click Monitor > System Status > Session Monitor to display the following screen.

Figure 56 Monitor > System Status > Session Monitor

The following table describes the labels in this screen.

Table 24 Monitor > System Status > Session Monitor

7.6 The DDNS Status Screen

The DDNS Status screen shows the status of the UAG's DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.

Figure 57 Monitor > System Status > DDNS Status

The following table describes the labels in this screen.

Table 25 Monitor > System Status > DDNS Status

7.7 The IP/MAC Binding Monitor Screen

Click Monitor > System Status > IP/ MAC Binding to open the IP/ MAC Binding Monitor screen. This screen lists the devices that have received an IP address from UAG interfaces with IP/ MAC binding enabled and have ever established a session with the UAG. Devices that have never established a session with the UAG do not display in the list.

Figure 58 Monitor > System Status > IP/MAC Binding

The following table describes the labels in this screen.

Table 26 Monitor > System Status > IP/MAC Binding

7.8 The Login Users Screen

Use this screen to look at a list of the users currently logged into the UAG. To access this screen, click Monitor > System Status > Login Users.

Figure 59 Monitor > System Status > Login Users

The following table describes the labels in this screen.

Table 27 Monitor > System Status > Login Users

7.9 The UPnP Port Status Screen

Use this screen to look at the NAT port mapping rules that UPnP creates on the UAG. To access this screen, click Monitor > System Status > UPnP Port Status.

Figure 60 Monitor > System Status > UPnP Port Status

The following table describes the labels in this screen.

Table 28 Monitor > System Status > UPnP Port Status

7.10 The USB Storage Screen

This screen displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen.

Figure 61 Monitor > System Status > USB Storage

The following table describes the labels in this screen.

Table 29 Monitor > System Status > USB Storage

7.11 The Dynamic Guest Screen

Dynamic guest accounts can be automatically generated for guest users by using a connected statement printer or the web configurator with the guest-manager account (see Section 26.3.1 on page 263 for more information). A dynamic guest account has a dynamically-created user name and password. Guest users can log in with the dynamic guest accounts when connecting to an SSID for a specified time unit. Use this screen to look at a list of dynamic guest user accounts on the UAG's local database. To access this screen, click Monitor > System Status > Dynamic Guest.

Figure 62 Monitor > System Status > Dynamic Guest

The following table describes the labels in this screen.

Table 30 Monitor > System Status > Dynamic Guest

The following table describes the icons in this screen.

Table 31 Monitor > System Status > Dynamic Guest Icons

LABEL	DESCRIPTION
	This guest account is un-used.
[ZBWY]	This guest account is in use and online.
[02KB]	This guest account has been used but is offline now.
	This guest account expired.
	This guest account has been deleted.

7.12 The AP List Screen

Use this screen to view which APs are currently connected to the UAG. To access this screen, click Monitor > Wireless > AP Information > AP List.

Figure 63 Monitor > Wireless > AP Information > AP List

The following table describes the labels in this screen.

Table 32 Monitor > Wireless > AP Information > AP List

The following table describes the icons in this screen.

Table 33 Monitor > Wireless > AP Information > AP List Icons

LABEL DESCRIPTION
[2AC8]	This AP is not on the management list.
[4ZSH]	This AP is on the management list and online.
[3CHS]	This AP is in the process of having its firmware updated.
	This AP is on the management list but offline.
[403S]	This indicates one of the following cases:This AP has a runtime management VLAN ID setting that conflicts with the VLAN ID setting on the Access Controller (the UAG).A setting the UAG assigns to this AP does not match the AP's capability.

7.12.1 Station Count of AP

Use this screen to look at station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen.

Figure 64 Monitor > Wireless > AP Information > AP List > Station Count of AP

The following table describes the labels in this screen.

Table 34 Monitor > Wireless > AP Information > AP List > Station Count of AP

7.13 The Radio List Screen

Use this screen to view statistics about the wireless radio transmitters in each of the APs connected to the UAG. To access this screen, click Monitor > Wireless > AP Information > Radio List.

Figure 65 Monitor > Wireless > AP Information > Radio List

The following table describes the labels in this screen.

Table 35 Monitor > Wireless > AP Information > Radio List

7.13.1 AP Mode Radio Information

This screen allows you to view detailed information about a selected radio's SSID(s), wireless traffic and wireless clients for the preceding 24 hours. To access this window, select an entry and click the More Information button in the Radio List screen.

Figure 66 Monitor > Wireless > AP Information > Radio List > AP Mode Radio Information

The following table describes the labels in this screen.

Table 36 Monitor > Wireless > AP Info > Radio List > AP Mode Radio Information

7.14 The Station List Screen

Use this screen to view statistics pertaining to the associated stations (or "wireless clients"). Click Monitor > Wireless > Station Info to access this screen.

Figure 67 Monitor > Wireless > Station List

The following table describes the labels in this screen.

Table 37 Monitor > Wireless > Station List

7.15 The Printer Status Screen

This screen displays information about the connected statement printer, such as SP350E. Click Monitor > Printer Status to display this screen.

Figure 68 Monitor > Printer Status

The following table describes the labels in this screen.

Table 38 Monitor > Printer Status

7.16 The VPN 1-1 Mapping Status Screen

This screen displays the status of the active users to which the UAG applied a VPN 1-1 mapping rule.

Click Monitor > VPN 1-1 Mapping to open the following screen.

Figure 69 Monitor > VPN 1-1 Mapping

The following table describes the labels in this screen.

Table 39 Monitor > VPN 1-1 Mapping

7.16.1 VPN 1-1 Mapping Statistics

This screen shows statistics for each of the VPN 1-1 mapping rules. Click Monitor > VPN 1-1 Mapping > Statistics to display this screen.

Figure 70 Monitor > VPN 1-1 Mapping > Statistics

The following table describes the labels in this screen.

Table 40 Monitor > VPN 1-1 Mapping > Statistics

7.17 The IPSec Monitor Screen

You can use this screen to display and to manage active IPSec. To access this screen, click Monitor > VPN Monitor > IPSec. The following screen appears. SAs. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 71 Monitor > VPN Monitor > IPSec

Each field is described in the following table.

Table 41 Monitor > VPN Monitor > IPSec

7.17.1 Regular Expressions in Searching IPSec SAs

A question mark (?) lets a single character in the VPN connection or policy name vary. For example, use "a?c" (without the quotation marks) to specify abc, acc and so on.

Wildcards (*) let multiple VPN connection or policy names match the pattern. For example, use “* abc” (without the quotation marks) to specify any VPN connection or policy name that ends with “abc”. A VPN connection named “testabc” would match. There could be any number (of any type) of characters in front of the “abc” at the end and the VPN connection or policy name would still match. A VPN connection or policy name named “testacc” for example would not match.

A * in the middle of a VPN connection or policy name has the UAG check the beginning and end and ignore the middle. For example, with “abc* 123”, any VPN connection or policy name starting with “abc” and ending in “123” matches, no matter how many characters are in between.

The whole VPN connection or policy name has to match if you do not use a question mark or asterisk.

7.18 The Log Screen

Log messages are stored in two separate logs, one for regular log messages and one for debugging messages. In the regular log, you can look at all the log messages by selecting All Logs, or you can select a specific category of log messages (for example, firewall or user). You can also look at the debugging log by selecting Debug Log. All debugging messages have the same priority.

To access this screen, click Monitor > Log. The log is displayed in the following screen.

Note: When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.

- The maximum possible number of log messages in the UAG varies by model.

Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order.

Figure 72 Monitor > Log

The following table describes the labels in this screen.

Table 42 Monitor > Log

The Web Configurator saves the filter settings if you leave the View Log screen and return to it later.

7.18.1 View AP Log

Use this screen to view the UAG's current wireless AP log messages. Click Monitor > Log > View AP Log to access this screen.

Figure 73 Monitor > Log > View AP Log

The following table describes the labels in this screen.

Table 43 Monitor > Log > View AP Log

Table 43 Monitor > Log > View AP Log (continued)

7.18.2 Dynamic Users Log

Use this screen to view the UAG's dynamic guest account log messages. Click Monitor > Log > Dynamic Users Log to access this screen.

Figure 74 Monitor > Log > Dynamic Users Log

The following table describes the labels in this screen.

Table 44 Monitor > Log > Dynamic Users Log

8.1 Overview

Use the Configuration > Licensing > Registration screens to register your UAG and manage its service subscriptions.

8.1.1 What You Can Do in this Chapter

• Use the Registration screen (see Section 8.2 on page 112) to register your UAG with myZyXEL.com.
• Use the Service screen (see Section 8.3 on page 112) to display the status of your service registrations and upgrade licenses.

8.1.2 What you Need to Know

This section introduces the topics covered in this chapter.

myZyXEL.com

myZyXEL.com is ZyXEL's online services center where you can register your UAG and manage subscription services available for the UAG. To use a subscription service, you have to register the UAG and activate the corresponding service at myZyXEL.com (through the UAG).

Note: You need to create a myZyXEL.com account before you can register your device and activate the services at myZyXEL.com.

Go to http://portal.myZyXEL.com with the UAG's serial number and LAN MAC address to register it. Refer to the web site's on-line help for details.

Note: To activate a service on a UAG, you need to access myZyXEL.com via that UAG.

Subscription Services Available on the UAG

At the time of writing, the UAG can use the upgrade service to extend the maximum number of the supported managed APs and the LAN/WLAN users that can connect to the UAG at one time.

Maximum Number of Managed APs

The UAG is initially configured to support up to 8 remote managed APs (such as the NWA5123-NI). You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 32.

8.2 Registration Screen

Click the link in this screen to register your UAG with myZyXEL.com. The UAG should already have Internet access before you can register it. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.

Figure 75 Configuration > Licensing > Registration

8.3 Service Screen

Use this screen to display the status of your service registrations. To activate or extend a standard service subscription, purchase an iCard and enter the iCard's PIN number (license key) at myZyXEL.com. Click Configuration > Licensing > Registration > Service to open the screen as shown next.

Figure 76 Configuration > Licensing > Registration > Service

The following table describes the labels in this screen.

Table 45 Configuration > Licensing > Registration > Service

9.1 Overview

Use the Wireless screens to configure how the UAG manages the Access Points (APs) that are connected to it.

9.1.1 What You Can Do in this Chapter

• The Controller screen (Section 9.2 on page 114) sets how the UAG allows new APs to connect to the network.
• The AP Management screen (Section 9.3 on page 115) manages all of the APs connected to the UAG.

9.2 Controller Screen

Use this screen to set how the UAG allows new APs to connect to the network. Click Configuration > Wireless > Controller to access this screen.

Figure 77 Configuration > Wireless > Controller

Each field is described in the following table.

Table 46 Configuration > Wireless > Controller

9.3 AP Management Screen

Use this screen to manage all of the APs connected to the UAG. Click Configuration > Wireless > AP Management to access this screen.

Figure 78 Configuration > Wireless > AP Management

Each field is described in the following table.

Table 47 Configuration > Wireless > AP Management

9.3.1 Edit AP List

Select an AP and click the Edit button in the Configuration > Wireless > AP Management table to display this screen.

Figure 79 Configuration > Wireless > AP Management > Edit AP List

Each field is described in the following table.

Table 48 Configuration > Wireless > AP Management > Edit AP List

10.1 Interface Overview

Use the Interface screens to configure the UAG's interfaces. You can also create interfaces on top of other interfaces.

• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the UAG. For example, You connect the LAN network to the LAN interface.
• Zones are groups of interfaces used to ease security policy configuration.

10.1.1 What You Can Do in this Chapter

• Use the Port Grouping screen (Section 10.2 on page 120) to create port groups and to assign physical ports and port groups to Ethernet interfaces.
• Use the Ethernet screens (Section 10.3 on page 122) to configure the Ethernet interfaces. Ethernet interfaces are the foundation for defining other interfaces and network policies.
• Use the PPP screens (Section 10.4 on page 132) for PPPoE or PPTP Internet connections.
• Use the VLAN screens (Section 10.5 on page 138) to divide the physical network into multiple logical networks. VLAN interfaces receive and send tagged frames. The UAG automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Use the Bridge screens (Section 10.6 on page 145) to combine two or more network segments into a single network.
• Use the Virtual Interface screen (Section 10.7.1 on page 153) to create virtual interfaces on top of Ethernet interfaces to tell the UAG where to route packets. You can create virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
• Use the Trunk screens (Chapter 11 on page 158) to configure load balancing.

10.1.2 What You Need to Know

Interface Characteristics

Interfaces generally have the following characteristics (although not all characteristics apply to each type of interface).

• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.

- Layer-3 virtualization (IP alias, for example) is a kind of interface.

Types of Interfaces

You can create several types of interfaces in the UAG.

• Setting interfaces to the same port role forms a port group. Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level. Port groups are created when you use the Interface > Port Grouping screen to set multiple physical ports to be part of the same interface.
• Ethernet interfaces are the foundation for defining other interfaces and network policies.
• VLAN interfaces receive and send tagged frames. The UAG automatically adds or removes the tags as needed. Each VLAN can only be associated with one Ethernet interface.
• Bridge interfaces create a software connection between Ethernet or VLAN interfaces at the layer-2 (data link, MAC address) level. Unlike port groups, bridge interfaces can take advantage of some security features in the UAG. You can also assign an IP address and subnet mask to the bridge.
• PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces.
• Virtual interfaces provide additional routing information in the UAG. There are three types: virtual Ethernet interfaces, virtual VLAN interfaces, and virtual bridge interfaces.
• Trunk interfaces manage load balancing between interfaces.

Port groups and trunks have a lot of characteristics that are specific to each type of interface. See Section 10.3 on page 122 and Chapter 11 on page 158 for details. The other types of interfaces--Ethernet, PPP, VLAN, bridge, and virtual--have a lot of similar characteristics. These characteristics are listed in the following table and discussed in more detail below.

Table 49 Ethernet, PPP, VLAN, Bridge, and Virtual Interface Characteristics

• * The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, lan1, lan2; VLAN interfaces are vlan0, vlan1, vlan2...; and so on.
  ** - The names of virtual interfaces are derived from the interfaces on which they are created. For example, virtual interfaces created on Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the

Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI to set up a virtual interface.

Relationships Between Interfaces

In the UAG, interfaces are usually created on top of other interfaces. Only Ethernet interfaces are created directly on top of the physical ports or port groups. The relationships between interfaces are explained in the following table.

Table 50 Relationships Between Different Types of Interfaces

* - You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.

Finding Out More

• See Section 10.8 on page 154 for background information on interfaces.
• See Chapter 11 on page 158 to configure load balancing using trunks.

10.2 Port Grouping

This section introduces port groups and then explains the screen for port groups.

10.2.1 Port Grouping Overview

Use port grouping to create port groups and to assign physical ports and port groups to Ethernet interfaces.

Each physical port is assigned to one Ethernet interface. In port grouping, the Ethernet interfaces are called representative interfaces. If you assign more than one physical port to a representative interface, you create a port group. Port groups have the following characteristics:

• There is a layer-2 Ethernet switch between physical ports in the port group. This provides wire-speed throughput but no security.
• It can increase the bandwidth between the port group and other interfaces.

10.2.2 Port Grouping Screen

To access this screen, click Configuration > Network > Interface > Port Grouping. Define the relationship between physical ports, port groups, and Ethernet interfaces in the Port Grouping screen.

Figure 80 Configuration > Network > Interface > Port Grouping

The physical Ethernet ports are shown at the bottom and the Ethernet interfaces are shown at the top of the screen. To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface.

Click Apply to save your changes and apply them to the UAG.

Click Reset to change the port groups to their current configuration (last-saved values).

10.3 Ethernet Summary Screen

This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Configuration > Network > Interface > Ethernet.

Unlike other types of interfaces, you cannot create new Ethernet interfaces nor can you delete any of them. If an Ethernet interface does not have any physical ports assigned to it (see Section 10.3 on page 122), the Ethernet interface is effectively removed from the UAG, but you can still configure it.

Ethernet interfaces are similar to other types of interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict the amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.

Use Ethernet interfaces to control which physical ports exchange routing information with other routers and how much information is exchanged through each one. The more routing information is exchanged, the more efficient the routers should be. However, the routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management.

Figure 81 Configuration > Network > Interface > Ethernet

Each field is described in the following table.

Table 51 Configuration > Network > Interface > Ethernet

10.3.1 Ethernet Edit

The Ethernet Edit screen lets you configure IP address assignment, interface parameters, DHCP settings, connectivity check, and MAC address settings. To access this screen, select an entry in the Ethernet summary screen and click the Edit icon. (See Section 10.3 on page 122.)

Note: If you create IP address objects based on an interface's IP address, subnet, or gateway, the UAG automatically updates every rule or setting that uses the object whenever the interface's IP address settings change. For example, if you change the LAN's IP address, the UAG automatically updates the corresponding interface-based, LAN subnet address object.

Figure 82 Configuration > Network > Interface > Ethernet > Edit (External Type)

Figure 83 Configuration > Network > Interface > Ethernet > Edit (Internal Type)

This screen's fields are described in the table below.

Table 52 Configuration > Network > Interface > Ethernet > Edit

10.3.2 Object References

When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object Reference screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object.

Figure 84 Object References

The following table describes labels that can appear in this screen.

Table 53 Object References

10.3.3 DHCP Extended Options Add/Edit

When you configure an interface as a DHCPv4 server, you can additionally add DHCP extended options which have the UAG to add more information in the DHCP packets. The available fields vary depending on the DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click the Add icon or select an entry and click the Edit icon in the Extended Options table.

Figure 85 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

The following table describes labels that can appear in this screen.

Table 54 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

Table 54 Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options

The following table lists the available DHCP extended options (defined in RFCs) on the UAG. See RFCs for more information.

Table 55 DHCP Extended Options

10.4 PPP Interfaces

Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network.

Figure 86 Example: PPPoE/PPTP Interfaces

graph LR
    A["3D Block"] <--> B["INTERNET"]
    B <--> C["Server"]

PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.

- You must also configure an ISP account object for the PPPoE/PPTP interface to use.

Each ISP account specifies the protocol (PPPoE or PPTP), as well as your ISP account information. If you change ISPs later, you only have to create a new ISP account, not a new PPPoE/PPTP interface. You should not have to change any network policies.

- You do not set up the subnet mask or gateway.

PPPoE/PPTP interfaces are interfaces between the UAG and only one computer. Therefore, the subnet mask is always 255.255.255.255. In addition, the UAG always treats the ISP as a gateway.

10.4.1 PPP Interface Summary

This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP.

Figure 87 Configuration > Network > Interface > PPP

Each field is described in the table below.

Table 56 Configuration > Network > Interface > PPP

10.4.2 PPP Interface Add/Edit

Note: You have to set up an ISP account before you create a PPPoE/PPTP interface.

This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or select an entry in the PPP interface summary screen and click the Edit icon.

Figure 88 Configuration > Network > Interface > PPP > Add

Each field is explained in the following table.

Table 57 Configuration > Network > Interface > PPP > Add/Edit

10.5 VLAN Interfaces

A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.

In this example, there are two physical networks and three departments A, B, and C. The physical networks are connected to hubs, and the hubs are connected to the router.

Figure 89 Example: Before VLAN

graph TD
    A["Router"] --> B["Computer 1"]
    A --> C["Computer 2"]
    B --> D["Computer 3"]
    B --> E["Computer 4"]
    C --> F["Computer 5"]
    C --> G["Computer 6"]
    D --> H["Computer 7"]
    E --> I["Computer 8"]
    F --> J["Computer 9"]
    G --> K["Computer 10"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#fcc,stroke:#333
    style F fill:#fcc,stroke:#333
    style G fill:#fcc,stroke:#333
    style H fill:#cff,stroke:#333
    style I fill:#cff,stroke:#333
    style J fill:#ffc,stroke:#333
    style K fill:#ffc,stroke:#333

Alternatively, you can divide the physical networks into three VLANs.

Figure 90 Example: After VLAN

graph TD
    A["Router"] --> B["River"]
    B --> C["Switch"]
    C --> D["VLAN ID = 1"]
    C --> E["VLAN ID = 2"]
    B --> F["Switch"]
    F --> G["VLAN ID = 3"]
    F --> H["VLAN ID = 4"]

Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.)

• Traffic inside each VLAN is layer-2 communication (data link layer, MAC addresses). It is handled by the switches. As a result, the new switch is required to handle traffic inside VLAN 2. Traffic is only broadcast inside each VLAN, not each physical network.
• Traffic between VLANs (or between a VLAN and another type of network) is layer-3 communication (network layer, IP addresses). It is handled by the router.

This approach provides a few advantages.

• Increased performance - In VLAN 2, the extra switch should route traffic inside the sales department faster than the router does. In addition, broadcasts are limited to smaller, more logical groups of users.
• Higher security - If each computer has a separate physical connection to the switch, then broadcast traffic in each VLAN is never sent to computers in another VLAN.
• Better manageability - You can align network policies more appropriately for users. For example, you can set different bandwidth limits for each VLAN (each department in the example above). These rules are also independent of the physical network, so you can change the physical network without changing policies.

In this example, the new switch handles the following types of traffic:

• Inside VLAN 2.
• Between the router and VLAN 1.
• Between the router and VLAN 2.
• Between the router and VLAN 3.

VLAN Interfaces Overview

In the UAG, each VLAN is called a VLAN interface. As a router, the UAG routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface. All traffic for each VLAN interface can go through only one Ethernet interface, though each Ethernet interface can have one or more VLAN interfaces.

Note: Each VLAN interface is created on top of only one Ethernet interface.

Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.

10.5.1 VLAN Interface Summary Screen

This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN.

Figure 91 Configuration > Network > Interface > VLAN

Each field is explained in the following table.

Table 58 Configuration > Network > Interface > VLAN

10.5.2 VLAN Interface Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon

or select an entry in the VLAN summary screen and click the Edit icon. The following screen appears.

Figure 92 Configuration > Network > Interface > VLAN > Add

Each field is explained in the following table.

Table 59 Configuration > Network > Interface > VLAN > Add/Edit

10.6 Bridge Interfaces

This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces.

Bridge Overview

A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments.

graph TD
    A["Switch 1"] -->|0A:0A:0A:0A:0A:0A| A1["Computer"]
    A -->|2| X["Switch 2"]
    A -->|3| X
    A -->|4| B["Switch 3"]
    B -->|0B:0B:0B:0B:0B:0B| B1["Computer"]
    B -->|1| X
    B -->|2| X
    style X fill:#f9f,stroke:#333,stroke-width:2px

When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port. If the destination MAC address is not in the table, the bridge broadcasts the packet on every port (except the one on which it was received).

In the example above, computer A sends a packet to computer B. Bridge X records the source address 0A:0A:0A:0A:0A:0A and port 2 in the table. It also looks up 0B:0B:0B:0B:0B:0B in the table. There is no entry yet, so the bridge broadcasts the packet on ports 1, 3, and 4.

Table 60 Example: Bridge Table After Computer A Sends a Packet to Computer B

If computer B responds to computer A, bridge X records the source address 0B:0B:0B:0B:0B:0B and port 4 in the table. It also looks up 0A:0A:0A:0A:0A:0A in the table and sends the packet to port 2 accordingly.

Table 61 Example: Bridge Table After Computer B Responds to Computer A

Bridge Interface Overview

A bridge interface creates a software bridge between the members of the bridge interface. It also becomes the UAG's interface for the resulting network.

This UAG can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole UAG as a transparent bridge, add all of the UAG's interfaces to a bridge interface.

A bridge interface may consist of the following members:

• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)
• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)

When you create a bridge interface, the UAG removes the members' entries from the routing table and adds the bridge interface's entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between lan1 and vlan1.

Table 62 Example: Routing Table Before and After Bridge Interface br0 Is Created

In this example, virtual Ethernet interface lan1:1 is also removed from the routing table when lan1 is added to br0. Virtual interfaces are automatically added to or remove from a bridge interface when the underlying interface is added or removed.

10.6.1 Bridge Interface Summary

This screen lists every bridge interface and virtual interface created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge.

Figure 93 Configuration > Network > Interface > Bridge

Each field is described in the following table.

Table 63 Configuration > Network > Interface > Bridge

10.6.2 Bridge Interface Add/Edit

This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon, or select an entry in the Bridge summary screen and click the Edit icon. The following screen appears.

Figure 94 Configuration > Network > Interface > Bridge > Add

Each field is described in the table below.

Table 64 Configuration > Network > Interface > Bridge > Add/Edit

10.7 Virtual Interfaces

Use virtual interfaces to tell the UAG where to route packets.

Virtual interfaces can be created on top of Ethernet interfaces, VLAN interfaces, or bridge interfaces. Virtual VLAN interfaces recognize and use the same VLAN ID. Otherwise, there is no difference between each type of virtual interface. Network policies (for example, firewall rules) that apply to the underlying interface automatically apply to the virtual interface as well.

Like other interfaces, virtual interfaces have an IP address, subnet mask, and gateway used to make routing decisions. However, you have to manually specify the IP address and subnet mask; virtual interfaces cannot be DHCP clients. Like other interfaces, you can restrict bandwidth through virtual interfaces, but you cannot change the MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available.

10.7.1 Virtual Interfaces Add/Edit

This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click the Create Virtual Interface icon in the Ethernet, VLAN, or bridge interface summary screen.

Figure 95 Configuration > Network > Interface > Create Virtual Interface

Each field is described in the table below.

Table 65 Configuration > Network > Interface > Create Virtual Interface

10.8 Interface Technical Reference

Here is more detailed information about interfaces on the UAG.

IP Address Assignment

Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table.

Figure 96 Example: Entry in the Routing Table Derived from Interfaces

Table 66 Example: Routing Table Entries for Interfaces

For example, if the UAG gets a packet with a destination address of 100.100.25.25, it routes the packet to interface lan1. If the UAG gets a packet with a destination address of 200.200.200.200, it routes the packet to interface wan1.

In most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always 255.255.255.255 because it is a point-to-point interface. For these interfaces, you can only enter the IP address.

In many interfaces, you can also let the IP address and subnet mask be assigned by an external DHCP server on the network. In this case, the interface is a DHCP client. Virtual interfaces, however, cannot be DHCP clients. You have to assign the IP address and subnet mask manually.

In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients.

In the example above, if the UAG gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the UAG should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on wan1. In this case, the UAG creates the following entry in the routing table.

Table 67 Example: Routing Table Entry for a Gateway

The gateway is an optional setting for each interface. If there is more than one gateway, the UAG uses the gateway with the lowest metric, or cost. If two or more gateways have the same metric, the UAG uses the one that was set up first (the first entry in the routing table). In PPPoE/PPTP interfaces, the other computer is the gateway for the interface by default. In this case, you should specify the metric.

If the interface gets its IP address and subnet mask from a DHCP server, the DHCP server also specifies the gateway, if any.

Interface Parameters

The UAG restricts the amount of traffic into and out of the UAG through each interface.

• Egress bandwidth sets the amount of traffic the UAG sends out through the interface to the network.
• Ingress bandwidth sets the amount of traffic the UAG allows in through the interface from the network. ^1

If you set the bandwidth restrictions very high, you effectively remove the restrictions.

The UAG also restricts the size of each data packet. The maximum number of bytes in each packet is called the maximum transmission unit (MTU). If a packet is larger than the MTU, the UAG divides it into smaller fragments. Each fragment is sent separately, and the original packet is re-assembled later. The smaller the MTU, the more fragments sent, and the more work required to re-assemble packets correctly. On the other hand, some communication channels, such as Ethernet over ATM, might not be able to handle large data packets.

DHCP Settings

Dynamic Host Configuration Protocol (DHCP, RFC 2131, RFC 2132) provides a way to automatically set up and maintain IP addresses, subnet masks, gateways, and some network information (such as the IP addresses of DNS servers) on computers in the network. This reduces the amount of manual configuration you have to do and usually uses available IP addresses more efficiently.

In DHCP, every network has at least one DHCP server. When a computer (a DHCP client) joins the network, it submits a DHCP request. The DHCP servers get the request; assign an IP address; and provide the IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client.

In the UAG, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server.

As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.

As a DHCP server, the interface provides the following information to DHCP clients.

- IP address - If the DHCP client's MAC address is in the UAG's static DHCP table, the interface assigns the corresponding IP address. If not, the interface assigns IP addresses from a pool, defined by the starting address of the pool and the pool size.

Table 68 Example: Assigning IP Addresses from a Pool

The UAG cannot assign the first address (network address) or the last address (broadcast address) in the subnet defined by the interface's IP address and subnet mask. For example, in the first entry, if the subnet mask is 255.255.255.0, the UAG cannot assign 50.50.50.0 or 50.50.50.255. If the subnet mask is 255.255.0.0, the UAG cannot assign 50.50.0.0 or 50.50.255.255. Otherwise, it can assign every IP address in the range, except the interface's IP address.

If you do not specify the starting address or the pool size, the interface the maximum range of IP addresses allowed by the interface's IP address and subnet mask. For example, if the interface's IP address is 9.9.9.1 and subnet mask is 255.255.255.0, the starting IP address in the pool is 9.9.9.2, and the pool size is 253.

• Subnet mask - The interface provides the same subnet mask you specify for the interface. See IP Address Assignment on page 154.
• Gateway - The interface provides the same gateway you specify for the interface. See IP Address Assignment on page 154.
• DNS servers - The interface provides IP addresses for up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS server), or you can refer to DNS servers that other interfaces received from DHCP servers (for example, a DNS server at an ISP). These other interfaces have to be DHCP clients.

It is not possible for an interface to be the DHCP server and a DHCP client simultaneously.

WINS

WINS (Windows Internet Naming Service) is a Windows implementation of NetBIOS Name Server (NBNS) on Windows. It keeps track of NetBIOS computer names. It stores a mapping table of your network's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast traffic since computers can query the server instead of broadcasting a request for a computer name's IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server.

PPPoE/PPTP Overview

Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:

• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services. This makes it easier for the service provider to offer the service
• PPPoE does not usually require any special configuration of the modem.

PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP environments. It sets up two sessions.

1 The first one runs on TCP port 1723. It is used to start and manage the second one.

2 The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.

PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions.

11.1 Overview

Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.

Maybe you have two Internet connections with different bandwidths. You could set up a trunk that uses spillover or weighted round robin load balancing so time-sensitive traffic (like video) usually goes through the higher-bandwidth interface. For other traffic, you might want to use least load first load balancing to even out the distribution of the traffic load.

Suppose ISP A has better connections to Europe while ISP B has better connections to Australia. You could use policy routes and trunks to have traffic for your European branch office primarily use ISP A and traffic for your Australian branch office primarily use ISP B.

Or maybe one of the UAG's interfaces is connected to an ISP that is also your Voice over IP (VoIP) service provider. You can use policy routing to send the VoIP traffic through a trunk with the interface connected to the VoIP service provider set to active and another interface (connected to another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up.

11.1.1 What You Can Do in this Chapter

• Use the Trunk summary screen (Section 11.2 on page 161) to configure link sticking and view the list of configured trunks and which load balancing algorithm each trunk uses.
• Use the Add Trunk screen (Section 11.2.1 on page 162) to configure the member interfaces for a trunk and the load balancing algorithm the trunk uses.
• Use the Add System Default screen (Section 11.2.2 on page 164) to configure the load balancing algorithm for the system default trunk.

11.1.2 What You Need to Know

• Add WAN interfaces to trunks to have multiple connections share the traffic load.
• If one WAN interface's connection goes down, the UAG sends traffic through another member of the trunk.
• For example, you connect one WAN interface to one ISP and connect a second WAN interface to a second ISP. The UAG balances the WAN traffic load between the connections. If one interface's connection goes down, the UAG can automatically send its traffic through another interface.

You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic.

• If that interface's connection goes down, the UAG can still send its traffic through another interface.
• You can define multiple trunks for the same physical interfaces.

Load Balancing Algorithms

The following sections describe the load balancing algorithms the UAG can use to decide which interface the traffic (from the LAN) should use for a session ^2 . The available bandwidth you configure on the UAG refers to the actual bandwidth provided by the ISP and the measured bandwidth refers to the bandwidth an interface is currently using.

Least Load First

The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth.

Here the UAG has two WAN interfaces connected to the Internet. The configured available outbound bandwidths for wan1 and ppp0 are 512K and 256K respectively.

Figure 97 Least Load First Example

graph LR
    A["SCAN1\n512K"] --> B["INTERNET"]
    C["PPP0\n256K"] --> B

The outbound bandwidth utilization is used as the load balancing index. In this example, the measured (current) outbound throughput of wan1 is 412K and ppp0 is 198K. The UAG calculates the load balancing index as shown in the table below.

Since ppp0 has a smaller load balancing index (meaning that it is less utilized than wan1), the UAG will send the subsequent new session traffic through ppp0.

Table 69 Least Load First Example

Weighted Round Robin

Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can handle. A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is

given an equal amount of bandwidth, and then moves to the end of the list; and so on, depending on the number of queues being used. This works in a looping fashion until a queue is empty.

The Weighted Round Robin (WRR) algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. Similar to the Round Robin (RR) algorithm, the Weighted Round Robin (WRR) algorithm sets the UAG to send traffic through each WAN interface in turn. In addition, the WAN interfaces are assigned weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight.

For example, in the figure below, the configured available bandwidth of wan1 is 1M and ppp0 is 512K. You can set the UAG to distribute the network traffic between the two interfaces by setting the weight of wan1 and ppp0 to 2 and 1 respectively. The UAG assigns the traffic of two sessions to wan1 and one session's traffic to ppp0 in each round of 3 new sessions.

Figure 98 Weighted Round Robin Algorithm Example

graph LR
    S6 --> S4
    S2 --> S1
    S3 --> S2
    S1 --> wan1["wan1 1M"]
    S3 --> ppp0["ppp0 512K"]
    wan1 --> INTERNET["INTERNET"]
    ppp0 --> INTERNET

Spillover

The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface's maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list. This continues as long as there are more member interfaces and traffic to be sent through them.

Suppose the first trunk member interface uses an unlimited access Internet connection and the second is billed by usage. Spillover load balancing only uses the second interface when the traffic load exceeds the threshold on the first interface. This fully utilizes the bandwidth of the first interface to reduce Internet usage fees and avoid overloading the interface.

In this example figure, the upper threshold of the first interface is set to 800K. The UAG sends network traffic of new sessions that exceed this limit to the secondary WAN interface.

Figure 99 Spillover Algorithm Example

graph LR
    A["1M"] --> B["800K"]
    B --> C["wan1\n800K"]
    C --> D["Internet"]
    E["200K"] --> F["ppp0"]

11.2 The Trunk Summary Screen

Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.

Figure 100 Configuration > Network > Interface > Trunk

The following table describes the items in this screen.

Table 70 Configuration > Network > Interface > Trunk

11.2.1 Configuring a User-Defined Trunk

Click Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the Add/Edit Trunk screen. Use this screen to create or edit a WAN trunk entry.

Figure 101 Configuration > Network > Interface > Trunk > Add/Edit

Each field is described in the table below.

Table 71 Configuration > Network > Interface > Trunk > Add/Edit

11.2.2 Configuring the System Default Trunk

In the Configuration > Network > Interface > Trunk screen and the System Default section, select the default trunk entry and click Edit to open the Edit System Default screen. Use this screen to change the load balancing algorithm and view the bandwidth allocations for each member interface.

Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk.

Figure 102 Configuration > Network > Interface > Trunk > Edit (System Default)

Each field is described in the table below.

Table 72 Configuration > Network > Interface > Trunk > Edit (System Default)

Policy and Static Routes

12.1 Policy and Static Routes Overview

Use policy routes and static routes to override the UAG's default routing behavior in order to send packets through the appropriate interface.

For example, the next figure shows a computer (A) connected to the UAG's LAN interface. The UAG routes most traffic from A to the Internet through the UAG's default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN.

Figure 103 Example of Policy Routing Topology

graph TD
    A["Router A"] --> LAN
    R3["Router R3"] --> LAN
    LAN --> WAN
    R1["R1"] --> INTERNET["INTERNET"]
    R2["R2"] --> INTERNET
    subgraph LAN
        R3
        R2
    end
    subgraph WAN
        R1
        R2
    end
    style LAN fill:#f9f,stroke:#333
    style WAN fill:#ccf,stroke:#333

12.1.1 What You Can Do in this Chapter

• Use the Policy Route screens (see Section 12.2 on page 168) to list and configure policy routes.
• Use the Static Route screens (see Section 12.3 on page 173) to list and configure static routes.

12.1.2 What You Need to Know

Policy Routing

Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.

Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.

How You Can Use Policy Routing

• Source-Based Routing – Network administrators can use policy-based routing to direct traffic from different users through different connections.
• Cost Savings – IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost paths while using low-cost paths for batch traffic.
• Load Sharing – Network administrators can use IPPR to distribute traffic among multiple paths.
• NAT - The UAG performs NAT by default for traffic going to or from the WAN interfaces. A routing policy's SNAT allows network administrators to have traffic received on a specified interface use a specified IP address as the source IP address.

Note: The UAG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces. For example LAN to WAN traffic.

Static Routes

The UAG usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the UAG send data to devices not reachable through the default gateway, use static routes.

Policy Routes Versus Static Routes

• Policy routes are more flexible than static routes. You can select more criteria for the traffic to match and can also use schedules, and NAT.
• Policy routes are only used within the UAG itself.
• Policy routes take priority over static routes. If you need to use a routing policy on the UAG and propagate it to other routers, you could configure a policy route and an equivalent static route.

DiffServ

QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.

DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.

DSCP Marking and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

DSCP (6 bits) Unused (2 bits) 

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network device will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different kinds of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

Finding Out More

• See Section 12.4 on page 175 for more background information on policy routing.

12.2 Policy Route Screen

Click Configuration > Network > Routing to open the Policy Route screen. Use this screen to see the configured policy routes.

A policy route defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria can include the user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and port.

The actions that can be taken include:

- Routing the packet to a different gateway, outgoing interface, or trunk.

IPPR follows the existing packet filtering facility of RAS in style and in implementation.

Figure 104 Configuration > Network > Routing > Policy Route

The following table describes the labels in this screen.

Table 73 Configuration > Network > Routing > Policy Route

12.2.1 Policy Route Add/Edit Screen

Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add icon or select an entry and click the Edit icon. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route.

Figure 105 Configuration > Network > Routing > Policy Route > Add/Edit

The following table describes the labels in this screen.

Table 74 Configuration > Network > Routing > Policy Route > Add/Edit

12.3 IP Static Route Screen

Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to propagate the routing information to other routers.

Figure 106 Configuration > Network > Routing > Static Route

The following table describes the labels in this screen.

Table 75 Configuration > Network > Routing > Static Route

12.3.1 Static Route Add/Edit Screen

Click Add or select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.

Figure 107 Configuration > Network > Routing > Static Route > Add

The following table describes the labels in this screen.

Table 76 Configuration > Network > Routing > Static Route > Add/Edit

12.4 Policy Routing Technical Reference

Here is more detailed information about some of the features you can configure in policy routing.

NAT and SNAT

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address in a packet in one network to a different IP address in another network. Use SNAT (Source NAT) to change the source IP address in one network to a different IP address in another network.

Assured Forwarding (AF) PHB for DiffServ

Assured Forwarding (AF) behavior is defined in RFC 2597. The AF behavior group defines four AF classes. Inside each class, packets are given a high, medium or low drop precedence. The drop precedence determines the probability that routers in the network will drop packets when congestion occurs. If congestion occurs between classes, the traffic in the higher class (smaller numbered class) is generally given priority. Combining the classes and drop precedence produces the following twelve DSCP encodings from AF11 through AF43. The decimal equivalent is listed in brackets.

Table 77 Assured Forwarding (AF) Behavior Group

13.1 Zones Overview

Set up zones to configure network security and network policies in the UAG. A zone is a group of interfaces and/or VPN tunnels. The UAG uses zones instead of interfaces in many security and policy settings, such as firewall rules and remote management.

Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.

Figure 108 Example: Zones

graph TD
    subgraph VLAN1
        A["Computer"] --> B["Switch"]
        C["Computer"] --> B
        D["Computer"] --> B
        E["Computer"] --> B
    end
    subgraph VLAN2
        F["Computer"] --> G["Switch"]
        H["Computer"] --> G
        I["Computer"] --> G
        J["Computer"] --> G
        K["Computer"] --> G
    end
    subgraph Ethernet1
        L["Computer"] --> M["Switch"]
        N["Computer"] --> M
        O["Computer"] --> M
        P["Computer"] --> M
    end
    subgraph C
        Q["Computer"] --> R["Switch"]
        S["Computer"] --> R
        T["Computer"] --> R
    end
    subgraph WAN
        U["ISP 1"] --> V["Internet"]
        W["ISP 2"] --> V
    end
    style VLAN1 fill:#f9f,stroke:#333
    style VLAN2 fill:#f9f,stroke:#333
    style INTERNET1 fill:#ccf,stroke:#333
    style INTERNET2 fill:#ccf,stroke:#333
    style CMM1 fill:#ccf,stroke:#333
    style DMZ fill:#ccf,stroke:#333
    style WAN fill:#cfc,stroke:#333

13.1.1 What You Can Do in this Chapter

Use the Zone screens (see Section 13.2 on page 177) to manage the UAG's zones.

13.1.2 What You Need to Know

Effects of Zones on Different Types of Traffic

Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings.

Intra-zone Traffic

• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 108 on page 176, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
• You can set up firewall rules to control intra-zone traffic (for example, DMZ-to-DMZ), but many other types of zone-based security and policy settings do not affect intra-zone traffic.

Inter-zone Traffic

Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 108 on page 176, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply.

Extra-zone Traffic

• Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 108 on page 176, traffic to or from computer C is extra-zone traffic.
• Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.

13.2 The Zone Screen

The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone.

Figure 109 Configuration > Network > Zone

The following table describes the labels in this screen.

Table 78 Configuration > Network > Zone

13.2.1 Zone Add/Edit

The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 13.2 on page 177), and click the Add icon or select an entry and click the Edit icon.

Figure 110 Network > Zone > Add

The following table describes the labels in this screen.

Table 79 Network > Zone > Add/Edit

14.1 DDNS Overview

Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.

14.1.1 What You Can Do in this Chapter

• Use the DDNS screen (see Section 14.2 on page 181) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/ Edit screen (see Section 14.2.1 on page 182) to add a domain name to the UAG or to edit the configuration of an existing domain name.

14.1.2 What You Need to Know

DNS maps a domain name to a corresponding IP address and vice versa. Similarly, dynamic DNS maps a domain name to a dynamic IP address. As a result, anyone can use the domain name to contact you (in NetMeeting, CU-SeeMe, etc.) or to access your FTP server or Web site, regardless of the current IP address.

Note: You must have a public WAN IP address to use Dynamic DNS.

You must set up a dynamic DNS account with a supported DNS service provider before you can use Dynamic DNS services with the UAG. When registration is complete, the DNS service provider gives you a password or key. At the time of writing, the UAG supports the following DNS service providers. See the listed websites for details about the DNS services offered by each.

Table 80 DDNS Service Providers

Note: Record your DDNS account's user name, password, and domain name to use to configure the UAG.

After, you configure the UAG, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly.

14.2 The DDNS Screen

The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.

Figure 111 Configuration > Network > DDNS

The following table describes the labels in this screen.

Table 81 Configuration > Network > DDNS

Table 81 Configuration > Network > DDNS (continued)

14.2.1 The Dynamic DNS Add/Edit Screen

The DDNS Add/ Edit screen allows you to add a domain name to the UAG or to edit the configuration of an existing domain name. Click Configuration > Network > DDNS and then an Add or Edit icon to open this screen.

Figure 112 Configuration > Network > DDNS > Add

The following table describes the labels in this screen.

Table 82 Configuration > Network > DDNS > Add/Edit

15.1 NAT Overview

NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the UAG available outside the private network. If the UAG has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address.

Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 172.16.0.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Figure 113 Multiple Servers Behind NAT Example

graph LR
    A["Server"] --> B["Router"]
    C["Server"] --> B
    D["Server"] --> B
    B --> E["172.16.0.1"]
    B --> F["172.16.0.34"]
    B --> G["172.16.0.35"]
    H["A = 172.16.0.33"] --> B
    I["B = 172.16.0.34"] --> B
    J["C = 172.16.0.35"] --> B
    K["INTERNET"] --> L["Router"]

15.1.1 What You Can Do in this Chapter

Use the NAT screens (see Section 15.2 on page 186) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete existing ones.

15.1.2 What You Need to Know

NAT is also known as virtual server, port forwarding, or port translation.

Finding Out More

• See Section 15.3 on page 190 for technical background information related to these screens.

15.2 The NAT Screen

The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules.

Figure 114 Configuration > Network > NAT

The following table describes the labels in this screen.

Table 83 Configuration > Network > NAT

Table 83 Configuration > Network > NAT (continued)

15.2.1 The NAT Add/Edit Screen

The NAT Add/ Edit screen lets you create new NAT rules and edit existing ones. To open this window, open the NAT summary screen. (See Section 15.2 on page 186.) Then, click on the Add icon or select an entry and click the Edit icon to open the following screen.

Figure 115 Configuration > Network > NAT > Add

The following table describes the labels in this screen.

Table 84 Configuration > Network > NAT > Add/Edit

15.3 NAT Technical Reference

Here is more detailed information about NAT on the UAG.

NAT Loopback

Suppose an NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server.

For example, a LAN user's computer at IP address 172.16.0.89 queries a public DNS server to resolve the SMTP server's domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP server's mapped public IP address of 1.1.1.1.

Figure 116 LAN Computer Queries a Public DNS Server

graph TD
    A["INTERNET"] -->|xxx.LAN-SMTP.com = ? 1.1.1.1| B["DNS"]
    B -->|xxx.LAN-SMTP.com = 1.1.1.1| C["LAN"]
    C -->|172.16.0.21| D["Server"]
    C -->|172.16.0.89| E["Computer"]

The LAN user's computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the UAG's lan1 interface (172.16.0.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.

Figure 117 LAN to LAN Traffic

graph TD
    A["NAT"] -->|Source 172.16.0.1\nSMTP| B["LAN"]
    A -->|Source 172.16.0.89\nSMTP| C["Router"]
    B -->|172.16.0.21| C
    C -->|172.16.0.89| D["Computer"]

The LAN SMTP server replies to the UAG's LAN IP address and the UAG changes the source address to 1.1.1.1 before sending it to the LAN user. The return traffic's source matches the original destination address (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic going through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session.

Figure 118 LAN to LAN Return Traffic

graph TD
    A["NAT"] -->|Source 172.16.0.21 SMTP| B["LAN"]
    A -->|Source 1.1.1 SMTP| C["Computer"]
    B -->|172.16.0.21| D["Router"]
    C -->|172.16.0.89| D

VPN 1-1 mapping allows an authenticated user in your network to access the Internet or an external server using a public IP address different from the one used by the UAG's WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address. This helps especially when multiple users need to access different remote servers through separate VPN tunnels via the UAG. Each user can use a unique public IP address to transmit traffic through a separate VPN tunnel. The VPN connection will not be disconnected due to response packets with the same source IP address coming from remote servers in different VPN tunnels.

For example, users A and B are behind the UAG and both want to use a unique WAN IP address to access a public server through the UAG's WAN1 interface. After the user is authenticated by the UAG and meets the criteria in a VPN 1-1 mapping rule, the UAG applies the rule settings and assigns a public IP address to the user. Outgoing traffic from user A will then be sent through the WAN1 interface using the mapped public IP address 10.10.1.35. Outgoing traffic from user B will be sent through the WAN1 interface using the mapped public IP address 10.10.1.36.

Figure 119 VPN 1-1 Mapping Example

graph TD
    A["Computer"] -->|10.10.1.35| WAN1["Switch"]
    B["Computer"] -->|10.10.1.36| WAN1
    WAN1 -->|10.10.1.35| INTERNET["Internet"]
    WAN1 -->|10.10.1.36| LAN["Server"]
    LAN -->|10.10.1.35| LAN
    LAN -->|10.10.1.36| LAN
    LAN -->|10.10.1.35| LAN
    LAN -->|10.10.1.36| LAN
    LAN -->|10.10.1.35| LAN
    LAN -->|10.10.1.36| LAN

16.1.1 What You Can Do in this Chapter

• Use the VPN 1-1 Mapping screens (see Section 16.2 on page 193) to enable and configure VPN 1-1 mapping to assign a public IP address to each of users that match the rules.
• Use the VPN 1-1 Mapping > Profile screen (see Section 16.3 on page 195) to configure a pool profile which defines the public IP address(es) that the UAG assigns to the matched users and the interface through which the user's traffic is forwarded.

16.1.2 What You Need to Know

VPN 1-1 Mapping, Firewall and Policy Route

With VPN 1-1 mapping, the relevant packet flow for traffic from the matched user is:

1 Firewall
2 Policy Route
3 VPN 1-1 Mapping

If you set a policy route to the same user/user group as a VPN 1-1 mapping rule, the UAG checks the policy routing rules first and forwards the traffic to a specified next-hop if matched. You need to make sure there is no firewall rule(s) blocking the traffic from the matched user or user group.

To make the example in Figure 119 on page 192 work, make sure you have the following settings. For traffic between lan1, lan2 or dmz and wan1:

• a from LAN1/LAN2/DMZ to WAN1 firewall rule (default) to allow any traffic from the user A/B from Ian1, Ian2 or dmz to wan1. Responses to this request are allowed automatically.
• a VPN 1-1 mapping rule to forward any traffic from the user A/B through the wan1 interface using a unique public IP address.

16.2 The VPN 1-1 Mapping General Screen

The VPN 1-1 Mapping summary screen provides a summary of all VPN 1-1 mapping rules and their configuration. In addition, this screen allows you to create new VPN 1-1 mapping rules and edit and delete existing VPN 1-1 mapping rules. To access this screen, login to the Web Configurator and click Configuration > Network > VPN 1-1 Mapping. The following screen appears, providing a summary of the existing VPN 1-1 mapping rules.

Figure 120 Configuration > Network > VPN 1-1 Mapping

The following table describes the labels in this screen.

Table 85 Configuration > Network > VPN 1-1 Mapping

16.2.1 The VPN 1-1 Mapping Add/Edit Screen

Click Network > VPN 1-1 Mapping to open the VPN 1-1 Mapping > General screen. Then click the Add icon or select an entry and click the Edit icon to open the VPN 1-1 Mapping Add/ Edit Policy screen where you can configure the rule.

Figure 121 Network > VPN 1-1 Mapping > Add

The following table describes the labels in this screen.

Table 86 Network > VPN 1-1 Mapping > Add/Edit

16.3 The VPN 1-1 Mapping Profile Screen

The VPN 1-1 Mapping Profile summary screen provides a summary of all pool profiles for VPN 1-1 mapping and their configuration. In addition, this screen allows you to create new pool profiles and edit and delete existing profiles. A pool profile defines the public IP address(es) that the UAG assigns to the matched users and the interface through which the user's traffic is forwarded. To access this screen, login to the Web Configurator and click Configuration > Network > VPN 1-1 Mapping > Profile. The following screen appears, providing a summary of the existing IP address pool profiles.

Figure 122 Configuration > Network > VPN 1-1 Mapping > Profile

The following table describes the labels in this screen.

Table 87 Configuration > Network > VPN 1-1 Mapping > Profile

17.1 Overview

HTTP redirect forwards the client's HTTP request (except HTTP traffic destined for the UAG) to a web proxy server. In the following example, proxy server A is connected to the Ian2 interface in the LAN2 zone. When a client connected to the Ian1 interface in the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get them from a server. Proxy server A then forwards the response to the client.

Figure 123 HTTP Redirect Example

17.1.1 What You Can Do in this Chapter

Use the HTTP Redirect screens (see Section 17.2 on page 198) to display and edit the HTTP redirect rules.

17.1.2 What You Need to Know

Web Proxy Server

A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses.

A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.

HTTP Redirect, Firewall and Policy Route

With HTTP redirect, the relevant packet flow for HTTP traffic is:

1 Firewall

2 HTTP Redirect

3 Policy Route

Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule, the UAG checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched. You need to make sure there is no firewall rule(s) blocking the HTTP requests from the client to the proxy server.

You also need to manually configure a policy route to forward the HTTP traffic from the proxy server to the Internet. To make the example in Figure 123 on page 197 work, make sure you have the following settings.

For HTTP traffic between lan1 and lan2:

• a from LAN1 to LAN2 firewall rule to allow HTTP requests from Ian1 to Ian2. Responses to this request are allowed automatically.
• a HTTP redirect rule to forward HTTP traffic from Ian1 to proxy server A.

For HTTP traffic between lan2 and wan1:

• a from LAN2 to WAN firewall rule (default) to allow HTTP requests from lan2 to wan1. Responses to these requests are allowed automatically.
• a policy route to forward HTTP traffic from proxy server A to the Internet.

17.2 The HTTP Redirect Screen

To configure redirection of a HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules.

Note: You can configure up to one HTTP redirect rule for each (incoming) interface.

Figure 124 Configuration > Network > HTTP Redirect

The following table describes the labels in this screen.

Table 88 Configuration > Network > HTTP Redirect

17.2.1 The HTTP Redirect Add/Edit Screen

Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add icon or select an entry and click the Edit icon to open the screen where you can configure the rule.

Figure 125 Network > HTTP Redirect > Add/Edit

The following table describes the labels in this screen.

Table 89 Network > HTTP Redirect > Add/Edit

SMTP Redirect

18.1 Overview

SMTP redirect forwards the authenticated client's SMTP message to a SMTP server, that handles all outgoing e-mail messages. In the following example, SMTP server A is connected to the Ian2 interface in the LAN2 zone. When a client connected to the Ian1 interface in the LAN1 zone logs into the UAG and wants to send an e-mail, its SMTP message is redirected to SMTP server A. SMTP server A then sends it to a mail server, where the message will be delivered to the recipient.

The UAG forwards SMTP traffic using TCP port 25.

Figure 126 SMTP Redirect Example

graph TD
    subgraph LAN1
        A["Computer"] --> B["Switch"]
        C["Computer"] --> B
        B --> D["LAN1"]
    end
    subgraph LAN2
        E["Server"] --> F["Switch"]
        G["Server"] --> F
        F --> H["LAN2"]
    end
    subgraph WAN
        I["Cloud"] --> J["Server"]
    end
    subgraph Internet
        K["Internet"] --> L["Server"]
    end

18.1.1 What You Can Do in this Chapter

Use the SMTP Redirect screens (see Section 18.2 on page 202) to display and edit the SMTP redirect rules.

18.1.2 What You Need to Know

SMTP

Simple Mail Transfer Protocol (SMTP) is the Internet's message transport standard. It controls the sending of e-mail messages between servers. E-mail clients (also called e-mail applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail

server. The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it. This is why many e-mail applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server).

SMTP Redirect, Firewall and Policy Route

With SMTP redirect, the relevant packet flow for SMTP traffic is:

1 Firewall

2 SMTP Redirect

3 Policy Route

Even if you set a policy route to the same incoming interface and service as a SMTP redirect rule, the UAG checks the SMTP redirect rules first and forwards SMTP traffic to a SMTP server if matched. You need to make sure there is no firewall rule(s) blocking the SMTP traffic from the client to the SMTP server.

You also need to manually configure a policy route to forward the SMTP traffic from the SMTP server to the Internet. To make the example in Figure 126 on page 201 work, make sure you have the following settings.

For SMTP traffic between lan1 and lan2:

• a from LAN1 to LAN2 firewall rule to allow SMTP messages from Ian1 to Ian2. Responses to this request are allowed automatically.
• a SMTP redirect rule to forward SMTP traffic from Ian1 to SMTP server A.

For SMTP traffic between lan2 and wan1:

• a from LAN2 to WAN firewall rule (default) to allow SMTP messages from lan2 to wan1. Responses to these requests are allowed automatically.
• a policy route to forward SMTP messages from SMTP server A to the Internet.

18.2 The SMTP Redirect Screen

To configure redirection of a SMTP message to a SMTP server, click Configuration > Network > SMTP Redirect. This screen displays the summary of the SMTP redirect rules.

Note: You can configure up to one SMTP redirect rule for each (incoming) interface.

Figure 127 Configuration > Network > SMTP Redirect

The following table describes the labels in this screen.

Table 90 Configuration > Network > SMTP Redirect

18.2.1 The SMTP Redirect Add/Edit Screen

Click Network > SMTP Redirect to open the SMTP Redirect screen. Then click the Add icon or select an entry and click the Edit icon to open the screen where you can configure the rule.

Figure 128 Network > SMTP Redirect > Add/Edit

The following table describes the labels in this screen.

Table 91 Network > SMTP Redirect > Add/Edit

19.1 ALG Overview

Application Layer Gateway (ALG) allows the following application to operate properly through the UAG's NAT.

- FTP - File Transfer Protocol - an Internet file transfer service.

The ALG feature is only needed for traffic that goes through the UAG's NAT.

19.1.1 What You Can Do in this Chapter

Use the ALG screen (Section 19.2 on page 206) to set up the FTP ALG settings.

19.1.2 What You Need to Know

Application Layer Gateway (ALG), NAT and Firewall

The UAG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly applications to operate properly through the UAG's NAT and firewall. The UAG dynamically creates an implicit NAT session and firewall session for the application's traffic from the WAN to the LAN. The ALG on the UAG supports all of the UAG's NAT mapping types.

FTP ALG

The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server is located on the LAN, you must also configure NAT (port forwarding) and firewall rules if you want to allow access to the server from the WAN.

ALG and Trunks

If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses.

You could also have a trunk with one interface set to active and a second interface set to passive. The UAG does not automatically change ALG-managed connections to the second (passive) interface when the active interface's connection goes down. When the active interface's connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface.

19.1.3 Before You Begin

You must also configure the firewall and enable NAT in the UAG to allow sessions initiated from the WAN.

19.2 The ALG Screen

Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn the ALG off or on, configure the port numbers to which it applies.

Figure 129 Configuration > Network > ALG

The following table describes the labels in this screen.

Table 92 Configuration > Network > ALG

20.1 Overview

The UAG supports both UPnP and NAT-PMP to permit networking devices to discover each other and connect seamlessly.

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use. A gateway that supports UPnP is called Internet Gateway Device (IGD). The standardized Device Control Protocol (DCP) is defined by the UPnP Forum for IGDs to configure port mapping automatically.

NAT Port Mapping Protocol (NAT-PMP), introduced by Apple and implemented in current Apple products, is used as an alternative NAT traversal solution to the UPnP IGD protocol. NAT-PMP runs over UDP port 5351. NAT-PMP is much simpler than UPnP IGD and mainly designed for small home networks. It allows a client behind a NAT router to retrieve the router's public IP address and port number and make them known to the peer device with which it wants to communicate. The client can automatically configure the NAT router to create a port mapping to allow the peer to contact it.

20.2 What You Need to Know

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

20.2.1 NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

• Dynamic port mapping
- Learning public IP addresses
- Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See the NAT chapter for more information on NAT.

20.2.2 Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the UAG allows multicast messages on the LAN only.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

20.3 UPnP Screen

Use this screen to enable UPnP and NAT-PMP on your UAG.

Click Configuration > Network > UPnP to display the screen shown next.

Figure 130 Configuration > Network > UPnP

The following table describes the fields in this screen.

Table 93 Configuration > Network > UPnP

20.4 Technical Reference

The sections show examples of using UPnP.

20.4.1 Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the UAG.

Make sure the computer is connected to a LAN port of the UAG. Turn on your computer and the UAG.

20.4.1.1 Auto-discover Your UPnP-enabled Network Device

1 Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.

Figure 131 Network Connections

3 In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.

Figure 132 Internet Connection Properties

4 You may edit or delete the port mappings or click Add to manually add port mappings.

Figure 133 Internet Connection Properties: Advanced Settings

Figure 134 Internet Connection Properties: Advanced Settings: Add

Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

5 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.

Figure 135 System Tray Icon

6 Double-click on the icon to display your current Internet connection status.

Figure 136 Internet Connection Status

20.4.2 Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the UAG without finding out the IP address of the UAG first. This comes helpful if you do not know the IP address of the UAG.

Follow the steps below to access the web configurator.

1 Click Start and then Control Panel.
2 Double-click Network Connections.

3 Select My Network Places under Other Places.

Figure 137 Network Connections

4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your UAG and select Invoke. The web configurator login screen displays.

Figure 138 Network Connections: My Network Places

6 Right-click on the icon for your UAG and select Properties. A properties window displays with basic information about the UAG.

Figure 139 Network Connections: My Network Places: Properties: Example

21.1 IP/MAC Binding Overview

IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The UAG uses DHCP to assign IP addresses and records to MAC address it assigned each IP address. The UAG then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the UAG.

Suppose you configure access privileges for IP address 172.16.1.27 and use static DHCP to assign it to Bob's computer's MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any computer trying to use IP address 172.16.1.27 with another MAC address.

Figure 140 IP/MAC Binding Example

graph TD
    Bob["Bob"] -->|MAC: 12:34:56:78:90:AB\nIP: 172.16.1.27| Router["Router"]
    Jim["Jim"] -->|MAC: AB:CD:EF:12:34:56\nIP: 172.16.1.27| Router

21.1.1 What You Can Do in this Chapter

• Use the Summary and Edit screens (Section 21.2 on page 215) to bind IP addresses to MAC addresses.
• Use the Exempt List screen (Section 21.3 on page 217) to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding.

21.1.2 What You Need to Know

DHCP

IP/MAC address bindings are based on the UAG's dynamic and static DHCP entries.

Interfaces Used With IP/MAC Binding

IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface's configuration screen.

21.2 IP/MAC Binding Summary

Click Configuration > Network > IP/ MAC Binding to open the IP/ MAC Binding Summary screen. This screen lists the total number of IP to MAC address bindings for devices connected to each supported interface.

Figure 141 Configuration > Network > IP/MAC Binding > Summary

The following table describes the labels in this screen.

Table 94 Configuration > Network > IP/MAC Binding > Summary

21.2.1 IP/MAC Binding Edit

Select an entry and click the Edit icon in the Configuration > Network > IP/ MAC Binding > Summary screen to open the screen. Use this screen to configure an interface's IP to MAC address binding settings.

Figure 142 Configuration > Network > IP/MAC Binding > Summary > Edit

The following table describes the labels in this screen.

Table 95 Configuration > Network > IP/MAC Binding > Summary > Edit

21.2.2 Static DHCP Add/Edit

In the Configuration > Network > IP/ MAC Binding > Summary > Edit screen, click the Add icon or select an entry and click the Edit icon to open the following screen. Use this screen to configure an interface's IP to MAC address binding settings.

Figure 143 Configuration > Network > IP/MAC Binding > Summary > Edit > Add

The following table describes the labels in this screen.

Table 96 Configuration > Network > IP/MAC Binding > Summary > Edit > Add/Edit

21.3 IP/MAC Binding Exempt List

Click Configuration > Network > IP/ MAC Binding > Exempt List to open the IP/ MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding.

Figure 144 Configuration > Network > IP/MAC Binding > Exempt List

The following table describes the labels in this screen.

Table 97 Configuration > Network > IP/MAC Binding > Exempt List

Layer 2 Isolation

22.1 Overview

Layer-2 isolation is used to prevent connected devices from communicating with each other in the UAG's local network(s), on which layer-2 isolation is enabled, except the devices in the white list.

Note: Layer-2 isolation does not check the wireless traffic.

In the following example, layer-2 isolation is enabled on the UAG's interface Ian2. A printer, PC and AP are connected to Ian2. The IP address of the network printer (C) is added to the white list. The connected AP then cannot communicate with the PC (D), but can access the network printer (C), server (B), wireless client (A) and the Internet.

Figure 145 Layer-2 Isolation Application

graph TD
    A["Computer"] -->|A| B["Server"]
    B -->|B| C["Client"]
    C -->|C| D["Printer"]
    D -->|D| E["AP"]
    E -->|E| F["Internet"]
    F -->|F| G["UAG"]
    G -->|GND| H["LAN2"]
    H -->|HND| I["AP"]
    I -->|I| J["Client"]
    style H stroke:#ff0000,stroke-width:2px
    style I stroke:#ff0000,stroke-width:2px
    style J stroke:#ff0000,stroke-width:2px

22.1.1 What You Can Do in this Chapter

• Use the General screen (Section 22.2 on page 220) to enable layer-2 isolation on the UAG and the internal interface(s).
• Use the White List screen (Section 22.3 on page 220) to enable and configures the white list.

22.2 Layer-2 Isolation General Screen

This screen allows you to enable Layer-2 isolation on the UAG and specific internal interface(s). To access this screen click Configuration > Network > Layer 2 Isolation.

Figure 146 Configuration > Network > Layer 2 Isolation

The following table describes the labels in this screen.

Table 98 Configuration > Network > Layer 2 Isolation

22.3 White List

IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer-2-isolation-enabled internal interface(s) except for broadcast packets.

To access this screen click Configuration > Network > Layer 2 Isolation > White List.

Figure 147 Configuration > Network > Layer 2 Isolation > White List

The following table describes the labels in this screen.

Table 99 Configuration > Network > Layer 2 Isolation > White List

22.3.1 Add/Edit White List Rule

This screen allows you to create a new rule in the white list or edit an existing one. To access this screen, click the Add button or select an entry from the list and click the Edit button.

Note: You can configure up to 20 white list rules on the UAG.

Note: You need to know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled.

Figure 148 Configuration > Network > Layer 2 Isolation > White List > Add/Edit

The following table describes the labels in this screen.

Table 100 Configuration > Network > Layer 2 Isolation > White List > Add/Edit

23.1 Overview

IP Plug and Play (IPnP) allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the UAG are not in the same subnet.

When you disable the IPnP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the UAG's LAN IP address can connect to the UAG or access the Internet through the UAG.

The IPnP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the UAG's IP address.

Note: You must enable NAT to use the IPnP feature.

The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment. In a residential house where a UAG is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the UAG are not in the same subnet.

Figure 149 IPnP Application

graph TD
    A["192.168.1.23"] --> B["House"]
    B --> C["172.16.0.1"]
    C --> D["Server"]
    D --> E["INTERNET"]
    style A fill:#f9f,stroke:#333
    style B fill:#ccf,stroke:#333
    style C fill:#cfc,stroke:#333
    style D fill:#fcc,stroke:#333
    style E fill:#cff,stroke:#333

23.1.1 What You Can Do in this Chapter

Use the IP screen (Section 23.2 on page 224) to enable IPnP on the UAG and the internal interface(s).

23.2 IPnP Screen

This screen allows you to enable IPnP on the UAG and specific internal interface(s). To access this screen click Configuration > Network > IPnP.

Figure 150 Configuration > Network > IPnP

The following table describes the labels in this screen.

Table 101 Configuration > Network > IPnP

Web Authentication

24.1 Overview

Web authentication can intercepts network traffic, according to the authentication policies, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions. Once authentication is successful, they can then connect to the rest of the network or Internet.

As soon as a user attempt to open a web page, the UAG reroutes his/her browser to a web portal page that prompts he/she to log in.

Figure 151 Web Authentication Example

graph TD
    A["LAN"] --> B["Router"]
    C["WLAN"] --> B
    D["Laptop"] --> B
    E["Laptop"] --> B
    F["Computer"] --> B
    G["Printer"] --> B
    H["Internet"] --> I["Web Authentication Portal Page"]
    J["WAN"] --> I
    B --> K["ZyXEL UACHELS"]
    B --> L["Web Authentication Portal Page"]
    style B fill:#f9f,stroke:#333
    style I fill:#ccf,stroke:#333

The web authentication page only appears once per authentication session. Unless a user session times out or he/she closes the connection, he or she generally will not see it again during the same session.

24.1.1 What You Can Do in this Chapter

• Use the Configuration > Web Authentication screens (Section 24.2 on page 226) to create and manage web authentication policies.
• Use the Configuration > Web Authentication > Walled Garden screens (Section 24.3 on page 240) to enable and create walled garden links that display in the login screen.
• Use the Configuration > Web Authentication > Advertisement screens (Section 24.4 on page 242) to enable and set advertisement links.

24.1.2 What You Need to Know

Forced User Authentication

Instead of making users for which user-aware policies have been configured go to the UAG Login screen manually, you can configure the UAG to display the Login screen automatically whenever it routes HTTP traffic for anyone who has not logged in yet.

Note: This works with HTTP traffic only. The UAG does not display the Login screen when users attempt to send other kinds of traffic.

The UAG does not automatically route the request that prompted the login, however, so users have to make this request again.

Finding Out More

See Section 24.2.2 on page 233 for an example of using an authentication policy for user-aware access control.

24.2 Web Authentication Screen

The Web Authentication screen displays the web portal settings and web authentication policies you have configured on the UAG. The screen differs depending on what you select in the Authentication field.

Click Configuration > Web Authentication to display the screen.

Figure 152 Configuration > Web Authentication (Web Portal)

Figure 153 Configuration > Web Authentication (User Agreement)

The following table gives an overview of the objects you can configure.

Table 102 Configuration > Web Authentication

LABEL DESCRIPTION
Authentication	Select Web Portal or User Agreement to turn on the web authentication feature. Otherwise, select None to turn it off.Once enabled, all network traffic is blocked until a client authenticates with the UAG through the specifically designated web portal or user agreement page.If you select User agreement, by agreeing to the policy of user agreement, users can access the Internet without a guest account.
The following fields are available if you set Authentication to Web Portal.
Logout IP Specify	an IP address that users can use to terminate their sessions manually by entering the IP address in the address bar of the web browser.
Enable Terms of Service	Select this option to force users to agree to the terms before they can use the service. An agreement checkbox will display in the login page.
Internal Web Portal	Select this to use the default login page built into the UAG. If you later assign a custom login page, you can still return to the UAG's default page as it is saved indefinitely.The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network.You can customize the login page built into the UAG in the System > WWW > Login Page screen.
Welcome URL	Specify the welcome page's URL; for example, http://IIS server IP Address/welcome.html.Users will be redirected to the welcome page after authentication. This field is optional.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Preview Click a	button to display the "Terms of Service" page you uploaded to the UAG.
File Name This	shows the file name of the "Terms of Service" page in the UAG.Click Download to download the "Terms of Service" page from the UAG to your computer.
File Path /Browse /Upload	Browse for the "Terms of Service" page or enter the file path in the available input box, then click the Upload button to put it on the UAG.
Restore File to Default	Click Restore to set the UAG back to use the default "Terms of Service" page.
Download	Click this to download an example internal "Terms of Service" page from the UAG for your reference.
External Web Portal	Select this to use a custom login page from an external web portal instead of the default one built into the UAG. You can configure the look and feel of the web portal page.
Login URL	Specify the login page's URL; for example, http://IIS server IP Address/login.html.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Logout URL	Specify the logout page's URL; for example, http://IIS server IP Address/logout.html.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Welcome URL	Specify the welcome page's URL; for example, http://IIS server IP Address/welcome.html.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Session URL	Specify the session page's URL; for example, http://IIS server IP Address/session.html.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Error URL	Specify the error page's URL; for example, http://IIS server IP Address/error.html.The Internet Information Server (IIS) is the web server on which the web portal files are installed.
Download	Click this to download an example web portal file for your reference.
The following fields are available if you set Authentication to User Agreement.
Enable Idle Detection	This is applicable for access users.Select this check box if you want the UAG to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The UAG automatically logs out the access user once the Idle timeout has been reached.
Idle timeout This is applicable for access users.This field is effective when Enable Idle Detection is checked. Type the number of minutes each access user can be logged in and idle before the UAG automatically logs out the access user.
Reauthentication Time	Enter the number of minutes the user can be logged into the UAG in one session before having to log in again.
Internal User Agreement	Select this to use the user agreement pages built into the UAG. The user agreement page appears whenever the UAG intercepts network traffic, preventing unauthorized users from gaining access to the network.
Use Customized Web Pages	Select this to use the custom user agreement pages that are uploaded to the UAG.
Preview Click a button to display the corresponding page you uploaded to the UAG.
File Name This shows the file name of the zipped user agreement file in the UAG.Click Download to download the user agreement file from the UAG to your computer.
File Path /Browse /Upload	Browse for the user agreement file or enter the file path in the available input box, then click the Upload button to put it on the UAG.
Restore Customization File to Default	Click Restore to set the UAG back to use the default built-in user agreement pages.
Download	Click this to download an example internal user agreement file from the UAG for your reference.
External User Agreement	Select this to use custom user agreement pages from an external web server instead of the default one built into the UAG. You can configure the look and feel of the user agreement page.
Agreement URL	Specify the user agreement page's URL; for example, http://IIS server IP Address/logout.html.The Internet Information Server (IIS) is the web server on which the user agreement files are installed.
Welcome URL	Specify the welcome page's URL; for example, http://IIS server IP Address/welcome.html.The Internet Information Server (IIS) is the web server on which the user agreement files are installed.If you leave this field blank, the UAG will use the welcome page of internal user agreement file.
Download	Click this to download an example external user agreement file for your reference.
The following fields are available if you set Authentication to Web Portal or User Agreement.
Exceptional Services	Use this table to list services that users can access without logging in.ClickAddto change the list's membership. A screen appears. Available services appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button to add them. The member services are on the right. Select any service that you want to remove from the member list, and click the left arrow button to remove them.Keeping DNS as a member allows users' computers to resolve domain names into IP addresses.Figure 154 Configuration > Web Authentication > Add Exceptional ServiceIn the table, select one or more entries and clickRemoveto delete it or them.
Web Authentication Policy Summary	Use this table to manage the UAG's list of web authentication policies.
Add	Click this to create a new entry. Select an entry and clickAddto create a new entry after the selected entry.
Edit	Double-click an entry or select it and clickEditto open a screen where you can modify the entry's settings.
Remove	To remove an entry, select it and clickRemove. The UAG confirms you want to remove it before doing so.
Activate	To turn on an entry, select it and clickActivate.
Inactivate	To turn off an entry, select it and click Inactivate.
Move	To move an entry to a different number in the list, click theMoveicon. In the field that appears, specify the number to which you want to move the interface.
Status This icon is	lit when the entry is active and dimmed when the entry is inactive.
Priority This is the	position of the authentication policy in the list. The priority is important as the policies are applied in order of priority.Defaultdisplays for the default authentication policy that the UAG uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it.
Incoming Interface	This field displays the interface on which packets for this policy are received.
Source This displays the source address object to which this policy applies.
Destination This displays the destination address object to which this policy applies.
Schedule	This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled.
Authentication	This field displays the authentication requirement for users when their traffic matches this policy.unnecessary- Users do not need to be authenticated.required- Users need to be authenticated. They must manually go to the login screen. The UAG will not redirect them to the login screen.force- Users need to be authenticated. The UAG automatically displays the login screen whenever it routes HTTP traffic for users who have not logged in yet.
Description	If the entry has a description configured, it displays here. This is n/ a for the default policy.
Apply Click this button to save your changes to the UAG.
Reset	Click this button to return the screen to its last-saved settings.

24.2.1 Adding/Editing an Authentication Policy

Open the Configuration > Web Authentication screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/ Edit screen. Use this screen to configure an authentication policy.

Figure 155 Configuration > Web Authentication > Add

The following table gives an overview of the objects you can configure.

Table 103 Configuration > Web Authentication > Add/Edit

24.2.2 User-aware Access Control Example

You can configure many policies and security settings for specific users or groups of users. Users can be authenticated locally by the UAG or by an external (RADIUS) authentication server.

In this example the users are authenticated by an external RADIUS server at 172.16.1.200. First, set up the user accounts and user groups in the UAG. Then, set up user authentication using the RADIUS server. Finally, set up the policies in the table above.

24.2.2.1 Set Up User Accounts

Set up user accounts in the RADIUS server. This example uses the Web Configurator. If you can export user names from the RADIUS server to a text file, then you might configure a script to create the user accounts instead.

1 Click Configuration > Object > User/ Group > User. Click the Add icon.
2 Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.

Figure 156 Configuration > Object > User/Group > User > Add

3 Repeat this process to set up the remaining user accounts.

24.2.2.2 Set Up User Groups

Set up the user groups and assign the users to the user groups.

1 Click Configuration > Object > User/ Group > Group. Click the Add icon.
2 Enter the name of the group. In this example, it is "Finance". Then, select Object/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.

Figure 157 Configuration > Object > User/Group > Group > Add

3 Repeat this process to set up the remaining user groups.

24.2.2.3 Set Up User Authentication Using the RADIUS Server

This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the UAG to use the authentication method. Finally, force users to log into the UAG before it routes traffic for them.

1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server's address, authentication port (1812 if you were not told otherwise), and key. Click Apply.

Figure 158 Configuration > Object > AAA Server > RADIUS > Add

2 Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the UAG should use the specified RADIUS server for authentication. Click OK.

Figure 159 Configuration > Object > Auth. method > Edit

3 Click Configuration > Web Authentication. In the Web Authentication screen, select Web Portal to enable web authentication and click Apply.

Figure 160 Configuration > Web Authentication

4 In the Web Authentication Policy Summary section, click the Add icon.
5 Set up a default policy that forces every user to log into the UAG before the UAG routes traffic for them. Select Enable Policy. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK.

Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN.

Figure 161 Configuration > Web Authentication > Add

When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server.

24.2.2.4 User Group Authentication Using the RADIUS Server

The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.

1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server's address, authentication port, and key; set the Group Membership Attribute field to the attribute that the UAG is to check to determine to which group a user belongs. This example uses Class. This attribute's value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.

Figure 162 Configuration > Object > AAA Server > RADIUS > Add

2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/ Group > User. Click the Add icon.

Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.

Figure 163 Configuration > Object > User/Group > User > Add

3 Repeat this process to set up the remaining groups of user accounts.

24.3 Walled Garden Screen

A user must log in before the UAG allows the user's access to the Internet. However, with a walled garden, you can define one or more web site addresses that all users can access without logging in. These can be used for advertisements for example.

Use this screen to configure walled garden web addresses for web sites that all users are allowed to access without logging in. The web site link(s) then displays in the user login screen.

Click Configuration > Web Authentication > Walled Garden to display the screen.

Figure 164 Configuration > Web Authentication > Walled Garden

The following table gives an overview of the objects you can configure.

Table 104 Configuration > Web Authentication > Walled Garden

24.3.1 Adding/Editing a Walled Garden URL

In the Configuration > Web Authentication > Walled Garden screen, click the Add icon or select an entry and click the Edit icon in the Walled Garden Summary section to open the Add/Edit Walled Garden URL screen. Use this screen to configure a walled garden web site address entry.

Note: You can configure up to 20 walled garden URL links.

Figure 165 Configuration > Web Authentication > Walled Garden > Add/Edit

The following table gives an overview of the objects you can configure.

Table 105 Configuration > Web Authentication > Walled Garden > Add/Edit

24.3.2 Walled Garden Login Example

The following figure shows the user login screen with two walled garden links. The links are named WalledGardenLink1 through 2 for demonstration purposes.

Figure 166 Walled Garden Login Example

24.4 Advertisement Screen

Use this screen to set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet.

Click Configuration > Web Authentication > Advertisement to display the screen.

Figure 167 Configuration > Web Authentication > Advertisement

The following table gives an overview of the objects you can configure.

Table 106 Configuration > Web Authentication > Advertisement

24.4.1 Adding/Editing an Advertisement URL

Go to Configuration > Web Authentication > Advertisement, and then click the Add icon or select an entry and click the Edit icon in the Advertisement Summary section to open the Add/Edit Advertisement URL screen. Use this screen to configure an advertisement address entry.

Note: You can create up to 20 advertisement URL entries. The UAG randomly picks one and open the specified web site in a new frame when an authenticated user is attempts to access the Internet.

Figure 168 Configuration > Web Authentication > Advertisement > Add/Edit

The following table gives an overview of the objects you can configure.

Table 107 Configuration > Web Authentication > Advertisement > Add/Edit

25.1 Overview

Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions.

This example shows the UAG's default firewall behavior for WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the firewall allows the response. However, the firewall blocks Telnet traffic initiated from the WAN zone and destined for the LAN zone. The firewall allows VPN traffic between any of the networks.

Figure 169 Default Firewall Action

graph LR
    A["LAN"] --> B["Computer"]
    B --> C["Router"]
    C --> D["INTERNET"]
    D --> E["WAN"]
    style A fill:#FFD700,stroke:#333
    style B fill:#FFA500,stroke:#333
    style C fill:#E6F2FF,stroke:#333
    style D fill:#B2C4A2,stroke:#333
    style E fill:#FFD700,stroke:#333

25.1.1 What You Can Do in this Chapter