TRENDnet TW100-BRV204 User Manual

Cable/DSL 4-Port VPN Firewall Router

Summary of Contents for TRENDnet TW100-BRV204

  • Page 3: Table Of Contents

    Table of Contents
    CHAPTER 1 INTRODUCTION .... 1
      TW100-BRV204 Features .... 1
      Package Contents .... 3
      Physical Details .... 4
    CHAPTER 2 INSTALLATION .... 7
      Requirements .... 7
      Procedure .... 7
    CHAPTER 3 SETUP .... 9
      Overview .... 9
      Configuration Program .... 10
      Setup Wizard .... 13
      LAN Screen ....
  • Page 4
      VPN Configuration .... 73
      VPN Examples .... 83
      Certificates .... 101
      CRLs .... 105
      Status .... 106
    CHAPTER 9 MICROSOFT VPN .... 108
      Overview .... 108
      Server Setup .... 108
      Client Database .... 109
      Status Screen .... 111
      Windows Client Setup .... 112
    CHAPTER 10 OTHER FEATURES & SETTINGS .... 120
      Overview ....
  • Page 5: Chapter 1 Introduction

    Chapter 1 Introduction This Chapter provides an overview of the TW100-BRV204's features and capabilities. Congratulations on the purchase of your new TW100-BRV204. The TW100-BRV204 is a multi-function device providing the following services: • Shared Broadband Internet Access for all LAN users. •...
  • Page 6: Advanced Internet Functions

    TW100-BRV204 User’s Guide Advanced Internet Functions • Communication Applications. Support for Internet communication applications, such as interactive Games, Telephony, and Conferencing applications, which are often difficult to use when behind a Firewall, is included. • Special Internet Applications. Applications which use non-standard connections or port numbers are normally blocked by the Firewall.
  • Page 7: Package Contents

    Introduction Security Features • Password-protected Configuration. Optional password protection is provided to prevent unauthorized users from modifying the configuration data and settings. • NAT Protection. An intrinsic side effect of NAT (Network Address Translation) technology is that by allowing all LAN users to share a single IP address, the location and even the existence of each PC is hidden.
  • Page 8: Physical Details

    Physical Details Front-mounted LEDs Figure 2: Front Panel Power On - Power on. Off - No power. Status (Red) On - Error condition. Off - Normal operation. Blinking - This LED blinks during start up. Each port has 2 LEDs •...
  • Page 9: Rear Panel

    Rear Panel Figure 3: Rear Panel Reset Button This button has two (2) functions: • Reboot. When pressed and released, the TW100-BRV204 will reboot (restart). • Clear All Data. This button can also be used to clear ALL data and restore ALL settings to the factory default values.
  • Page 10 • PCs connected to the DMZ port are on the same LAN segment as PCs connected to the Hub ports. They must use the same IP address range. • PCs connected to the DMZ port are NOT visible to PCs on the hub (LAN) ports. So you cannot use Microsoft networking or other networking protocols to connect to PCs on the DMZ.
  • Page 11: Chapter 2 Installation

    Chapter 2 Installation This Chapter covers the physical installation of the TW100-BRV204. Requirements • Network cables. Use standard 10/100BaseT network (UTP) cables with RJ45 connectors. • TCP/IP protocol must be installed on all PCs. • For Internet Access, an Internet Access account with an ISP, and a Broadband modem (usually, DSL or Cable modem).
  • Page 12: Check the LEDs

    3. Connect WAN Cable Connect the Broadband modem to the WAN port on the TW100-BRV204. Use the cable supplied with your Broadband modem. If no cable was supplied, use a standard LAN cable. 4. Power Up •...
  • Page 13: Chapter 3 Setup

    Chapter 3 Setup This Chapter provides Setup details of the TW100-BRV204. Overview This chapter describes the setup procedure for: • Internet Access • LAN configuration PCs on your local LAN may also require configuration. For details, see Chapter 4 - PC Configuration.
  • Page 14: Configuration Program

    Use the Microsoft VPN feature: Chapter 9: • Microsoft VPN PPTP Server in the TW100-BRV204. • User and Client setup. • Checking VPN connection Status. Configure or use any of the following: Chapter 9: • Other Features and Settings Configuration File backup and restore.
  • Page 15: Using Your Web Browser

    Setup • Double-click the icon for the TW100-BRV204 (either on the Desktop, or in My Network Places) to start the configuration. Refer to the following section Setup Wizard for details of the initial configuration process. Using your Web Browser To establish a connection from your PC to the TW100-BRV204: 1.
  • Page 16 • These are the default values. Both the name and password can (and should) be changed, using the Admin Login screen. Once you have changed either the name or the password, you must use the current values.
  • Page 17: Setup Wizard

    Setup Wizard The first time you connect to the TW100-BRV204, the Setup Wizard will run automatically. (The Setup Wizard will also run if the TW100-BRV204's default settings are restored.) 1. Step through the Wizard until finished. • You need to know the type of Internet connection service used by your ISP.
  • Page 18 • PPTP Mainly used in Europe. You connect to the ISP only when required. The IP address is usually allocated automatically, but may be Static (Fixed). Data required: PPTP Server IP Address; User name and password; IP Address allocated to you, if Static (Fixed).
  • Page 19: Home Screen

    Home Screen After finishing or exiting the Setup Wizard, you will see the Home screen. In future, you will see this screen whenever you connect. An example screen is shown below. Figure 6: Home Screen Navigation & Data Input •...
  • Page 20: LAN Screen

    LAN Screen Use the LAN link on the main menu to reach the LAN screen. An example screen is shown below. Figure 7: LAN Screen Data - LAN Screen TCP/IP: IP Address - IP address for the TW100-BRV204, as seen from the local LAN. Use the default value unless the address is already in use or your LAN is using a different IP address range.
  • Page 21 DHCP What DHCP Does A DHCP (Dynamic Host Configuration Protocol) Server allocates a valid IP address to a DHCP Client (PC or device) upon request. • The client request is made when the client device starts up (boots). • The DHCP Server provides the Gateway and DNS addresses to the client, as well as allocating an IP Address.
  • Page 22: Chapter 4 PC Configuration

    Chapter 4 PC Configuration This Chapter details the PC Configuration required on the local ("Internal") LAN. Overview For each PC, the following may need to be configured: • TCP/IP network settings • Internet Access configuration Windows Clients This section describes how to configure Windows clients for Internet access via the TW100-BRV204.
  • Page 23 PC Configuration Checking TCP/IP Settings - Windows 9x/ME: 1. Select Control Panel - Network. You should see a screen like the following: Figure 8: Network Configuration 2. Select the TCP/IP protocol for your network card. 3. Click on the Properties button. You should then see a screen like the following. Figure 9: IP Address (Win 95) Ensure your TCP/IP settings are correct, as follows: Using DHCP...
  • Page 24 • On the Gateway tab, enter the TW100-BRV204's IP address in the New Gateway field and click Add, as shown below. Your LAN administrator can advise you of the IP Address they assigned to the TW100-BRV204. Figure 10: Gateway Tab (Win 95/98) •...
  • Page 25 Checking TCP/IP Settings - Windows NT4.0 1. Select Control Panel - Network, and, on the Protocols tab, select the TCP/IP protocol, as shown below. Figure 12: Windows NT4.0 - TCP/IP 2. Click the Properties button to see a screen like the one below. Figure 13: Windows NT4.0 - IP Address 3.
  • Page 26 4. Select the appropriate radio button - Obtain an IP address from a DHCP Server or Specify an IP Address, as explained below. Obtain an IP address from a DHCP Server This is the default Windows setting. Using this is recommended. By default, the TW100-BRV204 will act as a DHCP Server.
  • Page 27 Figure 15: Windows NT4.0 - DNS...
  • Page 28 Checking TCP/IP Settings - Windows 2000: 1. Select Control Panel - Network and Dial-up Connection. 2. Right-click the Local Area Connection icon and select Properties. You should see a screen like the following: Figure 16: Network Configuration (Win 2000) 3.
  • Page 29 5. Ensure your TCP/IP settings are correct, as described below. Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the TW100-BRV204 will act as a DHCP Server.
  • Page 30 Checking TCP/IP Settings - Windows XP 1. Select Control Panel - Network Connection. 2. Right click the Local Area Connection and choose Properties. You should see a screen like the following: Figure 18: Network Configuration (Windows XP) 3.
  • Page 31 Figure 19: TCP/IP Properties (Windows XP) 5. Ensure your TCP/IP settings are correct. Using DHCP To use DHCP, select the radio button Obtain an IP Address automatically. This is the default Windows setting. Using this is recommended. By default, the TW100-BRV204 will act as a DHCP Server.
  • Page 32 Internet Access To configure your PCs to use the TW100-BRV204 for Internet access: • Ensure that the DSL modem, Cable modem, or other permanent connection is functional. • Use the following procedure to configure your Browser to access the Internet via the LAN, rather than by a Dial-up connection.
  • Page 33: Macintosh Clients

    Macintosh Clients From your Macintosh, you can access the Internet via the TW100-BRV204. The procedure is as follows. 1. Open the TCP/IP Control Panel. 2. Select Ethernet from the Connect via pop-up menu. 3. Select Using DHCP Server from the Configure pop-up menu. The DHCP Client ID field can be left blank.
  • Page 34: Chapter 5 Operation And Status

    Chapter 5 Operation and Status This Chapter details the operation of the TW100-BRV204 and the status screens. Operation Once both the TW100-BRV204 and the PCs are configured, operation is automatic. However, there are some situations where additional Internet configuration may be required: •...
  • Page 35 Operation and Status Data - Status Screen Internet: Connection Method - This indicates the current connection method, as set in the Setup Wizard. Broadband Modem - This shows the connection status of the modem. Internet Connection - Current connection status: • Active • Idle •...
  • Page 36: Connection Status - PPPoE

    Connection Status - PPPoE If using PPPoE (PPP over Ethernet), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 21: PPPoE Status Screen Data - PPPoE Screen Connection Physical Address The hardware address of this device, as seen by remote devices on the Internet.
  • Page 37: Connection Log Messages

    Buttons Connect - If not connected, establish a connection to your ISP. Disconnect - If connected to your ISP, hang up the connection. Clear Log - Delete all data currently in the Log. This will make it easier to read new messages. Refresh - Update the data on screen.
  • Page 38: Connection Status - PPTP

    Connection Status - PPTP If using PPTP (Peer-to-Peer Tunneling Protocol), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 22: PPTP Status Screen Data - PPTP Screen Connection Physical Address The hardware address of this device, as seen by remote devices on the Internet.
  • Page 39: Connection Status - Telstra Big Pond

    Clear Log - Delete all data currently in the Log. This will make it easier to read new messages. Refresh - Update the data on screen. Connection Status - Telstra Big Pond An example screen is shown below. Figure 23: Telstra Big Pond Status Screen Data - Telstra Big Pond Screen Connection Physical Address...
  • Page 40: Connection Details - Singtel RAS

    Connection Log • The Connection Log shows status messages relating to the existing connection. • The Clear Log button will restart the Log, while the Refresh button will update the messages shown on screen. Buttons Connect - If not connected, establish a connection to Telstra Big Pond.
  • Page 41 DNS IP Address - The IP Address of the Domain Name Server which is currently used. DHCP Client - This will show "Enabled" or "Disabled", depending on whether or not this device is functioning as a DHCP client. If "Enabled", the "Remaining lease time" field indicates when the IP Address allocated by the DHCP Server will expire.
  • Page 42: Connection Details - Fixed/Dynamic IP Address

    Connection Details - Fixed/Dynamic IP Address If your access method is "Direct" (no login), a screen like the following example will be displayed when the "Connection Details" button is clicked. Figure 25: Connection Details - Fixed/Dynamic IP Address Data - Fixed/Dynamic IP Address Screen Internet The hardware address of this device, as seen by remote devices on...
  • Page 43 the "Release" button will break the connection and release the IP Address. Refresh Update the data shown on screen.
  • Page 44: Chapter 6 Internet Features

    Chapter 6 Internet Features This Chapter explains when and how to use the TW100-BRV204's "Internet" Features. Overview The following advanced features are provided. • WAN Port Configuration • Advanced Internet • Communication Applications • Special Applications • Multi-DMZ • URL filter •...
  • Page 45: Wan Port Configuration

    Internet Features WAN Port Configuration The WAN Port Configuration screen provides an alternative to using the Wizard. It can be accessed from the Internet menu. An example screen is shown below. Figure 26: WAN Port Configuration Screen Data – WAN Port Configuration Screen Identification: Hostname - Normally, there is no need to change the default name, but if your...
  • Page 46 IP Address: Specified - Also called Static IP Address. Select this if your ISP has allocated you a fixed IP Address. If this option is selected, the following data must be entered. • IP Address. The IP Address allocated by the ISP. •...
  • Page 47: Advanced Internet

    Advanced Internet Figure 27: Internet Screen This screen allows configuration of all advanced features relating to Internet access. • Communication Applications • Special Applications • Multi-DMZ • URL filter Communication Applications Most applications are supported transparently by the TW100-BRV204. But sometimes it is not clear which PC should receive an incoming connection.
  • Page 48: Special Applications

    TW100-BRV204 User Guide Send incoming calls to This lists the PCs on your LAN. • If necessary, you can add PCs manually, using the PC Database option on the Other menu. • For each application listed above, you can choose a destina- tion PC.
  • Page 49: Using A Special Application

    Incoming Ports • Type - Select the protocol (TCP or UDP) used when you receive data from the special application or service. (Note: Some applications use different protocols for outgoing and incoming data). • Start - Enter the beginning of the range of port numbers used by the application server, for data you receive.
  • Page 50: URL Filter

    URL Filter The URL Filter allows you to block access to undesirable Web sites. • To use this feature, you must define "filter strings". If the "filter string" appears in a requested URL, the request is blocked. •...
  • Page 51: Dynamic DNS (Domain Name Server)

    Dynamic DNS (Domain Name Server) This free service is very useful when combined with the Virtual Server feature. It allows Internet users to connect to your Virtual Servers using a URL, rather than an IP Address. This also solves the problem of having a dynamic IP address. With a dynamic IP address, your IP address may change whenever you connect, which makes it difficult to connect to you.
  • Page 52 NOT need to use the "Client" program provided by some DDNS Service providers.) • From the Internet, users will now be able to connect to your Virtual Servers (or DMZ PC) using your Domain name. DDNS Data: DDNS Service - Select the desired DDNS Service provider.
  • Page 53: Virtual Servers

    Virtual Servers This feature allows you to make Servers on your LAN accessible to Internet users. Normally, Internet users would not be able to access a server on your LAN because: • Your Server does not have a valid external IP Address. •...
  • Page 54: Virtual Servers Screen

    • For each enabled Virtual Server, a firewall rule to allow incoming traffic from the Internet (WAN) to the DMZ is automatically created. If the Server is connected to the LAN (hub) ports, you must add the firewall rule manually. Note that the DMZ port is a normal port, not an "uplink"...
  • Page 55: Options

    http://203.70.212.52 ftp://203.70.212.52 It is more convenient if you are using a Fixed IP Address from your ISP, rather than Dynamic. However, you can use the Dynamic DNS feature, described in the following section, to allow users to connect to your Virtual Servers using a URL, rather than an IP Address. Options This screen allows advanced users to enter or change a number of settings.
  • Page 56: Chapter 7 Security Configuration

    Chapter 7 Security Configuration This Chapter explains the settings available via the security configuration section of the "Security" menu. Overview The following advanced configurations are provided. • Admin Login • Access Control • Firewall Rules • Logs • E-mail • Security Options •...
  • Page 57 Security Configuration Figure 35: Password Dialog Enter the "User Name" and "Password" you set on the Admin Login screen above.
  • Page 58: Access Control

    Access Control This feature is accessed by the Access Control link on the Security menu. The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access. To use this feature: 1.
  • Page 59 "Members" Button Click this button to add or remove members from the current Group. • If the current group is "Default", then members cannot be added or deleted. This group contains PCs not allocated to any other group. •...
  • Page 60: Group Members Screen

    Group Members Screen This screen is displayed when the Members button on the Access Control screen is clicked. Figure 37: Group Members Use this screen to add or remove members (PCs) from the current group. • The "Del >>" button will remove the selected PC (in the Members list) from the current group.
  • Page 61: Firewall Rules

    Firewall Rules For normal operation and LAN protection, it is not necessary to use this screen. The Firewall will always block DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it - the service is unavailable.
  • Page 62 For each rule, the following data is shown: Data • Name - The name you assigned to the rule. • Source - The traffic covered by this rule, defined by the source IP address. If the IP address is followed by ... this indicates there is a range of IP addresses, rather than a single address.
  • Page 63 Define Firewall Rule Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below. Figure 39: Define Firewall Rule Data - Define Firewall Rule Screen Name - Enter a suitable name for this rule. Type - This determines the source and destination ports for traffic...
  • Page 64 Dest IP These settings determine which traffic, based on their destination IP address, is covered by this rule. Select the desired option: • Any - All traffic from the source port is covered by this rule. • Single address - Enter the required IP address in the "Start IP address"...
  • Page 65: Logs

    Logs The Logs record various types of activity on the TW100-BRV204. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance. Since only a limited amount of log data can be stored in the TW100-BRV204, log data can also be E-mailed to your PC or sent to a Syslog Server.
  • Page 66 Outgoing Traffic Select the desired option: • All IP traffic - this will log all outgoing TCP/IP connections, of any type. This will generate the largest logs, and fill the internal log buffer more quickly. • All TCP/UDP/ICMP traffic - These 3 protocols are used by most internet traffic.
  • Page 67: E-Mail

    E-mail Figure 41: E-Mail Screen Data – E-Mail Screen E-Mail Alerts: Send E-Mail alert - If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided. E-Mail Logs - If enabled, logs will be sent to the specified E-mail address.
  • Page 68 Subject Enter the text string to be shown in the "Subject" field for the E-mail. SMTP Server Enter the address or IP address of the SMTP (Simple Mail Transport Protocol) Server you use for outgoing E-mail. Port No.
  • Page 69: Security Options

    Security Options This screen allows you to set Firewall and other security-related options. Figure 42: Security Options Screen Data - Security Options Screen Firewall: Enable DoS Firewall - If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled.
  • Page 70 Options: Respond to ICMP (ping) - The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs. • If checked, the TW100-BRV204 will respond to ICMP packets received from the Internet. •...
  • Page 71: Scheduling

    Scheduling • This schedule can be (optionally) applied to any Access Control Group. • Blocking will be performed during the scheduled time (between the "Start" and "Finish" times.) • Two (2) separate sessions or periods can be defined. •...
  • Page 72: Services

    Services Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required. To view the Services screen, select the Services link on the Security menu. Figure 44: Services Screen Data - Services Screen Available Services...
  • Page 73: Chapter 8 VPN (IPSec)

    Chapter 8 VPN (IPSec) This Chapter describes the VPN capabilities and configuration required for common situations. Overview This section describes the VPN (Virtual Private Network) support provided by your TW100-BRV204. A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet.
  • Page 74: Vpn Configuration

    • Phase I is the negotiation and establishment of the IKE connection. • Phase II is the negotiation and establishment of the IPsec connection. Because the IKE and IPsec connections are separate, they have different SAs (security associations).
  • Page 75: Common Vpn Situations

    Microsoft VPN Common VPN Situations VPN Pass-through Figure 45: VPN Pass-through Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection. •...
  • Page 76 Connecting 2 LANs via VPN Figure 47: Connecting 2 VPN Gateways This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN. • The 2 LANs MUST use different IP address ranges. •...
  • Page 77: Vpn Configuration

    VPN Configuration This section covers the configuration required on the TW100-BRV204 when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies). Details of using Certificates are covered in a later section. VPN Policies Screen To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies.
  • Page 78 Move The order in which policies are listed is only important if you have multiple policies for the same remote site. In that case, the first matching policy is used. There are 2 ways to change the order of policies: •...
  • Page 79 Figure 50: VPN Wizard – General Screen General Settings Policy Name - Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies. Enable Policy - Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
  • Page 80 Figure 51: VPN Wizard - Traffic Selector Screen • For outgoing VPN connections, these settings determine which traffic will cause a VPN tunnel to be created, and which traffic will be sent through the tunnel. • For incoming VPN connections, these settings determine which systems on your local LAN will be available to the remote endpoint.
  • Page 81 Remote IP addresses: Type • Single address - enter an IP address in the "Start IP address" field. • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address"...
  • Page 82 • For SHA-1, the keys should be 40 hex/20 ASCII characters. • Each SPI (Security Parameter Index) must be unique. • The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
  • Page 83 IKE Phase 1 If you selected IKE, the following screen is displayed after the Traffic Selector screen. This screen sets the parameters for the IKE SA. Figure 53: VPN Wizard - IKE Phase 1 Screen IKE Phase 1 (IKE SA) This setting must match the "Remote Identity"...
  • Page 84 • RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority). • For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters).
  • Page 85 IKE Phase 2 Screen This screen sets the parameters for the IPSec SA. When using IKE, there are separate connections (SAs) for IKE and IPSec. Figure 54: VPN Wizard - IKE Phase 2 Screen IKE Phase 2 (IPsec SA) IPsec SA Life Time This setting does not have to match the remote VPN endpoint;...
  • Page 86 For IKE, configuration is now complete. Click "Next" to view the final screen. Figure 55: VPN Wizard - Final Screen On the final screen, click "Finish" to save your settings, then "Close" to exit the Wizard.
  • Page 87: Vpn Examples

    VPN Examples This section describes some examples of using the TW100-BRV204 in common VPN situations. Example 1: Connecting 2 TW100-BRV204s In this example, 2 LANs are connected via VPN. Figure 56: Connecting 2 TW100-BRV204s Note •...
  • Page 88
    IKE Authentication method: Pre-shared Key / Pre-shared Key - Certificates are not widely used.
    Pre-shared Key: Xxxxxxxxxx / Xxxxxxxxxx - Must match
    IKE Authentication algorithm: Must match
    IKE Encryption: Must match
    IKE Exchange mode: Main Mode / Main Mode - Must match
    DH Group: Group 1 (768 bit) / Group 1 (768 bit) - Must match...
  • Page 89 Example 2: Windows 2000/XP Client to LAN In this example, a Windows 2000/XP client connects to the TW100-BRV204 and gains access to the local LAN. Figure 57: Windows 2000/XP Client to TW100-BRV204 To use 3DES encryption on Windows 2000, you need Service Pack 3 or later installed.
  • Page 90
    DH Group: Group 1 (768 bit) - Must match client PC
    IKE SA Life time: 28800 - Does not have to match client PC. Shorter period will be used.
    IKE PFS: Disable - Must match client PC
    IPSec SA Parameters
    IPSec SA Life time: 28800 - Do not have to match.
  • Page 91 Figure 59: Windows 2000/XP - Policy Properties • Note that no rules are in use. Two (2) rules are required - incoming and outgoing. • The outgoing rule will be added first. 6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below. Figure 60: IP Filter List 7.
  • Page 92 Figure 61: Filter Properties: Addressing 8. Enter the Source IP address and the Destination IP address. • Since this is the outgoing filter, the Source IP address is "My IP address" and the Destination IP address is the address range used on the remote LAN. •...
  • Page 93 Figure 63: New Rule Properties: Filter Action 11. Select Require Security, then click the "Edit" button, to view the Require Security Properties screen. Figure 64: Require Security Properties 12. Select Negotiate security (this selects IKE), then click "Add".
  • Page 94 Figure 65: Modify Security Method 13. On the resulting screen (above), select High [ESP] then click "OK" to save your changes and return to the Require Security Properties screen. Figure 66: Require Security Properties 14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.
  • Page 95 15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of the TW100-BRV204, as shown below. Figure 67: Tunnel Setting 16. Click the Authentication Methods tab, then click "Edit" to see a screen like the example below.
  • Page 96 Figure 69: Windows 2000/XP Client to TW100-BRV204 20. To add the second (incoming) rule, click "Add". For the name, enter "To Win2K", then click "Add". Figure 70: Windows 2000/XP Client to TW100-BRV204 21. Enter the Source IP address and the Destination IP address as shown below. •...
  • Page 97 Figure 71: Filter Properties: Addressing 22. Click "OK" to save your changes, then "Close". Figure 72: Filter List 23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.
  • Page 98 Figure 73: Filter Action 24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security. Figure 74: Security Methods 25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].
  • Page 99 Microsoft VPN Figure 75: Modify Security Method 26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen. 27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example).
  • Page 100 TW100-BRV204 User Guide Figure 77: Authentication Method 29. Select Use this string to protect the key exchange (preshared key), then enter your pre-shared key in the field provided. 30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen.
  • Page 101 Microsoft VPN Figure 79: Properties - General Tab 32. Click the "Advanced" button to see the screen below. Figure 80: Key Exchange Settings 33. Click the "Methods" button to see the screen below.
  • Page 102 TW100-BRV204 User Guide Figure 81: Key Exchange Security Methods 34. Select the first entry, and click the "Edit" button to see the following screen. Figure 82: IKE Security Algorithms 35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group. These three values must match the IKE settings on the TW100-BRV204, or the negotiation will fail. Note that DH group 1 (768-bit MODP), 3DES and SHA1 are all considered weak by current standards; choose stronger options wherever both the TW100-BRV204 and the Windows client support them.
  • Page 103 Microsoft VPN Example 3: Windows 2000 Server to VPN Gateway In this example, a Windows 2000 Server connects to the TW100-BRV204. Users on each LAN can then gain access to the remote LAN. Figure 84: TW100-BRV204 to Windows 2000 Server TW100-BRV204 Configuration This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.
  • Page 104: Windows 2000 Server Configuration

    TW100-BRV204 User Guide Windows 2000 Server Configuration Configuration is the same as for Example 2: Windows 2000/XP Client to TW100-BRV204, except for specifying the Source and Destination addresses for the "Filter Properties". For both IP Filters, the Filter Properties - Addressing should instead be completed as follows. Figure 85: Windows 2000 Server - Addressing •...
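The two IPsec rules that Examples 2 and 3 build by hand (an outgoing filter from this PC or LAN to the remote LAN with the TW100-BRV204's WAN address as tunnel endpoint, and an incoming filter the other way round with this PC's own WAN address as tunnel endpoint) are easy to get subtly wrong. The following Python model is an added example, not code from the manual or from TRENDnet: it builds that rule pair, shows which rule a given packet hits and where its ESP tunnel goes, and checks that every rule has its reverse-direction counterpart. The client WAN address 172.16.9.10 is the one the manual uses; the remote LAN 192.168.0.0/24, the router WAN address 203.0.113.1, the server LAN 192.168.1.0/24 and the rule name "Outgoing" are assumptions of the example ("To Win2K" is the manual's name for the incoming rule).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IPsecRule:
    name: str
    src: IPv4Network               # "My IP address" in the GUI is modelled as a /32
    dst: IPv4Network
    tunnel_endpoint: IPv4Address   # "The tunnel endpoint is specified by this IP address"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def rule_pair(local: str, remote_lan: str, my_wan: str, router_wan: str,
              out_name: str = "Outgoing", in_name: str = "To Win2K") -> List[IPsecRule]:
    """Build the two rules the Examples configure: an outgoing rule
    (local -> remote LAN, tunnel endpoint = the TW100-BRV204's WAN address)
    and an incoming rule (remote LAN -> local, tunnel endpoint = this PC's
    own WAN address).  `local` is the PC address (Example 2) or the server's
    whole LAN range (Example 3)."""
    local_net, remote_net = IPv4Network(local), IPv4Network(remote_lan)
    return [
        IPsecRule(out_name, local_net, remote_net, IPv4Address(router_wan)),
        IPsecRule(in_name, remote_net, local_net, IPv4Address(my_wan)),
    ]


def evaluate(rules: List[IPsecRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Name and tunnel endpoint of the first rule whose addressing matches.
    Under "Require Security" such a packet may only leave inside ESP to that
    endpoint; a packet that matches no rule is passed in the clear ("bypass")."""
    for rule in rules:
        if pkt.src in rule.src and pkt.dst in rule.dst:
            return rule.name, str(rule.tunnel_endpoint)
    return "bypass", None


def unmirrored(rules: List[IPsecRule]) -> List[str]:
    """Rules with no counterpart for the reverse direction.  Tunnel-mode rules
    cannot simply be mirrored because the two directions have different tunnel
    endpoints, which is why step 20 adds the second rule by hand."""
    return [
        r.name for r in rules
        if not any(o.src == r.dst and o.dst == r.src for o in rules if o is not r)
    ]


def pkt(src: str, dst: str) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst))


if __name__ == "__main__":
    # Example 2.  172.16.9.10 is the client's WAN address from the manual; the
    # remote LAN 192.168.0.0/24 and the router WAN address 203.0.113.1 are assumed.
    client = rule_pair("172.16.9.10/32", "192.168.0.0/24", "172.16.9.10", "203.0.113.1")
    for p in (pkt("172.16.9.10", "192.168.0.5"),    # to the remote LAN: ESP to the router
              pkt("192.168.0.5", "172.16.9.10"),    # reply: must arrive as ESP to this PC
              pkt("172.16.9.10", "198.51.100.9")):  # ordinary Internet traffic: clear
        print(p.src, "->", p.dst, evaluate(client, p))
    print("missing counterpart:", unmirrored(client[:1]))
    # Example 3: the server's LAN range replaces "My IP address" (range assumed).
    server = rule_pair("192.168.1.0/24", "192.168.0.0/24", "172.16.9.10", "203.0.113.1")
    print(evaluate(server, pkt("192.168.1.7", "192.168.0.5")))
```

The third packet in the run is the point to notice: with only these two rules, traffic to anywhere other than the remote LAN leaves the client unprotected, which is the intended split-tunnel behaviour of the manual's setup but is worth knowing when you later wonder why some traffic never shows up in the VPN Status screen.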
  • Page 105: Certificates

    Microsoft VPN Certificates Certificates are used to authenticate VPN peers. A certificate issued to this TW100-BRV204 by a CA (Certification Authority) is called a "Self Certificate" on these screens. Each CA also issues a certificate to itself; that CA certificate must be installed as a Trusted Certificate, because it is what the TW100-BRV204 uses to verify certificates the CA has issued, including the remote peer's.
  • Page 106: Self Certificates

    TW100-BRV204 User Guide Figure 87: Add Trusted Certificate 3. Click the "Browse" button, and locate the certificate file on your PC. 4. Select the file. The name will appear in the "Certificate File" field. 5. Click "Upload" to upload the certificate file to the TW100-BRV204. 6.
  • Page 107 Microsoft VPN Delete button Use this button to delete a Self Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button. Self Certificate Requests Request List Any current requests are listed. These requests are generated by using the New Request button described below.
  • Page 108 TW100-BRV204 User Guide Name: Enter a name which helps to identify this particular certificate. This name is only for your reference; it is not visible to other people. Subject Name: This is the name which other organizations will see as the Holder (owner) of this Certificate.
  • Page 109: Crls

    Microsoft VPN • Start the Self Certificate request procedure. • When prompted for the request data, supply the data you copied and saved in step 5 above. • Submit the CA's form. • If there are no problems, the Certificate will then be issued. 8.
  • Page 110: Status

    TW100-BRV204 User Guide Figure 92: Certificate Revocation Lists 3. Click the "Add New CRL" button. You will see a screen like the following: Figure 93: Upload CRL 4. Upload the CRL file: • Click the "Browse" button, and locate the CRL file on your PC •...
  • Page 111 Microsoft VPN Data – VPN Status Screen VPN Status: Policy Name - The name of the VPN Policy which triggered this VPN connection. SPI - Each SA (Security Association) has a unique SPI (Security Parameter Index). For manual keys, this SPI is specified by user input. If using IKE, the SPI is generated by the IKE negotiation process.
  • Page 112: Chapter 9 Microsoft Vpn

    Chapter 9 Microsoft VPN This Chapter explains the screens and settings available for the Microsoft VPN function. Overview Microsoft VPN uses the Microsoft VPN Adapter which is provided in recent versions of Windows, so no extra client software is needed: the TW100-BRV204 acts as a PPTP server and the Windows built-in VPN client connects to it. This feature can be used to provide remote access to your LAN by individual PCs. It is an alternative to the IPSec VPN described in the previous chapter. Bear in mind that PPTP is considered weak by current standards, so prefer the IPSec VPN for anything sensitive where the client supports it.
  • Page 113: Client Database

    Microsoft VPN Data – Microsoft VPN Screen PPTP Server Enable Use this checkbox to enable or disable this feature as required. To allow connection by remote Windows clients, you must enable this feature, and enter the client details (on the Clients screen) to allow them to login to this Server.
  • Page 114 TW100-BRV204 User Guide Delete Button Use this to delete the selected user if required. Properties Allow connection Use this to enable or disable access by this user, as required. Login Name Enter the login name. The remote user must provide this name when they connect.
  • Page 115: Status Screen

    Microsoft VPN Status Screen The Status screen is accessed by selecting the Status option on the Microsoft VPN menu. Figure 97: Microsoft VPN Status Screen Data - Microsoft VPN Status Screen Server Status: Status - This indicates whether or not the PPTP (VPN) Server is enabled. Current Connections - This indicates the number of remote clients currently logged into the PPTP (VPN) Server.
  • Page 116: Windows Client Setup

    TW100-BRV204 User Guide Windows Client Setup To connect to the PPTP (VPN) Server in the VPN Broadband Gateway: • The Microsoft VPN feature in the VPN Broadband Gateway must be enabled and configured, as described in the previous section. •...
  • Page 117 Microsoft VPN 5. Click "Finish" to exit the Wizard. The new entry will now be listed in "Dial-up Networking". If necessary, you can change the settings for this connection by right-clicking on it, and selecting Properties. To force all outgoing traffic to be sent via VPN, enable the setting This is the default Internet connection on the Dialing tab.
  • Page 118: Windows 2000

    TW100-BRV204 User Guide Windows 2000 Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open "Network Connections", and start the "New Connection" Wizard. Figure 100: Windows 2000 Network Connection 2. Select the VPN option ("Connect to a private network through the Internet"), as shown above, and click Next.
  • Page 119 Microsoft VPN Figure 102: Windows 2000 VPN Host 4. On the screen above, enter the Domain Name or Internet IP address of the TW100-BRV204 you wish to connect to. Click Next to continue. Figure 103: Windows 2000 Connection Availability 5.
  • Page 120 TW100-BRV204 User Guide Figure 104: Windows 2000 Finish Wizard 6. Enter a suitable name, and click "Finish" to save and exit. Setup is now complete. To establish a connection: 1. Right-click the connection in "Network Connections", and select "Connect". 2. You will then be prompted for the username and password. Enter the username and password assigned to you, as recorded in the VPN client database on the TW100-BRV204.
  • Page 121 Microsoft VPN Windows XP Ensure you have logged on with Administrator rights before attempting this procedure. 1. Open Network Connections (Start-Settings-Network Connections), and start the New Connection Wizard. Figure 105: Windows XP Network Connection Type 2. Select the option "Connect to the network at my workplace", as shown above, and click Next.
  • Page 122 TW100-BRV204 User Guide Figure 107: Windows XP Connection Name 4. Enter a suitable name for this connection. Click Next to continue. Figure 108: Windows XP Public Network 5. On the screen above, select "Do not dial the initial connection". Click Next to continue. Figure 109: Windows XP VPN Server...
  • Page 123 Microsoft VPN 6. On the screen above, enter the Domain Name or Internet IP address of the TW100-BRV204 you wish to connect to. Click Next to continue. Figure 110: Windows XP Connection Availability 7. Choose whether to allow this connection for everyone, or only for yourself, as required. Click Next to continue.
  • Page 124: Chapter 10 Other Features & Settings

    Chapter 10 Other Features & Settings This Chapter explains the screens and settings available via the "Other" menu. Overview Normally, it is not necessary to use these screens, or change any settings. These screens and settings are provided to deal with non-standard situations, or to provide additional options for advanced users.
  • Page 125: Config File

    Other Features and Settings Config File This feature allows you to backup (download) the current settings from the TW100-BRV204, and save them to a file on your PC. You can restore a previously-downloaded configuration file to the TW100-BRV204 by uploading it to the TW100-BRV204. Because the file holds every setting on the device, including any passwords and VPN pre-shared keys you have entered, store it where only administrators can read it.
  • Page 126: Network Diagnostics

    TW100-BRV204 User Guide Network Diagnostics This screen allows you to perform a "Ping" or a "DNS lookup". These activities can be useful in solving network problems. An example Network Diagnostics screen is shown below. Figure 112: Network Diagnostics Screen Data - Network Diagnostics Screen Ping IP Address Enter the IP address you wish to ping.
  • Page 127: Pc Database

    Other Features and Settings PC Database The PC Database is used whenever you need to select a PC (e.g. for the "DMZ" PC). It eliminates the need to enter IP addresses. Also, you do not need to use fixed IP addresses on your LAN.
  • Page 128 TW100-BRV204 User Guide Data - PC Database Screen Known PCs This lists all current entries. Data displayed is name (IP Address) type. The "type" indicates whether the PC is connected to the LAN. If adding a new PC to the list, enter its name here. It is best if this Name matches the PC's "hostname".
  • Page 129 Other Features and Settings PC Database (Admin) This screen is displayed if the "Advanced Administration" button on the PC Database is clicked. It provides more control than the standard PC Database screen. Figure 114: PC Database (Admin) Data - PC Database ( Admin) Screen This lists all current entries.
  • Page 130 TW100-BRV204 User Guide MAC Address Select the appropriate option • Automatic discovery - Select this to have the TW100-BRV204 contact the PC and find its MAC address. This is only possible if the PC is connected to the LAN and powered On. •...
  • Page 131: Remote Administration

    Other Features and Settings Remote Administration Remote Administration allows you to connect to this interface via the Internet, using your Web browser. This makes the administrative interface reachable from the Internet, so enable it only when you need it and make sure the administrator password is a strong one. Figure 115: Remote Administration Screen Data - Remote Administration Screen Information To establish a connection from the Internet: 1.
  • Page 132 TW100-BRV204 User Guide nected to the Internet. But if using a Dynamic IP Address, this value can change each time you connect to your ISP. There are 2 solutions to this problem: • Have your ISP allocate you a Fixed IP address. •...
  • Page 133: Routing

    Other Features and Settings Routing Overview • If you don't have other Routers or Gateways on your LAN, you can ignore the "Routing" page completely. • If the TW100-BRV204 is only acting as a Gateway for the local LAN segment, ignore the "Routing"...
  • Page 134 TW100-BRV204 User Guide Figure 116: Routing Screen Data - Routing Screen Enable RIP: Check this to enable the RIP (Routing Information Protocol) feature of the TW100-BRV204. The TW100-BRV204 supports RIP 1 only. RIP 1 carries no authentication, so any host on the LAN can advertise routes to the TW100-BRV204; leave it disabled unless other routers on your LAN need it. Static Routing Table Entries: This list shows all entries in the Routing Table. •...
  • Page 135: Configuring Other Routers On Your Lan

    Other Features and Settings • Destination Network - The network address of the remote LAN segment. For standard class "C" LANs, the network address is the first 3 fields of the Destination IP Address. The 4th (last) field can be left at 0. •...
  • Page 136 TW100-BRV204 User Guide Other Routers on the Local LAN Other routers on the local LAN must use the TW100-BRV204's Local Router as the Default Route. The entries will be the same as the TW100-BRV204's local router, with the exception of the Gateway IP Address.
  • Page 137 Other Features and Settings For Router A's Default Route: Destination IP Address 0.0.0.0, Network Mask 0.0.0.0, Gateway IP Address 192.168.0.1 (the TW100-BRV204's IP Address), Interface. For Router B's Default Route: Destination IP Address 0.0.0.0, Network Mask 0.0.0.0, Gateway IP Address 192.168.1.80 (the TW100-BRV204's local router), Interface...
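The routing entries above only make sense together: the TW100-BRV204 needs a static route for each remote segment, Router A needs a default route back to 192.168.0.1, and Router B needs one to 192.168.1.80. The following Python model is an added example, not code from the manual or from TRENDnet: it implements the longest-prefix lookup that the Destination IP Address / Network Mask / Gateway IP Address fields describe, then walks a packet router by router so you can see every hop and catch a routing loop before you configure it for real. Only 192.168.0.1 and 192.168.1.80 come from the manual; Router A's address 192.168.0.80, Router B's address 192.168.1.81, the 192.168.2.0/24 segment behind Router B, the WAN addresses 203.0.113.x and the assumption that every interface sits on a /24 are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str   # "Destination IP Address" on the Routing screen
    netmask: str       # "Network Mask"
    gateway: str       # "Gateway IP Address": next hop on a directly attached segment
    interface: str     # "Interface"
    metric: int = 1    # "Metric": hop count, used here only to break ties

    @property
    def network(self) -> IPv4Network:
        # 0.0.0.0 with mask 0.0.0.0 is the default route and matches every address
        return IPv4Network(f"{self.destination}/{self.netmask}", strict=False)


@dataclass
class Router:
    name: str
    addresses: List[str]   # this router's own interface addresses
    table: List[Route]

    def connected(self, addr: IPv4Address) -> bool:
        # model assumption: every interface sits on a /24 segment
        return any(addr in IPv4Network(f"{a}/24", strict=False) for a in self.addresses)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the matching route with the longest mask wins and
    the lowest metric breaks ties, so a /24 static route beats the default route."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def trace(routers: Dict[str, Router], start: str, dst: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow the next hops router by router.  Returns the routers traversed and
    how the packet ended: delivered onto a connected segment, handed to a
    gateway outside the model (the ISP), unroutable, or looping."""
    owner = {a: r.name for r in routers.values() for a in r.addresses}
    target, current, path = IPv4Address(dst), start, [start]
    for _ in range(max_hops):
        router = routers[current]
        if router.connected(target):
            return path, "delivered"
        route = lookup(router.table, dst)
        if route is None:
            return path, "unroutable"
        if route.gateway not in owner:
            return path, f"via {route.gateway}"
        current = owner[route.gateway]
        path.append(current)
    return path, "loop"


def default_route(gateway: str, interface: str) -> Route:
    return Route("0.0.0.0", "0.0.0.0", gateway, interface)


def build_topology(router_a_has_route_to_b: bool = True) -> Dict[str, Router]:
    """192.168.0.1 and 192.168.1.80 are from the manual; the other addresses and
    the 192.168.2.0/24 segment behind Router B are assumptions of this example."""
    tw100 = Router("TW100-BRV204", ["192.168.0.1", "203.0.113.2"], [
        default_route("203.0.113.1", "WAN"),                                  # ISP gateway (assumed)
        Route("192.168.1.0", "255.255.255.0", "192.168.0.80", "LAN"),         # via Router A (assumed address)
        Route("192.168.2.0", "255.255.255.0", "192.168.0.80", "LAN", metric=2),
    ])
    router_a = Router("Router A", ["192.168.0.80", "192.168.1.80"],
                      [default_route("192.168.0.1", "LAN")])                  # the manual's Router A entry
    if router_a_has_route_to_b:
        router_a.table.append(Route("192.168.2.0", "255.255.255.0", "192.168.1.81", "LAN"))
    router_b = Router("Router B", ["192.168.1.81", "192.168.2.1"],
                      [default_route("192.168.1.80", "LAN")])                 # the manual's Router B entry
    return {r.name: r for r in (tw100, router_a, router_b)}


if __name__ == "__main__":
    net = build_topology()
    print(trace(net, "Router B", "198.51.100.7"))        # out to the Internet via each default route
    print(trace(net, "TW100-BRV204", "192.168.2.5"))     # static routes carry it back two hops
    broken = build_topology(router_a_has_route_to_b=False)
    print(trace(broken, "TW100-BRV204", "192.168.2.5"))  # Router A's default route bounces it back: loop
```

The third trace is the case the manual's tables do not spell out: if Router A lacks a route for a segment that the TW100-BRV204 has been told is behind it, Router A's own default route sends the packet straight back and the two devices ping-pong it until the TTL runs out.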
  • Page 138: Upgrade Firmware

    TW100-BRV204 User Guide Upgrade Firmware Use this screen to upgrade your TW100-BRV204's firmware. • You must download the required firmware file, and store it on your PC. • During the upgrade process, all existing Internet connections will be terminated. •...
  • Page 139: Upnp

    Other Features and Settings UPnP An example UPnP screen is shown below. Figure 119: UPnP Screen Data - UPnP Screen UPnP Enable UPnP Services - UPnP (Universal Plug and Play) allows automatic discovery and configuration of equipment attached to your LAN. UPnP is supported by Windows ME, XP, or later. Because UPnP lets any program on the LAN reconfigure the router without authenticating, leave it disabled unless an application needs it.
  • Page 140: Appendix A Troubleshooting

    Appendix A Troubleshooting This Appendix covers the most likely problems and their solutions. Overview This chapter covers some common problems that may be encountered while using the TW100-BRV204 and some possible solutions to them. If you follow the suggested steps and the TW100-BRV204 still does not function properly, contact your dealer for further advice.
  • Page 141 Appendix A - Troubleshooting Solution 2: The TW100-BRV204 processes the data passing through it, so it is not transparent. Use the Special Applications feature to allow the use of Internet applications which do not function correctly. If this does not solve the problem, you can use the DMZ function. This should work with almost every application, but: •...
  • Page 142: Appendix B Specifications

    Appendix B Specifications TW100-BRV204 Model: TW100-BRV204. Dimensions: 141mm(W) * 100mm(D) * 27mm(H). Operating Temperature: 0° C to 40° C. Storage Temperature: -10° C to 70° C. Network Protocol: TCP/IP. Network Interface: 5 Ethernet: 3 * 10/100BaseT (RJ45) LAN connection, 1 * 10/100BaseT (RJ45) DMZ connection, 1 * 10/100BaseT (RJ45) for WAN. LEDs. Power Adapter...
  • Page 143: Ce Marking Warning

    Appendix B - Specifications FCC Radiation Exposure Statement This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This device complies with Part 15 of the FCC Rules.
  • Page 144: Limited Warranty

    TW100-BRV204 User Guide Limited Warranty TRENDware warrants its products against defects in material and workmanship, under normal use and service, for the following lengths of time from the date of pur- chase. TW100-BRV204 – 5 Years Warranty If a product does not operate as warranted above during the applicable warranty period, TRENDware shall, at its option and expense, repair the defective product or part, deliver to customer an equivalent product or part to replace the defective item, or refund to customer the purchase price paid for the defective product.
  • Page 145: Technical Support

    You can find the most recent driver/firmware/software and user documentations on the TRENDware website. TRENDware provides FREE technical support for all customers for the duration of the warranty period on this product. TRENDware Technical Support Tel: +1-310-891-1100 Fax: +1-310-8911111 E-mail: support@trendware.com www.TRENDnet.com...