ZyXEL Communications UAG5100 User Manual

Unified access gateway

UAG5100
Unified Access Gateway
Version 4.00
Edition 1, 02/2014
Quick Start Guide
User's Guide
www.zyxel.com
Default Login Details
LAN IP Address: http://172.16.0.1 (LAN1), http://172.17.0.1 (LAN2)
User Name: admin
Password: 1234
Copyright © 2014 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications UAG5100

  • Page 1 UAG5100 Unified Access Gateway Version 4.00 Edition 1, 02/2014 Quick Start Guide User’s Guide www.zyxel.com Default Login Details LAN IP Address: http://172.16.0.1 (LAN1), http://172.17.0.1 (LAN2) User Name: admin Password: 1234 Copyright © 2014 ZyXEL Communications Corporation
  • Page 2 The CLI Reference Guide explains how to use the Command-Line Interface (CLI) to configure the UAG. Note: It is recommended you use the Web Configurator to configure the UAG. • Web Configurator Online Help Click the help icon in any screen for help in configuring that screen and supplementary information. UAG5100 User’s Guide...
  • Page 3: Table Of Contents

    Firewall (page 245)
    Billing (page 259)
    Printer Manager (page 275)
    Free Time (page 282)
    SMS (page 286)
    IPSec VPN (page 288)
    Bandwidth Management (page 315)
    User/Group (page 325)
    AP Profile (page 339)
    Addresses (page 354)
    Services (page 359)
    Schedules (page 364)
    AAA Server (page 368)
    Authentication Method (page 372)
    Certificates (page 375)
  • Page 4 Contents Overview
    ISP Accounts (page 391)
    System (page 394)
    Log and Report (page 435)
    File Manager (page 450)
    Diagnostics (page 461)
    Packet Flow Explore (page 469)
    Reboot (page 478)
    Shutdown (page 479)
    Troubleshooting (page 480)
  • Page 5: Table Of Contents

    4.1 Installation Setup Wizard Screens (page 43)
    4.1.1 Internet Access Setup - WAN Interface (page 43)
    4.1.2 Internet Access: Ethernet (page 44)
    4.1.3 Internet Access: PPPoE (page 45)
    4.1.4 Internet Access: PPTP (page 47)
    4.1.5 Internet Access Setup - Second WAN Interface (page 48)
  • Page 6
    6.2.5 The DHCP Table Screen (page 74)
    6.2.6 The Number of Login Users Screen (page 75)
    Chapter 7 Monitor (page 77)
    7.1 Overview (page 77)
    7.1.1 What You Can Do in this Chapter (page 77)
    7.2 The Port Statistics Screen (page 78)
    7.2.1 The Port Statistics Graph Screen (page 79)
  • Page 7
    9.1.1 What You Can Do in this Chapter (page 114)
    9.2 Controller Screen (page 114)
    9.3 AP Management Screen (page 115)
    9.3.1 Edit AP List (page 116)
    Chapter 10 Interfaces (page 118)
    10.1 Interface Overview (page 118)
    10.1.1 What You Can Do in this Chapter (page 118)
  • Page 8
    12.1.2 What You Need to Know (page 166)
    12.2 Policy Route Screen (page 168)
    12.2.1 Policy Route Add/Edit Screen (page 170)
    12.3 IP Static Route Screen (page 173)
    12.3.1 Static Route Add/Edit Screen (page 174)
    12.4 Policy Routing Technical Reference (page 175)
    Chapter 13 Zones (page 176)
  • Page 9
    17.1.1 What You Can Do in this Chapter (page 197)
    17.1.2 What You Need to Know (page 197)
    17.2 The HTTP Redirect Screen (page 198)
    17.2.1 The HTTP Redirect Add/Edit Screen (page 199)
    Chapter 18 SMTP Redirect (page 201)
    18.1 Overview (page 201)
  • Page 10
    Chapter 22 Layer 2 Isolation (page 219)
    22.1 Overview (page 219)
    22.1.1 What You Can Do in this Chapter (page 219)
    22.2 Layer-2 Isolation General Screen (page 220)
    22.3 White List (page 220)
    22.3.1 Add/Edit White List Rule (page 221)
    Chapter 23 IPnP (page 223)
  • Page 11
    26.2 The General Screen (page 260)
    26.3 The Billing Profile Screen (page 261)
    26.3.1 The Account Generator Screen (page 263)
    26.3.2 The Account Redeem Screen (page 266)
    26.3.3 The Billing Profile Add/Edit Screen (page 268)
    26.4 The Discount Screen (page 269)
    26.4.1 The Discount Add/Edit Screen (page 270)
  • Page 12
    30.2 The VPN Connection Screen (page 290)
    30.2.1 The VPN Connection Add/Edit Screen (page 291)
    30.3 The VPN Gateway Screen (page 297)
    30.3.1 The VPN Gateway Add/Edit Screen (page 297)
    30.4 IPSec VPN Background Information (page 303)
    Chapter 31 Bandwidth Management (page 315)
    31.1 Overview (page 315)
  • Page 13
    34.1.1 What You Can Do in this Chapter (page 354)
    34.1.2 What You Need To Know (page 354)
    34.2 Address Summary Screen (page 354)
    34.2.1 Address Add/Edit Screen (page 355)
    34.3 Address Group Summary Screen (page 356)
    34.3.1 Address Group Add/Edit Screen (page 357)
  • Page 14
    38.2.1 Creating an Authentication Method Object (page 373)
    Chapter 39 Certificates (page 375)
    39.1 Overview (page 375)
    39.1.1 What You Can Do in this Chapter (page 375)
    39.1.2 What You Need to Know (page 375)
    39.1.3 Verifying a Certificate (page 377)
    39.2 The My Certificates Screen (page 378)
  • Page 15
    41.7 WWW Overview (page 407)
    41.7.1 Service Access Limitations (page 407)
    41.7.2 System Timeout (page 407)
    41.7.3 HTTPS (page 408)
    41.7.4 Configuring WWW Service Control (page 408)
    41.7.5 Service Control Rules (page 411)
    41.7.6 Customizing the WWW Login Page (page 412)
    41.7.7 HTTPS Example (page 416)
  • Page 16
    43.3 The Firmware Package Screen (page 456)
    43.4 The Shell Script Screen (page 458)
    Chapter 44 Diagnostics (page 461)
    44.1 Overview (page 461)
    44.1.1 What You Can Do in this Chapter (page 461)
    44.2 The Diagnostics Screen (page 461)
    44.2.1 The Diagnostics Files Screen (page 462)
  • Page 17
    Chapter 47 Shutdown (page 479)
    47.1 Overview (page 479)
    47.1.1 What You Need To Know (page 479)
    47.2 The Shutdown Screen (page 479)
    Chapter 48 Troubleshooting (page 480)
    48.1 Resetting the UAG (page 487)
    48.2 Getting More Troubleshooting Help (page 488)
    Appendix A Legal Information (page 489)
    Index (page 492)
  • Page 18: Introduction

    The default configurations for zones, interfaces, and ports are as follows. References to interfaces may be generic rather than the specific name used in your model. For example, this guide may use “the WAN interface” rather than “P1” or “P2”.
  • Page 19: Management Overview

    You can manage the UAG in the following ways. Web Configurator The Web Configurator allows easy UAG setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator. Figure 2 Managing the UAG: Web Configurator
  • Page 20: Web Configurator

    1.4.1 Web Configurator Access Make sure your UAG hardware is properly connected. See the Quick Start Guide. In your browser go to http://172.16.0.1 or http://172.17.0.1. The Login screen appears. Type the user name (default: “admin”) and password (default: “1234”).
  • Page 21: Web Configurator Screens Overview

    See the Command Reference Guide for information about the commands. Click this to open a popup window that displays the CLI commands sent by the Web Configurator to the UAG. About Click About to display basic information about the UAG.
  • Page 22 This shows the date (yyyy-mm-dd) and time (hh:mm:ss) when the firmware was released. Click this to close the screen. Site Map Click Site Map to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen. Figure 5 Site Map
  • Page 23 Click Cancel to close the screen. CLI Messages Click CLI to look at the CLI commands sent by the Web Configurator. Open the pop-up window and then click some menus in the web configurator to display the corresponding commands.
  • Page 24: Navigation Panel

    The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 6 on page 66 for details on the dashboard.
  • Page 25: Monitor Menu

    Display the UAG’s dynamic guest account log messages. Configuration Menu Use the configuration menu screens to configure the UAG’s features. Table 6 Configuration Menu Screens Summary FOLDER OR LINK TAB FUNCTION Quick Setup Quickly configure WAN interfaces or VPN connections. Licensing
  • Page 26 Create walled garden links that display in the login screen. Advertisement Enable and set advertisement links. Firewall Firewall Create and manage level-3 traffic rules. Session Control Limit the number of concurrent client NAT/firewall sessions. Billing General Configure the general billing settings, such as the accounting method.
  • Page 27 Configure the current date, time, and time zone in the UAG. Console Speed Set the console speed. Configure the DNS server and address records for the UAG. Service Control Configure HTTP, HTTPS, and general authentication. Login Page Configure how the login and access user screens look.
  • Page 28: Tables And Lists

    Web Configurator tables and lists are flexible with several options for how to display their entries. Click a column heading to sort the table’s entries according to that column’s criteria. Figure 9 Sorting Table Entries by a Column’s Criteria
  • Page 29 Figure 12 Moving Columns Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.
  • Page 30 In some lists you can also use the [Shift] or [Ctrl] key to select multiple entries, and then use the arrow button to move them to the other list.
  • Page 31: Stopping The UAG

    Figure 15 Working with Lists 1.5 Stopping the UAG Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the UAG or remove the power. Not doing so can cause the firmware to become corrupt.
  • Page 32: Hardware Installation And Connection

    Attach the other bracket in a similar fashion. After attaching both mounting brackets, position the UAG in the rack and line up the bracket holes with the rack holes. Secure the UAG to the rack with the rack-mounting screws.
  • Page 33: Front Panel

    • No flow control Connect the male 9-pin end of the RS-232 console cable to the console port of the UAG. Connect the female end to a serial port (COM1, COM2 or other COM port) of your computer.
  • Page 34: Front Panel LEDs

    There is no connection on this port. 2.3 Rear Panel The following figure shows the rear panel of the UAG. The rear panel contains a connector for the power receptacle. Figure 17 Rear Panel
  • Page 35: Printer Deployment

    Section 1.4 on page 20 on how to access the web configurator. Enter your Internet access information to set up an Internet connection. See Chapter 4 on page 43 for detailed information on how to use the setup wizard.
  • Page 36: Allow The UAG To Monitor And Manage The Printer

    Go to the Dashboard of the UAG web configurator. Open the DHCP Table to find the IP address that is assigned to the printer’s MAC address. Make sure the IP address is reserved for the printer. Write down the printer’s IP address.
  • Page 37 Go to the Configuration > Printer Manager screen. Click Add in the Printer List to create a new entry for your printer. After the printer’s IP address is added to the printer list, select the Enable Printer Manager checkbox and then click Apply.
  • Page 38: Turn On Web Authentication On The UAG

    Apply in the Configuration > Printer Manager screen. 3.5 Turn on Web Authentication on the UAG With web authentication, users need to log in through a designated web page before they can access the network(s).
  • Page 39 Click Add to create a new web authentication policy. The Auth. Policy Add screen displays. Set Authentication to required and select Force User Authentication to redirect all HTTP traffic to the default login page. Click OK to save your changes.
  • Page 40: Generate A Free Guest Account

    Select the Enable Free Time checkbox to turn on this feature. Click Apply. Whenever a user tries to access a web page, he/she will be redirected to the default login page. Click the link on the login page to get a free guest account.
  • Page 41 Chapter 3 Printer Deployment A Welcome screen displays. Select the free time service. Click OK to generate and show the account information on the web page. Now you can use this account to access the Internet through the UAG for
  • Page 42 Chapter 3 Printer Deployment
  • Page 43: Installation Setup Wizard

    The screens vary depending on the encapsulation type. Refer to information provided by your ISP to know what to enter in each field. Leave a field blank if you don’t have that information. Note: Enter the Internet access information exactly as your ISP gave it to you.
  • Page 44: Internet Access: Ethernet

    This screen is read-only if you set the previous screen’s IP Address Assignment field to Auto. Use this screen to configure your IP address settings. Note: Enter the Internet access information exactly as given to you by your ISP.
  • Page 45: Internet Access: PPPoE

    DDNS and the time server. Leave the field as 0.0.0.0 if you do not want to configure DNS servers. 4.1.3 Internet Access: PPPoE Note: Enter the Internet access information exactly as given to you by your ISP.
  • Page 46 • Zone: This is the security zone to which this interface and Internet connection will belong. • IP Address: Enter your (static) public IP address. Auto displays if you selected Auto as the IP Address Assignment in the previous screen.
  • Page 47: Internet Access: PPTP

    • CHAP/PAP - Your UAG accepts either CHAP or PAP when requested by the remote node. • CHAP - Your UAG accepts CHAP only. • PAP - Your UAG accepts PAP only. • MSCHAP - Your UAG accepts MSCHAP only. • MSCHAP-V2 - Your UAG accepts MSCHAP-V2 only.
  • Page 48: Internet Access Setup - Second WAN Interface

    If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 43).
  • Page 49: Internet Access - Finish

    You have set up your UAG to access the Internet. A screen displays with your settings. If they are not correct, click Back. Figure 24 Internet Access: Finish Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 50).
  • Page 50: Device Registration

    UAG’s serial number and LAN MAC address to register it if you have not already done so. Note: You must be connected to the Internet to register. Use the Registration > Service screen to update your service subscription status. Figure 25 Registration
  • Page 51: Quick Setup Wizards

    5.2 WAN Interface Quick Setup Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.
  • Page 52: Choose An Ethernet Interface

    WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.
  • Page 53: Configure WAN IP Settings

    Ethernet and set the IP Address Assignment to Auto. If you set the IP Address Assignment to Static and/or select PPTP or PPPoE, enter the Internet access information exactly as your ISP gave it to you.
  • Page 54 Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. 0 means no timeout. PPTP Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection.
  • Page 55: Quick Setup Interface Wizard: Summary

    DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Back Click Back to return to the previous screen. Next Click Next to continue. 5.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface’s settings.
  • Page 56: VPN Setup Wizard

    If the IP Address Assignment is Static, these fields display the DNS server IP address(es). Second DNS Server Close Click Close to exit the wizard. 5.3 VPN Setup Wizard Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen.
  • Page 57: Welcome

    Choose Express to create a VPN rule with the default phase 1 and phase 2 settings to connect to another ZLD-based UAG using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device.
  • Page 58: VPN Express Wizard - Scenario

    Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Application Scenario: This shows the scenario that the UAG supports.
  • Page 59: VPN Express Wizard - Configuration

    IPSec device. 5.3.5 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and commands that you can copy and paste into another ZLD-based UAG’s command line interface to configure it.
  • Page 60: VPN Express Wizard - Finish

    Now the rule is configured on the UAG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen.
  • Page 61: VPN Advanced Wizard - Scenario

    Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
  • Page 62: VPN Advanced Wizard - Phase 1 Settings

    • Authentication Algorithm: MD5 gives minimal security and SHA512 gives the highest security. MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The stronger the algorithm the slower it is.
  • Page 63: VPN Advanced Wizard - Phase 2

    The stronger the algorithm the slower it is. • SA Life Time: Set how often the UAG renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel.
  • Page 64: VPN Advanced Wizard - Summary

    • Remote Policy: IP address and subnet mask of the computers on the network behind the remote IPSec device that can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based UAG’s command line interface. • Click Save to save the VPN rule.
  • Page 65: VPN Advanced Wizard - Finish

    Now the rule is configured on the UAG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Figure 44 VPN Wizard: Finish Click Close to exit the wizard.
  • Page 66: Dashboard

    The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
  • Page 67 Widget Settings Use this link to open or close widgets by selecting/clearing the associated checkbox. Up Arrow (B) Click this to collapse a widget. It then becomes a down arrow. Click it again to enlarge the widget again.
  • Page 68 IP addresses reserved for specific MAC addresses. See Section 6.2.5 on page Current Login User This field displays the user name used to log in to the current session, the amount of reauthentication time remaining, and the amount of lease time remaining.
  • Page 69 If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is either the static IP address of the interface (if it is the master) or the management IP address (if it is a backup).
  • Page 70 Session Monitor screen to see details about the active sessions. Click the Show Active Sessions icon to display a chart of UAG’s recent session usage. AP Information This shows a summary of connected wireless Access Points (APs).
  • Page 71: The CPU Usage Screen

    This field displays the destination address (if any) in the packet that generated the log. 6.2.1 The CPU Usage Screen Use this screen to look at a chart of the UAG’s recent CPU usage. To access this screen, click CPU Usage in the dashboard.
  • Page 72: The Memory Usage Screen

    Click this to update the information in the window right away. 6.2.2 The Memory Usage Screen Use this screen to look at a chart of the UAG’s recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. Figure 47 Dashboard > Memory Usage
  • Page 73: The Active Sessions Screen

    Click this to update the information in the window right away. 6.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in System Status in the dashboard.
  • Page 74: The DHCP Table Screen

    Use this screen to look at the IP addresses currently assigned to DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click DHCP Table in System Status in the dashboard. Figure 50 Dashboard > DHCP Table
  • Page 75: The Number Of Login Users Screen

    Use this screen to look at a list of the users currently logged into the UAG. Users who close their browsers without logging out are still shown as logged in here. To access this screen, click Number of Login Users in System Status in the dashboard. Figure 51 Dashboard > Number of Login Users
  • Page 76 (external user), this field will show its external-group information when you move your mouse over it. If the external user matches two external-group objects, both external-group object names will be shown. Force Logout Click this icon to end a user’s session.
  • Page 77: Monitor

    • Use the Station Info > Station List screen (see Section 7.14 on page 99) to view statistics pertaining to the connected stations (or “wireless clients”). • Use the Printer Status screen (see Section 7.15 on page 100) to view information about the connected statement printers.
  • Page 78: The Port Statistics Screen

    Poll Interval and clicking Set Interval. Switch to Graphic View Click this to display the port statistics as a line graph. This field displays the port’s number in the list. Port This field displays the physical port number.
  • Page 79: The Port Statistics Graph Screen

    Use this screen to look at a line graph of packet statistics for each physical port. To access this screen, click Port Statistics in the Status screen and then the Switch to Graphic View Button. Figure 53 Monitor > System Status > Port Statistics > Switch to Graphic View
  • Page 80: The Interface Status Screen

    This field displays how long the UAG has been running since it last restarted or was turned 7.3 The Interface Status Screen This screen lists all of the UAG’s interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen.
  • Page 81 Port This field displays the physical port number. If an Ethernet interface does not have any physical ports associated with it, this field displays n/a.
  • Page 82 Ethernet interfaces. Name This field displays the name of each interface. If there is an Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface.
  • Page 83: The Traffic Statistics Screen

    You use the Traffic Statistics screen to tell the UAG when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen.
  • Page 84 This field indicates whether the IP address or user is sending or receiving traffic. RX From - traffic is coming from the IP address or user to the UAG. Tx To - traffic is going from the UAG to the IP address or user.
  • Page 85: The Session Monitor Screen

    7.5 The Session Monitor Screen The Session Monitor screen displays information about all established sessions that pass through the UAG for debugging or statistical analysis. It is not possible to manage sessions in this screen. The following information is displayed.
  • Page 86 The User, Service, Source Address, and Destination Address fields display if you view all sessions. Select your desired filter criteria and click the Search button to filter the list of sessions.
  • Page 87: The DDNS Status Screen

    This field displays the length of the active session in seconds. 7.6 The DDNS Status Screen The DDNS Status screen shows the status of the UAG’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
  • Page 88: The IP/MAC Binding Monitor Screen

    MAC binding enabled and have ever established a session with the UAG. Devices that have never established a session with the UAG do not display in the list. Figure 58 Monitor > System Status > IP/MAC Binding
  • Page 89: The Login Users Screen

    See Chapter 32 on page 325. Type This field displays the way the user logged in to the UAG. IP Address This field displays the IP address of the computer used to log in to the UAG.
  • Page 90: The UPnP Port Status Screen

    Internal Client. Protocol This field displays the protocol of the NAT mapping rule (TCP or UDP). Internal Port This field displays the port number on the Internal Client to which the UAG should forward incoming connection requests.
  • Page 91: The USB Storage Screen

    This field displays what file system the USB storage device is formatted with. This field displays Unknown if the file system of the USB storage device is not supported by the UAG, such as NTFS. Speed This field displays the connection speed the USB storage device supports.
  • Page 92: The Dynamic Guest Screen

    Use this screen to look at a list of dynamic guest user accounts on the UAG’s local database. To access this screen, click Monitor > System Status > Dynamic Guest. Figure 62 Monitor > System Status > Dynamic Guest
  • Page 93 Table 31 Monitor > System Status > Dynamic Guest Icons LABEL DESCRIPTION This guest account is un-used. This guest account is in use and online. This guest account has been used but is offline now. This guest account expired. This guest account has been deleted.
  • Page 94: The AP List Screen

    UAG last started up. Last Off-line Time This displays the most recent time the AP went off-line. N/A displays if the AP has either not come on-line or gone off-line since the UAG last started up.
  • Page 95: Station Count Of AP

    Use this screen to look at station statistics for the connected AP. To access this screen, select an entry and click the More Information button in the AP List screen. Figure 64 Monitor > Wireless > AP Information > AP List > Station Count of AP
  • Page 96: The Radio List Screen

    Radio This indicates the radio number on the AP to which it belongs. OP Mode This indicates the radio’s operating mode, such as AP (access point). Profile This indicates the profile name to which the radio belongs.
  • Page 97 This displays the total number of packets transmitted by the radio. Rx FCS Error Count This indicates the number of received packet errors accrued by the radio. Tx Retry Count This indicates the number of times the radio has attempted to re-transmit packets.
  • Page 98: AP Mode Radio Information

    24 hours. To access this window, select an entry and click the More Information button in the Radio List screen. Figure 66 Monitor > Wireless > AP Information > Radio List > AP Mode Radio Information
  • Page 99: The Station List Screen

    7.14 The Station List Screen Use this screen to view statistics pertaining to the associated stations (or “wireless clients”). Click Monitor > Wireless > Station Info to access this screen. Figure 67 Monitor > Wireless > Station List
  • Page 100: The Printer Status Screen

    Click this to refresh the items displayed on this page. 7.15 The Printer Status Screen This screen displays information about the connected statement printer, such as SP350E. Click Monitor > Printer Status to display this screen. Figure 68 Monitor > Printer Status UAG5100 User’s Guide...
  • Page 101: The Vpn 1-1 Mapping Status Screen

    This screen displays the status of the active users to which the UAG applied a VPN 1-1 mapping rule. Click Monitor > VPN 1-1 Mapping to open the following screen. Figure 69 Monitor > VPN 1-1 Mapping UAG5100 User’s Guide...
  • Page 102: Vpn 1-1 Mapping Statistics

    This field displays how many times the UAG applied the rule to a user successfully or Peak Usage failed to apply the rule to a user. This also shows the maximum number of times the UAG has applied the rule to a user successfully. UAG5100 User’s Guide...
  • Page 103: The Ipsec Monitor Screen

    This field displays how many seconds remain in the SA life time, before the UAG automatically disconnects the IPSec SA. Inbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from the remote IPSec router to the UAG since the IPSec SA was established. UAG5100 User’s Guide...
  • Page 104: Regular Expressions In Searching Ipsec Sas

    Events that generate an alert (as well as a log message) display in red. Regular logs display in black. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. UAG5100 User’s Guide...
  • Page 105 This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the protocol and destination port number(s) of the service to select which log messages you see. UAG5100 User’s Guide...
  • Page 106 This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. UAG5100 User’s Guide...
  • Page 107: View Ap Log

    Table 43 Monitor > Log > View AP Log LABEL DESCRIPTION Show/Hide Filter Click this to show or hide the AP log filter. Select an AP Select an AP from the list and click Query to view its log messages. UAG5100 User’s Guide...
  • Page 108 This indicates the time that the log message was created or recorded on the AP. Priority This indicates the selected log message’s priority. Category This indicates the selected log message’s category. Message This displays the content of the selected log message. UAG5100 User’s Guide...
  • Page 109: Dynamic Users Log

    Click this button to update the information in the screen. Clear Log Click this button to delete the log messages for invalid accounts. This is the index number of the dynamic guest account in the list. Status This field displays whether an account expires or not. UAG5100 User’s Guide...
  • Page 110 Charge This field displays the total cost of the account. Payment Info This field displays the method of payment for each account. Phone Num This field displays the telephone number for the user account. UAG5100 User’s Guide...
  • Page 111: Registration

    You can increase this by subscribing to additional licenses. As of this writing, each license upgrade allows an additional 8 remote managed APs while the maximum number of remote managed APs a single UAG can support is 32. UAG5100 User’s Guide...
  • Page 112: Registration Screen

    Figure 76 Configuration > Licensing > Registration > Service The following table describes the labels in this screen. Table 45 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status This is the entry’s position in the list. UAG5100 User’s Guide...
  • Page 113 UAG at the same time or how many managed APs the UAG can support with your current license. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day). UAG5100 User’s Guide...
  • Page 114: Wireless

    UAG. 9.2 Controller Screen Use this screen to set how the UAG allows new APs to connect to the network. Click Configuration > Wireless > Controller to access this screen. Figure 77 Configuration > Wireless > Controller UAG5100 User’s Guide...
  • Page 115: Ap Management Screen

    Select an AP and click this button to force it to restart. This field is a sequential value, and it is not associated with any entry. IP Address This field displays the IP address of the AP. MAC Address This field displays the MAC address of the AP. UAG5100 User’s Guide...
  • Page 116: Edit Ap List

    Table 48 Configuration > Wireless > AP Management > Edit AP List LABEL DESCRIPTION Create new Object Use this menu to create a new Radio Profile object to associate with this AP. This displays the MAC address of the selected AP. UAG5100 User’s Guide...
  • Page 117 Select this option to treat this VLAN ID as a VLAN created on the UAG and not one assigned to it from outside the network. Click OK to save your changes back to the UAG. Cancel Click Cancel to close the window with changes unsaved. UAG5100 User’s Guide...
  • Page 118: Interfaces

    • An interface is bound to a physical port or another interface. • Many interfaces can share the same physical port. • An interface belongs to at most one zone. • Many interfaces can belong to the same zone. UAG5100 User’s Guide...
  • Page 119: Types Of Interfaces

    Ethernet interface wan1 are called wan1:1, wan1:2, and so on. Virtual interfaces created on VLAN interface vlan2 are called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon (:) in the UAG5100 User’s Guide...
  • Page 120: Port Grouping

    Section 10.8 on page 154 for background information on interfaces. • See Chapter 11 on page 158 to configure load balancing using trunks. 10.2 Port Grouping This section introduces port groups and then explains the screen for port groups. UAG5100 User’s Guide...
  • Page 121: Port Grouping Overview

    To add a physical port to a representative interface, drag the physical port onto the corresponding representative interface. Click Apply to save your changes and apply them to the UAG. Click Reset to change the port groups to their current configuration (last-saved values). UAG5100 User’s Guide...
  • Page 122: Ethernet Summary Screen

    To turn on an interface, select it and click Activate. Inactivate To turn off an interface, select it and click Inactivate. Create Virtual Interface To open the screen where you can create a virtual Ethernet interface, select an Ethernet interface and click Create Virtual Interface. UAG5100 User’s Guide...
  • Page 123: Ethernet Edit

    UAG automatically updates every rule or setting that uses the object whenever the interface’s IP address settings change. For example, if you change the LAN’s IP address, the UAG automatically updates the corresponding interface- based, LAN subnet address object. UAG5100 User’s Guide...
  • Page 124 Chapter 10 Interfaces Figure 82 Configuration > Network > Interface > Ethernet > Edit (External Type) UAG5100 User’s Guide...
  • Page 125 Chapter 10 Interfaces Figure 83 Configuration > Network > Interface > Ethernet > Edit (Internal Type) UAG5100 User’s Guide...
  • Page 126 (if any) on this interface. The UAG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the UAG uses the one that was configured first. Interface Parameters UAG5100 User’s Guide...
  • Page 127 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the UAG is a DHCP Server. UAG5100 User’s Guide...
  • Page 128 Binding specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses. UAG5100 User’s Guide...
  • Page 129: Object References

    When a configuration screen includes an Object Reference icon, select a configuration object and click Object Reference to open the Object Reference screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object. UAG5100 User’s Guide...
  • Page 130: Dhcp Extended Options Add/Edit

    DHCP option you select in this screen. To open the screen, click Configuration > Network > Interface > Ethernet > Edit, select DHCP Server in the DHCP Setting section, and then click the Add icon or select an entry and click the Edit icon in the Extended Options table. UAG5100 User’s Guide...
  • Page 131 First FQDN, Second FQDN, Third FQDN If the Type is FQDN, you have to enter at least one domain name of the corresponding servers in these fields. The servers should be listed in order of your preference. UAG5100 User’s Guide...
  • Page 132: Ppp Interfaces

    TFTP; however, the option may be used for purposes other than contacting a VoIP configuration server. 10.4 PPP Interfaces Use PPPoE/PPTP interfaces to connect to your ISP. This way, you do not have to install or manage PPPoE/PPTP software on each computer in the network. UAG5100 User’s Guide...
  • Page 133: Ppp Interface Summary

    255.255.255.255. In addition, the UAG always treats the ISP as a gateway. 10.4.1 PPP Interface Summary This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 87 Configuration > Network > Interface > PPP UAG5100 User’s Guide...
  • Page 134: Ppp Interface Add/Edit

    Note: You have to set up an ISP account before you create a PPPoE/PPTP interface. This screen lets you configure a PPPoE or PPTP interface. To access this screen, click the Add icon or select an entry in the PPP interface summary screen and click the Edit icon. UAG5100 User’s Guide...
  • Page 135 Chapter 10 Interfaces Figure 88 Configuration > Network > Interface > PPP > Add UAG5100 User’s Guide...
  • Page 136 Automatically Select this if this interface is a DHCP client. In this case, the DHCP server configures the IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces. Use Fixed IP Address Select this if you want to specify the IP address manually. UAG5100 User’s Guide...
  • Page 137 WAN_TRUNK Click WAN_TRUNK to go to a screen where you can configure the interface as part of a WAN trunk for load balancing. Policy Route Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. UAG5100 User’s Guide...
  • Page 138: Vlan Interfaces

    VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.) UAG5100 User’s Guide...
  • Page 139: Vlan Interface Summary Screen

    They can provide DHCP services, and they can verify the gateway is available. 10.5.1 VLAN Interface Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN. UAG5100 User’s Guide...
  • Page 140: Vlan Interface Add/Edit

    Click Reset to return the screen to its last-saved settings. 10.5.2 VLAN Interface Add/Edit This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon UAG5100 User’s Guide...
  • Page 141 Chapter 10 Interfaces or select an entry in the VLAN summary screen and click the Edit icon. The following screen appears. Figure 92 Configuration > Network > Interface > VLAN > Add UAG5100 User’s Guide...
  • Page 142 Enter the priority of the gateway (if any) on this interface. The UAG decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the UAG uses the one that was configured first. Interface Parameters UAG5100 User’s Guide...
  • Page 143 Enter the IP address of a DHCP server for the network. Relay Server 2 This field is optional. Enter the IP address of another DHCP server for the network. These fields appear if the UAG is a DHCP Server. UAG5100 User’s Guide...
  • Page 144 MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get to use specific IP addresses. UAG5100 User’s Guide...
  • Page 145: Bridge Interfaces

    This section introduces bridges and bridge interfaces and then explains the screens for bridge interfaces. Bridge Overview A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. UAG5100 User’s Guide...
  • Page 146: Bridge Interface Overview

    (250.250.250.0/23) between lan1 and vlan1. Table 62 Example: Routing Table Before and After Bridge Interface br0 Is Created IP ADDRESS(ES) DESTINATION IP ADDRESS(ES) DESTINATION 210.210.210.0/24 lan1 221.221.221.0/24 vlan0 210.211.1.0/24 lan1:1 230.230.230.192/26 wan1 221.221.221.0/24 vlan0 250.250.250.0/23 222.222.222.0/24 vlan1 230.230.230.192/26 wan1 UAG5100 User’s Guide...
  • Page 147: Bridge Interface Summary

    This field displays the Ethernet interfaces and VLAN interfaces in the bridge interface. It is blank for virtual interfaces. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 148: Bridge Interface Add/Edit

    To access this screen, click the Add icon, or select an entry in the Bridge summary screen and click the Edit icon. The following screen appears. Figure 94 Configuration > Network > Interface > Bridge > Add UAG5100 User’s Guide...
  • Page 149 Enter the IP address of the gateway. The UAG sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface. UAG5100 User’s Guide...
  • Page 150 Custom Defined - enter a static IP address. Server From ISP - select the DNS server that another interface received from its DHCP server. Device - the DHCP clients use the IP address of this interface and the UAG works as a DNS relay. UAG5100 User’s Guide...
  • Page 151 UAG stops routing to the gateway. The UAG resumes routing to the gateway the first time the gateway passes the connectivity check. UAG5100 User’s Guide...
  • Page 152: Virtual Interfaces

    MTU. The virtual interface uses the same MTU that the underlying interface uses. Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available. UAG5100 User’s Guide...
  • Page 153: Virtual Interfaces Add/Edit

    UAG uses the one that was configured first. Interface Parameters Egress Bandwidth Enter the maximum amount of traffic, in kilobits per second, the UAG can send through the interface to the network. Allowed values are 0 - 1048576. UAG5100 User’s Guide...
  • Page 154: Interface Technical Reference

    DHCP clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface should not overlap, though it is possible for this to happen with DHCP clients. UAG5100 User’s Guide...
  • Page 155 IP address, subnet mask, gateway, and available network information to the DHCP client. When the DHCP client leaves the network, the DHCP servers can assign its IP address to another DHCP client. At the time of writing, the UAG does not support ingress bandwidth management. UAG5100 User’s Guide...
  • Page 156 IP address. In this way WINS is similar to DNS, although WINS does not use a hierarchy (unlike DNS). A network can have more than one WINS server. Samba can also serve as a WINS server. UAG5100 User’s Guide...
  • Page 157 The first one runs on TCP port 1723. It is used to start and manage the second one. The second one uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers. PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions. UAG5100 User’s Guide...
  • Page 158: Trunks

    ISP. The UAG balances the WAN traffic load between the connections. If one interface's connection goes down, the UAG can automatically send its traffic through another interface. You can also use trunks with policy routing to send specific traffic types through the best WAN interface for that type of traffic. UAG5100 User’s Guide...
  • Page 159 A queue is given an amount of bandwidth irrespective of the incoming traffic on that interface. This queue then moves to the back of the list. The next queue is In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. UAG5100 User’s Guide...
  • Page 160 In this example figure, the upper threshold of the first interface is set to 800K. The UAG sends network traffic of new sessions that exceed this limit to the secondary WAN interface. Figure 99 Spillover Algorithm Example UAG5100 User’s Guide...
  • Page 161: The Trunk Summary Screen

    SNAT settings for traffic it routes from internal interfaces to external interfaces. Default Trunk Selection Select whether the UAG is to use the default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces. UAG5100 User’s Guide...
  • Page 162: Configuring A User-Defined Trunk

    Click Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the Add/Edit Trunk screen. Use this screen to create or edit a WAN trunk entry. Figure 101 Configuration > Network > Interface > Trunk > Add/Edit UAG5100 User’s Guide...
  • Page 163 This field displays with the least load first load balancing algorithm. It displays the maximum number of kilobits of data the UAG is to allow to come in through the interface per second. Note: You can configure the bandwidth of an interface in the corresponding interface edit screen. UAG5100 User’s Guide...
  • Page 164: Configuring The System Default Trunk

    Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk. Figure 102 Configuration > Network > Interface > Trunk > Edit (System Default) UAG5100 User’s Guide...
  • Page 165 The UAG uses the group member interfaces in the order that they are listed. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. UAG5100 User’s Guide...
  • Page 166: Policy And Static Routes

    Traditionally, routing is based on the destination address only and the UAG takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. UAG5100 User’s Guide...
  • Page 167 In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. UAG5100 User’s Guide...
  • Page 168: Policy Route Screen

    The actions that can be taken include: • Routing the packet to a different gateway, outgoing interface, or trunk. IPPR follows the existing packet filtering facility of RAS in style and in implementation. Figure 104 Configuration > Network > Routing > Policy Route UAG5100 User’s Guide...
  • Page 169 Next-Hop This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, outgoing interface or trunk. UAG5100 User’s Guide...
  • Page 170: Policy Route Add/Edit Screen

    Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add icon or select an entry and click the Edit icon. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. UAG5100 User’s Guide...
  • Page 171 Select a user name or user group from which the packets are sent. Incoming Select where the packets are coming from; any, an interface, or the UAG itself (Device). For an interface, you also need to select the individual interface. UAG5100 User’s Guide...
  • Page 172 UAG send traffic that matches the policy route through the specified interface. Auto-Disable This field displays when you select Interface or Trunk in the Type field. Select this to have the UAG automatically disable this policy route when the next hop’s connection is down. DSCP Marking UAG5100 User’s Guide...
  • Page 173: Ip Static Route Screen

    Click Configuration > Network > Routing > Static Route to open the Static Route screen. This screen displays the configured static routes. Configure static routes to be able to propagate the routing information to other routers. Figure 106 Configuration > Network > Routing > Static Route UAG5100 User’s Guide...
  • Page 174: Static Route Add/Edit Screen

    Select the radio button and enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your UAG's interface(s). The gateway helps forward packets to their destinations. Interface Select the radio button and a predefined interface through which the traffic is sent. UAG5100 User’s Guide...
  • Page 175: Policy Routing Technical Reference

    CLASS 3 CLASS 4 Low Drop Precedence AF11 (10) AF21 (18) AF31 (26) AF41 (34) Medium Drop Precedence AF12 (12) AF22 (20) AF32 (28) AF42 (36) High Drop Precedence AF13 (14) AF23 (22) AF33 (30) AF43 (38) UAG5100 User’s Guide...
  • Page 176: Zones

    177) to manage the UAG’s zones. 13.1.2 What You Need to Know Effects of Zones on Different Types of Traffic Zones effectively divide traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings. UAG5100 User’s Guide...
  • Page 177: The Zone Screen

    The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 109 Configuration > Network > Zone UAG5100 User’s Guide...
  • Page 178: Zone Add/Edit

    The Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 13.2 on page 177), and click the Add icon or select an entry and click the Edit icon. Figure 110 Network > Zone > Add UAG5100 User’s Guide...
  • Page 179 Click OK to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. UAG5100 User’s Guide...
  • Page 180: Ddns

    Note: Record your DDNS account’s user name, password, and domain name to use to configure the UAG. After you configure the UAG, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. UAG5100 User’s Guide...
  • Page 181: The Ddns Screen

    - The IP address comes from the specified interface. auto detected - The DDNS server checks the source IP address of the packets from the UAG for the IP address to use for the domain name. custom - The IP address is static. UAG5100 User’s Guide...
  • Page 182: The Dynamic Dns Add/Edit Screen

    Table 82 Configuration > Network > DDNS > Add/Edit LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile Select this check box to use this DDNS entry. UAG5100 User’s Guide...
  • Page 183 Primary Binding Interface settings is not available. Interface Select the interface to use for updating the IP address mapped to the domain name. Select any to let the domain name be used with any interface. Select None to not use a backup address. UAG5100 User’s Guide...
  • Page 184 DynDNS server delivers the mail to you. See www.dyndns.org for more information about this service. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. UAG5100 User’s Guide...
  • Page 185: Nat

    You can also create new NAT rules and edit or delete existing ones. 15.1.2 What You Need to Know NAT is also known as virtual server, port forwarding, or port translation. Finding Out More • See Section 15.3 on page 190 for technical background information related to these screens. UAG5100 User’s Guide...
  • Page 186: The Nat Screen

    Mapped Port This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port. UAG5100 User’s Guide...
  • Page 187: The Nat Add/Edit Screen

    Table 84 Configuration > Network > NAT > Add/Edit LABEL DESCRIPTION Create new Object Use to configure any new settings objects that you need to use in this screen. Enable Rule Use this option to turn the NAT rule on or off. UAG5100 User’s Guide...
  • Page 188 Subnet/Range This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. UAG5100 User’s Guide...
  • Page 189 Click OK to save your changes back to the UAG. Cancel Click Cancel to return to the NAT summary screen without creating the NAT rule (if it is new) or saving any changes (if it already exists). UAG5100 User’s Guide...
  • Page 190: Nat Technical Reference

    The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the UAG’s lan1 interface (172.16.0.1) as the source address of the traffic going from the LAN users to the LAN SMTP server. UAG5100 User’s Guide...
  • Page 191 NAT, the source would not match the original destination address which would cause the LAN user’s computer to shut down the session. Figure 118 LAN to LAN Return Traffic UAG5100 User’s Guide...
  • Page 192: Vpn 1-1 Mapping

    • Use the VPN 1-1 Mapping > Profile screen (see Section 16.3 on page 195) to configure a pool profile which defines the public IP address(es) that the UAG assigns to the matched users and the interface through which the user’s traffic is forwarded. UAG5100 User’s Guide...
  • Page 193: What You Need To Know

    VPN 1-1 mapping rules. To access this screen, login to the Web Configurator and click Configuration > Network > VPN 1-1 Mapping. The following screen appears, providing a summary of the existing VPN 1-1 mapping rules. Figure 120 Configuration > Network > VPN 1-1 Mapping UAG5100 User’s Guide...
  • Page 194: The Vpn 1-1 Mapping Add/Edit Screen

    Click Network > VPN 1-1 Mapping to open the VPN 1-1 Mapping > General screen. Then click the Add icon or select an entry and click the Edit icon to open the VPN 1-1 Mapping Add/Edit Policy screen where you can configure the rule. Figure 121 Network > VPN 1-1 Mapping > Add UAG5100 User’s Guide...
  • Page 195: The Vpn 1-1 Mapping Profile Screen

    Web Configurator and click Configuration > Network > VPN 1-1 Mapping > Profile. The following screen appears, providing a summary of the existing IP address pool profiles. Figure 122 Configuration > Network > VPN 1-1 Mapping > Profile UAG5100 User’s Guide...
  • Page 196 This field displays the name of the interface the profile is set to use. Select the interface through which the UAG sends traffic from the matched users. Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 197: Http Redirect

    A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It also keeps hackers from knowing internal IP addresses. UAG5100 User’s Guide...
  • Page 198: The Http Redirect Screen

    To configure redirection of an HTTP request to a proxy server, click Configuration > Network > HTTP Redirect. This screen displays the summary of the HTTP redirect rules. Note: You can configure up to one HTTP redirect rule for each (incoming) interface. UAG5100 User’s Guide...
  • Page 199: The Http Redirect Add/Edit Screen

    Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add icon or select an entry and click the Edit icon to open the screen where you can configure the rule. Figure 125 Network > HTTP Redirect > Add/Edit UAG5100 User’s Guide...
  • Page 200 Enter the IP address of the proxy server. Port Enter the port number that the proxy server uses. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. UAG5100 User’s Guide...
  • Page 201: Smtp Redirect

    E-mail clients (also called e-mail applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail UAG5100 User’s Guide...
  • Page 202: The Smtp Redirect Screen

    To configure redirection of an SMTP message to an SMTP server, click Configuration > Network > SMTP Redirect. This screen displays the summary of the SMTP redirect rules. Note: You can configure up to one SMTP redirect rule for each (incoming) interface. UAG5100 User’s Guide...
  • Page 203: The Smtp Redirect Add/Edit Screen

    18.2.1 The SMTP Redirect Add/Edit Screen Click Network > SMTP Redirect to open the SMTP Redirect screen. Then click the Add icon or select an entry and click the Edit icon to open the screen where you can configure the rule. UAG5100 User’s Guide...
  • Page 204 Object if you need to configure a new one. Select any if the rule is effective for every source. SMTP Server Enter the IP address of the SMTP server. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. UAG5100 User’s Guide...
  • Page 205: Alg

    When the active interface’s connection fails, the client needs to re-initialize the connection through the second interface (that was set to passive) in order to have the connection go through the second interface. UAG5100 User’s Guide...
  • Page 206: Before You Begin

    If you are also using FTP on an additional TCP port number, enter it here. Signaling Port for Transformations Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 207: Upnp

    • Dynamic port mapping • Learning public IP addresses • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT. UAG5100 User’s Guide...
  • Page 208: Cautions With Upnp

    Disable UPnP if this is not your intention. 20.3 UPnP Screen Use this screen to enable UPnP and NAT-PMP on your UAG. Click Configuration > Network > UPnP to display the screen shown next. Figure 130 Configuration > Network > UPnP UAG5100 User’s Guide...
  • Page 209: Technical Reference

    Make sure the computer is connected to a LAN port of the UAG. Turn on your computer and the UAG. 20.4.1.1 Auto-discover Your UPnP-enabled Network Device Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Right-click the icon and select Properties.
  • Page 210 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 132 Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings. Figure 133 Internet Connection Properties: Advanced Settings
  • Page 211: Web Configurator Easy Access

    UAG first. This is helpful if you do not know the IP address of the UAG. Follow the steps below to access the web configurator. Click Start and then Control Panel. Double-click Network Connections.
  • Page 212 Right-click on the icon for your UAG and select Invoke. The web configurator login screen displays. Figure 138 Network Connections: My Network Places Right-click on the icon for your UAG and select Properties. A properties window displays with basic information about the UAG.
  • Page 213 Chapter 20 UPnP Figure 139 Network Connections: My Network Places: Properties: Example
  • Page 214: Ip/Mac Binding

    (Section 21.3 on page 217) to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding. 21.1.2 What You Need to Know DHCP IP/MAC address bindings are based on the UAG’s dynamic and static DHCP entries.
  • Page 215: Ip/Mac Binding Summary

    This is the name of an interface that supports IP/MAC binding. Number of Binding This field displays the interface’s total number of IP/MAC bindings and IP addresses that the interface has assigned by DHCP. Apply Click Apply to save your changes back to the UAG.
  • Page 216: Ip/Mac Binding Edit

    To remove an entry, select it and click Remove. The UAG confirms you want to remove it before doing so. This is the index number of the static DHCP entry. IP Address This is the IP address that the UAG assigns to a device with the entry’s MAC address.
  • Page 217: Static Dhcp Add/Edit

    21.3 IP/MAC Binding Exempt List Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding.
  • Page 218 Enter the first IP address in a range of IP addresses for which the UAG does not apply IP/MAC binding. End IP Enter the last IP address in a range of IP addresses for which the UAG does not apply IP/MAC binding. Apply Click Apply to save your changes back to the UAG.
  • Page 219: Layer 2 Isolation

    • Use the General screen (Section 22.2 on page 220) to enable layer-2 isolation on the UAG and the internal interface(s). • Use the White List screen (Section 22.3 on page 220) to enable and configure the white list.
  • Page 220: Layer-2 Isolation General Screen

    IP addresses that are not listed in the white list are blocked from communicating with other devices in the layer-2-isolation-enabled internal interface(s) except for broadcast packets. To access this screen click Configuration > Network > Layer 2 Isolation > White List.
  • Page 221: Add/Edit White List Rule

    Note: You can configure up to 20 white list rules on the UAG. Note: You need to know the IP address of each connected device that you want to allow to be accessed by other devices when layer-2 isolation is enabled.
  • Page 222 Specify a description for the IP address associated with this rule. Enter up to 60 characters, spaces and underscores allowed. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 223: Ipnp

    UAG are not in the same subnet. Figure 149 IPnP Application 23.1.1 What You Can Do in this Chapter Use the IP screen (Section 23.2 on page 224) to enable IPnP on the UAG and the internal interface(s).
  • Page 224: Ipnp Screen

    Member list. To remove an interface, select the name(s) in the Member list and click the left arrow button. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings.
  • Page 225: Web Authentication

    (Section 24.3 on page 240) to enable and create walled garden links that display in the login screen. • Use the Configuration > Web Authentication > Advertisement screens (Section 24.4 on page 242) to enable and set advertisement links.
  • Page 226: What You Need To Know

    The Web Authentication screen displays the web portal settings and web authentication policies you have configured on the UAG. The screen differs depending on what you select in the Authentication field. Click Configuration > Web Authentication to display the screen.
  • Page 227 Chapter 24 Web Authentication Figure 152 Configuration > Web Authentication (Web Portal)
  • Page 228 Chapter 24 Web Authentication Figure 153 Configuration > Web Authentication (User Agreement)
  • Page 229 The Internet Information Server (IIS) is the web server on which the web portal files are installed. Session URL Specify the session page’s URL; for example, http://IIS server IP Address/session.html. The Internet Information Server (IIS) is the web server on which the web portal files are installed.
  • Page 230 If you leave this field blank, the UAG will use the welcome page of internal user agreement file. Download Click this to download an example external user agreement file for your reference. The following fields are available if you set Authentication to Web Portal or User Agreement.
  • Page 231 This displays the source address object to which this policy applies. Destination This displays the destination address object to which this policy applies. Schedule This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled.
  • Page 232: Adding/Editing An Authentication Policy

    Open the Configuration > Web Authentication screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/Edit screen. Use this screen to configure an authentication policy. Figure 155 Configuration > Web Authentication > Add
  • Page 233: User-Aware Access Control Example

    Set up user accounts in the RADIUS server. This example uses the Web Configurator. If you can export user names from the RADIUS server to a text file, then you might configure a script to create the user accounts instead.
  • Page 234 Enter the name of the group. In this example, it is “Finance”. Then, select Object/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
  • Page 235 Finally, force users to log into the UAG before it routes traffic for them. Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key. Click Apply.
  • Page 236 Select group radius because the UAG should use the specified RADIUS server for authentication. Click OK. Figure 159 Configuration > Object > Auth. method > Edit Click Configuration > Web Authentication. In the Web Authentication screen, select Web Portal to enable web authentication and click Apply.
  • Page 237 Select Enable Policy. Set the Authentication field to required, and make sure Force User Authentication is selected. Keep the rest of the default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN.
  • Page 238 Membership Attribute field to the attribute that the UAG is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.
  • Page 239 Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. Figure 163 Configuration > Object > User/Group > User > Add Repeat this process to set up the remaining groups of user accounts.
  • Page 240: Walled Garden Screen

    This field is a sequential value, and it is not associated with any entry. Status This icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 241: Adding/Editing A Walled Garden Url

    Preview Click this button to open the specified web site in a new frame. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving.
  • Page 242: Walled Garden Login Example

    24.4 Advertisement Screen Use this screen to set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet. Click Configuration > Web Authentication > Advertisement to display the screen.
  • Page 243: Adding/Editing An Advertisement Url

    Go to Configuration > Web Authentication > Advertisement, and then click the Add icon or select an entry and click the Edit icon in the Advertisement Summary section to open the Add/Edit Advertisement URL screen. Use this screen to configure an advertisement address entry.
  • Page 244 Preview Click this button to open the specified web site in a new frame. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving.
  • Page 245: Firewall

    A zone is a group of interfaces or VPN tunnels. Group the UAG’s interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.
  • Page 246 The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface.
  • Page 247: The Firewall Screen

    LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
  • Page 248: Configuring The Firewall Screen

    NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding firewall rule to allow the traffic, you need to set the LAN IP address as the destination. • The ordering of your rules is very important as rules are applied in sequence.
  • Page 249 Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG and the backup gateway on separate subnets.
  • Page 250 This field shows you whether a log (and alert) is created when packets match this rule or not. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings.
  • Page 251: The Firewall Add/Edit Screen

    IP address should be within the IP address range. Source Select an IPv4 address or address group to apply an IPv4 rule to traffic coming from it. Select any to apply an IPv4 rule to all traffic coming from IPv4 addresses.
  • Page 252: The Session Control Screen

    Use this screen to limit the number of concurrent NAT/firewall sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both. Figure 173 Configuration > Firewall > Session Control
  • Page 253: The Session Control Add/Edit Screen

    Click Configuration > Firewall > Session Control, and then click the Add icon or select an entry and click the Edit icon to display the Firewall Session Control Add/Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses.
  • Page 254: Firewall Rule Configuration Example

    172.16.1.10 through 172.16.1.15 (Dest_1) on the LAN. Click Configuration > Firewall. In the summary of firewall rules click Add to configure a new first entry. The sequence (priority) of the rules is important since they are applied in order.
  • Page 255 Select From WAN and To LAN and enter a name for the firewall rule. Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.
  • Page 256: Firewall Rule Example Applications

    To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.
  • Page 257 CEO’s computer (172.16.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
  • Page 258 The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the UAG would drop it and not check any other firewall rules.
  • Page 259: Billing

    He starts using the Internet for the first 20 minutes and then disconnects his Internet access to go to a 20-minute meeting. After the meeting, he only has 20 minutes left on his account.
  • Page 260: The General Screen

    Unused account will be deleted after the time: Enter the number and select a time unit from the drop-down list box to specify how long to wait before the UAG deletes an account that has not been used.
  • Page 261: The Billing Profile Screen

    26.3 The Billing Profile Screen Use this screen to configure the billing profiles that define the maximum Internet access time and charge per time unit. Click Configuration > Billing > Billing Profile to open the following screen.
  • Page 262 This field displays the duration of the billing period. Price This field displays each profile’s price per time unit. Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings.
  • Page 263: The Account Generator Screen

    This field displays the duration of the billing period. Price This field displays each profile’s price per time unit. Unit This field displays how many units of the billing period are charged for a new account. Click to select a new number.
  • Page 264 The following figure shows an example SMS message with account information. The SMS screen displays only when you enable SMS in the Configuration > SMS screen. You can enter the user’s...
  • Page 265 Chapter 26 Billing mobile phone number and click Send SMS to send the account information in an SMS text message to the user’s mobile phone. Close this window when you are finished viewing it.
  • Page 266: The Account Redeem Screen

    The following figure shows a printout preview example. Close this window when you are finished viewing it. 26.3.2 The Account Redeem Screen The Account Redeem screen allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen.
  • Page 267 Charge This field displays the total cost of the account. Payment Info This field displays the method of payment for each account. Phone Num This field displays the mobile phone number for the account.
  • Page 268: The Billing Profile Add/Edit Screen

    Select a time period (minute, hour, or day) and enter the time unit to define each profile’s maximum Internet access time. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving.
  • Page 269: The Discount Screen

    Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The UAG confirms you want to remove it before doing so.
  • Page 270: The Discount Add/Edit Screen

    Click Cancel to exit this screen without saving. 26.5 The Payment Service General Screen Use this screen to use a credit card service to authorize, process, and manage credit card transactions directly through the Internet. You must register with the supported credit card service...
  • Page 271 Enter the ID token provided to you by PayPal after successfully applying for your PayPal account. Payment Gateway Enter the address of the PayPal gateway provided to you by PayPal after applying for your PayPal account. Account Delivery Method
  • Page 272: The Payment Service Custom Service Screen

    Use this screen to customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. Click Configuration > Billing > Payment Service > Custom Service to open the following screen.
  • Page 273 Chapter 26 Billing Figure 190 Configuration > Billing > Payment Service > Custom Service
  • Page 274 Message Enter a note to display when you set the UAG to send account information via SMS text messages. Use up to 1024 printable ASCII characters. Spaces are allowed. Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings.
  • Page 275: Printer Manager

    277) to customize the account printout. 27.2 The General Screen Use this screen to configure a printer list and allow the UAG to monitor the printer status. Click Configuration > Printer Manager > General to open the following screen.
  • Page 276 Use this section to add the printer(s) that can be managed by the UAG. Click this to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
  • Page 277: The Printout Configuration Screen

    Click this button to return the screen to its last-saved settings. 27.3 The Printout Configuration Screen Use this screen to customize the account printout. Click Configuration > Printer Manager > Printout Configuration to open the following screen. Figure 192 Configuration > Printer Manager > Printout Configuration
  • Page 278: Reports Overview

    Note: You must press the key combination on the SP350E within five seconds to print. Table 127 Report Printing Key Combinations REPORT TYPE KEY COMBINATION Daily Account Summary A B C A A Monthly Account Summary A B C B A
  • Page 279: Daily Account Summary

    For example, if you press the monthly account key combination on 2013/05/17 at 20:00:00, the monthly account report includes the accounts created from 2013/05/01 at 00:00:01 to 2013/05/17 at 19:59:59. Key combination: A B C B A The following figure shows an example.
  • Page 280: Account Report Notes

    (up to 2000 entries total). 27.3.6 System Status This report shows the current system information such as the host name and WAN IP address. Key combination: A B C C A The following figure shows an example.
  • Page 281 This field displays the end of the continuous addresses in the IP address pool. CPUS This field displays the UAG’s recent CPU usage. MEMS This field displays the UAG’s recent memory usage. DKST This field displays what percentage of the UAG’s onboard flash memory is currently being used.
  • Page 282: Free Time

    Internet surfing during the specified time period. 28.2 The Free Time Screen Use this screen to enable and configure the free time settings. Click Configuration > Free Time to open the following screen. Figure 196 Configuration > Free Time
  • Page 283 Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings. The following figure shows an example login screen with a link to create a free guest account.
  • Page 284 You can still click the link to get a free account. If SMS is enabled on the UAG, you have to enter your mobile phone number before clicking OK to get a free guest account.
  • Page 285 Chapter 28 Free Time The guest account information then displays in the screen and/or is sent to the configured mobile phone number.
  • Page 286: Sms

    Click Configuration > SMS to open the following screen. Figure 197 Configuration > SMS The following table describes the labels in this screen. Table 130 Configuration > SMS LABEL DESCRIPTION General Settings Enable SMS Select the check box to turn on the SMS service.
  • Page 287 Type the Password associated with the user name. Retype to Confirm Type your password again for confirmation. Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings.
  • Page 288: Ipsec Vpn

    297) to manage the UAG’s VPN gateways. A VPN gateway specifies the IPSec routers at either end of a VPN tunnel and the IKE SA settings (phase 1 settings). You can also activate and deactivate each VPN gateway.
  • Page 289: What You Need To Know

    • In a VPN gateway, you can enable extended authentication. If the UAG is in server mode, you should set up the authentication method (AAA server) first. The authentication method specifies how the UAG authenticates the remote IPSec router. See Chapter 37 on page 368.
  • Page 290: The Vpn Connection Screen

    To remove an entry, select it and click Remove. The UAG confirms you want to remove it before doing so. Activate To turn on an entry, select it and click Activate. Inactivate To turn off an entry, select it and click Inactivate.
  • Page 291: The Vpn Connection Add/Edit Screen

    To access this screen, go to the Configuration > VPN > IPSec VPN > VPN Connection screen (see Section 30.2 on page 290), and either click the Add icon or select an entry and click the Edit icon.
  • Page 292 Chapter 30 IPSec VPN Figure 201 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit
  • Page 293 Type the maximum number of seconds the IPSec SA can last. Shorter life times provide better security. The UAG automatically negotiates a new IPSec SA before the current one expires, if there are users who are accessing remote resources.
  • Page 294 Choices are SHA1, SHA256, SHA512 and MD5. SHA is generally considered stronger than MD5, but it is also slower. The UAG and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
  • Page 295 Create new Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
  • Page 296 The size of the original port range must be the same size as the size of the mapped port range. Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen.
  • Page 297: The Vpn Gateway Screen

    The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 30.3 on page 297), and either click the Add icon or select an entry and click the Edit icon.
  • Page 298 Chapter 30 IPSec VPN Figure 203 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit
  • Page 299 "0x0123456789ABCDEF" is in hexadecimal format; “0123456789ABCDEF” is in ASCII format. If you use hexadecimal, you must enter twice as many characters since you need to enter pairs. The UAG and remote IPSec router must use the same pre-shared key.
  • Page 300 Any - the UAG does not check the identity of the remote IPSec router If the UAG and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate
  • Page 301 Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
  • Page 302 UAG authenticates this information. Client Mode Select this radio button if the UAG provides a username and password to the remote IPSec router for authentication. You also have to provide the User Name and the Password.
  • Page 303: Ipsec Vpn Background Information

    The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the UAG and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next.
  • Page 304 The UAG and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.
  • Page 305 Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you...
  • Page 306: Additional Topics For Ike Sa

    UAG. Steps 3 - 4: The UAG and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.
  • Page 307 The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the UAG and remote IPSec router support. Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
  • Page 308 AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The UAG and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
  • Page 309 If you do not enable PFS, the UAG and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security.
  • Page 310 M through the IPSec SA because computer M’s IP address is not part of its local policy. To set up this NAT, you have to specify the following information: • Source - the original source address; most likely, computer M’s network.
  • Page 311 • Mapped Port - the translated destination port or range of destination ports. The original port range and the mapped port range must be the same size. IPSec VPN Example Here is an example of configuring a site-to-site IPSec VPN.
  • Page 312 (VPN_GW_EXAMPLE here). Set My Address to Interface and select a WAN interface. Set Peer Gateway Address to Static Address and enter the remote IPSec router’s public IP address (2.2.2.2 here) as the Primary. Set Authentication to Pre-Shared Key and enter 12345678. Click...
  • Page 313 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Set VPN Gateway to Site-to-site and select the VPN gateway you configured (VPN_GW_EXAMPLE). Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the remote. Click OK.
  • Page 315: Bandwidth Management

    In the following example, you configure a Per-user bandwidth management rule for billing-users to limit outgoing traffic to 300 kbps. Then all billing-users (A, B and C) can send 300 kbps of traffic.
  • Page 316 • Outbound traffic goes from a LAN1 device to a WAN device. Bandwidth management is applied before sending the packets out a WAN interface on the UAG. • Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is applied before sending the traffic out a LAN1 interface.
  • Page 317 • Then lower-priority traffic gets bandwidth. • The UAG uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority. • The UAG automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority).
  • Page 318 (800 kbps), leaving only 200 kbps for server B. Table 138 Priority Effect POLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATE 800 kbps 800 kbps 1000 kbps 200 kbps
  • Page 319: The Bandwidth Management Screen

    The default bandwidth management policy is the one with the priority of “default”. It is the last policy the UAG checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.
  • Page 320 This is the destination interface of the traffic to which this policy applies. Interface Source This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source.
  • Page 321: The Bandwidth Management Add/Edit Screen

    The Configuration > BWM Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Configuration > BWM screen (see Section 31.2 on page 319), and either click the Add icon or select an entry and click the Edit icon.
  • Page 322 Chapter 31 Bandwidth Management Figure 215 Configuration > BWM > Edit (For the Default Policy) Figure 216 Configuration > BWM > Add/Edit
  • Page 323 “af” identifies one of four classes and one of three drop preferences. See Section 12.4 on page 175 for more details. Select preserve to have the UAG keep the packets’ original DSCP value. Select default to have the UAG set the DSCP value of the packets to 0.
  • Page 324 Select whether to have the UAG generate a log (log), log and alert (log alert) or not (no) for packets that match the policy. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes.
  • Page 325: User/Group

    WWW, TELNET, SSH, Console Perform basic diagnostics (CLI) Access Users ext-user External user account ext-group-user External group user account guest-manager Create dynamic guest accounts pre-subscriber Access network services Web Authentication Portal dynamic-guest Access network services Web Authentication Portal UAG5100 User’s Guide...
  • Page 326 UAG5100 User’s Guide...
  • Page 327: User Summary Screen

    32.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > User. UAG5100 User’s Guide...
  • Page 328: User Add/Edit Screen

    - this user has access to the UAG’s services but cannot look at the configuration. Description This field displays the description for each user. 32.2.1 User Add/Edit Screen The User Add/Edit screen allows you to create a new user account or edit an existing one. UAG5100 User’s Guide...
  • Page 329 To access this screen, go to the User screen (see Section 32.2 on page 327), and either click the Add icon or select an entry and click the Edit icon. Figure 218 Configuration > Object > User/Group > User > Add/Edit UAG5100 User’s Guide...
  • Page 330 UAG in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out. UAG5100 User’s Guide...
  • Page 331: User Group Summary Screen

    The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 32.3 on page 331), and either click the Add icon or select an entry and click the Edit icon. UAG5100 User’s Guide...
  • Page 332: The User/Group Setting Screen

    UAG. You can also use this screen to specify when users must log in to the UAG before it routes traffic for them. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting. UAG5100 User’s Guide...
  • Page 333 Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. This field is a sequential value, and it is not associated with a specific entry. UAG5100 User’s Guide...
  • Page 334 IP addresses. Maximum number per This field is effective when Limit number of simultaneous logons for access account access account is checked. Type the maximum number of simultaneous logins by each access user. UAG5100 User’s Guide...
  • Page 335: Default User Settings Edit Screen

    To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 32.4 on page 332), select one of the entries in the Default Settings section and click the Edit icon. Figure 222 Configuration > Object > User/Group > Setting > Edit UAG5100 User’s Guide...
  • Page 336: User Aware Login Example

    32.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the UAG. Instead, after access users log into the UAG, the following screen appears. Figure 223 Web Configurator for Non-Admin Users UAG5100 User’s Guide...
  • Page 337: User /Group Technical Reference

    Lease Time. Possible Values: 1-1440 (minutes). reauthTime Reauthentication Time. Possible Values: 1-1440 (minutes). The following example shows you how you might set up user attributes in RADIUS servers. Figure 224 RADIUS Example: Keywords for User Attributes type=user;leaseTime=222;reauthTime=222 UAG5100 User’s Guide...
  • Page 338 Web Configurator, to create the accounts. Extract the user names from the RADIUS server, and create a shell script that creates the user accounts. See Chapter 43 on page 450 for more information about shell scripts. UAG5100 User’s Guide...
  • Page 339: Ap Profile

    The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it. UAG5100 User’s Guide...
  • Page 340: Radio Screen

    Table 152 Configuration > Object > AP Profile > Radio LABEL DESCRIPTION Click this to add a new radio profile. Edit Click this to edit the selected radio profile. Remove Click this to remove the selected radio profile. UAG5100 User’s Guide...
  • Page 341 Channel ID This field indicates the broadcast channel which this radio profile is configured to use. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 342: Add/Edit Radio Profile

    This screen allows you to create a new radio profile or edit an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 226 Configuration > Object > AP Profile > Radio > Add/Edit UAG5100 User’s Guide...
  • Page 343 802.11n headers and wraps them in an 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates. A-MPDU Limit Enter the maximum frame size to be aggregated. UAG5100 User’s Guide...
  • Page 344 Select the check box and set a minimum client signal strength for connecting to the AP. -20 dBm is the strongest signal you can require and -76 is the weakest. Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP. UAG5100 User’s Guide...
  • Page 345: Ssid Screen

    (such as the Wi-Fi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it. To access this screen click Configuration > Object > AP Profile > SSID. UAG5100 User’s Guide...
  • Page 346 This field indicates the QoS type associated with the SSID profile. MAC Filtering This field indicates which (if any) MAC Filter Profile is associated with the SSID profile. Profile VLAN ID This field indicates the VLAN ID associated with the SSID profile. UAG5100 User’s Guide...
  • Page 347: Add/Edit Ssid Profile

    MAC filtering allows you to limit the wireless clients connecting to your network through a particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections. The disable setting means no MAC filtering is used. UAG5100 User’s Guide...
  • Page 348: Security List

    This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it. To access this screen click Configuration > Object > AP Profile > SSID > Security List. UAG5100 User’s Guide...
  • Page 349 This field is a sequential value, and it is not associated with a specific profile. Profile Name This field indicates the name assigned to the security profile. Security Mode This field indicates this profile’s security mode (if any). UAG5100 User’s Guide...
  • Page 350: Add/Edit Security Profile

    Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed. Security Mode Select a security mode from the list: wep, wpa, wpa2, or wpa2-mix. UAG5100 User’s Guide...
  • Page 351 WEP encryption protocol to further secure. Not all wireless clients may support this. • aes - This is the Advanced Encryption Standard encryption method. It is a more recent development over TKIP and considerably more robust. Not all wireless clients may support this. UAG5100 User’s Guide...
  • Page 352: Mac Filter List

    This field is a sequential value, and it is not associated with a specific profile. Profile Name This field indicates the name assigned to the MAC filtering profile. Filter Action This field indicates this profile’s filter action (if any). UAG5100 User’s Guide...
  • Page 353: Add/Edit Mac Filter Profile

    This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 354: Addresses

    The Address screen provides a summary of all addresses in the UAG. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. UAG5100 User’s Guide...
  • Page 355: Address Add/Edit Screen

    To access this screen, go to the Address screen (see Section 34.2 on page 354), and either click the Add icon or select an entry and click the Edit icon in the Configuration section. Figure 234 IPv4 Address Configuration > Add/Edit UAG5100 User’s Guide...
  • Page 356: Address Group Summary Screen

    Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 235 Configuration > Object > Address > Address Group UAG5100 User’s Guide...
  • Page 357: Address Group Add/Edit Screen

    To access this screen, go to the Address Group screen (see Section 34.3 on page 356), and either click the Add icon or select an entry and click the Edit icon in the Configuration section. Figure 236 Configuration > Object > Address > Address Group > Add/Edit UAG5100 User’s Guide...
  • Page 358 Move any members you do not want included to the Available list. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 359: Services

    For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it. UAG5100 User’s Guide...
  • Page 360: The Service Summary Screen

    To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order. Figure 237 Configuration > Object > Service > Service UAG5100 User’s Guide...
  • Page 361: The Service Add/Edit Screen

    Number Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 362: The Service Group Summary Screen

    The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 35.3 on page 362), and either click the Add icon or select an entry and click the Edit icon. UAG5100 User’s Guide...
  • Page 363 Move any members you do not want included to the Available list. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 364: Schedules

    Recurring schedules are useful for defining the workday and off-work hours. Finding Out More • See Section 41.4 on page 396 for information about the UAG’s current date and time. UAG5100 User’s Guide...
  • Page 365: The Schedule Summary Screen

    This field displays the name of the schedule, which is used to refer to the schedule. Start Time This field displays the time at which the schedule begins. Stop Time This field displays the time at which the schedule ends. UAG5100 User’s Guide...
  • Page 366: The One-Time Schedule Add/Edit Screen

    Specify the hour and minute when the schedule ends. • Hour - 0 - 23 • Minute - 0 - 59 Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 367: The Recurring Schedule Add/Edit Screen

    Minute - 0 - 59 Weekly Week Days Select each day of the week the recurring schedule is effective. Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving your changes. UAG5100 User’s Guide...
  • Page 368: Aaa Server

    The following lists the types of authentication server the UAG supports. • Local user database The UAG uses the built-in local user database to authenticate administrative users logging into the UAG’s Web Configurator or network access users logging into the network through the UAG. UAG5100 User’s Guide...
  • Page 369: Radius Server Summary

    Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or select an entry and click the Edit icon to display the following screen. Use this screen to create a new RADIUS entry or edit an existing one. UAG5100 User’s Guide...
  • Page 370 If the RADIUS server requires the UAG to provide the Network Access Server (NAS) IP address attribute with a specific value, enter it here. Case-sensitive Select this if the server checks the case of the usernames. User Names UAG5100 User’s Guide...
  • Page 371 “management”. Then you could also create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD” and a third for “management”. Click OK to save the changes. Cancel Click Cancel to discard the changes. UAG5100 User’s Guide...
  • Page 372: Authentication Method

    38.2 Authentication Method Objects Click Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to four authentication method objects. Figure 247 Configuration > Object > Auth. Method UAG5100 User’s Guide...
  • Page 373: Creating An Authentication Method Object

    Note: You can NOT select two server objects of the same type. Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. UAG5100 User’s Guide...
  • Page 374 UAG does not continue the search on the second authentication server when you enter a username and password that do not match those on the first authentication server. Click OK to save the changes. Cancel Click Cancel to discard the changes. UAG5100 User’s Guide...
  • Page 375: Certificates

    Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key). UAG5100 User’s Guide...
  • Page 376 The UAG currently allows the importation of a PKCS#7 file that contains a single certificate. • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. UAG5100 User’s Guide...
  • Page 377: Verifying A Certificate

    Make sure that the certificate has a “.cer” or “.crt” file name extension. Figure 249 Remote Host Certificates Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 250 Certificate Details UAG5100 User’s Guide...
  • Page 378: The My Certificates Screen

    This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. UAG5100 User’s Guide...
  • Page 379: The My Certificates Add Screen

    Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the UAG create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. UAG5100 User’s Guide...
  • Page 380 @ symbol, periods and the underscore. Organizational Unit Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. UAG5100 User’s Guide...
  • Page 381: The My Certificates Edit Screen

    39.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. UAG5100 User’s Guide...
  • Page 382 The UAG does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked. Refresh Click Refresh to display the certification path. UAG5100 User’s Guide...
  • Page 383 You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example). UAG5100 User’s Guide...
  • Page 384: The My Certificates Import Screen

    The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 254 Configuration > Object > Certificate > My Certificates > Import UAG5100 User’s Guide...
  • Page 385: The Trusted Certificates Screen

    To remove an entry, select it and click Remove. The UAG confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action. UAG5100 User’s Guide...
  • Page 386: The Trusted Certificates Edit Screen

    Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the UAG to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority. UAG5100 User’s Guide...
  • Page 387 Chapter 39 Certificates Figure 256 Configuration > Object > Certificate > Trusted Certificates > Edit UAG5100 User’s Guide...
  • Page 388 Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the UAG uses RSA encryption) and the length of the key set in bits (1024 bits for example). UAG5100 User’s Guide...
  • Page 389: The Trusted Certificates Import Screen

    Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the UAG. Note: You must remove any spaces from the certificate’s filename before you can import the certificate. Figure 257 Configuration > Object > Certificate > Trusted Certificates > Import UAG5100 User’s Guide...
  • Page 390 You cannot import a certificate with the same name as a certificate that is already in the UAG. Browse Click Browse to find the certificate file you want to upload. Click OK to save the certificate on the UAG. Cancel Click Cancel to quit and return to the previous screen. UAG5100 User’s Guide...
  • Page 391: Isp Accounts

    Table 182 Configuration > Object > ISP Account LABEL DESCRIPTION Click this to create a new entry. Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. UAG5100 User’s Guide...
  • Page 392: Isp Account Add/Edit

    This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol. pptp - This ISP account uses the PPTP protocol. UAG5100 User’s Guide...
  • Page 393 ISP Account Edit screen. Cancel Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists). UAG5100 User’s Guide...
  • Page 394: System

    IP addresses the access can come. • The Language screen (Section 41.12 on page 434) sets the user interface language for the UAG’s Web Configurator screens. Note: See each section for related background information and term definitions. UAG5100 User’s Guide...
  • Page 395: Host Name

    Note: Only connect one USB device. It must allow writing (it cannot be read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. UAG5100 User’s Guide...
  • Page 396: Date And Time

    To change your UAG’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the UAG’s time and date or have the UAG get the date and time from a time server. UAG5100 User’s Guide...
  • Page 397 This field displays the last updated date from the time server or the last date configured (yyyy-mm-dd) manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. UAG5100 User’s Guide...
  • Page 398 For example, if you set this field to 3.5, a log that occurred at 6 P.M. in local official time will appear as if it had occurred at 10:30 P.M. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 399: Pre-Defined Ntp Time Servers List

    Enter the UAG’s date in the New Date field. Under Time Zone Setup, select your Time Zone from the list. As an option you can select the Enable Daylight Saving check box to adjust the UAG clock for daylight savings. Click Apply. UAG5100 User’s Guide...
  • Page 400: Console Port Speed

    The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the UAG Web Configurator Status screen. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG5100 User’s Guide...
  • Page 401: Dns Overview

    DDNS and the time server. You can also configure the UAG to accept or discard DNS queries. Use the Network > Interface screens to configure the DNS server information that the UAG sends to the specified DHCP client devices. Figure 265 Configuration > System > DNS UAG5100 User’s Guide...
  • Page 402 Note that subsequent entries move up by one when you take this action. This is the index number of the MX record. Domain Name This is the domain name where the mail is destined for. UAG5100 User’s Guide...
  • Page 403: Address Record

    A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name. 41.6.5 Adding/Editing an Address/PTR Record Click the Add icon or select an entry and click the Edit icon in the Address/PTR Record table to configure an address/PTR record. UAG5100 User’s Guide...
  • Page 404: Domain Zone Forwarder

    41.6.7 Adding/Editing a Domain Zone Forwarder Click the Add icon or select an entry and click the Edit icon in the Domain Zone Forwarder table to configure a domain zone forwarder record. UAG5100 User’s Guide...
  • Page 405: Mx Record

    Each host or domain can have only one MX record, that is, one domain maps to one host. UAG5100 User’s Guide...
  • Page 406: Adding/Editing A Mx Record

    Select ALL to allow or deny any computer to send DNS queries to the UAG. Select a predefined address object to just allow or deny the computer with the IP address that you specified to send DNS queries to the UAG. UAG5100 User’s Guide...
  • Page 407: Www Overview

    The management session does not time out when a statistics screen is polling. Each user is also forced to log in to the UAG for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens. UAG5100 User’s Guide...
  • Page 408: Https

    Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the UAG using HTTP or HTTPS. You can also specify which IP addresses the access can come from. UAG5100 User’s Guide...
  • Page 409 DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the UAG Web Configurator using secure HTTPS connections. UAG5100 User’s Guide...
  • Page 410 IP address(es) in the Service Control table to access the UAG Web Configurator using HTTP connections. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the UAG. UAG5100 User’s Guide...
  • Page 411: Service Control Rules

    Click the Add icon or select an entry and click the Edit icon in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to configure a service control rule. Figure 272 Configuration > System > Service Control Rule > Add/Edit UAG5100 User’s Guide...
  • Page 412: Customizing The Www Login Page

    Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 32 on page 325 for more on access user accounts. UAG5100 User’s Guide...
  • Page 413 Chapter 41 System Figure 273 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages. UAG5100 User’s Guide...
  • Page 414 • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. • Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black. UAG5100 User’s Guide...
  • Page 415 Browse to locate it. The picture’s size cannot be over 438 x 337 pixels. Note: Use a GIF, JPG, or PNG of 100 kilobytes or less. To use a color, select Color and specify the color. UAG5100 User’s Guide...
  • Page 416: Https Example

    Click Technical Details if you want to verify more information about the certificate from the UAG. Select I Understand the Risks and then click Add Exception to add the UAG to the security exception list. Click Confirm Security Exception. UAG5100 User’s Guide...
  • Page 417 41.7.7.4 Login Screen After you accept the certificate, the UAG login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. UAG5100 User’s Guide...
  • Page 418 The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). 41.7.7.5.1 Installing the CA’s Certificate Double-click the CA’s trusted certificate to produce a screen similar to the one shown next. UAG5100 User’s Guide...
  • Page 419 You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next. Click Next to begin the wizard. UAG5100 User’s Guide...
  • Page 420 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 283 Personal Certificate Import Wizard 2 Enter the password given to you by the CA. UAG5100 User’s Guide...
  • Page 421 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location. Figure 285 Personal Certificate Import Wizard 4 Click Finish to complete the wizard and begin the import process. UAG5100 User’s Guide...
  • Page 422 When Authenticate Client Certificates is selected on the UAG, the following screen asks you to select a personal certificate to send to the UAG. This screen displays even if you only have a single certificate as in the example. UAG5100 User’s Guide...
  • Page 423: Ssh

    SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the UAG for a management session. UAG5100 User’s Guide...
  • Page 424: How Ssh Works

    The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer. Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. UAG5100 User’s Guide...
  • Page 425: Ssh Implementation On The Uag

    IP address(es) in the Service Control table to access the UAG CLI using this service. Version 1 Select the check box to have the UAG use both SSH version 1 and version 2 protocols. If you clear the check box, the UAG uses only SSH version 2 protocol. UAG5100 User’s Guide...
  • Page 426: Secure Telnet Using Ssh Examples

    Launch the SSH client and specify the connection information (IP address, port number) for the UAG. Configure the SSH client to accept connections using SSH version 1. A window displays prompting you to store the host key in your computer. Click Yes to continue. UAG5100 User’s Guide...
  • Page 427 The authenticity of host '172.16.0.1 (172.16.0.1)' can't be established. RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.0.1' (RSA1) to the list of known hosts. Administrator@172.16.0.1's password: The CLI screen displays next. UAG5100 User’s Guide...
  • Page 428: Telnet

    To change an entry’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed. UAG5100 User’s Guide...
  • Page 429: Ftp

    Use this screen to specify from which zones FTP can be used to access the UAG. You can also specify from which IP addresses the access can come. Figure 298 Configuration > System > FTP UAG5100 User’s Guide...
  • Page 430: Snmp

    Your UAG supports SNMP agent functionality, which allows a manager station to manage and monitor the UAG through the network. The UAG supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. UAG5100 User’s Guide...
  • Page 431: Supported Mibs

    MIBs (private.mib and enterprise.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the UAG’s MIBs from www.zyxel.com. UAG5100 User’s Guide...
  • Page 432: Snmp Traps

    Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the UAG. You can also specify from which IP addresses the access can come. Figure 300 Configuration > System > SNMP
  • Page 433 This displays whether the computer with the IP address specified above can access the UAG zone(s) configured in the Zone field (Accept) or not (Deny). Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings.
  • Page 434: Language

    Select a display language for the UAG’s Web Configurator screens. You also need to open a new browser session to display the screens in the new language. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings.
  • Page 435: Log And Report

    Note: Data collection may decrease the UAG’s traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the UAG e-mail you system statistics every day.
  • Page 436 Chapter 42 Log and Report Figure 302 Configuration > Log & Report > Email Daily Report
  • Page 437: Log Settings Screens

    The first Log Settings screen provides a settings summary. Use the Edit screens to configure settings such as log categories, e-mail addresses, and server names for any log. Use the Log
  • Page 438: Log Settings Summary

    This field displays the format of the log. Format Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format.
  • Page 439: Edit System Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 42.3.1 on page 438), and click the system log Edit icon.
  • Page 440 Chapter 42 Log and Report Figure 304 Configuration > Log & Report > Log Settings > Edit (System Log)
  • Page 441 Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1. enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1.
  • Page 442: Edit Log On Usb Storage Setting

    The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 42.3.1 on page 438), and click the USB storage Edit icon.
  • Page 443 (yellow check mark) - send the remote server log messages, alerts, and debugging information for all log categories. This field is a sequential value, and it is not associated with a specific entry.
  • Page 444: Edit Remote Server Log Settings

    The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 42.3.1 on page 438), and click a remote server Edit icon.
  • Page 445 Chapter 42 Log and Report Figure 306 Configuration > Log & Report > Log Settings > Edit (Remote Server)
  • Page 446: Log Category Settings Screen

    (for example, where and how often log information is e-mailed or remote server names). To access this screen, go to the Log Settings Summary screen (see Section 42.3.1 on page 438), and click the Log Category Settings button.
  • Page 447 This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 42.3.2 on page 439, where this process is discussed. (The Default category includes debugging messages generated by open source software.)
  • Page 448 Log Category This field displays each category of messages. It is the same value used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software.
  • Page 449 (yellow check mark) - log regular information, alerts, and debugging information from this category Click this to save your changes and return to the previous screen. Cancel Click this to return to the previous screen without saving your changes.
  • Page 450: File Manager

    When you apply a configuration file, the UAG uses the factory default settings for any features that the configuration file does not include. When you run a shell script, the UAG only applies the commands that it contains. Other settings do not change.
  • Page 451: Comments In Configuration Files Or Shell Scripts

    Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the UAG exit sub command mode. Note: “exit” or “!” must follow sub commands if it is to make the UAG exit sub command mode.
  • Page 452: The Configuration File Screen

    Once your UAG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
  • Page 453 The UAG still generates a log for any errors. Figure 309 Maintenance > File Manager > Configuration File Do not turn off the UAG while configuration file upload is in progress.
  • Page 454 Specify a name for the duplicate configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-). Click OK to save the duplicate or click Cancel to close the screen without saving a duplicate of the configuration file.
  • Page 455 This column displays the number for each configuration file entry. This field is a sequential value, and it is not associated with a specific address. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space.
  • Page 456: The Firmware Package Screen

    Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “UAG.bin”. The firmware update can take up to five minutes. Do not turn off or reset the UAG while the firmware update is in progress!
  • Page 457 Figure 315 Network Temporarily Disconnected After five minutes, log in again and check your new firmware version in the Dashboard screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen.
  • Page 458: The Shell Script Screen

    Note: You should include write commands in your scripts. If you do not use the write command, the changes will be lost when the UAG restarts. You could use multiple write commands in a long script. Figure 317 Maintenance > File Manager > Shell Script
  • Page 459 This column displays the label that identifies a shell script file. Size This column displays the size (in KB) of a shell script file. Last Modified This column displays the date and time that the individual shell script files were last changed or saved.
  • Page 460 Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes.
  • Page 461: Diagnostics

    The Diagnostic screen provides an easy way for you to generate a file containing the UAG’s configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 320 Maintenance > Diagnostics
  • Page 462: The Diagnostics Files Screen

    File Name This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved.
  • Page 463: The Packet Capture Screen

    Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this. Figure 322 Maintenance > Diagnostics > Packet Capture
  • Page 464 Set a time limit in seconds for the capture. The UAG stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified in the File Size field. 0 means there is no time limit.
  • Page 465: The Packet Capture Files Screen

    You can download the files to your computer where you can study them using a packet analyzer (also known as a network or protocol analyzer) such as Wireshark. Figure 323 Maintenance > Diagnostics > Packet Capture > Files
  • Page 466: Core Dump Screen

    (if ready) device if the process terminates abnormally (crashes). If you clear this option the UAG only saves Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings.
  • Page 467: Core Dump Files Screen

    44.5 The System Log Screen Click Maintenance > Diagnostics > System Log to open the system log files screen. This screen lists the files of system logs stored on a connected USB storage device. The files are in comma
  • Page 468 File Name This column displays the label that identifies the file. Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved.
  • Page 469: Packet Flow Explore

    • select use policy routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection screen. Note: Once a packet matches the criteria of a routing rule, the UAG takes the corresponding action and does not perform any further flow checking.
  • Page 470 Chapter 45 Packet Flow Explore Figure 327 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 328 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) Figure 329 Maintenance > Packet Flow Explore > Routing Status (Policy Route)
  • Page 471 Figure 330 Maintenance > Packet Flow Explore > Routing Status (VPN 1-1 Mapping Route) Figure 331 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 332 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN)
  • Page 472 Figure 333 Maintenance > Packet Flow Explore > Routing Status (Static Route) Figure 334 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 335 Maintenance > Packet Flow Explore > Routing Status (Main Route)
  • Page 473 This is the interface name and gateway IP address if the next hop type is Interface / • This is the trunk name if the next hop type is Trunk. The following fields are available if you click VPN 1-1 Mapping Route in the Routing Flow section.
  • Page 474: The Snat Status Screen

    • use policy routes to control 1-1 NAT by using the policy control-virtual-server-rules activate command. Note: Once a packet matches the criteria of an SNAT rule, the UAG takes the corresponding action and does not perform any further flow checking.
  • Page 475 Figure 336 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) Figure 337 Maintenance > Packet Flow Explore > SNAT Status (VPN 1-1 Mapping Route) Figure 338 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT)
  • Page 476 The following fields are available if you click VPN 1-1 Mapping SNAT in the SNAT Flow section. This field is a sequential value, and it is not associated with any entry. Source This is the original source IP address(es).
  • Page 477 This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the UAG uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule.
  • Page 478: Reboot

    Click the Reboot button to restart the UAG. Wait a few minutes until the login screen appears. If the login screen does not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the UAG.
  • Page 479: Shutdown

    Click the Shutdown button to shut down the UAG. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the UAG.
  • Page 480: Troubleshooting

    VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed. I cannot access the Internet. • Check the UAG’s connection to the Ethernet jack with Internet access. Make sure the Internet gateway device (such as a DSL modem) is working properly.
  • Page 481 You cannot set up a PPP interface, virtual Ethernet interface or virtual VLAN interface if the underlying interface is a member of a bridge. You also cannot add an Ethernet interface or VLAN interface to a bridge if the member interface has a virtual interface or PPP interface on top of it.
  • Page 482 • You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the UAG and the DDNS server.
  • Page 483 • The UAG’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively. • The UAG and remote IPSec router must use the same active protocol. • The UAG and remote IPSec router must use the same encapsulation.
  • Page 484 The UAG automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
  • Page 485 • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
  • Page 486 Data collection may decrease the UAG’s traffic throughput rate. I can only see newer logs. Older logs are missing. When a log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
  • Page 487: Resetting The Uag

    48.1 Resetting the UAG If you cannot access the UAG by any method, try restarting it by turning the power off and then on again. If you still cannot access the UAG by any method or you forget the administrator
  • Page 488: Getting More Troubleshooting Help

    Release the RESET button, and wait for the UAG to restart. You should be able to access the UAG using the default settings. 48.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • Page 489: Appendix A Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 490: Uag5100 User's Guide

    Unauthorized disposal of the product by its holder entails the application of the administrative penalties provided for by the regulations in force."
  • Page 491 Appendix A Legal Information Environmental Product Declaration
  • Page 492: Index

    NAT user and policy routes accounting server and trunks active protocol H.323 and encapsulation see also VoIP pass through active sessions 70, 73, 85 Application Layer Gateway, see ALG address groups
  • Page 493 119, 146 viewing and virtual interfaces of members basic characteristics Challenge Handshake Authentication Protocol (CHAP) effect on routing table member interfaces CHAP (Challenge Handshake Authentication Protocol) virtual CHAP/PAP bridges 20, 23 button
  • Page 494 Mail eXchange (MX) records and schedules pointer (PTR) records daylight savings DNS servers 55, 401, 404 setting manually and interfaces time server documentation custom related access user page domain name login page Domain Name System, see DNS
  • Page 495 68, 457 getting updated exceptional services uploading 456, 457 extended authentication uploading with FTP and VPN gateways firmware upload IKE SA troubleshooting Extended Service Set IDentification flash usage ext-user forcing login troubleshooting FQDN free guest account
  • Page 496 DHCP relays with Internet Explorer as DHCP servers 156, 395 with Netscape Navigator backup, see trunks HyperText Transfer Protocol over Secure Socket bandwidth management 155, 163, 165 Layer, see HTTPS bridge, see also bridge interfaces. DHCP clients
  • Page 497 NAT for outbound traffic and certificates status authentication transport mode basic troubleshooting tunnel mode certificates when IKE SA is disconnected connections IPSec VPN connectivity check troubleshooting encapsulation encryption ISP account CHAP established in two phases CHAP/PAP
  • Page 498 Microsoft spillover Challenge-Handshake Authentication Protocol (MSCHAP) weighted round robin Challenge-Handshake Authentication Protocol local user database Version 2 (MSCHAP-V2) Point-to-Point Encryption (MPPE) troubleshooting model name
  • Page 499 Netscape Navigator and ALG Network Access Server and HTTP redirect Network Address Translation, see NAT and interfaces Network Time Protocol (NTP) and NAT No-IP and schedules 172, 323 and service objects and SMTP redirect
  • Page 500 PTR record RESET button Public-Key Infrastructure (PKI) public-private key pairs 1631 (NAT) 2131 (DHCP) 2132 (DHCP)
  • Page 501 GetNext limitations Manager timeouts managers service groups and firewall network components service objects and firewall Trap and IP protocols traps and policy routes
  • Page 502 68, 395 HTTP redirect system reports, see reports interface Internet access system uptime 480, 484 IPSec VPN system-default.conf LEDs logo logs management access packet capture policy route connections
  • Page 503 70, 72 types of onboard flash user names sessions 70, 73 USB storage status user authentication external local user database Vantage Report (VRPT) user awareness virtual interfaces 119, 152 User Datagram Protocol, see UDP basic characteristics
  • Page 504 245, 250 and policy routes and FTP 172, 484 VPN gateways and interfaces and certificates and SNMP and extended authentication and SSH and interfaces and Telnet and to-Device firewall and VPN and WWW VRPT (Vantage Report)
  • Page 505 Index extra-zone traffic inter-zone traffic intra-zone traffic types of traffic
