ZyXEL UAG4100 User Guide

ZyXEL UAG4100 Manual

ZyXEL UAG4100 manual content summary:

  • ZyXEL UAG4100 | User Guide - Page 1
    / UAG4100 / UAG5100 Unified Access Gateway Version 4.10 Edition 1, 03/2015 Quick Start Guide User's Guide Default Login Details LAN IP Address http://172.16.0.1 (LAN1) http://172.17.0.1 (LAN2) User Name admin Password 1234 www.zyxel.com Copyright © 2015 ZyXEL Communications Corporation
  • ZyXEL UAG4100 | User Guide - Page 2
    differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate. Related Documentation • Quick Start Guide The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards. (See the
  • ZyXEL UAG4100 | User Guide - Page 3
    Policy ...289 Billing ...304 Printer ...322 Free Time ...332 SMS ...336 IPSec VPN ...338 Bandwidth Management ...366 Application Patrol ...376 Content Filtering ...381 Zones ...395 User/Group ...399 AP Profile ...414 MON Profile ...430 Application ...435 Addresses ...442 UAG Series
  • ZyXEL UAG4100 | User Guide - Page 4
    Services ...447 Schedules ...453 AAA Server ...459 Authentication Method ...464 Certificates ...467 ISP Accounts ...483 System ...486 Log and Report ...534 File Manager ...549 Diagnostics ...560 Packet Flow Explore ...572 Reboot ...581 Shutdown ...582 Troubleshooting ...583 UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 5
    Default Zones, Interfaces, and Ports 21 1.3 Management Overview ...21 1.4 Web Configurator ...22 1.4.1 Web Configurator Access ...23 1.4.2 Web Configurator 2.4 Rear Panel ...40 2.4.1 UAG2100 or UAG4100 ...40 2.4.2 UAG5100 ...41 Chapter 3 Printer Deployment...42 3.1 Overview ...42 User's Guide 5
  • ZyXEL UAG4100 | User Guide - Page 6
    Interface Quick Setup ...65 5.2.1 Choose an Ethernet Interface 65 5.2.2 Select WAN Type ...65 5.2.3 Configure WAN IP Settings ...66 5.2.4 ISP and WAN Connection Settings 66 5.2.5 Quick Setup Interface Wizard: The CPU Usage Screen ...86 6.2.2 The Memory Usage Screen ...86 UAG Series User's Guide 6
  • ZyXEL UAG4100 | User Guide - Page 7
    Table Screen ...88 6.2.6 The Number of Login Users Screen 89 Chapter 7 Monitor...91 7.1 IP/MAC Binding Monitor Screen 101 7.8 The Login Users Screen ...102 7.9 The Dynamic Guest Screen 125 7.22.1 View AP Log ...127 7.22.2 Dynamic Users Log ...129 Chapter 8 Licensing ...131 8.1 Overview ...131
  • ZyXEL UAG4100 | User Guide - Page 8
    Table of Contents 8.2 Registration Screen ...132 8.3 Service Screen ...132 8.4 App Patrol Signature Update Screen 133 Chapter 9 Wireless ...136 9.1 Overview ...136 9.1.1 What You Can Do in this Chapter 176 10.6 Bridge Interfaces ...181 10.6.1 Bridge Interface Summary 183 UAG Series User's Guide 8
  • ZyXEL UAG4100 | User Guide - Page 9
    Need to Know ...195 11.2 The Trunk Summary Screen ...198 11.2.1 Configuring a User-Defined Trunk 199 11.2.2 Configuring the System Default Trunk 201 Chapter 12 Policy and Static Routes ...203 12.1 Policy and NAT Technical Reference ...224 Chapter 15 VPN 1-1 Mapping ...226 UAG Series User's Guide 9
  • ZyXEL UAG4100 | User Guide - Page 10
    Traversal ...241 19.2.2 Cautions with UPnP ...242 19.3 UPnP Screen ...242 19.4 Technical Reference ...243 19.4.1 Using UPnP in Windows XP Example 243 19.4.2 Web Configurator Easy Access 245 Chapter 20 IP/MAC Binding...248 UAG Series User's Guide 10
  • ZyXEL UAG4100 | User Guide - Page 11
    Garden ...277 23.3.1 General Screen ...278 23.3.2 URL Base Screen ...278 23.3.3 Domain/IP Base Screen ...280 23.3.4 Walled Garden Login Example 282 23.4 Advertisement Screen ...283 23.4.1 Adding/Editing an Advertisement URL 284 Chapter 24 RTLS ...286 24.1 Overview ...286 UAG Series User's Guide 11
  • ZyXEL UAG4100 | User Guide - Page 12
    Screen 316 26.5 The Payment Service General Screen 316 26.5.1 The Payment Service Desktop View / Mobile View Configuration Screen 325 27.4 The Printer Manager Screen ...326 27.4.1 Edit Printer Manager ...327 27.4.2 Reports Overview ...328 27.4.3 Key Combinations ...328 UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 13
    .1 Overview ...376 32.1.1 What You Can Do in this Chapter 376 32.1.2 What You Need to Know ...376 32.2 Application Patrol Profile ...377 UAG Series User's Guide 13
  • ZyXEL UAG4100 | User Guide - Page 14
    Need To Know ...399 35.2 User Summary Screen ...401 35.2.1 User Add/Edit Screen ...402 35.3 User Group Summary Screen ...405 35.3.1 Group Add/Edit Screen ...405 35.4 User/Group Setting Screen ...406 35.4.1 Default User Settings Edit Screens 409 35.4.2 User Aware Login Example 410 35.5 MAC Address
  • ZyXEL UAG4100 | User Guide - Page 15
    .2 Address Summary Screen ...442 39.2.1 Address Add/Edit Screen ...443 39.3 Address Group Summary Screen 444 39.3.1 Address Group Add/Edit Screen 445 Chapter 40 Services ...447 40.1 Overview ...447 40.1.1 What You Can Do in this Chapter 447 UAG Series
  • ZyXEL UAG4100 | User Guide - Page 16
    You Need to Know ...447 40.2 The Service Summary Screen ...448 40.2.1 The Service Add/Edit Screen 449 40.3 The Service Group Summary Screen 450 40.3.1 The Service Group Add/Edit Screen 451 Chapter 41 Schedules Add Screen 471 44.2.2 The My Certificates Edit Screen 473 UAG Series User's Guide 16
  • ZyXEL UAG4100 | User Guide - Page 17
    Rule 500 46.7 WWW Overview ...501 46.7.1 Service Access Limitations 501 46.7.2 System Timeout ...501 46.7.3 HTTPS ...502 46.7.4 Configuring WWW Service Control 502 46.7.5 Service Control Rules ...505 46.7.6 Customizing the WWW Login Page 506 46.7.7 HTTPS Example ...511 UAG Series User's Guide 17
  • ZyXEL UAG4100 | User Guide - Page 18
    46.10 FTP ...524 46.10.1 Configuring FTP ...524 46.11 SNMP ...525 46.11.1 Supported MIBs ...526 46.11.2 SNMP Traps ...527 46.11.3 Configuring SNMP ...527 46.12 Authentication Server ...528 46.12.1 Add/Edit Trusted RADIUS Client 530 46.13 Language ...531 46.14 ZyXEL One Network (ZON) Utility 531 46
  • ZyXEL UAG4100 | User Guide - Page 19
    Overview ...582 52.1.1 What You Need To Know ...582 52.2 The Shutdown Screen ...582 Chapter 53 Troubleshooting...583 53.1 Resetting the UAG ...589 53.2 Getting More Troubleshooting Help 590 Appendix A Customer Support ...591 Appendix B Legal Information...597 Index ...604 UAG Series User's Guide 19
  • ZyXEL UAG4100 | User Guide - Page 20
    User's Guide covers the following models: UAG2100, UAG4100 and UAG5100. Table 1 UAG Series Comparison Table FEATURES SMS Service up and have been given usernames, passwords etc. required for Internet access. You with the UAG through a specifically designated login web page. You can also forward the
  • ZyXEL UAG4100 | User Guide - Page 21
    P5 UAG5100 Zones Interfaces Physical Ports WAN wan1 wan2 LAN1 LAN2 DMZ lan1 lan2 dmz P1 P2 P3 P4 P5 1.3 Management Overview You can manage the UAG in the following ways. Web Configurator The Web Configurator allows easy UAG setup and management using an Internet browser. This User's Guide
  • ZyXEL UAG4100 | User Guide - Page 22
    Web Configurator, you must: • Use one of the following web browser versions or later: Internet Explorer 6.0, Firefox 8.0, Chrome 14.0, Safari 4.0 • Allow pop-up windows (blocked by default in Windows XP Service Pack 2) • Enable JavaScripts, Java permissions, and cookies UAG Series User's Guide 22
  • ZyXEL UAG4100 | User Guide - Page 23
    change the default password, the Login screen appears after you click Apply. If you click Ignore, the Installation Setup Wizard opens if the UAG is using its default configuration; otherwise the dashboard appears. B A C 1.4.2 Web Configurator Screens Overview This guide uses the UAG5100 screens
  • ZyXEL UAG4100 | User Guide - Page 24
    user name and password. See the Command Reference Guide for information about the commands. CLI Click this to open a popup window that displays the CLI commands sent by the Web Configurator process of the UAG. This shows the firmware version of the UAG. This shows the date (yyyy-mm-dd) and time (hh
  • ZyXEL UAG4100 | User Guide - Page 25
    Site Map Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen's link to go to that screen. Figure 5 Site the individual object and click Refresh to show which configuration settings reference the object. Figure 6 Object Reference UAG Series User's Guide 25
  • ZyXEL UAG4100 | User Guide - Page 26
    the navigation panel menu items to open status and configuration screens. Click the arrow in the middle of the right edge of the navigation panel to hide the panel or drag to resize it. The following sections introduce the UAG's navigation panel menus and their screens. UAG Series User's Guide 26
  • ZyXEL UAG4100 | User Guide - Page 27
    device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re an IP address from UAG interfaces using IP/MAC binding. Login Users List the users currently logged into the UAG. Dynamic Guest List the dynamic User's Guide 27
  • ZyXEL UAG4100 | User Guide - Page 28
    Register the device and activate trial services. Service View the licensed service status and upgrade licensed services. Signature Update App Patrol Update application patrol signatures immediately or by a schedule. Wireless Controller Configuration Configure how the UAG handles APs that
  • ZyXEL UAG4100 | User Guide - Page 29
    method. Billing Profile Configure the billing profiles for the web-based account generator and each button on the connected statement printer. Discount Configure discount price plans. Payment Service Enable online payment service and configure the service pages. UAG Series User's Guide 29
  • ZyXEL UAG4100 | User Guide - Page 30
    used to define various policies. User/Group User Create and manage users. Group Create and manage groups of users. Setting Manage default settings for all users, general settings for user sessions, and rules to force user authentication. MAC Address Configure the MAC addresses of wireless
  • ZyXEL UAG4100 | User Guide - Page 31
    DNS server and address records for the UAG. WWW Service Control Configure HTTP, HTTPS, and general authentication. Login Page Configure how the login and access user screens look. SSH Configure SSH server and SSH service settings. TELNET Configure telnet server settings for the UAG. FTP
  • ZyXEL UAG4100 | User Guide - Page 32
    Network Tool Identify problems with the connections. You can use Ping or TraceRoute to help you identify problems. Wireless Frame Capture Shutdown Turn off the UAG. 1.4.4 Tables and Lists Web Configurator tables and lists are flexible with several options for how text UAG Series User's Guide 32
  • ZyXEL UAG4100 | User Guide - Page 33
    for working with table entries. You can often use the [Shift] or [Ctrl] key to select multiple entries to remove, activate, or deactivate. UAG Series User's Guide 33
  • ZyXEL UAG4100 | User Guide - Page 34
    ] key to select multiple entries, and then use the arrow button to move them to the other list. Figure 15 Working with Lists UAG Series User's Guide 34
  • ZyXEL UAG4100 | User Guide - Page 35
    Chapter 1 Introduction 1.5 Stopping the UAG Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the UAG or remove the power. Not doing so can cause the firmware to become corrupt. UAG Series User's Guide 35
  • ZyXEL UAG4100 | User Guide - Page 36
    -mounting (UAG5100) Use the following steps to mount the UAG on an EIA standard size, 19-inch rack or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined the UAG to the rack with the rack-mounting screws. UAG Series User's Guide 36
  • ZyXEL UAG4100 | User Guide - Page 37
    connection cables. 5 Align the holes on the back of the UAG with the screws on the wall. Hang the UAG on the screws. UAG Series User's Guide 37
  • ZyXEL UAG4100 | User Guide - Page 38
    Chapter 2 Hardware Installation and Connection Figure 16 Wall Mounting Example 2.3 Front Panel This section introduces the UAG's front panel. Figure 17 Front Panel: UAG2100 or UAG4100 UAG Series User's Guide 38
  • ZyXEL UAG4100 | User Guide - Page 39
    default negotiation settings for the Ethernet ports on the UAG are speed: auto, duplex: auto, and flow control: on (you cannot configure to it. Console Port (UAG5100) Connect this port to your computer (using an RS-232 cable) if you want to configure the UAG using the command Series User's Guide 39
  • ZyXEL UAG4100 | User Guide - Page 40
    of the UAG. 2.4.1 UAG2100 or UAG4100 The rear panel contains a console port, a power switch and a connector for the power receptacle and four antennas. UAG Series User's Guide 40
  • ZyXEL UAG4100 | User Guide - Page 41
    using an RS-232 cable) if you want to configure the UAG using the command line interface (CLI) can use a computer with terminal emulation software configured to the following parameters: • VT100 terminal COM port) of your computer. 2.4.2 UAG5100 The following figure shows the rear panel of the
  • ZyXEL UAG4100 | User Guide - Page 42
    Turn on the printer. The printer is acting as a DHCP client by default and will obtain an IP address from the connected UAG. Make sure the UAG the UAG. 3 Log into the UAG web configurator. See Section 1.4 on page 22 on how to access the web configurator. 4 Enter your Internet access information to
  • ZyXEL UAG4100 | User Guide - Page 43
    the UAG's printer list, check the sticker on the printer's rear panel to see its MAC address. 1 Go to the Dashboard of the UAG web configurator. 2 Open the DHCP Table to find the IP address which is assigned to the printer's MAC address. Make sure the IP address is reserved for
  • ZyXEL UAG4100 | User Guide - Page 44
    > Printer > General Setting screen. Click Add in the Printer List to create a new entry for your printer. Alternatively, go to the Configuration > Printer > Printer Manager screen and click the Discover Printer icon. The UAG automatically detects the connected printer(s) and displays the printer
  • ZyXEL UAG4100 | User Guide - Page 45
    printer's IP address is added to the printer list, select the Enable Printer Manager checkbox in the Configuration > Printer > General Setting screen and then click Apply. 5 Go to the Configuration > Printer > Printer Manager screen to check if the UAG can connect to the printer (the printer status
  • ZyXEL UAG4100 | User Guide - Page 46
    Apply in the Configuration > Printer > General Setting screen. 3.5 Turn on Web Authentication on the UAG With web authentication, users need to log in or agree to the policy of user agreement before they can access the network(s). 1 Go to the Configuration > Web Authentication > General screen.
  • ZyXEL UAG4100 | User Guide - Page 47
    default login page. 4 Select default-web-portal from the Authentication Type drop-down list box to allow users to authenticate through the default web portal login page. 5 Click OK to save your changes. 6 Click Apply in the Configuration to the Configuration > Free Time screen. 2 Select the Enable
  • ZyXEL UAG4100 | User Guide - Page 48
    to access a web page, he/she will be redirected to the default login page. 4 Click the link on the login page to get a free guest account. 5 A Welcome screen displays. Select the free time service. Click OK to generate and show the account information on the web page. UAG Series User's Guide 48
  • ZyXEL UAG4100 | User Guide - Page 49
    Chapter 3 Printer Deployment 6 Now you can use this account to access the Internet through the UAG for free. UAG Series User's Guide 49
  • ZyXEL UAG4100 | User Guide - Page 50
    Configurator for the first time or when you reset the UAG to its default configuration, the Installation Setup Wizard screen displays. This wizard helps you configure on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User's Guide for
  • ZyXEL UAG4100 | User Guide - Page 51
    : Enter the Internet access information exactly as your ISP gave it to you. Figure 22 Internet Access: Step 1 (UAG2100/UAG4100) Figure 23 Internet Access: Step 1 (UAG5100) UAG Series User's Guide 51
  • ZyXEL UAG4100 | User Guide - Page 52
    previous screen's IP Address Assignment field to Auto and click Next. Use this screen to configure your IP address settings. Note: Enter the Internet access information exactly as given to you through which this WAN connection will send traffic (the default gateway). UAG Series User's Guide 52
  • ZyXEL UAG4100 | User Guide - Page 53
    field as 0.0.0.0 if you do not want to configure DNS servers. 4.2.2 Internet Settings: PPPoE Note: Type the PPPoE Service Name from your service provider. PPPoE uses a service name to V2 - Your UAG accepts MSCHAP-V2 only. • Type the User Name given to you by your ISP. You can use alphanumeric and
  • ZyXEL UAG4100 | User Guide - Page 54
    DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. 4.2.3 Internet Settings: PPTP Note: Enter the Internet access information exactly as given to you by your ISP. Figure 26 Internet Access: PPTP Encapsulation UAG Series User's Guide 54
  • ZyXEL UAG4100 | User Guide - Page 55
    User Name given Password associated with the user name. Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password configuring to configure DNS servers. 4.2.4 configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring
  • ZyXEL UAG4100 | User Guide - Page 56
    on the controller feature and allow the UAG to manage the connected APs. Figure 27 Wireless Settings 4.3.1 Wireless and Radio Settings Use this screen to configure the wireless and wireless security settings when you turn on the local AP. The screen varies depending on the security mode you selected
  • ZyXEL UAG4100 | User Guide - Page 57
    key and configure the WEP key default login page. Otherwise, select No and click Next to disable web authentication and go to the Device Registration screen. Note: A View Mobile Version or View Desktop Version link displays on the login page if you enable web authentication. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 58
    traffic or traffic received on a specific interface, use the Configuration > Web Authentication screens (Section 23.2 on page 260) to configure a new policy. Figure 29 Web Authentication Settings 4.5 Printer UAG to create free guest accounts. Figure 30 Printer Settings UAG Series User's Guide 58
  • ZyXEL UAG4100 | User Guide - Page 59
    shows the MAC address of the printer. Printout • Specify how many copies of subscriber statements you want to print. 4.6 Billing Settings Use this screen to configure the general billing settings. UAG Series User's Guide 59
  • ZyXEL UAG4100 | User Guide - Page 60
    before the time period is finished. If a user disconnects and reconnects before the allocated time expires, the user does not have to enter the user name and password to access the Internet again. • Select Accumulation to allow each user multiple re-login until the time allocated is used up. The
  • ZyXEL UAG4100 | User Guide - Page 61
    - Set the duration of the billing period. When this period expires, the user's access will be stopped. • Price - Set each profile's price, up to 999999.99, per time unit. 4.6.2 Account Generator Settings Use this maximum Internet access time and charge per time unit. UAG Series User's Guide 61
  • ZyXEL UAG4100 | User Guide - Page 62
    35 Free Time Settings • Free Time Period - Select the duration of time period for which the free time account is allowed to access the Internet. • Reset Time - Select the time in 24-hour format at which the new free time account is allowed to access the Internet. UAG Series User's Guide 62
  • ZyXEL UAG4100 | User Guide - Page 63
    MAC address to register it if you have not already done so. Note: You must be connected to the Internet to register. Use the Registration > Service screen to update your service subscription status. Figure 36 Registration UAG Series User's Guide 63
  • ZyXEL UAG4100 | User Guide - Page 64
    . See the feature-specific chapters in this User's Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen. Figure 37 Quick Setup (UAG2100/UAG4100) Figure 38 Quick Setup (UAG5100) • WAN Interface Click this link to open
  • ZyXEL UAG4100 | User Guide - Page 65
    VPN Setup Use VPN Setup to configure a VPN (Virtual Private Network Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next Interface Select the Ethernet interface that you want to configure for a WAN connection and click Next. Figure 40
  • ZyXEL UAG4100 | User Guide - Page 66
    as your ISP gave it to you. 5.2.3 Configure WAN IP Settings Use this screen to select whether WAN Interface: This is the interface you are configuring for Internet access. • Zone: This is ISP and WAN Connection Settings Use this screen to configure the ISP and WAN interface settings. This screen is
  • ZyXEL UAG4100 | User Guide - Page 67
    . This displays the type of Internet connection you are configuring. Enter the PPPoE service name specified in the ISP account. This field is only. MSCHAP - Your UAG accepts MSCHAP only. User Name MSCHAP-V2 - Your UAG accepts MSCHAP-V2 only. Type the user name given to you by your ISP. You can
  • ZyXEL UAG4100 | User Guide - Page 68
    Password Retype to Confirm Nailed-Up Idle Timeout PPTP Configuration Base Interface Base IP Address IP Subnet Mask Gateway IP Address Server IP Connection ID DESCRIPTION Type the password associated with the user Summary This screen displays the WAN interface's settings. UAG Series User's Guide 68
  • ZyXEL UAG4100 | User Guide - Page 69
    service name specified in the ISP account. Server IP This field only appears for a PPTP interface. It displays the IP address of the PPTP server. User Name This is the user here. WAN Interface This identifies the interface you configure to connect with your ISP. Zone This field User's Guide 69
  • ZyXEL UAG4100 | User Guide - Page 70
    Setup Wizard On the UAG that supports VPN, click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. Figure 45 VPN Setup Wizard (UAG5100) 5.3.1 Welcome Use wizards to create VPN > VPN Connection screen. Figure 46 VPN Setup Wizard: Welcome UAG Series User's Guide 70
  • ZyXEL UAG4100 | User Guide - Page 71
    2 settings to connect to another ZLD-based UAG using a pre-shared key. Choose Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to display the following screen. Figure 48 VPN Express Wizard: Scenario UAG Series User's Guide 71
  • ZyXEL UAG4100 | User Guide - Page 72
    supports. • Site-to-site - The remote IPSec device has a static IP address or a domain name. This UAG can initiate the VPN tunnel. 5.3.4 VPN Express Wizard - Configuration Figure 49 VPN Express Wizard: Configuration password. Both ends of the VPN tunnel must use the same password address configured on
  • ZyXEL UAG4100 | User Guide - Page 73
    device. • Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a configured on the UAG. The Phase 1 rule settings appear in the VPN > IPSec VPN > VPN Gateway screen and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 74
    VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. UAG Series User's Guide 74
  • ZyXEL UAG4100 | User Guide - Page 75
    : This shows the scenario that the UAG supports. • Site-to-site - The remote Gateway: Any displays in this field if it is not configurable for the chosen scenario. Otherwise, enter the WAN IP dynamic IP addresses to use separate passwords. Note: Multiple SAs connecting through User's Guide 75
  • ZyXEL UAG4100 | User Guide - Page 76
    than DH1 or DH2 (although it may affect throughput). DH1 (default) refers to Diffie-Hellman Group 1 a 768 bit random number. the IKE SA. • Authentication Method: Select Pre-Shared Key to use a password or Certificate to use one of the UAG's certificates. 5.3.9 VPN Advanced Wizard User's Guide 76
  • ZyXEL UAG4100 | User Guide - Page 77
    behind the remote IPSec device. You can also specify a subnet. This must match the local IP address configured on the remote IPSec device. • Nailed-Up: This displays for the site-to-site and remote access client : IP address or domain name of the remote IPSec device. UAG Series User's Guide 77
  • ZyXEL UAG4100 | User Guide - Page 78
    Shared Key: VPN tunnel password. • Certificate: The can use the tunnel. • Copy and paste the Configuration for Remote Gateway commands into another ZLD-based UAG the VPN rule. 5.3.11 VPN Advanced Wizard - Finish Now the rule is configured on the UAG. The Phase 1 rule settings appear in the VPN >
  • ZyXEL UAG4100 | User Guide - Page 79
    Chapter 5 Quick Setup Wizards Figure 56 VPN Wizard: Finish Click Close to exit the wizard. UAG Series User's Guide 79
  • ZyXEL UAG4100 | User Guide - Page 80
    Use the Number of Login Users screen (see Section 6.2.6 on page 89) to look at a list of the users currently logged into service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 81
    again to enlarge the widget again. Refresh Time Setting (C) Set the interval for refreshing the information displayed in the widget. Refresh Now (D) Click this to update the widget's information immediately. UAG Series User's Guide 81
  • ZyXEL UAG4100 | User Guide - Page 82
    6.2.4 on page 88. DHCP Table This field is available only on the UAG that supports IPSec VPN. Click this to look at the IP addresses currently assigned to the UAG's DHCP clients and the IP addresses reserved for specific MAC addresses. See Section 6.2.5 on page 88. UAG Series User's Guide 82
  • ZyXEL UAG4100 | User Guide - Page 83
    . Problematic configuration after firmware update - The application of the configuration failed after a firmware upgrade. System default configuration - The UAG successfully applied the system default configuration. This occurs when the UAG starts for the first time or you intentionally reset the
  • ZyXEL UAG4100 | User Guide - Page 84
    server. Use this field to get or to update the IP address for the interface. Click Renew service is not licensed or has expired. This field displays the maximum number of wired and wireless users that may connect to the UAG at the same time or how many managed APs the UAG can support User's Guide 84
  • ZyXEL UAG4100 | User Guide - Page 85
    that have connected to this AP. Count AP Description This field displays the AP's description. The default description is "AP-" followed by the AP's MAC address. Top 5 IPv4 Security Policy Rules that log. Category This field displays the type of log generated. UAG Series User's Guide 85
  • ZyXEL UAG4100 | User Guide - Page 86
    x-axis shows the time period over which the CPU usage occurred Refresh Interval Enter how often you want this window to be automatically updated. Refresh Now Click this to update the information in the window right away. 6.2.2 The Memory Usage Screen Use this screen to look at a chart of the UAG
  • ZyXEL UAG4100 | User Guide - Page 87
    to update the information in the window right away. 6.2.3 The Active Sessions Screen Use this screen to look at a chart of the UAG's recent traffic session usage. To access this screen, click Show Active Sessions in the dashboard. Figure 60 Dashboard > Show Active Sessions UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 88
    update the information in the window right away. 6.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in System Status in the dashboard. This screen is available only on the UAG that supports User's Guide 88
  • ZyXEL UAG4100 | User Guide - Page 89
    entry, the host name or the description you configured shows here. This field is blank for dynamic DHCP updated. Click this to update the information in the window right away. 6.2.6 The Number of Login Users Screen Use this screen to look at a list of the users currently logged into the UAG. Users
  • ZyXEL UAG4100 | User Guide - Page 90
    amount of either data in both directions (Total) or upstream data (Upload) and downstream data (Download). Type IP address User Info This shows -/-/- for an administrator account. This field displays the way the user logged in to the UAG. This field displays the IP address of the computer used to
  • ZyXEL UAG4100 | User Guide - Page 91
    Monitor screen (see Section 7.5 on page 99) to view sessions by user or service. • Use the System Status > DDNS Status screen (see Section 7.6 on • Use the System Status > Login Users screen (see Section 7.8 on page 102) to look at a list of the users currently logged into the UAG. User's Guide 91
  • ZyXEL UAG4100 | User Guide - Page 92
    7.22.1 on page 127) to view the UAG's current wireless AP log messages. • Use the Log > Dynamic Users Log screen (see Section 7.22.2 on page 129) to view the UAG's dynamic guest account log messages. 7.2 Port Statistics. Figure 64 Monitor > System Status > Port Statistics UAG Series User's Guide 92
  • ZyXEL UAG4100 | User Guide - Page 93
    Stop Switch to Graphic View # Port Status DESCRIPTION Enter how often you want this window to be updated automatically, and click Set Interval. Click this to set the Poll Interval the screen uses. Click this Status screen and then the Switch to Graphic View Button. UAG Series User's Guide 93
  • ZyXEL UAG4100 | User Guide - Page 94
    field displays the date and time the information in the window was last updated. 7.3 The Interface Status Screen This screen lists all of the UAG's interfaces and gives packet statistics for them. Click Monitor > System Status > Interface Status to access this screen. UAG Series User's Guide 94
  • ZyXEL UAG4100 | User Guide - Page 95
    Inactive. For PPP interfaces: • Inactive - The PPP interface is disabled. • Connected - The PPP interface is connected. • Disconnected - The PPP interface is not connected. UAG Series User's Guide 95
  • ZyXEL UAG4100 | User Guide - Page 96
    static IP address. Services Action Interface Statistics field lists which services the interface provides any services to the network. Use this field to get or to update the update its IP address, this field displays n/a. This to update the information the screen updated. This field
  • ZyXEL UAG4100 | User Guide - Page 97
    protocols or service ports and it manually in Reset Click Reset to return the screen to its last-saved settings. Statistics Interface Select the interface from which to collect information. You can collect information from Ethernet, VLAN, bridge and PPPoE/PPTP interfaces. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 98
    update the report display. These fields are available when the Top is Host IP Address/User. This field is the rank of each record. The IP addresses and users user is sending or receiving traffic. RX From- traffic is coming from the IP address or user to the UAG. IP Address/User Amount # Service/
  • ZyXEL UAG4100 | User Guide - Page 99
    • User who started the session • Protocol or service port user, service, source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/ or destination address and view it by user
  • ZyXEL UAG4100 | User Guide - Page 100
    this button to update the information on the screen using the filter criteria in the User, Service, Source Address, and Destination Address fields. This field displays the user in each active session. Service If you are the length of the active session in seconds.
  • ZyXEL UAG4100 | User Guide - Page 101
    labels in this screen. Table 27 Monitor > System Status > DDNS Status LABEL DESCRIPTION Update Click this to have the UAG update the profile to the DDNS server. The UAG attempts to resolve the IP address for the a session with the UAG do not display in the list.
  • ZyXEL UAG4100 | User Guide - Page 102
    button to update the information in the screen. 7.8 The Login Users Screen Use this screen to look at a list of the users currently logged into the UAG. To access this screen, click Monitor > System Status > Login Users. Figure 71 Monitor > System Status > Login Users
  • ZyXEL UAG4100 | User Guide - Page 103
    (Download). This shows -/-/- for an administrator account. This field displays the way the user update the information in the screen. 7.9 The Dynamic Guest Screen Dynamic guest accounts can be automatically generated for guest users by using a connected statement printer or the web configurator
  • ZyXEL UAG4100 | User Guide - Page 104
    directions (Total) or upstream data (Upload) and downstream data (Download) can be transmitted through the WAN interface before the account expires. User Role This field displays the role of the account. Refresh Click this button to update the information in the screen.
  • ZyXEL UAG4100 | User Guide - Page 105
    "0", the UAG ignores the Internal Port value and forwards requests on all external port numbers (that are otherwise unmapped) to the Internal Client.
  • ZyXEL UAG4100 | User Guide - Page 106
    to remove all mapping rules from the NAT table. Refresh Click this button to update the information in the screen. 7.11 The USB Storage Screen This screen displays information system of the USB storage device is not supported by the UAG, such as NTFS. Speed This field displays the connection speed
  • ZyXEL UAG4100 | User Guide - Page 107
    manually not supported (unknown ZyXEL Discovery Protocol (ZDP) for discovering and configuring ZDP-aware ZyXEL devices in the same network as the computer on which the ZON utility is installed. Click Monitor > System Status > Ethernet Neighbor to see the following screen.
  • ZyXEL UAG4100 | User Guide - Page 108
    the discovered device. This field displays the firmware version of the discovered device. This field internal interface port number. IP Address MAC Refresh For UAGs that support Port Role, if ports 3 to 4 are grouped together and update the information in the screen.
  • ZyXEL UAG4100 | User Guide - Page 109
    details on the different Status states, see the next table. This displays the AP's associated description. The default description is "AP-" + the AP's MAC Address. This indicates whether the AP is registered with the -line or gone off-line since the UAG last started up.
  • ZyXEL UAG4100 | User Guide - Page 110
    This displays the AP LED status. N/A displays if the AP does not support LED suppression mode and/or have a locator LED to show the actual list and online. This AP is in the process of having its firmware updated. This AP is on the management list but offline. This indicates one
  • ZyXEL UAG4100 | User Guide - Page 111
    Information > AP List > Station Count of AP LABEL Configuration Status Non Support Port Status Port Status DESCRIPTION This displays whether or not any of the AP's configuration is in conflict with the UAG's settings for the AP . This shows the name of the VLAN.
  • ZyXEL UAG4100 | User Guide - Page 112
    shows the time over which a station was connected. Last Update This field displays the date and time the information in the window was last updated. 7.14 The Radio List Screen Use this screen to view Profile This indicates the profile name to which the radio belongs.
  • ZyXEL UAG4100 | User Guide - Page 113
    number of received packet errors accrued by the radio. This indicates the number of times the radio has attempted to re-transmit packets.
  • ZyXEL UAG4100 | User Guide - Page 114
    and click the More Information button in the Radio List screen. Figure 79 Monitor > Wireless > AP Information > Radio List > AP Mode Radio Information
  • ZyXEL UAG4100 | User Guide - Page 115
    the time over which a wireless client was connected. Last Update This field displays the date and time the information in the window was last updated. OK Click this to close this window. Cancel Click access this screen. Figure 80 Monitor > Wireless > Station List
  • ZyXEL UAG4100 | User Guide - Page 116
    Device to access this screen. Note: At least one radio of the APs connected to the UAG must be set to monitor mode (in the Configuration > Wireless > AP Management screen) in order to detect other wireless devices in its vicinity.
  • ZyXEL UAG4100 | User Guide - Page 117
    rogue AP. A rogue AP can be contained in the Configuration > Wireless > MON Mode screen (Section 9.4 on more on managing friendly AP APs, see the Configuration > Wireless > MON Mode screen (Section 9.4 managing friendly and rogue APs, see the Configuration > Wireless > MON Mode screen (Section
  • ZyXEL UAG4100 | User Guide - Page 118
    Nickname Firmware Version MAC This shows n/a when the printer status is sync fail. This field displays whether the UAG can connect to the printer and update the printer information. This field displays the descriptive name of the printer that you configured in the Configuration > Printer
  • ZyXEL UAG4100 | User Guide - Page 119
    button to update the information in the screen. 7.18.1 VPN 1-1 Mapping Statistics This screen shows statistics for each of the VPN 1-1 mapping rules. Click Monitor > VPN 1-1 Mapping > Statistics to display this screen. Figure 84 Monitor > VPN 1-1 Mapping > Statistics
  • ZyXEL UAG4100 | User Guide - Page 120
    is lit when the entry is active and dimmed when the entry is inactive. User/Group This field displays the name of the user or user group object to which the rule is applied. Pool Profile This field displays the an IPSec SA and click this button to disconnect it.
  • ZyXEL UAG4100 | User Guide - Page 121
    the UAG to the remote IPSec router since the IPSec SA was established. Refresh Click Refresh to update the information in the display. 7.19.1 Regular Expressions in Searching IPSec SAs A question mark (?) (VoIP), and streaming (RSTP) applications. You can even control
  • ZyXEL UAG4100 | User Guide - Page 122
    . Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. Click this button to update the report display. Click this button to discard all of the screen 's traffic the UAG identified by examining the IP payload.
  • ZyXEL UAG4100 | User Guide - Page 123
    Monitor > UTM Statistics > Content Filter to display the following screen. This screen displays content filter statistics. Figure 87 Monitor > UTM Statistics > Content Filter
  • ZyXEL UAG4100 | User Guide - Page 124
    Reset Click Reset to return the screen to its last-saved settings. Refresh Click this button to update users access. Web Pages Blocked by This is the number of web pages to which the UAG did not allow access due to the Custom Service content filtering custom service configuration service's
  • ZyXEL UAG4100 | User Guide - Page 125
    a specific category of log messages (for example, Security Policy Control or User). You can also look at the debugging log by selecting Debug Log. Source Address, Destination Address, Source Interface, Destination Interface, Service, Keyword, Protocol and Search fields are available. Select the
  • ZyXEL UAG4100 | User Guide - Page 126
    . Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. Click this button to update the log using the current filter settings. Reset This displays when interface of the packet that generated the log message.
  • ZyXEL UAG4100 | User Guide - Page 127
    This field displays the service protocol used by the packet that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter to access this screen. Figure 89 Monitor > Log > View AP Log
  • ZyXEL UAG4100 | User Guide - Page 128
    Note: This criterion only appears when you Show Filter. Select a service type to display only the log messages related to it. Keyword the specified AP regardless. Click this open a new e-mail in your default e-mail program with the selected log attached. Click this to refresh the
  • ZyXEL UAG4100 | User Guide - Page 129
    service protocol of the log message. Note This displays any notes associated with the selected log message. 7.22.2 Dynamic Users 50 Monitor > Log > Dynamic Users Log LABEL DESCRIPTION Begin/End Date Search Click this button to update the information on the screen using the filter criteria
  • ZyXEL UAG4100 | User Guide - Page 130
    either data in both directions (Total) or upstream data (Upload) and downstream data (Download). Bandwidth (U/D) This field displays the maximum upstream (Upload) and downstream (Download) bandwidth allowed for the user account in kilobits per second. Charge This field displays the total cost of
  • ZyXEL UAG4100 | User Guide - Page 131
    UAG can use the upgrade service to extend the maximum number of the supported managed APs and the LAN/WLAN users that can connect to the UAG at one time. The UAG2100 can also subscribe to the SMS ticketing service in order to send SMS text messages. The UAG5100 can also use AppPatrol (application
  • ZyXEL UAG4100 | User Guide - Page 132
    www.myzyxel.com to have the UAG use UTM services. See below the respective chapters in this guide for more information about UTM features. Maximum Number of Managed APs The UAG is initially configured to support up to one local AP (NOT available on the UAG5100) and 8 remote managed APs (such as the
  • ZyXEL UAG4100 | User Guide - Page 133
    Signature Update Screen The UAG comes with signatures for the application patrol feature. These signatures are continually updated as new attack types evolve. New signatures can be downloaded to the UAG periodically if you have subscribed for the AppPatrol signatures service.
  • ZyXEL UAG4100 | User Guide - Page 134
    service registration to update the App Patrol signatures. • Schedule signature updates for a day and time when your network is least busy to minimize disruption to your network. • Your custom signature configurations are not over-written when you download then downloaded to the then download them.
  • ZyXEL UAG4100 | User Guide - Page 135
    Chapter 8 Licensing Table 52 Configuration > Licensing > Signature Update > App Patrol (continued) LABEL DESCRIPTION Hourly Select this option to Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings.
  • ZyXEL UAG4100 | User Guide - Page 136
    Section 9.6 on page 148) configures dynamic radio channel selection on managed APs. • The Auto Healing screen (Section 9.7 on page 151) turns on the auto healing feature to extend the wireless service coverage area of the managed APs so the AP does not become overloaded.
  • ZyXEL UAG4100 | User Guide - Page 137
    Manual Reset to return the screen to its last-saved settings. 9.3 AP Management Screen Use this screen to manage all of the APs connected to the UAG. Click Configuration > Wireless > AP Management to access this screen. Figure 95 Configuration > Wireless > AP Management
  • ZyXEL UAG4100 | User Guide - Page 138
    after the AP is ready. This button is not available if the selected AP doesn't support suppression mode. This field is a sequential value, and it is not associated with any AP's description, which you can configure by selecting the AP's entry and clicking the Edit button.
  • ZyXEL UAG4100 | User Guide - Page 139
    this menu to create a new Radio Profile or MON Profile object to associate with this AP. Configuration MAC This displays the MAC address of the selected AP. Model This field displays the AP's hardware You can use up to 31 characters, spaces and underscores allowed.
  • ZyXEL UAG4100 | User Guide - Page 140
    55 Configuration > Port Setting # Status Port PVID VLAN Configuration # Status Name VID Member OK Cancel UAG change the AP's management VLAN to match the configuration in this screen. Enter a VLAN ID for this AP port on the managed AP and configure the port's PVID. To access this screen, select a
  • ZyXEL UAG4100 | User Guide - Page 141
    > Edit Port Each field is described in the following table. Table 56 Configuration > Wireless > AP Management > Edit AP List > Edit Port LABEL Enable . 9.3.3 VLAN Add/Edit Use this screen to create a new VLAN or configure an existing VLAN on the UAG. To access this screen, click Add or select
  • ZyXEL UAG4100 | User Guide - Page 142
    the VLAN. Otherwise, deselect it. This field is read-only if you are editing an existing VLAN. VID Member Configuration Edit # Port Name Member Enter the number of the VLAN. You can use a number from 1~4094. For Click Cancel to close the window with changes unsaved.
  • ZyXEL UAG4100 | User Guide - Page 143
    Controller when possible Fall Back Check Interval Apply Reset Select Manual to replace the AP controller's IP address configured on the managed AP(s) with the one(s) you save your changes back to the UAG. Click Reset to return the screen to its last-saved settings.
  • ZyXEL UAG4100 | User Guide - Page 144
    a network's security. Click Configuration > Wireless > MON Mode to access this screen. Figure 100 Configuration > Wireless > MON Mode Each Dis-Containment A quarantined AP cannot grant access to any network services. Any stations that attempt to connect to a quarantined AP
  • ZyXEL UAG4100 | User Guide - Page 145
    changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. 9.4.1 Add/Edit Rogue/Friendly List Select an AP and click the Edit button in the Configuration > Wireless > MON Mode table Click Cancel to close the window with changes unsaved.
  • ZyXEL UAG4100 | User Guide - Page 146
    > Wireless > Load Balancing Each field is described in the following table. Table 61 Configuration > Wireless > Load Balancing LABEL Enable Load Balancing Mode DESCRIPTION Select this to enable AP will be kicked continuously and never be allowed to connect.
  • ZyXEL UAG4100 | User Guide - Page 147
    9 Wireless Table 61 Configuration > Wireless > Load Balancing (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to connections that are pushing it over its balanced bandwidth allotment.
  • ZyXEL UAG4100 | User Guide - Page 148
    are many APs and there may be interference. DCS allows APs to automatically find a less-used channel in such an environment. Use this screen to configure dynamic radio channel selection on managed APs. Click Configuration > Wireless > DCS to access this screen.
  • ZyXEL UAG4100 | User Guide - Page 149
    DCS Each field is described in the following table. Table 62 Configuration > Wireless > DCS LABEL General Settings Select Now Enable Dynamic Channel select in the 2.4 GHz Channel Deployment field. Select manual and specify the channels the AP uses in the 2.4 GHz band.
  • ZyXEL UAG4100 | User Guide - Page 150
    in this configuration; otherwise, the UAG uses channels 1, 5, 9, 13 in this configuration. Four 5 GHz band. Available channels Channels selected Apply Reset Select manual and specify the channels the AP uses in the Reset to return the screen to its last-saved settings.
  • ZyXEL UAG4100 | User Guide - Page 151
    the power level (in dBm) to which the neighbor APs of the failed AP increase their output power in order to extend their wireless service coverage areas. Apply Reset When the failed AP is working again, its neighbor APs return their output power to the original level. Click Apply to save your
  • ZyXEL UAG4100 | User Guide - Page 152
    radio channel. If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that the affected AP, signal strength, activity, and so on.
  • ZyXEL UAG4100 | User Guide - Page 153
    you allow any number of devices to connect as long as their total bandwidth usage does not exceed the configured bandwidth cap associated with this setting. Once the cap is hit, any new connections are rejected or delayed turn or get shunted to the nearest identical AP.
  • ZyXEL UAG4100 | User Guide - Page 154
    You connect the LAN network to the LAN interface. • Zones are groups of interfaces used to ease security policy configuration. 10.1.1 What You Can Do in this Chapter • Use the Port Role screen (Section 10.2 on page one zone. • Many interfaces can belong to the same zone.
  • ZyXEL UAG4100 | User Guide - Page 155
    an IP address and subnet mask to the bridge. • PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP Name* wan1, wan2 lan1, lan2, dmz pppx vlanx brx Configurable Zone Yes Yes Yes Yes Yes IP Address Assignment Static IP
  • ZyXEL UAG4100 | User Guide - Page 156
    called vlan2:1, vlan2:2, and so on. You cannot specify the number after the colon(:) in the Web Configurator; it is a sequential number. You can specify the number after the colon if you use the CLI MAC address) level. This provides wire-speed throughput but no security.
  • ZyXEL UAG4100 | User Guide - Page 157
    you are configuring from a dmz IP address to access the UAG. Figure 110 Configuration > Network > Interface > Port Role Physical Ports UAG. Click Reset to change the port groups to their current configuration (last-saved values To access this screen, click Configuration > Network > Interface >
  • ZyXEL UAG4100 | User Guide - Page 158
    interface is effectively removed from the UAG, but you can still configure it. Ethernet interfaces are similar to other types of interfaces the amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. Use Ethernet
  • ZyXEL UAG4100 | User Guide - Page 159
    Click Reset to return the screen to its last-saved settings. 10.3.1 Ethernet Edit The Ethernet Edit screen lets you configure IP based on an interface's IP address, subnet, or gateway, the UAG automatically updates every rule or setting that uses the object whenever the interface's IP address
  • ZyXEL UAG4100 | User Guide - Page 160
    Chapter 10 Interfaces Figure 112 Configuration > Network > Interface > Ethernet > Edit (External Type)
  • ZyXEL UAG4100 | User Guide - Page 161
    Figure 113 Configuration > Network > Interface > Ethernet > Edit (Internal Type)
  • ZyXEL UAG4100 | User Guide - Page 162
    the default WAN trunk. Interface Name Port Zone MAC Address Description IP Address Assignment Get Automatically Use Fixed IP Address IP Address Subnet Mask Gateway Metric Interface Parameters For general, the rest of the screen's options do not automatically adjust and you must manually configure
  • ZyXEL UAG4100 | User Guide - Page 163
    Table 67 Configuration > Network available. Check Period Check Timeout Check Fail Tolerance Check Default Gateway Check this address Check Port DHCP Setting DHCP of DHCP service the UAG provides to the network. Choices are: None - the UAG does not provide any DHCP services. There
  • ZyXEL UAG4100 | User Guide - Page 164
    Configuration Second WINS Server Default Router Device - Internet Naming Service) server that default router. This default router will become the DHCP clients' default gateway. Lease time To use another IP address as the default DHCP server. Configure this table manually using a bound IP address
  • ZyXEL UAG4100 | User Guide - Page 165
    associate traffic with this interface. OK Cancel You must manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to general. You can also configure a policy route to override the default routing and SNAT behavior for an interface with an
  • ZyXEL UAG4100 | User Guide - Page 166
    . # This field is a sequential value, and it is not associated with any entry. Service This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority If it is applicable, this field lists the
  • ZyXEL UAG4100 | User Guide - Page 167
    an appropriate type for the value that you will enter in the next field. Only advanced users should configure User Defined. Misconfiguration could result in interface lockout. Enter the value for the selected DHCP option should be listed in order of your preference.
  • ZyXEL UAG4100 | User Guide - Page 168
    Configuration > Network > Interface > Ethernet > Edit > Add/Edit Extended Options LABEL DESCRIPTION OK Click this to close this screen and update is for downloading configuration from a VoIP server via TFTP; however other than contacting a VoIP configuration server. 10.4 PPP Interfaces
  • ZyXEL UAG4100 | User Guide - Page 169
    main differences between PPPoE/ PPTP interfaces and other interfaces. • You must also configure an ISP account object for the PPPoE/PPTP interface to use. Each ISP screen, click Configuration > Network > Interface > PPP. Figure 117 Configuration > Network > Interface > PPP
  • ZyXEL UAG4100 | User Guide - Page 170
    Configuration > Network > Interface > PPP LABEL User Configuration / System Default Default PPP interfaces preconfigured. You can create (and delete) User Configuration PPP interfaces. Click this to create a new user-configured a user-configured PPP manually Apply Reset Reset lets you configure a
  • ZyXEL UAG4100 | User Guide - Page 171
    Figure 118 Configuration > Network > Interface > PPP > Add
  • ZyXEL UAG4100 | User Guide - Page 172
    or lesser number of configuration fields. Create new object Protocol User Name Service Name Server new Object if you need to configure a new ISP account (see user name for the ISP account. This field is read-only. It displays the PPPoE service , the DHCP server configures the IP address automatically
  • ZyXEL UAG4100 | User Guide - Page 173
    gateway. Select this to use the default gateway for the connectivity check. configure the interface as part of a WAN trunk for load balancing. Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface.
  • ZyXEL UAG4100 | User Guide - Page 174
    Table 72 Configuration > Network > Interface > PPP > Add (continued) LABEL DESCRIPTION OK Click OK to save your changes back to the UAG. (If one switch has enough connections for the entire network, the network does not need switches A and B.)
  • ZyXEL UAG4100 | User Guide - Page 175
    of users. • services, and they can verify the gateway is available. 10.5.1 VLAN Interface Summary Screen This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces. To access this screen, click Configuration > Network > Interface > VLAN.
  • ZyXEL UAG4100 | User Guide - Page 176
    does not have an IP address yet. Mask Apply Reset This screen also shows whether the IP address is a configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon
  • ZyXEL UAG4100 | User Guide - Page 177
    or select an entry in the VLAN summary screen and click the Edit icon. The following screen appears. Figure 122 Configuration > Network > Interface > VLAN > Edit
  • ZyXEL UAG4100 | User Guide - Page 178
    manually configure some related settings. internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The UAG automatically adds default SNAT the same priority, the UAG uses the one that was configured first.
  • ZyXEL UAG4100 | User Guide - Page 179
    Table 74 Configuration > available. Check Period Check Timeout Check Fail Tolerance Check Default Gateway Check this address Check Port DHCP Setting DHCP of DHCP service the UAG provides to the network. Choices are: None - the UAG does not provide any DHCP services. There is
  • ZyXEL UAG4100 | User Guide - Page 180
    Configuration Second WINS Server Default Router Device - Internet Naming Service) server that default router. This default router will become the DHCP clients' default gateway. Lease time To use another IP address as the default DHCP server. Configure this table manually using a bound IP address on
  • ZyXEL UAG4100 | User Guide - Page 181
    default MAC address, a manually specified MAC address, or clone the MAC address of another device or computer. Use Default a WAN trunk for load balancing. Configure Policy Click Policy Route to go to the screen where you can manually configure a policy route Route to associate
  • ZyXEL UAG4100 | User Guide - Page 182
    resulting network. This UAG can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole UAG as a transparent bridge, add all
  • ZyXEL UAG4100 | User Guide - Page 183
    created on top of bridge interfaces. To access this screen, click Configuration > Network > Interface > Bridge. Figure 123 Configuration > Network > Interface > Bridge Each field is described in the following . The UAG confirms you want to remove it before doing so.
  • ZyXEL UAG4100 | User Guide - Page 184
    configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each bridge interface. To access this screen, click the Add icon, or select an entry in the Bridge summary screen and click the Edit icon. The following screen appears.
  • ZyXEL UAG4100 | User Guide - Page 185
    Figure 124 Configuration > Network > Interface > Bridge > Add
  • ZyXEL UAG4100 | User Guide - Page 186
    to additionally manually configure some related settings. internal is for connecting to a local network. Other corresponding configuration options: DHCP server and DHCP relay. The UAG automatically adds default SNAT settings is the same for all computers in the network.
  • ZyXEL UAG4100 | User Guide - Page 187
    gateways have the same priority, the UAG uses the one that was configured first. Enter the maximum amount of traffic, in kilobits per second, what type of DHCP service the UAG provides to the network. Choices are: None - the UAG does not provide any DHCP services. There is already
  • ZyXEL UAG4100 | User Guide - Page 188
    Server, Second WINS Server Default Router Device - the DHCP (Windows Internet Naming Service) server that you selected DHCP server. Configure this table if you manually using a bound IP address on another device connected to this interface. Use this to make use only the intended users
  • ZyXEL UAG4100 | User Guide - Page 189
    Configuration Default Gateway Check this address Check Port Related Setting Configure WAN TRUNK Configure . Select this to use the default gateway for the connectivity check. the screen where you can manually configure a policy route to associate However, you have to manually specify the IP address
  • ZyXEL UAG4100 | User Guide - Page 190
    do not provide DHCP services, and they do not verify that the gateway is available. 10.7.1 Virtual Interfaces Add/Edit This screen lets you configure IP address assignment and have the same priority, the UAG uses the one that was configured first. Interface Parameters
  • ZyXEL UAG4100 | User Guide - Page 191
    Table 80 Configuration > Network most interfaces, you can enter the IP address and subnet mask manually. In PPPoE/PPTP interfaces, however, the subnet mask is always clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface
  • ZyXEL UAG4100 | User Guide - Page 192
    case, the packet is dropped. However, if there is a default router to which the UAG should send this packet, you can in the network. This reduces the amount of manual configuration you have to do and usually uses available IP support ingress bandwidth management.
  • ZyXEL UAG4100 | User Guide - Page 193
    up to three DNS servers that provide DNS services for DHCP clients. You can specify each IP address manually (for example, a company's own DNS 's computer names and IP addresses. The table is dynamically updated for IP addresses assigned by DHCP. This helps reduce broadcast
  • ZyXEL UAG4100 | User Guide - Page 194
    can access one of several network services. This makes it easier for the service provider to offer the service • PPPoE does not usually require any special configuration of the modem. PPTP is used but you have to make sure that security policies support both PPTP sessions.
  • ZyXEL UAG4100 | User Guide - Page 195
    This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up. 11.1.1 What You the Add System Default screen (Section 11.2.2 on page 201) to configure the load balancing algorithm for the system default trunk. 11.1.2
  • ZyXEL UAG4100 | User Guide - Page 196
    LAN) should use for a session2. The available bandwidth you configure on the UAG refers to the actual bandwidth provided by the BALANCING INDEX (M/A) 0.8 0.77 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface
  • ZyXEL UAG4100 | User Guide - Page 197
    to transmit traffic than an interface with a smaller weight. For example, in the figure below, the configured available bandwidth of wan1 is 1M and ppp0 is 512K. You can set the UAG to distribute the network secondary WAN interface. Figure 129 Spillover Algorithm Example
  • ZyXEL UAG4100 | User Guide - Page 198
    or lesser number of configuration fields. Disconnect Connections Before the same trunk comes back up. Enable Default SNAT Select this to have the UAG use Default Trunk Selection Select whether the UAG is to use the default system WAN trunk or one of the user configured WAN trunks as the default
  • ZyXEL UAG4100 | User Guide - Page 199
    . Apply Click this button to save your changes to the UAG. Reset Click this button to return the screen to its last-saved settings. 11.2.1 Configuring a User-Defined Trunk Click Configuration > Network > Interface > Trunk, in the User Configuration table click the Add (or Edit) icon to open the
  • ZyXEL UAG4100 | User Guide - Page 200
    the trunk's member interfaces. You can add, edit, remove, or move entries for user configured trunks. Click this to add a member interface to the trunk. Select an interface Note: You can configure the bandwidth of an interface in the corresponding interface edit screen. UAG Series User's Guide 200
  • ZyXEL UAG4100 | User Guide - Page 201
    allocations for each member interface. Note: The available bandwidth is allocated to each member interface equally and is not allowed to be changed for the default trunk. Figure 132 Configuration > Network > Interface > Trunk > Edit (System Default) UAG Series User's Guide 201
  • ZyXEL UAG4100 | User Guide - Page 202
    below. Table 87 Configuration > Network > Interface > Trunk > Edit (System Default) LABEL Name Load Balancing Algorithm DESCRIPTION This field displays the name of the selected system default trunk. Select the load UAG. Click Cancel to exit this screen without saving. UAG Series User's Guide 202
  • ZyXEL UAG4100 | User Guide - Page 203
    205) to list and configure policy routes. • Use the Static Route screens (see Section 12.3 on page 211) to list and configure static routes. 12.1.2 What the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. UAG Series User's Guide 203
  • ZyXEL UAG4100 | User Guide - Page 204
    traffic. Static Routes The UAG usually uses the default gateway to route outbound traffic from computers on and propagate it to other routers, you could configure a policy route and an equivalent static route. service or give advanced notice of where the traffic is going. UAG Series User's Guide 204
  • ZyXEL UAG4100 | User Guide - Page 205
    contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field. DSCP (6 bits) Unused (2 bits) DSCP style and in implementation. Figure 134 Configuration > Network > Routing > Policy Route UAG Series User's Guide 205
  • ZyXEL UAG4100 | User Guide - Page 206
    labels in this screen. Table 88 Configuration > Network > Routing > Policy Route service port. any means all service ports. This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, outgoing interface or trunk. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 207
    . default means Reset It Configuration > Network > Routing to open the Policy Route screen. Then click the Add icon or select an entry and click the Edit icon. The Add Policy Route or Policy Route Edit screen opens. Use this screen to configure or edit a policy route. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 208
    135 Configuration > Network > Routing > Policy Route > Add/Edit The following table describes the labels in this screen. Table 89 Configuration > to display a greater or lesser number of configuration fields. Create new Object Use this to configure any new settings objects that you need to use
  • ZyXEL UAG4100 | User Guide - Page 209
    Configuration > Network > Routing > Policy Route > Add/Edit (continued) LABEL Configuration Enable Description Criteria User no DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic User-Defined DSCP Code Schedule Service Source Port Next User's Guide 209
  • ZyXEL UAG4100 | User Guide - Page 210
    value. Select default to have the UAG set the DSCP value of the packets to 0. User-Defined Use this field to specify a custom DSCP value. DSCP Marking Address Translation Use this section to configure NAT for the the port number to use for a TCP connectivity check. UAG Series User's Guide 210
  • ZyXEL UAG4100 | User Guide - Page 211
    . 12.3.1 Static Route Add/Edit Screen Select a static route index number and click Add or Edit. The screen shown next appears. Use this screen to configure the required information for a static route. UAG Series User's Guide 211
  • ZyXEL UAG4100 | User Guide - Page 212
    . 12.4 Policy Routing Technical Reference Here is more detailed information about some of the features you can configure in policy routing. NAT and SNAT NAT (Network Address Translation - NAT, RFC 1631) is the given a high, medium or low drop precedence. The drop UAG Series User's Guide 212
  • ZyXEL UAG4100 | User Guide - Page 213
    ) AF22 (20) High Drop Precedence AF13 (14) AF23 (22) CLASS 3 AF31 (26) AF32 (28) AF33 (30) CLASS 4 AF41 (34) AF42 (36) AF43 (38) UAG Series User's Guide 213
  • ZyXEL UAG4100 | User Guide - Page 214
    www.3322.org selfhost.de Note: Record your DDNS account's user name, password, and domain name to use to configure the UAG. After you configure the UAG, it automatically sends updated IP addresses to the DDNS service provider, which helps redirect traffic accordingly. UAG Series User's Guide 214
  • ZyXEL UAG4100 | User Guide - Page 215
    this entry. This field displays which DDNS service you are using. This field displays each domain name the UAG can route. This field displays the interface to use for updating the IP address mapped to the domain name the domain name. custom - The IP address is static. UAG Series User's Guide 215
  • ZyXEL UAG4100 | User Guide - Page 216
    . Table 95 Configuration > Network > DDNS > Add LABEL DESCRIPTION Show Advanced Settings / Hide Advanced Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile Select this check box to use this DDNS entry. UAG Series User's Guide 216
  • ZyXEL UAG4100 | User Guide - Page 217
    Configuration service you are using. Select this option to encrypt traffic using SSL (port 443), including traffic with username and password, to the DDNS server. Not all DDNS providers support this option. Type the user interface to use for updating the IP address to use for updating the IP address
  • ZyXEL UAG4100 | User Guide - Page 218
    Chapter 13 DDNS Table 95 Configuration > Network > DDNS > Add (continued) server that will host the DDNS service. This field displays when you select User custom from the DDNS Type field above. These are the options supported at the time of writing: OK without saving. UAG Series User's Guide 218
  • ZyXEL UAG4100 | User Guide - Page 219
    in the example), port 80 to another (B in the example) and assign a default server IP address of 172.16.0.35 to a third (C in the example). ) to view and manage the list of NAT rules and see their configuration details. You can also create new NAT rules and edit or delete UAG Series User's Guide 219
  • ZyXEL UAG4100 | User Guide - Page 220
    To access this screen, login to the Web Configurator and click Configuration > Network > NAT. The following screen appears, providing a summary of the existing NAT rules. Figure 141 Configuration > Network > NAT displays the new destination IP address for the packet. UAG Series User's Guide 220
  • ZyXEL UAG4100 | User Guide - Page 221
    Configuration > Network > NAT (continued) LABEL DESCRIPTION Protocol This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the services Reset Configuration > Network > NAT > Add LABEL DESCRIPTION Create new Object Use to configure
  • ZyXEL UAG4100 | User Guide - Page 222
    configuration effort supports. This field displays for Many 1:1 NAT. Select to which translated destination IP address subnet or IP address range this NAT rule forwards packets. The original and mapped IP address subnets or ranges must have the same number of IP addresses. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 223
    unknown services or when one server supports more than one service. Original Service Mapped Service Protocol Type default the Security Policy blocks incoming connections from external addresses. After you configure your NAT rule settings, click the Security Policy link to configure User's Guide 223
  • ZyXEL UAG4100 | User Guide - Page 224
    WAN users access. NAT loopback allows other users to also use the rule's original IP to access the mail server. For example, a LAN user's computer LAN-SMTP.com = 1.1.1.1 LAN 172.16.0.21 172.16.0.89 The LAN user's computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address
  • ZyXEL UAG4100 | User Guide - Page 225
    traffic going through NAT, the source would not match the original destination address which would cause the LAN user's computer to shut down the session. Figure 145 LAN to LAN Return Traffic NAT Source 172.16.0.21 SMTP LAN Source 1.1.1.1 SMTP 172.16.0.21 172.16.0.89 UAG Series User's Guide 225
  • ZyXEL UAG4100 | User Guide - Page 226
    address different from the one used by the UAG's WAN interface. With VPN 1-1 mapping, each user that logs into the UAG and matches a pre-configured mapping rule can obtain an individual public IP address. For example, users A and B are behind the UAG and both want to use a unique WAN IP address to
  • ZyXEL UAG4100 | User Guide - Page 227
    to the same user/user group as a from the matched user or user group. To make policy (default) to allow any traffic from the user A/B from traffic from the user A/B through the rules and their configuration. In addition, login to the Web Configurator and click Configuration Table 98 Configuration >
  • ZyXEL UAG4100 | User Guide - Page 228
    [ENTER] to move the rule to the number that you typed. # Status User / Group Pool Profile Apply Reset The ordering of your rules is important as they are applied in order of Edit Policy screen where you can configure the rule. Figure 148 Network > VPN 1-1 Mapping > Add UAG Series User's Guide 228
  • ZyXEL UAG4100 | User Guide - Page 229
    To access this screen, login to the Web Configurator and click Configuration > Network > VPN 1-1 Mapping > Profile. The following screen appears, providing a summary of the existing IP address pool profiles. Figure 149 Configuration > Network > VPN 1-1 Mapping > Profile UAG Series User's Guide 229
  • ZyXEL UAG4100 | User Guide - Page 230
    labels in this screen. Table 100 Configuration > Network > VPN 1-1 Mapping > users by the UAG. Note: You cannot select an address group object at the time of writing. Interface Apply Reset which the UAG sends traffic from the matched users. Click this button to save your changes to the
  • ZyXEL UAG4100 | User Guide - Page 231
    You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It
  • ZyXEL UAG4100 | User Guide - Page 232
    web proxy provides caching service to allow quick to the same incoming interface and service as a HTTP redirect rule, also need to manually configure a policy route to WAN security policy (default) to allow HTTP requests configure redirection of a HTTP request to a proxy server, click Configuration
  • ZyXEL UAG4100 | User Guide - Page 233
    server. Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its Edit screen where you can configure the rule. Figure 152 Network > HTTP Redirect > Edit UAG Series User's Guide 233
  • ZyXEL UAG4100 | User Guide - Page 234
    proxy server uses. OK Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. UAG Series User's Guide 234
  • ZyXEL UAG4100 | User Guide - Page 235
    (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail UAG Series User's Guide 235
  • ZyXEL UAG4100 | User Guide - Page 236
    route to the same incoming interface and service as a SMTP redirect rule, the UAG server. You also need to manually configure a policy route to forward LAN2 to WAN security policy (default) to allow SMTP messages from lan2 configure redirection of a SMTP message to a SMTP server, click Configuration
  • ZyXEL UAG4100 | User Guide - Page 237
    UAG. Click Reset to return the screen to its last-saved settings. 17.2.1 The SMTP Redirect Edit Screen Click Network > SMTP Redirect to open the SMTP Redirect screen. Then click the Add or Edit icon to open the SMTP Redirect Edit screen where you can configure the rule. UAG Series User's Guide 237
  • ZyXEL UAG4100 | User Guide - Page 238
    SMTP Redirect > Edit LABEL Enable User DESCRIPTION Use this option to turn the to select the individual user or user group for which you want that the UAG receives from any user. Select the interface on which the Use Create new Object if you need to configure a new one. Select any if the
  • ZyXEL UAG4100 | User Guide - Page 239
    - File Transfer Protocol - an Internet file transfer service. The ALG feature is only needed for traffic to the LAN. The ALG on the UAG supports all of the UAG's NAT mapping types. the interfaces are set to active, you can configure routing policies to specify which interface the ALG- User's Guide 239
  • ZyXEL UAG4100 | User Guide - Page 240
    or on, configure the port numbers to which it applies. Figure 156 Configuration > Network > ALG The following table describes the labels in this screen. Table 105 Configuration > Network to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 240
  • ZyXEL UAG4100 | User Guide - Page 241
    configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT. UAG Series User's Guide 241
  • ZyXEL UAG4100 | User Guide - Page 242
    automated nature of NAT traversal applications in establishing their own services and opening security policy ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network
  • ZyXEL UAG4100 | User Guide - Page 243
    Support LAN List DESCRIPTION Select this check box to activate UPnP on the UAG. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the UAG's IP address (although you must still enter the password UAG. Click Reset to return User's Guide 243
  • ZyXEL UAG4100 | User Guide - Page 244
    see the port mappings that were automatically created. Figure 159 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 160 Internet Connection Properties: Advanced Settings UAG Series User's Guide 244
  • ZyXEL UAG4100 | User Guide - Page 245
    based configurator on the UAG without finding out the IP address of the UAG first. This is helpful if you do not know the IP address of the UAG. Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 246
    for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your UAG and select Invoke. The web configurator login screen displays. Figure 165 Network Connections: My Network Places 6 Right-click on the icon for your UAG and select Properties. A properties window
  • ZyXEL UAG4100 | User Guide - Page 247
    Chapter 19 UPnP Figure 166 Network Connections: My Network Places: Properties: Example UAG Series User's Guide 247
  • ZyXEL UAG4100 | User Guide - Page 248
    this list. A user cannot manually assign another IP to his computer and use it to connect to the UAG. Suppose you configure access privileges for IP addresses. • Use the Exempt List screen (Section 20.3 on page 251) to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding.
  • ZyXEL UAG4100 | User Guide - Page 249
    interface's configuration screen. 20.2 IP/MAC Binding Summary Click Configuration > Network connected to each supported interface. Figure 168 Configuration > Network > this screen. Table 107 Configuration > Network > IP/MAC the name of an interface that supports IP/MAC binding. Number of Binding
  • ZyXEL UAG4100 | User Guide - Page 250
    The following table describes the labels in this screen. Table 108 Configuration > Network > IP/MAC Binding > Edit LABEL DESCRIPTION IP/ from manually using a bound IP address on another device connected to this interface. Use this to make sure only the intended users get Series User's Guide 250
  • ZyXEL UAG4100 | User Guide - Page 251
    Configuration without saving. 20.2.2 Static DHCP Edit Click Configuration > Network > IP/MAC Binding > add or configure a static DHCP entry. Figure 170 Configuration > Network > IP/ in this screen. Table 109 Configuration > Network > IP/MAC Configuration > Network > IP/MAC Binding >
  • ZyXEL UAG4100 | User Guide - Page 252
    > IP/MAC Binding > Exempt List The following table describes the labels in this screen. Table 110 Configuration > Network > IP/MAC Binding > Exempt List LABEL DESCRIPTION Add Click this to create a new entry Apply Click Apply to save your changes back to the UAG. UAG Series User's Guide 252
  • ZyXEL UAG4100 | User Guide - Page 253
    254) to enable layer-2 isolation on the UAG and the internal interface(s). • Use the White List screen (Section 21.3 on page 254) to enable and configure the white list. UAG Series User's Guide 253
  • ZyXEL UAG4100 | User Guide - Page 254
    click the left arrow button. Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. 21.3 White List Screen IP addresses packets. To access this screen click Configuration > Network > Layer 2 Isolation > White List. UAG Series User's Guide 254
  • ZyXEL UAG4100 | User Guide - Page 255
    in this screen. Table 112 Configuration > Network > Layer 2 Inactivate # Status IP Address Description Apply Reset Note: You can enable this feature only your changes back to the UAG. Click Reset to return the screen to its last the Edit button. Note: You can configure up to 100 white list rules on
  • ZyXEL UAG4100 | User Guide - Page 256
    Isolation > White List > Add/Edit The following table describes the labels in this screen. Table 113 Configuration > Network > Layer 2 Isolation > White List > Add/Edit LABEL DESCRIPTION Enable Select this option to to exit this screen without saving your changes. UAG Series User's Guide 256
  • ZyXEL UAG4100 | User Guide - Page 257
    Do in this Chapter Use the IP screen (Section 22.2 on page 258) to enable IPnP on the UAG and the internal interface(s). UAG Series User's Guide 257
  • ZyXEL UAG4100 | User Guide - Page 258
    UAG and specific internal interface(s). To access this screen click Configuration > Network > IPnP. Figure 177 Configuration > Network > IPnP The following table describes the labels changes back to the UAG. Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 258
  • ZyXEL UAG4100 | User Guide - Page 259
    authentication policies, configure authentication type profiles and upload or download custom files. • Use the Configuration > Web Authentication > Walled Garden screens (Section 23.3 on page 277) to enable and create walled garden links that display in the login screen. UAG Series User's Guide 259
  • ZyXEL UAG4100 | User Guide - Page 260
    User Authentication Instead of making users for which user-aware policies have been configured go to the UAG Login screen manually, you can configure the UAG to display the Login you have configured on the UAG. Use this screen to enable web authentication on the UAG. UAG Series User's Guide 260
  • ZyXEL UAG4100 | User Guide - Page 261
    gives an overview of the objects you can configure. Table 115 Configuration > Web Authentication: General LABEL Global Setting Enable portal or user agreement page. Web Portal General Setting Logout IP Specify an IP address that users can use to terminate their sessions manually by entering
  • ZyXEL UAG4100 | User Guide - Page 262
    users' computers to resolve domain names into IP addresses. Figure 180 Configuration > Web Authentication > Add Exceptional Service traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it. This Series User's Guide 262
  • ZyXEL UAG4100 | User Guide - Page 263
    need to be authenticated. required - Users need to be authenticated. They must manually go to the login screen or or user agreement page. The UAG will not redirect them to the login screen. Authentication Type Description Apply Reset force - Users need to be authenticated. The UAG automatically
  • ZyXEL UAG4100 | User Guide - Page 264
    ) or not (no) for packets that match the default policy. See Chapter 47 on page 534 for more on logs. This field is available for user-configured policies that require authentication. Select this to have the UAG automatically display the login screen when users who have not logged in yet try to send
  • ZyXEL UAG4100 | User Guide - Page 265
    Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaining user accounts. 23.2.2.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User you could add more members later. UAG Series User's Guide 265
  • ZyXEL UAG4100 | User Guide - Page 266
    , force users to log into the UAG before it routes traffic for them. 1 Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server's address, authentication port (1812 if you were not told otherwise), and key. Click OK. UAG Series User's Guide 266
  • ZyXEL UAG4100 | User Guide - Page 267
    server for authentication. Click OK. Figure 185 Configuration > Object > Auth. method > Edit 3 Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply. UAG Series User's Guide 267
  • ZyXEL UAG4100 | User Guide - Page 268
    sure Force User Authentication is selected. Select an authentication type profile ("default-web-portal" in this example). Keep the rest of the default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN. UAG Series User's Guide 268
  • ZyXEL UAG4100 | User Guide - Page 269
    23 Web Authentication Figure 187 Configuration > Web Authentication: General: Add When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server. 23.2.2.4 User Group Authentication Using the
  • ZyXEL UAG4100 | User Guide - Page 270
    the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. UAG Series User's Guide 270
  • ZyXEL UAG4100 | User Guide - Page 271
    Authentication Figure 189 Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaining groups of user accounts. 23 type of web authentication pages to be used for user authentication. Go to Configuration > Web Authentication and then select the Authentication Type
  • ZyXEL UAG4100 | User Guide - Page 272
    Table 117 Configuration > Web default-web-portal: the default login page built into the UAG. Note: You can also customize the default login page built into the UAG in the System > WWW > Login Page screen. Type Web Page Apply Reset default-web-portal: the default user User's Guide 272
  • ZyXEL UAG4100 | User Guide - Page 273
    Chapter 23 Web Authentication Figure 191 Configuration > Web Authentication: Authentication Type: Add/Edit (Web Portal) UAG Series User's Guide 273
  • ZyXEL UAG4100 | User Guide - Page 274
    portal pages uploaded to the UAG. The login page appears whenever the web portal intercepts network traffic, preventing unauthorized users from gaining access to the network. Preview the UAG using the Configuration > Web Authentication > Web Portal Customize File screen. UAG Series User's Guide 274
  • ZyXEL UAG4100 | User Guide - Page 275
    which the web portal files are installed. Download Click this to download an example external web portal file for your user agreement pages from an external web server instead of the default one built into the UAG. You can configure the look and feel of the user agreement page. Specify the user
  • ZyXEL UAG4100 | User Guide - Page 276
    . You can also download the custom files to your computer. Click Configuration > Web Authentication and then select the Custom Web Portal File or Custom User Agreement File tab to display the screen. Figure 193 Configuration > Web Authentication: Custom Web Portal File UAG Series User's Guide 276
  • ZyXEL UAG4100 | User Guide - Page 277
    table describes the labels in this screen. Table 119 Configuration > Web Authentication: Custom Web Portal / User Agreement File LABEL DESCRIPTION Remove Click a file's row to select it and click Remove to delete it from the UAG. Download Click a file's row to select it and click
  • ZyXEL UAG4100 | User Guide - Page 278
    Table 120 Configuration > Web Reset Click this button to return the screen to its last-saved settings. 23.3.2 URL Base Screen Use this screen to configure users are allowed to access without logging in. The web site link(s) displays in the user login screen by default. Click Configuration
  • ZyXEL UAG4100 | User Guide - Page 279
    /Editing a Walled Garden URL Go to the Configuration > Web Authentication > Walled Garden > URL Base screen. Click Add or select an entry and click the Edit to open the Add/Edit Walled Garden URL screen. Use this screen to configure a walled garden web site URL entry. UAG Series User's Guide 279
  • ZyXEL UAG4100 | User Guide - Page 280
    screen to configure walled garden web site links, which use a (wildcard) domain name or an IP address. These links will not display in the login page. Click Configuration > Web Authentication > Walled Garden and then select the Domain/IP Base tab to display the screen. UAG Series User's Guide 280
  • ZyXEL UAG4100 | User Guide - Page 281
    the Configuration > Web Authentication > Walled Garden > Domain/IP Base screen. Click Add or select an entry and click the Edit to open the Add/Edit Walled Garden Domain/IP screen. Use this screen to configure the domain name or IP address entry for a walled garden web site. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 282
    labels in this screen. Table 124 Configuration > Web Authentication > Walled Garden: . For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the third-level 23.3.4 Walled Garden Login Example The following figure shows the user login screen with two
  • ZyXEL UAG4100 | User Guide - Page 283
    23 Web Authentication Figure 200 Walled Garden Login Example 23.4 Advertisement Screen Use this screen to set the UAG to display an advertisement web page as the first web page whenever the user connects to the Internet. Click Configuration > Web Authentication > Advertisement to display the screen
  • ZyXEL UAG4100 | User Guide - Page 284
    the UAG. Reset Click this button to return the screen to its last-saved settings. 23.4.1 Adding/Editing an Advertisement URL Click Configuration > Web user attempts to access the Internet. Figure 202 Configuration > Web Authentication > Advertisement > Add/Edit UAG Series User's Guide 284
  • ZyXEL UAG4100 | User Guide - Page 285
    23 Web Authentication The following table gives an overview of the objects you can configure. Table 126 Configuration > Web Authentication > Advertisement > Add/Edit LABEL Name DESCRIPTION Enter a descriptive the UAG. Click Cancel to exit this screen without saving. UAG Series User's Guide 285
  • ZyXEL UAG4100 | User Guide - Page 286
    CHAPTER 24 RTLS 24.1 Overview Ekahau RTLS (Real Time Location Service) tracks battery-powered Wi-Fi tags attached to APs managed by the UAG to create maps, alerts, and reports. The use the managed APs as part of an Ekahau RTLS to track the location of Ekahau Wi-Fi tags. UAG Series User's Guide 286
  • ZyXEL UAG4100 | User Guide - Page 287
    table lists default port user interface. 8552 UDP Ekahau Location Protocol 8553 UDP Ekahau Maintenance Protocol 8554 UDP Ekahau T301 firmware update. 8560 TCP Ekahau Vision web interface 8562 UDP Ekahau T301W firmware update. 8569 UDP Ekahau TZSP Listener Port 24.3 Configuring
  • ZyXEL UAG4100 | User Guide - Page 288
    RTLS The following table describes the labels in this screen. Table 128 Configuration > RTLS LABEL DESCRIPTION Enable Select this to use Wi-Fi to Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 288
  • ZyXEL UAG4100 | User Guide - Page 289
    specific type of traffic (services) • to a specific user or group of users • at a specific schedule The policy can be configured: • to allow or user sessions. The following example shows the UAG's default security policy behavior for WAN to LAN traffic and how stateful inspection works. A LAN user
  • ZyXEL UAG4100 | User Guide - Page 290
    configure security policies for data passing between zones or even between interfaces. Default configuration. See Section 34.2.1 on page 397 for details. Table 129 Default itself is allowed. The default services listed in To-Device going to the UAG itself. By default: • The security policy allows
  • ZyXEL UAG4100 | User Guide - Page 291
    service schedule, user name (user's login name User Specific Security Policies You can specify users or user groups in security policies. For example, to allow a specific user as part of configuring user-aware access control causes the UAG to reset the connection, as network (not reset the connection
  • ZyXEL UAG4100 | User Guide - Page 292
    a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding policy control rule to allow the traffic, you need to set the LAN IP address as the destination. • The ordering of your rules is very important as rules are applied in sequence. UAG Series User's Guide 292
  • ZyXEL UAG4100 | User Guide - Page 293
    UAG performs access control when this is activated. IPv4 Configuration Allow Asymmetrical Route If an alternate gateway on the LAN called an asymmetrical or "triangle" route. This causes the UAG to reset the connection, as the connection has not been acknowledged. Select this User's Guide 293
  • ZyXEL UAG4100 | User Guide - Page 294
    Configuration in sequence. Default displays for the default security policy Destination Service User Schedule Action Log UTM Profile Apply Reset To service object to which this security policy applies. This is the user name or user changes back to the UAG. Click Reset to return the screen to its last
  • ZyXEL UAG4100 | User Guide - Page 295
    in this screen. Table 131 Configuration > Security Policy > Policy Control > Add/Edit LABEL Create new Object Enable Name DESCRIPTION Use to configure any new settings objects that going to IPv4 addresses. Select a service or service group from the drop-down list box. UAG Series User's Guide 295
  • ZyXEL UAG4100 | User Guide - Page 296
    configuring a to-UAG policy. Select a user name or user group to which to apply the policy. The security policy is activated only when the specified user logs into the system and the policy will be disabled when the user user's reset default limit for all users and individual limits for specific users
  • ZyXEL UAG4100 | User Guide - Page 297
    Session Control LABEL General Settings UDP Session Time Out Session Limit Settings Enable Session limit IPv4 Configuration Default Session per Host DESCRIPTION Set how many seconds (from 1 to 300) the UAG will . To turn off an entry, select it and click Inactivate. UAG Series User's Guide 297
  • ZyXEL UAG4100 | User Guide - Page 298
    which this session limit rule applies. This is the information configured to help you identify the rule. This is how many concurrent sessions this user or address is allowed to have. Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. 25
  • ZyXEL UAG4100 | User Guide - Page 299
    policy sessions this rule's users or addresses can have. OK Cancel For this rule's users and addresses, this setting overrides the Default Session per Host setting in Create new Object > Address to configure an address object. Configure it as follows and click OK. UAG Series User's Guide 299
  • ZyXEL UAG4100 | User Guide - Page 300
    Service to configure a service object for Doom (UDP port 666). Configure it as follows and click OK. Figure 213 Security Policy Example: Create a Service policy. Select Dest_1 for the Destination and Doom as the Service. Enter a name and configure the rest of the screen as follows. Click OK when you
  • ZyXEL UAG4100 | User Guide - Page 301
    LAN to WAN IRC Traffic Example # USER SOURCE DESTINATION SCHEDULE 1 Any Any Any Any 2 Any Any Any Any SERVICE IRC Any ACTION Deny Allow • The first row blocks LAN access to the IRC service on the WAN. • The second row is the security policy's default policy that allows all LAN1 to
  • ZyXEL UAG4100 | User Guide - Page 302
    . • The second row blocks LAN1 access to the IRC service on the WAN. • The third row is the security policy's default policy of allowing all traffic from the LAN1 to go to the WAN. Alternatively, you configure a LAN1 to WAN security policy with the CEO's user name (say CEO) to allow IRC traffic from
  • ZyXEL UAG4100 | User Guide - Page 303
    25 Security Policy Your security policy would have the following configuration. Table 136 Limited LAN1 to WAN IRC Traffic Example 2 # USER SOURCE DESTINATION SCHEDULE 1 CEO Any Any Any 2 Any Any Any Any 3 Any Any Any Any SERVICE IRC IRC Any ACTION Allow Deny Allow • The first
  • ZyXEL UAG4100 | User Guide - Page 304
    the built-in billing function to set up billing profiles. A billing profile describes how to charge users. This chapter also shows you how to select an accounting method, configure a discount price plan or use an online payment service by credit card. 26.1.1 What You Can Do in this Chapter • Use the
  • ZyXEL UAG4100 | User Guide - Page 305
    Configuration > Billing > General LABEL DESCRIPTION General Settings Unused account will be deleted after the time: Enter the number and select a time unit from the drop-down list box to specify how long to wait before the UAG deletes an account that has not been used. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 306
    disconnects and reconnects before the allocated time expires, the user does not have to enter the user name and password to access the Internet again. User idle timeout Select Accumulation to allow each user multiple re-login until the time allocated is used up. The UAG accounts the time that the
  • ZyXEL UAG4100 | User Guide - Page 307
    Internet access time and charge per time unit. Click Configuration > Billing > Billing Profile to open the following screen. Figure 219 Configuration > Billing > Billing Profile The following table describes field displays the descriptive profile name for this entry. UAG Series User's Guide 307
  • ZyXEL UAG4100 | User Guide - Page 308
    Download) bandwidth allowed for the user account in kilobits per second. Price This field displays each profile's price per time unit. Apply Click this button to save your changes to the UAG. Reset information on dynamic guest accounts). Click Configuration > Billing > Billing Profile and then
  • ZyXEL UAG4100 | User Guide - Page 309
    the number of each discount level. Name Unit Price Default Thermal Printer Summary Total The default (first) level cannot be edited or deleted. period that should be reached before the UAG charges users at this level. This field displays the price per time unit for each level. Select a statement
  • ZyXEL UAG4100 | User Guide - Page 310
    price including tax. Quantity Specify the number of accounts to be created. Generate Click Generate to generate an account based on the billing settings you configure log out of the web configurator. This button is available only in the Configuration > SMS screen. You can enter the user's mobile
  • ZyXEL UAG4100 | User Guide - Page 311
    allows you to send SMS messages for certain accounts. Click the Account Redeem tab in the Account Generator screen to open this screen. UAG Series User's Guide 311
  • ZyXEL UAG4100 | User Guide - Page 312
    guest account in the list. This field displays whether an account expires or not. This field displays the user name of the account. This field displays when the account was created. This field displays the amount field displays the mobile phone number for the account. UAG Series User's Guide 312
  • ZyXEL UAG4100 | User Guide - Page 313
    out of the web configurator. This button is Configuration > Billing > Billing Profile > Add/Edit LABEL Enable billing profile Name DESCRIPTION Select this option to activate the profile. Enter a name for the billing profile. Price be a letter. Define each profile's price, up to 999999.99, per time
  • ZyXEL UAG4100 | User Guide - Page 314
    for the user accounts. This only applies to user's traffic for the user account. If you select Upload/Download, specify this screen to configure a custom discount pricing plan. This Configuration > Billing > Discount to open the following screen. Note: The discount price plan does not apply to users
  • ZyXEL UAG4100 | User Guide - Page 315
    Configuration > Billing > Discount LABEL Discount Settings Enable Discount Button Select Charge by levels DESCRIPTION Select the check box to activate the discount price level. Name Unit Price Apply Reset The default (first) level cannot users at this level. This field displays the price per
  • ZyXEL UAG4100 | User Guide - Page 316
    and manage credit card transactions directly through the Internet. You must register with the supported credit card service before you can configure the UAG to handle credit card transactions. Click Configuration > Billing > Payment Service to open the following screen. UAG Series User's Guide 316
  • ZyXEL UAG4100 | User Guide - Page 317
    Configuration > Billing > Payment Service > General LABEL General Setting DESCRIPTION Enable Payment Service service on the UAG, a link displays in the login screen when users try to access the Internet. The link redirects users currencies that PayPal supports. Identity Token User's Guide 317
  • ZyXEL UAG4100 | User Guide - Page 318
    this screen to customize the online payment service pages that display after an unauthorized user clicks the link in the Web Configurator login screen to purchase access time. You can configure both the desktop and mobile versions of the service pages. Users click a link in the pages to switch
  • ZyXEL UAG4100 | User Guide - Page 319
    Chapter 26 Billing Figure 226 Configuration > Billing > Payment Service > Desktop View UAG Series User's Guide 319
  • ZyXEL UAG4100 | User Guide - Page 320
    Chapter 26 Billing Figure 227 Configuration > Billing > Payment Service > Mobile View UAG Series User's Guide 320
  • ZyXEL UAG4100 | User Guide - Page 321
    Configuration > Billing > Payment Service > Desktop View or Mobile View LABEL DESCRIPTION Select Type Use Default Page Select this to use the default online payment service service page instead of the default user the user account user Reset Click this button to return the screen to its last-saved
  • ZyXEL UAG4100 | User Guide - Page 322
    and view information about the connected statement printer. 27.2 The General Setting Screen Use this screen to configure a printer list and allow the UAG to monitor the printer status. Click Configuration > Printer > General > General Setting to open the following screen. UAG Series User's Guide 322
  • ZyXEL UAG4100 | User Guide - Page 323
    table describes the labels in this screen. Table 146 Configuration > Printer > General Setting > General LABEL DESCRIPTION General Select how many copies of subscriber statements you want to print (1 is the default). Printer List Use this section to add the printer(s) that can be managed
  • ZyXEL UAG4100 | User Guide - Page 324
    firmware currently uploaded to the UAG. The UAG automatically installs it in the connected printers to make sure the printers are upgraded to the same version. Apply Click this button to save your changes to the UAG. Reset this screen. Table 147 Configuration > Printer > General User's Guide 324
  • ZyXEL UAG4100 | User Guide - Page 325
    Configuration > Printer > General Setting > Printout Configuration LABEL Use Default Printout Configuration Use Customized Printout Configuration Preview File Name DESCRIPTION Select this to use the default Customized File to Default Download Apply Reset Click Download to download the account
  • ZyXEL UAG4100 | User Guide - Page 326
    to the printer and update the printer information. This shows n/a when the printer is not in the managed printer list. This field displays the descriptive name of the printer that you configured. This field displays the nickname of the printer that you configured. UAG Series User's Guide 326
  • ZyXEL UAG4100 | User Guide - Page 327
    Configuration > Printer > Printer Manager (continued) LABEL DESCRIPTION Firmware Version This field displays the model number and firmware specify the printer's IP address, subnet mask, and gateway Address manually. IP Address Enter the IP address for this printer. Subnet User's Guide 327
  • ZyXEL UAG4100 | User Guide - Page 328
    press a key combination on the SP350E to print a report instantly without accessing the web configurator. The following lists the reports that you can print using the SP300E. • Daily account summary . Key combination: A B C A A The following figure shows an example. UAG Series User's Guide 328
  • ZyXEL UAG4100 | User Guide - Page 329
    Key combination: A B C B A The following figure shows an example. Figure 234 Monthly Account Example Monthly Account 2013/05 Username Price p2m6pf52 1.00 s4pcms28 2.00 7ufm7z22 2.00 qm5fxn95 6.00 TOTAL ACCOUNTS: 4 TOTAL PRICE: $ 11.00 2013/05/17 20:00:11 ---End--- UAG Series User's Guide 329
  • ZyXEL UAG4100 | User Guide - Page 330
    or same day, the account report's calculations only include the latest 2000. For example, if 2030 accounts (each priced at $1) have been created from 2013/05/01 00:00:00 to 2013/05/31 19:59:59, the was last restarted. WAST This field displays the WAN connection status. UAG Series User's Guide 330
  • ZyXEL UAG4100 | User Guide - Page 331
    This field displays the status of the UAG's wireless LAN. FWVR This field displays the version of the firmware on the UAG. BTVR This field displays the version of the bootrom. WAMA This field displays the of the UAG's onboard flash memory is currently being used. UAG Series User's Guide 331
  • ZyXEL UAG4100 | User Guide - Page 332
    users to get a free account for Internet surfing during the specified time period. 28.2 The Free Time Screen Use this screen to enable and configure the free time settings. Click Configuration > Free Time to open the following screen. Figure 236 Configuration > Free Time UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 333
    use Short Message Service (SMS) to send account information in a text message to the user's mobile device. Select On-Screen and SMS to provide the account information both in the web screen and via SMS text messages. Apply Reset Note: You should have enabled SMS in the Configuration > SMS screen
  • ZyXEL UAG4100 | User Guide - Page 334
    example login screen with a link to create a free guest account. If you enable both online payment service and free time feature on the UAG, the link description in the login screen will be mainly for online payment service. You can still click the link to get a free account. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 335
    Chapter 28 Free Time If SMS is enabled on the UAG, you have to enter your mobile phone number before clicking OK to get a free guest account. The guest account information then displays in the screen and/or is sent to the configured mobile phone number. EXAMPLE UAG Series User's Guide 335
  • ZyXEL UAG4100 | User Guide - Page 336
    336) to turn on the SMS service on the UAG. 29.2 The SMS Screen Use this screen to enable SMS in order to send dynamic guest account information in text messages. Click Configuration > SMS to open the following screen. Figure 237 Configuration > SMS (UAG4100 or UAG5100) UAG Series User's Guide 336
  • ZyXEL UAG4100 | User Guide - Page 337
    Configuration > SMS LABEL General Settings Enable SMS Default country code for phone number ViaNett Configuration User Name Password Retype to Confirm License Licensed Service your UAG and activate the service. Apply Reset This link is available only when the service is not activated yet. Click
  • ZyXEL UAG4100 | User Guide - Page 338
    communication. IPSec VPN Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client software. This standards-based VPN offers flexible solutions for secure data communications ). You can also activate and deactivate each VPN gateway. UAG Series User's Guide 338
  • ZyXEL UAG4100 | User Guide - Page 339
    briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel. • In any the remote IPSec router. See Chapter 42 on page 459. UAG Series User's Guide 339
  • ZyXEL UAG4100 | User Guide - Page 340
    table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 241 Configuration > VPN > IPSec VPN > VPN Connection Each field is discussed in the following table. See Section 30 . See Section 10.3.2 on page 165 for an example. UAG Series User's Guide 340
  • ZyXEL UAG4100 | User Guide - Page 341
    155 Configuration > is inactive. Name VPN Gateway Policy Apply Reset The connect icon is lit when the interface your changes back to the UAG. Click Reset to return the screen to its last-saved existing one. To access this screen, go to the Configuration > VPN > IPSec VPN > VPN Connection screen (
  • ZyXEL UAG4100 | User Guide - Page 342
    Chapter 30 IPSec VPN Figure 242 Configuration > VPN > IPSec VPN > VPN Connection > Add/Edit UAG Series User's Guide 342
  • ZyXEL UAG4100 | User Guide - Page 343
    number of configuration fields. Use to configure any new duplicate packets to protect against Denial-of-Service attacks. Select this check box if and shows the scenario that the UAG supports. Site-to-site - The remote IPSec router users who are accessing remote resources. UAG Series User's Guide 343
  • ZyXEL UAG4100 | User Guide - Page 344
    Chapter 30 IPSec VPN Table 156 Configuration > VPN > IPSec VPN > VPN Connection > an Authentication algorithm. ESP (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. If you select ESP, same authentication algorithm. UAG Series User's Guide 344
  • ZyXEL UAG4100 | User Guide - Page 345
    Configuration rules or settings configured for the selected connection. The peer must be configured to respond to the method connection. You may need to configure the peer to respond to connection. You may need to configure the peer to accept the TCP Create new Object to configure a new one). This
  • ZyXEL UAG4100 | User Guide - Page 346
    network. SNAT Select the address object that represents the translated source address (or select Create new Object to configure a new one). This is the address object for the local network. The size of the original source all changes and return to the main VPN screen. UAG Series User's Guide 346
  • ZyXEL UAG4100 | User Guide - Page 347
    in the following table. See Section 30.3.1 on page 348 for more information. Table 157 Configuration > VPN > IPSec VPN > VPN Gateway LABEL DESCRIPTION Add Click this to create a back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 347
  • ZyXEL UAG4100 | User Guide - Page 348
    summary screen (see Section 30.3 on page 347), and either click the Add icon or select an entry and click the Edit icon. UAG Series User's Guide 348
  • ZyXEL UAG4100 | User Guide - Page 349
    Chapter 30 IPSec VPN Figure 244 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit UAG Series User's Guide 349
  • ZyXEL UAG4100 | User Guide - Page 350
    Settings My Address DESCRIPTION Click this button to display a greater or lesser number of configuration fields. Select this check box to activate this VPN gateway policy. Type the this option to not display the real key (password) and instead show a sequence of dots. UAG Series User's Guide 350
  • ZyXEL UAG4100 | User Guide - Page 351
    Chapter 30 IPSec VPN Table 158 Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL Certificate DESCRIPTION Select this to have the UAG and more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate UAG Series User's Guide 351
  • ZyXEL UAG4100 | User Guide - Page 352
    Chapter 30 IPSec VPN Table 158 Configuration > VPN > IPSec VPN > VPN last. When this time has passed, the UAG and remote IPSec router have to update the encryption and authentication keys and re-negotiate the IKE SA. This does not not affect performance significantly. UAG Series User's Guide 352
  • ZyXEL UAG4100 | User Guide - Page 353
    Table 158 Configuration > VPN Server Mode Client Mode If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check password to the remote IPSec router for authentication. You also have to provide the User Name and the Password. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 354
    Configuration > VPN > IPSec VPN > VPN Gateway > Add/Edit (continued) LABEL DESCRIPTION User Name This field is required if the UAG is in Client Mode for extended authentication. Type the user name the UAG sends to the remote IPSec router. The user Type the password again here User's Guide 354
  • ZyXEL UAG4100 | User Guide - Page 355
    to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next. UAG Series User's Guide 355
  • ZyXEL UAG4100 | User Guide - Page 356
    -formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you UAG Series User's Guide 356
  • ZyXEL UAG4100 | User Guide - Page 357
    : 1.1.1.20 Peer ID content: [email protected] It is also possible to configure the UAG to ignore the identity of the remote IPSec router. In this (for example, extended authentication) or if you are troubleshooting a VPN tunnel. Additional Topics for IKE SA This section Series User's Guide 357
  • ZyXEL UAG4100 | User Guide - Page 358
    problem by enabling NAT traversal. In NAT traversal, router X and router Y add an extra header to the IKE SA and IPSec SA packets. If you configure and remote IPSec router. • Configure the NAT router to forward packets and remote IPSec router support. Extended Authentication Extended authentication
  • ZyXEL UAG4100 | User Guide - Page 359
    ) provides a user name and password to the other router, which uses a local user database and/or an external server to verify the user name and password. If the user name or password is wrong, select ESP. AH does not support encryption, and ESP is more suitable with NAT. UAG Series User's Guide 359
  • ZyXEL UAG4100 | User Guide - Page 360
    to generate encryption keys. The DH key exchange is time-consuming and may be unnecessary for data that does not require such security. UAG Series User's Guide 360
  • ZyXEL UAG4100 | User Guide - Page 361
    computer M to establish a connection with any computer in the remote network (B). If you do not configure it, the remote IPSec router may not route messages for computer M through the IPSec SA because - the original source address; most likely, computer M's network. UAG Series User's Guide 361
  • ZyXEL UAG4100 | User Guide - Page 362
    the remote network (B). • Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection. • Original Port - the original destination port or range of destination ports; in VPN Example Here is an example of configuring a site-to-site IPSec VPN. UAG Series User's Guide 362
  • ZyXEL UAG4100 | User Guide - Page 363
    subnet behind the peer IPSec router (172.16.1.0/24). Set Up the VPN Gateway that Manages the IKE SA In Configuration > VPN > IPSec VPN > VPN Gateway > Add, enable the VPN gateway and name it (VPN_GW_EXAMPLE here). Set to Pre-Shared Key and enter 12345678. Click OK. UAG Series User's Guide 363
  • ZyXEL UAG4100 | User Guide - Page 364
    VPN Set Up the VPN Connection that Manages the IPSec SA 1 In Configuration > VPN > IPSec VPN > VPN Connection > Add, click Create Set VPN Gateway to Site-to-site and select the VPN gateway you configured (VPN_GW_EXAMPLE). Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the
  • ZyXEL UAG4100 | User Guide - Page 365
    Chapter 30 IPSec VPN UAG Series User's Guide 365
  • ZyXEL UAG4100 | User Guide - Page 366
    want to use a service, make sure both the security policy allow the service's packets to go supports three types of bandwidth management: Shared, Per user and Per-Source-IP. The Shared BWM type is selected by default in a bandwidth management rule. All matched traffic shares the bandwidth configured
  • ZyXEL UAG4100 | User Guide - Page 367
    -destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each applied before sending the traffic out a LAN1 interface. UAG Series User's Guide 367
  • ZyXEL UAG4100 | User Guide - Page 368
    Management Priority • The UAG gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate. • Then lower-priority traffic gets bandwidth. • The UAG uses a fairness with bandwidth management disabled as priority 7 (the lowest priority). UAG Series User's Guide 368
  • ZyXEL UAG4100 | User Guide - Page 369
    configured you configure LAN1 You configure policy A for Configured Rate Effect In the following table the configured configured rate. Table 161 Configured Rate Effect POLICY CONFIGURED configured rate (800 kbps), leaving only 200 kbps for server B. Table 162 Priority Effect POLICY CONFIGURED
  • ZyXEL UAG4100 | User Guide - Page 370
    policy is the one with the priority of "default". It is the last policy the UAG checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy. UAG Series User's Guide 370
  • ZyXEL UAG4100 | User Guide - Page 371
    well. Table 165 Configuration > BWM LABEL Enable icon is not available for the default bandwidth management policy. This is the User Schedule This field displays default for the default bandwidth user name or user group to which the policy applies. If any displays, the policy applies to all users
  • ZyXEL UAG4100 | User Guide - Page 372
    Management Add/Edit Screen The Configuration > BWM Add/Edit screen allows you to create a new condition or edit an existing one. To access this screen, go to the Configuration > BWM screen (see Section 31.2 on page 370), and click either the Add icon or an Edit icon. UAG Series User's Guide 372
  • ZyXEL UAG4100 | User Guide - Page 373
    Chapter 31 Bandwidth Management Figure 256 Configuration > BWM > Edit (For the Default Policy) Figure 257 Configuration > BWM > Add/Edit UAG Series User's Guide 373
  • ZyXEL UAG4100 | User Guide - Page 374
    for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every source. DSCP marker. default means traffic with a DSCP value of 0. This is usually best effort traffic. User-Defined DSCP Code Service Type Service Object The
  • ZyXEL UAG4100 | User Guide - Page 375
    the packets' original DSCP value. Bandwidth Shaping Inbound kbps Select default to have the UAG set the DSCP value of the packets to 0. Configure these fields to set the amount of bandwidth the matching traffic Cancel to exit this screen without saving your changes. UAG Series User's Guide 375
  • ZyXEL UAG4100 | User Guide - Page 376
    profile is a group of categories of application patrol signatures. For each profile, you can specify the default action the UAG takes once a packet matches a signature (forward, drop, or reject a service's connections and/or create a log alert). Use policies to link profiles to traffic flows based
  • ZyXEL UAG4100 | User Guide - Page 377
    the AppPatrol signature service (at least the trial) before you can use it. A profile is an application object(s) or application group(s) that has customized action and log settings. Click Configuration > UTM Profile > App Patrol > Profile to open the following screen. UAG Series User's Guide 377
  • ZyXEL UAG4100 | User Guide - Page 378
    the labels in this screen. Table 167 Configuration > UTM Profile > App Patrol > settings use the entry. Click Refresh to update information on this screen. # This field is Application Patrol Profile Use this screen to configure profile settings. Click Configuration > UTM Profile > App Patrol
  • ZyXEL UAG4100 | User Guide - Page 379
    The following table describes the labels in this screen. Table 168 Configuration > UTM Profile > App Patrol > Profile > Add/Edit LABEL This field displays the application name of the policy. Select the default action for all signatures in this category. forward - the UAG Series User's Guide 379
  • ZyXEL UAG4100 | User Guide - Page 380
    following screen. Figure 260 Configuration > UTM Profile > this screen. Table 169 Configuration > UTM Profile > configured an application object in the Configuration > Object > Application screen. Select the default log alert) or neither (no) by default when traffic matches a signature in this
  • ZyXEL UAG4100 | User Guide - Page 381
    create different content filter policies for different addresses, schedules, users or groups and content filter profiles. For example, you can configure one policy that blocks John Doe's access to arts and of web site content, such as pornography or racial intolerance. UAG Series User's Guide 381
  • ZyXEL UAG4100 | User Guide - Page 382
    policy is not set to block. The UAG blocks the request if the default policy is set to block. External Web Filtering Service When you register for and enable the external web filtering service, your UAG accesses an external database that has millions of web sites categorized based on content. You
  • ZyXEL UAG4100 | User Guide - Page 383
    check your external web filtering service registration status. Figure 261 Configuration > UTM Profile > Content Service Timeout Specify the allowable time period in seconds for accessing the external web filtering service's server. Message to display when a site is blocked UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 384
    Configuration Refresh to update information on this service or the service has expired. Click this link to go to the screen where you can register for the service. Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 385
    > Add/Edit to open the Add Filter Profile screen. Configure Category Service and Custom Service tabs. 33.2.1.1 Category Service Click the Category Service tab. Figure 262 Configuration > UTM Profile > Content Filter > Profile > Add/Edit Filter Profile > Category Service UAG Series User's Guide 385
  • ZyXEL UAG4100 | User Guide - Page 386
    Chapter 33 Content Filtering The following table describes the labels in this screen. Table 171 Configuration > UTM Profile > Content Filter > Profile > Add/Edit Filter Profile > Category Service LABEL License Status DESCRIPTION This read-only field displays the status of your content-filtering
  • ZyXEL UAG4100 | User Guide - Page 387
    configured in the Content Filter General screen along with the category of the blocked web page. Select Warn to display a warning message before allowing users to access web pages that the external web filtering service before allowing users to to pose a threat to users or their computers are:
  • ZyXEL UAG4100 | User Guide - Page 388
    screen without saving your changes. 33.2.1.2 Custom Service Click Configuration > UTM Profile > Content Filter > Filter Profile > Add/Edit > Custom Service to open the Custom Service screen. You can create a list of good specific sites or keywords from the filter list. UAG Series User's Guide 388
  • ZyXEL UAG4100 | User Guide - Page 389
    describes the labels in this screen. Table 172 Configuration > UTM Profile > Content Filter > Profile > Add/Edit Filter Profile > Custom Service LABEL Name Description DESCRIPTION Enter a descriptive name for is the most effective way to block objectionable material. UAG Series User's Guide 389
  • ZyXEL UAG4100 | User Guide - Page 390
    See Section 33.3 on page 391 and Section 33.4 on page 392 for information on configuring these lists. Select the check box(es) to restrict a feature. Select the check box(es) to restrict a feature. • When you download a page containing ActiveX or Java, that part of the web page will be blocked with
  • ZyXEL UAG4100 | User Guide - Page 391
    Configuration > UTM Profile > Content Filter > Profile > Add/Edit Filter Profile > Custom Service .3 Content Filter Trusted Web Sites Screen Click Configuration > UTM Profile > Content Filter > Trusted good (allowed) web site addresses. When you configure Filter Profiles, you can select the option to
  • ZyXEL UAG4100 | User Guide - Page 392
    Table 173 Configuration > UTM entering "zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", Reset to return the screen to its last-saved settings. 33.4 Content Filter Forbidden Web Sites Screen Click Configuration site addresses. When you configure Filter Profiles, you can
  • ZyXEL UAG4100 | User Guide - Page 393
    describes the labels in this screen. Table 174 Configuration > UTM Profile > Content Filter > Forbidden enter .com to block all .com domains. Apply Reset Use up to 127 characters (0-9a-z-). The casing does not matter. your changes back to the UAG. Click Reset to return the screen to its last-saved
  • ZyXEL UAG4100 | User Guide - Page 394
    be in the UAG's cache. The UAG blocks, blocks and logs or just logs the request based on your configuration. 3 If the UAG has no record of the web site, it queries the external content filter database and and category are then stored in the UAG's content filter cache. UAG Series User's Guide 394
  • ZyXEL UAG4100 | User Guide - Page 395
    CHAPTER 34 Zones 34.1 Zones Overview Set up zones to configure network security and network policies in the UAG. A zone is a group of interfaces. The UAG uses zones traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings. UAG Series User's Guide 395
  • ZyXEL UAG4100 | User Guide - Page 396
    The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Object > Zone. Figure 268 Configuration > Object > Zone UAG Series User's Guide 396
  • ZyXEL UAG4100 | User Guide - Page 397
    Configuration > Object > Zone LABEL DESCRIPTION User Configuration / System Default The UAG comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration or an Edit icon. Figure 269 Configuration > Object > Zone Add UAG Series User's Guide 397
  • ZyXEL UAG4100 | User Guide - Page 398
    the labels in this screen. Table 176 Configuration > Object > Zone > Add/Edit LABEL Name DESCRIPTION For a system default zone, the name is read only. Member List For a user-configured zone, type the name used to . Click Cancel to exit this screen without saving. UAG Series User's Guide 398
  • ZyXEL UAG4100 | User Guide - Page 399
    (web, CLI) limited-admin Look at UAG configuration (web, CLI) Perform basic diagnostics (CLI) Access Users ext-user External user account ext-group-user External group user account LOGIN METHOD(S) WWW, TELNET, SSH, FTP, Console WWW, TELNET, SSH, Console WWW WWW UAG Series User's Guide 399
  • ZyXEL UAG4100 | User Guide - Page 400
    35 User/Group Table 177 Types of User Accounts (continued) TYPE ABILITIES guest-manager Create dynamic guest accounts pre-subscriber Access network services dynamic-guest Access network services LOGIN METHOD(S) WWW Web Authentication Portal Web Authentication Portal Note: The default admin
  • ZyXEL UAG4100 | User Guide - Page 401
    information on users who use an external authentication server in order to log in. 35.2 User Summary Screen The User screen provides a summary of all user accounts. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > User. UAG Series User's Guide 401
  • ZyXEL UAG4100 | User Guide - Page 402
    kinds of user account the UAG supports. Description Reference • admin - this user can look at and change the configuration of the UAG • limited-admin - this user can look at the configuration of the UAG but cannot change it • dynamic-guest - this user has access to the UAG's services but cannot
  • ZyXEL UAG4100 | User Guide - Page 403
    • uucp • zyxel • bin • games • news • shutdown • daemon • halt • nobody • sshd To access this screen, go to the User screen (see Section 35.2 on page 401), and click either the Add icon or an Edit icon. Figure 271 Configuration > Object > User/Group > User > Add/Edit UAG Series User's Guide 403
  • ZyXEL UAG4100 | User Guide - Page 404
    the Account Generator screen. • pre-subscriber - this user has access to the UAG's services but cannot look at the configuration. This field is not available if you select the ext-user or ext-group-user type. Retype Group Identifier Enter the password of this user account. It can consist of 4 - 31
  • ZyXEL UAG4100 | User Guide - Page 405
    user groups. To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Group. Figure 272 Configuration > Object > User a group does not remove the user accounts in the group. Object Reference allows you to create a new user group or edit an existing one.
  • ZyXEL UAG4100 | User Guide - Page 406
    controls default settings, login settings, lockout settings, and other user settings for the UAG. You can also use this screen to specify when users must log in to the UAG before it routes traffic for them. To access this screen, log into the Web Configurator, and click Configuration > Object > User
  • ZyXEL UAG4100 | User Guide - Page 407
    These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. Edit Double
  • ZyXEL UAG4100 | User Guide - Page 408
    guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up. • pre-subscriber - this user has access to the UAG's services but cannot look at the configuration. This is the default lease time in minutes
  • ZyXEL UAG4100 | User Guide - Page 409
    timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. To access this
  • ZyXEL UAG4100 | User Guide - Page 410
    saving your changes. 35.4.2 User Aware Login Example Access users cannot use the Web Configurator to browse the configuration of the UAG. Instead, after access users log into the UAG, the following status screen appears. Figure 276 Web Configurator for Non-Admin Users UAG Series User's Guide 410
  • ZyXEL UAG4100 | User Guide - Page 411
    Web Configurator for Non-Admin Users LABEL User-defined lease time (max ... minutes) Renew DESCRIPTION Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified. Access users can click this button to reset the
  • ZyXEL UAG4100 | User Guide - Page 412
    MAC Address Use this screen to configure the wireless client's MAC address and save it into the UAG's local user database for MAC authentication. Figure 278 Configuration > Object > User/Group > MAC Address > Add Cancel to exit this screen without saving your changes. UAG Series User's Guide 412
  • ZyXEL UAG4100 | User Guide - Page 413
    -User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the RADIUS server, and create a shell script that creates the user accounts. See Chapter 48 on page 549 for more information about shell scripts. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 414
    and concepts may help as you read this chapter. Wireless Profiles At the heart of all wireless AP configurations on the UAG are profiles. A profile represents a group of saved settings that you can use across and the UAG4100, or 64 MAC filtering profiles on the UAG5100. UAG Series User's Guide 414
  • ZyXEL UAG4100 | User Guide - Page 415
    A radio profile is a list of settings that a supported managed AP (NWA5121-N for example) can use to configure either one of its two radio transmitters. To access this screen click Configuration > Object > AP Profile. Figure 280 Configuration > Object > AP Profile > Radio UAG Series User's Guide 415
  • ZyXEL UAG4100 | User Guide - Page 416
    profile. Apply Reset none means the WLAN of the managed AP (to which the radio profile is applied) is active at all times if the profile is enabled. Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 416
  • ZyXEL UAG4100 | User Guide - Page 417
    an existing one. To access this screen, click the Add button or select a radio profile from the list and click the Edit button. Figure 281 Configuration > Object > AP Profile > Add/Edit Radio Profile UAG Series User's Guide 417
  • ZyXEL UAG4100 | User Guide - Page 418
    Chapter 36 AP Profile The following table describes the labels in this screen. Table 189 Configuration > Object > AP Profile > Add/Edit Radio Profile LABEL Hide / Show Advanced Settings increasing bandwidth throughput in environments that are prone to high error rates. UAG Series User's Guide 418
  • ZyXEL UAG4100 | User Guide - Page 419
    Chapter 36 AP Profile Table 189 Configuration > Object > AP Profile > Add/Edit frames to be aggregated each time. Select this to enable A-MSDU aggregation. MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers the AP UAG Series User's Guide 419
  • ZyXEL UAG4100 | User Guide - Page 420
    configuration in Mbps. • Support Rate (Mbps) - Set the support rate configuration in Mbps. • MCS Rate - Set the MCS rate configuration. IEEE 802.11n supports you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the User's Guide 420
  • ZyXEL UAG4100 | User Guide - Page 421
    Object > AP Profile > SSID List The following table describes the labels in this screen. Table 190 Configuration > Object > AP Profile > SSID List LABEL DESCRIPTION Add Click this to add a new SSID This field indicates the VLAN ID associated with the SSID profile. UAG Series User's Guide 421
  • ZyXEL UAG4100 | User Guide - Page 422
    Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Underscores are allowed. SSID Enter the SSID name for this profile. . The disable setting means no MAC filtering is used. UAG Series User's Guide 422
  • ZyXEL UAG4100 | User Guide - Page 423
    Configuration > Object > AP Profile > SSID List: Add/Edit SSID Profile (continued) LABEL QoS DESCRIPTION Select a Quality of Service VAP Setting VLAN Support When an SSID is "hidden" to the SSID is by manually entering the SSID name in available only on the UAG that supports a local AP. Select ON to
  • ZyXEL UAG4100 | User Guide - Page 424
    without saving your changes. 36.3.3 Security List This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP This field indicates this profile's security mode (if any). UAG Series User's Guide 424
  • ZyXEL UAG4100 | User Guide - Page 425
    Security Mode selected. Only the default screen is displayed here. Figure 285 Configuration > Object > AP Profile the labels in this screen. Table 193 Configuration > Object > AP Profile > SSID > This name is only visible in the Web Configurator and is only for management purposes. Underscores are
  • ZyXEL UAG4100 | User Guide - Page 426
    Users cannot get an IP address if the MAC authentication fails. Auth. Method An external server can use the wireless client's account (username/password) or Calling Station ID for MAC authentication. Configure a WEP authentication method. Choices are Open or Share key. UAG Series User's Guide 426
  • ZyXEL UAG4100 | User Guide - Page 427
    Profile Table 193 Configuration > Object > protocol to further secure. Not all wireless clients may support this. • aes - This is the Advanced discontinued. Enter the interval (in seconds) at which the AP updates the group WPA encryption key. This field is available only when you User's Guide 427
  • ZyXEL UAG4100 | User Guide - Page 428
    AP Profile > SSID > MAC Filter List The following table describes the labels in this screen. Table 194 Configuration > Object > AP Profile > SSID > MAC Filter List LABEL DESCRIPTION Add Click this to add a MAC filter profile from the list and click the Edit button. UAG Series User's Guide 428
  • ZyXEL UAG4100 | User Guide - Page 429
    to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Underscores are allowed. Filter Action Select allow to permit the Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 429
  • ZyXEL UAG4100 | User Guide - Page 430
    other wireless devices broadcasting on the 802.11 frequencies. 37.2 MON Profile This screen allows you to create monitor mode configurations that can be used by the APs. To access this screen, log in to the Web Configurator, and click Configuration > Object > MON Profile. UAG Series User's Guide 430
  • ZyXEL UAG4100 | User Guide - Page 431
    table describes the labels in this screen. Table 196 Configuration > Object > MON Profile LABEL DESCRIPTION Add Click this . Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. 37.2.1 Add/Edit Series User's Guide 431
  • ZyXEL UAG4100 | User Guide - Page 432
    Edit MON Profile The following table describes the labels in this screen. Table 197 Configuration > Object > MON Profile > Add/Edit MON Profile LABEL Activate Profile Name Channel Mode is set to manual. These channels are limited to the 2 GHz range (802.11 b/g/n). UAG Series User's Guide 432
  • ZyXEL UAG4100 | User Guide - Page 433
    197 Configuration > Object > MON Profile > Add/Edit MON Profile (continued) LABEL Set Scan Channel List (5 GHz) DESCRIPTION Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual
  • ZyXEL UAG4100 | User Guide - Page 434
    Profile Friendly APs If you have more than one AP in your wireless network, you should also configure a list of "friendly" APs. Friendly APs are other wireless access points that are detected in , especially if you have a network with a large number of access points. UAG Series User's Guide 434
  • ZyXEL UAG4100 | User Guide - Page 435
    Configuration > Licensing > Signature Update > AppPatrol to check that you have the latest App Patrol signatures. These signatures are available to create application objects in Configuration Proxies and Tunnels • Security Update • Web IM • of categories currently supported (A) and the
  • ZyXEL UAG4100 | User Guide - Page 436
    objects consisting of service signatures as well as view license and signature information. To access this screen click Configuration > Object > Application > Application. Figure 292 Configuration > Object > the number of times an object reference is used in a profile. UAG Series User's Guide 436
  • ZyXEL UAG4100 | User Guide - Page 437
    the current version downloaded to the UAG. Released Date This field shows the date (YYYY-MM-DD) and time the current signature version was released. Update Signatures If your signature set is not the most recent, click this to go to Configuration > Licensing > Signature Update > IDP / AppPatrol
  • ZyXEL UAG4100 | User Guide - Page 438
    Click Add in Configuration > Object > Application > Application > Add Application Rule. Use this screen to choose the signatures that should go into this object. Figure 294 Configuration > Object > Application > Application > Add Application Rule > Add By Category UAG Series User's Guide 438
  • ZyXEL UAG4100 | User Guide - Page 439
    Application > Application > Add Application Rule > Add By Service The following table describes the labels in this screen. Table 201 Configuration > Object > Application > Application > Add Application Rule . Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 439
  • ZyXEL UAG4100 | User Guide - Page 440
    allows you to download signatures to the UAG from myZyXEL.com. These fields show details on the signatures downloaded. Current Version The version number increments when signatures are updated at myZyXEL.com. This field shows the current version downloaded to the UAG. UAG Series User's Guide 440
  • ZyXEL UAG4100 | User Guide - Page 441
    recent, click this to go to Configuration > Licensing > Signature Update > IDP / AppPatrol to update your signatures. 38.3.1 Add Application Group Rule Click Add in Configuration > Object > Application > Application Cancel to exit this screen without saving your changes. UAG Series User's Guide 441
  • ZyXEL UAG4100 | User Guide - Page 442
    a Network IP address and Netmask subnet mask. The Address screen provides a summary of all addresses in the UAG. To access this screen, click Configuration > Object > Address > Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to
  • ZyXEL UAG4100 | User Guide - Page 443
    Table 204 Configuration > Object > Address > Address LABEL DESCRIPTION Configuration Add Click specific address. Name This field displays the configured name of each address object. Type This . 39.2.1 Address Add/Edit Screen The Configuration > Object > Address Add/Edit screen allows
  • ZyXEL UAG4100 | User Guide - Page 444
    Table 205 IPv4 Address Configuration > Add/Edit Cancel Note: The UAG automatically updates address objects that are based lan1's IP address, the UAG automatically updates the corresponding interface-based, LAN subnet . To access this screen, click Configuration > Object > Address > Address Group
  • ZyXEL UAG4100 | User Guide - Page 445
    39.3.1 on page 445 for more information as well. Table 206 Configuration > Object > Address > Address Group LABEL DESCRIPTION Configuration Add Click this to create a new entry. Edit Double-click an either the Add icon or an Edit icon in the Configuration section. UAG Series User's Guide 445
  • ZyXEL UAG4100 | User Guide - Page 446
    > Add The following table describes the labels in this screen. Table 207 Address Group Configuration > Add LABEL Name Description Member List DESCRIPTION Enter a name for the address group. You may UAG. Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 446
  • ZyXEL UAG4100 | User Guide - Page 447
    Service screens (Section 40.2 on page 448) to view and configure the UAG's list of services and their definitions. • Use the Service Group screens (Section 40.2 on page 448) to view and configure the UAG's list of service 6) and User Datagram Protocol or to investigate problems. For example,
  • ZyXEL UAG4100 | User Guide - Page 448
    and their definitions. In addition, this screen allows you to add, edit, and remove services. To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table entries by that column's criteria. Click the
  • ZyXEL UAG4100 | User Guide - Page 449
    used in a profile. 40.2.1 The Service Add/Edit Screen The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 40.2 on page 448), and click either the Add icon or an Edit icon. UAG Series User's Guide 449
  • ZyXEL UAG4100 | User Guide - Page 450
    The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups. To access this screen, log into the Web Configurator, and click Configuration > Object > Service > Service Group. UAG Series User's Guide 450
  • ZyXEL UAG4100 | User Guide - Page 451
    .3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 40.3 on page 450), and click either the Add icon or an Edit icon. UAG Series User's Guide 451
  • ZyXEL UAG4100 | User Guide - Page 452
    the labels in this screen. Table 211 Configuration > Object > Service > Service Group > Edit LABEL Name Description Member List DESCRIPTION Enter the name of the service group. You may use 1-31 alphanumeric Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 452
  • ZyXEL UAG4100 | User Guide - Page 453
    to set up one-time and recurring schedules for policy routes, and security policies. The UAG supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules page 488 for information about the UAG's current date and time. UAG Series User's Guide 453
  • ZyXEL UAG4100 | User Guide - Page 454
    Section 41.2.1 on page 455 and Section 41.2.2 on page 456 for more information as well. Table 212 Configuration > Object > Schedule LABEL DESCRIPTION One Time Add Click this to create a new entry. Edit Double-click displays the time at which the schedule ends. UAG Series User's Guide 454
  • ZyXEL UAG4100 | User Guide - Page 455
    following table describes the labels in this screen. Table 213 Configuration > Object > Schedule > Edit (One Time) LABEL Configuration Name Date Time StartDate DESCRIPTION Type the name used to refer UAG. Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 455
  • ZyXEL UAG4100 | User Guide - Page 456
    on page 454), and click either the Add icon or an Edit icon in the Recurring section. Figure 308 Configuration > Object > Schedule > Edit (Recurring) The Year, Month, and Day columns are not used in recurring Click Cancel to exit this screen without saving your changes. UAG Series User's Guide 456
  • ZyXEL UAG4100 | User Guide - Page 457
    all groups of schedules in the UAG. To access this screen, click Configuration > Object > Schedule > Group. Figure 309 Configuration > Object > Schedule > Schedule Group The following table describes the fields in Add icon or an Edit icon in the Schedule Group section. UAG Series User's Guide 457
  • ZyXEL UAG4100 | User Guide - Page 458
    table describes the fields in the above screen. Table 216 Configuration > Schedule > Schedule Group > Add LABEL Group Members Name The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not User's Guide 458
  • ZyXEL UAG4100 | User Guide - Page 459
    42.1.2 What You Can Do in this Chapter Use the Configuration > Object > AAA Server > RADIUS screen (Section 42.2 on page 460) to configure the default external RADIUS server to use for user authentication. 42.1.3 What You Need To Know AAA Servers Supported by the UAG The following lists the types of
  • ZyXEL UAG4100 | User Guide - Page 460
    RADIUS screen to manage the list of RADIUS servers the UAG can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 312 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Table 217
  • ZyXEL UAG4100 | User Guide - Page 461
    Server > RADIUS > Add The following table describes the labels in this screen. Table 218 Configuration > Object > AAA Server > RADIUS > Add/Edit LABEL DESCRIPTION General Settings Name Enter a UAG sends authentication requests. Enter a number between 1 and 65535. UAG Series User's Guide 461
  • ZyXEL UAG4100 | User Guide - Page 462
    218 Configuration > Object Enter a number between 1 and 65535. Enter a password (up to 15 alphanumeric characters) as the key to update to the RADIUS server. Specify the timeout period (between 1 and 300 seconds) before the UAG disconnects from the RADIUS server. In this case, user User's Guide 462
  • ZyXEL UAG4100 | User Guide - Page 463
    Configuration > Object > AAA Server > RADIUS > Add/Edit (continued) LABEL User Login to which group a user belongs. You can add ext-group-user user objects to identify groups ", and "management". Then you could also create an ext-group-user user object for each group. One with "sales" as the group
  • ZyXEL UAG4100 | User Guide - Page 464
    servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the UAG are authenticated locally. 43.1.1 What You Can Do in this Chapter • Use the Configuration > Object > Auth. Method screens (Section 43.2 on page 464) to create
  • ZyXEL UAG4100 | User Guide - Page 465
    . 1 Click Configuration > Object > password that doesn't match the one on the first authentication server. Note: You can NOT select two server objects of the same type. 7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 466
    this screen. Table 220 Configuration > Object > Auth methods is important as UAG authenticates the users using the authentication methods in the order UAG authenticates the users using the databases (in the local user database or the when you enter the username and password that doesn't match the one
  • ZyXEL UAG4100 | User Guide - Page 467
    44 Certificates 44.1 Overview The UAG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity they cannot re-sign the message with Tim's private key). UAG Series User's Guide 467
  • ZyXEL UAG4100 | User Guide - Page 468
    when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. Certificate File Formats Any certificate that you want to import has to be in one of these numerals to convert a binary PKCS#7 certificate into a printable form. UAG Series User's Guide 468
  • ZyXEL UAG4100 | User Guide - Page 469
    within a password-encrypted envelope. The file's password is not connected to your certificate's public or private passwords. Exporting a easy for this to occur since many programs use text files by default. 44.1.3 Verifying a Certificate Before you import a trusted certificate into User's Guide 469
  • ZyXEL UAG4100 | User Guide - Page 470
    The UAG keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click is recommended that you give each certificate a unique name. UAG Series User's Guide 470
  • ZyXEL UAG4100 | User Guide - Page 471
    Chapter 44 Certificates Table 221 Configuration > Object > Certificate > My Certificates (continued) LABEL display the current validity status of the certificates. 44.2.1 The My Certificates Add Screen Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the
  • ZyXEL UAG4100 | User Guide - Page 472
    > My Certificates > Add The following table describes the labels in this screen. Table 222 Configuration > Object > Certificate > My Certificates > Add LABEL Name Subject Information DESCRIPTION Type a characters, the hyphen, the @ symbol, periods and the underscore. UAG Series User's Guide 472
  • ZyXEL UAG4100 | User Guide - Page 473
    44 Certificates Table 222 Configuration > Object > Certificate request and save it locally for later manual enrollment OK Cancel Select IKE Intermediate to have Certificates screen. 44.2.2 The My Certificates Edit Screen Click Configuration > Object > Certificate > My Certificates and then the
  • ZyXEL UAG4100 | User Guide - Page 474
    My Certificates > Edit The following table describes the labels in this screen. Table 223 Configuration > Object > Certificate > My Certificates > Edit LABEL Name Certification Path DESCRIPTION This or been revoked. Click Refresh to display the certification path. UAG Series User's Guide 474
  • ZyXEL UAG4100 | User Guide - Page 475
    Chapter 44 Certificates Table 223 Configuration > Object > Certificate > My Certificates > Edit (continued) LABEL Certificate Information Type Version Serial Number Subject Issuer This is the certificate's message digest that the UAG calculated using the SHA1 algorithm. UAG Series User's Guide 475
  • ZyXEL UAG4100 | User Guide - Page 476
    later manual enrollment. Export Certificate Only Password Export Certificate 's password and click this button. Click Save in the File Download screen Configuration > Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions User's Guide 476
  • ZyXEL UAG4100 | User Guide - Page 477
    224 Configuration > Object > Certificate > My Certificates > Import LABEL File Path DESCRIPTION Type in the location of the file you want to upload in this field or click Browse to find it. Browse Password OK certificate that is signed by one of these certificates. UAG Series User's Guide 477
  • ZyXEL UAG4100 | User Guide - Page 478
    The UAG keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click to display the current validity status of the certificates. UAG Series User's Guide 478
  • ZyXEL UAG4100 | User Guide - Page 479
    Chapter 44 Certificates 44.3.1 The Trusted Certificates Edit Screen Click Configuration > Object > Certificate > Trusted Certificates and then a certificate issued by the certification authority. Figure 323 Configuration > Object > Certificate > Trusted Certificates > Edit UAG Series User's Guide 479
  • ZyXEL UAG4100 | User Guide - Page 480
    Configuration > Object > Certificate > Trusted Certificates > Edit LABEL Name Certification Path Refresh LDAP Server Address Port ID Password number that the directory server uses. 389 is the default server port number for LDAP. The UAG may need to authenticate itself in ). UAG Series User's Guide 480
  • ZyXEL UAG4100 | User Guide - Page 481
    File Download screen. instructions in this screen to save a trusted certificate to the UAG. Note: You must remove any spaces from the certificate's filename before you can import the certificate. Figure 324 Configuration > Object > Certificate > Trusted Certificates > Import UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 482
    Chapter 44 Certificates The following table describes the labels in this screen. Table 227 Configuration > Object > Certificate > Trusted Certificates > Import LABEL File Path DESCRIPTION Type in the UAG. Click Cancel to quit and return to the previous screen. UAG Series User's Guide 482
  • ZyXEL UAG4100 | User Guide - Page 483
    45.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP the ISP Account Edit section below for more information as well. Table 228 Configuration > Object > ISP Account LABEL DESCRIPTION Add Click this to create a . UAG Series User's Guide 483
  • ZyXEL UAG4100 | User Guide - Page 484
    the ISP Account Edit screen below. Figure 326 Configuration > Object > ISP Account > Edit The following table describes the labels in this screen. Table 229 Configuration > Object > ISP Account > Edit LABEL protocol. pptp - This ISP account uses the PPTP protocol. UAG Series User's Guide 484
  • ZyXEL UAG4100 | User Guide - Page 485
    Accounts Table 229 Configuration > Object User Name Password Retype to Confirm IP Address/ FQDN Connection ID Service Name mppe-128 - This ISP account uses 128-bit MPPE. Type the user name given to you by your ISP. Type the password associated with the user name above. The password User's Guide 485
  • ZyXEL UAG4100 | User Guide - Page 486
    493) to configure the DNS ( configure settings for HTTP or HTTPS access to the UAG and how the login and access user 523) to configure Telnet to download the UAG's firmware and configuration files using FTP. Please also see Chapter 48 on page 549 for more information about firmware and configuration
  • ZyXEL UAG4100 | User Guide - Page 487
    "-" are accepted. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. 46.3 USB Storage The UAG , or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. UAG Series User's Guide 487
  • ZyXEL UAG4100 | User Guide - Page 488
    Configuration > System > USB Storage LABEL DESCRIPTION Activate USB storage service save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the UAG's time
  • ZyXEL UAG4100 | User Guide - Page 489
    new time in this field and then click Apply. New Date (yyyy-mm-dd) This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. UAG Series User's Guide 489
  • ZyXEL UAG4100 | User Guide - Page 490
    Configuration option if you use Daylight Saving Time. Configure the day and time when Daylight Saving hour ahead of GMT or UTC (GMT+1). Configure the day and time when Daylight Saving Time a number from 1 to 5.5 (by 0.5 increments). Apply Reset For example, if you set this field to 3.5, a log
  • ZyXEL UAG4100 | User Guide - Page 491
    it cannot synchronize with the time server you specified. Table 233 Default Time Servers 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp. screen. Try re-configuring the Date/Time screen. To manually set the UAG date and time. 1 Click System > Date/Time. 2 Select Manual under Time and Date User's Guide 491
  • ZyXEL UAG4100 | User Guide - Page 492
    of the console port. Your UAG supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port. Apply Reset The Console Port Speed applies to a console port connection using terminal emulation software and NOT the Console in the UAG Web Configurator Status screen. Click Apply to
  • ZyXEL UAG4100 | User Guide - Page 493
    manually manually enter the IP addresses of other DNS servers. 46.6.2 Configuring the DNS Screen Click Configuration > System > DNS to change your UAG's DNS settings. Use the DNS screen to configure configure the UAG to accept or discard DNS queries. Use the Network > Interface screens to configure
  • ZyXEL UAG4100 | User Guide - Page 494
    Configuration > System > DNS LABEL DESCRIPTION Address/PTR Record This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel Address This is the IP address of a host. UAG Series User's Guide 494
  • ZyXEL UAG4100 | User Guide - Page 495
    the www.zyxel.com.tw fully qualified domain name. Type DNS Server Query Via MX Record (for My FQDN) Add Edit Remove # A "*" means all domain zones. This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User-Defined
  • ZyXEL UAG4100 | User Guide - Page 496
    service control rule. The ordering of your rules is important as rules are applied in sequence. Zone Address Action The entry with a hyphen (-) instead of a number is the UAG's (non-configurable) default .zyxel.com is a fully qualified domain name, where "www" is the host, "zyxel" User's Guide 496
  • ZyXEL UAG4100 | User Guide - Page 497
    following table describes the labels in this screen. Table 236 Configuration > System > DNS > Address/PTR Record Add LABEL FQDN subdomain's IP address is updated as well, with one edit to the record. For example, the domain name zyxel.com is hooked up to *.zyxel.com. UAG Series User's Guide 497
  • ZyXEL UAG4100 | User Guide - Page 498
    describes the labels in this screen. Table 237 Configuration > System > DNS > CNAME Record > For example, www.zyxel.com.tw is a fully qualified domain name, where "www" is the host, "zyxel" is the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain
  • ZyXEL UAG4100 | User Guide - Page 499
    238 Configuration > System > DNS > Domain Zone Forwarder Add LABEL Domain Zone DESCRIPTION A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel. , that is, one domain is mapping to one host. UAG Series User's Guide 499
  • ZyXEL UAG4100 | User Guide - Page 500
    saving 46.6.12 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 337 Configuration > System > DNS > Service Control Rule Add The following table on which a DNS query to the UAG is allowed or denied. UAG Series User's Guide 500
  • ZyXEL UAG4100 | User Guide - Page 501
    Configuration > System > DNS > Service using a service, make sure you do not have a service control rule service from accessing the UAG, clear Enable in the corresponding service screen. 46.7.1 Service Access Limitations A service object) in the Service Control table is not polling. Each user is also
  • ZyXEL UAG4100 | User Guide - Page 502
    connection attempts. 46.7.4 Configuring WWW Service Control Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the UAG using HTTP or HTTPS. You can also specify which IP addresses the access can come from. UAG Series User's Guide 502
  • ZyXEL UAG4100 | User Guide - Page 503
    > System > WWW > Service Control LABEL DESCRIPTION HTTPS Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the UAG Web Configurator using secure HTTPS connections. UAG Series User's Guide 503
  • ZyXEL UAG4100 | User Guide - Page 504
    Chapter 46 System Table 241 Configuration > System > WWW > Service Control (continued) LABEL Server Port Authenticate Client Certificates Server Certificate Redirect HTTP to HTTPS Admin/User Service Control DESCRIPTION The HTTPS server listens on port 443 by default. If you change the HTTPS
  • ZyXEL UAG4100 | User Guide - Page 505
    Click Reset to return the screen to its last-saved settings. 46.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 340 Configuration > System > Service Control Rule > Edit UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 506
    the WWW Login Page Click Configuration > System > WWW > Login Page to open the Login Page screen. Use this screen to customize the Web Configurator login screen. You can also customize the page that displays after an access user logs into the Web Configurator to access network services like the
  • ZyXEL UAG4100 | User Guide - Page 507
    Chapter 46 System Figure 341 Configuration > System > WWW > Login Page (Desktop View) UAG Series User's Guide 507
  • ZyXEL UAG4100 | User Guide - Page 508
    Chapter 46 System Figure 342 Configuration > System > WWW > Login Page (Mobile View) The following figures identify the parts you can customize in the login and access pages. UAG Series User's Guide 508
  • ZyXEL UAG4100 | User Guide - Page 509
    Chapter 46 System Figure 343 Login Page Customization Logo Title Message Color (color of all text) Background Figure 344 Access Page Customization Logo followed by the six-digit hexadecimal number that represents the desired color. For example, use "#000000" for black. UAG Series User's Guide 509
  • ZyXEL UAG4100 | User Guide - Page 510
    , your browser may not support it. Try selecting another color. The following table describes the labels in the screen. Table 243 Configuration > System > WWW > Login Page LABEL Select Type Logo File DESCRIPTION Select whether the Web Configurator uses the default login screen or the one that
  • ZyXEL UAG4100 | User Guide - Page 511
    to the UAG. Click Reset to return the screen to its last-saved settings. 46.7.7 HTTPS Example If you haven't changed the default HTTPS port on the Select Continue to this website to proceed to the Web Configurator login screen. Otherwise, select Click here to close this webpage to User's Guide 511
  • ZyXEL UAG4100 | User Guide - Page 512
    of the browser's trusted certificate authorities. The issuing certificate authority of the UAG's factory default certificate is the UAG itself since the certificate is a self-signed certificate. • 's certificate into your operating system as a trusted certificate. UAG Series User's Guide 512
  • ZyXEL UAG4100 | User Guide - Page 513
    secure connection. Figure 348 Login Screen (Internet Explorer) 46 Configurator screen). Figure 349 UAG Trusted CA Screen The CA sends you a package containing the CA's trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 514
    Install Certificate and follow the wizard as shown earlier in this appendix. 46.7.7.5.2 Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the
  • ZyXEL UAG4100 | User Guide - Page 515
    automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 352 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. UAG Series User's Guide 515
  • ZyXEL UAG4100 | User Guide - Page 516
    following store and choose a different location. Figure 354 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. UAG Series User's Guide 516
  • ZyXEL UAG4100 | User Guide - Page 517
    to select a personal certificate to send to the UAG. This screen displays even if you only have a single certificate as in the example. UAG Series User's Guide 517
  • ZyXEL UAG4100 | User Guide - Page 518
    Chapter 46 System Figure 358 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 359 Secure Web Configurator Login Screen 46.8 SSH You can use SSH (Secure SHell) to securely access connect to the WAN port of the UAG for a management session. UAG Series User's Guide 518
  • ZyXEL UAG4100 | User Guide - Page 519
    computer. 2 Encryption Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. UAG Series User's Guide 519
  • ZyXEL UAG4100 | User Guide - Page 520
    (user name and password) to the server to log in to the server. 46.8.2 SSH Implementation on the UAG Your UAG supports Configuration > System > SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service
  • ZyXEL UAG4100 | User Guide - Page 521
    typed. # This is the index number of the service control rule. Zone This is the zone on the UAG the user is allowed or denied to access. Address This UAG. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user's guide. 46.8.5.1
  • ZyXEL UAG4100 | User Guide - Page 522
    Test whether the SSH service is available on the UAG. Enter "telnet 172.16.0.1 22" at a terminal prompt and press [ENTER]. The computer attempts to connect to port 22 on the UAG (using the default IP address of 172.16.0.1). A message displays indicating the SSH protocol version supported by the UAG
  • ZyXEL UAG4100 | User Guide - Page 523
    screen. Table 245 Configuration > System > TELNET LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to ] to move the rule to the number that you typed. UAG Series User's Guide 523
  • ZyXEL UAG4100 | User Guide - Page 524
    service control rule. Zone Address Action Apply Reset The entry with a hyphen (-) instead of a number is the UAG's (non-configurable) default UAG. Click Reset to return the screen to its last-saved settings. 46.10 FTP You can upload and download the UAG's firmware and configuration files using FTP
  • ZyXEL UAG4100 | User Guide - Page 525
    [ENTER] to move the rule to the number that you typed. This is the index number of the service control rule. Zone Address Action Apply Reset The entry with a hyphen (-) instead of a number is the UAG's (non-configurable) default policy. The UAG applies this to traffic that does not match any other
  • ZyXEL UAG4100 | User Guide - Page 526
    also supports private MIBs (private.mib and enterprise.mib) to collect information about CPU and memory usage. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the UAG's MIBs from www.zyxel.com. UAG Series User's Guide 526
  • ZyXEL UAG4100 | User Guide - Page 527
    > System > SNMP tab. The screen appears as shown. Use this screen to configure your SNMP settings, including from which zones SNMP can be used to access the UAG. You can also specify from which IP addresses the access can come. Figure 369 Configuration > System > SNMP UAG Series User's Guide 527
  • ZyXEL UAG4100 | User Guide - Page 528
    [ENTER] to move the rule to the number that you typed. This is the index number of the service control rule. Zone Address Action Apply Reset The entry with a hyphen (-) instead of a number is the UAG's (non-configurable) default policy. The UAG applies this to traffic that does not match any other
  • ZyXEL UAG4100 | User Guide - Page 529
    the UAG to the RADIUS client. You must have certificates already configured in the My Certificates screen. Authentication Method Select an authentication method if save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 529
  • ZyXEL UAG4100 | User Guide - Page 530
    The following table describes the labels in this screen. Table 250 Configuration > System > Auth. Server > Add/Edit LABEL Activate Profile the UAG. Enter the subnet mask of the RADIUS client. Enter a password (up to 64 alphanumeric characters) as the key to be shared between Series User's Guide 530
  • ZyXEL UAG4100 | User Guide - Page 531
    information is then displayed in the ZON Utility screen and you can perform tasks like basic configuration of the devices and batch firmware upgrade in it. You can download the ZON Utility at www.zyxel.com and install it on a computer. The following figure shows the ZON Utility screen. Figure 373
  • ZyXEL UAG4100 | User Guide - Page 532
    IP Configuration, Renew IP address and Flash Locator LED, this field displays "Update failed", "Not support Renew IP address" and "Not support Flash Locator LED" respectively. 46.14.1 ZyXEL One Network (ZON) System Screen Use this screen to enable ZDP and Smart Connect. UAG Series User's Guide 532
  • ZyXEL UAG4100 | User Guide - Page 533
    into using the web configurator. Enable Select to activate LLDP discovery on the UAG. See also Monitor > System Status > Ethernet Discovery. Apply Click Apply to save your changes back to the UAG. Reset Click Reset to return the screen to its last-saved settings. UAG Series User's Guide 533
  • ZyXEL UAG4100 | User Guide - Page 534
    Chapter • Use the Email Daily Report screen (Section 47.2 on page 534) to configure where and how to send daily reports and what reports to send. • Use traffic throughput rate. Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the
  • ZyXEL UAG4100 | User Guide - Page 535
    Chapter 47 Log and Report Figure 375 Configuration > Log & Report > Email Daily Report UAG Series User's Guide 535
  • ZyXEL UAG4100 | User Guide - Page 536
    Configuration > Log & Report > Email Daily Report LABEL Enable Email Daily Report Mail Server Mail Server Port TLS Security Authenticate Server Mail Subject Append system name Append date time Mail From Mail To SMTP Authentication User Name Password the UAG. Click Reset to return the User's Guide 536
  • ZyXEL UAG4100 | User Guide - Page 537
    log and supports e-mail profiles settings summary. Use the Edit screens to configure settings such as log categories, e-mail addresses this screen, click Configuration > Log & Report > Log Settings. Figure 376 Configuration > Log & labels in this screen. Table 256 Configuration > Log & Report > Log
  • ZyXEL UAG4100 | User Guide - Page 538
    Chapter 47 Log and Report Table 256 Configuration > Log & Report > Log Settings (continued log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL's Vantage Report, syslog-compatible format. Summary Log Category Settings Apply CEF/Syslog - Common Edit icon. UAG Series User's Guide 538
  • ZyXEL UAG4100 | User Guide - Page 539
    Chapter 47 Log and Report Figure 377 Configuration > Log & Report > Log Settings > Edit (System Log) UAG Series User's Guide 539
  • ZyXEL UAG4100 | User Guide - Page 540
    Configuration > Log & Report > Log Settings > Edit (System Log) LABEL E-Mail Server 1/2 Active Mail Server Mail Server Port TLS Security Authenticate Server Mail Subject Send From Send Log To Send Alerts To Sending Log Day for Sending Log Time for Sending Log SMTP Authentication User Name Password
  • ZyXEL UAG4100 | User Guide - Page 541
    Chapter 47 Log and Report Table 257 Configuration > Log & Report > Log Settings > Edit (System used in the Display and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. Select which events you want . UAG Series User's Guide 541
  • ZyXEL UAG4100 | User Guide - Page 542
    > Log Settings > Edit (USB Storage) The following table describes the labels in this screen. Table 258 Configuration > Log & Report > Log Settings > Edit (USB Storage) LABEL DESCRIPTION Duplicate logs to USB storage storage device before discarding it. Active Log UAG Series User's Guide 542
  • ZyXEL UAG4100 | User Guide - Page 543
    Chapter 47 Log and Report Table 258 Configuration > Log & Report > Log Settings a specific entry. This field displays each category of messages. The Default category includes debugging messages generated by open source software. Select what information server Edit icon. UAG Series User's Guide 543
  • ZyXEL UAG4100 | User Guide - Page 544
    Chapter 47 Log and Report Figure 379 Configuration > Log & Report > Log Settings > Edit (Remote Server) UAG Series User's Guide 544
  • ZyXEL UAG4100 | User Guide - Page 545
    labels in this screen. Table 259 Configuration > Log & Report > Log the log information. VRPT/Syslog - ZyXEL's Vantage Report, syslog-compatible format. and Category fields in the View Log tab. The Default category includes debugging messages generated by open source software. User's Guide 545
  • ZyXEL UAG4100 | User Guide - Page 546
    of indicating which messages are included in each log and each alert. Please see Section 47.3.2 on page 538, where this process is discussed. (The Default category includes debugging messages generated by open source software.) UAG Series User's Guide 546
  • ZyXEL UAG4100 | User Guide - Page 547
    and Report The following table describes the fields in this screen. Table 260 Configuration > Log & Report > Log Setting > Log Category Settings LABEL System fields in the View Log tab. The Default category includes debugging messages generated by open source software. UAG Series User's Guide 547
  • ZyXEL UAG4100 | User Guide - Page 548
    Chapter 47 Log and Report Table 260 Configuration > Log & Report > Log Setting > Log Category Settings (continued) LABEL System Log DESCRIPTION Select which events you want the previous screen. Click this to return to the previous screen without saving your changes. UAG Series User's Guide 548
  • ZyXEL UAG4100 | User Guide - Page 549
    and upload firmware to the UAG. • Use the Shell Script screen (see Section 48.4 on page 557) to store, name, download, upload and run shell script files. 48.1.2 What you Need to Know Configuration Files and Shell Scripts When you apply a configuration file, the UAG uses the factory default settings
  • ZyXEL UAG4100 | User Guide - Page 550
    to the way you run CLI commands manually. An example is shown below. Figure 381 Configuration File / Shell Script: Example # enter configuration mode configure terminal # change administrator password username admin password 4321 user-type admin # configure wan1 interface wan1 ip address 10.16
  • ZyXEL UAG4100 | User Guide - Page 551
    the UAG. Once your UAG is configured and functioning properly, it is highly recommended that you back up your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. UAG Series User's Guide 551
  • ZyXEL UAG4100 | User Guide - Page 552
    the power off and back on), the UAG uses the system-default.conf configuration file with the UAG's default settings. • If there is a startup-config.conf, the > File Manager > Configuration File Do not turn off the UAG while configuration file upload is in progress. UAG Series User's Guide 552
  • ZyXEL UAG4100 | User Guide - Page 553
    Maintenance > File Manager > Configuration File > Rename Remove Download Copy Specify the new name for the configuration file. Use up to 25 configuration file. Click a configuration file's row to select it and click Remove to delete it from the UAG. You can only delete manually saved configuration
  • ZyXEL UAG4100 | User Guide - Page 554
    number for each configuration file entry. This field is a sequential value, and it is not associated with a specific entry. The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. UAG Series User's Guide 554
  • ZyXEL UAG4100 | User Guide - Page 555
    it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "UAG.bin". The firmware update can take up to five minutes. Do not turn off or reset the UAG while the firmware update is in progress! UAG Series User's Guide 555
  • ZyXEL UAG4100 | User Guide - Page 556
    firmware version and the date created. Released Date This is the date that the version of the firmware Firmware Upload in Process screen, wait two minutes before logging into the UAG again. Figure 387 Firmware , log in again and check your new firmware version in the Dashboard screen. If the upload
  • ZyXEL UAG4100 | User Guide - Page 557
    48 File Manager Figure 389 Firmware Upload Error 48.4 The Shell Script to open the Shell Script screen. Use the Shell Script screen to store, name, download, upload and run shell script files. You can store multiple shell script files on the UAG File Manager > Shell Script UAG Series User's Guide 557
  • ZyXEL UAG4100 | User Guide - Page 558
    without deleting the shell script file. Click a shell script file's row to select it and click Download to save the configuration to your computer. Use this button to save a duplicate of a shell script file on the UAG shell script files were last changed or saved. UAG Series User's Guide 558
  • ZyXEL UAG4100 | User Guide - Page 559
    the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. UAG Series User's Guide 559
  • ZyXEL UAG4100 | User Guide - Page 560
    support for troubleshooting. • Use the System Log screens (see Section 49.5 on page 567) to download configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 561
    . Collect Now Click this to have the UAG create a new diagnostic file. Download Click this to save the most recent diagnostic file to a computer. 49.2.1 The to send these files to customer support for troubleshooting. Figure 394 Maintenance > Diagnostics > Files UAG Series User's Guide 561
  • ZyXEL UAG4100 | User Guide - Page 562
    up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. # This column displays the . Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open
  • ZyXEL UAG4100 | User Guide - Page 563
    to capture packets. Select any to capture packets for all hosts. Select User Defined to be able to enter an IP address. Host Port This field is configurable when you set the Protocol Type to any, tcp, or udp. ones entries when the available storage space runs out. UAG Series User's Guide 563
  • ZyXEL UAG4100 | User Guide - Page 564
    to the UAG. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the use the USB storage device. The available storage capacity also displays. service deactivated - the USB storage feature is disabled and the UAG User's Guide 564
  • ZyXEL UAG4100 | User Guide - Page 565
    storage device. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. UAG Series User's Guide 565
  • ZyXEL UAG4100 | User Guide - Page 566
    This column displays the size (in bytes) of a configuration file. Last Modified This column displays the date and time dump file. Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. 49 support for troubleshooting. UAG Series User's Guide 566
  • ZyXEL UAG4100 | User Guide - Page 567
    A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. # This column displays the number for (csv) format. You can download them to your computer and open them in a tool like Microsoft's Excel. UAG Series
  • ZyXEL UAG4100 | User Guide - Page 568
    multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. # This column displays the number for each file entry > Diagnostics > Network Tool to display this screen. UAG Series User's Guide 568
  • ZyXEL UAG4100 | User Guide - Page 569
    IP address that you entered. Domain Name or IP Address Test Stop Reset Select TRACEROUTE IPv4 to perform the traceroute function. This determines the path UAG. Studying these frame captures may help you identify network problems. Click Maintenance > Diagnostics > Wireless Frame Capture to display
  • ZyXEL UAG4100 | User Guide - Page 570
    off this list and onto the Captured MON Mode APs list. This column displays the monitor-mode configured APs selected for wireless frame capture. Specify a maximum size limit in kilobytes for the total combined format is: [file prefix].cap. For example, "monitor.cap". UAG Series User's Guide 570
  • ZyXEL UAG4100 | User Guide - Page 571
    configure the UAG while a frame capture is in progress although you cannot modify the frame capture settings. The UAG's throughput or performance may be affected while a frame capture is in progress. Stop Reset You can download the files . Download Click a file to select it and click Download to
  • ZyXEL UAG4100 | User Guide - Page 572
    your routing and SNAT settings and helps troubleshoot any related problems. 50.1.1 What You Can Do in policy route to override direct route in the CONFIGURATION > Network > Routing > Policy Route screen. routes to control dynamic IPSec rules in the CONFIGURATION > VPN > IPSec VPN > VPN Connection
  • ZyXEL UAG4100 | User Guide - Page 573
    Chapter 50 Packet Flow Explore Figure 403 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 404 Maintenance > Packet Flow Explore > Routing Status (Policy Route) UAG Series User's Guide 573
  • ZyXEL UAG4100 | User Guide - Page 574
    Chapter 50 Packet Flow Explore Figure 405 Maintenance > Packet Flow Explore > Routing Status (VPN 1-1 Mapping Route) Figure 406 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 407 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) UAG Series User's Guide 574
  • ZyXEL UAG4100 | User Guide - Page 575
    Chapter 50 Packet Flow Explore Figure 408 Maintenance > Packet Flow Explore > Routing Status (Static Route) Figure 409 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) UAG Series User's Guide 575
  • ZyXEL UAG4100 | User Guide - Page 576
    is a sequential value, and it is not associated with any entry. Source This is the IP address(es) of the local VPN network. UAG Series User's Guide 576
  • ZyXEL UAG4100 | User Guide - Page 577
    an activated policy route. If you have configured a schedule for the route, this Service This is the name of the service object. any means all services. Source Port This is the name of a service fields are available if you click Default WAN Trunk in the Routing Flow section User's Guide 577
  • ZyXEL UAG4100 | User Guide - Page 578
    Status. The order of the SNAT flow may vary depending on whether you: • select use default SNAT in the Configuration > Network > Interface > Trunk screen. • use policy routes to control 1-1 NAT by 412 Maintenance > Packet Flow Explore > SNAT Status (VPN 1-1 Mapping Route) UAG Series User's Guide 578
  • ZyXEL UAG4100 | User Guide - Page 579
    Chapter 50 Packet Flow Explore Figure 413 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) Figure 414 Maintenance > Packet Flow Explore > SNAT Status (Loopback SNAT) Figure 415 Maintenance > Packet Flow Explore > SNAT Status (Default SNAT) UAG Series User's Guide 579
  • ZyXEL UAG4100 | User Guide - Page 580
    the source IP address for a packet according to the rules you have configured in the UAG. Click a function box to display the related settings in out through this rule. The following fields are available if you click Default SNAT in the SNAT Flow section. # This field is a User's Guide 580
  • ZyXEL UAG4100 | User Guide - Page 581
    reset returns the device to its default configuration. 51.2 The Reboot Screen The Reboot screen allows remote users to restart the device. To access this screen, click Maintenance > Reboot. Figure 416 Maintenance > Reboot Click the Reboot button to restart the UAG. Wait a few minutes until the login
  • ZyXEL UAG4100 | User Guide - Page 582
    you turn off the UAG or remove the power. Not doing so can cause the firmware to become corrupt. 52.1.1 What You Need To Know Shutdown writes all cached data to shut down the UAG. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You
  • ZyXEL UAG4100 | User Guide - Page 583
    ve forgotten the UAG's password, use the RESET button. Press the button in for about 5 seconds (or until the PWR LED starts to blink), then release it. It returns the UAG to the factory defaults (password is 1234, LAN IP address 172.16.0.1 or 172.17.0.1 etc.; see your User's Guide for details). • If
  • ZyXEL UAG4100 | User Guide - Page 584
    Troubleshooting • Check the WAN interface's status in the Dashboard. Use the installation setup wizard again and make sure that you enter the correct settings. Use the same case as provided by your ISP. I configured has a virtual interface or PPP interface on top of it. UAG Series User's Guide 584
  • ZyXEL UAG4100 | User Guide - Page 585
    manually configure a policy route to add routing and SNAT settings for an interface with the Interface Type set to General. You can also configure a policy route to override the default 's user name, password, and domain name and have entered them properly in the UAG. • You may need to configure the
  • ZyXEL UAG4100 | User Guide - Page 586
    UAG to reset the connection, updates address default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 42 on page 459 for more information about authentication methods.) The UAG fails to authenticate the ext-user user accounts I configured
  • ZyXEL UAG4100 | User Guide - Page 587
    53 Troubleshooting I cannot add the admin users to a user group with access users. You cannot put access users and admin users in the same user group. I cannot add the default admin account to a user group. You cannot put the default admin account into any user group. The schedule I configured is
  • ZyXEL UAG4100 | User Guide - Page 588
    Troubleshooting I cannot access the UAG from a computer connected to the Internet. Check the service control rules and to-UAG security policies. I uploaded a logo to display on the upper left corner of the Web Configurator login on configuration files and shell scripts.
  • ZyXEL UAG4100 | User Guide - Page 589
    and then on again. If you still cannot access the UAG by any method or you forget the administrator password(s), you can reset the UAG to its factory-default settings. Any configuration files or shell scripts that you saved on the UAG should still be available afterwards. Use the following procedure
  • ZyXEL UAG4100 | User Guide - Page 590
    Chapter 53 Troubleshooting You should be able to access the UAG using the default settings. 53.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions.
  • ZyXEL UAG4100 | User Guide - Page 591
    A Customer Support In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional websites are listed below. See also http://www.zyxel.com
  • ZyXEL UAG4100 | User Guide - Page 592
    • ZyXEL Communications Corporation • http://www.zyxel.com Thailand • ZyXEL Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • ZyXEL Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • ZyXEL Deutschland GmbH • http://www.zyxel.de
  • ZyXEL UAG4100 | User Guide - Page 593
    ZyXEL Estonia • http://www.zyxel.com/ee/et/ Finland • ZyXEL Communications • http://www.zyxel.fi France • ZyXEL France • http://www.zyxel.fr Germany • ZyXEL Deutschland GmbH • http://www.zyxel.de Hungary • ZyXEL Hungary & SEE • http://www.zyxel.hu Latvia • ZyXEL Latvia
  • ZyXEL UAG4100 | User Guide - Page 594
    ://www.zyxel.com/ro/ro Russia • ZyXEL Russia • http://www.zyxel.ru Slovakia • ZyXEL Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • ZyXEL Spain • http://www.zyxel.es Sweden • ZyXEL Communications • http://www.zyxel.se Switzerland • Studerus AG
  • ZyXEL UAG4100 | User Guide - Page 595
    East Egypt • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml Middle East • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml North America USA • ZyXEL Communications, Inc. - North America Headquarters • http://www.us.zyxel.com/
  • ZyXEL UAG4100 | User Guide - Page 596
    Appendix A Customer Support Oceania Australia • ZyXEL Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za
  • ZyXEL UAG4100 | User Guide - Page 597
    ZyXEL manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimers ZyXEL of others. ZyXEL further reserves service user instructions and on, the user is encouraged to from the user and must
  • ZyXEL UAG4100 | User Guide - Page 598
    (Danish) Undertegnede ZyXEL erklærer herved, ZyXEL ovime izjavljuje da je radijska oprema tipa u skladu s Direktivom 1999/5/EC. Íslenska (Icelandic) Hér með lýsir, ZyXEL því yfir að þessi búnaður er í samræmi við grunnkröfur og önnur viðeigandi ákvæði tilskipunar 1999/5/EC. UAG Series User's Guide
  • ZyXEL UAG4100 | User Guide - Page 599
    relevanti li hemm fid-Dirrettiva 1999/5/EC. Hierbij verklaart ZyXEL dat het toestel uitrusting in overeenstemming is met de érieure à 300 mètres doivent être notifiées à l'Institut Belge des services Postaux et des Télécommunications (IBPT). Visitez http://www.ibpt.be pour de plus User's Guide 599
  • ZyXEL UAG4100 | User Guide - Page 600
    no one will step on them or stumble over them. • Always disconnect all cables from this device before servicing or disassembling. • Use ONLY an appropriate power adaptor or cord for your device. Connect it to the marketed in US must fixed to US operation channels only.
  • ZyXEL UAG4100 | User Guide - Page 601
    Appendix B Legal Information Environment statement ErP (Energy-related Products) ZyXEL products put on the EU market in compliance with the requirement of the da parte del detentore comporta l'applicazione delle sanzioni amministrative previste dalla normativa vigente." UAG Series User's Guide 601
  • ZyXEL UAG4100 | User Guide - Page 602
    Appendix B Legal Information Environmental Product Declaration
  • ZyXEL UAG4100 | User Guide - Page 603
    download the latest firmware at www.zyxel.com. If you cannot find it there, contact your vendor or ZyXEL Technical Support at [email protected]. To obtain the source code covered under those Licenses, please contact your vendor or ZyXEL Technical Support at [email protected]. UAG Series User
  • ZyXEL UAG4100 | User Guide - Page 604
    users 399, 401 custom page 506 forcing login 260 idle timeout 408 logging in 260 multiple logins 408 see also users 399 Web Configurator 410 access users, see also force user authentication policies account user admin user troubleshooting 587 admin users 399 multiple logins 408 see also users 399
  • ZyXEL UAG4100 | User Guide - Page 605
    377 service ports Denial of Service (DoS configuration files 551 bandwidth limit troubleshooting 585 bandwidth management 366, 376 and schedules 371, 374 and user groups 371, 374 and users certificate troubleshooting 587 Certificate , 480 expired 468 factory-default 468 file formats 468 fingerprints
  • ZyXEL UAG4100 | User Guide - Page 606
    560, 566 configuration file troubleshooting 588 configuration files 549 at restart 552 backing up 551 downloading 553, 571 downloading with FTP 524 editing 549 how applied 550 lastgood.conf 552, 555 managing 551 startup-config.conf 555 startup-config-bad.conf 552 syntax 550 system-default.conf 555
  • ZyXEL UAG4100 | User Guide - Page 607
    158 basic characteristics 155 virtual 189 exceptional services 262 extended authentication and VPN gateways 339 IKE SA 358 Extended Service Set IDentification 415 ext-user troubleshooting 586 F FCC interference statement 597 file extensions configuration files 549
  • ZyXEL UAG4100 | User Guide - Page 608
    boot module, see boot module current version 82, 556 getting updated 555 uploading 555, 556 uploading with FTP 524 firmware upload troubleshooting 589 flash usage 84 forcing login 260 FQDN 496 free guest account 332 free time 332 configuration 332 enable 332 FTP 524 additional signaling port 240 ALG
  • ZyXEL UAG4100 | User Guide - Page 609
    virtual interfaces. VLAN, see also VLAN interfaces. Internet access troubleshooting 583, 586 Internet Control Message Protocol, see ICMP Internet Explorer see IPSec IP policy routing, see policy routes IP protocols 447 and service objects 448 ICMP, see ICMP TCP, see TCP UDP, see UDP User's Guide 609
  • ZyXEL UAG4100 | User Guide - Page 610
    IP 254 LDAP and users 400 port 461, 462 least load first load balancing 196 LED suppression mode 138 LED troubleshooting 583 level-4 inspection 377 regular 125 types of 125 logged in users 89 login custom page 506 logo troubleshooting 588 logout Web Configurator 24 logs and security policy 296 e-
  • ZyXEL UAG4100 | User Guide - Page 611
    426 mac role 411 managed web pages 387 management access troubleshooting 588 Management Information Base (MIB) 526 MD5 355 memory address groups 442 authentication method 464 certificates 467 schedules 453 services and service groups 447 users, user groups 399 OSI level-4 377 OSI level-7 376
  • ZyXEL UAG4100 | User Guide - Page 612
    Index files 561, 565, 566, 567 troubleshooting 589 packet captures downloading files 562, 565, 567, 568 PAP (Password Authentication Protocol) 485 Password Authentication Protocol (PAP) 485 Peanut Hull 214 Peer-to-peer (P2P) managing 376 Perfect Forward Secrecy (PFS) 345 Diffie-Hellman key group
  • ZyXEL UAG4100 | User Guide - Page 613
    294 rule criteria 291 session control 296 session limits 291 stateful inspection 290 to-Device, see to-Device security policy triangle routes 291, 293 troubleshooting 584 vs application patrol 289 security settings troubleshooting 584 serial number 82 service control 501
  • ZyXEL UAG4100 | User Guide - Page 614
    troubleshooting 588 shell scripts 549 and users 413 downloading 558 editing 557 how applied 550 managing 557 syntax 550 uploading 559 Short Message Service 336 shutdown 582 signatures updating 134 Simple Network Management Protocol, see SNMP SMS 336 configuration services UAG Series User's Guide 614
  • ZyXEL UAG4100 | User Guide - Page 615
    virtual interfaces 291 Triple Data Encryption Standard, see 3DES troubleshooting 560, 566, 583 admin user 587 bandwidth limit 585 certificate 587 configuration file 588 connection resets 586 DDNS 585 device access 583 ext-user 586 firmware upload 589 HTTP redirect 586 interface 584 Internet access
  • ZyXEL UAG4100 | User Guide - Page 616
    service control 501 and shell scripts 413 attributes for Ext-User 400 attributes for RADIUS 413 attributes in AAA servers 413 currently logged in 83, 89 default lease time 408, 410 default reauthentication time 408, 410 default type for Ext-User 400 ext-group-user 174 troubleshooting User's Guide 616
  • ZyXEL UAG4100 | User Guide - Page 617
    W warranty 603 note 603 Web Configurator 21 access 23 access users 410 requirements 22 supported browsers 22 web features ActiveX 390 ) 415 Wi-Fi Protected Access 415 Windows Internet Naming Service, see WINS Windows Internet Naming Service, see WINS. WINS 164, 180, 188, 193 WINS User's Guide 617

Quick Start Guide
www.zyxel.com
UAG Series
UAG2100 / UAG4100 / UAG5100
Unified Access Gateway
Version 4.10
Edition 1, 03/2015
Copyright © 2015 ZyXEL Communications Corporation
User’s Guide
Default Login Details
LAN IP Address: http://172.16.0.1 (LAN1), http://172.17.0.1 (LAN2)
User Name: admin
Password: 1234