ZyXEL UAG715 User Guide

ZyXEL UAG715 Manual

ZyXEL UAG715 manual content summary:

  • ZyXEL UAG715 | User Guide - Page 1
    UAG715 Unified Access Gateway Version 2.50 Edition 1, 08/2012 Quick Start Guide User's Guide Default Login Details: LAN IP Address https://192.168.1.1, User Name admin, Password 1234. www.zyxel.com Copyright © 2012 ZyXEL Communications Corporation
  • ZyXEL UAG715 | User Guide - Page 2
    firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate. Related Documentation • Quick Start Guide The Quick Start Guide shows how to connect the UAG and access the Web Configurator wizards. (See the wizard real time help
  • ZyXEL UAG715 | User Guide - Page 3
    User Screens ...295 ZyWALL SecuExtender ...303 Bandwidth Management ...307 ADP ...317 Content Filtering ...333 User/Group ...355 Addresses ...368 Services ...373 Schedules ...378 AAA Server ...382 Authentication Method ...390 Certificates ...394 ISP Accounts ...411 SSL Application ...414 Endpoint
  • ZyXEL UAG715 | User Guide - Page 4
    Contents Overview Log and Report ...467 File Manager ...481 Diagnostics ...492 Packet Flow Explore ...500 Reboot ...509 Shutdown ...510 Troubleshooting ...511 4 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 5
    - Second WAN Interface 42 3.1.7 Internet Access - Finish ...43 3.2 Device Registration ...44 Chapter 4 Quick Setup Wizards ...47 4.1 Quick Setup Overview ...47 4.2 WAN Interface Quick Setup ...47 UAG715 User's Guide 5
  • ZyXEL UAG715 | User Guide - Page 6
    ...78 6.5 The Session Monitor Screen ...80 6.6 The DDNS Status Screen ...82 6.7 IP/MAC Binding Monitor ...83 6.8 The Login Users Screen ...83 6.9 USB Storage Screen ...84 6 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 7
    Do in this Chapter 97 7.1.2 What you Need to Know ...97 7.2 Registration Screen ...98 7.3 Service Screen ...100 Chapter 8 Interfaces ...103 8.1 Interface Overview ...103 8.1.1 What You Can Do in this Trunks ...143 9.1 Overview ...143 9.1.1 What You Can Do in this Chapter 143 UAG715 User's Guide 7
  • ZyXEL UAG715 | User Guide - Page 8
    Do in this Chapter 181 13.1.2 What You Need to Know ...181 13.2 The DDNS Screen ...182 13.2.1 The Dynamic DNS Add/Edit Screen 183 8 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 9
    this Chapter 209 18.1.2 What You Need to Know ...209 18.1.3 Before You Begin ...212 18.2 The ALG Screen ...212 18.3 ALG Technical Reference ...214 UAG715 User's Guide 9
  • ZyXEL UAG715 | User Guide - Page 10
    Example Applications 250 Chapter 22 IPSec VPN...253 22.1 Virtual Private Networks (VPN) Overview 253 22.1.1 What You Can Do in this Chapter 254 10 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 11
    Screen ...256 22.2.1 The VPN Connection Add/Edit (IKE) Screen 257 22.2.2 The VPN Connection Add/Edit Manual Key Screen 263 22.3 The VPN Gateway Screen ...265 22.3.1 The VPN Gateway Add/Edit Screen 266 22.4 26.1 Overview ...307 26.1.1 What You Can Do in this Chapter 307 UAG715 User's Guide 11
  • ZyXEL UAG715 | User Guide - Page 12
    Screen ...338 28.4 Content Filter Category Service Screen 339 28.4.1 Content Filter Blocked and Warning Messages 350 28.5 Content Filter Custom Service Screen 350 28.6 Content Filter Technical Reference User Group Summary Screen ...360 29.3.1 Group Add/Edit Screen ...361 12 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 13
    Add/Edit Screen 371 Chapter 31 Services ...373 31.1 Overview ...373 31.1.1 What Service Summary Screen ...374 31.2.1 The Service Add/Edit Screen 375 31.3 The Service Group Summary Screen 376 31.3.1 The Service ...382 33.1 Overview ...382 33.1.1 Directory Service (AD/LDAP 382 33.1.2 RADIUS Server ...
  • ZyXEL UAG715 | User Guide - Page 14
    a Web Site for Access 415 37.2 The SSL Application Screen ...416 37.2.1 Creating/Editing an SSL Application Object 417 Chapter 38 Endpoint Security ...419 14 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 15
    438 39.6.9 Adding a MX Record ...438 39.6.10 Adding a DNS Service Control Rule 439 39.7 WWW Overview ...439 39.7.1 Service Access Limitations 440 39.7.2 System Timeout ...440 39.7.3 HTTPS ...440 39 Using SSH Examples 459 39.9 Telnet ...461 39.9.1 Configuring Telnet ...461 UAG715 User's Guide 15
  • ZyXEL UAG715 | User Guide - Page 16
    of Contents 39.10 FTP ...462 39.10.1 Configuring FTP ...462 39.11 SNMP ...463 39.11.1 Supported MIBs ...464 39.11.2 SNMP Traps ...465 39.11.3 Configuring SNMP ...465 Chapter 40 Log and .5 The System Log Screen ...498 Chapter 43 Packet Flow Explore...500 43.1 Overview ...500 16 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 17
    509 Chapter 45 Shutdown...510 45.1 Overview ...510 45.1.1 What You Need To Know ...510 45.2 The Shutdown Screen ...510 Chapter 46 Troubleshooting...511 46.1 Resetting the UAG ...519 46.2 Getting More Troubleshooting Help 520 Appendix A Legal Information...521 Index ...525 UAG715 User's Guide 17
  • ZyXEL UAG715 | User Guide - Page 18
    Table of Contents 18 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 19
    1.1 Overview The UAG is a comprehensive service gateway. Its flexible configuration helps network administrators Router Security features include a stateful inspection firewall, anomaly detection & prevention, and content filtering. Figure 1 Applications: Security Router UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 20
    file server. User B has a lower level of access and can only access the Internet. User C is not even logged in and cannot access either. 20 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 21
    may be generic rather than the specific name used in your model. For example, this guide may use "the WAN interface" rather than "P1" or "P2". Figure 6 Zones, Interfaces, and Physical Ethernet Ports UAG715 Zones Interfaces WAN wan1 wan2 LAN1 LAN2 DMZ lan1 lan2 dmz Physical Ports P1 P2 P3
  • ZyXEL UAG715 | User Guide - Page 22
    SSH or Telnet) or via the physical or Web Configurator console port. See the Command Reference Guide for CLI details. The default settings for the console port are: Table 1 Console Port Default versions or later: Internet Explorer 6.0, Firefox 8.0, Chrome 14.0, Safari 4.0 22 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 23
    Service Pack 2) • Enable JavaScripts, Java permissions, and cookies The recommended screen resolution is 1024 x 768 pixels. 1.4.1 Web Configurator Access 1 Make sure your UAG hardware is properly connected. See the Quick Start Guide these parts (as illustrated on page 23): UAG715 User's Guide 23
  • ZyXEL UAG715 | User Guide - Page 24
    (CLI) commands. You will be prompted to enter your user name and password. See the Command Reference Guide for information about the commands. CLI Click this to open a popup window that displays the CLI commands Current Version This shows the firmware version of the UAG. 24 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 25
    screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object. Figure 11 Object Reference UAG715 User's Guide 25
  • ZyXEL UAG715 | User Guide - Page 26
    and it is not associated with any entry. Service This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority the UAG's navigation panel menus and their screens. 26 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 27
    Dashboard The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs log out individual users and delete related session information. UAG715 User's Guide 27
  • ZyXEL UAG715 | User Guide - Page 28
    device and activate trial services. Service View the licensed service status and upgrade licensed services. Network Interface Port Role Configure IP to MAC address bindings for devices connected to each supported interface. Exempt List Configure ranges of IP addresses to which the UAG does
  • ZyXEL UAG715 | User Guide - Page 29
    Group Create and manage groups of addresses. Service Service Create and manage TCP and UDP services. Service Group Create and manage groups of services. Schedule Schedule Create one-time and recurring , and time zone in the UAG. Console Speed Set the console speed. UAG715 User's Guide 29
  • ZyXEL UAG715 | User Guide - Page 30
    telnet server settings for the UAG. FTP Configure FTP server settings. SNMP Configure SNMP communities and services. Log & Report Email Daily Report Configure where and how to send daily reports heading to sort the table's entries according to that column's criteria. 30 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 31
    drop it to change the column order. A green check mark displays next to the column's title when you drag the column to a valid new location. UAG715 User's Guide 31
  • ZyXEL UAG715 | User Guide - Page 32
    , if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one. 32 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 33
    > Shutdown or the shutdown command before you turn off the UAG or remove the power. Not doing so can cause the firmware to become corrupt. UAG715 User's Guide 33
  • ZyXEL UAG715 | User Guide - Page 34
    or in a wiring closet with other equipment using a rack-mounting kit. Make sure the rack will safely support the combined weight of all the equipment it contains and that the position of the UAG does not make the . Secure the UAG to the rack with the rack-mounting screws. UAG715 User's Guide 34
  • ZyXEL UAG715 | User Guide - Page 35
    , but the UAG can negotiate with the peer and turn it off if needed). The color-coded Ethernet port supports the IEEE 802.3at High Power over Ethernet (PoE) standard and can receive power of up to 30W per end to a serial port (COM1, COM2 or other COM port) of your computer. UAG715 User's Guide 35
  • ZyXEL UAG715 | User Guide - Page 36
    Panel The following figure shows the rear panel of the UAG. The rear panel contains a connector for the power receptacle. Figure 22 Rear Panel 36 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 37
    displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup : Enter the Internet access information exactly as your ISP gave it to you. UAG715 User's Guide 37
  • ZyXEL UAG715 | User Guide - Page 38
    Auto. Use this screen to configure your IP address settings. Note: Enter the Internet access information exactly as given to you by your ISP. 38 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 39
    mask for this WAN connection's IP address. • Gateway IP Address: Enter the IP address of the router through which this WAN connection will send traffic (the default gateway). • First / Second DNS Server: the Internet access information exactly as given to you by your ISP. UAG715 User's Guide 39
  • ZyXEL UAG715 | User Guide - Page 40
    Parameters • Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPPoE server. 3.1.3.2 WAN IP Address Assignments UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 41
    . Use up to 64 ASCII characters except the [] and ?. This field can be blank. Re-type your password in the next field to confirm it. UAG715 User's Guide 41
  • ZyXEL UAG715 | User Guide - Page 42
    For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your broadband modem or router. You can use alphanumeric and -_: characters, and it can be up to 31 characters long. 3.1.5.2 WAN IP similar to the first (see Section 3.1.1 on page 37). 42 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 43
    29 Internet Access: Ethernet Encapsulation Note: If you have not already done so, you can register your UAG with myZyXEL.com and activate trials of services like Content Filter. UAG715 User's Guide 43
  • ZyXEL UAG715 | User Guide - Page 44
    name and which trial services are activated (if any). You can still activate any un-activated trial services. Note: You must be connected to the Internet to register. Use the Registration > Service screen to update your service subscription status. Figure 30 Registration 44 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 45
    vendor from which you bought the product. Customer support may use this information if there are problems with your UAG. • Seller's Name: Enter accept the terms in the Privacy Policy. • Trial Service Activation: You can try a trial service subscription. The trial period starts the day you activate
  • ZyXEL UAG715 | User Guide - Page 46
    Chapter 3 Installation Setup Wizard 46 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 47
    quick setup screens in the Web Configurator. See the feature-specific chapters in this User's Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first to configure an interface to connect to the Internet. Click Next. UAG715 User's Guide 47
  • ZyXEL UAG715 | User Guide - Page 48
    the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP. 48 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 49
    read-only if you set the IP Address Assignment to Static. Note: Enter the Internet access information exactly as your ISP gave it to you. UAG715 User's Guide 49
  • ZyXEL UAG715 | User Guide - Page 50
    before the router automatically disconnects from the PPPoE server. 0 means no timeout. This section only appears if the interface uses a PPPoE or PPTP Internet connection. This displays the identity of the Ethernet interface you configure to connect with a modem or router. 50 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 51
    , C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem. WAN Interface Setup WAN Interface Zone IP Address First DNS Server Second DNS Server You can use alphanumeric settings. Figure 37 Interface Wizard: Summary WAN (Ethernet Shown) UAG715 User's Guide 51
  • ZyXEL UAG715 | User Guide - Page 52
    the Internet. Service Name This field only appears for a PPPoE interface. It displays the PPPoE service name specified in This is how many seconds the connection can be idle before the router automatically disconnects from the PPPoE server. 0 means no timeout. Connection UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 53
    Advanced to change the default settings and/or use certificates instead of a pre-shared key to create a VPN rule to connect to another IPSec device. UAG715 User's Guide 53
  • ZyXEL UAG715 | User Guide - Page 54
    Chapter 4 Quick Setup Wizards Figure 40 VPN Setup Wizard: Wizard Type 4.3.3 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 40 on page 54 to display the following screen. Figure 41 VPN Express Wizard: Scenario 54 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 55
    the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. • Pre-Shared Key: Type the match the local IP address configured on the remote IPSec device. UAG715 User's Guide 55
  • ZyXEL UAG715 | User Guide - Page 56
    IPSec device can initiate the VPN connection. • Pre-Shared Key: VPN tunnel password. It identifies a communicating party during a phase 1 IKE negotiation. • Local Policy: IP address and subnet mask of the settings appear in the VPN > IPSec VPN > VPN Connection screen. 56 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 57
    Figure 44 VPN Express Wizard: Finish Chapter 4 Quick Setup Wizards Click Close to exit the wizard. 4.3.7 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 40 on page 54 to display the following screen. Figure 45 VPN Advanced Wizard: Scenario UAG715 User's Guide 57
  • ZyXEL UAG715 | User Guide - Page 58
    more incoming connections from dynamic IP addresses to use separate passwords. Note: Multiple SAs connecting through a secure gateway must have the same negotiation mode. 58 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 59
    • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices). Note: The remote IPSec device must also have NAT traversal enabled. See the , AH is not. • Encapsulation: Tunnel is compatible with NAT, Transport is not. UAG715 User's Guide 59
  • ZyXEL UAG715 | User Guide - Page 60
    remote IPSec device. • Pre-Shared Key: VPN tunnel password. • Certificate: The certificate the UAG uses to identify itself when setting up the VPN tunnel. 60 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 61
    and the Phase 2 rule settings appear in the VPN > IPSec VPN > VPN Connection screen. Figure 49 VPN Wizard: Finish Click Close to exit the wizard. UAG715 User's Guide 61
  • ZyXEL UAG715 | User Guide - Page 62
    Chapter 4 Quick Setup Wizards 62 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 63
    UAG's general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re
  • ZyXEL UAG715 | User Guide - Page 64
    Now (D) Click this to update the widget's information immediately. Close Widget (E) Click this to close the widget. Use Widget Setting to re-open it. 64 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 65
    users currently logged in to the UAG. Click the icon to pop-open a list of the users who are currently logged in to the UAG. UAG715 User's Guide 65
  • ZyXEL UAG715 | User Guide - Page 66
    not have any physical ports associated with it, its entry is displayed in light gray text. This field displays the name of each interface. 66 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 67
    DHCP. Action If this interface is a member of an active virtual router, this field displays the IP address it is currently using. This is update its IP address, this field displays n/a. Licensed Service Status # Status Name Version Expiration Content Filter Statistics Web UAG715 User's Guide 67
  • ZyXEL UAG715 | User Guide - Page 68
    Use this screen to look at a chart of the UAG's recent memory (RAM) usage. To access this screen, click Memory Usage in the dashboard. 68 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 69
    a chart of the UAG's recent traffic session usage. To access this screen, click Show Active Sessions in the dashboard. Figure 53 Dashboard > Show Active Sessions UAG715 User's Guide 69
  • ZyXEL UAG715 | User Guide - Page 70
    DHCP clients and the IP addresses reserved for specific MAC addresses. To access this screen, click DHCP Table in System Status in the dashboard. 70 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 71
    without logging out are still shown as logged in here. To access this screen, click Number of Login Users in System Status in the dashboard. UAG715 User's Guide 71
  • ZyXEL UAG715 | User Guide - Page 72
    If the external user matches two external-group objects, both external-group object names will be shown. Click this icon to end a user's session. 72 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 73
    Use the System Status > Session Monitor screen (see Section 6.5 on page 80) to view sessions by user or service. • Use the System Status > DDNS Status screen (see Section 6.6 on page 82) to view the status of 6.15 on page 91) to view and configure your UAG's URL caching. UAG715 User's Guide 73
  • ZyXEL UAG715 | User Guide - Page 74
    connected. This field displays the transmission speed, in bytes per second, on the physical port in the one-second interval before the screen updated. 74 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 75
    over which the transmission or reception occurred TX This line represents traffic transmitted from the UAG on the physical port since it was last connected. UAG715 User's Guide 75
  • ZyXEL UAG715 | User Guide - Page 76
    name, click this to look at the status of virtual interfaces on top of this interface. Port This field displays the physical port number. 76 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 77
    relay, DHCP server, DDNS, RIP, and OSPF. This field displays n/a if the interface does not provide any services to the network. Use this field to get or to update the IP address for the interface. Click Renew time (hh:mm:ss) since when the PPP interface is connected. UAG715 User's Guide 77
  • ZyXEL UAG715 | User Guide - Page 78
    Please see Table 22 on page 79 for more information. • Most-used protocols or service ports and the amount of traffic on each one • LAN IP with heaviest traffic start and stop it manually in the Traffic Statistics screen. Figure 60 Monitor > System Status > Traffic Statistics 78 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 79
    what protocol the service was using. This field indicates whether the indicated protocol or service port is sending or receiving traffic. Ingress - traffic is coming into the router through the interface Egress - traffic is going out from the router through the interface UAG715 User's Guide 79
  • ZyXEL UAG715 | User Guide - Page 80
    , source IP address, or destination IP address. You can also filter the information by user, protocol / service or service group, source address, and/or destination address and view it by user. Click Monitor > System Status > Session Monitor to display the following screen. 80 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 81
    services - display all active sessions grouped by service Service Source Destination Search Service , Service, service or service group whose sessions you want to view. The UAG identifies the service services that is defined. (See Chapter 31 on page 373 for more information about services the User, Service, Source
  • ZyXEL UAG715 | User Guide - Page 82
    This field displays the protocol used in each active session. Source If you are looking at the sessions by services report, click + or - to display or hide details about a protocol's sessions. This field displays the occurred (in year-month-day hour:minute:second format). 82 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 83
    Use this screen to look at a list of the users currently logged into the UAG. To access this screen, click Monitor > System Status > Login Users. UAG715 User's Guide 83
  • ZyXEL UAG715 | User Guide - Page 84
    displays information about a connected USB storage device. Click Monitor > System Status > USB Storage to display this screen. Figure 65 Monitor > System Status > USB Storage 84 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 85
    supports. Ready - you can have the UAG use the USB storage device. Click Remove Now to stop the UAG from using the USB storage device so you can remove it. Unused - the connected USB storage device was manually . Click Monitor > VPN 1-1 Mapping to open the following screen. UAG715 User's Guide 85
  • ZyXEL UAG715 | User Guide - Page 86
    shows statistics for each of the VPN 1-1 mapping rules. Click Monitor > VPN 1-1 Mapping > Statistics to display this screen. Figure 67 Monitor > VPN 1-1 Mapping > Statistics 86 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 87
    above. Disconnect Select an IPSec SA and click this button to disconnect it. Total Connection This field displays the total number of associated IPSec SAs. UAG715 User's Guide 87
  • ZyXEL UAG715 | User Guide - Page 88
    displays N/A if the IPSec SA uses manual keys. Inbound (Bytes) This field displays the amount of traffic that has gone through the IPSec SA from the remote IPSec router to the UAG since the IPSec SA screen to do the following: • View a list of active SSL VPN connections. 88 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 89
    this connection. 6.14 The Content Filter Statistics Screen Click Monitor > Anti-X Statistics > Content Filter to display the following screen. This screen displays content filter statistics. UAG715 User's Guide 89
  • ZyXEL UAG715 | User Guide - Page 90
    which the UAG displayed a warning message to the access requesters. Passed This is the number of web pages to which the UAG allowed access. 90 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 91
    the UAG did not allow access because they were not rated by the external database content filtering service. Report Server Click this link to go to http://www.myZyXEL.com where you can view content column's criteria. Click the heading cell again to reverse the sort order. UAG715 User's Guide 91
  • ZyXEL UAG715 | User Guide - Page 92
    the list of content filter cache entries. Click this button to clear all web site addresses from the cache manually. Select one or more URL entries and click Delete to remove them from the cache. This is the minutes left before the URL entry is discarded from the cache. 92 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 93
    in black. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. UAG715 User's Guide 93
  • ZyXEL UAG715 | User Guide - Page 94
    Destination Interface Service If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyword, log message. This displays when you show the filter. Select the service whose log messages you would like to see. The Web Configurator uses the protocol
  • ZyXEL UAG715 | User Guide - Page 95
    double quotes, and brackets are not allowed. Protocol This displays when you show the filter. Select a service protocol whose log messages you would like to see. Search This displays when you show the filter. Click you leave the View Log screen and return to it later. UAG715 User's Guide 95
  • ZyXEL UAG715 | User Guide - Page 96
    Chapter 6 Monitor 96 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 97
    Services Available on the UAG You can have the UAG use the content filtering subscription service. You can also purchase and enter a license key to have the UAG use more SSL VPN tunnels. See the respective User's Guide chapters for more information about these features. UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 98
    7.2 Registration Screen Use this screen to register your UAG with myZyXEL.com and activate a service, such as content filtering. Click Configuration > Licensing > Registration in the navigation panel to open name and password in the fields below to register your UAG. 98 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 99
    : If the UAG is registered already, this screen is read-only and indicates whether trial services are activated (if any). You can still select the unchecked trial service(s) to activate it after registration. Use the Service screen to update your service subscription status. UAG715 User's Guide 99
  • ZyXEL UAG715 | User Guide - Page 100
    shown next. Figure 75 Configuration > Licensing > Registration > Service The following table describes the labels in this screen. Table 37 Configuration > Licensing > Registration > Service LABEL DESCRIPTION License Status # This is the entry's position in the list. 100 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 101
    service subscription runs out, you need to buy a new iCard (specific to your UAG) and enter the new PIN number to extend the service. Service License Refresh Click this button to renew service license information (such as the registration status and expiration day). UAG715 User's Guide 101
  • ZyXEL UAG715 | User Guide - Page 102
    Chapter 7 Registration 102 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 103
    interface is bound to a physical port or another interface. • Many interfaces can share the same physical port. • An interface belongs to at most one zone. UAG715 User's Guide 103
  • ZyXEL UAG715 | User Guide - Page 104
    . You can also assign an IP address and subnet mask to the bridge. • PPP interfaces support Point-to-Point Protocols (PPP). ISP accounts are required for PPPoE/PPTP interfaces. • Virtual interfaces number (x). For most interfaces, x is limited by the maximum number of the 104 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 105
    it. Finding Out More • See Section 8.8 on page 137 for background information on interfaces. • See Chapter 9 on page 143 to configure load balancing using trunks. UAG715 User's Guide 105
  • ZyXEL UAG715 | User Guide - Page 106
    to save your changes and apply them to the UAG. Click Reset to change the port groups to their current configuration (last-saved values). 106 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 107
    amount of bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available. Use routers also generate more network traffic, and some routing protocols require a significant amount of configuration and management. The UAG supports . UAG715 User's Guide 107
  • ZyXEL UAG715 | User Guide - Page 108
    information, send routing information, or do both. • Select which version of RIP to support in each direction - The UAG supports RIP-1, RIP-2, and both versions. • Select the broadcasting method used by RIP-2 packets used to identify the DR or BDR if one does not exist. 108 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 109
    Chapter 8 Interfaces Figure 78 Configuration > Network > Interface > Ethernet > Edit (External Type) UAG715 User's Guide 109
  • ZyXEL UAG715 | User Guide - Page 110
    Chapter 8 Interfaces Figure 79 Configuration > Network > Interface > Ethernet > Edit (Internal Type) 110 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 111
    Type is external. Select this if you want to specify the IP address, subnet mask, and gateway manually. Enter the IP address for this interface. Enter the subnet mask of this interface in dot decimal from the network through the interface. Allowed values are 0 - 1048576. UAG715 User's Guide 111
  • ZyXEL UAG715 | User Guide - Page 112
    Interface Type is internal. Select what type of DHCP service the UAG provides to the network. Choices are: None - the UAG does not provide any DHCP services. There is already a DHCP server on the network. ), last address (broadcast address) and the interface's IP address. 112 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 113
    relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this . UAG715 User's Guide 113
  • ZyXEL UAG715 | User Guide - Page 114
    when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the DR the interface use either the factory assigned default MAC address, a manually specified MAC address, or clone the MAC address of another device UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 115
    and it is not associated with any entry. Service This is the type of setting that references the selected object. Click a service's name to display the service's configuration screen in the main window. Priority manage PPPoE/PPTP software on each computer in the network. UAG715 User's Guide 115
  • ZyXEL UAG715 | User Guide - Page 116
    Interface Summary This screen lists every PPPoE/PPTP interface. To access this screen, click Configuration > Network > Interface > PPP. Figure 82 Configuration > Network > Interface > PPP 116 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 117
    an interface, select it and click Connect. You might use this in testing the interface or to manually establish the connection for a Dial-on-Demand PPPoE/PPTP interface. To disconnect an interface, select it and in the PPP interface summary screen and click the Edit icon. UAG715 User's Guide 117
  • ZyXEL UAG715 | User Guide - Page 118
    Chapter 8 Interfaces Figure 83 Configuration > Network > Interface > PPP > Add 118 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 119
    It displays the user name for the ISP account. This field is read-only. It displays the PPPoE service name specified in the ISP account. This field is not available if the ISP account uses PPTP. This interfaces. Select this if you want to specify the IP address manually. UAG715 User's Guide 119
  • ZyXEL UAG715 | User Guide - Page 120
    where you can configure the interface as part of a WAN trunk for load balancing. Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this interface. 120 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 121
    The physical networks are connected to hubs, and the hubs are connected to the router. Figure 84 Example: Before VLAN Alternatively, you can divide the physical networks into the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need
  • ZyXEL UAG715 | User Guide - Page 122
    communication communication (network layer, IP addresses). It is handled by the router department faster than the router does. In addition, broadcasts router and VLAN 1. • Between the router and VLAN 2. • Between the router . As a router, the UAG . They can provide DHCP services, and they can verify
  • ZyXEL UAG715 | User Guide - Page 123
    you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface. To access this screen, click the Add icon UAG715 User's Guide 123
  • ZyXEL UAG715 | User Guide - Page 124
    Chapter 8 Interfaces or select an entry in the VLAN summary screen and click the Edit icon. The following screen appears. Figure 87 Configuration > Network > Interface > VLAN > Edit 124 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 125
    and gateway automatically. Select this if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. Subnet Mask Enter the IP address . Allowed values are 576 - 1500. Usually, this value is 1500. UAG715 User's Guide 125
  • ZyXEL UAG715 | User Guide - Page 126
    , LAN and DMZ interfaces. Select what type of DHCP service the UAG provides to the network. Choices are: None - the UAG does not provide any DHCP services. There is already a DHCP server on the network. DHCP last address (broadcast address) and the interface's IP address. 126 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 127
    DNS relay. Type the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP clients. The specific MAC addresses for this VLAN. This stops anyone else from manually using a bound IP address on another device connected to this interface UAG715 User's Guide 127
  • ZyXEL UAG715 | User Guide - Page 128
    when the area is looking for a Designated Router (DR) or Backup Designated Router (BDR). The highest-priority interface identifies the balancing. Click Policy Route to go to the screen where you can manually configure a policy route to associate traffic with this VLAN. Click OK UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 129
    resulting network. This UAG can bridge traffic between some interfaces while it routes traffic for other interfaces. The bridge interfaces also support more functions, like interface bandwidth parameters, DHCP settings, and connectivity check. To use the whole UAG as a transparent bridge, add all
  • ZyXEL UAG715 | User Guide - Page 130
    create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. 130 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 131
    access this screen, click the Add icon, or select an entry in the Bridge summary screen and click the Edit icon. The following screen appears. UAG715 User's Guide 131
  • ZyXEL UAG715 | User Guide - Page 132
    Chapter 8 Interfaces Figure 89 Configuration > Network > Interface > Bridge > Add 132 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 133
    and gateway automatically. Select this if you want to specify the IP address, subnet mask, and gateway manually. This field is enabled if you select Use Fixed IP Address. Subnet Mask Enter the IP address through the interface to the network. Allowed values are 0 - 1048576. UAG715 User's Guide 133
  • ZyXEL UAG715 | User Guide - Page 134
    the IP address of the WINS (Windows Internet Naming Service) server that you want to send to the DHCP router. This default router will become the DHCP clients' default gateway. To use another IP address as the default router, select Custom Defined and enter the IP address. 134 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 135
    interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make configure the interface as part of a WAN trunk for load balancing. UAG715 User's Guide 135
  • ZyXEL UAG715 | User Guide - Page 136
    Click Policy Route to go to the screen where you can manually configure a policy route Route to associate traffic with this bridge . Unlike other interfaces, virtual interfaces do not provide DHCP services, and they do not verify that the gateway is available Interface 136 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 137
    UAG. IP Address Assignment Most interfaces have an IP address and a subnet mask. This information is used to create an entry in the routing table. UAG715 User's Guide 137
  • ZyXEL UAG715 | User Guide - Page 138
    DHCP clients. You have to assign the IP address and subnet mask manually. In general, the IP address and subnet mask of each interface should In this case, the packet is dropped. However, if there is a default router to which the UAG should send this packet, you can specify it as UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 139
    . On the other hand, some communication channels, such as Ethernet over ATM network. This reduces the amount of manual configuration you have to do and In the UAG, some interfaces can provide DHCP services to the network. In this case, the support ingress bandwidth management. UAG715 User's Guide 139
  • ZyXEL UAG715 | User Guide - Page 140
    cable modems and DSL connections. It provides the following advantages: • The access and authentication method works with existing systems, including RADIUS. • You can access one of several network services. This makes it easier for the service provider to offer the service 140 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 141
    Chapter 8 Interfaces • PPPoE does not usually require any special configuration of the modem. PPTP is used to set up virtual private networks (VPN) in unsecure TCP/IP PPTP is convenient and easy-to-use, but you have to make sure that firewalls support both PPTP sessions. UAG715 User's Guide 141
  • ZyXEL UAG715 | User Guide - Page 142
    Chapter 8 Interfaces 142 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 143
    to another ISP) set to passive. This way VoIP traffic goes through the interface connected to the VoIP service provider whenever the interface's connection is up. 9.1.1 What You Can Do in this Chapter • Use the types through the best WAN interface for that type of traffic. UAG715 User's Guide 143
  • ZyXEL UAG715 | User Guide - Page 144
    to the bandwidth an interface is currently using. 2. In the load balancing section, a session may refer to normal connection-oriented, UDP or SNMP2 traffic. 144 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 145
    MEASURED (M) 412 K 198 K LOAD BALANCING INDEX (M/A) 0.8 0.77 Weighted Round Robin Round Robin scheduling services queues on a rotating basis and is activated only when an interface has more traffic than it can one session's traffic to wan2 in each round of 3 new sessions. UAG715 User's Guide 145
  • ZyXEL UAG715 | User Guide - Page 146
    > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use. 146 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 147
    default system WAN trunk or one of the user configured WAN trunks as the default trunk for routing traffic from internal interfaces to external interfaces. UAG715 User's Guide 147
  • ZyXEL UAG715 | User Guide - Page 148
    to open the following screen. Use this screen to create or edit a WAN trunk entry. Figure 97 Configuration > Network > Interface > Trunk > Add (or Edit) 148 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 149
    to allow to come in through the interface per second. Note: You can configure the bandwidth of an interface in the corresponding interface edit screen. UAG715 User's Guide 149
  • ZyXEL UAG715 | User Guide - Page 150
    each member interface equally and is not allowed to be changed for the default trunk. Figure 98 Configuration > Network > Interface > Trunk > Edit (System Default) 150 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 151
    in the order that they are listed. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving. UAG715 User's Guide 151
  • ZyXEL UAG715 | User Guide - Page 152
    Chapter 9 Trunks 152 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 153
    through the UAG's default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2. You create another policy route to communicate with a separate network behind another router (R3) connected to the LAN. Figure 99 Example of Policy Routing Topology A R1
  • ZyXEL UAG715 | User Guide - Page 154
    propagate the routing information to other routers. See Chapter 11 on page Static routes can be propagated to other routers using RIP or OSPF. • Policy UAG and propagate it to other routers, you could configure a policy route the same priority. CoS (class of service) is a way of managing traffic in
  • ZyXEL UAG715 | User Guide - Page 155
    is going. DSCP Marking and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused packet filtering facility of RAS in style and in implementation. UAG715 User's Guide 155
  • ZyXEL UAG715 | User Guide - Page 156
    the schedule object. none means the route is active at all times if enabled. This is the interface on which the packets are received. 156 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 157
    This is the name of the service object. any means all services. This is the next hop to which packets are directed. It helps forward packets to their destinations and can be a router, VPN tunnel, outgoing interface or . Use this screen to configure or edit a policy route. UAG715 User's Guide 157
  • ZyXEL UAG715 | User Guide - Page 158
    of up to 31 printable ASCII characters for the policy. Criteria User Select a user name or user group from which the packets are sent. 158 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 159
    service group to identify the type of traffic to which this policy route applies. Select Auto to have the UAG use the routing table to find a next-hop and forward the matched packets automatically. Select Gateway to route the matched packets to the next-hop router is down. UAG715 User's Guide 159
  • ZyXEL UAG715 | User Guide - Page 160
    on the LAN to dynamically take turns using a service that uses a dedicated range of ports on the Service Trigger Service Bandwidth Shaping Note: You need to create a firewall rule to allow an incoming service to the client computer that requested the service. This allows you to allocate bandwidth
  • ZyXEL UAG715 | User Guide - Page 161
    static routes to be able to use RIP or OSPF to propagate the routing information to other routers. Figure 102 Configuration > Network > Routing > Static Route The following table describes the labels in click Edit to open a screen where you can modify the entry's settings. UAG715 User's Guide 161
  • ZyXEL UAG715 | User Guide - Page 162
    of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your UAG's interface(s). The gateway helps forward packets to their destinations be 0~127. In practice, 2 or 3 is usually a good number. 162 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 163
    (coming in from the remote server) to a client computer. The problem is that port forwarding only forwards a service to a single IP address. In order to use the same service on a different computer, you have to manually replace the client computer's IP address with another client computer's IP
  • ZyXEL UAG715 | User Guide - Page 164
    computer that sent the request. In the following example, you configure two services for port triggering: Incoming service: Game (UDP: 1234) Trigger service: Game-1 (UDP: 5670-5678) 1 Computer A wants to play a equally among policy routes with the same priority level. 164 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 165
    from other routers. The routers. Routing protocols are usually only used in networks using multiple routers You Need to Know The UAG supports two standards, RIP and OSPF, Small (with up to 15 routers) Metric Hop count Convergence Slow exchange routing information with other routers. RIP is a vector
  • ZyXEL UAG715 | User Guide - Page 166
    asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers). • In the UAG, you can configure two sets of RIP settings before you can use it in an the ID for MD5 authentication. The ID can be between 1 and 255. 166 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 167
    advantages over vector-space routing protocols like RIP. • OSPF supports variable-length subnet masks, which can be set up to responds to changes in the network, such as the loss of a router, more quickly. • OSPF considers several factors, including bandwidth, hop areas. UAG715 User's Guide 167
  • ZyXEL UAG715 | User Guide - Page 168
    -bit ID in the OSPF AS, and there are several types of routers. Each type is really just a different role, and it is possible for one router to play multiple roles at one time. • An internal router (IR) only exchanges routing information with other routers in the same area. 168 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 169
    and exchanges routing information between them. • An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in area to the backbone. This is illustrated in the following example. UAG715 User's Guide 169
  • ZyXEL UAG715 | User Guide - Page 170
    virtual links, as needed. 11.3.1 Configuring the OSPF Screen Use the first OSPF screen to specify the OSPF router the UAG uses in the OSPF AS and maintain the policies for redistribution. In addition, it provides a Network > Routing > OSPF to open the following screen. 170 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 171
    assigns an available interface with the largest IP address hex value at last reboot as the OSPF Router ID. Redistribute Active RIP Type User Defined - enter the ID (in IP address format) in (Metric) Type 2 - cost = external cost (Metric); the OSPF AS cost is ignored. UAG715 User's Guide 171
  • ZyXEL UAG715 | User Guide - Page 172
    screen (see Section 11.3 on page 167), and click either the Add icon or an Edit icon. Figure 110 Configuration > Network > Routing > OSPF > Add 172 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 173
    doing so. # This field is a sequential value, and it is not associated with a specific area. Peer Router ID This is the 32-bit ID (in IP address format) of the other ABR in the virtual link. Authentication to the UAG. Click Cancel to exit this screen without saving. UAG715 User's Guide 173
  • ZyXEL UAG715 | User Guide - Page 174
    labels in this screen. Table 70 Configuration > Network > Routing > OSPF > Add > Add LABEL Peer Router ID Authentication DESCRIPTION Enter the 32-bit ID (in IP address format) of the other ABR in the virtual Reference Here is more detailed information about RIP and OSPF. 174 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 175
    message is verified, then the receiving router accepts the updated routing information. The transmitting and receiving routers must have the same key. The UAG supports three types of authentication for RIP . Please see the respective interface sections for more information. UAG715 User's Guide 175
  • ZyXEL UAG715 | User Guide - Page 176
    Chapter 11 Routing Protocols 176 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 177
    traffic into three types--intra-zone traffic, inter-zone traffic, and extra-zone traffic--which are affected differently by zone-based security and policy settings. UAG715 User's Guide 177
  • ZyXEL UAG715 | User Guide - Page 178
    addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Network > Zone. Figure 113 Configuration > Network > Zone 178 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 179
    , go to the Zone screen (see Section 12.2 on page 178), and click the Add icon or an Edit icon. Figure 114 Network > Zone > Add UAG715 User's Guide 179
  • ZyXEL UAG715 | User Guide - Page 180
    arrow button to remove them. Click OK to save your customized settings and exit this screen. Click Cancel to exit this screen without saving. 180 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 181
    supports the following DNS service providers. See the listed websites for details about the DNS services offered by each. Table 73 DDNS Service Providers PROVIDER SERVICE TYPES SUPPORTED IP addresses to the DDNS service provider, which helps redirect traffic accordingly. UAG715 User's Guide 181
  • ZyXEL UAG715 | User Guide - Page 182
    entry is inactive. This field displays the descriptive profile name for this entry. This field displays which DDNS service you are using. This field displays each domain name the UAG can route. This field displays the for the domain name. custom - The IP address is static. 182 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 183
    Settings Click this button to display a greater or lesser number of configuration fields. Enable DDNS Profile Select this check box to use this DDNS entry. UAG715 User's Guide 183
  • ZyXEL UAG715 | User Guide - Page 184
    entry, this user name is the one you use for logging into the service, not the name recorded in your personal information in the Dynu website. may want to use this if there are one or more NAT routers between the UAG and the DDNS server. Custom IP Backup Binding Address 184 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 185
    if there are one or more NAT routers between the UAG and the DDNS server the mail exchanger. If you are using this service, type the host record of your mail are using DynDNS's backup service for e-mail. With this service, DynDNS holds onto your service. Click OK to save your changes back
  • ZyXEL UAG715 | User Guide - Page 186
    Chapter 13 DDNS 186 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 187
    as virtual server, port forwarding, or port translation. Finding Out More • See Section 14.3 on page 191 for technical background information related to these screens. UAG715 User's Guide 187
  • ZyXEL UAG715 | User Guide - Page 188
    field displays the new destination IP address for the packet. Protocol This field displays the service used by the packets for this NAT entry. It displays any if there is no restriction on the UAG. Reset Click this button to return the screen to its last-saved settings. 188 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 189
    to the NAT rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. UAG715 User's Guide 189
  • ZyXEL UAG715 | User Guide - Page 190
    rule supports one destination port. Ports - this NAT rule supports a range of destination ports. You might use a range of destination ports for unknown services or when one server supports more than one service. This field is read-only and displays any for Many 1:1 NAT. 190 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 191
    Service. Select the original service whose destination port(s) is supported by this NAT rule. This field is available if Port Mapping Type is Service. Select the translated service whose destination port(s) is supported Here is more detailed information about NAT on the UAG. UAG715 User's Guide 191
  • ZyXEL UAG715 | User Guide - Page 192
    server. Figure 121 LAN to LAN Traffic NAT Source 192.168.1.1 SMTP LAN 192.168.1.21 Source 192.168.1.89 SMTP 192.168.1.89 192 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 193
    down the session. Figure 122 LAN to LAN Return Traffic NAT Source 192.168.1.21 SMTP LAN Source 1.1.1.1 SMTP 192.168.1.21 192.168.1.89 UAG715 User's Guide 193
  • ZyXEL UAG715 | User Guide - Page 194
    Chapter 14 NAT 194 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 195
    which defines the public IP address(es) that the UAG assigns to the matched users and the interface through which the user's traffic is forwarded. UAG715 User's Guide 195
  • ZyXEL UAG715 | User Guide - Page 196
    and click Configuration > Network > VPN 1-1 Mapping. The following screen appears, providing a summary of the existing VPN 1-1 mapping rules. Figure 124 Configuration > Network > VPN 1-1 Mapping 196 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 197
    Add or Edit icon to open the VPN 1-1 Mapping Add/Edit Policy screen where you can configure the rule. Figure 125 Network > VPN 1-1 Mapping > Add UAG715 User's Guide 197
  • ZyXEL UAG715 | User Guide - Page 198
    > Network > VPN 1-1 Mapping > Profile. The following screen appears, providing a summary of the existing IP address pool profiles. Figure 126 Configuration > Network > VPN 1-1 Mapping > Profile 198 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 199
    the matched users. Click this button to save your changes to the UAG. Click this button to return the screen to its last-saved settings. UAG715 User's Guide 199
  • ZyXEL UAG715 | User Guide - Page 200
    Chapter 15 VPN 1-1 Mapping 200 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 201
    You Need to Know Web Proxy Server A proxy server helps client devices make indirect requests to access the Internet or outside network resources/services. A proxy server can act as a firewall or an ALG (application layer gateway) between the private network and the Internet or other networks. It
  • ZyXEL UAG715 | User Guide - Page 202
    Route Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule, the UAG checks the HTTP redirect rules first from the client to the proxy server. You also need to manually configure a policy route to forward the HTTP traffic from the proxy UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 203
    must be received. Proxy Server This is the IP address of the proxy server. Port This is the service port number used by the proxy server. Apply Click Apply to save your changes back to the UAG. you can configure the rule. Figure 129 Network > HTTP Redirect > Edit UAG715 User's Guide 203
  • ZyXEL UAG715 | User Guide - Page 204
    the proxy server uses. OK Click OK to save your changes back to the UAG. Cancel Click Cancel to exit this screen without saving. 204 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 205
    as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail UAG715 User's Guide 205
  • ZyXEL UAG715 | User Guide - Page 206
    Route Even if you set a policy route to the same incoming interface and service as a SMTP redirect rule, the UAG checks the SMTP redirect rules first from the client to the SMTP server. You also need to manually configure a policy route to forward the SMTP traffic from the SMTP UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 207
    open the SMTP Redirect screen. Then click the Add or Edit icon to open the SMTP Redirect Edit screen where you can configure the rule. UAG715 User's Guide 207
  • ZyXEL UAG715 | User Guide - Page 208
    IP address of the SMTP server. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving. 208 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 209
    audio, data and video conferencing. • FTP - File Transfer Protocol - an Internet file transfer service. The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B the LAN. The ALG on the UAG supports all of the UAG's NAT mapping types. UAG715 User's Guide 209
  • ZyXEL UAG715 | User Guide - Page 210
    and firewall rules if you want to allow access to the server from the WAN. H.323 ALG • The H.323 ALG supports peer-to-peer H.323 calls. • The H.323 ALG handles H.323 calls that go through NAT or that the UAG NAT) for VoIP devices behind the UAG when you enable the SIP ALG. 210 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 211
    to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2. UAG715 User's Guide 211
  • ZyXEL UAG715 | User Guide - Page 212
    screen. Use this screen to turn ALGs off or on, configure the port numbers to which they apply, and configure SIP ALG time outs. 212 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 213
    timeout period expires, the UAG deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation. UAG715 User's Guide 213
  • ZyXEL UAG715 | User Guide - Page 214
    UDP port number, enter it here. Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and help build H.323 sessions through the UAG's NAT. Select this to have the UAG modify IP addresses the data stream to a public IP address. It also records session 214 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 215
    users can manually force them to re-register. FTP File Transfer Protocol (FTP) is an Internet file transfer service that operates and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. NetMeeting UAG715 User's Guide 215
  • ZyXEL UAG715 | User Guide - Page 216
    Chapter 18 ALG 216 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 217
    assigned each IP address. The UAG then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the UAG. Suppose you configure bindings are based on the UAG's dynamic and static DHCP entries. UAG715 User's Guide 217
  • ZyXEL UAG715 | User Guide - Page 218
    number of IP to MAC address bindings for devices connected to each supported interface. Figure 139 Configuration > Network > IP/MAC Binding > the entry is inactive. Interface This is the name of an interface that supports IP/MAC binding. Number of Binding This field displays the interface's total
  • ZyXEL UAG715 | User Guide - Page 219
    interface enforce links between specific IP addresses and specific MAC addresses. This stops anyone else from manually using a bound IP address on another device connected to this interface. Use this to make use of the device to which the UAG assigns the entry's IP address. UAG715 User's Guide 219
  • ZyXEL UAG715 | User Guide - Page 220
    /MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the UAG does not apply IP/MAC binding. 220 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 221
    a range of IP addresses for which the UAG does not apply IP/MAC binding. Apply Click Apply to save your changes back to the UAG. UAG715 User's Guide 221
  • ZyXEL UAG715 | User Guide - Page 222
    Chapter 19 IP/MAC Binding 222 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 223
    A. A passes authentication and the endpoint security check and is given access. Local user B passes authentication but fails the endpoint security check and is denied access. UAG715 User's Guide 223
  • ZyXEL UAG715 | User Guide - Page 224
    of making users for which user-aware policies have been configured go to the UAG Login screen manually, you can configure the UAG to display the Login screen automatically whenever it routes HTTP traffic for login, however, so users have to make this request again. 224 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 225
    portal settings and web authentication policies you have configured on the UAG. Click Configuration > Web Authentication to display the screen. Figure 145 Configuration > Web Authentication UAG715 User's Guide 225
  • ZyXEL UAG715 | User Guide - Page 226
    ) is the web server on which the web portal files are installed. Click this to download an example web portal file for your reference. 226 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 227
    for the default authentication policy that the UAG uses on traffic that does not match any exceptional service or other authentication policy. You can edit the default rule but not delete it. This displays the . none means the policy is active at all times if enabled. UAG715 User's Guide 227
  • ZyXEL UAG715 | User Guide - Page 228
    - Users do not need to be authenticated. required - Users need to be authenticated. They must manually go to the login screen. The UAG will not redirect them to the login screen. EPS Description authentication policy. Figure 147 Configuration > Web Authentication > Add 228 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 229
    HTTP traffic from unauthenticated users is redirected to a default or user-defined login page. Otherwise, they must manually go to the login screen. The UAG will not redirect them to the login screen. This field first and the one that the least users should match last. UAG715 User's Guide 229
  • ZyXEL UAG715 | User Guide - Page 230
    by an external server. Click OK. Figure 148 Configuration > Object > User/Group > User > Add 3 Repeat this process to set up the remaining user accounts. 230 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 231
    Server > RADIUS. Double-click the radius entry. Configure the RADIUS server's address, authentication port (1812 if you were not told otherwise), and key. Click Apply. UAG715 User's Guide 231
  • ZyXEL UAG715 | User Guide - Page 232
    default settings, and click OK. Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN. 232 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 233
    (or use any HTTP/HTTPS application), the login screen appears. They have to log in using the user name and password in the RADIUS server. UAG715 User's Guide 233
  • ZyXEL UAG715 | User Guide - Page 234
    to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius. 234 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 235
    move the Kaspersky Internet Security and Kaspersky Anti-Virus anti-virus software entries to the allowed list. The following figure shows the configuration screen example. UAG715 User's Guide 235
  • ZyXEL UAG715 | User Guide - Page 236
    Chapter 20 Web Authentication Figure 156 Configuration > Object > Endpoint Security > Add Repeat as needed to create endpoint security objects for other Windows operating system versions. 236 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 237
    the EPS objects you created to the selected list. • Click OK. Figure 157 Configuration > Web Authentication > Add 4 Turn on web authentication policy and click Apply. UAG715 User's Guide 237
  • ZyXEL UAG715 | User Guide - Page 238
    's computer does not meet an endpoint security object's requirements. Click Close to return to the login screen. Figure 159 Example: Endpoint Security Error Message 238 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 239
    CHAPTER 21 Firewall 21.1 Overview Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions. This firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone. UAG715 User's Guide 239
  • ZyXEL UAG715 | User Guide - Page 240
    on page 427 for more information about service control (remote management). The UAG checks the firewall rules before the service control rules for traffic destined for the UAG. A From Any To Device direction rule applies to traffic from an interface which is not in a zone. 240 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 241
    use. Finding Out More • See Section 21.4 on page 248 for an example of creating firewall rules as part of configuring user-aware access control. UAG715 User's Guide 241
  • ZyXEL UAG715 | User Guide - Page 242
    from which zone packets come and to which zone packets travel to display only the rules specific to the selected direction. Note the following. 242 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 243
    the LAN without passing through the UAG. A better solution is to use virtual interfaces to put the UAG and the backup gateway on separate subnets. UAG715 User's Guide 243
  • ZyXEL UAG715 | User Guide - Page 244
    is the direction of travel of packets to which the firewall rule applies. To Schedule User Source Destination Service Access Log Apply Reset This field tells you the schedule object that the rule uses. none means the Reset to return the screen to its last-saved settings. 244 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 245
    group to apply an IPv4 rule to traffic going to it. Select any to apply an IPv4 rule to all traffic going to IPv4 addresses. UAG715 User's Guide 245
  • ZyXEL UAG715 | User Guide - Page 246
    Chapter 21 Firewall Table 94 Configuration > Firewall > Add (continued) LABEL Service Access DESCRIPTION Select a service or service group from the drop-down list box. Use the drop-down list this check box to control the number of concurrent sessions hosts can have. 246 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 247
    Edit icon to display the Firewall Session Limit Edit screen. Use this screen to configure rules that define a session limit for specific users or addresses. UAG715 User's Guide 247
  • ZyXEL UAG715 | User Guide - Page 248
    of firewall rules click Add to configure a new first entry. The sequence (priority) of the rules is important since they are applied in order. 248 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 249
    168 Firewall Example: Create a Service Object 4 Select From WAN and To LAN1 and enter a name for the firewall rule. Select Dest_1 for the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done. UAG715 User's Guide 249
  • ZyXEL UAG715 | User Guide - Page 250
    need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule. 250 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 251
    DESTINATION SCHEDULE 1 Any Any Any Any 2 Any Any Any Any SERVICE IRC Any ACTION Deny Allow • The first row blocks LAN access to the IRC service on the WAN. • The second row is the firewall's default following figure shows the results of your two custom rules. UAG715 User's Guide 251
  • ZyXEL UAG715 | User Guide - Page 252
    SOURCE DESTINATION SCHEDULE 1 Any 192.168.1.7 Any Any 2 Any Any Any Any 3 Any Any Any Any SERVICE IRC IRC Any ACTION Allow Deny Allow • The first row allows the LAN1 computer at IP address 192.168.1.7 would drop it and not check any other firewall rules. 252 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 253
    the Internet or any insecure network that uses TCP/IP for communication. IPSec VPN Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client software. This standards-based VPN network. See Chapter 23 on page 285 for more on SSL VPN. UAG715 User's Guide 253
  • ZyXEL UAG715 | User Guide - Page 254
    router. The second phase uses the IKE SA to securely establish an IPSec SA through which the UAG and remote IPSec router can send data between computers on the local network and remote network. This is illustrated in the following figure. Figure 175 VPN: IKE SA and IPSec SA 254 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 255
    addresses and are also known as dial-in users. You don't specify the addresses of the client IPSec routers or the remote policy. This creates a dynamic IPSec VPN rule that can let multiple clients connect. Only . • See the help in the IPSec VPN quick setup wizard screens. UAG715 User's Guide 255
  • ZyXEL UAG715 | User Guide - Page 256
    and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up remote IPSec router. See Chapter 33 on page 382. • In a VPN gateway, the UAG and remote IPSec router can use certificates Connection 256 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 257
    This field displays the associated VPN gateway(s). If there is no VPN gateway, this field displays "manual key". This field displays what encapsulation the IPSec SA uses. This field displays what encryption and .2 on page 256), and click either the Add icon or an Edit icon. UAG715 User's Guide 257
  • ZyXEL UAG715 | User Guide - Page 258
    Chapter 22 IPSec VPN Figure 177 Configuration > VPN > IPSec VPN > VPN Connection > Edit (IKE) 258 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 259
    to protect against Denial-of-Service attacks. Select this check box computer to connect to and communicate with a LAN. It may - Choose this if the remote IPSec router has a static IP address or a manual key instead of IKE key management. This may be useful if you have problems UAG715 User's Guide 259
  • ZyXEL UAG715 | User Guide - Page 260
    provides encryption and the same services offered by AH, but remote IPSec router must use the UAG and remote IPSec router must use the same UAG accepts from the remote IPSec router for negotiating the IPSec SA. algorithm The UAG and the remote IPSec router must both have at least one proposal
  • ZyXEL UAG715 | User Guide - Page 261
    the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group. Connectivity Check The UAG can regularly check the VPN connection to from computers outside the local network through the IPSec SA. UAG715 User's Guide 261
  • ZyXEL UAG715 | User Guide - Page 262
    mapped port range. OK Click OK to save the changes. Cancel Click Cancel to discard all changes and return to the main VPN screen. 262 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 263
    other fields. Table 103 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key LABEL DESCRIPTION Manual Key My Address Type the IP address of the UAG in the IPSec SA. Secure Gateway Type the IP address of the remote IPSec router in the IPSec SA. Address UAG715 User's Guide 263
  • ZyXEL UAG715 | User Guide - Page 264
    this if the IPSec SA is used for communication between the UAG and remote IPSec router. If you select Transport mode, the UAG (RFC 2406) - provides encryption and the same services offered by AH, but its authentication is weaker. router must use the same algorithm. 264 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 265
    Connection > Add > Manual Key (continued) LABEL as listed above. The remote IPSec router must have the same encryption key as listed above. The remote IPSec router must have the same authentication key. well as the UAG's address, remote IPSec router's address, and associated VPN connections for
  • ZyXEL UAG715 | User Guide - Page 266
    uses for the VPN gateway. Secure Gateway This field displays the IP address(es) of the remote IPSec routers. VPN Connection This field displays VPN connections that use this VPN gateway. Apply Click Apply to save your 265), and click either the Add icon or an Edit icon. 266 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 267
    Figure 180 Configuration > VPN > IPSec VPN > VPN Gateway > Edit Chapter 22 IPSec VPN UAG715 User's Guide 267
  • ZyXEL UAG715 | User Guide - Page 268
    must trust each other's certificates. The UAG uses one of its Trusted Certificates to authenticate the remote IPSec router's certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router's certificate. 268 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 269
    string specified in this field Any - the UAG does not check the identity of the remote IPSec router If the UAG and remote IPSec router use certificates, there is one more choice. Subject Name - the remote IPSec router is identified by the subject name in the certificate UAG715 User's Guide 269
  • ZyXEL UAG715 | User Guide - Page 270
    use to negotiate the IKE SA. Choices are Main - this encrypts the UAG's and remote IPSec router's identities but takes more time to establish the IKE SA Aggressive - this is faster but does not proposal. The sequence of proposals should not affect performance significantly. 270 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 271
    the UAG to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If there has been no traffic to the remote IPSec router for authentication. You also have to provide the User Name and the Password. UAG715 User's Guide 271
  • ZyXEL UAG715 | User Guide - Page 272
    remote IPSec router. The remote IPSec router. The password router. Both routers must Router To set up an IKE SA router router as 0.0.0.0. This means that the remote IPSec router can have any IP address. In this case, only the remote IPSec router router router use in the IKE SA. In main
  • ZyXEL UAG715 | User Guide - Page 273
    proposals to the remote IPSec router. (In some devices, you router selects an acceptable proposal and sends the accepted proposal router rejects all of the proposals, the UAG and remote IPSec router cannot establish an IKE SA. Note: Both routers The UAG and the remote IPSec router use DH public-key cryptography to
  • ZyXEL UAG715 | User Guide - Page 274
    . Router identity consists of ID type and content. The ID type can be domain name, IP address, or email address, and the content is a (properly-formatted) domain name, IP address, or e-mail address. The content is only used for identification. Any domain name or e-mail address that you 274 UAG715
  • ZyXEL UAG715 | User Guide - Page 275
    router selects an acceptable proposal and sends it back to the UAG. Steps 3 - 4: The UAG and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret. UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 276
    depending on the standard(s) the UAG and remote IPSec router support. Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters. 276 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 277
    protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406). Note: The UAG and remote IPSec router must use the same active protocol. Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT. UAG715 User's Guide 277
  • ZyXEL UAG715 | User Guide - Page 278
    communication between the UAG and remote IPSec router IPSec router or remote IPSec router, whichever is the destination. or remote IPSec router. The header UAG and remote IPSec router perform a new DH UAG and remote IPSec router perform a DH key exchange UAG and remote IPSec router use the same root
  • ZyXEL UAG715 | User Guide - Page 279
    example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA. In IPSec SAs using manual keys, the UAG and remote IPSec router do not The following example is used to help explain each one. UAG715 User's Guide 279
  • ZyXEL UAG715 | User Guide - Page 280
    connection with any computer in the remote network (B). If you do not configure it, the remote IPSec router may not route messages for computer M through the IPSec SA because computer M's IP address is not IP address (range of addresses) to hide the original source address. 280 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 281
    the remote network (B). • Protocol - the protocol [TCP, UDP, or both] used by the service requesting the connection. • Original Port - the original destination port or range of destination ports; in to Static Address and enter the remote IPSec router's public IP address UAG715 User's Guide 281
  • ZyXEL UAG715 | User Guide - Page 282
    -tosite and select the VPN gateway you configured (VPN_GW_EXAMPLE). Set Local Policy to LAN1_SUBNET and Remote Policy to VPN_REMOTE_SUBNET for the remote. Click OK. 282 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 283
    Chapter 22 IPSec VPN UAG715 User's Guide 283
  • ZyXEL UAG715 | User Guide - Page 284
    Chapter 22 IPSec VPN 284 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 285
    VPN to allow users to use a web browser for secure remote user login. The remote users do not need a VPN router or VPN client software. 23.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access An SSL access policy allows the UAG to perform the following tasks: UAG715 User's Guide 285
  • ZyXEL UAG715 | User Guide - Page 286
    . 23.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open the Access Privilege screen. This screen lists the configured SSL access policies. 286 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 287
    Policy Add/Edit Screen To create a new or edit an existing SSL access policy, click the Add or Edit icon in the Access Privilege screen. UAG715 User's Guide 287
  • ZyXEL UAG715 | User Guide - Page 288
    Chapter 23 SSL VPN Figure 190 VPN > SSL VPN > Access Privilege > Add/Edit 288 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 289
    endpoint security objects in order with the one that the most users should match first and the one that the least users should match last. UAG715 User's Guide 289
  • ZyXEL UAG715 | User Guide - Page 290
    on the network as if they were on the same local network. This includes access to resources not supported by SSL application objects. For example this lets users Telnet to the internal network even though the upload a custom logo to be displayed on the remote user screen. 290 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 291
    domain names so you could use one domain name for each of two WAN ports. For example, www.zyxel.com is a fully qualified domain name where "www" is the host. Message Login Message Logout Message The . You can enter up to 60 characters (0-9, a-z, A-Z with spaces allowed. UAG715 User's Guide 291
  • ZyXEL UAG715 | User Guide - Page 292
    You can upload a graphic logo to be displayed on the web browser on the remote user computer. The ZyXEL company logo is the default logo. Specify the location and file name of the logo graphic or click on the remote user screen. Figure 192 Example Logo Graphic Display 292 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 293
    . 3 Display the UAG's login screen, enter your user account information (the user name and password), and click SSL VPN to establish an SSL VPN connection. UAG715 User's Guide 293
  • ZyXEL UAG715 | User Guide - Page 294
    , the UAG redirects the user to the user aware screen. For more information on user portal screens, refer to Chapter 24 on page 295. 294 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 295
    you can access resources on the local network using one of the following methods. • Using a supported web browser Once you have successfully logged in through the UAG, you can access intranet sites, above, Firefox 8.0 and above, Chrome 14.0 and above, or Safari 4.0 and above UAG715 User's Guide 295
  • ZyXEL UAG715 | User Guide - Page 296
    user's computer establishes an HTTPS connection to the UAG to access the login screen. If instructed by your network administrator, you must install or import a certificate (provided by the UAG or the Address in a Web Browser 2 Click OK or Yes if a security screen displays. 296 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 297
    UAG tries to install the SecuExtender client. As shown next, you may have to click some popups to get your browser to allow the installation. UAG715 User's Guide 297
  • ZyXEL UAG715 | User Guide - Page 298
    . In Internet Explorer, click Run. Figure 200 SecuExtender Progress 7 Click Next to use the setup wizard to install the SecuExtender client on your computer. 298 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 299
    depending on the configuration your network administrator made. 24.3 The SSL VPN User Screens This section describes the main elements in the remote user screens. UAG715 User's Guide 299
  • ZyXEL UAG715 | User Guide - Page 300
    , click the Add to Favorite icon. 2 A screen displays. Accept the default name in the Name field or enter a descriptive name to identify this link. 300 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 301
    a web site (Web Link). To access a web-based application, simply click a link in the Application screen to display the web screen in a separate browser window. UAG715 User's Guide 301
  • ZyXEL UAG715 | User Guide - Page 302
    Chapter 24 SSL User Screens Figure 206 Application 302 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 303
    program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. The ZyWALL SecuExtender lets you: • Access servers, remote desktops and manage files as view the ZyWALL SecuExtender's connection status and activity statistics. UAG715 User's Guide 303
  • ZyXEL UAG715 | User Guide - Page 304
    connection. These are the IP addresses of the WINS (Windows Internet Naming Service) and backup WINS servers for the SSL VPN connection. The WINS server connection. 25.3 View Log If you have problems with the ZyWALL SecuExtender, customer support may request you to provide information from the log
  • ZyXEL UAG715 | User Guide - Page 305
    System status... [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking service (first) ... [ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] SecuExtender Programs > ZyXEL > ZyWALL SecuExtender > Uninstall ZyWALL SecuExtender. 2 In the confirmation screen, click Yes. UAG715 User's Guide 305
  • ZyXEL UAG715 | User Guide - Page 306
    Chapter 25 ZyWALL SecuExtender Figure 210 Uninstalling the ZyWALL SecuExtender Confirmation 3 Windows uninstalls the ZyWALL SecuExtender. Figure 211 ZyWALL SecuExtender Uninstallation 306 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 307
    flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together not have to request a particular service or give advanced notice of where the traffic is going. UAG715 User's Guide 307
  • ZyXEL UAG715 | User Guide - Page 308
    is limited to 500 kbs. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1. 308 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 309
    1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A's traffic and policy B for server B's traffic. UAG715 User's Guide 309
  • ZyXEL UAG715 | User Guide - Page 310
    kbps. Table 116 Maximize Bandwidth Usage Effect
    POLICY | CONFIGURED RATE | MAX. B. U. | PRIORITY | ACTUAL RATE
    A | 300 kbps | Yes | 1 | 550 kbps
    B | 200 kbps | Yes | 2 | 450 kbps
    310 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 311
    destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of management policy. Figure 215 Configuration > Bandwidth Management UAG715 User's Guide 311
  • ZyXEL UAG715 | User Guide - Page 312
    In/Out This field displays default for the default bandwidth management policy. This is the destination service port number of the traffic to which this policy applies. This is the schedule that defines when drop preferences. See Section 10.4 on page 163 for more details. 312 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 313
    Section 26.2 on page 311), and click either the Add icon or an Edit icon. Figure 216 Configuration > Bandwidth Management > Edit (For the Default Policy) UAG715 User's Guide 313
  • ZyXEL UAG715 | User Guide - Page 314
    of the traffic to which this policy applies. Select any if the policy is effective for every service port. Schedule Select a schedule that defines when the policy applies or select Create new Object to DSCP value of the incoming and outgoing packets that match this policy. 314 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 315
    have maximize bandwidth usage enabled. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving your changes. UAG715 User's Guide 315
  • ZyXEL UAG715 | User Guide - Page 316
    Chapter 26 Bandwidth Management 316 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 317
    use to create new ADP profiles. The UAG comes with several base profiles. See Table 122 on page 320 for details on ADP base profiles. UAG715 User's Guide 317
  • ZyXEL UAG715 | User Guide - Page 318
    to modify it. Remove Select an entry and click this to delete it. Activate To turn on an entry, select it and click Activate. 318 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 319
    using an existing base profile • Edit an existing profile • Delete an existing profile 27.3.1 Configuring The ADP Profile Summary Screen Select Configuration > Anti-X > ADP > Profile. UAG715 User's Guide 319
  • ZyXEL UAG715 | User Guide - Page 320
    122 Base Profiles BASE PROFILE DESCRIPTION none All traffic anomaly and protocol anomaly rules are disabled. No logs are generated nor actions are taken. 320 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 321
    to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab. UAG715 User's Guide 321
  • ZyXEL UAG715 | User Guide - Page 322
    Chapter 27 ADP Figure 221 Profiles: Traffic Anomaly 322 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 323
    UAG to take the configured action. Click OK to save your settings to the UAG, complete the profile and return to the profile summary page. UAG715 User's Guide 323
  • ZyXEL UAG715 | User Guide - Page 324
    other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Protocol Anomaly tab. 324 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 325
    Figure 222 Profiles: Protocol Anomaly Chapter 27 ADP UAG715 User's Guide 325
  • ZyXEL UAG715 | User Guide - Page 326
    and use the Action icon. Click OK to save your settings to the UAG, complete the profile and return to the profile summary page. 326 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 327
    what types of network protocols or services a device supports. One of the most common port is a workstation, a printer, or a router. Decoy Port Scans Decoy port scans are scans services. This may be used to evade intrusion detection. These are distributed port scan types: UAG715 User's Guide 327
  • ZyXEL UAG715 | User Guide - Page 328
    to the same port (service) may indicate a is looking for a specific service. These are some port sweep such as NAT routers, may trigger these make communications in the A smurf attacker (A) floods a router (B) with Internet Control Message Protocol of the network. The router will broadcast the ICMP
  • ZyXEL UAG715 | User Guide - Page 329
    ends the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for other users. UAG715 User's Guide 329
  • ZyXEL UAG715 | User Guide - Page 330
    to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server. 330 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 331
    any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning. UAG715 User's Guide 331
  • ZyXEL UAG715 | User Guide - Page 332
    is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash. 332 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 333
    pornography or racial intolerance. • Restrict Web Features The UAG can disable web proxies and block web features such as ActiveX controls, Java applets and cookies. UAG715 User's Guide 333
  • ZyXEL UAG715 | User Guide - Page 334
    set to block. External Web Filtering Service When you register for and enable the external web filtering service, your UAG accesses an external database For example, with the URL www.zyxel.com.tw/news/pressroom.php, the domain name is www.zyxel.com.tw. The file path is the 334 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 335
    a denial of access message or specify a redirect URL and check your external web filtering service registration status. Figure 226 Configuration > Anti-X > Content Filter > General The following table an entry and click Add to create a new entry after the selected entry. UAG715 User's Guide 335
  • ZyXEL UAG715 | User Guide - Page 336
    content filter profile that each content filter policy uses. The content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied. Enter a message to (0-9a-zA-Z For example, http://192.168.1.17/blocked access. 336 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 337
    and activated the trial service subscription. This field displays the date your service license expires. This link appears if you have not registered for the service or the service has expired. Click . Figure 227 Configuration > Anti-X > Content Filter > General > Add UAG715 User's Guide 337
  • ZyXEL UAG715 | User Guide - Page 338
    to use for this policy. The content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied the Filter Profile screen. A content filter profile defines to which web services, web sites or web site categories access is to be allowed or denied
  • ZyXEL UAG715 | User Guide - Page 339
    Category Service screen. Use this screen to enable external database content filtering and select which web site categories to block and/or log. Note: You must register for BlueCoat external content filtering before you can use it. See Section 7.2 on page 98 for how to register. UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 340
    Chapter 28 Content Filtering Figure 229 Configuration > Anti-X > Content Filter > Filter Profile > Add > Category Service 340 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 341
    Chapter 28 Content Filtering Figure 230 Configuration > Anti-X > Content Filter > Filter Profile > Add > Category Service (Continue) UAG715 User's Guide 341
  • ZyXEL UAG715 | User Guide - Page 342
    Unsafe Web Pages Trial displays if you have successfully registered the UAG and activated the trial service subscription. Enter a descriptive name for this content filtering profile name. You may use 1-31 web pages that match the other categories that you select below. 342 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 343
    display a warning message before allowing users to access web pages that the external web filtering service has not categorized. Action When Category Server Is Unavailable Select Log to record attempts to rated as spyware should have a second category assigned with them. UAG715 User's Guide 343
  • ZyXEL UAG715 | User Guide - Page 344
    proxy server/appliance. It also includes any service that will allow a person to bypass the content filtering feature, such as anonymous surfing services. Managed Categories These are categories of web well as products used for sexual enhancement. Liability Concerns 344 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 345
    as service support or oppose weapons use. This category includes pages that distribute, promote, or provide hacking tools and/or information which may help gain unauthorized access to computer systems and/or computerized communication systems. Hacking encompasses instructions UAG715 User's Guide 345
  • ZyXEL UAG715 | User Guide - Page 346
    or offer methods, means of instruction, or other resources to affect services. It also includes pages that discuss or explain laws of various governmental entities. LGBT This category includes pages that provide information regarding, support communities with blogs. 346 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 347
    content-typically more than 15 minutes in length. Communication Chat/Instant Messaging This category includes pages that list, review, discuss, advertise and promote food, catering, dining services, cooking and recipes. Alcohol Sites that promote, offer for sale, . UAG715 User's Guide 347
  • ZyXEL UAG715 | User Guide - Page 348
    services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support support support support services services). Financial Services This category includes pages that provide or advertise banking services services
  • ZyXEL UAG715 | User Guide - Page 349
    Service LABEL DESCRIPTION Real Estate This category includes pages that provide information on renting, buying, or selling real estate or properties. Auctions This category includes pages that support pages that support online purchase web communities or hosting services. Web that support
  • ZyXEL UAG715 | User Guide - Page 350
    the proxy server. 28.5 Content Filter Custom Service Screen Click Configuration > Anti-X > Content Filter > Filter Profile > Add or Edit > Custom Service to open the Custom Service screen. You can create a list of or remove specific sites or keywords from the filter list. 350 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 351
    (-), but the first character cannot be a number. This value is case-sensitive. Enable Custom Service Select this check box to allow trusted web sites and block forbidden web sites. Content filter carefully, this is the most effective way to block objectionable material. UAG715 User's Guide 351
  • ZyXEL UAG715 | User Guide - Page 352
    . Some web servers use them to track usage and provide service based on ID. A server that acts as an intermediary ://". All subdomains are allowed. For example, entering "*zyxel.com" also allows "www.zyxel.com", "partner.zyxel.com", "press.zyxel.com", and so on. You can also enter UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 353
    Filtering Table 131 Configuration > Anti-X > Content Filter > Filter Profile > Custom Service (continued) LABEL Forbidden Web Sites DESCRIPTION This list displays the forbidden web sites Server Lookup Procedure The content filter lookup process is described below. UAG715 User's Guide 353
  • ZyXEL UAG715 | User Guide - Page 354
    based on the settings in the content filter profile. The web site's address and category are then stored in the UAG's content filter cache. 354 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 355
    (CLI) Access network services guest ext-user ext-group-user Browse user-mode commands (CLI) Access network services External user account External group user account LOGIN METHOD(S) WWW, TELNET, SSH, FTP, Console WWW, TELNET, SSH, Console WWW, TELNET, SSH WWW WWW WWW UAG715 User's Guide 355
  • ZyXEL UAG715 | User Guide - Page 356
    user group. Note: You cannot put the default admin account into any user group. The sequence of members in a user group is not important. 356 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 357
    'aware' of the user who is logged in and you can create 'user-aware policies' that define what services they can use. See Section 29.4.2 on page 365 for a user-aware login example. Finding Out More • field is a sequential value, and it is not associated with a specific user. UAG715 User's Guide 357
  • ZyXEL UAG715 | User Guide - Page 358
    the following characters: • Alphanumeric A-z 0-9 (there is no unicode support) • _ [underscores] • - [dashes] The first character must • any • devicehaecived • ftp • lp • mail • radius-users • root • uucp • zyxel • bin • games • news • shutdown • daemon • halt • nobody • sshd To access
  • ZyXEL UAG715 | User Guide - Page 359
    • user - this user has access to the UAG's services and can also browse user-mode commands (CLI). • guest - this user has access to the UAG's services but cannot look at the configuration. • ext-user - up to 60 printable ASCII characters. Default descriptions are provided. UAG715 User's Guide 359
  • ZyXEL UAG715 | User Guide - Page 360
    in the User Settings field, the default lease time is shown. Reauthentication Time If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before to open a screen where you can modify the entry's settings. 360 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 361
    ] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. UAG715 User's Guide 361
  • ZyXEL UAG715 | User Guide - Page 362
    them. To access this screen, login to the Web Configurator, and click Configuration > Object > User/ Group > Setting. Figure 237 Configuration > Object > User/Group > Setting 362 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 363
    These are the kinds of user account the UAG supports. Lease Time • admin - this user can services but cannot look at the configuration • guest - this user has access to the UAG's services lease time automatically, as well as manually, simply by selecting the Updating lease UAG715 User's Guide 363
  • ZyXEL UAG715 | User Guide - Page 364
    any existing user accounts that are set to use the default settings. You can still manually configure any user account's authentication timeout settings. To access this screen, go to the Configuration icons. Figure 238 Configuration > Object > User/Group > Setting > Edit 364 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 365
    it. • user - this user has access to the UAG's services but cannot look at the configuration. • guest - this user has access to the UAG's services but cannot look at the configuration • ext-user - this user access users log into the UAG, the following screen appears. UAG715 User's Guide 365
  • ZyXEL UAG715 | User Guide - Page 366
    time. 29.5 User/Group Technical Reference This section provides some information on users who use an external authentication server in order to log in. 366 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 367
    LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 41 on page 481 for more information about shell scripts. UAG715 User's Guide 367
  • ZyXEL UAG715 | User Guide - Page 368
    > Address > Address. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. UAG715 User's Guide 368
  • ZyXEL UAG715 | User Guide - Page 369
    , go to the Address screen (see Section 30.2 on page 368), and click either the Add icon or an Edit icon in the Configuration section. UAG715 User's Guide 369
  • ZyXEL UAG715 | User Guide - Page 370
    Group. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. 370 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 371
    to the Address Group screen (see Section 30.3 on page 370), and click either the Add icon or an Edit icon in the Configuration section. UAG715 User's Guide 371
  • ZyXEL UAG715 | User Guide - Page 372
    to the Available list. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving your changes. 372 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 373
    service groups to refer to multiple service objects in other features. 31.1.1 What You Can Do in this Chapter • Use the Service services and their definitions. • Use the Service Group screens (Section 31.2 on page 374) to view and configure the UAG's list of service to investigate problems. For
  • ZyXEL UAG715 | User Guide - Page 374
    in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column's heading cell to sort the table entries by that column's criteria. Click the heading cell again to reverse the sort order. Figure 246 Configuration > Object > Service > Service 374 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 375
    if the IP Protocol is ICMP. IP Protocol Number OK Cancel Select the ICMP message used by this service. This field displays the message text, not the message number. This field appears if the IP Protocol the UAG. Click Cancel to exit this screen without saving your changes. UAG715 User's Guide 375
  • ZyXEL UAG715 | User Guide - Page 376
    31.3.1 The Service Group Add/Edit Screen The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 31.3 on page 376), and click either the Add icon or an Edit icon. 376 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 377
    to 60 printable ASCII characters. The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Cancel to exit this screen without saving your changes. UAG715 User's Guide 377
  • ZyXEL UAG715 | User Guide - Page 378
    one-time and recurring schedules for policy routes, firewall rules, and content filtering. The UAG supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules page 429 for information about the UAG's current date and time. UAG715 User's Guide 378
  • ZyXEL UAG715 | User Guide - Page 379
    schedule. Start Time This field displays the time at which the schedule begins. Stop Time This field displays the time at which the schedule ends. UAG715 User's Guide 379
  • ZyXEL UAG715 | User Guide - Page 380
    • Hour - 0 - 23 • Minute - 0 - 59 Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving your changes. 380 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 381
    the recurring schedule is effective. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving your changes. UAG715 User's Guide 381
  • ZyXEL UAG715 | User Guide - Page 382
    ext-group-user user objects and authentication method objects (see Chapter 34 on page 390). 33.1.1 Directory Service (AD/LDAP) LDAP/AD allows a client (the UAG) to connect to a server to retrieve information you to validate a large number of users from a central location. UAG715 User's Guide 382
  • ZyXEL UAG715 | User Guide - Page 383
    To Know AAA Servers Supported by the UAG The following lists the types of authentication server the UAG supports. • Local user database server. • RADIUS RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by . UAG715 User's Guide 383
  • ZyXEL UAG715 | User Guide - Page 384
    the UAG can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. 384 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 385
    This is the address of the AD or LDAP server. Base DN This specifies a directory. For example, o=ZyXEL, c=US. 33.2.1 Adding an Active Directory or LDAP Server Click Object > AAA Server > Active Directory (or to create a new AD or LDAP entry or edit an existing one. UAG715 User's Guide 385
  • ZyXEL UAG715 | User Guide - Page 386
    AD or LDAP server(s) in this group. Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL, c=US. Search time limit This is only for LDAP. Specify the timeout period (between 1 and 300 seconds LDAP server(s) or the AD or LDAP server(s) is down. 386 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 387
    to create a new entry. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry's settings. UAG715 User's Guide 387
  • ZyXEL UAG715 | User Guide - Page 388
    description of each server, if any. You can use up to 60 printable ASCII characters. Server Address Enter the address of the RADIUS server. 388 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 389
    with "sales" as the group identifier, another for "RD" and a third for "management". Click OK to save the changes. Click Cancel to discard the changes. UAG715 User's Guide 389
  • ZyXEL UAG715 | User Guide - Page 390
    34.1 Overview Authentication method objects set how the UAG authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have from the drop-down list box. 4 Click OK to save the settings. UAG715 User's Guide 390
  • ZyXEL UAG715 | User Guide - Page 391
    This field displays the authentication method(s) for this entry. 34.2.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object. UAG715 User's Guide 391
  • ZyXEL UAG715 | User Guide - Page 392
    modify the entry's settings. To remove an entry, select it and click Remove. The UAG confirms you want to remove it before doing so. 392 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 393
    username and password that doesn't match the one on the first authentication server. Click OK to save the changes. Click Cancel to discard the changes. UAG715 User's Guide 393
  • ZyXEL UAG715 | User Guide - Page 394
    may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key). UAG715 User's Guide 394
  • ZyXEL UAG715 | User Guide - Page 395
    (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. UAG715 User's Guide 395
  • ZyXEL UAG715 | User Guide - Page 396
    's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 264 Certificate Details 396 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 397
    listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. UAG715 User's Guide 397
  • ZyXEL UAG715 | User Guide - Page 398
    My Certificates Add screen. Use this screen to have the UAG create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. 398 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 399
    Figure 266 Configuration > Object > Certificate > My Certificates > Add Chapter 35 Certificates UAG715 User's Guide 399
  • ZyXEL UAG715 | User Guide - Page 400
    Options Create a self-signed certificate Create a certification request and save it locally for later manual enrollment Select DSA to use the Digital Signature Algorithm public-key algorithm. Select a number from on page 401) and then send it to the certification authority. 400 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 401
    Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate's name. UAG715 User's Guide 401
  • ZyXEL UAG715 | User Guide - Page 402
    displays "Not trusted" in this field if any certificate on the path has expired or been revoked. Click Refresh to display the certification path. 402 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 403
    authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into
  • ZyXEL UAG715 | User Guide - Page 404
    Object > Certificate > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the UAG. Note: You can import a in the UAG. Click Browse to find the certificate file you want to upload. 404 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 405
    . # This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. UAG715 User's Guide 405
  • ZyXEL UAG715 | User Guide - Page 406
    set whether or not you want the UAG to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority. 406 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 407
    Chapter 35 Certificates Figure 270 Configuration > Object > Certificate > Trusted Certificates > Edit UAG715 User's Guide 407
  • ZyXEL UAG715 | User Guide - Page 408
    to generate the certificate's key pair (the UAG uses RSA encryption) and the length of the key set in bits (1024 bits for example). 408 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 409
    Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the UAG. Note: You must remove any spaces from the certificate's filename
  • ZyXEL UAG715 | User Guide - Page 410
    file you want to upload. Click OK to save the certificate on the UAG. Click Cancel to quit and return to the previous screen. 410 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 411
    CHAPTER 36 ISP Accounts 36.1 Overview Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for that shows which settings use the entry. See Section 8.3.2 on page 115 for an example. UAG715 User's Guide 411
  • ZyXEL UAG715 | User Guide - Page 412
    protocol used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol. pptp - This ISP account uses the PPTP protocol. 412 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 413
    is correctly. If this ISP account uses the PPPoE protocol, this field is not displayed. Connection ID Service Name If this ISP account uses the PPTP protocol, type the IP address of the PPTP server. This ) or saving any changes to the profile (if it already exists). UAG715 User's Guide 413
  • ZyXEL UAG715 | User Guide - Page 414
    on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs. UAG715 User's Guide 414
  • ZyXEL UAG715 | User Guide - Page 415
    . The UAG works with the following remote desktop connection software: RDP • Windows Remote Desktop (supported in Internet Explorer) VNC • RealVNC • TightVNC • UltraVNC For example, user A uses an configuration screen should look similar to the following figure. UAG715 User's Guide 415
  • ZyXEL UAG715 | User Guide - Page 416
    entry. See Section 8.3.2 on page 115 for an example. # This field displays the index number. Name This field displays the name of the object. 416 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 417
    any new settings objects that you need to use in this screen. Object Type Select Web Application from the drop-down list box. Web Application UAG715 User's Guide 417
  • ZyXEL UAG715 | User Guide - Page 418
    field only appears when you choose Web Application as the object type. Specify the type of service for this SSL application. Select VNC to allow users to manage LAN computers that have Virtual discard the changes and return to the main SSL Application Configuration screen. 418 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 419
    You Can Do in this Chapter Use the Configuration > Object > Endpoint Security screens (Section 38.2 on page 420) to create and manage endpoint security objects. UAG715 User's Guide 419
  • ZyXEL UAG715 | User Guide - Page 420
    The Endpoint Security screen displays the endpoint security objects you have configured on the UAG. Click Configuration > Object > Endpoint Security to display the screen. 420 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 421
    > Endpoint Security and then the Add (or Edit) icon to open the Endpoint Security Edit screen. Use this screen to configure an endpoint security object. UAG715 User's Guide 421
  • ZyXEL UAG715 | User Guide - Page 422
    Chapter 38 Endpoint Security Figure 280 Configuration > Object > Endpoint Security > Add 422 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 423
    Chapter 38 Endpoint Security UAG715 User's Guide 423
  • ZyXEL UAG715 | User Guide - Page 424
    . The user's computer must have this service pack or higher. For example, "2" means service pack 2. Leave the field blank to have the UAG ignore the Windows service pack number. Passing Criterion Select whether the is activated; in those cases it must also be activated. 424 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 425
    information checks to pass this checking item. Click OK to save your changes back to the UAG. Click Cancel to exit this screen without saving. UAG715 User's Guide 425
  • ZyXEL UAG715 | User Guide - Page 426
    Chapter 38 Endpoint Security 426 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 427
    the UAG. You can also specify from which IP addresses the access can come. Note: See each section for related background information and term definitions. UAG715 User's Guide 427
  • ZyXEL UAG715 | User Guide - Page 428
    read-only) and use the FAT16, FAT32, EXT2, or EXT3 file system. Click Configuration > System > USB Storage to open the screen as shown next. 428 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 429
    > USB Storage LABEL DESCRIPTION Activate USB storage service Select this if you want to use the date. There is also a software mechanism to set the time manually or get the current time and date from an external server as shown. You can manually set the UAG's time and date or have the UAG get
  • ZyXEL UAG715 | User Guide - Page 430
    affect the new time and date you entered. When you enter the time settings manually, the UAG uses the new setting once you click Apply. New Time (hh date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. 430 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 431
    occurred at 10:30 P.M. Click Apply to save your changes back to the UAG. Click Reset to return the screen to its last-saved settings. UAG715 User's Guide 431
  • ZyXEL UAG715 | User Guide - Page 432
    in the View Log screen. Try re-configuring the Date/Time screen. To manually set the UAG date and time. 1 Click System > Date/Time. 2 Select Manual under Time and Date Setup. 3 Enter the UAG's time in the New Time check box to adjust the UAG clock for daylight savings. 432 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 433
    Port Speed DESCRIPTION Use the drop-down list box to change the speed of the console port. Your UAG supports 9600, 19200, 38400, 57600, and 115200 bps (default) for the console port. Apply Reset The Console . Click Reset to return the screen to its last-saved settings. UAG715 User's Guide 433
  • ZyXEL UAG715 | User Guide - Page 434
    IP address), set the DNS server fields to get the DNS server address from the ISP. • You can manually enter the IP addresses of other DNS servers. 39.6.2 Configuring the DNS Screen Click Configuration > System > DHCP client devices. Figure 286 Configuration > System > DNS 434 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 435
    www.zyxel.com.tw fully qualified domain name. Type DNS Server Query Via MX Record (for My FQDN) Add Edit Remove # Domain Name A "*" means all domain zones. This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User
  • ZyXEL UAG715 | User Guide - Page 436
    to the number that you typed. This is the index number of the service control rule. The ordering of your rules is important as rules are host and domain name. For example, www.zyxel.com is a fully qualified domain name, where "www" is the host, "zyxel" is the second-level domain, and UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 437
    tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. 39.6.7 Adding a Domain Zone Forwarder Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record. Figure 288 Configuration > System > DNS > Domain Zone Forwarder Add UAG715 User's Guide 437
  • ZyXEL UAG715 | User Guide - Page 438
    domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name. For example, whenever the UAG receives needs a MX record. Figure 289 Configuration > System > DNS > MX Record Add 438 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 439
    39.6.10 Adding a DNS Service Control Rule Click the Add icon in the Service Control table to add a service control rule. Figure 290 Configuration > System > DNS > Service Control Rule Add The following and SSH access are secure. HTTP and Telnet access are not secure. UAG715 User's Guide 439
  • ZyXEL UAG715 | User Guide - Page 440
    match the client IP address (the UAG disallows the session). 3 The IP address (address object) in the Service Control table is not in the allowed zone or the action is set to Deny. 4 There is a firewall authenticate itself when the HTTPS server requires it to do so (select 440 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 441
    the UAG using HTTP or HTTPS. You can also specify which IP addresses the access can come from. Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the UAG (logging into SSL VPN for example). UAG715 User's Guide 441
  • ZyXEL UAG715 | User Guide - Page 442
    to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the UAG Web Configurator using secure HTTPS connections. Server Port The HTTPS server listens to use "https://UAG IP Address:8443" as the URL. 442 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 443
    also specify the IP addresses from which the administrators can manage the UAG. Add Edit Remove Move # User Service Control specifies from which zones a user can use HTTPS to log into the UAG (to log into SSL and click Add to create a new entry after the selected entry. UAG715 User's Guide 443
  • ZyXEL UAG715 | User Guide - Page 444
    Click Reset to return the screen to its last-saved settings. 39.7.5 Service Control Rules Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule. Figure 293 Configuration > System > Service Control Rule > Edit 444 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 445
    this screen. Select ALL to allow or deny any computer to communicate with the UAG using this service. Zone Select a predefined address object to just allow or deny to access network services like the Internet. See Chapter 29 on page 355 for more on access user accounts. UAG715 User's Guide 445
  • ZyXEL UAG715 | User Guide - Page 446
    Chapter 39 System Figure 294 Configuration > System > WWW > Login Page The following figures identify the parts you can customize in the login and access pages. 446 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 447
    one of the following ways: • Click Color to display a screen of web-safe colors from which to choose. • Enter the name of the desired color. UAG715 User's Guide 447
  • ZyXEL UAG715 | User Guide - Page 448
    ENTER]. If your desired color does not display, your browser may not support it. Try selecting another color. The following table describes the labels in after an access user logs into the Web Configurator to access network services like the Internet. Enter the title for the top of the screen
  • ZyXEL UAG715 | User Guide - Page 449
    from the UAG. Select I Understand the Risks and then click Add Exception to add the UAG to the security exception list. Click Confirm Security Exception. UAG715 User's Guide 449
  • ZyXEL UAG715 | User Guide - Page 450
    After you accept the certificate, the UAG login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection. 450 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 451
    to install the personal certificate(s). 39.7.7.5.1 Installing the CA's Certificate 1 Double click the CA's trusted certificate to produce a screen similar to the one shown next. UAG715 User's Guide 451
  • ZyXEL UAG715 | User Guide - Page 452
    the personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard. 452 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 453
    box. Click Browse if you wish to import a different certificate. Figure 304 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA. UAG715 User's Guide 453
  • ZyXEL UAG715 | User Guide - Page 454
    the following store and choose a different location. Figure 306 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. 454 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 455
    asks you to select a personal certificate to send to the UAG. This screen displays even if you only have a single certificate as in the example. UAG715 User's Guide 455
  • ZyXEL UAG715 | User Guide - Page 456
    that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. In the following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the UAG for a management session. 456 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 457
    Figure 312 SSH Communication Over the WAN Example Chapter 39 System A 39.8.1 How SSH Works The following figure is an example of how a secure Method Once the identification is verified, both the client and server must agree on the type of encryption method to use. UAG715 User's Guide 457
  • ZyXEL UAG715 | User Guide - Page 458
    in to the server. 39.8.2 SSH Implementation on the UAG Your UAG supports SSH versions 1 and 2 using RSA authentication and four encryption methods ( that matches the IP address(es) in the Service Control table to access the UAG CLI using this service. Version 1 Select the check box to have the
  • ZyXEL UAG715 | User Guide - Page 459
    [ENTER] to move the rule to the number that you typed. # This is the index number of the service control rule. Zone This is the zone on the UAG the user is allowed or denied to access. Address prompting you to store the host key in your computer. Click Yes to continue. UAG715 User's Guide 459
  • ZyXEL UAG715 | User Guide - Page 460
    program that comes with most Linux distributions. 1 Test whether the SSH service is available on the UAG. Enter "telnet 192.168.1.1 22" of 192.168.1.1). A message displays indicating the SSH protocol version supported by the UAG. Figure 316 SSH Example 2: Test $ telnet . 460 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 461
    that matches the IP address(es) in the Service Control table to access the UAG CLI using this service. Server Port You may change the server port number for a service if needed, however you must use the same and press [ENTER] to move the rule to the number that you typed. UAG715 User's Guide 461
  • ZyXEL UAG715 | User Guide - Page 462
    Table 185 Configuration > System > TELNET (continued) LABEL # DESCRIPTION This is the index number of the service control rule. Zone Address Action Apply Reset The entry with a hyphen (-) instead of a number is the access can come. Figure 319 Configuration > System > FTP 462 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 463
    Service Control table to access the UAG using this service. Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. Server Port Server Certificate Service service if needed, however you must use the same port number in order to use that service service supports
  • ZyXEL UAG715 | User Guide - Page 464
    managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is events. 39.11.1 Supported MIBs The UAG supports MIB II that is defined in RFC-1213 and RFC-1215. The UAG also supports private MIBs (private zyxel.com. 464 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 465
    that matches the IP address(es) in the Service Control table to access the UAG using this service. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. UAG715 User's Guide 465
  • ZyXEL UAG715 | User Guide - Page 466
    > System > SNMP (continued) LABEL Get Community Set Community Trap Community Destination Service Control Add Edit Remove Move # DESCRIPTION Enter the Get Community, which is the password for the incoming UAG. Click Reset to return the screen to its last-saved settings. 466 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 467
    . Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the UAG e-mail you system statistics every day. UAG715 User's Guide 467
  • ZyXEL UAG715 | User Guide - Page 468
    Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server. 468 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 469
    more serious attention, such as system errors and attacks. The UAG provides a system log and supports e-mail profiles and remote syslog servers. View the system log in the MONITOR > Log screen. Summary To access this screen, click Configuration > Log & Report > Log Setting. UAG715 User's Guide 469
  • ZyXEL UAG715 | User Guide - Page 470
    to open the Active Log Summary Edit screen. Click this button to save your changes (activate and deactivate logs) and make them take effect. 470 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 471
    Summary screen (see Section 40.3.1 on page 469), and click the system log Edit icon. Figure 324 Configuration > Log & Report > Log Setting > Edit (System Log) UAG715 User's Guide 471
  • ZyXEL UAG715 | User Guide - Page 472
    mark) - e-mail log messages for all categories to e-mail server 1. enable alert logs (red exclamation point) - e-mail alerts for all categories to e-mail server 1. 472 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 473
    to a connected USB storage device. Go to the Log Setting Summary screen (see Section 40.3.1 on page 469), and click the USB storage Edit icon. UAG715 User's Guide 473
  • ZyXEL UAG715 | User Guide - Page 474
    Chapter 40 Log and Report Figure 325 Configuration > Log & Report > Log Setting > Edit (USB Storage) 474 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 475
    log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 40.3.1 on page 469), and click a remote server Edit icon. UAG715 User's Guide 475
  • ZyXEL UAG715 | User Guide - Page 476
    Chapter 40 Log and Report Figure 326 Configuration > Log & Report > Log Setting > Edit (Remote Server) 476 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 477
    names). To access this screen, go to the Log Settings Summary screen (see Section 40.3.1 on page 469), and click the Active Log Summary button. UAG715 User's Guide 477
  • ZyXEL UAG715 | User Guide - Page 478
    and debug logs (yellow check mark) - create log messages, alerts, and debugging information for all categories and save them to a connected USB storage device. 478 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 479
    point) for the e-mail settings specified in E-Mail Server 1. The UAG does not e-mail debugging information, even if it is recorded in the System log. UAG715 User's Guide 479
  • ZyXEL UAG715 | User Guide - Page 480
    Click this to save your changes and return to the previous screen. Click this to return to the previous screen without saving your changes. 480 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 481
    the configuration file does not include. When you run a shell script, the UAG only applies the commands that it contains. Other settings do not change. UAG715 User's Guide 481
  • ZyXEL UAG715 | User Guide - Page 482
    which is also identical to the way you run CLI commands manually. An example is shown below. Figure 328 Configuration File / Shell # enable Telnet access (not enabled by default, unlike other services) ip telnet server # open WAN-to-Device firewall for TW_TEAM command mode. 482 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 483
    your configuration file before making further configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. UAG715 User's Guide 483
  • ZyXEL UAG715 | User Guide - Page 484
    a log for any errors. Figure 329 Maintenance > File Manager > Configuration File Do not turn off the UAG while configuration file upload is in progress. 484 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 485
    row to select it and click Remove to delete it from the UAG. You can only delete manually saved configuration files. You cannot delete the systemdefault.conf, startup-config.conf and lastgood.conf files. close the screen without saving a duplicate of the configuration file. UAG715 User's Guide 485
  • ZyXEL UAG715 | User Guide - Page 486
    . The total number of configuration files that you can save depends on the sizes of the configuration files and the available flash storage space. 486 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 487
    if you need to recover the firmware. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. Find the firmware package at www.zyxel.com in a file that (usually) uses the system model name with a .bin
  • ZyXEL UAG715 | User Guide - Page 488
    in the Dashboard screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen. 488 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 489
    , the changes will be lost when the UAG restarts. You could use multiple write commands in a long script. Figure 337 Maintenance > File Manager > Shell Script UAG715 User's Guide 489
  • ZyXEL UAG715 | User Guide - Page 490
    (in KB) of a shell script file. This column displays the date and time that the individual shell script files were last changed or saved. 490 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 491
    ... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process. This process may take up to several minutes. UAG715 User's Guide 491
  • ZyXEL UAG715 | User Guide - Page 492
    an easy way for you to generate a file containing the UAG's configuration and diagnostic information. You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics to open the Diagnostic screen. Figure 340 Maintenance > Diagnostics UAG715 User's Guide 492
  • ZyXEL UAG715 | User Guide - Page 493
    in a connected USB storage device. You may need to send these files to customer support for troubleshooting. Figure 341 Maintenance > Diagnostics > Files The following table describes the labels in this column displays the date and time that the individual files were saved. UAG715 User's Guide 493
  • ZyXEL UAG715 | User Guide - Page 494
    traffic going through the UAG's interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New packets. Select any to capture packets for all types of traffic. 494 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 495
    the UAG. Status: Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the the USB storage device. The available storage capacity also displays. service deactivated - the USB storage feature is disabled and the UAG UAG715 User's Guide 495
  • ZyXEL UAG715 | User Guide - Page 496
    asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. 496 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 497
    process terminates abnormally (crashes). You may need to send this file to customer support for troubleshooting. Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure . You may need to send these files to customer support for troubleshooting. UAG715 User's Guide 497
  • ZyXEL UAG715 | User Guide - Page 498
    . The files are in comma separated value (csv) format. You can download them to your computer and open them in a tool like Microsoft's Excel. 498 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 499
    . Size This column displays the size (in bytes) of a file. Last Modified This column displays the date and time that the individual files were saved. UAG715 User's Guide 499
  • ZyXEL UAG715 | User Guide - Page 500
    settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems. 43.1.1 What You Can Do in this Chapter • Use the Routing Status screen (see corresponding action and does not perform any further flow checking. UAG715 User's Guide 500
  • ZyXEL UAG715 | User Guide - Page 501
    Chapter 43 Packet Flow Explore Figure 347 Maintenance > Packet Flow Explore > Routing Status (Direct Route) Figure 348 Maintenance > Packet Flow Explore > Routing Status (Policy Route) Figure 349 Maintenance > Packet Flow Explore > Routing Status (VPN 1-1 Mapping Route) UAG715 User's Guide 501
  • ZyXEL UAG715 | User Guide - Page 502
    Chapter 43 Packet Flow Explore Figure 350 Maintenance > Packet Flow Explore > Routing Status (1-1 SNAT) Figure 351 Maintenance > Packet Flow Explore > Routing Status (SiteToSite VPN) Figure 352 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN) 502 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 503
    Chapter 43 Packet Flow Explore Figure 353 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route) Figure 354 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 355 Maintenance > Packet Flow Explore > Routing Status (Main Route) UAG715 User's Guide 503
  • ZyXEL UAG715 | User Guide - Page 504
    this is a dynamic route learned through RIP • G - the route is to a gateway (router) in the same network. • ! - this is a route which forces a route lookup to packets are transmitted. Service This is the name of the service object. any means all services. DSCP Code This is UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 505
    command. Note: Once a packet matches the criteria of an SNAT rule, the UAG takes the corresponding action and does not perform any further flow checking. UAG715 User's Guide 505
  • ZyXEL UAG715 | User Guide - Page 506
    Chapter 43 Packet Flow Explore Figure 356 Maintenance > Packet Flow Explore > SNAT Status (Policy Route SNAT) Figure 357 Maintenance > Packet Flow Explore > SNAT Status (VPN 1-1 Mapping Route) Figure 358 Maintenance > Packet Flow Explore > SNAT Status (1-1 SNAT) 506 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 507
    it is not associated with any entry. Source This is the original source IP address(es). Destination This is the original destination IP address(es). UAG715 User's Guide 507
  • ZyXEL UAG715 | User Guide - Page 508
    UAG uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. 508 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 509
    not appear, type the IP address of the device in your Web browser. You can also use the CLI command reboot to restart the UAG. UAG715 User's Guide 509
  • ZyXEL UAG715 | User Guide - Page 510
    , click Maintenance > Shutdown. Figure 362 Maintenance > Shutdown Click the Shutdown button to shut down the UAG. Wait for the device to shut down before you manually turn off or remove the power. It does not turn off the power. You can also use the CLI command shutdown to shut down the UAG
  • ZyXEL UAG715 | User Guide - Page 511
    Troubleshooting This chapter offers some suggestions to solve problems , you may have a hardware problem. In this case, you should .1.1 etc.; see your User's Guide for details). • If you've have a terminal emulation communications program (such as (such as a DSL modem) is working properly. •
  • ZyXEL UAG715 | User Guide - Page 512
    Chapter 46 Troubleshooting The content filter category service is not working. • Make sure your UAG has the content filter category service registered and that the license is not expired. Purchase a new Ethernet interface or virtual VLAN interface on an Ethernet interface. 512 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 513
    Chapter 46 Troubleshooting You cannot set up a PPP interface, 's configured ingress bandwidth limit. At the time of writing, the UAG does not support ingress bandwidth management. I uploaded a custom signature file and now all of my may affect the UAG's performance. UAG715 User's Guide 513
  • ZyXEL UAG715 | User Guide - Page 514
    Troubleshooting The UAG routes and applies SNAT for traffic from some interfaces but not from others. The UAG automatically uses SNAT for traffic it routes from internal interfaces to external interfaces. For example LAN to WAN traffic. You must manually incoming service. I routers UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 515
    Troubleshooting I cannot set up an IPSec VPN tunnel to another device. If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into both ZyXEL IPSec routers protocol 50. • The UAG supports UDP port 500 and UDP UAG715 User's Guide 515
  • ZyXEL UAG715 | User Guide - Page 516
    46 Troubleshooting • If you set up a VPN tunnel across the Internet, make sure your ISP supports AH or ESP (whichever you are using). • If you have the UAG and remote IPSec router use certificates to authenticate each other, You must set up the certificates for the UAG and remote IPSec router first
  • ZyXEL UAG715 | User Guide - Page 517
    Chapter 46 Troubleshooting The UAG fails to authenticate the ext-user user accounts I configured. An external server such as AD, Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form. UAG715 User's Guide 517
  • ZyXEL UAG715 | User Guide - Page 518
    Chapter 46 Troubleshooting • Binary PKCS#12: This is a default. I cannot access the UAG from a computer connected to the Internet. Check the service control rules and to-UAG firewall rules. I uploaded a logo to display on the upper "!" to have the UAG exit sub command mode. 518 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 519
    Chapter 46 Troubleshooting • Include write commands in your scripts. Otherwise the changes will be lost when the UAG restarts. You could use multiple configuration. If you want to reboot the device without changing the current configuration, see Chapter 44 on page 509. UAG715 User's Guide 519
  • ZyXEL UAG715 | User Guide - Page 520
    Chapter 46 Troubleshooting 1 Make sure the SYS LED is on and not blinking. 2 Press able to access the UAG using the default settings. 46.2 Getting More Troubleshooting Help Search for support information for your model at www.zyxel.com for more troubleshooting suggestions. 520 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 521
    instruction manual, may cause harmful interference to radio communications zyxel.com to view this product's documentation and certifications. ZyXEL Limited Warranty ZyXEL /or the authorized ZyXEL local distributor for /or materials, ZyXEL will, at at the discretion of ZyXEL. This warranty shall not
  • ZyXEL UAG715 | User Guide - Page 522
    [email protected] to get it. Safety Warnings • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. • Do NOT store things on the device. • Do NOT install, use, or service UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 523
    RoHS Appendix A Legal Information UAG715 User's Guide 523
  • ZyXEL UAG715 | User Guide - Page 524
    Appendix A Legal Information 524 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 525
    389 search time limit 386 AAA server 382 AD 383 and users 356 directory service 382 LDAP 382, 383 local user database 383 RADIUS 382, 383, 387 224 multiple logins 364 see also users 355 Web Configurator 365 UAG715 User's Guide Index Index access users, see also force user authentication policies
  • ZyXEL UAG715 | User Guide - Page 526
    admin user troubleshooting 517 admin 330 bare byte encoding 331 526 base36-encoding 331 Denial of Service (DoS) 259 directory traversal 331 double-encoding 331 IIS- 444 create 391 example 390 authentication policy exceptional services 227 authentication type 50, 413 Authentication, Authorization,
  • ZyXEL UAG715 | User Guide - Page 527
    CEF (Common Event Format) 470, 477 cellular status 84 certificate troubleshooting 517 Certificate Authority (CA) see certificates Certificate Management Protocol (CMP) 401 Certificate Revocation List (CRL) 395 certificates 394 UAG715 User's Guide Index advantages of 395 and CA 395 and FTP 463 and
  • ZyXEL UAG715 | User Guide - Page 528
    firewall behavior 240 Denial of Service (Dos) attacks 259 DES 273 device access troubleshooting 511 DHCP 139, 428 and DNS servers 140 and domain name 428 and interfaces 139 client list 70 pool 140 static DHCP 140 diagnostics 492, 497 Diffie-Hellman key group 274 DiffServ 163 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 529
    see DSA direct routes 156 directory 382 directory service 382 file structure 383 directory traversal attack troubleshooting 517 E EGP (Exterior Gateway Protocol) 327 e-mail daily statistics report 467 Encapsulating Security Payload, see ESP encapsulation and active protocol 278 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 530
    NAT 243 and port triggering 160, 514 and schedules 229, 245, 312, 314 and service groups 246 and service objects 374 and services 246 and SIP (ALG) 210 and SMTP redirect 206 and user groups 245, 248 and and interfaces 204 and policy routes 202 packet flow 202 troubleshooting 514 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 531
    Peer Detection (DPD) 271 Diffie-Hellman key group 274 encryption algorithms 273 extended authentication 276 UAG715 User's Guide Index ID type 274 IP address, remote IPSec router 272 IP address, ZyXEL device 272 local identity 275 main mode 272, 275 NAT traversal 276 negotiation mode 272 password
  • ZyXEL UAG715 | User Guide - Page 532
    troubleshooting IP protocols 373 and service objects 374 ICMP, see troubleshooting policy 259 manual key remote IPSec router 253 remote manual keys) manual keys) 279 local policy 277 manual Parameter Index (SPI) (manual keys) 279 see also troubleshooting 515 ISP account CHAP 413 CHAP/PAP 413
  • ZyXEL UAG715 | User Guide - Page 533
    balancing 143 algorithms 144, 149, 151 least load first 145 round robin 145 UAG715 User's Guide see also trunks 143 session-oriented 144 spillover 146 weighted round robin 145 local user database 383 log troubleshooting 518 log messages categories 473, 475, 477, 478, 479 debugging 93 regular 93
  • ZyXEL UAG715 | User Guide - Page 534
    Index manual key IPSec 259 MD5 273 memory usage 66, 68 Message Digest 5, 286 AAA server 382 addresses and address groups 368 authentication method 390 certificates 394 schedules 378 services and service groups 373 SSL application 414 users, user groups 355 obsolete-options attack 332 Open Shortest
  • ZyXEL UAG715 | User Guide - Page 535
    areas 168 types of 167 OSPF routers 168 area border (ABR) 169 troubleshooting 519 packet captures downloading files 493, 496, 498, 499 PAP (Password Authentication Protocol) 413 Password Authentication Protocol (PAP) 413 UAG715 User's Guide 159, 312, 314 and service objects 374 and SMTP redirect
  • ZyXEL UAG715 | User Guide - Page 536
    356 user attributes 367 RADIUS server troubleshooting 516 RDP 414 Real-time Transport Protocol, see RTP RealVNC 414 reboot 509 vs reset 509 Reference Guide, CLI 2 registration 97 and content filtering 337, 339, 342 product 522 subscription services, see subscription services reject (IDP) both 326
  • ZyXEL UAG715 | User Guide - Page 537
    101 services 373 and firewall 246 and port triggering 160 subscription 97 Session Initiation Protocol, see SIP session limits 241, 246 sessions 80 sessions usage 66, 69 SHA1 273 shell script troubleshooting 518 shell scripts 481 and users 367 downloading 490 editing 489 how applied 482 UAG715 User
  • ZyXEL UAG715 | User Guide - Page 538
    206 and interfaces 208 and policy routes 206 packet flow 206 smurf attack 328 SNAT 163 troubleshooting 514 SNMP 463, 464 agents 464 and address groups 466 and address objects 466 and connections 414 see also SSL 285 troubleshooting 516 weblink 415 stac compression 413 538 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 539
    330 decoy portscan 327 distributed portscan 328 UAG715 User's Guide Index port numbers 373 portscan 327 troubleshooting 518 TightVNC 414 time 429 time servers (default) 432 to-Device firewall 240 and NAT 191 and NAT traversal (VPN) 515 and OSPF 167 and remote management 240 and RIP 166 and service
  • ZyXEL UAG715 | User Guide - Page 540
    SSL user screens 295, 299 user sessions, see sessions user SSL screens 295, 299 access methods 295 bookmarks 300 certificates 296 login 296 logout 301 UAG715 User's Guide
  • ZyXEL UAG715 | User Guide - Page 541
    158, 159, 312, 314 and RADIUS 356 and service control 440 and shell scripts 367 attributes for Ext-User UAG715 User's Guide Virtual Local Area Network, see VLAN. Virtual Network Computing see VNC Virtual Private Network, see VPN VLAN 121 advantages 122 and MAC address 121 ID 121 troubleshooting
  • ZyXEL UAG715 | User Guide - Page 542
    22 access 23 access users 365 requirements 22 supported browsers 22 web features ActiveX 352 cookies 352 Java round robin (for load balancing) 145 Windows Internet Naming Service, see WINS Windows Internet Naming Service, see WINS. Windows Remote Desktop 414 WINS 113, 127 177 UAG715 User's Guide

Quick Start Guide
www.zyxel.com
UAG715
Unified Access Gateway
Version 2.50
Edition 1, 08/2012
Copyright © 2012 ZyXEL Communications Corporation
User’s Guide
Default Login Details
LAN IP Address
User Name
admin
Password
1234