ISG50 Integrated Service Gateway

Default Login Details
LAN IP Address: https://192.168.1.1
User Name: admin
Password: 1234

IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.

Version 2.30 Edition 3, 05/2012
www.zyxel.com
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate.
PART I User’s Guide
CHAPTER 1 Introducing the ISG50

This chapter gives an overview of the ISG50. It explains the front panel ports and LEDs, introduces the management methods, and lists different ways to start or stop the ISG50.

1.1 Overview

The ISG50 combines an IP PBX with powerful routing and security features. Its flexible configuration helps network administrators set up the network and enforce security policies efficiently, making it an ideal solution for reliable, secure voice and data service.

1.1.
company can call each other by dialing extensions. Calls to the outside world go through the IP PBX to the PSTN, ITSP, or ISDN.

Figure 1 IP PBX Example

The ISG50 can function as a stand-alone telephone switchboard for a small organization. It can also supplement a legacy PBX within an organization by providing VoIP telephony features. See Chapter 2 on page 37 for a more detailed overview of the ISG50’s features.

1.1.
1.1.3.1 All-in-one

Use the ISG50 to provide VoIP and security services.

Figure 2 All-in-one Application Scenario

VoIP Services:
• VoIP phones and smartphones can make internal calls and external calls.
• Least Cost Routing (LCR) dialing rules put calls through the appropriate outbound line. Long distance calls (to C in the figure) use VoIP and local calls (to D) use PSTN or ISDN.
provides the VoIP services listed in the previous scenario, and the USG provides the security services. Here is an example.

Figure 3 DMZ Installation

1.1.3.3 Parallel to a USG

Connect the ISG50 to the Internet and a USG model’s LAN to give the VoIP a physically separate Internet connection to keep bursts of data traffic from impacting voice quality.
1.1.3.4 N-site

In addition to one of the application scenarios already described, you can also use site-to-site VPNs to connect ISG50s at multiple locations. This allows peer to peer VoIP calling and faxes over IP without using an ITSP and remote dial-out to make local calls in different areas.
Use a #2 Phillips screwdriver to install the screws.

Note: Failure to use the proper screws may damage the unit.

1.2.1 Rack-Mounted Installation Procedure

1 Align one bracket with the holes on one side of the ISG50 and secure it with the included bracket screws (smaller than the rack-mounting screws).
2 Attach the other bracket in a similar fashion.
Connect the frame ground before you connect any other cables or wiring.

Figure 8 Frame Ground

1.4 Front Panel

This section introduces the ISG50’s front panel.

Figure 9 ISG50-PSTN Front Panel
Figure 10 ISG50-ISDN Front Panel

1.4.1 Front Panel LEDs

The following table describes the LEDs.

Table 1 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR | | Off | The ISG50 is turned off.
PWR | Green | On | The ISG50 is turned on.
PWR | Red | On | There is a hardware component failure.
SYS | | |
Table 1 Front Panel LEDs (continued)
LED (COLOR): WAN P1/P2 (Green, Yellow); LAN/DMZ P3~P5 (Green, Yellow); FXO (Green); BRI (Green); FXS (Green)
STATUS | DESCRIPTION
Off | There is no traffic on this port.
On | The Ethernet port has a successful 10/100M connection but is not sending or receiving packets.
Blinking | The ISG50 is sending or receiving packets on this port through a 10/100M connection.
Web Configurator

The Web Configurator allows easy ISG50 setup and management using an Internet browser. This User’s Guide provides information about the Web Configurator.

Figure 11 Managing the ISG50: Web Configurator

Command-Line Interface (CLI)

The CLI allows you to use text-based commands to configure the ISG50. You can access it using remote management (for example, SSH or Telnet) or via the console port.
Always use Maintenance > Shutdown > Shutdown or the shutdown command before you turn off the ISG50 or remove the power. Not doing so can cause the firmware to become corrupt.

Table 3 Starting and Stopping the ISG50
METHOD | DESCRIPTION
Turning on the power | A cold start occurs when you turn on the power to the ISG50. The ISG50 powers up, checks the hardware, and starts the system processes.
CHAPTER 2 Features and Applications

This chapter introduces the main features and applications of the ISG50.

2.1 Features

Voice over Internet Protocol (VoIP) Implementation

The ISG50 uses SIP (Session Initiation Protocol) to communicate with other SIP devices. SIP is an internationally-recognized standard for implementing Voice over Internet Protocol (VoIP). The following figure shows SIP devices communicating with the ISG50.
F: SIP Servers - Servers (D) located at your Internet Telephony Service Provider (ITSP) which process outgoing calls from the ISG50 and direct them to IP phones on the Internet or traditional phones on the PSTN.

Figure 12 SIP Devices and the ISG50

PBX Telephony Features

The ISG50 allows you to set up and manage features on an internal telephone network without relying on your telephone service provider.
• B - Connecting several ISG50s together to manage a larger telephone network.

Figure 13 Scalable Design

Automatic Call Distribution

Automatic Call Distribution (ACD) allows you to distribute incoming calls to specific groups of phones connected to your telephone network. Distributed calls can then be sent to individual people based on assigned skill sets. This is known as Skill-Based Routing (SBR).
Set up multiple connections to the Internet on the same port, or set up multiple connections on different ports. In either case, you can balance the loads between them.

Figure 14 Applications: Multiple WAN Interfaces

Virtual Private Networks (VPN)

Use IPSec VPN to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for communication. The ISG50 also offers hub-and-spoke IPSec VPN.
travelers to provide secure access to your network. You can also set up additional connections to the Internet to provide better service.

Figure 15 Applications: VPN Connectivity

Flexible Security Zones

Many security settings are made by zone, not by interface, port, or network. As a result, it is much simpler to set up and to change security settings in the ISG50. You can create your own custom zones. You can add interfaces and VPN tunnels to zones.
User-Aware Access Control

Set up security policies that restrict access to sensitive information and shared resources based on the user who is trying to access it.

Figure 16 Applications: User-Aware Access Control

Firewall

The ISG50’s firewall is a stateful inspection firewall. The ISG50 restricts access by screening data packets against defined access rules. It can also inspect sessions.
CHAPTER 3 Web Configurator

The ISG50 Web Configurator allows easy ISG50 setup and management using an Internet browser.

3.1 Web Configurator Requirements

In order to use the Web Configurator, you must
• Use Internet Explorer 7 or later, or Firefox 1.5 or later
• Allow pop-up windows (blocked by default in Windows XP Service Pack 2)
• Enable JavaScript (enabled by default)
• Enable Java permissions (enabled by default)
• Enable cookies

The recommended screen resolution is 1024 x 768 pixels.

3.
3 Type the user name (default: “admin”) and password (default: “1234”). If your account is configured to use an ASAS authentication server, use the OTP (One-Time Password) token to generate a number. Enter it in the One-Time Password field. The number is only good for one login. You must use the token to generate a new number the next time you log in.
4 Click Login.
3.3 Web Configurator Screens Overview

Figure 19 Dashboard

The Web Configurator screen is divided into these parts (as illustrated in Figure 19 on page 45):
• A - title bar
• B - navigation panel
• C - main window

3.3.1 Title Bar

The title bar provides some icons in the upper right corner.

Figure 20 Title Bar

The icons provide the following functions.

Table 4 Title Bar: Web Configurator Icons
LABEL | DESCRIPTION
Logout | Click this to log out of the Web Configurator.
Table 4 Title Bar: Web Configurator Icons (continued)
LABEL | DESCRIPTION
Object Reference | Click this to open a screen where you can check which configuration items reference an object.
Console | Click this to open the console in which you can use the command line interface (CLI). See the CLI Reference Guide for details on the commands.
CLI | Click this to open a popup window that displays the CLI commands sent by the Web Configurator.

3.3.1.
drag it to resize them. The following sections introduce the ISG50’s navigation panel menus and their screens.

Figure 22 Navigation Panel

3.3.2.1 Dashboard

The dashboard displays general device information, system status, system resource usage, licensed service status, and interface status in widgets that you can re-arrange to suit your needs. See Chapter 9 on page 185 for details on the dashboard.

3.3.2.
Table 6 Monitor Menu Screens Summary (continued)
FOLDER OR LINK | FUNCTION
BRI Trunk | Displays status information about ISDN BRI outbound line groups configured on the ISG50.
ACD Queue | Monitor phone call activity for Automatic Call Distribution (ACD) agents.
System Log | Lists system log entries.
Call Recording | Listen to or delete call recordings on the ISG50.
CDR | Query the CDR database.
Log |

3.3.2.
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
VPN
IPSec VPN | VPN Connection | Configure IPSec tunnels.
IPSec VPN | VPN Gateway | Configure IKE tunnels.
BWM | | Control bandwidth for services passing through the ISG50.
Anti-X
ADP | General | Display and manage ADP bindings.
ADP | Profile | Create and manage ADP profiles.
SIP Server | Configure global SIP server settings.
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
Call Service | Auto Callback | Automatically call an extension once it becomes available (ends an existing conversation).
Call Service | Call Park | Allow users to put a call on hold at one extension and pick up the call from another extension in your organization.
Call Service | Call Waiting | Allow users to put a call on hold at one extension and pick up another incoming call.
Table 7 Configuration Menu Screens Summary (continued)
FOLDER OR LINK | TAB | FUNCTION
Address | Address | Create and manage host, range, and network (subnet) addresses.
Address | Address Group | Create and manage groups of addresses.
Service | Service | Create and manage TCP and UDP services.
Service | Service Group | Create and manage groups of services.
Schedule | | Create one-time and recurring schedules.
AAA Server | |
3.3.2.4 Maintenance Menu

Use the maintenance menu screens to manage configuration and firmware files, run diagnostics, and reboot or shut down the ISG50.

Table 8 Maintenance Menu Screens Summary
FOLDER OR LINK | TAB | FUNCTION
File Manager | Configuration File | Manage and upload configuration files for the ISG50.
File Manager | Firmware Package | View the current firmware version and upload firmware.
Diagnostics | |
Packet Flow Explore | |
3.3.3.2 Site Map

Click Site MAP to see an overview of links to the Web Configurator screens. Click a screen’s link to go to that screen.

Figure 24 Site Map

3.3.3.3 Object Reference

Click Object Reference to open the Object Reference screen. Select the type of object and the individual object and click Refresh to show which configuration settings reference the object.
The fields vary with the type of object. The following table describes labels that can appear in this screen.

Table 9 Object References
LABEL | DESCRIPTION
Object Name | This identifies the object for which the configuration settings that use it are displayed. Click the object’s name to display the object’s configuration screen in the main window.
# | This field is a sequential value, and it is not associated with any entry.
1 Click a column heading to sort the table’s entries according to that column’s criteria.

Figure 27 Sorting Table Entries by a Column’s Criteria

2 Click the down arrow next to a column heading for more options about how to display the entries. The options available vary depending on the type of fields in the column.
4 Select a column heading and drag and drop it to change the column order. A green check mark displays next to the column’s title when you drag the column to a valid new location.

Figure 30 Changing the Column Order

5 Use the icons and fields at the bottom of the table to navigate to different pages of entries and control how many entries display at a time.

Figure 31 Navigating Pages of Table Entries

3.3.4.
Table 10 Common Table Icons (continued)
LABEL | DESCRIPTION
Inactivate | To turn off an entry, select it and click Inactivate.
Connect | To connect an entry, select it and click Connect.
Disconnect | To disconnect an entry, select it and click Disconnect.
Object References | Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 12.3.2 on page 246 for an example.
3.3.4.5 iNotes

The iNote icon is a green square with an ‘i’. Hover your cursor over the icon to display information.
CHAPTER 4 Installation Setup Wizard

4.1 Installation Setup Wizard Screens

If you log into the Web Configurator when the ISG50 is using its default configuration, the first Installation Setup Wizard screen displays. This wizard helps you configure Internet connection settings and activate subscription services. This chapter provides information on configuring the Web Configurator's installation setup wizard. See the feature-specific chapters in this User’s Guide for background information.
Note: Enter the Internet access information exactly as your ISP gave it to you.

Figure 36 Internet Access: Step 1

• I have two ISPs: Select this option to configure two Internet connections. Leave it cleared to configure just one. This option appears when you are configuring the first WAN interface.
• Encapsulation: Choose the Ethernet option when the WAN port is used as a regular Ethernet.
Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 37 Internet Access: Ethernet Encapsulation

• Encapsulation: This displays the type of Internet connection you are configuring.
• First WAN Interface: This is the number of the interface that will connect with your ISP.
• Zone: This is the security zone to which this interface and Internet connection will belong.
• IP Address: Enter your (static) public IP address.
4.1.3 Internet Access: PPPoE

Note: Enter the Internet access information exactly as given to you by your ISP.

Figure 38 Internet Access: PPPoE Encapsulation

4.1.3.1 ISP Parameters

• Type the PPPoE Service Name from your service provider. PPPoE uses a service name to identify and reach the PPPoE server. You can use alphanumeric and -_@$./ characters, and it can be up to 64 characters long.
• First / Second DNS Server: These fields display if you selected static IP address assignment. The Domain Name System (DNS) maps a domain name to an IP address and vice versa. Enter a DNS server's IP address(es). The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ISG50 uses these (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Leave the field as 0.
• Select Nailed-Up if you do not want the connection to time out. Otherwise, type the Idle Timeout in seconds that elapses before the router automatically disconnects from the PPTP server.

4.1.5.1 PPTP Configuration

• Base Interface: This identifies the Ethernet interface you configure to connect with a modem or router.
• Type a Base IP Address (static) assigned to you by your ISP.
• Type the IP Subnet Mask assigned to you by your ISP (if given).
4.1.6 Internet Access Setup - Second WAN Interface

If you selected I have two ISPs, after you configure the First WAN Interface, you can configure the Second WAN Interface. The screens for configuring the second WAN interface are similar to the first (see Section 4.1.1 on page 59).
4.1.7 Internet Access - Finish

You have set up your ISG50 to access the Internet. After configuring the WAN interface(s), a screen displays with your settings. If they are not correct, click Back.

Figure 41 Internet Access: Ethernet Encapsulation

Note: If you have not already done so, you can register your ISG50 with myZyXEL.com. Click Next and use the following screen to perform a basic registration (see Section 4.2 on page 66).
Use the Registration > Service screen to update your service subscription status.

Figure 42 Registration

• Select new myZyXEL.com account if you haven’t created an account at myZyXEL.com, then configure the following fields to create an account and register your ISG50.
• Select existing myZyXEL.com account if you already have an account at myZyXEL.com and enter your user name and password in the fields below to register your ISG50.
• Country Code: Select your country from the drop-down box list.
CHAPTER 5 Quick Setup

5.1 Quick Setup Overview

The Web Configurator's quick setup wizards help you configure Internet and VPN connection settings. This chapter provides information on configuring the quick setup screens in the Web Configurator. See the feature-specific chapters in this User’s Guide for background information. In the Web Configurator, click Configuration > Quick Setup to open the first Quick Setup screen.
5.2 WAN Interface Quick Setup

Click WAN Interface in the main Quick Setup screen to open the WAN Interface Quick Setup Wizard Welcome screen. Use these screens to configure an interface to connect to the Internet. Click Next.

Figure 45 WAN Interface Quick Setup Wizard

5.2.1 Choose an Ethernet Interface

Select the Ethernet interface that you want to configure for a WAN connection and click Next.
5.2.2 Select WAN Type

WAN Type Selection: Select the type of encapsulation this connection is to use. Choose Ethernet when the WAN port is used as a regular Ethernet. Otherwise, choose PPPoE or PPTP for a dial-up connection according to the information from your ISP.

Figure 47 WAN Interface Setup: Step 2

The screens vary depending on what encapsulation type you use. Refer to information provided by your ISP to know what to enter in each field.
5.2.3 Configure WAN Settings

Use this screen to select whether the interface should use a fixed or dynamic IP address.

Figure 48 WAN Interface Setup: Step 2

• WAN Interface: This is the interface you are configuring for Internet access.
• Zone: This is the security zone to which this interface and Internet connection belong.
• IP Address Assignment: Select Auto if your ISP did not assign you a fixed IP address. Select Static if the ISP assigned a fixed IP address.

5.2.
Note: Enter the Internet access information exactly as your ISP gave it to you.

Figure 49 WAN and ISP Connection Settings: (PPTP Shown)

The following table describes the labels in this screen.

Table 11 WAN and ISP Connection Settings
LABEL | DESCRIPTION
ISP Parameter | This section appears if the interface uses a PPPoE or PPTP Internet connection.
Encapsulation | This displays the type of Internet connection you are configuring.
Chapter 5 Quick Setup Table 11 WAN and ISP Connection Settings (continued) LABEL DESCRIPTION Retype to Confirm Type your password again for confirmation. Nailed-Up Select Nailed-Up if you do not want the connection to time out. Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. 0 means no timeout. PPTP Configuration This section only appears if the interface uses a PPPoE or PPTP Internet connection.
Chapter 5 Quick Setup 5.2.5 Quick Setup Interface Wizard: Summary This screen displays the WAN interface’s settings. Figure 50 Interface Wizard: Summary WAN (PPTP Shown) The following table describes the labels in this screen. Table 12 Interface Wizard: Summary WAN LABEL DESCRIPTION Encapsulation This displays what encapsulation this interface uses to connect to the Internet. Service Name This field is read-only and only appears for a PPPoE interface.
Chapter 5 Quick Setup 5.3 VPN Quick Setup Click VPN Setup in the main Quick Setup screen to open the VPN Setup Wizard Welcome screen. The VPN wizard creates corresponding VPN connection and VPN gateway settings and address objects that you can use later in configuring more VPN connections or other features. Click Next.
Chapter 5 Quick Setup 5.4 VPN Setup Wizard: Wizard Type A VPN (Virtual Private Network) tunnel is a secure connection to another computer, smartphone, or network. Use this screen to select which type of VPN connection you want to configure. Figure 52 VPN Setup Wizard: Wizard Type Express: Use this wizard to create a VPN connection with another ISG50 using a pre-shared key and default security settings. Advanced: Use this wizard to configure detailed VPN security settings such as using certificates.
Chapter 5 Quick Setup 5.5 VPN Express Wizard - Scenario Click the Express radio button as shown in Figure 52 on page 77 to display the following screen. Figure 53 VPN Express Wizard: Step 2 Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Select the scenario that best describes your intended VPN connection.
Chapter 5 Quick Setup 5.5.1 VPN Express Wizard - Configuration Figure 54 VPN Express Wizard: Step 3 • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario. If this field is configurable, enter the WAN IP address or domain name of the remote IPSec device (secure gateway) to identify the remote IPSec router by its IP address or a domain name. Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address. • Pre-Shared Key: Type the password.
Chapter 5 Quick Setup 5.5.2 VPN Express Wizard - Summary This screen provides a read-only summary of the VPN tunnel’s configuration and also commands that you can copy and paste into another ISG50’s command line interface to configure it. Figure 55 VPN Express Wizard: Step 4 • Rule Name: Identifies the VPN gateway policy. • Secure Gateway: IP address or domain name of the remote IPSec device. If this field displays Any, only the remote IPSec device can initiate the VPN connection.
Chapter 5 Quick Setup 5.5.3 VPN Express Wizard - Finish Now you can use the VPN tunnel. Figure 56 VPN Express Wizard: Finish Note: If you have not already done so, use the myZyXEL.com link and register your ISG50 with myZyXEL.com. Click Close to exit the wizard.
Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Scenario Click the Advanced radio button as shown in Figure 52 on page 77 to display the following screen. Figure 57 VPN Advanced Wizard: Scenario Rule Name: Type the name used to identify this VPN connection (and VPN gateway). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. Select the scenario that best describes your intended VPN connection.
Chapter 5 Quick Setup 5.5.5 VPN Advanced Wizard - Phase 1 Settings There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association). Figure 58 VPN Advanced Wizard: Phase 1 Settings • Secure Gateway: If Any displays in this field, it is not configurable for the chosen scenario.
Chapter 5 Quick Setup • SA Life Time: Set how often the ISG50 renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • NAT Traversal: Select this if the VPN tunnel must pass through NAT (there is a NAT router between the IPSec devices). Note: The remote IPSec device must also have NAT traversal enabled. See the help in the main IPSec VPN screens or the User’s Guide VPN, NAT, and NAT Traversal on page 390 for more information.
• Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is less secure. Select DH1, DH2 or DH5 to enable PFS. DH5 is more secure than DH1 or DH2 (although it may affect throughput). DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1536-bit random number (more secure, yet slower).
Chapter 5 Quick Setup 5.5.8 VPN Advanced Wizard - Finish Now you can use the VPN tunnel. Figure 61 VPN Wizard: Step 6: Advanced Note: If you have not already done so, you can register your ISG50 with myZyXEL.com and activate trials of services. Click Close to exit the wizard.
Chapter 6 Configuration Basics

This information is provided to help you configure the ISG50 effectively. Some of it is helpful when you are just getting started. Some of it is provided for your reference when you configure various features in the ISG50.

• Section 6.2 on page 91 introduces the ISG50’s object-based configuration.
• Section 6.3 on page 92 introduces zones, interfaces, and port groups.
• Section 6.4 on page 94 introduces some terminology and organization for the ISG50.
• Section 6.
Chapter 6 Configuration Basics • FXS (Foreign Exchange Subscriber) Extension - This is an extension assigned to an analog phone directly connected to an FXS port on the ISG50 (See Figure 62 on page 88). The FXS ports on the ISG50 work the same way as the phone sockets in your home. In your home you are a subscriber to the telephone services of your local telephone company and when you connect an analog phone to the ISG50 you subscribe to the telephone services of the ISG50.
Chapter 6 Configuration Basics • Auto-Attendant - This is a feature which routes incoming calls to their proper extension. An auto-attendant is assigned to each outbound line group and it services incoming calls on those lines. If your organization has two outbound line groups, each with a specific telephone number for incoming calls, then you can assign a different auto-attendant for each incoming line.
Chapter 6 Configuration Basics In the most basic setup example an organization has one authority group (with all of the company’s extensions), one outbound line group and an LCR which grants the authority group access to outbound lines. Everyone in the organization has the same rights to use outbound lines.
Chapter 6 Configuration Basics 6.2 Object-based Configuration The ISG50 stores information or settings as objects. You use these objects to configure many of the ISG50’s features and settings. Once you configure an object, you can reuse it in configuring other features. When you change an object’s settings, the ISG50 automatically updates all the settings or rules that use the object. For example, if you create a schedule object, you can have firewall and other settings use it.
Chapter 6 Configuration Basics 6.3 Zones, Interfaces, and Physical Ports Zones (groups of interfaces and VPN tunnels) simplify security settings. Here is an overview of zones, interfaces, and physical ports in the ISG50. Figure 66 Zones, Interfaces, and Physical Ethernet Ports Zones Interfaces WAN wan1 wan2 LAN1 LAN2 lan1 lan2 DMZ dmz Physical Ports Table 13 Zones, Interfaces, and Physical Ethernet Ports Zones (WAN,LAN, DMZ) Interfaces (Ethernet, VLAN,...
Chapter 6 Configuration Basics • Virtual interfaces increase the amount of routing information in the ISG50. There are three types: virtual Ethernet interfaces (also known as IP alias), virtual VLAN interfaces, and virtual bridge interfaces. 6.3.2 Default Interface and Zone Configuration This section introduces the ISG50’s default zone member physical interfaces and the default configuration of those interfaces.
Chapter 6 Configuration Basics 6.4 Terminology in the ISG50 This section highlights some terminology or organization for the ISG50.
• Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN traffic). The ISG50 automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp and cellular interfaces as well as any Ethernet interfaces that are set as external interfaces. Examples of internal interfaces are any Ethernet interfaces that you configure as internal interfaces.
Chapter 6 Configuration Basics 2 Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 14 on page 289 for more on policy routes. 3 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules.
Chapter 6 Configuration Basics 1 SNAT defined in the policy routes. 2 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table. 3 NAT loopback is now included in the NAT table instead of requiring a separate policy route. 4 SNAT is also now performed by default and included in the NAT table. 6.6 Other Features Configuration Overview This section provides information about configuring the main features in the ISG50.
Chapter 6 Configuration Basics 6.6.2 Licensing Registration Use these screens to register your ISG50 and subscribe to services. You must have Internet access to myZyXEL.com. MENU ITEM(S) Configuration > Licensing > Registration PREREQUISITES Internet access to myZyXEL.com 6.6.3 Interface See Section 6.3 on page 92 for background information. Note: When you create an interface, there is no security applied on it until you assign it to a zone.
Chapter 6 Configuration Basics Criteria: users, user groups, interfaces (incoming), IPSec VPN (incoming), addresses (source, destination), address groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, trunks, interfaces NAT: addresses (translated address), services and service groups (port triggering) Example: You have an FTP server connected to P6 (in the DMZ zone).
Chapter 6 Configuration Basics Zones cannot overlap. Each interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run. When you create a zone, the ISG50 does not create any firewall rule or configure remote management for the new zone.
Chapter 6 Configuration Basics 6.6.10 HTTP Redirect Configure this feature to have the ISG50 transparently forward HTTP (web) traffic to a proxy server. This can speed up web browsing because the proxy server keeps copies of the web pages that have been accessed so they are readily available the next time one of your users needs to access that page. The ISG50 does not check to-ISG50 firewall rules for packets that are redirected by HTTP redirect. It does check regular (through-ISG50) firewall rules.
Chapter 6 Configuration Basics To-ISG50 firewall rules control access to the ISG50. Configure to-ISG50 firewall rules for remote management. By default, the firewall only allows management connections from the LAN or WAN zone. MENU ITEM(S) Configuration > Firewall PREREQUISITES Zones, schedules, users, user groups, addresses (source, destination), address groups (source, destination), services, service groups Example: Suppose you have a SIP proxy server connected to the DMZ zone for VoIP calls.
Chapter 6 Configuration Basics Examples: Suppose you want to give a user named Bob FTP access but with a limited download speed of 200 kbps from LAN (FTP client) to WAN (FTP server). 1 Create user account for Bob. 2 Click BWM > Add New Policy. Select the user account that you created for Bob. 3 Select from LAN zone to WAN zone (default). 4 Set BWM inbound value to 200kbps and keep the default values for all other fields. 6.6.
Chapter 6 Configuration Basics 6.7.1 User/Group Use these screens to configure the ISG50’s administrator and user accounts. The ISG50 provides the following user types.
Chapter 6 Configuration Basics 3 Click Configuration > System > WWW to configure the HTTP management access. Enable HTTPS and add an administrator service control entry. • Select the address object for the administrator’s computer. • Select the WAN zone. • Set the action to Accept. 6.8.2 Logs and Reports The ISG50 provides a system log, offers two e-mail profiles to which to send log messages, and sends information to four syslog servers. It can also e-mail you statistical reports on a daily basis.
Chapter 7 General Tutorials

Here are examples of using the Web Configurator to configure general settings in the ISG50. See Chapter 8 on page 135 for how to configure PBX settings.

Note: The tutorials featured here require a basic understanding of connecting to and using the Web Configurator; see Chapter 3 on page 43 for details. For field descriptions of individual screens, see Technical Reference on page 183.

7.
Chapter 7 General Tutorials 7.1.1 Configure a WAN Ethernet Interface You need to assign the ISG50’s wan1 interface a static IP address of 1.2.3.4. Click Configuration > Network > Interface > Ethernet and double-click the wan1 interface’s entry. Select Use Fixed IP Address and configure the IP address, subnet mask, and default gateway settings and click OK. Figure 72 Configuration > Network > Interface > Ethernet > Edit wan1 7.1.
2 Select WIZ_VPN and move it to the Member box and click OK.

Figure 74 Configuration > Network > Zone > IPSec_VPN Edit

7.2 How to Configure a Cellular Interface

Use 3G cards for cellular WAN (Internet) connections. See www.zyxel.com for a list of the compatible 3G devices. In this example you connect the 3G USB card before you configure the cellular interfaces, but it is also possible to reverse the sequence.

1 Make sure the 3G device’s SIM card is installed.
Chapter 7 General Tutorials Figure 76 Configuration > Network > Interface > Cellular > Edit Note: The Network Selection is set to Auto by default. This means that the 3G USB modem may connect to another 3G network when your service provider is not in range or when necessary. Select Home to have the 3G device connect only to your home network or local service provider. This prevents you from being charged using the rate of a different ISP. 5 Go to the Dashboard.
Chapter 7 General Tutorials To fine-tune the load balancing configuration, see Chapter 13 on page 281. See also Section 7.3 on page 111 for an example. 7.3 How to Configure Load Balancing This example shows how to configure a trunk for two WAN connections (to the Internet). The available bandwidth for the connections is 1Mbps (wan1) and 512 Kbps (wan2) respectively. As these connections have different bandwidth, use the Weighted Round Robin algorithm to send traffic to wan1 and wan2 in a 2:1 ratio.
Chapter 7 General Tutorials Figure 79 Configuration > Network > Interface > Ethernet > Edit (wan1) 2 Repeat the process to set the egress bandwidth for wan2 to 512 Kbps. 7.3.2 Configure the WAN Trunk 1 Click Configuration > Network > Interface > Trunk. Click the Add icon. 2 Name the trunk and set the Load Balancing Algorithm field to Weighted Round Robin. Add wan1 and enter 2 in the Weight column. Add wan2 and enter 1 in the Weight column. Click OK.
Chapter 7 General Tutorials Figure 80 Configuration > Network > Interface > Trunk > Add 3 Select the trunk as the default trunk and click Apply. Figure 81 Configuration > Network > Interface > Trunk 7.4 How to Set Up an IPSec VPN Tunnel This example shows how to use the IPSec VPN configuration screens to create the following VPN tunnel, see Section 5.4 on page 77 for details on the VPN quick setup wizard.
Figure 82 VPN Example

In this example, the ISG50 is router X (1.2.3.4), and the remote IPSec router is router Y (2.2.2.2). Create the VPN tunnel between ISG50 X’s LAN subnet (192.168.1.0/24) and the LAN subnet behind peer IPSec router Y (172.16.1.0/24).

7.4.1 Set Up the VPN Gateway

The VPN gateway manages the IKE SA.
Chapter 7 General Tutorials Figure 83 Configuration > VPN > IPSec VPN > VPN Gateway > Add 7.4.2 Set Up the VPN Connection The VPN connection manages the IPSec SA. You have to set up the address objects for the local network and remote network before you can set up the VPN connection. 1 Click Configuration > Object > Address. Click the Add icon. 2 Give the new address object a name (“VPN_REMOTE_SUBNET”), change the Address Type to SUBNET. Set up the Network field to 172.16.1.0 and the Netmask to 255.
Chapter 7 General Tutorials 4 Enable the VPN connection and name it (“VPN_CONN_EXAMPLE”). Under VPN Gateway select Site-to-site and the VPN gateway (VPN_GW_EXAMPLE). Under Policy, select LAN1_SUBNET for the local network and VPN_REMOTE_SUBNET for the remote. Click OK. Figure 85 Configuration > VPN > IPSec VPN > VPN Connection > Add 5 Now set up the VPN settings on the peer IPSec router and try to establish the VPN tunnel.
Chapter 7 General Tutorials example that does not include priorities for different types of traffic. See Chapter 25 on page 397 for more on bandwidth management.
Chapter 7 General Tutorials 7.5.2 Set Up User Groups Set up the user groups and assign the users to the user groups. 1 Click Configuration > Object > User/Group > Group. Click the Add icon. 2 Enter the name of the group that is used in the example in Table 18 on page 117. In this example, it is “Finance”. Then, select User/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.
Chapter 7 General Tutorials Figure 88 Configuration > Object > AAA Server > RADIUS > Add 2 Click Configuration > Object > Auth. method. Double-click the default entry. Click the Add icon. Select group radius because the ISG50 should use the specified RADIUS server for authentication. Click OK. Figure 89 Configuration > Object > Auth. method > Add 3 Click Configuration > Auth. Policy. In the Authentication Policy Summary section, click the Add icon.
Chapter 7 General Tutorials Figure 90 Configuration > Object > User/Group > Setting > Add (Force User Authentication Policy) When the users try to browse the web (or use any HTTP/HTTPS application), the Login screen appears. They have to log in using the user name and password in the RADIUS server. 7.6 How to Use a RADIUS Server to Authenticate User Accounts Based on Groups The previous example showed how to have a RADIUS server authenticate individual user accounts.
Chapter 7 General Tutorials Figure 91 Configuration > Object > AAA Server > RADIUS > Add 2 Now you add ext-group-user user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon. Enter a user name and set the User Type to ext-group-user.
Chapter 7 General Tutorials 7.7 How to Use Authentication Policies Here is how to use authentication policies to make sure that users log in before they are allowed to access the network. 7.7.1 Configure the Authentication Policy Click Configuration > Auth. Policy and then the Authentication Policy Summary’s Add icon to open the Auth. Policy Edit screen. Use this screen to configure an authentication policy. • Enable the policy and name it.
Chapter 7 General Tutorials Figure 94 Configuration > Auth. Policy 7.8 How to Configure Service Control Service control lets you configure rules that control HTTP and HTTPS management access (to the Web Configurator) and separate rules that control HTTP and HTTPS user access. See Chapter 52 on page 665 for more on service control. The To-ISG50 firewall rules apply to any kind of HTTP or HTTPS connection to the ISG50. They do not distinguish between administrator management access and user access.
Figure 95 Configuration > System > WWW

3 In the Zone field select LAN1 and click OK.

Figure 96 Configuration > System > WWW > Service Control Rule Edit

4 Select the new rule and click the Add icon.

Figure 97 Configuration > System > WWW (First Example Admin Service Rule Configured)

5 In the Zone field select ALL and set the Action to Deny. Click OK.
Chapter 7 General Tutorials Figure 98 Configuration > System > WWW > Service Control Rule Edit 6 Click Apply. Figure 99 Configuration > System > WWW (Second Example Admin Service Rule Configured) Now administrator access to the Web Configurator can only come from the LAN1 zone. Non-admin users can still use HTTPS to log into the ISG50 from any of the ISG50’s zones. 7.9 How to Allow Incoming H.323 Peer-to-peer Calls Suppose you have a H.
Figure 100 WAN to LAN H.323 Peer-to-peer Calls Example

7.9.1 Turn On the ALG

Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable H.323 transformations and click Apply.

Figure 101 Configuration > Network > ALG

7.9.2 Set Up a NAT Policy For H.323

In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic received on the ISG50’s 10.0.0.8 WAN IP address to LAN1 IP address 192.168.1.56.
Chapter 7 General Tutorials Figure 102 Create Address Objects 2 Click Configuration > Network > NAT > Add. Configure a name for the rule (WAN-LAN_H323 here). You want the LAN H.323 device to receive peer-to-peer calls from the WAN and also be able to initiate calls to the WAN so you set the Classification to NAT 1:1. Set the Incoming Interface to wan1. Set the Original IP to the WAN address object (WAN_IP-for-H323). Set the Mapped IP to the H.323 device’s LAN1 IP address object (LAN_H323).
Chapter 7 General Tutorials Figure 103 Configuration > Network > NAT > Add 7.9.3 Set Up a Firewall Rule For H.323 The default firewall rule for WAN-to-LAN traffic drops all traffic. Here is how to configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the WAN_IP-for-H323 IP address to go to LAN1 IP address 192.168.1.56. 1 Click Configuration > Firewall > Add. In the From field select WAN. In the To field select LAN1. Configure a name for the rule (WAN-to-LAN_H323 here).
Figure 104 Configuration > Firewall > Add

7.10 How to Allow Public Access to a Web Server

This is an example of making an HTTP (web) server in the DMZ zone accessible from the Internet (the WAN zone). In this example you have public IP address 1.1.1.1 that you will use on the wan1 interface and map to the HTTP server’s private IP address of 192.168.3.7.

Figure 105 Public Server Example Network Topology

7.10.
Chapter 7 General Tutorials Figure 106 Creating the Address Object for the HTTP Server’s Private IP Address 2 Create a host address object named Public_HTTP_Server_IP for the public WAN IP address 1.1.1.1. Figure 107 Creating the Address Object for the Public IP Address 7.10.2 Configure NAT You need a NAT rule to send HTTP traffic coming to IP address 1.1.1.1 on wan1 to the HTTP server’s private IP address of 192.168.3.7.
Chapter 7 General Tutorials Figure 108 Creating the NAT Entry 7.10.3 Set Up a Firewall Rule The firewall blocks traffic from the WAN zone to the DMZ zone by default so you need to create a firewall rule to allow the public to send HTTP traffic to IP address 1.1.1.1 in order to access the HTTP server. If a domain name is registered for IP address 1.1.1.1, users can just go to the domain name to access the web server. 1 Click Configuration > Firewall > Add.
Chapter 7 General Tutorials Figure 109 Configuration > Firewall > Add 7.11 How to Use Multiple Static Public WAN IP Addresses for LAN to WAN Traffic If your ISP gave you a range of static public IP addresses, here is how to configure a policy route to have the ISG50 use them for traffic it sends out from the LAN. 7.11.1 Create the Public IP Address Range Object Click Configuration > Object > Address > Add to create the address object that represents the range of static public IP addresses.
Chapter 7 General Tutorials Although adding a description is optional, it is recommended. This example uses LAN-to-WANRange. Specifying a Source Address is also optional although recommended. This example uses LAN_SUBNET1. Set the Source Network Address Translation to Public-IPs and click OK.
Chapter 7 General Tutorials 7.12 Initial Setup Video Use Adobe Reader 9 or later or a recent version of Foxit Reader to play this video. After clicking play, you may need to confirm that you want to play the content and click play again.
Chapter 8 PBX Tutorials

Here are examples of using the web configurator to set up and use the ISG50 for a telephone network as shown in the following figure.
Chapter 8 PBX Tutorials Table 19 Tutorials Overview TUTORIAL GOAL STEPS Using Call Features • • Customizing Feature Codes Using the Voicemail Feature Using the Extension Portal • • • • • Your Information Accessing the Extension Portal Changing Your Security Information Personalizing Your Settings Setting Up Voicemail Capturing Packets Using the Web Configurator • Capturing Packets Using the Web Configurator Creating an Automated Menu System • • • Create an Agent Identity Create a Skill Create
Chapter 8 PBX Tutorials 1 In the web configurator, click Configuration > PBX > Extension Management > Authority Group to open the Authority Group screen. 2 Click the Add icon to open the Add screen. Enter the name of the group (Basic in this example) and type 1-5 digits to use as an ID for this authority group (345 here). Click OK. 3 The Edit Authority Group Basic screen displays. Click Batch Add SIP Peer to configure multiple SIP accounts at the same time. 4 The Batch Add SIP Peer screen opens.
Chapter 8 PBX Tutorials The SIP username for extension 1001 is 1001 and the SIP password for this extension is 11100199. You do not need to configure the Prefix and Postfix values as long as the SIP password length is at least four digits long. Click OK and wait for the ISG50 to create the extensions.
Chapter 8 PBX Tutorials 5 The SIP extensions display in the Edit Authority Group Basic screen. Click OK. 6 Keep a list of the SIP passwords (the Prefix + Extension Number + Postfix combinations). When you deploy the network’s IP phones, you will need this information for SIP registration. See Section 8.1.2 on page 140 for information on configuring your IP phones.
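The Prefix + Extension Number + Postfix scheme from the batch add steps, as an added example that is not ZyXEL's code: it rebuilds the password list for extensions 1001 to 1010 and audits it for the weaknesses worth checking before the phones are deployed. The prefix 11 and postfix 99 are inferred from the sample password 11100199; the finding names and the 12-character minimum are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SipAccount:
    extension: str
    username: str
    password: str


def batch_add_sip_peers(start: int, count: int,
                        prefix: str = "", postfix: str = "") -> List[SipAccount]:
    """Rebuild the batch scheme: user name = extension,
    password = prefix + extension number + postfix."""
    accounts = []
    for number in range(start, start + count):
        ext = str(number)
        accounts.append(SipAccount(ext, ext, f"{prefix}{ext}{postfix}"))
    return accounts


def _affix_candidates(account: SipAccount) -> Set[Tuple[str, str]]:
    """Every (before, after) split of the password around an occurrence
    of the extension number inside it."""
    pw, ext = account.password, account.extension
    found = set()
    i = pw.find(ext)
    while i != -1:
        found.add((pw[:i], pw[i + len(ext):]))
        i = pw.find(ext, i + 1)
    return found


@dataclass
class BatchReport:
    # extension -> list of finding names (assumed labels, not ISG50 log text)
    findings: Dict[str, List[str]] = field(default_factory=dict)
    # (prefix, postfix) common to the whole batch, or None
    shared_affixes: Optional[Tuple[str, str]] = None


def audit_batch(accounts: Sequence[SipAccount], min_length: int = 12) -> BatchReport:
    """Flag per-account weaknesses and detect a batch whose passwords
    differ only by the extension number they embed.
    min_length is an assumed review threshold, not an ISG50 limit."""
    report = BatchReport()
    for acc in accounts:
        issues = []
        if acc.password == acc.username:
            issues.append("equals-username")
        elif acc.username in acc.password:
            issues.append("embeds-username")
        if acc.password.isdigit():
            issues.append("digits-only")
        if len(acc.password) < min_length:
            issues.append("short")
        report.findings[acc.extension] = issues
    if len(accounts) > 1:
        common = set.intersection(*(_affix_candidates(a) for a in accounts))
        if common:
            report.shared_affixes = sorted(common)[0]
    return report


if __name__ == "__main__":
    # Extensions 1001-1010 as in the tutorial; prefix/postfix inferred from 11100199.
    batch = batch_add_sip_peers(1001, 10, prefix="11", postfix="99")
    report = audit_batch(batch)
    for acc in batch:
        print(acc.extension, acc.password, report.findings[acc.extension])
    print("shared prefix/postfix:", report.shared_affixes)
```

A non-empty `shared_affixes` means every password in the batch follows from any single one of them, which is the reason to treat the kept password list as sensitive.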
Chapter 8 PBX Tutorials 8.1.2 Connect IP Phones You can now set up your IP phones. For example, you can connect all of the IP phones and the ISG50 to an Ethernet switch and assign all the IP phones IP addresses in the same subnet. Figure 114 Connect IP Phones ISG IP = 172.23.37.201 IP = 172.23.37.101 1001 1006 1002 1007 1003 1004 1005 1008 1009 1010 8.1.3 Register IP Phones After your network connections have been made, you can proceed with the SIP registration of the IP phones on your network.
Chapter 8 PBX Tutorials Complete the SIP registration for all the IP phones on your network. When all the phones are registered, you can make internal calls by dialing the extension number assigned to each phone. 8.2 Auto Provisioning You can have snom VoIP phones get a configuration text file from the ISG50. The configuration file contains the SIP settings that the SIP device uses to register with the ISG50.
Chapter 8 PBX Tutorials 1 Click Configuration > PBX > Auto Provision. Then double-click a SIP extension entry. 2 Enter the SIP device’s MAC address and select what model it is. Click OK. 3 Repeat these steps to map each SIP extension to a snom device’s MAC. 8.2.1 Configuring the snom VoIP Phones for Auto Provisioning Configure the snom phones to receive configuration information from the ISG50. This typically involves enabling auto provisioning through HTTP.
Chapter 8 PBX Tutorials 8.3 Making PSTN Calls The following section shows you how to make and receive calls via a connection to the PSTN. This example covers: • The PSTN Connection - configuring the outbound line group (connection settings) from the FXO ports to the PSTN. • Creating a Dialing Rule for PSTN - creating a rule which tells the ISG50 when to use the PSTN connection when completing outbound calls.
Chapter 8 PBX Tutorials 1 In the web configurator, click Configuration > PBX > Outbound Line Management > Outbound Trunk Group to open the Outbound Trunk Group screen. 2 In the FXO Settings section click the Add icon to open the following screen. Enter the name of the group (PSTN1 in this example) and select the FXO ports that are to be members. Click OK. 3 People from the outside world can now call the ISG50 using the PSTN numbers provided by your local telephone company.
The LCRs determine which outside line the ISG50 should use to complete outbound calls. In our example we want to use the PSTN1 outbound line group to complete local calls.

Figure 119 Outbound Calls via PSTN

1 In the web configurator, click Configuration > PBX > Outbound Line Management > LCR > Add to open the Add LCR screen. Enter a name and description for the LCR.
Chapter 8 PBX Tutorials • Click OK. 3 Click OK again and you are done configuring the LCR. However, before it can be used by any of the phones connected to the ISG50, the LCR needs to be assigned to an appropriate authority group. 8.3.3 Assigning an LCR to an Authority Group Now add the LCR to an authority group to give the extensions in that group the right to use an LCR (outbound dial condition). In our example, we give the authority group Basic the right to call out using the LCR LocalCall.
2 Select the LocalCall entry’s Association checkbox. Click OK.

3 You can now use the telephones that are part of the FXOTrunk authority group to make outbound calls using the PSTN connection. The following figure summarizes the outbound call process for this example.

Caller dials 05555555. The ISG50 matches this number with the LocalCall LCR, applies the offset (strips off the 0) and routes the call to PSTN. The ISG50 sends the call to 5555555.

8.
• Assigning an LCR to an Authority Group - giving extensions the right to make outbound calls via the ITSP connection.

Caller dials 1212555555. The ISG50 matches this number with an LCR, applies an offset (strips off the 1), adds a dial plan prefix 016 to the start of the number and routes the call to ITSP.

8.4.1 The ITSP Connection

The following section introduces how to configure a connection to the ITSP.
Chapter 8 PBX Tutorials 1 In the web configurator, click Configuration > PBX > Outbound Line Management > Outbound Line Group.
2 Click the Add icon in the SIP Trunk section. Enter the name of the group (“ITSP1” in this example). Fill in the other fields with the information provided by your ITSP (in our example we use the sample information as shown in Table 20 on page 148). Click OK when you are done.
Chapter 8 PBX Tutorials 3 People from the outside world can now call the ISG50 using the numbers provided by your ITSP. The default AA prompts the callers to dial the extension they would like to reach. See Section 8.4.2 on page 151 for information on how to set up a dialing rule so that the extensions on your network can make calls via your ITSP. 8.4.2 Creating a Dialing Rule for ITSP In our example we want to use the ITSP1 outbound line group to complete long distance calls.
Chapter 8 PBX Tutorials 2 The Dial Condition screen appears. • Type 1XXXXX followed by a period (.) in the Dial Condition field. This means that this LCR will be used when callers dial any 7 or greater digit number that begins with a 1. The X stands for any digit 0 to 9 and is used to create a minimum length condition. The period (.) is a wildcard indicating that any number can follow the 1XXXXX condition. • Specify an offset value. In our example, we configure an offset value of 1.
Chapter 8 PBX Tutorials 1 Click Configuration > PBX > Group Management and double-click the Basic entry. 2 Select the LongDistance entry’s checkbox in the Association column and click OK.
3 You can now use the telephones that are part of the Basic authority group to make long distance calls using the ITSP connection.
The following figure summarizes the outbound call process for this example.
Caller dials 1212555555. The ISG50 matches this number with the long_distance_call LCR, applies the offset (strips off the 1), adds the prefix 016 to the start of the number and routes the call to ITSP.
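The dial condition, offset and prefix rules from this tutorial can be checked offline before an authority group is given the right to dial out. The following is an added example, not ZyXEL code: the LongDistance values (1XXXXX., offset 1, prefix 016, ITSP1) come from the tutorial, while the LocalCall dial condition, the "PSTN" line group label and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

DIGITS = "0123456789"


@dataclass(frozen=True)
class Lcr:
    name: str
    dial_condition: str   # digits, X (any digit 0 to 9), optional trailing period
    offset: int           # number of leading digits stripped before dialing out
    prefix: str           # digits added to the start after the offset is applied
    line_group: str       # outbound line group that carries the call


def compile_condition(condition):
    """Translate a dial condition into a regular expression.

    The trailing period is treated as "one or more further digits", which
    agrees with the tutorial: 1XXXXX. matches numbers of 7 or more digits.
    """
    if not condition:
        raise ValueError("empty dial condition")
    out = []
    for pos, ch in enumerate(condition):
        if ch in DIGITS:
            out.append(ch)
        elif ch in "Xx":
            out.append("[0-9]")
        elif ch == "." and pos == len(condition) - 1 and pos > 0:
            out.append("[0-9]+")
        else:
            raise ValueError(f"unsupported character {ch!r} at position {pos}")
    return re.compile("".join(out))


def rewrite(lcr, dialed):
    """Apply the offset, then the prefix, to the dialed number."""
    return lcr.prefix + dialed[lcr.offset:]


def routes_for(dialed, lcrs, associated):
    """Return (LCR name, line group, number sent) for every LCR that is
    associated with the authority group and whose condition matches."""
    if not dialed or any(ch not in DIGITS for ch in dialed):
        return []
    hits = []
    for lcr in lcrs:
        if lcr.name not in associated:
            continue
        if compile_condition(lcr.dial_condition).fullmatch(dialed):
            hits.append((lcr.name, lcr.line_group, rewrite(lcr, dialed)))
    return hits


LCRS = [
    # Constructed dial condition; the tutorial only states that the 0 is stripped.
    Lcr("LocalCall", "0XXXXXX.", offset=1, prefix="", line_group="PSTN"),
    # Values taken from the ITSP tutorial.
    Lcr("LongDistance", "1XXXXX.", offset=1, prefix="016", line_group="ITSP1"),
]

# LCRs whose Association checkbox is selected for the Basic authority group.
BASIC = {"LocalCall", "LongDistance"}

if __name__ == "__main__":
    for number in ("05555555", "1212555555", "123456", "8005555555"):
        print(number, routes_for(number, LCRS, BASIC) or "no LCR: call not routed")
```

A number that returns more than one entry matches overlapping dial conditions, and a number that returns none cannot be dialed out by that authority group.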
8.5.1 The ISDN Connection
Refer to the Quick Start Guide to connect your telephone cables to the outlets that connect to your local telephone company. The front of your ISG50 should look as shown in the following figure.
Figure 123 BRI Connection
1 In the web configurator, click Configuration > PBX > Outbound Line Management and click the Add icon in the BRI Settings section.
Chapter 8 PBX Tutorials 2 Enter the name of the group (BRI1 in this example). Assume you want calls to be answered by the Auto-Attendant, so select AA. Select the BRI ports that are to be members and click OK. 3 People from the outside world can now call the ISG50 using the ISDN numbers provided by your local telephone company. The Default AA prompts the callers to dial the extension they would like to reach. See Section 8.5.
Chapter 8 PBX Tutorials 1 In the web configurator, click Configuration > PBX > Outbound Line Management > LCR > Add. Enter a name and description for the dialing rule (the LCR is named ISDN_call in this example). Select the outbound line group from the pool column that you want to add to this LCR (in our example this is BRI1 as configured in Section 8.5.1 on page 155), then click the Right icon to move them to the Selected column. Click the Add icon to configure a dial condition.
Chapter 8 PBX Tutorials • Click OK. 3 Click OK again and you are done configuring the LCR. However, before it can be used by any of the phones connected to the ISG50, the LCR needs to be assigned to an appropriate authority group. 8.5.3 Assigning an LCR to an Authority Group The Group Management screen allows you to give an authority group (and the extensions in that group) the right to use an LCR (outbound dial condition).
2 Select the ISDN_call entry’s checkbox in the Association column and click OK.
3 You can now use the telephones that are part of the Basic authority group to make outbound calls using the ISDN connection.
The following figure summarizes the outbound call process for this example.
Caller dials 8005555555. The ISG50 matches this number with the ISDN_call LCR and routes the call to ISDN. The ISG50 sends the call to 8005555555.
[Figure labels: 1001, ISG, BRI, ISDN, 8005555555]
8.
The following figure shows the three examples (1 ~ 3).
Figure 125 ISDN Network Configuration
[Figure labels: examples 1, 2 and 3; devices A to F; ISDN Line, ISG, PBX]
8.6.1 Example 1: Small/Medium Business
For a small/medium company, the ISG50 is the only device that forwards ISDN calls between the company and the telephone service provider.
• For an example of configuring ISDN settings, see Section 8.5 on page 154.
• If you want outsiders to dial in directly to extensions without going through the Auto-Attendant, follow the instructions until step 2, select DDI/DID and configure the settings as follows. In the DDI/DID Mapping Setting section, define the DDI/DID Mask (the digits of the Directory Number on the right) for extension mappings. For example, you define 4 for the DDI/DID Mask and add 1001 to 1001 for the mapping rule.
Chapter 8 PBX Tutorials • If you don’t want incoming calls to go through the Auto-Attendant, select Direct. • If you are using BRI line(s) and you want to have multiple subscriber numbers on one port, select MSN and configure the settings. Note: We don’t use DDI/DID in this type of example because DDI/DID is mainly used for outsiders to call extensions. 8.6.
• Like Example 2, you can also select Direct (if you do not want calls from the PBX’s extensions to the ISG50’s extensions to go through the Auto-Attendant) or MSN (if you are using BRI line(s) and you want to have multiple subscriber numbers on one port).
Note: Like Example 2, we don’t use DDI/DID in this type of example because DDI/DID is mainly used for outsiders to call extensions.
8.
Chapter 8 PBX Tutorials 8.8 Using the Extension Portal Every phone user has a personal extension portal on the ISG50. You can log in and make changes to your account setup, and IP phone users also use the web phone. The web phone is just like the telephone you usually use to make calls from this extension; you can call all the same numbers in the same way. The following sections show examples of how to access the ISG50’s extension portal, configure your own personal settings, and use the web phone. 8.8.
Chapter 8 PBX Tutorials Continue past any warning messages to the Login screen. Click the Extension Portal tab. Figure 128 Extension Portal Log In Enter your extension number (“1001”) in the Extension Number field, and enter your PIN code (“5678”) in the PIN Code field. Click SIP Login. 8.8.3 Using the Web Phone (IP Phone Users Only) The Web Phone screen opens. If a security pop-up screen displays, click the option that lets you view the unsecure content.
Chapter 8 PBX Tutorials The Web Phone screen displays. Figure 130 Tutorial: The Web Phone Note: Make sure you have a headset (or speakers and a microphone) connected to your computer, and that your sound card is working correctly (try listening to an audio file or recording a voice note to check, if there is a problem). The following table describes how to use the web phone to perform some basic phone functions.
Chapter 8 PBX Tutorials Note: The SIP Auth Password field does not display if you connect to the ISG50 using a regular analog telephone system. Figure 131 Tutorial: Changing Security Information • Enter the new SIP Auth Password and enter it again in the next field. Click Apply. • Enter the new Web/VM PIN Code and enter it again in the next field. Click Apply. 8.8.5 Personalizing Your Settings Next, configure your extension’s call settings. Click the Forward/Block tab at the top of the screen.
Chapter 8 PBX Tutorials The following screen displays.
Chapter 8 PBX Tutorials The following table shows the example call setting information. You can also use this table to make a note of the call settings you want to configure, if you like.
8.8.6 Setting Up Voicemail
Next, you can set up your voicemail inbox to automatically send your received messages as audio files to your email inbox. It is recommended that you do this so that your voicemail inbox does not fill up (if it fills up, no new messages can be recorded). Click the Voice Mail tab at the top of the screen. The following screen displays.
Figure 133 Tutorial: Setting Up Voicemail
The following table shows the example voicemail settings.
Chapter 8 PBX Tutorials 8.9 Capturing Packets Using the Web Configurator The following section shows you how to capture packets using the ISG50 web configurator. You may need to do this if there are problems. For example, suppose a SIP phone (P) fails to register to the ISG50. Figure 134 Tutorial: Basic Troubleshooting Using Packet Capture ISG 192.168.1.12 P 192.168.1.
• Duration: 10 seconds
Then click Capture.
2 Re-initialize the SIP phone. This helps to get a complete packet capture.
3 Wait ten seconds, then use the Files tab to save the file to your computer.
4 Use a packet capturing tool (such as Ethereal) to open the file and analyze the possible root cause. In this example, registration fails because the SIP username must be a number and not letters (bob in this example) for the ISG50.
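The check performed by eye in step 4 can also be run over SIP messages exported as text from the capture. This is an added example, not part of the ISG50 or of any capture tool: the messages, addresses and response codes below are constructed, and the function names are assumptions.

```python
import re

# Compact header forms defined by SIP, mapped to their long names.
COMPACT = {"f": "from", "t": "to", "i": "call-id"}
URI_USER = re.compile(r"sips?:([^@;>\s]+)@", re.IGNORECASE)


def parse_message(raw):
    """Return (start line, headers) for one SIP message; header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers.setdefault(COMPACT.get(key, key), value.strip())
    return lines[0], headers


def uri_user(header_value):
    """Extract the user part of the SIP URI in a To/From header value."""
    match = URI_USER.search(header_value)
    return match.group(1) if match else None


def audit_registrations(messages):
    """Pair each REGISTER with its final response (same Call-ID and CSeq) and
    flag usernames that are not numeric, which the ISG50 does not accept."""
    pending, records = {}, []
    for raw in messages:
        start, headers = parse_message(raw)
        key = (headers.get("call-id"), headers.get("cseq"))
        if start.upper().startswith("REGISTER "):
            user = uri_user(headers.get("to", ""))
            record = {
                "user": user,
                "numeric": bool(user) and user.isascii() and user.isdigit(),
                "status": None,
            }
            pending[key] = record
            records.append(record)
        elif start.startswith("SIP/2.0 ") and key in pending:
            code = int(start.split()[1])
            if code >= 200:          # ignore provisional 1xx responses
                pending[key]["status"] = code
    return records


def sip(start, user, call_id):
    """Build one constructed SIP message for the sample capture."""
    return (f"{start}\r\nFrom: <sip:{user}@192.0.2.1>;tag=x1\r\n"
            f"To: <sip:{user}@192.0.2.1>\r\nCall-ID: {call_id}\r\n"
            "CSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")


# Constructed sample: one phone registers as "bob", another as extension 1001.
CAPTURE = [
    sip("REGISTER sip:192.0.2.1 SIP/2.0", "bob", "c1@192.0.2.33"),
    sip("SIP/2.0 403 Forbidden", "bob", "c1@192.0.2.33"),
    sip("REGISTER sip:192.0.2.1 SIP/2.0", "1001", "c2@192.0.2.34"),
    sip("SIP/2.0 100 Trying", "1001", "c2@192.0.2.34"),
    sip("SIP/2.0 200 OK", "1001", "c2@192.0.2.34"),
]

if __name__ == "__main__":
    for rec in audit_registrations(CAPTURE):
        verdict = "ok" if rec["numeric"] else "username is not a number"
        print(rec["user"], rec["status"], verdict)
```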
Chapter 8 PBX Tutorials If you cannot solve the problem, contact customer support and send this file. You may be asked to provide another file containing more real-time system information. Select Maintenance > Diagnostics > Collect and click Collect Now. Wait several seconds, then use the Files tab to save the file to your computer. 8.
Chapter 8 PBX Tutorials In order to do this, he must map his connections: Table 25 Tutorial: Example Automated Menu Design 1ST MENU SUBMENUS SKILLS AGENTS Language Selection English Order Status Tom Pam Steven Technical Support Steven George Spanish Accounts and Billing George Estado del Pedido Eddie Susan Maria Apoyo Técnico Maria Alejandro Cuentas y Facturación Alejandro • The first menu and the submenus both utilize an auto-attendant.
Chapter 8 PBX Tutorials 1 Log into the ISG50, then go to the Configuration > PBX > ACD > Agent screen. 2 For each of your agents, click the Add button to open the Agent Settings screen, and configure the following items: Agent ID: Enter between 3 and 20 digits to serve as the agent’s identification number. This number cannot overlap with existing extension numbers and is required for the agent to log into the ACD system from his telephone.
“Technical Support” as a skill, then any caller who presses the key for that skill is immediately forwarded to the first available person whose agent identity appears on that skill’s rule list.
To create a new skill:
1 Go to the Configuration > ACD > Skill screen.
2 For each skill, click the Add button to open the Add New Skill screen, and configure the following items:
Number: Enter an identification number for this skill. This is required to link the skill to a skill menu in the next section. You can use between 3 and 20 digits.
Skill Name: Enter a descriptive name for this skill. For example, “Order Status” since this will be the skill that forwards all calls requesting order status information to the appropriate people.
Chapter 8 PBX Tutorials having two agents linked to this skill (Pam and Steven). He decides that the person who has received the fewest number of incoming calls since logging in should always be the first to answer the next incoming call. He therefore sets the Ring Strategy option to Fewest Calls. For more information about this option, see Section 38.4.1 on page 559.
Chapter 8 PBX Tutorials 2 Click the Add button. 3 On the Add Customized Auto-Attendant screen, enter a Name and a Description (optional) for your first auto-attendant. The company manager of the Acme Widget company enters Language_Select, since this will be the first automated menu where callers choose either English or Spanish.
4 In the Office Hour tab provide an audio file saying something like “Press 1 for English or 2 for Spanish” to tell callers to select a language. Either upload an audio file (see Section 31.3.2 on page 509) or record one on the extension set as the recording peer (see Section 39.4 on page 571) and then click the Add Option button.
Chapter 8 PBX Tutorials 5 In the Add Option screen, enter a keypad number and action for your auto-attendant. Because this is the language selection auto-attendant for the Acme Widget company, the company manager enters “1” for Key, “English” for Description, and selects “Forward to a sub menu” for Action. The action selected here is quite important because it allows us to open up the second tier submenu.
Chapter 8 PBX Tutorials 8 On the Add Option screen, enter the keypad number and action for the submenu item. The company manager for the Acme Widget company enters “1” for Key, selects “Forward to a skill” for Action, selects “766/Order Status” from the list of configured skills for the ACD, and enters “Order Status” for Description. 9 Click OK to save these settings, then repeat this process for any other menu options (such as “Technical Support” and “Accounts and Billing” for the Acme Widget company).
PART II Technical Reference
Chapter 9 Dashboard
9.1 Overview
Use the Dashboard screens to check status information about the ISG50.
9.1.1 What You Can Do in this Chapter
Use the Dashboard screens for the following.
• Use the main Dashboard screen (see Section 9.2 on page 185) to see the ISG50’s general device information, system status, system resource usage, licensed service status, and interface status. You can also display other status screens for more information.
• Use the VPN status screen (see Section 9.2.
licensed service status, and interface status in widgets that you can re-arrange to suit your needs. You can also collapse, refresh, and close individual widgets.
Figure 135 Dashboard (callouts A to E)
The following table describes the labels in this screen.
Table 26 Dashboard
LABEL: DESCRIPTION
Widget Settings (A): Use this link to re-open closed widgets. Widgets that are already open appear grayed out.
Expand/collapse widget (B): Click this to expand or collapse a widget.
Chapter 9 Dashboard Table 26 Dashboard (continued) LABEL DESCRIPTION Virtual Device Hover your cursor over a LED, interface or slot to view details about the status of the ISG50 connections. See Section 1.4.1 on page 33 for LED descriptions. An unconnected interface or slot appears grayed out. Device This identifies a device installed in one of the ISG50’s USB ports. Name The configuration name of the interface. Status This field displays the current status of each Ethernet interface.
Chapter 9 Dashboard Table 26 Dashboard (continued) LABEL DESCRIPTION Current Date/ Time This field displays the current date and time in the ISG50. The format is yyyy-mm-dd hh:mm:ss. VPN Status Click this to look at the VPN tunnels that are currently established. See Section 9.2.1 on page 190. DHCP Table Click this to look at the IP addresses currently assigned to the ISG50’s DHCP clients and the IP addresses reserved for specific MAC addresses. See Section 9.2.5 on page 192.
Table 26 Dashboard (continued)
LABEL: DESCRIPTION
Action: Use this field to get or to update the IP address for the interface. Click Renew to send a new DHCP request to a DHCP server. Click the Connect icon to have the ISG50 try to connect a PPPoE/PPTP interface. If the interface cannot use one of these ways to get or to update its IP address, this field displays n/a. Click the Disconnect icon to stop a PPPoE/PPTP connection.
Chapter 9 Dashboard 9.2.1 The CPU Usage Screen Use this screen to look at a chart of the ISG50’s recent CPU usage. To access this screen, click Show CPU Usage in the dashboard. Figure 136 Dashboard > Show CPU Usage The following table describes the labels in this screen. Table 27 Dashboard > Show CPU Usage LABEL DESCRIPTION The y-axis represents the percentage of CPU usage.
Chapter 9 Dashboard The following table describes the labels in this screen. Table 28 Dashboard > Show Memory Usage LABEL DESCRIPTION The y-axis represents the percentage of RAM usage. The x-axis shows the time period over which the RAM usage occurred Refresh Interval Enter how often you want this window to be automatically updated. Refresh Now Click this to update the information in the window right away. 9.2.
Chapter 9 Dashboard 9.2.4 The VPN Status Screen Use this screen to look at the VPN tunnels that are currently established. To access this screen, click VPN Status in the dashboard. Figure 139 Dashboard > VPN Status The following table describes the labels in this screen. Table 30 Dashboard > VPN Status LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific SA. Name This field displays the name of the IPSec SA.
Chapter 9 Dashboard The following table describes the labels in this screen. Table 31 Dashboard > DHCP Table LABEL DESCRIPTION # This field is a sequential value, and it is not associated with a specific entry. Interface This field identifies the interface that assigned an IP address to a DHCP client. IP Address This field displays the IP address currently assigned to a DHCP client or reserved for a specific MAC address. Click the column’s heading cell to sort the table entries by IP address.
Table 32 Dashboard > Number of Login Users (continued)
LABEL: DESCRIPTION
IP address: This field displays the IP address of the computer used to log in to the ISG50.
Force Logout: Click this icon to end a user’s session.
Chapter 10 Monitor
10.1 Overview
Use the Monitor screens to check status and statistics information.
10.1.1 What You Can Do in this Chapter
Use the Monitor screens for the following.
• Use the System Status > Port Statistics screen (see Section 10.2 on page 196) to look at packet statistics for each physical port.
• Use the System Status > Port Statistics > Graph View screen (see Section 10.2 on page 196) to look at a line graph of packet statistics for each physical port.
Chapter 10 Monitor • Use the PBX > BRI Trunk screen (Section 10.17 on page 218) to display status information about external connections via BRI interfaces. • Use the PBX > ACD Queue screen (Section 10.18 on page 219) to monitor phone call activity for Automatic Call Distribution (ACD) agents. • Use the System Log screen (Section 10.19 on page 220) to view the ISG50’s current log messages. You can change the way the log is displayed, you can e-mail the log, and you can also clear the log in this screen.
Chapter 10 Monitor Table 33 Monitor > System Status > Port Statistics (continued) LABEL DESCRIPTION Status This field displays the current status of the physical port. Down - The physical port is not connected. Speed / Duplex - The physical port is connected. This field displays the port speed and duplex setting (Full or Half). TxPkts This field displays the number of packets transmitted from the ISG50 on the physical port since it was last connected.
Chapter 10 Monitor The following table describes the labels in this screen. Table 34 Monitor > System Status > Port Statistics > Switch to Graphic View LABEL DESCRIPTION Refresh Interval Enter how often you want this window to be automatically updated. Refresh Now Click this to update the information in the window right away. Port Selection Select the number of the physical port for which you want to display graphics. Switch to Grid View Click this to display the port statistics as a table.
Chapter 10 Monitor Each field is described in the following table. Table 35 Monitor > System Status > Interface Status LABEL DESCRIPTION Interface Status If an Ethernet interface does not have any physical ports associated with it, its entry is displayed in light gray text. Expand/Close Click this button to show or hide statistics for all the virtual interfaces on top of the Ethernet interfaces. Name This field displays the name of each interface.
Chapter 10 Monitor Table 35 Monitor > System Status > Interface Status (continued) LABEL DESCRIPTION Name This field displays the name of each interface. If there is a Expand icon (plus-sign) next to the name, click this to look at the statistics for virtual interfaces on top of this interface. Status This field displays the current status of the interface. Down - The interface is not connected. Speed / Duplex - The interface is connected.
Chapter 10 Monitor You use the Traffic Statistics screen to tell the ISG50 when to start and when to stop collecting information for these reports. You cannot schedule data collection; you have to start and stop it manually in the Traffic Statistics screen. Figure 145 Monitor > System Status > Traffic Statistics There is a limit on the number of records shown in the report. Please see Table 37 on page 203 for more information. The following table describes the labels in this screen.
Chapter 10 Monitor Table 36 Monitor > System Status > Traffic Statistics (continued) LABEL DESCRIPTION Top Select the type of report to display. Choices are: Host IP Address/User - displays the IP addresses or users with the most traffic and how much traffic has been sent to and from each one. Service/Port - displays the most-used protocols or service ports and the amount of traffic for each one. Web Site Hits - displays the most-visited Web sites and how many times each one has been visited.
The following table displays the maximum number of records shown in the report, the byte count limit, and the hit count limit.
Table 37 Maximum Values for Reports
LABEL: DESCRIPTION
Maximum Number of Records: 20
Byte Count Limit: 2^64 bytes; this is just less than 17 million terabytes.
Hit Count Limit: 2^64 hits; this is over 1.8 x 10^19 hits.
10.5 The Session Monitor Screen
The Session Monitor screen displays information about active sessions for debugging or statistical analysis.
Chapter 10 Monitor The following table describes the labels in this screen. Table 38 Monitor > System Status > Session Monitor LABEL DESCRIPTION View Select how you want the information to be displayed.
Chapter 10 Monitor Table 38 Monitor > System Status > Session Monitor (continued) LABEL DESCRIPTION Tx This field displays the amount of information transmitted by the source in the active session. Duration This field displays the length of the active session in seconds. 10.6 The DDNS Status Screen The DDNS Status screen shows the status of the ISG50’s DDNS domain names. Click Monitor > System Status > DDNS Status to open the following screen.
IP/MAC binding enabled and have ever established a session with the ISG50. Devices that have never established a session with the ISG50 do not display in the list.
Figure 148 Monitor > System Status > IP/MAC Binding
The following table describes the labels in this screen.
Table 40 Monitor > System Status > IP/MAC Binding
LABEL: DESCRIPTION
Interface: Select an ISG50 interface that has IP/MAC binding enabled to show to which devices it has assigned an IP address.
Chapter 10 Monitor The following table describes the labels in this screen. Table 41 Monitor > System Status > Login Users LABEL DESCRIPTION # This field is a sequential value and is not associated with any entry. User ID This field displays the user name of each user who is currently logged in to the ISG50. Reauth Lease T. This field displays the amount of reauthentication time remaining and the amount of lease time remaining for each user. See Chapter 44 on page 599.
Table 42 Monitor > System Status > Cellular Status (continued)
LABEL: DESCRIPTION
Status:
No device - no 3G device is connected to the ISG50.
No Service - no 3G network is available in the area; you cannot connect to the Internet.
Limited Service - returned by the service provider in cases where the SIM card is expired, the user failed to pay for the service and so on; you cannot connect to the Internet.
Device detected - displays when you connect a 3G device.
10.9.1 More Information
This screen displays more information on your 3G, such as the signal strength, IMEI/ESN and IMSI that helps identify your 3G device and SIM card. Click Monitor > System Status > More Information to display this screen.
Note: This screen is only available when the 3G device is attached to and activated on the ISG50.
Figure 151 Monitor > System Status > More Information
The following table describes the labels in this screen.
Chapter 10 Monitor Table 43 Monitor > System Status > More Information LABEL DESCRIPTION Device Firmware This shows the software version of the 3G device. Device IMEI/ESN IMEI (International Mobile Equipment Identity) is a 15-digit code in decimal format that identifies the 3G device. ESN (Electronic Serial Number) is an 8-digit code in hexadecimal format that identifies the 3G device. SIM Card IMSI IMSI (International Mobile Subscriber Identity) is a 15-digit code that identifies the SIM card. 10.
Chapter 10 Monitor Table 44 Monitor > System Status > USB Storage (continued) LABEL DESCRIPTION Status Ready - you can have the ISG50 use the USB storage device. Click Remove Now to stop the ISG50 from using the USB storage device so you can remove it. Unused - the connected USB storage device was manually unmounted by using the Remove Now button or for some reason the ISG50 cannot mount it. Click Use It to have the ISG50 mount a connected USB storage device.
Each field is described in the following table.
Table 45 Monitor > VPN Monitor > IPSec
LABEL: DESCRIPTION
Name: Enter the name of an IPSec SA here and click Search to find it (if it is associated). You can use a keyword or regular expression. Use up to 30 alphanumeric and _+.()!$*^:?|{}[]<>/ characters. See Section 10.11.1 on page 212 for more details.
Policy: Enter the IP address(es) or names of the local and remote policies for an IPSec SA and click Search to find it.
Chapter 10 Monitor The whole VPN connection or policy name has to match if you do not use a question mark or asterisk. 10.12 SIP Peer Screen This screen displays information about the ISG50’s SIP extensions. Click Monitor > PBX > SIP Peer to display this screen. Figure 154 Monitor > PBX > SIP Peer The following table describes the labels in this screen. Table 46 Monitor > PBX > SIP Peer LABEL DESCRIPTION General Settings Use this section to specify your query criteria.
Chapter 10 Monitor Table 46 Monitor > PBX > SIP Peer (continued) LABEL DESCRIPTION Registration Status This field displays online, if an IP phone is registered with the ISG50. It displays offline if no IP phone is registered with the ISG50 for a specific extension. For the web phone feature, it displays online, if a user has logged in the web phone feature, otherwise it displays offline. Call Status This field displays busy if a SIP extension is currently engaged, otherwise it displays idle.
Chapter 10 Monitor Table 47 Monitor > PBX > FXS Peer (continued) LABEL DESCRIPTION Call Status This field displays busy if an FXS extension is currently engaged, otherwise it displays idle. Mobile Extension Status This indicates whether the connection’s mobile extension is activated or not, or if it is unspecified. 10.14 SIP Trunk Screen This screen displays status information about external connections to other SIP servers. Click Monitor > PBX > SIP Trunk to display this screen.
Chapter 10 Monitor Table 48 Monitor > PBX > SIP Trunk (continued) LABEL DESCRIPTION Registration Status This field displays online if the ISG50 successfully registered with the SIP server for this SIP trunk, offline if the ISG50 failed to register with the SIP server for this SIP trunk or Auth. Sent if the ISG50 is in the process of registering with the SIP server associated with this SIP trunk. Call Status This field displays busy if a SIP line is currently engaged, otherwise it displays idle. 10.
Chapter 10 Monitor 10.16 FXO Trunk Screen This screen displays status information about external connections via FXO interfaces. Click Monitor > PBX > FXO Trunk to display this screen. Figure 158 Monitor > PBX > FXO Trunk The following table describes the labels in this screen. Table 50 Monitor > PBX > FXO Trunk LABEL DESCRIPTION General Settings Use this section to specify your query criteria. You can select an attribute, value pair for your search.
Chapter 10 Monitor 10.17 BRI Trunk Screen This screen displays status information about external connections via BRI interfaces. Click Monitor > PBX > BRI Trunk to display this screen. Figure 159 Monitor > PBX > BRI Trunk The following table describes the labels in this screen. Table 51 Monitor > PBX > BRI Trunk LABEL DESCRIPTION General Settings Use this section to specify your query criteria. You can select an attribute, value pair for your search.
Chapter 10 Monitor 10.18 ACD Queue Screen Use this screen to monitor phone call activity for Automatic Call Distribution (ACD) agents. Click Monitor > PBX > ACD Queue to display this screen. Figure 160 Monitor > PBX > ACD Queue The following table describes the labels in this screen. Table 52 Monitor > PBX > ACD Queue LABEL DESCRIPTION Query Use this section to specify your query criteria. You can select an attribute, value pair for your search.
Chapter 10 Monitor Table 52 Monitor > PBX > ACD Queue (continued) LABEL DESCRIPTION Caller ID This indicates the caller ID of the call. Entered Time This indicates the time the caller entered the queue. Waiting Time This indicates how long the caller has been waiting in the queue. 10.19 Log Screen Log messages are stored in two separate logs, one for regular log messages and one for debugging messages.
Chapter 10 Monitor The following table describes the labels in this screen. Table 53 Monitor > Log LABEL DESCRIPTION Show Filter / Hide Filter Click this button to show or hide the filter settings. If the filter settings are hidden, the Display, Email Log Now, Refresh, and Clear Log fields are available. If the filter settings are shown, the Display, Priority, Source Address, Destination Address, Service, Keyword, and Search fields are available.
Chapter 10 Monitor Table 53 Monitor > Log (continued) LABEL DESCRIPTION Source This field displays the source IP address and the port number in the event that generated the log message. Destination This field displays the destination IP address and the port number of the event that generated the log message. Note This field displays any additional information about the log message. The Web Configurator saves the filter settings if you leave the View Log screen and return to it later. 10.
10.20.1 Call Recordings File List
This screen lists the call recordings that matched your specified criteria. Use this screen to listen to or delete individual call recordings. Click Monitor > Log > Call Recording and perform a query to open the screen as follows.
Figure 163 Call Recordings File List
The following table describes the labels in this screen.
Chapter 10 Monitor Table 56 Monitor > Log > CDR (continued) LABEL DESCRIPTION Backup Now Click the Backup Now button to save a CDR backup file on the ISG50. Remove If you no longer want to store a CDR file on the ISG50 then select the files you want to delete from the ISG50 and click the Remove button. # This is the number of the entry in the list. Filename This column displays the names of the backup CDR files currently stored on the ISG50.
Chapter 10 Monitor 10.22 CDR Query Screen Use this screen to search for call records on the ISG50. Click Monitor > Log > CDR > Query to view the screen as shown next. See Viewing Aged Files on page 720 for details about extension “.tgz” files. Figure 165 Monitor > Log > CDR > Query Each field is described in the following table. Table 57 Monitor > Log > CDR > Query LABEL DESCRIPTION Query Condition Use this section to specify your query details. Start Time Specify the time period for your query.
Chapter 10 Monitor Table 57 Monitor > Log > CDR > Query (continued) LABEL DESCRIPTION Call Time Call time is the time from when a caller finishes dialing a number until one of the parties hangs up. Enter the range of seconds, minutes or hours to specify the length of calls that you want to search for. If you leave this field blank, then the length of the call will not be considered as a search criterion, in other words calls of all length duration are displayed unless limited by other search criteria.
Chapter 10 Monitor Table 57 Monitor > Log > CDR > Query (continued) LABEL DESCRIPTION Search Click the Search button to display your query results in a report window. Your Internet browser opens up a new window with the query results. Reset Click Reset to return the screen to its last-saved settings. 10.23 CDR Query Result Screen This screen displays the results of your search for call records on the ISG50. Click Monitor > Log > CDR > Query and perform a search to view the screen as shown next.
CHAPTER 11 Registration
11.1 Overview
Use the Configuration > Licensing > Registration screens to register your ISG50 and manage its service subscriptions.
11.1.1 What You Can Do in this Chapter
• Use the Registration screen (see Section 11.2 on page 230) to register your ISG50 with myZyXEL.com and activate a service.
• Use the Service screen (see Section 11.3 on page 231) to display the status of your service registrations and upgrade licenses.
11.1.
11.2 The Registration Screen
Use this screen to register your ISG50 with myZyXEL.com and activate a service, such as additional SIP extension numbers. Click Configuration > Licensing > Registration in the navigation panel to open the screen as shown next.
Figure 167 Configuration > Licensing > Registration
The following table describes the labels in this screen.
Table 59 Configuration > Licensing > Registration
LABEL: DESCRIPTION
General Settings If you select existing myZyXEL.
Table 59 Configuration > Licensing > Registration (continued)
LABEL: DESCRIPTION
Password: Enter a password of between 6 and 20 alphanumeric characters (and the underscore). Spaces are not allowed.
Confirm Password: Enter the password again for confirmation.
E-Mail Address: Enter your e-mail address. You can use up to 80 alphanumeric characters (periods and the underscore are also allowed) without spaces.
Country: Select your country from the drop-down box list.
(license key) in this screen. Click Configuration > Licensing > Registration > Service to open the screen as shown next.
Figure 169 Configuration > Licensing > Registration > Service
The following table describes the labels in this screen.
Table 60 Configuration > Licensing > Registration > Service
LABEL: DESCRIPTION
License Status
#: This is the entry’s position in the list.
Service: This lists the services that are available on the ISG50.
CHAPTER 12 Interfaces
12.1 Interface Overview
Use the Interface screens to configure the ISG50’s interfaces. You can also create interfaces on top of other interfaces.
• Ports are the physical ports to which you connect cables.
• Interfaces are used within the system operationally. You use them in configuring various features. An interface also describes a network that is directly connected to the ISG50. For example, you connect the LAN1 network to the LAN1 interface.
• Many interfaces can share the same physical port.
• An interface belongs to at most one zone.
• Many interfaces can belong to the same zone.
• Layer-3 virtualization (IP alias, for example) is a kind of interface.
Types of Interfaces
You can create several types of interfaces in the ISG50.
• Setting interfaces to the same port role forms a port group. Port groups create a hardware connection between physical ports at the layer-2 (data link, MAC address) level.
* The format of interface names other than the Ethernet and ppp interface names is strict. Each name consists of 2-4 letters (interface type), followed by a number (x). For most interfaces, x is limited by the maximum number of the type of interface. For VLAN interfaces, x is defined by the number you enter in the VLAN name field. For example, Ethernet interface names are wan1, wan2, lan1, lan2, dmz; VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on.
12.2 Port Role
To access this screen, click Configuration > Network > Interface > Port Role. Use the Port Role screen to set the ISG50’s flexible ports as part of the lan1, lan2 or dmz interfaces. This creates a hardware connection between the physical ports at the layer-2 (data link, MAC address) level. This provides wire-speed throughput but no security.
Table 63 Configuration > Network > Interface > Port Role (continued)
LABEL: DESCRIPTION
Apply: Click this button to save your changes and apply them to the ISG50.
Reset: Click this button to change the port groups to their current configuration (last-saved values).
12.3 Ethernet Summary Screen
This screen lists every Ethernet interface and virtual interface created on top of Ethernet interfaces. To access this screen, click Configuration > Network > Interface > Ethernet.
Each field is described in the following table.
Table 64 Configuration > Network > Interface > Ethernet
LABEL: DESCRIPTION
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove a virtual interface, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
Activate: To turn on an interface, select it and click Activate.
With OSPF, you can use Ethernet interfaces to do the following things.
• Enable and disable OSPF in the underlying physical port or port group.
• Select the area to which the interface belongs.
• Override the default link cost and authentication method for the selected area.
• Select in which direction(s) routing information is exchanged - The ISG50 can receive routing information, send routing information, or do both.
Figure 172 Configuration > Network > Interface > Ethernet > Edit (WAN)
Figure 173 Configuration > Network > Interface > Ethernet > Edit (DMZ)
This screen’s fields are described in the table below.
Table 65 Configuration > Network > Interface > Ethernet > Edit
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Type: This field is read-only. internal - is for connecting to a local network.
Table 65 Configuration > Network > Interface > Ethernet > Edit (continued)
LABEL: DESCRIPTION
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ISG50 divides it into smaller fragments. Allowed values are 576 - 1500. Usually, this value is 1500.
Connectivity Check: These fields appear when Interface Properties is external.
Table 65 Configuration > Network > Interface > Ethernet > Edit (continued)
LABEL: DESCRIPTION
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ISG50 can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank.
Table 65 Configuration > Network > Interface > Ethernet > Edit (continued)
LABEL: DESCRIPTION
Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.
Receive Version: This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.
V2-Broadcast: This field is effective when RIP is enabled.
12.3.2 Object References
When a configuration screen includes an Object References icon, select a configuration object and click Object References to open the Object References screen. This screen displays which configuration settings reference the selected object. The fields shown vary with the type of object.
Figure 174 Object References
The following table describes labels that can appear in this screen.
Figure 175 Example: PPPoE/PPTP Interfaces
PPPoE/PPTP interfaces are similar to other interfaces in some ways. They have an IP address, subnet mask, and gateway used to make routing decisions; they restrict bandwidth and packet size; and they can verify the gateway is available. There are two main differences between PPPoE/PPTP interfaces and other interfaces.
• You must also configure an ISP account object for the PPPoE/PPTP interface to use.
Each field is described in the table below.
Table 67 Configuration > Network > Interface > PPP
LABEL: DESCRIPTION
User Configuration / System Default: The ISG50 comes with the (non-removable) System Default PPP interfaces preconfigured. You can create (and delete) User Configuration PPP interfaces.
Add: Click this to create a new user-configured PPP interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Figure 177 Configuration > Network > Interface > PPP > Add
Each field is explained in the following table.
Table 68 Configuration > Network > Interface > PPP > Add
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Table 68 Configuration > Network > Interface > PPP > Add (continued)
LABEL: DESCRIPTION
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: Specify a name for the interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
Base Interface: Select the interface upon which this PPP interface is built.
Table 68 Configuration > Network > Interface > PPP > Add (continued)
LABEL: DESCRIPTION
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the ISG50 divides it into smaller fragments. Allowed values are 576 - 1492. Usually, this value is 1492.
Connectivity Check: The interface can regularly check the connection to the gateway you specified to make sure it is still available.
• You can set the 3G device to connect only to the home network, which is the network to which you are originally subscribed.
• You can set the 3G device to connect to other networks if the signal strength of the home network is too low or it is unavailable.
Aside from selecting the 3G network, the 3G card may also select an available 2.5G or 2.75G network automatically. See the following table for a comparison between 2G, 2.5G, 2.75G and 3G wireless technologies.
Table 69 2G, 2.
Figure 178 Configuration > Network > Interface > Cellular
The following table describes the labels in this screen.
Table 70 Configuration > Network > Interface > Cellular
LABEL: DESCRIPTION
Add: Click this to create a new cellular interface.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
Figure 179 Configuration > Network > Interface > Cellular > Add
The following table describes the labels in this screen.
Table 71 Configuration > Network > Interface > Cellular > Add
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this option to turn on this interface.
Interface Properties
Interface Name: Select a name for the interface.
Table 71 Configuration > Network > Interface > Cellular > Add (continued)
LABEL: DESCRIPTION
User Name: This field displays when you select an authentication type other than None. This field is read-only if you selected Device in the profile selection. If this field is configurable, enter the user name for this 3G card exactly as the service provider gave it to you. You can use 1 ~ 64 alphanumeric and #:%-_@$./ characters. The first character must be alphanumeric or -_@$./.
Table 71 Configuration > Network > Interface > Cellular > Add (continued)
LABEL: DESCRIPTION
Check Fail Tolerance: Enter the number of consecutive failures before the ISG50 stops routing through the gateway.
Check Default Gateway: Select this to use the default gateway for the connectivity check.
Check this address: Select this to specify a domain name or IP address for the connectivity check. Enter that domain name or IP address in the field next to it.
Table 71 Configuration > Network > Interface > Cellular > Add (continued)
LABEL: DESCRIPTION
Network Selection: Home network is the network to which you are originally subscribed. Select Home to have the 3G device connect only to the home network. If the home network is down, the ISG50's 3G Internet connection is also unavailable.
Table 71 Configuration > Network > Interface > Cellular > Add (continued)
LABEL: DESCRIPTION
Actions when over % of time budget or % of data budget: Specify the actions the ISG50 takes when the specified percentage of time budget or data limit is exceeded. Enter a number from 1 to 99 in the percentage fields. If you change the value after you configure and enable budget control, the ISG50 resets the statistics.
Figure 181 Example: After VLAN
Each VLAN is a separate network with separate IP addresses, subnet masks, and gateways. Each VLAN also has a unique identification number (ID). The ID is a 12-bit value that is stored in the MAC header. The VLANs are connected to switches, and the switches are connected to the router. (If one switch has enough connections for the entire network, the network does not need switches A and B.
Note: Each VLAN interface is created on top of only one Ethernet interface.
Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can provide DHCP services, and they can verify the gateway is available.
12.6.1 VLAN Summary Screen
This screen lists every VLAN interface and virtual interface created on top of VLAN interfaces.
Table 72 Configuration > Network > Interface > VLAN (continued)
LABEL: DESCRIPTION
Apply: Click Apply to save your changes back to the ISG50.
Reset: Click Reset to return the screen to its last-saved settings.
12.6.2 VLAN Add/Edit
This screen lets you configure IP address assignment, interface bandwidth parameters, DHCP settings, and connectivity check for each VLAN interface.
Figure 183 Configuration > Network > Interface > VLAN > Edit
Each field is explained in the following table.
Table 73 Configuration > Network > Interface > VLAN > Edit
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to turn this interface on. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing an existing VLAN interface.
Table 73 Configuration > Network > Interface > VLAN > Edit (continued)
LABEL: DESCRIPTION
Connectivity Check: The ISG50 can regularly check the connection to the gateway you specified to make sure it is still available. You specify how often to check the connection, how long to wait for a response before the attempt is a failure, and how many consecutive failures are required before the ISG50 stops routing to the gateway.
Table 73 Configuration > Network > Interface > VLAN > Edit (continued)
LABEL: DESCRIPTION
Pool Size: Enter the number of IP addresses to allocate. This number must be at least one and is limited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ISG50 can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses. If this field is blank, the IP Pool Start Address must also be blank.
Table 73 Configuration > Network > Interface > VLAN > Edit (continued)
LABEL: DESCRIPTION
Send Version: This field is effective when RIP is enabled. Select the RIP version(s) used for sending RIP packets. Choices are 1, 2, and 1 and 2.
Receive Version: This field is effective when RIP is enabled. Select the RIP version(s) used for receiving RIP packets. Choices are 1, 2, and 1 and 2.
V2-Broadcast: This field is effective when RIP is enabled.
Bridge Overview
A bridge creates a connection between two or more network segments at the layer-2 (MAC address) level. In the following example, bridge X connects four network segments. When the bridge receives a packet, the bridge records the source MAC address and the port on which it was received in a table. It also looks up the destination MAC address in the table. If the bridge knows on which port the destination MAC address is located, it sends the packet to that port.
• Zero or one VLAN interfaces (and any associated virtual VLAN interfaces)
• Any number of Ethernet interfaces (and any associated virtual Ethernet interfaces)
When you create a bridge interface, the ISG50 removes the members’ entries from the routing table and adds the bridge interface’s entries to the routing table. For example, this table shows the routing table before and after you create bridge interface br0 (250.250.250.0/23) between lan1 and vlan1.
Table 77 Configuration > Network > Interface > Bridge (continued)
LABEL: DESCRIPTION
Object References: Select an entry and click Object References to open a screen that shows which settings use the entry. See Section 12.3.2 on page 246 for an example.
#: This field is a sequential value, and it is not associated with any interface.
Status: This icon is lit when the entry is active and dimmed when the entry is inactive.
Name: This field displays the name of the interface.
Figure 185 Configuration > Network > Interface > Bridge > Add
Each field is described in the table below.
Table 78 Configuration > Network > Interface > Bridge > Edit
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
General Settings
Enable Interface: Select this to enable this interface. Clear this to disable this interface.
Interface Properties
Interface Name: This field is read-only if you are editing the interface.
Table 78 Configuration > Network > Interface > Bridge > Edit (continued)
LABEL: DESCRIPTION
Interface Parameters
Egress Bandwidth: Enter the maximum amount of traffic, in kilobits per second, the ISG50 can send through the interface to the network. Allowed values are 0 - 1048576.
Ingress Bandwidth: This is reserved for future use.
MTU: Maximum Transmission Unit. Type the maximum size of each data packet, in bytes, that can move through this interface.
Table 78 Configuration > Network > Interface > Bridge > Edit (continued)
LABEL: DESCRIPTION
Lease time: Specify how long each computer can use the information (especially the IP address) before it has to request the information again. Choices are:
infinite - select this if IP addresses never expire
days, hours, and minutes - select this to enter how long IP addresses are valid.
12.7.3 Virtual Interfaces Add/Edit
This screen lets you configure IP address assignment and interface parameters for virtual interfaces. To access this screen, click an Add icon next to an Ethernet interface, VLAN interface, or bridge interface in the respective interface summary screen.
Figure 186 Virtual Interface Add
Each field is described in the table below.
Table 79 Virtual Interface Add
LABEL: DESCRIPTION
Interface Properties
Interface Name: This field is read-only.
Table 79 Virtual Interface Add (continued)
LABEL: DESCRIPTION
Ingress Bandwidth: This is reserved for future use. Enter the maximum amount of traffic, in kilobits per second, the ISG50 can receive from the network through the interface. Allowed values are 0 - 1048576.
OK: Click OK to save your changes back to the ISG50.
Cancel: Click Cancel to exit this screen without saving.
12.8 Interface Technical Reference
Here is more detailed information about interfaces on the ISG50.
In the example above, if the ISG50 gets a packet with a destination address of 5.5.5.5, it might not find any entries in the routing table. In this case, the packet is dropped. However, if there is a default router to which the ISG50 should send this packet, you can specify it as a gateway in one of the interfaces. For example, if there is a default router at 200.200.200.100, you can create a gateway at 200.200.200.100 on wan2.
In the ISG50, some interfaces can provide DHCP services to the network. In this case, the interface can be a DHCP relay or a DHCP server. As a DHCP relay, the interface routes DHCP requests to DHCP servers on different networks. You can specify more than one DHCP server. If you do, the interface routes DHCP requests to all of them. It is possible for an interface to be a DHCP relay and a DHCP client simultaneously.
PPPoE/PPTP Overview
Point-to-Point Protocol over Ethernet (PPPoE, RFC 2516) and Point-to-Point Tunneling Protocol (PPTP, RFC 2637) are usually used to connect two computers over phone lines or broadband connections. PPPoE is often used with cable modems and DSL connections. It provides the following advantages:
• The access and authentication method works with existing systems, including RADIUS.
• You can access one of several network services.
CHAPTER 13 Trunks
13.1 Overview
Use trunks for WAN traffic load balancing to increase overall network throughput and reliability. Load balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links. Maybe you have two Internet connections with different bandwidths.
• You can define multiple trunks for the same physical interfaces.
Link Sticking
You can have the ISG50 send each local computer’s traffic that is going to the same destination through a single WAN interface for a specified period of time. This is useful when a server requires authentication. For example, the ISG50 sends a user’s traffic through one WAN IP address when he logs into a server B.
Least Load First
The least load first algorithm uses the current (or recent) outbound bandwidth utilization of each trunk member interface as the load balancing index(es) when making decisions about to which interface a new session is to be distributed. The outbound bandwidth utilization is defined as the measured outbound throughput over the available outbound bandwidth. Here the ISG50 has two WAN interfaces connected to the Internet.
the weight of wan1 and wan2 to 2 and 1 respectively. The ISG50 assigns the traffic of two sessions to wan1 for every session's traffic assigned to wan2.
Figure 190 Weighted Round Robin Algorithm Example
Spillover
The spillover load balancing algorithm sends network traffic to the first interface in the trunk member list until the interface’s maximum allowable load is reached, then sends the excess network traffic of new sessions to the next interface in the trunk member list.
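The three trunk algorithms described above (least load first, weighted round robin and spillover), modeled as an added example that is not ZyXEL's code. The `Member` class, the bandwidth figures, the fixed wan1-wan1-wan2 ordering within a round and the choice to use the last member once every limit is reached are assumptions of this sketch; only the 2:1 weights come from the text.

```python
from dataclasses import dataclass, replace
from itertools import cycle, islice


@dataclass
class Member:
    """One trunk member interface (constructed model, not a device object)."""
    name: str
    available_kbps: int        # available outbound bandwidth
    measured_kbps: float = 0   # current (or recent) outbound throughput
    weight: int = 1            # weighted round robin weight
    limit_kbps: int = 0        # spillover: maximum allowable load

    @property
    def utilization(self) -> float:
        # Outbound utilization = measured throughput / available bandwidth.
        return self.measured_kbps / self.available_kbps


def least_load_first(members):
    """Return the member with the lowest outbound utilization.

    min() keeps the first of equal candidates, so ties go to list order.
    """
    return min(members, key=lambda m: m.utilization)


def weighted_round_robin(members, session_count):
    """Return the member name chosen for each of session_count new sessions.

    Each member appears `weight` times per round, so weights 2 and 1 give
    two sessions to the first member for every one given to the second.
    """
    one_round = [m.name for m in members for _ in range(m.weight)]
    return list(islice(cycle(one_round), session_count))


def spillover(members, session_loads_kbps):
    """Place each new session on the first member still below its limit.

    Existing sessions are never moved; only new sessions spill to the next
    member. If every member is at its limit the last one is used (assumed).
    """
    state = [replace(m) for m in members]   # work on copies of the members
    placement = []
    for load in session_loads_kbps:
        target = next((m for m in state if m.measured_kbps < m.limit_kbps),
                      state[-1])
        target.measured_kbps += load
        placement.append(target.name)
    return placement


# Constructed sample trunk: wan1 is the faster link.
WAN1 = Member("wan1", available_kbps=2000, measured_kbps=600,
              weight=2, limit_kbps=800)
WAN2 = Member("wan2", available_kbps=500, measured_kbps=250,
              weight=1, limit_kbps=400)

if __name__ == "__main__":
    trunk = [WAN1, WAN2]
    # wan1 carries more traffic in absolute terms (600 vs 250 kbps) but is
    # less utilized (0.30 vs 0.50), so least load first picks wan1.
    print("LLF:", least_load_first(trunk).name)
    print("WRR:", weighted_round_robin(trunk, 6))
    idle = [replace(m, measured_kbps=0) for m in trunk]
    print("Spillover:", spillover(idle, [300] * 5))
```

In the spillover run the third 300 kbps session still lands on wan1 because the limit is checked before the session is placed, so an interface can end up above its configured limit by up to one session's load.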
13.2 The Trunk Summary Screen
Click Configuration > Network > Interface > Trunk to open the Trunk screen. This screen lists the configured trunks and the load balancing algorithm that each is configured to use.
The following table describes the items in this screen.
Table 84 Configuration > Network > Interface > Trunk
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Enable Link Sticking: Enable link sticking to have the system route sessions from one source to the same destination through the same link for a period of time.
13.3 Configuring a Trunk
Click Configuration > Network > Interface > Trunk and then the Add (or Edit) icon to open the Trunk Edit screen. Use this screen to create or edit a WAN trunk entry.
Figure 193 Configuration > Network > Interface > Trunk > Add (or Edit)
Each field is described in the table below.
Table 85 Configuration > Network > Interface > Trunk > Add (or Edit)
LABEL: DESCRIPTION
Name: This is read-only if you are editing an existing trunk.
Table 85 Configuration > Network > Interface > Trunk > Add (or Edit) (continued)
LABEL: DESCRIPTION
Move: To move an interface to a different number in the list, click the Move icon. In the field that appears, specify the number to which you want to move the interface.
#: This column displays the priorities of the group’s interfaces. The order of the interfaces in the list is important since they are used in the order they are listed.
CHAPTER 14 Policy and Static Routes
14.1 Policy and Static Routes Overview
Use policy routes and static routes to override the ISG50’s default routing behavior in order to send packets through the appropriate interface or VPN tunnel. For example, the next figure shows a computer (A) connected to the ISG50’s LAN interface. The ISG50 routes most traffic from A to the Internet through the ISG50’s default gateway (R1). You create one policy route to connect to services offered by your ISP behind router R2.
14.1.2 What You Need to Know
Policy Routing
Traditionally, routing is based on the destination address only and the ISG50 takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired.
Note: Policy routes do not apply to the routing of PBX traffic.
Figure 195 Configuration > Network > Routing > Policy Route
The following table describes the labels in this screen.
Table 86 Configuration > Network > Routing > Policy Route
LABEL: DESCRIPTION
Show Advance Settings / Hide Advance Settings: Click this button to display a greater or lesser number of configuration fields.
Table 86 Configuration > Network > Routing > Policy Route (continued)
LABEL: DESCRIPTION
Incoming: This is the interface on which the packets are received.
Source: This is the name of the source IP address (group) object. any means all IP addresses.
Destination: This is the name of the destination IP address (group) object. any means all IP addresses.
DSCP Code: This is the DSCP value of incoming packets to which this policy route applies.
14.2.1 Policy Route Edit Screen
Click Configuration > Network > Routing to open the Policy Route screen. Then click the Add or Edit icon to open the Policy Route Edit screen. Use this screen to configure or edit a policy route.
Figure 196 Configuration > Network > Routing > Policy Route > Add
The following table describes the labels in this screen.
Table 87 Configuration > Network > Routing > Policy Route > Edit (continued)
LABEL: DESCRIPTION
Incoming: Select where the packets are coming from; any, an interface, a tunnel, or the ISG50 itself. For an interface or a tunnel, you also need to select the individual interface or VPN tunnel connection.
Source Address: Select a source IP address object from which the packets are sent.
Table 87 Configuration > Network > Routing > Policy Route > Edit (continued)
LABEL: DESCRIPTION
Interface: This field displays when you select Interface in the Type field. Select an interface to have the ISG50 send traffic that matches the policy route through the specified interface.
Auto-Disable: This field displays when you select Interface or Trunk in the Type field.
Table 87 Configuration > Network > Routing > Policy Route > Edit (continued)
LABEL: DESCRIPTION
Incoming Service: Select the service that the client computer sends to a remote server.
Trigger Service: Select a service that a remote server sends. It causes (triggers) the ISG50 to forward the traffic (received on the outgoing interface) to the client computer that requested the service.
The following table describes the labels in this screen.
Table 88 Configuration > Network > Routing > Static Route
LABEL: DESCRIPTION
Add: Click this to create a new static route.
Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove: To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
#: This is the number of an individual static route.
Table 89 Configuration > Network > Routing > Static Route > Add (continued)
LABEL: DESCRIPTION
Metric: Metric represents the “cost” of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be 0~127. In practice, 2 or 3 is usually a good number.
to connect to the remote server without manually configuring a port forwarding rule for each client computer. Port triggering is used especially when the remote server responds using a different port from the port the client computer used to request a service. The ISG50 records the IP address of a client computer that sends traffic to a remote server to request a service (incoming service).
When multiple policy routes require more bandwidth, the ISG50 gives the highest priority policy routes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority policy routes if there is still bandwidth available. The ISG50 distributes the available bandwidth equally among policy routes with the same priority level.
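The priority-based bandwidth sharing described above, worked through as an added example that is not the ISG50's implementation. It assumes that a lower priority number means higher priority and that, within one priority level, bandwidth a route does not need is re-split equally among the routes still asking for more; the route names and kbps figures are constructed.

```python
from collections import defaultdict


def allocate_bandwidth(total_kbps, routes):
    """Split total_kbps among policy routes by priority.

    routes: list of (name, priority, demand_kbps) tuples.
    Returns {name: granted_kbps}.
    """
    tiers = defaultdict(dict)
    for name, priority, demand in routes:
        tiers[priority][name] = demand

    granted = {name: 0 for name, _, _ in routes}
    remaining = total_kbps
    for priority in sorted(tiers):      # assumed: 1 is the highest priority
        waiting = dict(tiers[priority])
        while waiting and remaining > 0:
            share = remaining / len(waiting)
            satisfied = [n for n, d in waiting.items() if d <= share]
            if not satisfied:
                # No demand fits inside an equal share: each route gets
                # exactly one share and the link is fully used.
                for n in waiting:
                    granted[n] = share
                remaining = 0
                break
            # Routes that need less than a share get their full demand;
            # what they leave over is re-split on the next pass.
            for n in satisfied:
                granted[n] = waiting.pop(n)
                remaining -= granted[n]
    return granted


# Constructed sample: a 1000 kbps link shared by four policy routes.
SAMPLE_ROUTES = [
    ("voip", 1, 300),
    ("web", 2, 500),
    ("backup", 2, 500),
    ("bulk", 3, 200),
]

if __name__ == "__main__":
    for name, kbps in allocate_bandwidth(1000, SAMPLE_ROUTES).items():
        print(f"{name:8s} {kbps:7.1f} kbps")
```

In the sample the priority 3 route is granted nothing: with strict priority ordering, lower levels only receive bandwidth that the levels above them leave unused.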
CHAPTER 15 Routing Protocols
15.1 Routing Protocols Overview
Routing protocols give the ISG50 routing information about the network from other routers. The ISG50 stores this routing information in the routing table it uses to make routing decisions. In turn, the ISG50 can also use routing protocols to propagate routing information to other routers. See Section 6.7 on page 103 for related information on the RIP and OSPF screens.
protocols, it uses hop count to decide which route is the shortest. Unfortunately, it also broadcasts its routes asynchronously to the network and converges slowly. Therefore, RIP is more suitable for small networks (up to 15 routers).
• In the ISG50, you can configure two sets of RIP settings before you can use it in an interface.
Table 92 Configuration > Network > Routing Protocol > RIP (continued)
LABEL: DESCRIPTION
MD5 Authentication Key: This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long.
Redistribute
Active OSPF: Select this to use RIP to advertise routes that were learned through OSPF.
Metric: Type the cost for routes provided by OSPF.
• The backbone is the transit area that routes packets between other areas. All other areas are connected to the backbone.
• A normal area is a group of adjacent networks. A normal area has routing information about the OSPF AS, any networks outside the OSPF AS to which it is directly connected, and any networks outside the OSPF AS that provide routing information to any area in the OSPF AS.
• A stub area has routing information about the OSPF AS.
• An Area Border Router (ABR) connects two or more areas. It is a member of all the areas to which it is connected, and it filters, summarizes, and exchanges routing information between them.
• An Autonomous System Boundary Router (ASBR) exchanges routing information with routers in networks outside the OSPF AS. This is called redistribution in OSPF.
Virtual Links
In some OSPF AS, it is not possible for an area to be directly connected to the backbone. In this case, you can create a virtual link through an intermediate area to logically connect the area to the backbone. This is illustrated in the following example.
Figure 203 OSPF: Virtual Link
In this example, area 100 does not have a direct connection to the backbone. As a result, you should set up a virtual link on both ABRs in area 10.
Click Configuration > Network > Routing > OSPF to open the following screen.
Figure 204 Configuration > Network > Routing > OSPF
The following table describes the labels in this screen. See Section 15.3.2 on page 309 for more information as well.
Table 94 Configuration > Network > Routing Protocol > OSPF
LABEL | DESCRIPTION
OSPF Router ID | Select the 32-bit ID the ISG50 uses in the OSPF AS.
Table 94 Configuration > Network > Routing Protocol > OSPF (continued)
LABEL | DESCRIPTION
Metric | Type the external cost for routes provided by static routes. The metric represents the “cost” of transmission for routing purposes. The way this is used depends on the Type field. This value is usually the average cost in the OSPF AS, and it can be between 1 and 16777214.
Area | This section displays information about OSPF areas in the ISG50.
The following table describes the labels in this screen.
Table 95 Configuration > Network > Routing > OSPF > Add
LABEL | DESCRIPTION
Area ID | Type the unique, 32-bit identifier for the area in IP address format.
Type | Select the type of OSPF area. Normal - This area is a normal area. It has routing information about the OSPF AS and about networks outside the OSPF AS. Stub - This area is a stub area.
15.3.3 Virtual Link Add/Edit Screen
The Virtual Link Add/Edit screen allows you to create a new virtual link or edit an existing one. When the OSPF add or edit screen (see Section 15.3.2 on page 309) has the Type set to Normal, a Virtual Link table displays. Click either the Add icon or an entry and the Edit icon to display a screen like the following.
Figure 206 Configuration > Network > Routing > OSPF > Add > Add
The following table describes the labels in this screen.
Authentication Types
Authentication is used to guarantee the integrity, but not the confidentiality, of routing updates. The transmitting router uses its key to compute a smaller message (a keyed digest) from the original message, and the smaller message is transmitted with the original message. The receiving router uses its key to compute the same digest from the received message and then verifies that it matches the smaller message sent with it.
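The check described above, as an added example (not ZyXEL code and not the exact RIP or OSPF packet layout). It assumes an appended-key MD5 digest in the style of RFC 2328 Appendix D, with the key zero-padded to 16 bytes; the update bytes and keys are constructed sample values.

```python
import hashlib
import hmac
import re

KEY_LEN = 16       # the page limits the MD5 authentication key to 16 characters
DIGEST_LEN = 16    # MD5 output size in bytes
KEY_RE = re.compile(r"[A-Za-z0-9_]{1,16}")  # alphanumerics and underscore, per the page


def pad_key(key: str) -> bytes:
    """Validate the key against the page's character rules and zero-pad it (assumed padding)."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("key must be 1-16 alphanumeric or underscore characters")
    return key.encode("ascii").ljust(KEY_LEN, b"\x00")


def digest(update: bytes, key: str) -> bytes:
    """Keyed digest: MD5 over the update followed by the padded key."""
    return hashlib.md5(update + pad_key(key)).digest()


def sign(update: bytes, key: str) -> bytes:
    """Transmitting router: send the update unchanged, with the digest appended."""
    return update + digest(update, key)


def verify(packet: bytes, key: str):
    """Receiving router: recompute the digest and compare. Returns the update or None."""
    if len(packet) <= DIGEST_LEN:
        return None
    update, received = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    if hmac.compare_digest(received, digest(update, key)):
        return update
    return None


def tamper(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path change to the update body; the digest bytes are left alone."""
    return packet[:-DIGEST_LEN].replace(old, new) + packet[-DIGEST_LEN:]


# Constructed sample update: a route advertisement written as readable text.
UPDATE = b"route 10.20.0.0/16 metric 2"
SHARED_KEY = "Rtr_key_01"          # constructed key
PACKET = sign(UPDATE, SHARED_KEY)

if __name__ == "__main__":
    print("update readable on the wire:", UPDATE in PACKET)
    print("genuine packet accepted:", verify(PACKET, SHARED_KEY) == UPDATE)
    forged = tamper(PACKET, b"metric 2", b"metric 1")
    print("tampered packet accepted:", verify(forged, SHARED_KEY) is not None)
    print("wrong key accepted:", verify(PACKET, "Other_key") is not None)
```

The update travels in the clear (no confidentiality), while any change to it, or a receiver holding a different key, makes verification fail.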
CHAPTER 16 Zones
16.1 Zones Overview
Set up zones to configure network security and network policies in the ISG50. A zone is a group of interfaces and/or VPN tunnels. The ISG50 uses zones instead of interfaces in many security and policy settings, such as firewall rules and remote management. Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone.
Intra-zone Traffic
• Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone. For example, in Figure 207 on page 313, traffic between VLAN 2 and the Ethernet is intra-zone traffic.
• In each zone, you can either allow or prohibit all intra-zone traffic. For example, in Figure 207 on page 313, you might allow intra-zone traffic in the LAN zone but prohibit it in the WAN zone.
The following table describes the labels in this screen.
Table 97 Configuration > Network > Zone
LABEL | DESCRIPTION
User Configuration / System Default | The ISG50 comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.
Add | Click this to create a new, user-configured zone.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
The following table describes the labels in this screen.
Table 98 Network > Zone > Edit
LABEL | DESCRIPTION
Name | For a system default zone, the name is read only. For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Block Intra-zone Traffic | Select this check box to block network traffic between members in the zone.
CHAPTER 17 DDNS
17.1 DDNS Overview
Dynamic DNS (DDNS) services let you use a domain name with a dynamic IP address.
17.1.1 What You Can Do in this Chapter
• Use the DDNS screen (see Section 17.2 on page 318) to view a list of the configured DDNS domain names and their details.
• Use the DDNS Add/Edit screen (see Section 17.2.1 on page 319) to add a domain name to the ISG50 or to edit the configuration of an existing domain name.
17.1.
Finding Out More
See Section 6.6.8 on page 100 for related information on these screens.
17.2 The DDNS Screen
The DDNS screen provides a summary of all DDNS domain names and their configuration. In addition, this screen allows you to add new domain names, edit the configuration for existing domain names, and delete domain names. Click Configuration > Network > DDNS to open the following screen.
Table 100 Configuration > Network > DDNS (continued)
LABEL | DESCRIPTION
Backup Interface/IP | This field displays the alternate interface to use for updating the IP address mapped to the domain name followed by how the ISG50 determines the IP address for the domain name. The ISG50 uses the backup interface and IP address when the primary interface is disabled, its link is down or its connectivity check fails. from interface - The IP address comes from the specified interface.
The following table describes the labels in this screen.
Table 101 Configuration > Network > DDNS > Add
LABEL | DESCRIPTION
Show Advance Settings / Hide Advance Settings | Click this button to display a greater or lesser number of configuration fields.
Enable DDNS Profile | Select this check box to use this DDNS entry.
Profile Name | When you are adding a DDNS entry, type a descriptive name for this DDNS entry in the ISG50.
Table 101 Configuration > Network > DDNS > Add (continued)
LABEL | DESCRIPTION
IP Address | The options available in this field vary by DDNS provider. Interface - The ISG50 uses the IP address of the specified interface. This option appears when you select a specific interface in the Backup Binding Address Interface field. Auto - The DDNS server checks the source IP address of the packets from the ISG50 for the IP address to use for the domain name.
CHAPTER 18 NAT
18.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network. Use Network Address Translation (NAT) to make computers on a private network behind the ISG50 available outside the private network.
• See Section 7.10.2 on page 130 for an example of how to configure NAT to allow web traffic from the WAN to a server on the DMZ.
18.2 The NAT Screen
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition, this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this screen, log in to the Web Configurator and click Configuration > Network > NAT.
Table 102 Configuration > Network > NAT (continued)
LABEL | DESCRIPTION
Mapped Port | This field displays the new destination port(s) for the packet. This field is blank if there is no restriction on the original destination port.
Apply | Click this button to save your changes to the ISG50.
Reset | Click this button to return the screen to its last-saved settings.
18.2.1 The NAT Add/Edit Screen
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones.
Table 103 Configuration > Network > NAT > Add (continued)
LABEL | DESCRIPTION
Classification | Select what kind of NAT this rule is to perform. Virtual Server - This makes computers on a private network behind the ISG50 available to a public network outside the ISG50 (like the Internet).
Table 103 Configuration > Network > NAT > Add (continued)
LABEL | DESCRIPTION
Port Mapping Type | Use the drop-down list box to select how many original destination ports this NAT rule supports for the selected destination IP address (Original IP). Choices are: any - this NAT rule supports all the destination ports. Service - this NAT rule maps one service to another. Port - this NAT rule supports one destination port. Ports - this NAT rule supports a range of destination ports.
18.3 NAT Technical Reference
Here is more detailed information about NAT on the ISG50.
NAT Loopback
Suppose a NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP to access the mail server. For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to resolve the SMTP server’s domain name (xxx.LAN-SMTP.
The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address of the ISG50’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN users to the LAN SMTP server.
Figure 216 LAN to LAN Traffic [diagram labels: Source 192.168.1.1, Source 192.168.1.89, LAN hosts 192.168.1.21 and 192.168.1.89]
The LAN SMTP server replies to the ISG50’s LAN IP address and the ISG50 changes the source address to 1.1.1.1 before sending it to the LAN user.
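The NAT loopback rewrite described above, traced in both directions as an added example (not ZyXEL code). It goes one step beyond the text by also running the case without the source rewrite, which shows why the ISG50 substitutes its own LAN address. Assumptions: 192.168.1.21 (from the Figure 216 labels) is the LAN SMTP server, and the port numbers are constructed.

```python
PUBLIC_IP = "1.1.1.1"        # original IP of the NAT 1:1 rule (from the page)
SERVER_IP = "192.168.1.21"   # assumed LAN SMTP server (address from the Figure 216 labels)
ISG_LAN_IP = "192.168.1.1"   # ISG50 LAN interface (from the page)
CLIENT_IP = "192.168.1.89"   # LAN user (from the page)
SMTP_PORT = 25               # constructed: the page names SMTP but gives no port
CLIENT_PORT = 40001          # constructed ephemeral port


class LoopbackNat:
    """Minimal model of a 1:1 NAT rule with optional loopback source rewriting."""

    def __init__(self, original_ip, mapped_ip, lan_ip, loopback=True):
        self.original_ip = original_ip
        self.mapped_ip = mapped_ip
        self.lan_ip = lan_ip
        self.loopback = loopback
        # (nat src, src port, server, server port) -> (real client, original destination)
        # Simplification: a real device would also remap colliding source ports.
        self.sessions = {}

    def forward(self, pkt):
        """LAN user -> server direction."""
        if pkt["dst"] != self.original_ip:
            return dict(pkt)
        out = dict(pkt, dst=self.mapped_ip)          # destination NAT to the private server
        if self.loopback:
            out["src"] = self.lan_ip                 # source becomes the ISG50 LAN address
            key = (out["src"], out["sport"], out["dst"], out["dport"])
            self.sessions[key] = (pkt["src"], pkt["dst"])
        return out

    def reverse(self, pkt):
        """Server -> ISG50 reply. Restores the addresses the LAN user expects."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.sessions:
            return None
        client, original = self.sessions[key]
        return dict(pkt, src=original, dst=client)


def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return {"src": pkt["dst"], "sport": pkt["dport"],
            "dst": pkt["src"], "dport": pkt["sport"]}


def client_accepts(request, reply):
    """A client only accepts a reply that comes from the address and port it contacted."""
    return (reply is not None
            and (reply["src"], reply["sport"]) == (request["dst"], request["dport"])
            and (reply["dst"], reply["dport"]) == (request["src"], request["sport"]))


def round_trip(loopback):
    """Return (packet seen by server, reply seen by client, accepted?)."""
    nat = LoopbackNat(PUBLIC_IP, SERVER_IP, ISG_LAN_IP, loopback)
    request = {"src": CLIENT_IP, "sport": CLIENT_PORT,
               "dst": PUBLIC_IP, "dport": SMTP_PORT}
    at_server = nat.forward(request)
    reply = server_reply(at_server)
    if reply["dst"] == ISG_LAN_IP:
        delivered = nat.reverse(reply)   # reply returns through the ISG50
    else:
        delivered = reply                # same subnet: server answers the client directly
    return at_server, delivered, client_accepts(request, delivered)


if __name__ == "__main__":
    for mode in (True, False):
        at_server, delivered, ok = round_trip(mode)
        print("loopback source rewrite:", mode)
        print("  server sees :", at_server["src"], "->", at_server["dst"])
        print("  client sees :", delivered["src"], "->", delivered["dst"])
        print("  accepted    :", ok)
```

Without the source rewrite the server replies straight to 192.168.1.89 from 192.168.1.21, an address the client never contacted, so the session fails.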
CHAPTER 19 HTTP Redirect
19.1 Overview
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the ISG50) to a web proxy server. In the following example, proxy server A is connected to the DMZ interface. When a client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it to access the Internet to get it from a server.
A client connects to a web proxy server each time he/she wants to access the Internet. The web proxy provides caching service to allow quick access and reduce network usage. The proxy checks its local cache for the requested web resource first. If it is not found, the proxy gets it from the specified server and forwards the response to the client.
Note: You can configure up to one HTTP redirect rule for each (incoming) interface.
Figure 219 Configuration > Network > HTTP Redirect
The following table describes the labels in this screen.
Table 104 Configuration > Network > HTTP Redirect
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove | To remove an entry, select it and click Remove.
The following table describes the labels in this screen.
Table 105 Network > HTTP Redirect > Edit
LABEL | DESCRIPTION
Enable | Use this option to turn the HTTP redirect rule on or off.
Name | Enter a name to identify this rule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
CHAPTER 20 ALG
20.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the ISG50’s NAT.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.
The ALG feature is only needed for traffic that goes through the ISG50’s NAT.
20.1.1 What You Can Do in this Chapter
Use the ALG screen (Section 20.2 on page 338) to set up H.323 and FTP ALG settings.
The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and B.
Figure 221 H.323 ALG Example
Peer-to-Peer Calls and the ISG50
The ISG50 ALG can allow peer-to-peer VoIP calls for H.323. You must configure the firewall and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
address B to receive calls through public WAN IP address 2. You configure corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1 and calls from LAN IP address B go out through WAN IP address 2.
Figure 223 VoIP with Multiple WAN IP Addresses
Finding Out More
• See Section 6.6.11 on page 101 for related information on these screens.
• See Section 7.9 on page 125 for a tutorial showing how to use the ALG for peer-to-peer H.323 traffic.
20.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off or on and configure the port numbers to which they apply.
Figure 224 Configuration > Network > ALG
The following table describes the labels in this screen.
Table 106 Configuration > Network > ALG
LABEL | DESCRIPTION
Enable H.323 ALG | Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and help build H.323 sessions through the ISG50’s NAT.
Enable H.
Table 106 Configuration > Network > ALG (continued)
LABEL | DESCRIPTION
Additional FTP Signaling Port for Transformations | If you are also using FTP on an additional TCP port number, enter it here.
Apply | Click Apply to save your changes back to the ISG50.
Reset | Click Reset to return the screen to its last-saved settings.
20.3 ALG Technical Reference
Here is more detailed information about the Application Layer Gateway.
RTP
When you make a VoIP call using H.323, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.
CHAPTER 21 IP/MAC Binding
21.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged IP addresses. The ISG50 uses DHCP to assign IP addresses and records the MAC address to which it assigned each IP address. The ISG50 then checks incoming connection attempts against this list. A user cannot manually assign another IP to his computer and use it to connect to the ISG50. Suppose you configure access privileges for IP address 192.168.1.
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet, bridge, and VLAN interfaces. You can also enable or disable IP/MAC binding and logging in an interface’s configuration screen.
21.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary screen.
21.2.1 IP/MAC Binding Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Use this screen to configure an interface’s IP to MAC address binding settings.
Figure 227 Configuration > Network > IP/MAC Binding > Edit
The following table describes the labels in this screen.
Table 108 Configuration > Network > IP/MAC Binding > Edit (continued)
LABEL | DESCRIPTION
OK | Click OK to save your changes back to the ISG50.
Cancel | Click Cancel to exit this screen without saving.
21.2.2 Static DHCP Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an interface’s IP to MAC address binding settings.
21.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the ISG50 does not apply IP/MAC binding.
Figure 229 Configuration > Network > IP/MAC Binding > Exempt List
The following table describes the labels in this screen.
CHAPTER 22 Authentication Policy
22.1 Overview
Use authentication policies to control who can access the network. You can authenticate users (require them to log in).
22.1.1 What You Can Do in this Chapter
Use the Configuration > Auth. Policy screens (Section 22.2 on page 347) to create and manage authentication policies.
22.1.2 What You Need to Know
Authentication Policy and VPN
Authentication policies are applied based on a traffic flow’s source and destination IP addresses.
Click Configuration > Auth. Policy to display the screen. Figure 230 Configuration > Auth.
The following table gives an overview of the objects you can configure.
Table 111 Configuration > Auth. Policy
LABEL | DESCRIPTION
Enable Authentication Policy | Select this to turn on the authentication policy feature.
Exceptional Services | Use this table to list services that users can access without logging in. Click Add to change the list’s membership. A screen appears. Available services appear on the left.
Table 111 Configuration > Auth. Policy (continued)
LABEL | DESCRIPTION
Destination | This displays the destination address object to which this policy applies.
Schedule | This field displays the schedule object that dictates when the policy applies. none means the policy is active at all times if enabled.
Authentication | This field displays the authentication requirement for users when their traffic matches this policy. This is n/a for the default policy.
The following table gives an overview of the objects you can configure.
Table 112 Configuration > Auth. Policy > Add
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable Policy | Select this check box to activate the authentication policy. This field is available for user-configured policies.
Description | Enter a descriptive name of up to 60 printable ASCII characters for the policy.
CHAPTER 23 Firewall
23.1 Overview
Use the firewall to block or allow services that use static port numbers. The firewall can also limit the number of user sessions. This figure shows the ISG50’s default firewall rules in action and demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN1 zone and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked.
23.1.2 What You Need to Know
Stateful Inspection
The ISG50 has a stateful inspection firewall. The ISG50 restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces or VPN tunnels. Group the ISG50’s interfaces into different zones based on your needs.
You can configure a To-ISG50 firewall rule (with From Any To Device direction) for traffic from an interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone.
23.1.3 Firewall Rule Example Applications
Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need the firewall rule to always be in effect. The following figure shows the results of this rule.
Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
Figure 235 Limited LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ISG50 would drop it and not check any other firewall rules.
23.1.4 Firewall Rule Configuration Example
The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN1.
5 The screen for configuring a service object opens. Configure it as follows and click OK.
Figure 238 Firewall Example: Create a Service Object
6 Select From WAN and To LAN1.
7 Enter the name of the firewall rule.
8 Make sure Dest_1 is selected for the Destination and Doom is selected as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.
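The rule-order requirement from Section 23.1.3 (the CEO's allow rule must sit above the rule that blocks LAN1 to WAN IRC traffic), together with the Doom rule from Section 23.1.4, as an added first-match evaluator with a shadowed-rule check. This is example code, not ZyXEL's implementation: services are matched by name because the page gives no port numbers, and the rule names, the final LAN1 to WAN allow rule, the implicit default and the 203.0.113.x addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = None  # wildcard for address and service fields


@dataclass(frozen=True)
class AddressRange:
    """Inclusive IPv4 range, like the Dest_1 address object on the page."""
    first: str
    last: str

    def contains(self, addr):
        return ip_address(self.first) <= ip_address(addr) <= ip_address(self.last)

    def covers(self, other):
        return self.contains(other.first) and self.contains(other.last)


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: object       # AddressRange or ANY
    destination: object  # AddressRange or ANY
    service: object      # service name or ANY
    access: str          # "allow" or "deny"

    def matches(self, pkt):
        return (self.from_zone == pkt["from_zone"]
                and self.to_zone == pkt["to_zone"]
                and (self.source is ANY or self.source.contains(pkt["src"]))
                and (self.destination is ANY or self.destination.contains(pkt["dst"]))
                and (self.service is ANY or self.service == pkt["service"]))


def evaluate(rules, pkt, default=("deny", "implicit-default")):
    """Return (access, rule name) of the first matching rule; later rules are not checked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.access, rule.name
    return default


def field_covers(earlier, later):
    """True if every value the later field matches is also matched by the earlier field."""
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    if isinstance(earlier, AddressRange):
        return earlier.covers(later)
    return earlier == later


def shadowed_rules(rules):
    """List (rule, earlier rule) pairs where the later rule can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.from_zone, earlier.to_zone) == (later.from_zone, later.to_zone)
                    and field_covers(earlier.source, later.source)
                    and field_covers(earlier.destination, later.destination)
                    and field_covers(earlier.service, later.service)):
                found.append((later.name, earlier.name))
                break
    return found


CEO_IRC = Rule("allow-ceo-irc", "LAN1", "WAN",
               AddressRange("192.168.1.7", "192.168.1.7"), ANY, "IRC", "allow")
BLOCK_IRC = Rule("block-irc", "LAN1", "WAN", ANY, ANY, "IRC", "deny")
DOOM = Rule("allow-doom", "WAN", "LAN1", ANY,
            AddressRange("192.168.1.10", "192.168.1.15"), "Doom", "allow")  # Dest_1
LAN_DEFAULT = Rule("lan1-wan-default", "LAN1", "WAN", ANY, ANY, ANY, "allow")  # assumed

CORRECT_ORDER = [CEO_IRC, BLOCK_IRC, DOOM, LAN_DEFAULT]
WRONG_ORDER = [BLOCK_IRC, CEO_IRC, DOOM, LAN_DEFAULT]

# Constructed sample packets (203.0.113.0/24 is a documentation range).
CEO_PKT = {"from_zone": "LAN1", "to_zone": "WAN", "src": "192.168.1.7",
           "dst": "203.0.113.5", "service": "IRC"}
STAFF_PKT = dict(CEO_PKT, src="192.168.1.33")
DOOM_PKT = {"from_zone": "WAN", "to_zone": "LAN1", "src": "203.0.113.9",
            "dst": "192.168.1.12", "service": "Doom"}
DOOM_OUTSIDE_PKT = dict(DOOM_PKT, dst="192.168.1.20")

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "order, CEO IRC:", evaluate(rules, CEO_PKT),
              "shadowed:", shadowed_rules(rules))
```

Running `shadowed_rules` over an exported rule list before applying it flags the misordering described in the text without sending any traffic.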
23.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ISG50’s LAN IP address, return traffic may not go through the ISG50. This is called an asymmetrical or “triangle” route. This causes the ISG50 to reset the connection, as the connection has not been acknowledged. You can have the ISG50 permit the use of asymmetrical route topology on the network (not reset the connection).
• If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
• Besides configuring the firewall, you also need to configure NAT rules to allow computers on the WAN to access LAN devices. See Chapter 18 on page 323 for more information.
• The ISG50 applies NAT (Destination NAT) settings before applying the firewall rules.
Table 117 Configuration > Firewall (continued)
LABEL | DESCRIPTION
From Zone / To Zone | This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, from LAN1 to LAN1 means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN1.
23.2.2 The Firewall Add/Edit Screen
In the Firewall screen, click the Edit or Add icon to display the Firewall Rule Edit screen.
Figure 243 Configuration > Firewall > Add
The following table describes the labels in this screen.
Table 118 Configuration > Firewall > Add
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable | Select this check box to activate the firewall rule.
Table 118 Configuration > Firewall > Add (continued)
LABEL | DESCRIPTION
Access | Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select reject to deny the packets and send a TCP reset packet to the sender. Any UDP packets are dropped without sending a response packet.
Table 119 Configuration > Firewall > Session Limit (continued)
LABEL | DESCRIPTION
Rule Summary | This table lists the rules for limiting the number of concurrent sessions hosts can have.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove | To remove an entry, select it and click Remove.
The following table describes the labels in this screen.
Table 120 Configuration > Firewall > Session Limit > Edit
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable Rule | Select this check box to turn on this session limit rule.
Description | Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed.
CHAPTER 24 IPSec VPN
24.1 IPSec VPN Overview
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
24.1.2 What You Need to Know
An IPSec VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ISG50 and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ISG50 and remote IPSec router.
Application Scenarios
The ISG50’s application scenarios make it easier to configure your VPN connection settings.
Table 121 IPSec VPN Application Scenarios
SITE-TO-SITE | SITE-TO-SITE WITH DYNAMIC PEER | REMOTE ACCESS (SERVER ROLE) | REMOTE ACCESS (CLIENT ROLE)
Choose this if the remote IPSec router has a static IP address or a domain name. For example, a branch office with an ISG50 or a VPN router with a static IP address.
24.1.3 Before You Begin
This section briefly explains the relationship between VPN tunnels and other features. It also gives some basic suggestions for troubleshooting. You should set up the following features before you set up the VPN tunnel.
• In any VPN connection, you have to select address objects to specify the local policy and remote policy. You should set up the address objects first.
Each field is discussed in the following table. See Section 24.2.2 on page 377 and Section 24.2.1 on page 371 for more information.
Table 122 Configuration > VPN > IPSec VPN > VPN Connection
LABEL | DESCRIPTION
Use Policy Route to control dynamic IPSec rules | Select this to be able to use policy routes to manually specify the destination addresses of dynamic IPSec rules. You must manually create these policy routes.
the Add icon, you have to select a specific VPN gateway in the VPN Gateway field before the following screen appears.
Each field is described in the following table.
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit
LABEL | DESCRIPTION
Show Advance Settings / Hide Advance Settings | Click this button to display a greater or lesser number of configuration fields.
Create new Object | Use to configure any new settings objects that you need to use in this screen.
General Settings |
Enable | Select this check box to activate this VPN connection.
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
LABEL | DESCRIPTION
Policy Enforcement | Clear this to allow traffic with source and destination IP addresses that do not match the local and remote policy to use the VPN tunnel. Leave this cleared for free access between the local and remote networks. Selecting this restricts who can use the VPN tunnel.
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
LABEL | DESCRIPTION
Authentication | Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. The ISG50 and the remote IPSec router must both have a proposal that uses the same authentication algorithm.
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
LABEL | DESCRIPTION
Source | Select the address object that represents the original source address (or select Create Object to configure a new one). This is the address object for the computer or network outside the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT).
Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)
LABEL | DESCRIPTION
OK | Click OK to save the changes.
Cancel | Click Cancel to discard all changes and return to the main VPN screen.
24.2.2 The VPN Connection Add/Edit Manual Key Screen
The VPN Connection Add/Edit Manual Key screen allows you to create a new VPN connection or edit an existing one using a manual key. This is useful if you have problems with IKE key management.
Table 124 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
LABEL | DESCRIPTION
Secure Gateway Address | Type the IP address of the remote IPSec router in the IPSec SA.
SPI | Type a unique SPI (Security Parameter Index) between 256 and 4095. The SPI is used to identify the ISG50 during authentication. The ISG50 and remote IPSec router must use the same SPI.
Encapsulation Mode | Select which type of encapsulation the IPSec SA uses.
Table 124 Configuration > VPN > IPSec VPN > VPN Connection > Add > Manual Key (continued)
LABEL | DESCRIPTION
Encryption Key | This field is applicable when you select an Encryption Algorithm. Enter the encryption key, which depends on the encryption algorithm.
To access this screen, click Configuration > VPN > Network > IPSec VPN > VPN Gateway. The following screen appears.
Figure 251 Configuration > VPN > IPSec VPN > VPN Gateway
Each field is discussed in the following table. See Section 24.3.1 on page 381 for more information.
Table 125 Configuration > VPN > IPSec VPN > VPN Gateway
LABEL | DESCRIPTION
Add | Click this to create a new entry.
24.3.1 The VPN Gateway Add/Edit Screen
The VPN Gateway Add/Edit screen allows you to create a new VPN gateway policy or edit an existing one. To access this screen, go to the VPN Gateway summary screen (see Section 24.3 on page 379), and click either the Add icon or an Edit icon.
Each field is described in the following table.
Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit
LABEL | DESCRIPTION
Show Advance Settings / Hide Advance Settings | Click this button to display a greater or lesser number of configuration fields.
General Settings |
VPN Gateway Name | Type the name used to identify this VPN gateway. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL | DESCRIPTION
Local ID Type | This field is read-only if the ISG50 and remote IPSec router use certificates to identify each other. Select which type of identification is used to identify the ISG50 during authentication.
Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL | DESCRIPTION
Content | This field is disabled if the Peer ID Type is Any. Type the identity of the remote IPSec router during authentication. The identity depends on the Peer ID Type. If the ISG50 and remote IPSec router do not use certificates, IP - type an IP address; see the note at the end of this description.
Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL | DESCRIPTION
# | This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly.
Encryption | Select which key size and encryption algorithm to use in the IKE SA.
Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)
LABEL | DESCRIPTION
Enable Extended Authentication | Select this if one of the routers (the ISG50 or the remote IPSec router) verifies a user name and password from the other router using the local user database and/or an external server.
Server Mode | Select this if the ISG50 authenticates the user name and password from the remote IPSec router.
IKE SA Proposal

The IKE SA proposal is used to identify the encryption algorithm, authentication algorithm, and Diffie-Hellman (DH) key group that the ISG50 and remote IPSec router use in the IKE SA. In main mode, this is done in steps 1 and 2, as illustrated next.
Diffie-Hellman (DH) Key Exchange

The ISG50 and the remote IPSec router use DH public-key cryptography to establish a shared secret. The shared secret is then used to generate encryption keys for the IKE SA and IPSec SA. In main mode, this is done in steps 3 and 4, as illustrated next.

Figure 254 IKE SA: Main Negotiation Mode, Steps 3 - 4: DH Key Exchange

DH public-key cryptography is based on DH key groups.
You have to create (and distribute) a pre-shared key. The ISG50 and remote IPSec router use it in the authentication process, though it is not actually transmitted or exchanged.

Note: The ISG50 and the remote IPSec router must use the same pre-shared key.

Router identity consists of ID type and content. The ID type can be domain name, IP address, or e-mail address, and the content is a (properly-formatted) domain name, IP address, or e-mail address.
Main mode takes six steps to establish an IKE SA.

Steps 1 - 2: The ISG50 sends its proposals to the remote IPSec router. The remote IPSec router selects an acceptable proposal and sends it back to the ISG50.

Steps 3 - 4: The ISG50 and the remote IPSec router exchange pre-shared keys for authentication and participate in a Diffie-Hellman key exchange, based on the accepted DH key group, to establish a shared secret.
• Configure the NAT router to forward packets with the extra header unchanged. (See the field description for detailed information about the extra header.) The extra header may be UDP port 500 or UDP port 4500, depending on the standard(s) the ISG50 and remote IPSec router support.

Extended Authentication

Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router. For example, this might be used with telecommuters.
Active Protocol

The active protocol controls the format of each packet. It also specifies how much of each packet is protected by the encryption and authentication algorithms. IPSec VPN includes two active protocols, AH (Authentication Header, RFC 2402) and ESP (Encapsulating Security Payload, RFC 2406).

Note: The ISG50 and remote IPSec router must use the same active protocol.

Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT.
If you enable PFS, the ISG50 and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.

If you do not enable PFS, the ISG50 and remote IPSec router use the same root key that was generated when the IKE SA was established to generate encryption keys.
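The effect of the PFS setting on key exposure, as an added example (not ISG50 or IKE code): each IPSec SA key is derived from a root key, and the model counts how many SA keys follow from the IKE SA root alone. The toy DH group, the HMAC-based `derive` helper and the nonce handling are simplifying assumptions, not the real IKE key-derivation function.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption): a 127-bit prime modulus.
# Real IKE uses the much larger DH key groups offered in the proposal.
P = 2**127 - 1
G = 3


def dh_exchange():
    """Both routers pick a private value, swap public values, get one secret."""
    a = secrets.randbelow(P - 2) + 1            # ISG50 private value
    b = secrets.randbelow(P - 2) + 1            # remote router private value
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)   # only these cross the wire
    secret_a = pow(pub_b, a, P)
    secret_b = pow(pub_a, b, P)
    assert secret_a == secret_b                 # both ends agree
    return secret_a.to_bytes(16, "big")


def derive(root, label):
    """Hypothetical KDF: HMAC-SHA256 of a label under a root key."""
    return hmac.new(root, label, hashlib.sha256).digest()


def establish_ipsec_sas(ike_root, count, pfs):
    """Return [(nonce, key)] for `count` IPSec SAs set up under one IKE SA."""
    sas = []
    for _ in range(count):
        nonce = secrets.token_bytes(16)         # exchanged during negotiation
        root = ike_root
        if pfs:
            # PFS: a fresh DH exchange changes the root key for this SA.
            root = derive(ike_root, dh_exchange())
        sas.append((nonce, derive(root, nonce)))
    return sas


def keys_exposed_by_root(ike_root, sas):
    """Count SA keys that follow from the IKE SA root and the nonces alone."""
    return sum(
        1 for nonce, key in sas
        if hmac.compare_digest(derive(ike_root, nonce), key)
    )


if __name__ == "__main__":
    ike_root = dh_exchange()                    # root from the IKE SA
    for pfs in (False, True):
        sas = establish_ipsec_sas(ike_root, 3, pfs)
        print("PFS", pfs, "-> keys derivable from IKE root:",
              keys_exposed_by_root(ike_root, sas))
```
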
• Destination address in inbound packets - this translation is used if you want to forward packets (for example, mail) from the remote network to a specific computer (like the mail server) in the local network.

Each kind of translation is explained below. The following example is used to help explain each one.
Destination Address in Inbound Packets (Inbound Traffic, Destination NAT)

You can set up this translation if you want the ISG50 to forward some packets from the remote network to a specific computer in the local network. For example, in Figure 258 on page 394, you can configure this kind of translation if you want to forward mail from the remote network to the mail server in the local network (A).

You have to specify one or more rules when you set up this kind of NAT.
Chapter 25 Bandwidth Management

25.1 Overview

Bandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.

25.1.1 What You Can Do in this Chapter

Use the BWM screens (see Section 25.
Connection and Packet Directions

Bandwidth management looks at the connection direction, that is, from which zone the connection was initiated and to which zone the connection is going. A connection has outbound and inbound packet flows. The ISG50 controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel.

• The outbound traffic flows from the connection initiator to the connection responder.
• Inbound traffic is limited to 500 kbps. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1.

Figure 260 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps

Bandwidth Management Priority

• The ISG50 gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.
• Then lower-priority traffic gets bandwidth.
1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.

Figure 261 Bandwidth Management Behavior

Configured Rate Effect

In the following table, the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, so both servers get their configured rate.
Priority and Over Allotment of Bandwidth Effect

Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the ISG50 still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.
• FTP traffic from the LAN1 to the DMZ can use more bandwidth since the interfaces support up to 1 Gbps connections, but it must be the lowest priority and limited so it does not interfere with SIP and HTTP traffic.

Figure 262 Bandwidth Management Example
SIP: Any to WAN, Outbound: 200 Kbps, Inbound: 200 Kbps, Priority: 1, Max. B. U.
SIP: WAN to Any, Outbound: 200 Kbps, Inbound: 200 Kbps, Priority: 1, Max. B. U.
• Enable maximize bandwidth usage so the SIP traffic can borrow unused bandwidth.

Figure 263 SIP Any to WAN Bandwidth Management Example (Outbound: 200 kbps, Inbound: 200 kbps)

25.1.3.3 SIP WAN to Any Bandwidth Management Example

You also create a policy for calls coming in from the SIP server on the WAN. It is the same as the SIP Any to WAN policy, but with the directions reversed (WAN to Any instead of Any to WAN).

25.1.3.
• Disable maximize bandwidth usage since you do not want to give FTP more bandwidth.

Figure 265 FTP WAN to DMZ Bandwidth Management Example (Outbound: 300 kbps, Inbound: 100 kbps)

25.1.3.6 FTP LAN to DMZ Bandwidth Management Example

• The LAN and DMZ zone interfaces are connected to Ethernet networks (not an ADSL device) so you limit both outbound and inbound traffic to 50 Mbps.
• Fourth highest priority (4).
Click Configuration > Bandwidth Management to open the following screen.

Figure 267 Configuration > Bandwidth Management

The following table describes the labels in this screen. See Section 25.2.1 on page 406 for more information as well.

Table 133 Configuration > Bandwidth Management
LABEL | DESCRIPTION
Enable BWM | Select this check box to activate bandwidth management.
Table 133 Configuration > Bandwidth Management
LABEL | DESCRIPTION
To | This is the destination zone of the traffic to which this policy applies.
Source | This is the source address or address group to which this policy applies. If any displays, the policy is effective for every source.
Destination | This is the destination address or address group to which this policy applies. If any displays, the policy is effective for every destination.
Management screen (see Section 25.2 on page 404), and click either the Add icon or an Edit icon.

Figure 268 Configuration > Bandwidth Management > Edit

The following table describes the labels in this screen.

Table 134 Configuration > Bandwidth Management
LABEL | DESCRIPTION
Create new Object | Use to configure any new settings objects that you need to use in this screen.
Enable | Select this check box to turn on this policy.
Table 134 Configuration > Bandwidth Management
LABEL | DESCRIPTION
DSCP Marking | Set how the ISG50 handles the DSCP value of the outgoing packets that match this policy. Inbound refers to the traffic the ISG50 sends to a connection’s initiator. Outbound refers to the traffic the ISG50 sends out from a connection’s initiator. Select one of the pre-defined DSCP values to apply or select User Defined to specify another DSCP value.
Table 134 Configuration > Bandwidth Management
LABEL | DESCRIPTION
OK | Click OK to save your changes back to the ISG50.
Cancel | Click Cancel to exit this screen without saving your changes.
Chapter 26 ADP

26.1 Overview

This chapter introduces ADP (Anomaly Detection and Prevention), anomaly profiles and applying an ADP profile to a traffic direction. ADP protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans.

26.1.1 ADP

1 ADP anomaly detection is in general effective against abnormal behavior.
2 ADP traffic and anomaly rules are updated when you upload new firmware.

26.1.
Base ADP Profiles

Base ADP profiles are templates that you use to create new ADP profiles. The ISG50 comes with several base profiles. See Table 136 on page 414 for details on ADP base profiles.

ADP Policy

An ADP policy refers to application of an ADP profile to a traffic flow.

Finding Out More

• See Section 6.6.16 on page 103 for ADP prerequisites.
• See Section 26.4 on page 421 for background information on these screens.

26.1.
Table 135 Configuration > Anti-X > ADP > General (continued)
LABEL | DESCRIPTION
Policies | Use this list to specify which anomaly profile the ISG50 uses for traffic flowing in a specific direction. Edit the policies directly in the table.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Select an entry and click this to be able to modify it.
Remove | Select an entry and click this to delete it.
• Delete an existing profile

26.3.1 Base Profiles

The ISG50 comes with base profiles. You use base profiles to create new profiles. In the Configuration > Anti-X > ADP > Profile screen, click Add to display the following screen.

Figure 270 Base Profiles

These are the default base profiles at the time of writing.

Table 136 Base Profiles
BASE PROFILE | DESCRIPTION
none | All traffic anomaly and protocol anomaly rules are disabled. No logs are generated and no actions are taken.
The following table describes the fields in this screen.

Table 137 Anti-X > ADP > Profile
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Select an entry and click this to be able to modify it.
Remove | Select an entry and click this to delete it.
# | This is the entry’s index number in the list.
Name | This is the name of the profile you created.
Base Profile | This is the base profile from which the profile was created.

26.3.
Figure 272 Profiles: Traffic Anomaly
The following table describes the fields in this screen.

Table 138 Configuration > ADP > Profile > Traffic Anomaly
LABEL | DESCRIPTION
Name | This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 138 Configuration > ADP > Profile > Traffic Anomaly (continued)
LABEL | DESCRIPTION
Cancel | Click Cancel to return to the profile summary page without saving any changes.
Save | Click Save to save the configuration to the ISG50 but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.

26.3.
Figure 273 Profiles: Protocol Anomaly
The following table describes the fields in this screen.

Table 139 Configuration > ADP > Profile > Protocol Anomaly
LABEL | DESCRIPTION
Name | This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 139 Configuration > ADP > Profile > Protocol Anomaly (continued)
LABEL | DESCRIPTION
Log | These are the log options. To edit this, select an item and use the Log icon.
Action | This is the action the ISG50 should take when a packet matches a rule. To edit this, select an item and use the Action icon.
Log | Select whether to have the ISG50 generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule. See Chapter 53 on page 705 for more on logs.
Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types:

• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan

Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple hosts query one host for open services. This may be used to evade intrusion detection.
Flood Detection

Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.

ICMP Flood Attack

An ICMP flood broadcasts so many pings or UDP packets to a system that it slows down or locks up.
A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake.
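The backlog behaviour described above, as an added example (a simplified model, not ISG50 code): a listener's half-open queue is replayed over a constructed event list to show where a legitimate client is refused and where a fill-level alert would fire. The queue size, timeout, alert level and all addresses are assumptions chosen for the sample.

```python
from collections import OrderedDict


class SynBacklog:
    """Half-open connection queue of a TCP listener (simplified model)."""

    def __init__(self, size, timeout):
        self.size = size              # maximum outstanding SYN-ACKs
        self.timeout = timeout        # seconds before the timer gives up
        self.pending = OrderedDict()  # peer -> time the SYN-ACK was sent

    def expire(self, now):
        # The internal timer ends handshakes that never got the final ACK.
        while self.pending:
            peer, sent = next(iter(self.pending.items()))
            if now - sent < self.timeout:
                break
            del self.pending[peer]

    def on_syn(self, now, peer):
        """Return True if a SYN-ACK is (or already was) queued for peer."""
        self.expire(now)
        if peer in self.pending:      # retransmitted SYN
            return True
        if len(self.pending) >= self.size:
            return False              # backlog full: the SYN is refused
        self.pending[peer] = now
        return True

    def on_ack(self, now, peer):
        """Return True if the ACK completes a pending handshake."""
        self.expire(now)
        return self.pending.pop(peer, None) is not None


def replay(events, size=4, timeout=30, alert_at=3):
    """Replay (time, segment, peer) events; report outcomes and alert times."""
    backlog = SynBacklog(size, timeout)
    result = {"established": [], "refused": [], "alerts": []}
    alarmed = False
    for now, segment, peer in events:
        if segment == "SYN":
            if not backlog.on_syn(now, peer):
                result["refused"].append(peer)
        elif segment == "ACK":
            if backlog.on_ack(now, peer):
                result["established"].append(peer)
        fill = len(backlog.pending)
        if fill >= alert_at and not alarmed:
            result["alerts"].append(now)   # backlog crossed the alert level
            alarmed = True
        elif fill < alert_at:
            alarmed = False
    return result


# Constructed sample: (seconds, segment, (source IP, source port)).
EVENTS = [
    (0, "SYN", ("192.0.2.10", 40000)),    # normal client completes
    (1, "ACK", ("192.0.2.10", 40000)),
    (2, "SYN", ("198.51.100.1", 1025)),   # SYNs that are never ACKed
    (3, "SYN", ("198.51.100.2", 1026)),
    (4, "SYN", ("198.51.100.3", 1027)),
    (5, "SYN", ("198.51.100.4", 1028)),
    (6, "SYN", ("192.0.2.11", 40001)),    # refused: backlog is full
    (40, "SYN", ("192.0.2.11", 40001)),   # timer has cleared the queue
    (41, "ACK", ("192.0.2.11", 40001)),
]

if __name__ == "__main__":
    print(replay(EVENTS))
```
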
HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ISG50 protocol anomaly rules.

Table 140 HTTP Inspection and TCP/UDP/ICMP Decoders
LABEL | DESCRIPTION
HTTP Inspection
APACHE-WHITESPACE ATTACK | This rule deals with the non-RFC-standard use of a tab as a space delimiter. Apache uses this, so if you have an Apache server, you need to enable this option.
Table 140 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL | DESCRIPTION
OVERSIZE-REQUEST-URI-DIRECTORY ATTACK | This rule takes a non-zero positive integer as an argument. The argument specifies the max character directory length for URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker.
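The two HTTP inspection checks described above, as an added example (not the ISG50's rule engine): a request line is checked for a tab used as a delimiter and for a URL directory longer than the rule's argument. Treating a "directory" as any path segment that is followed by a `/`, the function names and the sample request lines are assumptions made for the illustration.

```python
from urllib.parse import urlsplit


def url_directories(uri):
    """Return the directory segments of a request URI (segments before a '/')."""
    if "://" in uri:                       # absolute-form request target
        path = urlsplit(uri).path
    else:                                  # origin-form: drop the query string
        path = uri.split("?", 1)[0]
    return path.split("/")[1:-1]


def inspect_request_line(line, max_dir_len=300):
    """Return (findings, longest directory length) for one HTTP request line."""
    findings = []
    line = line.rstrip("\r\n")
    if "\t" in line:
        # A tab where the RFC expects a space delimiter.
        findings.append("APACHE-WHITESPACE")
    fields = line.split()                  # splits on spaces and tabs alike
    if len(fields) != 3:
        return findings, None              # not METHOD URI VERSION
    _method, uri, _version = fields
    longest = max((len(d) for d in url_directories(uri)), default=0)
    if longest > max_dir_len:              # alert only when larger than the argument
        findings.append("OVERSIZE-REQUEST-URI-DIRECTORY")
    return findings, longest


# Constructed sample request lines.
SAMPLES = [
    "GET /shop/cart/view.html?item=3 HTTP/1.1",
    "GET\t/index.html\tHTTP/1.0",
    "GET /" + "A" * 300 + "/x.cgi HTTP/1.0",
    "GET /" + "A" * 301 + "/x.cgi HTTP/1.0",
    "GET http://www.example.com/" + "B" * 400 + "/ HTTP/1.1",
]


def scan(lines, max_dir_len=300):
    """Inspect every line and return the list of (findings, longest) results."""
    return [inspect_request_line(line, max_dir_len) for line in lines]


if __name__ == "__main__":
    for line, (findings, longest) in zip(SAMPLES, scan(SAMPLES)):
        print(longest, findings or "ok", line[:40])
```
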
Table 140 HTTP Inspection and TCP/UDP/ICMP Decoders (continued)
LABEL | DESCRIPTION
ICMP Decoder
TRUNCATED-ADDRESS-HEADER ATTACK | This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length. This may cause some applications to crash.
TRUNCATED-HEADER ATTACK | This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash.
Chapter 27 Global PBX Settings

27.1 Overview

This chapter shows you how to set up your ISG50-wide PBX settings including SIP server, feature code, email, fake IP, peer to peer, QoS and TAPI settings.

The following diagram shows SIP devices communicating with the ISG50. In SIP some devices act as clients and others as servers. For example, in the figure below, devices A-D act as clients and must register with the ISG50 before they are able to make calls via the ISG50.
• Use the Peer to peer screen to set up a direct connection between two IP phones on the same subnet. See Section 27.6 on page 436.
• Use the QoS screen to configure Quality of Service (QoS) settings. See Section 27.7 on page 440.
• Use the TAPI screen to configure TAPI settings and download the ZyXEL TAPI driver. See Section 27.8 on page 442.

27.1.2 What You Need to Know

The following terms and concepts may help you as you read through the chapter.
The ISG50 can be configured to change the priority field of IP packets for all outgoing RTP (Real Time Protocol) packets. The ISG50 supports Differentiated Services (DiffServ) for implementing QoS. Configure the ISG50 with the QoS settings that your network uses for VoIP.

TAPI

Microsoft Windows Telephony Application Programming Interface (TAPI) integrates the ISG50’s telephone services with user computers.
See Section 13.2 on page 285 to set the WAN trunk the ISG50 uses for default traffic.

Figure 278 Configuration > PBX > Global > SIP Server

Each field is described in the following table.

Table 141 Configuration > PBX > Global > SIP Server
LABEL | DESCRIPTION
SIP Server
Realm Name | A realm is a set of usernames and passwords used by SIP client devices to authenticate with a SIP server. The ISG50 supports a single realm.
Table 141 Configuration > PBX > Global > SIP Server (continued)
LABEL | DESCRIPTION
Enable Personal AA | Select From external call to enable the ISG50’s auto-attendant feature for calls received from outside the PBX-managed telephone system. Select From internal call to enable the ISG50’s auto-attendant feature for calls received from within the PBX-managed telephone system.
Enable Session Timer | Select this to enable the session timer.
The following table describes the labels in this screen.

Table 142 Configuration > PBX > Global > Feature Code
LABEL | DESCRIPTION
Group Pickup | This code is used to pick up calls for your extension from a different extension in the same authority group.
Call Transfer | This code is used to transfer calls.
Direct Pickup | This code is used to pick up calls for your extension from a different extension.
27.4 The E-Mail Screen

Use this screen to configure the mail server information through which the ISG50 sends voice mails and CDR (Call Detail Record) files to the email addresses which you configured in extension voice mail (see Section 29.3.3 on page 467) and CDR (see Section 54.2 on page 721) screens. Click Configuration > PBX > Global > E-Mail to view the screen as shown next.
Click Configuration > PBX > Global > Fake IP to view the screen as shown next.

Figure 281 Configuration > PBX > Global > Fake IP

Each field is described in the following table.

Table 144 Server > Fake IP
LABEL | DESCRIPTION
Enable Fake IP | Turn on fake IP to have the ISG50 replace the IP address inside all outgoing SIP packets with the IP address of the upstream NAT router on your network.
Each field is described in the following table.

Table 145 Configuration > PBX > Global > Peer to Peer
LABEL | DESCRIPTION
Enable Peer to Peer | Select this to have the ISG50 set up direct connections between two IP phones on the same subnet. If you enable it, you should set up the Local Net for Peer to Peer.
Local Net for Peer to peer
Add | Click this to add a new entry to the local net list.
Remove | Click this to delete the selected item(s) in this list.
Note: If either phone A or B requests to use a feature specific to the ISG50, such as call parking or music on hold, the ISG50 interrupts the direct communication bridge and re-establishes control of the two SIP connections.

Figure 283 A Peer-to-Peer Example

27.6.2 Add Peer-to-Peer Local Net

Use this screen to add a subnet IP address to the localnet table for making peer-to-peer connections.
Each field is described in the following table.

Table 146 Configuration > PBX > Global > Peer to Peer > Add
LABEL | DESCRIPTION
IPv4 subnet in CIDR format | Enter an IPv4-compatible IP address in this field then select the length of the subnet mask from the list. This option defines a subnet for which the ISG50 can set up peer-to-peer networking.
OK | Click OK to save your customized settings and exit this screen.
Cancel | Click Cancel to exit this screen without saving.

27.6.
3 However, peer-to-peer calls cannot be made between devices if one of them belongs to a subnet listed in the localnet table and the other does not.

[Figure: device D (3.3.3.3) on the WAN; device A (192.168.1.54) on the LAN; Local Net = 192.168.1.0/24]

Furthermore, the devices making a peer-to-peer connection:

• Must have a common codec they can use between them.
• Must use SIPInfo for DTMF.
• Must not be using NAT.
Each field is described in the following table.

Table 147 Configuration > PBX > Global > QoS
LABEL | DESCRIPTION
SIP | Select the DSCP value to mark outgoing SIP control packets. You can choose one of the AF (Assured Forwarding) values or select User Define to specify another DSCP value. When the ISG50 auto provisions phones it sets them to mark outgoing SIP control packets with this DSCP value.
Audio | Select the DSCP value to mark outgoing SIP audio payload packets.
27.8 The TAPI Screen

Use this screen to enable TAPI, configure TAPI line settings on the ISG50 and download the ZyXEL TAPI driver. To access this screen, click Configuration > PBX > Global > TAPI.

Figure 286 Configuration > PBX > Global > TAPI

Each field is described in the following table.

Table 148 Configuration > PBX > Global > TAPI
LABEL | DESCRIPTION
Enable TAPI | Select this option to activate TAPI on the ISG50.
Table 148 Configuration > PBX > Global > TAPI (continued)
LABEL | DESCRIPTION
Server1/2 Password | Specify the password for the TAPI server account.
Server TAPI Lines Settings | Peer Pool lists all the extension numbers that you created in the Authority Group > Add screen (see Section 29.3.1 on page 462). Select the extensions that you want a TAPI server to manage via a TAPI connection, and click the right arrow button to add them.
1 Click Configuration > PBX > Global > TAPI. Click Download and save the file to your computer.
2 Unzip the file and run it, following the on-screen instructions to install it.
3 Open the ZyXEL_TAPI_for_ISG utility and click Configure....
4 In the Server window, click Settings....
5 Enter the ISG50’s host name and IP address. If you want the computer to work as a TAPI server and manage more than one extension, enter the user name and password for a server account already configured in the ISG50. If you want the computer to work as a TAPI client, enter the number of an existing extension and its password. Click Connect and OK.
6 In the Devices window, you can view the state and channel for the TAPI lines that you can control and manage. To change the TAPI line state or make/answer a call, you need the CTI (Computer Telephony Integration) client or server software, such as xtelsio CTI Client or ESTOS UCServer.

To confirm that the TAPI driver is installed, click start > Control Panel > Phone and Modem Options.
27.9 Network Technical Reference

This section contains background material relevant to the Server screens.

ISDN Overview

ISDN (Integrated Service Digital Network) is a circuit-switched telephone network system. In ISDN, there are two types of channels: B-channels and D-channels. ISDN allows digital transmission of voice, video and data over ordinary telephone copper wires using B-channels with 64 kbps bandwidth.
Chapter 28 Voice Interfaces

28.1 Overview

This chapter shows you how to configure parameters for FXO/FXS, and ISDN BRI channels.

28.1.1 What You Can Do in this Chapter

• Use the FXS screen to configure the ISG50’s FXS ports for connecting analog phones to your ISG50. See Section 28.2 on page 449.
• Use the FXO screen to configure the ISG50’s FXO ports for connecting to a traditional PBX’s FXS ports. See Section 28.3 on page 450.
performance, monitoring, power transfer, and multiplexing of the channels. You must connect a TE device to a NT device to access an ISDN network. The ISG50 is a TE device.

Types of ISDN Switches

There are many different ISDN switch types from different vendors in the world. The BRI interface enables the ISG50 to communicate with the following BRI switches.
Table 149 Configuration > PBX > Voice Interfaces > FXS (continued)
LABEL | DESCRIPTION
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.

28.3 The FXO Screen

Use this screen to configure settings related to the FXO lines configured on the ISG50. To access this screen, click Configuration > PBX > Voice Interfaces > FXO.
28.4 The BRI Screen

Use this screen to configure ISDN BRI interface settings on the ISG50. Click Configuration > PBX > Voice Interfaces > BRI to view the screen as shown next.

Figure 289 Configuration > PBX > Voice Interfaces > BRI

Each field is described in the following table.

Table 151 Configuration > PBX > Voice Interfaces > BRI
LABEL | DESCRIPTION
BRI Configuration
port | Specify the BRI port to configure.
Table 151 Configuration > PBX > Voice Interfaces > BRI (continued)
LABEL | DESCRIPTION
Type of Number | Select the type for the prefix number which might be required by your telephone company to make outgoing calls. The options you can select are abbreviated, unknown, international, national, network-specific, and subscriber.
Calling Party Number Prefix | Enter a number to add in the beginning of the outgoing caller’s numbers using this trunk line.
Chapter 29 Extension Management

29.1 Overview

This chapter shows you how to configure settings for managing groups of extensions.

29.1.1 What You Can Do in this Chapter

• Use the Authority Group screen to set up, configure and manage the ISG50’s authority groups. See Section 29.2 on page 458.
• Use the Group Access Code screen to configure the codes that unlock access to each authority group’s privileges. See Section 29.4 on page 471.
The following figure shows the ISG50’s extensions divided into three authority groups (AG1, 2 and 3). Each authority group can have different settings and privileges.

Figure 290 Authority Group Overview

The group access code allows you to use the outbound dialing rules assigned to your authority group from extensions that do not have the same outbound dialing rules assigned to them.
make long distance calls). She enters the code number and is able to place a call over the long distance connection.

Figure 291 Call Access Code Overview

Group Access Codes

Group access codes allow your authority group members to use their group’s privileges with whichever extension they are using. For example, you belong to an authority group allowed to make both local and long distance calls from your extension.
• Each extension can be a member of only one authority group.
• SIP and FXS extensions are treated the same within an authority group.

Mobile Extensions

A mobile extension is essentially call forwarding to both your IP phone extension and another phone. When you set up a mobile extension and then activate it from your IP phone using a feature code (Section 27.
Click-To-Talk (CTT)

A Click-To-Talk (CTT) group allows visitors to your website to click an HTML link to use a web-based IP phone to connect to the CTT group’s extensions.

Figure 293 A Click-To-Talk Example

For example, users A and B click on an embedded Click-To-Talk link on a company’s online ordering web page, the web-based IP phone opens and lets them talk to the CTT group’s extensions (sales agents C and D in this example).
29.2 The Authority Group Screen

Use this screen to set up authority groups on the ISG50. To access this screen, click Configuration > PBX > Extension Management > Authority Group.

Figure 294 Configuration > PBX > Extension Management > Authority Group

Each field is described in the following table.

Table 152 Configuration > PBX > Extension Management > Authority Group
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Each field is described in the following table.

Table 153 Add Authority Group
LABEL | DESCRIPTION
Authority Group Name | Type a new name or modify an existing name for this authority group. You can use 1-20 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_).
Group ID | Type 1-5 digits to use as an ID for this authority group.
Description | Type a brief description for this authority group. You can use 0-63 alphanumeric characters (A-Z, a-z, 0-9) and spaces.
Note: You can use a subscription to increase the number of supported extensions. See Chapter 11 on page 229.

Figure 296 Authority Group Edit

Each field is described in the following table.

Table 154 Authority Group Edit
LABEL | DESCRIPTION
Authority Group Name | This field displays the name of the authority group you are configuring.
Group ID | Type 1-5 digits to use as an ID for this authority group.
Description | Type a brief description for this authority group.
Chapter 29 Extension Management Table 154 Authority Group Edit (continued) LABEL DESCRIPTION Batch Add SIP Peer Click Batch Add if you want to configure multiple extensions for IP phones connected to the ISG50. Edit Double-click an entry or select it and click Edit to open a screen where you can modify the extension’s settings. Remove To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
Chapter 29 Extension Management • Call Forwarding - set up call forwarding rules for the individual extension based on the following criteria: • Your extension is busy. • You turn on DND (Do Not Disturb). You can set up a list of telephone numbers, referred to as the White List that ignore DND. • Unconditionally, forwards all calls to a specific extension or your voice mail. • There is no answer at your extension.
Table 155 Extension Add/Edit: Basic (continued)
LABEL DESCRIPTION
Extension Number: Type the extension number for this IP phone extension. The extension number can be 3-10 digits. This is configurable when adding an extension.
Web/VM PIN Code: Type the 3-10 digit PIN code that allows the person with this extension to access the web portal or Voice Mail.
SIP Auth. User Name: Type the SIP user name associated with this extension.
To access this screen, click the Call Forward tab in any of the SIP extension configuration screens.
Each field is described in the following table.
Table 156 Extension Add/Edit: Call Forward
LABEL DESCRIPTION
Office Hour: The ISG50 has separate call forwarding rules for office hours and for after office hours. The settings you configure specify the office hours for this extension and affect call forwarding during those office hours.
Chapter 29 Extension Management Table 156 Extension Add/Edit: Call Forward (continued) LABEL DESCRIPTION No Answer Forward Select Disable to turn this feature off for this extension. Select Enable to forward all incoming calls to the extensions specified in the Find Me List when this extension is not answered within the default ring time. Use the Add, Edit, and Remove icons to create, modify, or delete Find Me List entries. Select Voice Mail to forward calls directly to voice mail.
Chapter 29 Extension Management 29.3.3 The Extension Voice Mail Settings Screen Use this screen to configure voice mail settings for this extension. To access this screen, click the Voice Mail tab in any of the SIP extension configuration screens. Figure 299 Extension Add/Edit: Voice Mail Each field is described in the following table. Table 157 Extension Add/Edit: Voice Mail LABEL DESCRIPTION Received E-mail Address Specify the email address you want to forward your voice message notifications to.
29.3.4 The Extension Advanced Screen
Use this screen to configure advanced settings for this extension. The fields available vary depending on the extension type. Click the Advanced tab in any of the SIP extension configuration screens to view the screen as shown.
Figure 300 Extension Add/Edit: Advanced
Each field is described in the following table.
Chapter 29 Extension Management Table 158 Extension Add/Edit: Advanced (continued) LABEL DESCRIPTION Codec List This column indicates the codec types used by this extension. You can organize the priority of the codecs by highlighting it and clicking the Up or Down buttons to move the codec higher or lower in priority. The SIP extension attempts to use the higher priority codecs first and tries the lower priority codecs next.
Chapter 29 Extension Management Each field is described in the following table. Table 159 Batch Add SIP Extensions LABEL DESCRIPTION Batch Add SIP Peers Group Select the authority group you want these extensions to belong to. Start Number Type the first extension number for this range of extensions. Extensions can be 3-10 digits long. Step/Interval Type the value of the increment, which the ISG50 uses to create this range of extensions. Amount Type the number of extensions you want to create.
Chapter 29 Extension Management Table 159 Batch Add SIP Extensions (continued) LABEL DESCRIPTION Codec List This column indicates the codec types used by this extension. You can organize the priority of the codecs by highlighting it and clicking the Up or Down buttons to move the codec higher or lower in priority. The SIP extension attempts to use the higher priority codecs first and tries the lower priority codecs next.
29.5 The Click To Talk Group Screen
This screen allows you to set up CTT groups and their associated extensions. A CTT group is not related to an authority group; it is created solely for the purpose of connecting calls placed with the web-based utility on a web page to the related extensions. Click Configuration > PBX > Extension Management > Click To Talk Group to open this screen.
Click the Add or Edit icon in the Click To Talk Group screen to display the options as shown next.
Figure 304 Click To Talk Group Settings
Each field is described in the following table.
Table 162 Click To Talk Group Settings
LABEL DESCRIPTION
Group Name: Enter a name for this CTT group, using up to 20 alphanumeric characters (a-z, A-Z, 0-9); underscores (_) are allowed while spaces and hyphens are not. This is configurable when adding a CTT group.
29.5.1.1 Sample HTML for a Click-To-Talk Extension
This is the basic JavaScript and HTML code used to embed the ZyXEL web-based IP phone client in a web page.
29.6 Authority Group Technical Reference
This section contains technical background information about the Authority Group screens.
Voice Codecs
A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The following table describes the codecs supported on the ISG50.
Table 163 Voice Codecs Supported
CODEC DESCRIPTION
G.711: This is a Pulse Code Modulation (PCM) waveform codec.
into video signals. Although the ISG50 does not perform any video coding, it does support the pass through of the following video codecs.
Table 164 Video Codecs Supported
CODEC DESCRIPTION
H.261: This is an ITU (International Telecommunication Union) video coding standard. H.261 was designed in 1990 and is considered the first practical video coding standard. The data rate of the coding algorithm is able to operate between 40 kbps and 2 Mbps. H.
Chapter 30 Outbound Trunk Group
30.1 Overview
This chapter shows you how to manage outside lines on the ISG50. The following diagram shows the ISG50 connected to the various types of outside connections:
• FXO/BRI Trunk (A): shows the ISG50 connected to the PSTN (Public Switched Telephone Network) or ISDN (Integrated Services Digital Network) via an FXO/BRI port on the ISG50.
• Use the LCR screens (starting in Section 31.2 on page 505) to configure the Least Cost Routing (LCR) dialing rules.
30.1.2 What You Need to Know
The following terms and concepts may help you as you read through the chapter.
Outbound Trunk
The outbound lines define a connection between the ISG50 and the PSTN, ISDN, ITSP or your trusted peer (another ISG50).
AA (Auto Attendant)
After calling the number, the caller is prompted to dial the extension number.
Figure 307 Auto Attendant (AA) Example
DDI (Direct Dial In)
DDI (also called DID, Direct Inward Dial) is a feature that maps a public number to an extension number. DDI enables a caller to call an extension number without going through an operator.
This example also shows three call examples.
A - When an outsider calls 555-123457, the call is mapped to the extension 1111.
B - When someone makes an outgoing call from the extension 1111, the caller ID shown to the callee is 555-123457.
C - When you make a call over this outbound line from an extension that is NOT listed in the DDI mapping table, the directory number (555-123456 in this example) is the number that displays on the callee’s caller ID.
Chapter 30 Outbound Trunk Group 30.1.3 Before You Begin Before you start to configure an outbound line group, please consider the following. • In order to create an FXO/BRI trunk the ISG50 must have a corresponding FXO or BRI port. • In order to create a SIP trunk you must already have a SIP account and a network connection to your VoIP service provider.
Each field is described in the following table.
Table 165 Outbound Line Management > Outbound Trunk Group
LABEL DESCRIPTION
SIP Trunk / Trust Peer / FXO / BRI Settings: These headings divide the screen into sections based on the type of outside line you have configured:
• SIP Trunk - refers to a connection from the ISG50 to a SIP server at your VoIP service provider.
30.2.1 SIP Trunk Add/Edit
Use this screen to configure a SIP trunk. Click the Add or Edit icon in the SIP Trunk Settings section of the Outbound Trunk Group configuration screen to view the screen as shown.
Chapter 30 Outbound Trunk Group Each field is described in the following table. Table 166 SIP Trunk Add/Edit LABEL DESCRIPTION Trunk Name Type the name of this SIP trunk. This field can be 1-30 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). The first character must be a letter. Description Type the description for this SIP interface. This field can be 0-63 alphanumeric characters (A-Z, a-z, 0-9), underscores (_), hyphens (-) and spaces. 0 means this field can be left blank.
Chapter 30 Outbound Trunk Group Table 166 SIP Trunk Add/Edit (continued) LABEL DESCRIPTION Minimum SE Enter the minimum session expiry time in seconds. The allowable range is 90~1800 seconds. When an incoming call requests a session expiry time that is lower than this, the ISG50 uses this value instead. Session Expires Enter the session expiry time in seconds for all phone connections on this trunk. The allowable range is 90~86400 seconds. This value cannot be lower than the Minimum SE.
Table 166 SIP Trunk Add/Edit (continued)
LABEL DESCRIPTION
Codec Setting: Select the type of voice coder/decoder (codec) that you want this extension to use when communicating with the ISG50. The following codecs (shown in highest quality to lowest quality order) are supported by the ISG50:
• G.711 alaw (typically used in Europe)
• G.711 ulaw (typically used in North America and Japan)
• G.729
• G.722
• G.723.1
• G.726
See Voice Codecs on page 475 for more information.
your DID (Direct Inward Dialing) settings. In the Outbound Trunk Group configuration screen, select a SIP trunk and click the Auto-Attendant icon to view the screen as shown.
Figure 313 SIP Auto Attendant and DDI Setup
Each field is described in the following table.
Table 167 SIP Auto Attendant and DDI Setup
LABEL DESCRIPTION
Auto-Attendant Setting
Apply AA: Select an Auto Attendant or ACD skill profile used for the calls incoming through this outbound line trunk.
Table 167 SIP Auto Attendant and DDI Setup
LABEL DESCRIPTION
Enable Routing by SIP "To" Header: Select this if this auto-attendant interacts with a SIP server that uses the SIP To header to do the DDI/DID mapping. If this SIP trunk outbound line group has DDI/DID mode enabled, using this deletes all of this SIP trunk outbound line group’s DDI/DID mapping settings and sets the DDI/DID Mask to 0. Clear this to use the SIP request URI to do the DDI/DID mapping.
Chapter 30 Outbound Trunk Group Each field is described in the following table. Table 168 Add DDI/DID Number LABEL DESCRIPTION DDI/DID Number Enter a DDI/DID number which allows outsiders to call and reach an extension directly. The number of digits you can enter in this field depends on what you set in the Representative Number DDI/DID Mask field. This field can be 1-10 digits or 1-10 digits - 1-10 digits (two sets of up to ten digits separated by a hyphen). For example, 5783900 or 5783900-5783999.
30.2.4 Trusted Peer Trunk Add/Edit
Use this screen to configure a trusted peer trunk. Click the Add or Edit icon in the Trust Peer Settings section of the Outbound Trunk Group configuration screen to view the screen as shown.
Each field is described in the following table.
Table 169 Trusted Peer Trunk Add/Edit
LABEL DESCRIPTION
Trunk Name: Type the name of this trunk. This field can be 1-30 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). The first character must be a letter.
Description: Type the description for this interface. This field can be 0-63 alphanumeric characters (A-Z, a-z, 0-9), underscores (_), hyphens (-) and spaces. 0 means this field can be left blank.
Chapter 30 Outbound Trunk Group Table 169 Trusted Peer Trunk Add/Edit (continued) LABEL DESCRIPTION CallerID Setting Configure this section to change the format of identification you want to send when you make VoIP phone calls. The default format is “From: “Extension””. CallerID Viewer This field displays the caller ID format shown to the callees depending on the setting you configure in the CallerID Name & Number and The Extension Prefix fields.
Table 169 Trusted Peer Trunk Add/Edit (continued)
LABEL DESCRIPTION
Codec Setting: Select the type of voice coder/decoder (codec) that you want this extension to use when communicating with the ISG50. The following codecs (shown in highest quality to lowest quality order) are supported by the ISG50:
• G.711 alaw (typically used in Europe)
• G.711 ulaw (typically used in North America and Japan)
• G.729
• G.722
• G.723.1
• G.
DID (Direct Inward Dialing) settings. In the Outbound Trunk Group configuration screen, select a trusted peer trunk and click the Auto-Attendant icon to view the screen as shown.
Figure 316 Trusted Peer Auto Attendant and DDI Setup
Each field is described in the following table.
Chapter 30 Outbound Trunk Group Table 170 Trusted Peer Auto Attendant and DDI Setup LABEL DESCRIPTION Representative Number This field displays the representative number configured for the trunk. Enable Routing by SIP "To" Header Select this if this auto-attendant interacts with a SIP server that uses the SIP To header to do the DDI/DID mapping.
Chapter 30 Outbound Trunk Group Each field is described in the following table. Table 171 Add/Edit FXO Trunk LABEL DESCRIPTION Trunk Name Type the name of this FXO interface group. This field can be 1-30 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). The first character must be a letter. Description Type the description for this FXO interface. This field can be 0-63 alphanumeric characters (A-Z, a-z, 0-9), underscores (_), hyphens (-) and spaces. 0 means this field can be left blank.
Chapter 30 Outbound Trunk Group Each field is described in the following table. Table 172 AA for FXO or BRI Trunk LABEL DESCRIPTION Trunk Name This field displays the name of the outbound line trunk. Apply AA Type Select the auto attendant you want to use when calls come in on this outbound line group. Select AA (Auto-Attendant) to forward all calls coming in through this outbound line group to an Auto-Attendant system first.
Chapter 30 Outbound Trunk Group Settings section of the Outbound Trunk Group configuration screen to view the screen as shown.
Figure 321 BRI Trunk - Add/Edit: DDI/DID
Chapter 30 Outbound Trunk Group Figure 322 BRI Trunk - Add/Edit: Direct Each field is described in the following table. Table 173 BRI Trunk Add/Edit LABEL DESCRIPTION General Settings Trunk Name Type the name of this BRI interface. This field can be 1-30 alphanumeric characters (A-Z, a-z, 0-9) and underscores (_). The first character must be a letter. Description Type the description for this BRI interface.
Chapter 30 Outbound Trunk Group Table 173 BRI Trunk Add/Edit (continued) LABEL DESCRIPTION Available Interface For DDI/DID, AA, and Direct, this list displays the available slots and ports on the ISG50. Click one slot and port and then click the Right icon if you want to add it to this outbound group. Used Interface For DDI/DID, AA, and Direct, this list displays the ports currently configured for this outbound line group.
Chapter 30 Outbound Trunk Group 30.2.9 Add BRI Trunk DDI/DID Mapping Use this screen to add or edit DDI/DID mapping table entries. Click the Add icon in the DDI/DID Mapping Setting section of the BRI Trunk - Add configuration screen to view the screen as shown. Figure 323 Add BRI Trunk DDI/DID Mapping Each field is described in the following table. Table 174 Add BRI Trunk DDI/DID Mapping LABEL DESCRIPTION Number Enter the DDI number.
Chapter 31 Auto-attendant
31.1 Overview
This chapter shows you how to configure auto-attendant on the ISG50. An auto-attendant is software which acts as an automatic switchboard operator. Auto-attendants help route incoming calls to their proper extension. An auto-attendant is assigned to each outbound line group and it services incoming calls on those lines.
Chapter 31 Auto-attendant Default Auto-Attendant Structure The ISG50 comes with a default auto-attendant. The default auto-attendant simply prompts callers to enter the extension they wish to reach. There is only one time when a caller has to make a decision. The following figure shows the default auto-attendant structure.
Chapter 31 Auto-attendant • Direct a call to an extension. “Dial 1 to reach the operator.” • Direct a caller to the next menu. “Dial 2 to reach the sales department.” • Allow the caller to listen to the current menu again. “Dial 3 to listen to this menu again.” • Allow the caller to go back to the previous menu. “Dial 4 to go back to the previous menu.” (Not available for the first menu.) The caller dials the number specified in the prompt to navigate through the auto-attendant’s menus.
Chapter 31 Auto-attendant Click Configuration > PBX > Outbound Line Management > Auto-Attendant to view the screen as shown next. Figure 328 Auto-Attendant > Default Each field is described in the following table. Table 175 Auto-Attendant > Default LABEL DESCRIPTION Greeting Upload Audio File Click Browse to locate an audio file to be used as the auto-attendant greeting message, and Upload to copy it to the ISG50.
Chapter 31 Auto-attendant Table 175 Auto-Attendant > Default (continued) LABEL DESCRIPTION Action Type Select how the auto-attendant should proceed if no key is pressed for 5 seconds or the caller inputs an incorrect key code three times in a row. • • • • • • • Apply Hang Up disconnects the call. Extension routes the call to the specified extension. ACD engages the ACD system. See Chapter 38 on page 553 for details on this feature. Page Group forwards the call to the page group you specify.
Chapter 31 Auto-attendant Table 176 Auto-Attendant > Customized (continued) LABEL DESCRIPTION Download Select an entry and click Download to save the selected auto-attendant’s audio files to your computer. Upload Select an entry and click Upload to upload a backup audio file for it. # This field is a sequential value, and it is not associated with a specific entry. Name This field displays the name assigned to an auto-attendant.
Chapter 31 Auto-attendant 31.3.2 Auto Attendant Settings: Office Hours Use this screen to edit auto-attendant office hour settings. To access this screen, click the Add or Edit icon in the Configuration > PBX > Outbound Line Management > Auto-Attendant > Customized screen and then click the Office Hour tab. Figure 331 Office Hours Setting Each field is described in the following table.
Chapter 31 Auto-attendant Table 178 Office Hours Setting (continued) LABEL DESCRIPTION Forward to a specific extension directly Select this option to forward all calls that come into this auto-attendant to the specified extension, ACD, page group, hunt group, or user defined number. Play audio file before forward to a specific extension Select this option to play the uploaded audio file before forwarding the call to the specified extension, ACD, page group, hunt group, or user defined number.
Chapter 31 Auto-attendant 31.3.3 The Add/Edit Auto-Attendant Option Screen Use this screen to configure an option for an auto-attendant menu. To access this screen, click the Add or Edit icon for an item in the office hour or night service Options list. Figure 332 Add/Edit Option Setting Each field is described in the following table. Table 179 Add/Edit Option Setting LABEL DESCRIPTION Key Type the digit(s) a caller should dial to execute this option. This field can be 1-2 digits in length.
Chapter 31 Auto-attendant 31.3.4 The Auto-Attendant Sub Menu Screen Use this screen to configure an option for an auto-attendant sub menu (child menu). To access this screen, in the auto-attendant Office Hour or Night Service screen, select an option entry that displays sub-menu as the Action and click Add Child. Figure 333 Auto-Attendant Sub Menu Each field is described in the following table.
Chapter 31 Auto-attendant 31.3.5 Auto Attendant Settings: Night Service Use this screen to configure Night Service settings for this auto-attendant. You only need to configure this screen if you want the auto-attendant to perform different actions outside of regular office hours. In the Configuration > PBX > Outbound Line Management > Auto-Attendant > Customized screen click the Add or Edit icon for an item in the auto-attendant list and select the Night Service tab to view a screen as shown next.
Chapter 31 Auto-attendant Table 181 Night Service Setting (continued) LABEL DESCRIPTION Enable Dial Extension Number Select this to allow incoming calls to dial extensions that are not associated with specific key codes on the Options list below. Clear it to limit all input to the key codes listed on the Options table below.
31.3.6 Greeting
Use this screen to set up custom auto-attendant messages. The Temporary Greeting can be played before the normal auto-attendant greeting. This can be used to broadcast special messages, such as special operating hours for the office building (“We’re sorry but the Acme Mail Order Company is closed today to observe the holiday.”) The Schedule Greeting can be played during a specific time range every day.
Each field is described in the following table.
Table 182 Greeting Setting
LABEL DESCRIPTION
Temporary Greeting Settings
Enable Temporary Greeting: Select this to play the temporary greeting immediately before playing the auto-attendant’s normal greeting. Clear it to turn this feature off.
Upload Audio File: Click Browse to locate an audio file to be used as the temporary auto-attendant greeting message, and Upload to copy it to IP-PBX.
Chapter 31 Auto-attendant Note: Make sure you have a microphone connected to your computer or that your system has an internal microphone (and that it is enabled). 1 Open your sound recording software (Sound Recorder on Windows XP). From your desktop, click Start > All Programs > Accessories > Entertainment > Sound Recorder. Figure 336 Sound Recorder 2 Record your audio file. When you are ready to record, click Record. When you are finished recording, click Stop.
4 Specify the file format. In the Sound Selection window, choose PCM in the Format field. Next, set the Attributes to 16,000 kHz, 16 Bit, Mono. Click OK when you are done.
Figure 339 Audio File Settings
5 Confirm your settings. Specify a location for the audio file by browsing to a suitable location on your file system. Click Save when you are finished.
Chapter 32 LCR
32.1 Overview
This chapter shows you how to configure dialing rules, also referred to as LCR (Least Cost Routing), on the ISG50. The following figure shows an example of two LCRs. LCR1 is composed of outbound line groups PSTN and ISDN along with the dial condition “01.” (the period (.) is part of the dial condition). LCR2 is composed of outbound line group ITSP along with the dial condition “02.”. When a user calls “021234” the call is routed through the outbound line group defined in LCR2.
only has LCR1 assigned to it, so extensions that are part of Research cannot use outbound line group ITSP.
Figure 342 LCR Components Example (authority groups Sales and Research; LCR1: Dial Condition = 01., outbound line groups PSTN and ISDN; LCR2: Dial Condition = 02., outbound line group ITSP)
32.1.1 What You Can Do in this Chapter
Use the LCR screen to configure settings for your dialing rules for outbound call routing. See Section 32.2 on page 521.
32.1.
• You have to define your outbound dialing plan. For example, a number starting with “0” is for local calls, “200” is for international calls, “3” is for calls to the branch office, etc.
• You should define at least one outbound line group. See Section 30.2 on page 481.
32.2 LCR
Use this screen to view outbound dialing rules (LCRs) configured on the ISG50. To access this screen, click Configuration > PBX > Outbound Line Management > LCR.
Chapter 32 LCR Note: Only the Add LCR screen is shown. In the Edit LCR screen, some of the fields are read-only. Before you configure any dial conditions for an LCR, you must first configure a name for the LCR. Figure 344 Configuration > PBX > Outbound Line Management > LCR > Add Each field is described in the following table. Table 184 Configuration > PBX > Outbound Line Management > LCR > Add LABEL DESCRIPTION LCR Settings LCR Name Type a short name to identify this outbound dialing rule (LCR).
Chapter 32 LCR Table 184 Configuration > PBX > Outbound Line Management > LCR > Add (continued) LABEL DESCRIPTION Outbound Line Group Use this section to add or remove outbound line groups from this outbound dialing rule (LCR). • • Add an outbound line group to this LCR: Highlight an outbound line group in the Pool column by clicking on it and then click the Right button to move it to the Selected column.
Chapter 32 LCR Note: Only the Add Dial Condition screen is shown. In the Edit Dial Condition screen, some of the fields are read-only. Figure 345 Configuration > PBX > Outbound Line Management > LCR > Add > Add Each field is described in the following table. Table 185 Configuration > PBX > Outbound Line Management > LCR > Add > Add LABEL DESCRIPTION LCR Name This field displays the name of the outbound dialing rule that this dialing condition applies to.
Chapter 32 LCR Table 185 Configuration > PBX > Outbound Line Management > LCR > Add > Add (continued) LABEL DESCRIPTION Prefix Specify a number which should be inserted at the beginning of the dialed number before it is sent out from the ISG50. Postfix Specify a number which should be appended to the end of the dialed number before it is sent out from the ISG50. Dial Number This field displays the number to which a dial parameter applies.
Chapter 33 Group Management
33.1 Overview
This chapter shows you how to manage the ISG50’s authority groups and outbound line groups. Group management allows you to control the types of calls made via the ISG50. See the following figure for what you can configure in group management.
A - You can allow or disallow an extension group (defined in the authority group, AG) to call extensions in the same extension group or other extension groups.
Chapter 33 Group Management 33.1.1 What You Can Do in this Chapter Use the Group Management screens to view and manage the associations for the authority and outbound line groups configured on the ISG50. See Section 33.2 on page 530. 33.1.2 What You Need to Know The following terms and concepts may help you as you read through the chapter.
Chapter 33 Group Management and LCR2 (this could be an LCR for long distance calls via your VoIP service provider ITSP). AG2 is associated with LCR1 only. In this case extensions belonging to AG1 can make calls via all outbound line groups, whereas extensions in AG2 are limited to calls to your local telephone company and your branch office.
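The association between authority groups, LCRs and outbound line groups described here and in Chapter 32 decides which extensions can place calls over which outside lines. The following Python model is an added example (not ZyXEL code and not ISG50 configuration syntax) that replays the Sales/Research example of Figure 342 so you can audit which authority groups reach a given outbound line group. It assumes the trailing period in a dial condition stands for one or more further dialed digits; all function and variable names are illustrative.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LCR:
    name: str
    dial_condition: str      # as typed in the Dial Condition field, e.g. "01."
    outbound_groups: tuple   # outbound line groups selected for this LCR


def compile_condition(cond):
    """Turn a dial condition into a compiled regex.

    ASSUMPTION (not stated on the page): a condition is a run of literal
    digits, optionally ending in one period that stands for one or more
    further dialed digits.
    """
    m = re.fullmatch(r"(\d+)(\.?)", cond)
    if m is None:
        raise ValueError("unsupported dial condition: %r" % cond)
    prefix, wildcard = m.groups()
    return re.compile(prefix + (r"\d+" if wildcard else ""))


# Constructed model of the Figure 342 example.
LCRS = {
    "LCR1": LCR("LCR1", "01.", ("PSTN", "ISDN")),
    "LCR2": LCR("LCR2", "02.", ("ITSP",)),
}
# Authority group -> LCRs associated with it in Group Management.
AUTHORITY_GROUPS = {
    "Sales": ("LCR1", "LCR2"),
    "Research": ("LCR1",),
}


def route(authority_group, dialed):
    """Return (lcr_name, outbound_groups) for an outbound call, or None.

    None means no LCR associated with the caller's authority group has a
    dial condition matching the dialed number, so the call cannot leave
    through any outbound line group. The conditions in this model do not
    overlap, so the order in which LCRs are tried does not matter here.
    """
    for lcr_name in AUTHORITY_GROUPS.get(authority_group, ()):
        lcr = LCRS[lcr_name]
        if compile_condition(lcr.dial_condition).fullmatch(dialed):
            return lcr.name, lcr.outbound_groups
    return None


def reachable_groups(authority_group):
    """All outbound line groups an authority group can use via its LCRs."""
    groups = set()
    for lcr_name in AUTHORITY_GROUPS.get(authority_group, ()):
        groups.update(LCRS[lcr_name].outbound_groups)
    return groups


def groups_with_access(outbound_group):
    """Audit view: which authority groups can reach this outside line?"""
    return sorted(ag for ag in AUTHORITY_GROUPS
                  if outbound_group in reachable_groups(ag))


def unassigned_lcrs():
    """LCRs that no authority group is associated with (unused rules)."""
    used = {name for names in AUTHORITY_GROUPS.values() for name in names}
    return sorted(set(LCRS) - used)


if __name__ == "__main__":
    for ag in AUTHORITY_GROUPS:
        for number in ("011234", "021234", "031234"):
            print(ag, number, route(ag, number))
    for line in ("PSTN", "ISDN", "ITSP"):
        print(line, "reachable from", groups_with_access(line))
```

Reviewing the output of `groups_with_access` for each paid or long-distance trunk is a quick way to confirm that only the intended authority groups can place calls over it.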
Chapter 33 Group Management Note: You must also configure auto-attendant settings before calls coming in from outside lines can call the extensions created on the ISG50. See Chapter 31 on page 503. The following example shows a configuration with three outbound line groups. ITSP represents a SIP trunk to your VoIP service provider. PSTN represents a link to your local traditional telephone service provider and TrustedPeer is a connection to your branch office.
33.1.3 Before You Begin
Before you start to configure group management, you need to do the following.
• Configure authority group(s). See Section 29.2 on page 458.
• Configure outbound line group(s) and the corresponding auto-attendant settings. See Section 30.2 on page 481.
33.2 Group Management Screen
Use this screen to view and manage the associations for the authority and outbound line groups configured on the ISG50.
Chapter 33 Group Management 33.2.1 Edit Group Management Associations Use this screen to configure links from an authority group or an outbound line group to authority groups, or LCRs configured on the ISG50. To access this screen, select the group you want to configure in the Configuration > PBX > Group Management screen and click Edit. Figure 352 Configuration > PBX > Group Management > Edit Each field is described in the following table.
Chapter 34 Call Services
34.1 Overview
This chapter shows you how to configure and use call services on the ISG50. There are a variety of call services that can be configured.
34.1.1 What You Can Do in this Chapter
• Use the Auto Callback screen to configure the ISG50 to automatically call an extension once it becomes available (ends an existing conversation). This eliminates the need for you to keep trying to call a busy extension. See Section 34.2 on page 533.
Chapter 34 Call Services made from VoIP accounts to emergency dispatchers, but also provide information on the call’s originating number and, usually, location information. However, this system still has disadvantages over traditional emergency call service. For example, the physical location provided to the PSAP is usually the account-holder’s address as registered with the VoIP provider; this is not necessarily the location from which the VoIP account is being used.
The following table describes the labels in this screen.
Table 188 Configuration > PBX > Call Service > Auto Callback
LABEL DESCRIPTION
Enable Auto Callback: Select this to activate the auto callback feature.
Note: To enable auto callback, the personal auto-attendant for internal calls must also be enabled. See Section 27.2 on page 431.
Queue Size: Select a limit to the number of auto callback requests for each extension.
Apply: Click this to save your changes.
Chapter 34 Call Services Table 189 Call Parking Progression CALLER A ISG50 CALLER B 5. The ISG50 parks the call and informs caller B of the number to call to reconnect to the call. This is called the parking slot number. 6. Caller B walks to another extension and reconnects to the call with A by dialing the parking slot number. Conversation between caller A and B continues 34.3.1 Configuring the Call Park Screen Use this screen to configure call parking on the ISG50.
Chapter 34 Call Services 34.4 The Call Waiting Screen Call waiting allows you to put a present call on hold and answer a new call. When a second call comes in, the ISG50 sends a beep tone to you. You can decide to ignore it or to switch to the second call using one of the following methods. • press the flash button on your telephone • very quickly press and release the on-hook switch on your telephone You can switch back to the first call using the same methods above.
However, for extensions for which you do not enable the call waiting feature, the following happens.

Table 192 No Call Waiting Example
CALLER A | CALLER C | ISG50 | RECEIVER B
1. Caller A makes a call to caller B.
2. The ISG50 routes the call to B at extension 1001.
3. B picks up the call.
4. Conversation between caller A and B. Then B is busy.
5. Caller C makes a call to caller B.
6. The ISG50 routes the call to B at extension 1001.
7. B replies with a busy tone.
8.
The following table describes the labels in this screen.

Table 193 Configuration > PBX > Call Service > Call Waiting Setting
LABEL | DESCRIPTION
Extension Pool / Enabled Extension | Call waiting applies to the extensions you move to the Enabled Extension list. To add an extension, select it in the Extension Pool field and click the Right button (to add it into the Enabled Extension list). You can remove extensions from the enabled list by selecting them and clicking the Left button.
The following table describes the labels in this screen.

Table 194 Configuration > PBX > Call Service > Emergency Call
LABEL | DESCRIPTION
Outbound Line Summary | Use this section to specify which outside line groups should be used for emergency calls.
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to modify it.
Click Configuration > PBX > Call Service > Music On Hold to open the screen as shown.

Figure 360 Configuration > PBX > Call Service > Music On Hold

The following table describes the labels in this screen.

Table 195 Configuration > PBX > Call Service > Music On Hold
LABEL | DESCRIPTION
Default Music On Hold Selection | Select a music on hold profile to use as the system default.
34.6.1 Add or Edit Custom Music On Hold

Use this screen to create or edit a music on hold profile and upload an audio file to it. In the Configuration > PBX > Call Service > Music On Hold screen, click Add or Edit to open the screen as shown.

Figure 361 Add Customized Music on Hold

The following table describes the labels in this screen.

Table 196 Add Customized Music on Hold
LABEL | DESCRIPTION
Name | Enter a name for the music on hold profile.
34.7.1 Configuring the Call Transfer Screen

Use this screen to configure call transfer on the ISG50. Click Configuration > PBX > Call Service > Call Transfer to open the screen as follows.

Figure 362 Configuration > PBX > Call Service > Call Transfer

The following table describes the labels in this screen.
Each field is described in the following table.

Table 198 Configuration > PBX > Call Service > Call Block
LABEL | DESCRIPTION
Enable Anonymous block | Select this to block calls without caller ID from being routed by the ISG50. Clear it to allow any incoming calls routed by the ISG50.
Black list | Select Disable to turn call blocking off on the ISG50. Select Enable to turn on call blocking on the ISG50.
Chapter 35 Call Recording

35.1 Overview

Use the call recording feature to record all the calls going to or from specific extensions or trunks or let users record calls. This is useful if you need to monitor certain individuals’ calls. It is also useful for conference call recording; the administrator may configure the ISG50 to record a Meetme conference room and use the recording as the meeting minutes. The ISG50 supports full-time and on-demand recording.
• The maximum call recording time depends on the storage capacity of the connected USB storage device.
• Once the ISG50 is recording the maximum number of channels defined by the call recording license, it does not record additional concurrent calls. See Chapter 11 on page 229.
• The ISG50 generates a warning log when the remaining call recording time goes below five days and an alert if it goes below 24 hours. The ISG50 stops recording calls once the hard drive is full.
The following table describes the labels in this screen.

Table 199 Configuration > PBX > Call Recording
LABEL | DESCRIPTION
Quota Usage | This bar displays what percentage of the ISG50’s call recording storage space is currently in use. When the storage space is almost full, you should consider deleting call recording files before adding more.
Call Recording Quota | Set the maximum number of minutes of call recording on the ISG50.
Chapter 36 Meet-me Conference

The ISG50 allows you to set up specific extension numbers which callers can dial to join a conference call. This type of extension is referred to as a conference room number. You can restrict the number of callers that can join the conference call. You can also specify a PIN (Personal Identification Number) for the conference room. Callers must enter the PIN before they can enter the conference room.
Note: The screen for editing an existing conference room has the same fields as the screen shown below. You can access the Conference Room Edit screen by clicking the Edit icon in the Conference Room List screen.

Figure 366 Conference Room Add

The following table describes the labels in this screen.

Table 201 Conference Room Add
LABEL | DESCRIPTION
Conference Number | Enter the extension (3 to 10 digits in length) callers should dial to enter this conference room.
Chapter 37 Paging Group

37.1 Overview

This chapter shows you how to create and manage paging groups on the ISG50. Paging groups are sets of extensions through which a caller can make a one-way announcement by dialing a single number. It works much like a public address system. A caller wanting to make an announcement dials a pre-configured number representing a group of extensions. The telephones for the group’s extensions all automatically pick up at the same time and play what the caller says.
Each field is described in the following table.

Table 202 Configuration > PBX > Paging Group
LABEL | DESCRIPTION
Add | Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit | Double-click an entry or select it and click Edit to modify it.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
Each field is described in the following table.

Table 203 Add Paging Group
LABEL | DESCRIPTION
Paging Number | Type the number you have to dial to call the extensions in this page group. This number can be from 3 to 10 digits long.
PIN Code | Type the password you have to dial to call the extensions in this page group. This number can be 3-10 digits long. If you leave this field blank then callers do not have to dial a PIN code to call the extensions in this page group.
Chapter 38 ACD

38.1 Overview

This chapter shows you how to configure Automatic Call Distribution (ACD). ACD utilizes Skill-Based Routing (SBR), which allows you to distribute incoming calls to specific groups of phones based on assigned skills. When the ISG50 receives an incoming call, the auto-attendant presents the caller with a list of available skills and the key codes to access them. Each skill is linked to a specific group of agents.
• Use the Skill Menu screen to create menus that a caller can use while in the queue waiting for an agent to respond. See Section 38.6 on page 564.

38.1.2 What You Need to Know

The following terms and concepts may help you as you read through the chapter.

Agent

An agent is a member of an Automated Call Distribution system who receives incoming calls. Agents are usually classified according to “skills”.
1 Create at least 2 agent identities in the ACD system (Section 38.3 on page 556) to ultimately receive incoming calls after they have been routed by the ISG50. You can click Configuration > PBX > ACD > Agent to open this screen.
2 Define at least 1 skill in the ACD system (Section 38.4 on page 558). The rules defined here will help the ISG50 properly route calls to the agent identities created in step 1. You can click Configuration > PBX > ACD > Skill to open this screen.
38.2 The ACD Global Screen

Use this screen to set the global “wrap up” time for each extension in the ACD system. This is how long the ISG50 waits before sending new calls to the agent. Click Configuration > PBX > ACD > ACD Global to open this screen.

Figure 371 ACD > ACD Global Setting

Each field is described in the following table.
Each field is described in the following table.

Table 205 ACD > Agent List
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify it.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
# | This field is a sequential value, and it is not associated with a specific entry.
Table 206 Agent List > Agent Setting (continued)
LABEL | DESCRIPTION
Agent Name | Enter the name of the agent associated with this ID. It can be any combination of 1~32 alphanumeric characters (a-z, A-Z, 0-9). No asterisks (*) or exclamation points (!) allowed.
Description | Enter a description for this agent ID. It can be any combination of 0~64 alphanumeric characters (a-z, A-Z, 0-9). No asterisks (*) or exclamation points (!) allowed.
38.4.1 The Add/Edit Skill Screen

Use this screen to create or edit a skill. A skill allows you to create rules for routing calls to a specific group of agents. You can also manage how calls to those agents are handled in the event that one or more of them is not logged on, or engaged in a conversation, and so on. Skills work in tandem with the auto-attendant.
Each field is described in the following table.

Table 208 Add Skill
LABEL | DESCRIPTION
Skill Setting
Number | Enter the number to be dialed that uses this skill. It can be any combination of 3~10 digits (0-9). No spaces, underscores, or hyphens are allowed. When this screen is in Edit mode, this number cannot be changed.
Skill Name | Enter a name for this skill. It can be any combination of 1~32 alphanumeric characters (a-z, A-Z, 0-9). No asterisks (*) or exclamation points (!) allowed.
Table 208 Add Skill (continued)
LABEL | DESCRIPTION
Waiting Timeout | Enter the duration in seconds (up to 99999) that the call to the agents associated with the skill rings before timing out. Once a call times out, the action defined in Timeout Action applies. This timeout only applies to calls in the queue that have not yet been routed to a particular agent.
Table 208 Add Skill (continued)
LABEL | DESCRIPTION
Member | This list indicates all members who are assigned to this skill. When adding or editing an entry select the member from the drop-down list.
Priority | The priority indicates to which agent incoming calls are routed first. When adding or editing an entry type the priority (1 highest to 5 lowest).
38.5.1 The Add/Edit Hunt Group Screen

The screens for editing or adding Hunt groups on the ISG50 contain the same fields. Click the Add (or Edit) icon in the Hunt Group configuration screen to view the screen as shown.

Figure 377 Add Hunt Group

Each field is described in the following table.

Table 210 Add Hunt Group
LABEL | DESCRIPTION
Hunt Group Number | Type the number you have to dial to call the extensions in this hunt group.
Hunt Group Name | Enter a name for this hunt group.
Table 210 Add Hunt Group (continued)
LABEL | DESCRIPTION
Timeout Action | If a call to an extension of the hunt group times out, then this item defines how the ISG50 responds when calls are sent to that member. Possible actions are:
• No Timeout - This action keeps the caller on the line indefinitely while the extension is rung. (Timeout Action only.)
• Hang Up - This action disconnects the call.
For example, if a caller enters the queue for the “English” skill but an English-speaking sales representative hasn’t yet picked up, he will periodically hear “Press 0 to exit. Press 3 for a Spanish-speaking representative. Press 4 for a French-speaking representative. Press 5 for a Russian-speaking representative.” The Periodic Announce settings for a skill menu can be configured in the Skill Settings screen. See Section 38.4.1 on page 559 for more details.
Click either the Add or Edit icon in the Skill Menu screen to display the options as shown next.

Figure 379 Add Skill Menu

Each field is described in the following table.

Table 212 Add Skill Menu
LABEL | DESCRIPTION
Skill Menu | Enter a name for this skill menu.
Description | Enter a description for this skill menu.
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify it.
Click either the Add or Edit icons in the Skill Menu Add or Edit screen to display the options as shown next.

Figure 380 Add Skill Menu Action

Each field is described in the following table.

Table 213 Add Skill Menu Action
LABEL | DESCRIPTION
Code | Select a keypad code that a caller can press to engage the associated action. A single code can only be used once within a skill menu.
Action | Select an action that happens when a caller presses an associated keypad code.
Chapter 39 Sound Files

You can upload sound files for different language menus. You can also

39.1 Overview

This chapter shows you how to change the language menus and some system sounds. You can also select the extension to record for creating audio files.

39.1.1 What You Can Do in this Chapter

• Use the System Sound screens to set the default language and upload sound files for different languages. See Section 39.2 on page 568.
Click Configuration > PBX > Sound File to open this screen.

Figure 381 Configuration > PBX > Sound File > System Sound

Each field is described in the following table.

Table 214 Configuration > PBX > Sound File > System Sound
LABEL | DESCRIPTION
Default Language | Select the default language you want to use for the PBX functions.
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify it.
Click either the Add or Edit icon in the System Sound screen to display the options as shown next.

Figure 382 Add System Sound File

Each field is described in the following table.

Table 215 Add System Sound File
LABEL | DESCRIPTION
Language | Specify the name of the language sound files that you will upload.
Upload System Sound File | Click the Browse button to find the zipped set of language sound files on your computer that you want to upload.
Each field is described in the following table.

Table 216 Configuration > PBX > Sound File > Specific Sound File
LABEL | DESCRIPTION
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify it.
# | This field is a sequential value, and it is not associated with a specific entry.
Name | This indicates the name of the individual system sound.

39.3.1 The Add/Edit Sound File Screen

Use this screen to upload a language sound file.
Click Configuration > PBX > Sound File > Record Peer to open this screen.

Figure 385 Configuration > PBX > Sound File > Record Peer

Each field is described in the following table.

Table 218 Configuration > PBX > Sound File > Record Peer
LABEL | DESCRIPTION
Default Record Peer | Select the extension the ISG50 records from for creating audio files to use for the PBX functions.
Apply | Click this to save your changes.
Chapter 40 Auto Provision

40.1 Overview

This chapter shows you how to set up auto provisioning for the ISG50’s supported SIP clients. Auto provisioning allows administrators to configure VoIP related settings on snom or snom-compatible SIP clients from a central location. You can set up and maintain a configuration file associated with a SIP extension on the ISG50. Auto provisioning has the VoIP devices periodically download the configuration file from the ISG50.
How to Configure Auto Provisioning

Take the following steps to configure auto provisioning for the VoIP devices on your network. See also Section 8.2 on page 141 for an auto provisioning tutorial.

1 Configure SIP extensions that the snom VoIP devices will use. See Chapter 29 on page 453.
2 In the Auto Provision screen, map the SIP extensions to the MAC addresses of the snom VoIP devices by either adding the mappings manually or uploading a batch XML file. See Section 40.
40.2 Auto Provision Setup

Use this screen to configure auto provisioning for the snom VoIP devices connected to the ISG50. This screen displays the mapping between SIP extensions and the snom VoIP devices’ MAC addresses. To access this screen, click Configuration > PBX > Auto Provision.

Figure 386 Configuration > PBX > Auto Provision

Each field is described in the following table.
Table 219 Configuration > PBX > Auto Provision (continued)
LABEL | DESCRIPTION
Remove Customized Config | Select a snom VoIP device extension and click the Remove Config icon to remove any custom configuration for it.
View Config File | Select a snom VoIP device extension and click the View Config File icon to view the configuration file for it or save a copy of the configuration file.
# | This field is a sequential value, and it is not associated with a specific entry.
40.2.2 Auto Provision Edit

Use this screen to set up the auto provisioning settings for a snom extension on the ISG50. To access this screen, click Configuration > PBX > Auto Provision and then click the Edit button for a snom device’s extension.

Figure 387 Configuration > PBX > Auto Provision > Edit

Each field is described in the following table.
40.3 Auto Provision Advanced Screen

Use this screen to configure the feature key settings and firmware upgrade URLs for the snom VoIP devices connected to the ISG50. To access this screen, click Configuration > PBX > Auto Provision > Auto Provision Advanced then click the snom Feature Key Setting button.

Figure 388 Configuration > PBX > Auto Provision > Auto Provision Advanced

Each field is described in the following table.
Table 221 Configuration > PBX > Auto Provision > Auto Provision Advanced (continued)
LABEL | DESCRIPTION
Firmware Upgrade File Location Settings | This list corresponds to the snom products supported by the ISG50. Enter the firmware upgrade URL for the type of device.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.
Chapter 41 Voice Mail

41.1 Overview

This chapter shows you how to set up voice mail for the ISG50’s calls. Voice mail messages on the ISG50 are stored on the built-in flash memory of the ISG50. To ensure that one user does not utilize a disproportionate amount of voice mail capacity, you can limit the per user voice mail resources on a system wide basis.

41.1.1 What You Can Do in this Chapter

Use the Voice Mail screen to set maximum call lengths per call or per user. See Section 41.2 on page 582.

41.1.
41.2 The Voice Mail Screen

Use this screen to set up the voice mail settings on the ISG50. To access this screen, click Configuration > PBX > Voice Mail.

Figure 389 Configuration > PBX > Voice Mail

Each field is described in the following table.

Table 222 Configuration > PBX > Voice Mail
LABEL | DESCRIPTION
Max Length per Call | Specify the maximum number of seconds for each voice mail message. This value can be from 1 to 90 seconds.
Table 222 Configuration > PBX > Voice Mail (continued)
LABEL | DESCRIPTION
E-mail Body | Enter up to 350 alphanumeric characters (a-z, A-Z, 1-0, all punctuation included) as the body text for e-mails sent out by the ISG50 to notify users of pending voice mails. You can also use the following ISG50-specific variables to include custom information about the voice mail:
• VM_DUR: This is the duration of the voice mail in hh:mm:ss format (hours, minutes, and seconds).
Personal Voice Mail Main Flow

The following figure describes the main flow in the personal voice mail system.

Figure 390 Personal Voice Mail Flow (flowchart labels: Voice Mail Feature Code + Extension; Enter Password; Authentication; Failure; Exit; Success; You have XX new/old messages.)
Voice Message Menu

The following figure describes the Voice Message Menu. From Voice Mail Main, press number 1 on your phone keypad to enter this menu. The ISG50 will play you a new message. Then you can choose either one of the following options for the next action.
Mail Box Options Menu

The following figure describes the Mail Box Options Menu. From Voice Mail Main, press number 0 on your phone keypad to enter this menu. This menu allows you to record the messages that are played for the initial greeting or when you (your extension) are unavailable or busy.
Chapter 42 Phonebook

42.1 Overview

This chapter shows you how to set up a phonebook for the ISG50. There are two ways to set up a phone book on the ISG50.

• You can create an LDAP (Lightweight Directory Access Protocol) phonebook, which imports entries from an LDAP directory on your network.
• You can also create local phonebook entries via the web configurator of the ISG50.

You can configure either type of phonebook, or both.
42.1.3 Before You Begin

If you intend to configure the ISG50 to use an LDAP phonebook, you need the following information about the LDAP server on your network to issue an LDAP query from the ISG50:

• LDAP Server IP address - this is the IP address of the LDAP server you want to query.
• Port number - this is the port number that the LDAP server uses to receive LDAP queries.
• RootDN - this is the username used to authenticate with the LDAP server.
42.3 The LDAP Phonebook Summary Screen

Use this screen to view the phonebook entries retrieved from the LDAP database. To access this screen, click Configuration > PBX > Phonebook > LDAP Phonebook.

Figure 395 Configuration > PBX > Phonebook > LDAP Phonebook > Summary

Each field is described in the following table.
the LDAP phonebook search filter. To access this screen, click Configuration > PBX > Phonebook > LDAP Phonebook > Settings.

Figure 396 Configuration > PBX > Phonebook > LDAP Phonebook > Settings

Each field is described in the following table.

Table 225 Configuration > PBX > Phonebook > LDAP Phonebook > Settings
LABEL | DESCRIPTION
Enable LDAP Phonebook | Check this box to enable LDAP based phonebook on the ISG50.
Table 225 Configuration > PBX > Phonebook > LDAP Phonebook > Settings (continued)
LABEL | DESCRIPTION
Password | Specify the password for the LDAP server.
Name | Specify the field name in the LDAP database that you want to map the Name field of the LDAP phonebook to.
Extension | Specify the field name in the LDAP database that you want to map the Ext. field of the LDAP phonebook to.
Each field is described in the following table.

Table 226 Configuration > PBX > Phonebook > Local Phonebook
LABEL | DESCRIPTION
Phonebook File Settings | Use this section to upload a CSV format file containing your phonebook entries to the ISG50 or download the local phonebook from the ISG50 to your local computer or another location on your network.
File Path | Type the path to or click Browse and locate the text file containing a local phonebook.
entries on the ISG50. Click the Add (or Edit) icon in the Local Phonebook screen to view the screen as shown.

Figure 398 Local Phonebook Add/Edit Screen

Each field is described in the following table.

Table 227 Local Phonebook Add/Edit Screen
LABEL | DESCRIPTION
Name | Type a Name value for this local phonebook entry. You cannot change this value if you are editing an existing local phonebook entry.
Extension | Type an Ext. value for this local phonebook entry.
Chapter 43 Office Hours

43.1 Overview

This chapter shows you how to set the office hours for the ISG50. You can use office hours to have the ISG50 deal with incoming calls differently at different times of day and night.

43.1.1 What You Can Do in this Chapter

Use the Office Hour screen to configure the days of the week and times you are in the office. See Section 43.2 on page 595.

43.1.
Note: The office hour configuration here is used as the default for all new extensions. To customize office hours on a per-extension or per-authority group basis, you must go to those specific screens. For more, see Chapter 29 on page 453.

Figure 399 Configuration > PBX > Office Hour

Each field is described in the following table.

Table 228 Configuration > PBX > Office Hour
LABEL | DESCRIPTION
Office Hour Settings | Use this section to specify office hours on the ISG50.
Table 228 Configuration > PBX > Office Hour (continued)
LABEL | DESCRIPTION
Edit | Double-click an entry or select it and click Edit to modify it.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
# | This field is a sequential value and is not associated with a specific entry.
Date | Enter a date in mm/dd format (double digit month / day; for example, 02/09 for February 9th.
Chapter 44 User/Group

44.1 Overview

This chapter describes how to set up user accounts, user groups, and user settings for the ISG50. You can also set up rules that control when users have to log in to the ISG50 before the ISG50 routes traffic for them.

44.1.1 What You Can Do in this Chapter

• The User screen (see Section 44.2 on page 601) provides a summary of all user accounts.
• The Group screen (see Section 44.3 on page 604) provides a summary of all user groups.
Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 48 on page 631 for more information about authentication methods.)

Ext-User Accounts

Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the ISG50. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
User Awareness

By default, users do not have to log into the ISG50 to use the network services it provides. The ISG50 automatically routes packets for everyone. If you want to restrict network services that certain users can use via the ISG50, you can require them to log in to the ISG50 first. The ISG50 is then ‘aware’ of the user who is logged in and you can create ‘user-aware policies’ that define what services they can use. See Section 44.4.
44.2.1 User Add/Edit Screen

The User Add/Edit screen allows you to create a new user account or edit an existing one.

44.2.1.1 Rules for User Names

Enter a user name from 1 to 31 characters. The user name can only contain the following characters:

• Alphanumeric A-z 0-9 (there is no unicode support)
• _ [underscores]
• - [dashes]

The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:

• User names are case-sensitive.
The following table describes the labels in this screen.

Table 231 Configuration > User/Group > User > Add
LABEL | DESCRIPTION
User Name | Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 44.2.1.1 on page 602.
Table 231 Configuration > User/Group > User > Add (continued)
LABEL | DESCRIPTION
OK | Click OK to save your changes back to the ISG50.
Cancel | Click Cancel to exit this screen without saving your changes.

44.3 User Group Summary Screen

User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
44.3.1 Group Add/Edit Screen

The Group Add/Edit screen allows you to create a new user group or edit an existing one. To access this screen, go to the Group screen (see Section 44.3 on page 604), and click either the Add icon or an Edit icon.

Figure 403 Configuration > User/Group > Group > Add

The following table describes the labels in this screen.

Table 233 Configuration > User/Group > Group > Add
LABEL | DESCRIPTION
Name | Type the name for this user group.
To access this screen, log in to the Web Configurator, and click Configuration > Object > User/Group > Setting.

Figure 404 Configuration > Object > User/Group > Setting

The following table describes the labels in this screen.

Table 234 Configuration > Object > User/Group > Setting
LABEL | DESCRIPTION
User Authentication Timeout Settings
Default Authentication Timeout Settings | These authentication timeout settings are used by default when you create a new user account.
Table 234 Configuration > Object > User/Group > Setting (continued)
LABEL | DESCRIPTION
User Type | These are the kinds of user account the ISG50 supports.
Table 234 Configuration > Object > User/Group > Setting (continued)
LABEL | DESCRIPTION
Maximum number per access account | This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
The following table describes the labels in this screen.

Table 235 Configuration > Object > User/Group > Setting > Edit
LABEL | DESCRIPTION
User Type | This read-only field identifies the type of user account for which you are configuring the default settings.
The following table describes the labels in this screen.

Table 236 Web Configurator for Non-Admin Users
LABEL | DESCRIPTION
User-defined lease time (max ... minutes) | Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew | Access users can click this button to reset the lease time, the amount of time remaining before the ISG50 automatically logs them out.
Figure 408 RADIUS Example: Keywords for User Attributes

type=user;leaseTime=222;reauthTime=222

Creating a Large Number of Ext-User Accounts

If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts. See Chapter 55 on page 725 for more information about shell scripts.
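A pre-flight check for the bulk procedure above, as an added example that is not part of the ZyXEL guide: it screens extracted names against the user name rules in Section 44.2.1.1 before they are written into any script, and parses an attribute string in the Figure 408 format. The group names, the reserved-word placeholder and the sample names are constructed, and treating the two time values as unsigned integers is an assumption; no ISG50 CLI commands are generated because this part of the guide does not show them.

```python
import re

# Section 44.2.1.1: 1 to 31 characters from A-Z, a-z, 0-9, underscore and
# dash; the first character must be a letter, an underscore or a dash.
USER_NAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# Keywords shown in Figure 408. Treating both time values as unsigned
# decimal integers is an assumption; the figure shows only the value 222.
INT_KEYS = {"leaseTime", "reauthTime"}
KNOWN_KEYS = {"type"} | INT_KEYS


def check_user_name(name, group_names=(), reserved=()):
    """Return the list of rule violations for one candidate user name."""
    problems = []
    if not USER_NAME_RE.fullmatch(name):
        problems.append("not 1-31 of [A-Za-z0-9_-] or starts with a digit")
    if name in group_names:  # names are case-sensitive, so exact match
        problems.append("same as a user group name")
    if name in reserved:
        problems.append("reserved word")
    return problems


def triage(names, group_names=(), reserved=()):
    """Split extracted names into (accepted, rejected) before scripting."""
    accepted, rejected, seen = [], [], set()
    for name in names:
        problems = check_user_name(name, group_names, reserved)
        if name in seen:
            problems.append("duplicate of an earlier entry")
        seen.add(name)
        if problems:
            rejected.append((name, problems))
        else:
            accepted.append(name)
    return accepted, rejected


def parse_user_attributes(value):
    """Parse a Figure 408 style string into a dict, rejecting bad input."""
    attrs = {}
    for item in value.strip().split(";"):
        if not item:
            continue  # tolerate empty segments such as a trailing semicolon
        key, sep, val = item.partition("=")
        key, val = key.strip(), val.strip()
        if not sep or not val:
            raise ValueError(f"malformed attribute {item!r}")
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown keyword {key!r}")
        if key in attrs:
            raise ValueError(f"keyword {key!r} given twice")
        if key in INT_KEYS:
            if not re.fullmatch(r"[0-9]+", val):
                raise ValueError(f"{key} must be a whole number, got {val!r}")
            val = int(val)
        attrs[key] = val
    return attrs


# Constructed sample input (not taken from any real directory).
SAMPLE_NAMES = ["jsmith", "J_Smith-2", "9lives", "sales team",
                "jsmith", "Finance", "bob;reboot", "x" * 32]
SAMPLE_GROUPS = {"Finance"}          # hypothetical existing user group
SAMPLE_RESERVED = {"RESERVED_WORD"}  # placeholder: the guide's list is not shown

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_NAMES, SAMPLE_GROUPS, SAMPLE_RESERVED)
    print("accepted:", ok)
    for name, why in bad:
        print("rejected:", repr(name), "-", "; ".join(why))
    print(parse_user_attributes("type=user;leaseTime=222;reauthTime=222"))
```

Names that fail the check, such as one containing a semicolon or a space, are the ones most likely to corrupt a generated script line, so they are reported rather than silently rewritten.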
Chapter 45 Addresses

45.1 Overview

Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.

45.1.1 What You Can Do in this Chapter

• The Address screen (Section 45.2 on page 613) provides a summary of all addresses in the ISG50. Use the Address Add/Edit screen to create a new address or edit an existing one.
• Use the Address Group summary screen (Section 45.
The Address screen provides a summary of all addresses in the ISG50. To access this screen, click Configuration > Object > Address > Address. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.

Figure 409 Configuration > Object > Address > Address

The following table describes the labels in this screen. See Section 45.2.1 on page 614 for more information as well.
The following table describes the labels in this screen.
Table 239 Configuration > Object > Address > Address > Edit
LABEL | DESCRIPTION
Name | Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Address Type | Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET, INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.
The following table describes the labels in this screen. See Section 45.3.1 on page 616 for more information as well.
Table 240 Configuration > Object > Address > Address Group
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
Table 241 Configuration > Object > Address > Address Group > Add (continued)
LABEL | DESCRIPTION
Member List | The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list.
CHAPTER 46 Services
46.1 Overview
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
46.1.1 What You Can Do in this Chapter
• Use the Service screens (Section 46.2 on page 620) to view and configure the ISG50’s list of services and their definitions.
• Use the Service Group screens (Section 46.2 on page 620) to view and configure the ISG50’s list of service groups.
46.1.
Service Objects and Service Groups
Use service objects to define IP protocols.
• TCP applications
• UDP applications
• ICMP messages
• user-defined services (for other types of IP protocols)
These objects are used in policy routes and firewall rules. Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Figure 413 Configuration > Object > Service > Service
The following table describes the labels in this screen.
Table 242 Configuration > Object > Service > Service
LABEL | DESCRIPTION
Add | Click this to create a new entry.
46.2.1 The Service Add/Edit Screen
The Service Add/Edit screen allows you to create a new service or edit an existing one. To access this screen, go to the Service screen (see Section 46.2 on page 620), and click either the Add icon or an Edit icon.
Figure 414 Configuration > Object > Service > Service > Edit
The following table describes the labels in this screen.
To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group.
Figure 415 Configuration > Object > Service > Service Group
The following table describes the labels in this screen. See Section 46.3.1 on page 624 for more information as well.
Table 244 Configuration > Object > Service > Service Group
LABEL | DESCRIPTION
Add | Click this to create a new entry.
46.3.1 The Service Group Add/Edit Screen
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one. To access this screen, go to the Service Group screen (see Section 46.3 on page 622), and click either the Add icon or an Edit icon.
Figure 416 Configuration > Object > Service > Service Group > Add
The following table describes the labels in this screen.
CHAPTER 47 Schedules
47.1 Overview
Use schedules to set up one-time and recurring schedules for policy routes and firewall rules. The ISG50 supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the ISG50.
Note: Schedules are based on the ISG50’s current date and time.
47.1.1 What You Can Do in this Chapter
• Use the Schedule summary screen (Section 47.
47.2 The Schedule Summary Screen
The Schedule summary screen provides a summary of all schedules in the ISG50. To access this screen, click Configuration > Object > Schedule.
Figure 417 Configuration > Object > Schedule
The following table describes the labels in this screen. See Section 47.2.1 on page 627 and Section 47.2.2 on page 628 for more information as well.
Table 246 Configuration > Object > Schedule
LABEL | DESCRIPTION
One Time
Add | Click this to create a new entry.
Table 246 Configuration > Object > Schedule (continued)
LABEL | DESCRIPTION
Start Time | This field displays the time at which the schedule begins.
Stop Time | This field displays the time at which the schedule ends.
47.2.1 The One-Time Schedule Add/Edit Screen
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 47.
Table 247 Configuration > Object > Schedule > Add (One Time) (continued)
LABEL | DESCRIPTION
StopDate | Specify the year, month, and day when the schedule ends. Year - 1900 - 2999; Month - 1 - 12; Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.); Hour - 0 - 23; Minute - 0 - 59
StopTime | Specify the hour and minute when the schedule ends. Hour - 0 - 23; Minute - 0 - 59
OK | Click OK to save your changes back to the ISG50.
Table 248 Configuration > Object > Schedule > Add (Recurring) (continued)
LABEL | DESCRIPTION
StartTime | Specify the hour and minute when the schedule begins each day. Hour - 0 - 23; Minute - 0 - 59
StopTime | Specify the hour and minute when the schedule ends each day. Hour - 0 - 23; Minute - 0 - 59
Weekly
Week Days | Select each day of the week the recurring schedule is effective.
OK | Click OK to save your changes back to the ISG50.
CHAPTER 48 AAA Server
48.1 Overview
You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 49 on page 639).
48.1.
user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
Figure 421 RADIUS Server Network Example
48.1.3 ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase an ISG50 OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators).
• Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example, a bind DN of cn=ISG50Admin allows the ISG50 to log into the LDAP/AD server using the user name of ISG50Admin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the ISG50 will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
Finding Out More
• See Section 7.5.
48.2.1 Adding an Active Directory or LDAP Server
Click Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one.
Figure 424 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add
The following table describes the labels in this screen.
Table 250 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued)
LABEL | DESCRIPTION
Search time limit | Specify the timeout period (between 1 and 300 seconds) before the ISG50 disconnects from the AD or LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.
Bind DN | Specify the bind DN for logging into the AD or LDAP server.
The following table describes the labels in this screen.
Table 251 Configuration > Object > AAA Server > RADIUS
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
The following table describes the labels in this screen.
Table 252 Configuration > Object > AAA Server > RADIUS > Add
LABEL | DESCRIPTION
Name | Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description | Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address | Enter the address of the RADIUS server.
CHAPTER 49 Authentication Method
49.1 Overview
Authentication method objects set how the ISG50 authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the ISG50 use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the ISG50 are authenticated locally.
49.1.
4 Click OK to save the settings.
Figure 427 Example: Using Authentication Method in VPN
49.2 Authentication Method Objects
Click Configuration > Object > Auth. Method to display the screen as shown.
Note: You can create up to 16 authentication method objects.
Figure 428 Configuration > Object > Auth. Method
The following table describes the labels in this screen.
Table 253 Configuration > Object > Auth. Method
LABEL | DESCRIPTION
Add | Click this to create a new entry.
49.2.1 Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1 Click Configuration > Object > Auth. Method.
2 Click Add.
3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Table 254 Configuration > Object > Auth. Method > Add (continued)
LABEL | DESCRIPTION
Edit | Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
CHAPTER 50 Certificates
50.1 Overview
The ISG50 can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
50.1.1 What You Can Do in this Chapter
• Use the My Certificate screens (see Section 50.2 on page 646 to Section 50.2.
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
The ISG50 uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection.
• Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the ISG50.
Note: Be careful not to convert a binary file to text during the transfer process.
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 431 Certificate Details
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
50.
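The comparison in steps 3 and 4 can also be made from a file copy of the certificate. The following is an added example, not part of this guide: it hashes the certificate's DER bytes (from a Base64 PEM or a binary file) and compares the result with the value the owner reports, tolerating the spaces, colons and invisible characters that certificate viewers add. The sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re
import unicodedata

# Names as they may appear in a "Thumbprint Algorithm" field -> hashlib names.
ALGORITHMS = {"sha1": "sha1", "sha-1": "sha1", "md5": "md5",
              "sha256": "sha256", "sha-256": "sha256"}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def load_der(data: bytes) -> bytes:
    """Return DER bytes from either a Base64 (PEM) or a binary (DER) file."""
    match = PEM_RE.search(data.decode("ascii", errors="ignore"))
    if match is None:
        return data                       # no PEM armour: already binary DER
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def thumbprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the whole certificate, which is what a thumbprint is."""
    name = ALGORITHMS.get(algorithm.strip().lower())
    if name is None:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm!r}")
    return hashlib.new(name, load_der(data)).hexdigest()


def normalize(reported: str) -> str:
    """Reduce a thumbprint read out or pasted by the owner to bare lowercase hex."""
    # Values copied from a certificate dialog can carry invisible format
    # characters (Unicode category Cf) that make equal values compare unequal.
    visible = "".join(ch for ch in reported if unicodedata.category(ch) != "Cf")
    cleaned = re.sub(r"[\s:-]", "", visible).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint contains non-hexadecimal characters")
    return cleaned


def thumbprint_matches(data: bytes, reported: str, algorithm: str = "sha1") -> bool:
    """True only if the full digest matches; a shortened value never matches."""
    return hmac.compare_digest(thumbprint(data, algorithm), normalize(reported))


# Constructed stand-in for a certificate's DER encoding (not a real certificate).
CONSTRUCTED_DER = bytes(range(64))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
).encode("ascii")

if __name__ == "__main__":
    local = thumbprint(CONSTRUCTED_PEM, "sha1")
    print("SHA1 thumbprint:", local)
    print("matches owner's value:", thumbprint_matches(CONSTRUCTED_PEM, local.upper()))
```

Both sides must name the same algorithm; a SHA1 value compared against an MD5 value fails on length alone.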
The following table describes the labels in this screen.
Table 255 Configuration > Object > Certificate > My Certificates
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the ISG50’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
50.2.1 The My Certificates Add Screen
Click Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the ISG50 create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
The following table describes the labels in this screen.
Table 256 Configuration > Object > Certificate > My Certificates > Add
LABEL | DESCRIPTION
Name | Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information | Use these fields to record information that identifies the owner of the certificate.
Table 256 Configuration > Object > Certificate > My Certificates > Add (continued)
LABEL | DESCRIPTION
Create a certification request and enroll for a certificate immediately online | Select this to have the ISG50 generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority’s certificate already imported in the Trusted Certificates screen.
50.2.2 The My Certificates Edit Screen
Click Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name.
The following table describes the labels in this screen.
Table 257 Configuration > Object > Certificate > My Certificates > Edit
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path | This field displays for a certificate, not a certification request.
Table 257 Configuration > Object > Certificate > My Certificates > Edit
LABEL | DESCRIPTION
Key Usage | This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.
Basic Constraint | This field displays general information about the certificate.
The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it.
Figure 435 Configuration > Object > Certificate > My Certificates > Import
The following table describes the labels in this screen.
as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates.
Figure 436 Configuration > Object > Certificate > Trusted Certificates
The following table describes the labels in this screen.
Table 259 Configuration > Object > Certificate > Trusted Certificates
LABEL | DESCRIPTION
PKI Storage Space in Use | This bar displays the percentage of the ISG50’s PKI storage space that is currently in use.
50.3.1 The Trusted Certificates Edit Screen
Click Configuration > Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the ISG50 to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Table 260 Configuration > Object > Certificate > Trusted Certificates > Edit
LABEL | DESCRIPTION
Name | This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Table 260 Configuration > Object > Certificate > Trusted Certificates > Edit (continued)
LABEL | DESCRIPTION
Issuer | This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm | This field displays the type of algorithm that was used to sign the certificate.
50.3.2 The Trusted Certificates Import Screen
Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the ISG50.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
CHAPTER 51 ISP Accounts
51.1 Overview
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP interfaces. An ISP account is a profile of settings for Internet access using PPPoE or PPTP.
Finding Out More
• See Section 12.4 on page 246 for information about PPPoE/PPTP interfaces.
• See Section 6.7 on page 103 for related information on these screens.
51.1.1 What You Can Do in this Chapter
Use the Object > ISP Account screens (Section 51.
The following table describes the labels in this screen. See the ISP Account Add/Edit section below for more information as well.
Table 262 Configuration > Object > ISP Account
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so.
The following table describes the labels in this screen.
Table 263 Configuration > Object > ISP Account > Edit
LABEL | DESCRIPTION
Profile Name | This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Table 263 Configuration > Object > ISP Account > Edit (continued)
LABEL | DESCRIPTION
OK | Click OK to save your changes back to the ISG50. If there are no errors, the program returns to the ISP Account screen. If there are errors, a message box explains the error, and the program stays in the ISP Account Edit screen.
Cancel | Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
CHAPTER 52 System
52.1 Overview
Use the system screens to configure general ISG50 settings.
52.1.1 What You Can Do in this Chapter
• Use the System > Host Name screen (see Section 52.2 on page 666) to configure a unique name for the ISG50 in your network.
• Use the System > USB Storage screen (see Section 52.2 on page 666) to configure the settings for the connected USB devices.
• Use the System > Date/Time screen (see Section 52.4 on page 667) to configure the date and time for the ISG50.
52.2 Host Name
A host name is the unique name by which a device is known on a network. Click Configuration > System > Host Name to open the Host Name screen.
Figure 441 Configuration > System > Host Name
The following table describes the labels in this screen.
Table 264 Configuration > System > Host Name
LABEL | DESCRIPTION
System Name | Choose a descriptive name to identify your ISG50 device. This name can be up to 64 alphanumeric characters long.
Click Configuration > System > USB Storage to open the screen as shown next.
Figure 442 Configuration > System > USB Storage
The following table describes the labels in this screen.
Table 265 Configuration > System > USB Storage
LABEL | DESCRIPTION
Activate USB storage service | Select this if you want to use the connected USB device(s).
To change your ISG50’s time based on your local time zone and date, click Configuration > System > Date/Time. The screen displays as shown. You can manually set the ISG50’s time and date or have the ISG50 get the date and time from a time server.
Figure 443 Configuration > System > Date and Time
The following table describes the labels in this screen.
Table 266 Configuration > System > Date and Time (continued)
LABEL | DESCRIPTION
Get from Time Server | Select this radio button to have the ISG50 get the time and date from the time server you specify below. The ISG50 requests time and date settings from the time server under the following circumstances.
• When the ISG50 starts up.
• When you click Apply or Synchronize Now in this screen.
• 24-hour intervals after starting up.
52.4.1 Pre-defined NTP Time Servers List
When you turn on the ISG50 for the first time, the date and time start at 2003-01-01 00:00:00. The ISG50 then attempts to synchronize with one of the following pre-defined list of Network Time Protocol (NTP) time servers. The ISG50 continues to use the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.
Table 267 Default Time Servers
0.pool.ntp.org
1.pool.
7 Click Apply.
To get the ISG50 date and time from a time server
1 Click System > Date/Time.
2 Select Get from Time Server under Time and Date Setup.
3 Under Time Zone Setup, select your Time Zone from the list.
4 As an option you can select the Enable Daylight Saving check box to adjust the ISG50 clock for daylight savings.
5 Under Time and Date Setup, enter a Time Server Address (Table 267 on page 670).
6 Click Apply.
52.
52.6 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
52.6.1 DNS Server Address Assignment
The ISG50 can get the DNS server addresses in the following ways.
• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up.
The following table describes the labels in this screen.
Table 269 Configuration > System > DNS
LABEL | DESCRIPTION
Address/PTR Record | This record specifies the mapping of a Fully-Qualified Domain Name (FQDN) to an IP address. An FQDN consists of a host and domain name. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top level domain.
Table 269 Configuration > System > DNS (continued)
LABEL | DESCRIPTION
Add | Click this to create a new entry.
Edit | Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove | To remove an entry, select it and click Remove. The ISG50 confirms you want to remove it before doing so. Note that subsequent entries move up by one when you take this action.
# | This is the index number of the MX record.
52.6.4 PTR Record
A PTR (pointer) record is also called a reverse record or a reverse lookup record. It is a mapping of an IP address to a domain name.
52.6.5 Adding an Address/PTR Record
Click the Add icon in the Address/PTR Record table to add an address/PTR record.
Figure 447 Configuration > System > DNS > Address/PTR Record Add
The following table describes the labels in this screen.
52.6.7 Adding a Domain Zone Forwarder
Click the Add icon in the Domain Zone Forwarder table to add a domain zone forwarder record.
Figure 448 Configuration > System > DNS > Domain Zone Forwarder Add
The following table describes the labels in this screen.
Table 271 Configuration > System > DNS > Domain Zone Forwarder Add
LABEL | DESCRIPTION
Domain Zone | A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.
be delivered to your mail server and vice versa. Each host or domain can have only one MX record, that is, one domain maps to one host.
52.6.9 Adding a MX Record
Click the Add icon in the MX Record table to add a MX record.
Figure 449 Configuration > System > DNS > MX Record Add
The following table describes the labels in this screen.
Table 272 Configuration > System > DNS > MX Record Add
LABEL | DESCRIPTION
Domain Name | Enter the domain name where the mail is destined for.
Table 273 Configuration > System > DNS > Service Control Rule Add (continued)
LABEL | DESCRIPTION
Zone | Select ALL to allow or prevent DNS queries through any zones. Select a predefined zone on which a DNS query to the ISG50 is allowed or denied.
Action | Select Accept to have the ISG50 allow the DNS queries from the specified computer. Select Deny to have the ISG50 reject the DNS queries from the specified computer.
OK | Click OK to save your customized settings and exit this screen.
Each user is also forced to log in to the ISG50 for authentication again when the reauthentication time expires. You can change the timeout settings in the User/Group screens.
52.7.3 HTTPS
You can set the ISG50 to use HTTP or HTTPS (HTTPS adds security) for Web Configurator sessions. Specify which zones allow Web Configurator access and from which IP address the access can come.
52.7.4 Configuring WWW Service Control
Click Configuration > System > WWW to open the WWW screen. Use this screen to specify from which zones you can access the ISG50 using HTTP or HTTPS. You can also specify which IP addresses the access can come from.
Note: Admin Service Control deals with management access (to the Web Configurator). User Service Control deals with user access to the ISG50.
The following table describes the labels in this screen.
Table 274 Configuration > System > WWW > Service Control
LABEL | DESCRIPTION
HTTPS
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ISG50 Web Configurator using secure HTTPS connections.
Server Port | The HTTPS server listens on port 443 by default.
Table 274 Configuration > System > WWW > Service Control (continued)
LABEL | DESCRIPTION
Enable | Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ISG50 Web Configurator using HTTP connections.
Server Port | You may change the server port number for a service if needed, however you must use the same port number in order to use that service to access the ISG50.
52.7.5 Service Control Rules
Click Add or Edit in the Service Control table in a WWW, SSH, Telnet, FTP or SNMP screen to add a service control rule.
Figure 453 Configuration > System > Service Control Rule > Edit
The following table describes the labels in this screen.
Table 275 Configuration > System > Service Control Rule > Edit
LABEL | DESCRIPTION
Create new Object | Use this to configure any new settings objects that you need to use in this screen.
displays after an access user logs into the Web Configurator to access network services like the Internet. See Chapter 44 on page 599 for more on access user accounts.
The following figures identify the parts you can customize in the login and access pages.
Figure 455 Login Page Customization (callouts: Logo, Title, Message (color of all text), Background, Note Message (last line of text))
Figure 456 Access Page Customization (callouts: Logo, Title, Message (color of all text), Note Message (last line of text), Background)
You can specify colors in one of the following ways:
• Click Color to display a screen of web-safe colors from which to choose.
• Enter a pound sign (#) followed by the six-digit hexadecimal number that represents the desired color. For example, use “#000000” for black.
• Enter “rgb” followed by red, green, and blue values in parentheses and separated by commas. For example, use “rgb(0,0,0)” for black.
Your desired color should display in the preview screen on the right after you click in another field, click Apply, or press [ENTER]. If your desired color does not display, your browser may not support it.
Table 276 Configuration > System > WWW > Login Page
LABEL | DESCRIPTION
Apply | Click Apply to save your changes back to the ISG50.
Reset | Click Reset to return the screen to its last-saved settings.
52.7.7 HTTPS Example
If you haven’t changed the default HTTPS port on the ISG50, then in your browser enter “https://ISG50 IP Address/” as the web site address where “ISG50 IP Address” is the IP address or domain name of the ISG50 you wish to access.
52.7.7.
52.7.7.3 Login Screen
After you accept the certificate, the ISG50 login screen appears. The lock displayed in the bottom of the browser status bar denotes a secure connection.
Figure 458 Login Screen (Internet Explorer)
52.7.7.4 Enrolling and Importing SSL Client Certificates
The SSL client needs a certificate if Authenticate Client Certificates is selected on the ISG50.
52.7.7.4.1 Installing the CA’s Certificate
1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
Figure 460 CA Certificate Example
2 Click Install Certificate and follow the wizard as shown earlier in this appendix.
52.7.7.4.2 Installing Your Personal Certificate(s)
You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
Chapter 52 System 1 Click Next to begin the wizard. Figure 461 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate.
Chapter 52 System 3 Enter the password given to you by the CA. Figure 463 Personal Certificate Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.
5 Click Finish to complete the wizard and begin the import process.
Figure 465 Personal Certificate Import Wizard 5
6 You should see the following screen when the certificate is correctly installed on your computer.
Figure 466 Personal Certificate Import Wizard 6
52.7.7.5 Using a Certificate When Accessing the ISG50 Example
Use the following procedure to access the ISG50 via HTTPS.
1 Enter “https://ISG50 IP Address/” in your browser’s web address field.
Chapter 52 System 2 When Authenticate Client Certificates is selected on the ISG50, the following screen asks you to select a personal certificate to send to the ISG50. This screen displays even if you only have a single certificate as in the example. Figure 468 SSL Client Authentication 3 You next see the Web Configurator login screen. Figure 469 Secure Web Configurator Login Screen 52.8 SSH You can use SSH (Secure SHell) to securely access the ISG50’s command line interface.
following figure, computer A on the Internet uses SSH to securely connect to the WAN port of the ISG50 for a management session.
Figure 470 SSH Communication Over the WAN Example
52.8.1 How SSH Works
The following figure is an example of how a secure connection is established between two remote hosts using SSH v1.
Figure 471 How SSH v1 Works Example
1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
3 Authentication and Data Transmission
After the identification is verified and data encryption activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (user name and password) to the server to log in to the server.
52.8.2 SSH Implementation on the ISG50
Your ISG50 supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish).
Chapter 52 System The following table describes the labels in this screen. Table 277 Configuration > System > SSH LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ISG50 CLI using this service. Version 1 Select the check box to have the ISG50 use both SSH version 1 and version 2 protocols. If you clear the check box, the ISG50 uses only SSH version 2 protocol.
3 A window displays prompting you to store the host key in your computer. Click Yes to continue.
Figure 473 SSH Example 1: Store Host Key
Enter the password to log in to the ISG50. The CLI screen displays next.
52.8.5.2 Example 2: Linux
This section describes how to access the ISG50 using the OpenSSH client program that comes with most Linux distributions.
1 Test whether the SSH service is available on the ISG50. Enter “telnet 192.168.1.1 22” at a terminal prompt and press [ENTER].
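A check for the Version 1 setting in the SSH screen, as an added example that is not part of the original guide: an SSH server's identification string states which protocol versions it accepts (protoversion 1.99 means both version 1 and version 2, per RFC 4253), so reading it on port 22 confirms whether clearing Version 1 took effect. The function names and the sample banners are constructed for illustration.

```python
import re
import socket

# SSH identification string: SSH-protoversion-softwareversion [SP comments]
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def extract_identification(raw: bytes) -> str:
    """Return the first line starting with 'SSH-'.

    A server may send other text lines before its identification string,
    so lines without the prefix are skipped.
    """
    for line in raw.split(b"\n"):
        text = line.rstrip(b"\r").decode("ascii", errors="replace")
        if text.startswith("SSH-"):
            return text
    raise ValueError("no SSH identification line found")


def classify_banner(banner: str) -> dict:
    """Map an identification string to the protocol versions it advertises."""
    match = IDENT_RE.match(banner.rstrip("\r\n"))
    if not match:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto, software = match.group(1), match.group(2)
    if proto == "2.0":
        versions = {2}
    elif proto == "1.99":
        versions = {1, 2}      # compatibility mode: accepts v1 and v2 clients
    elif proto.startswith("1."):
        versions = {1}
    else:
        raise ValueError(f"unknown protocol version {proto!r}")
    return {
        "protoversion": proto,
        "software": software,
        "versions": versions,
        "ssh1_enabled": 1 in versions,
    }


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect, read until a complete identification line arrives, return it."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while len(raw) < 4096:
            chunk = sock.recv(256)
            if not chunk:
                break
            raw += chunk
            complete_lines = raw.split(b"\n")[:-1]
            if any(line.startswith(b"SSH-") for line in complete_lines):
                break
    return extract_identification(raw)


if __name__ == "__main__":
    # Constructed sample banners; replace with read_banner("<device address>")
    # to check a device you administer.
    for sample in ("SSH-1.99-ExampleSSH_1.0", "SSH-2.0-ExampleSSH_1.0"):
        info = classify_banner(sample)
        state = "enabled" if info["ssh1_enabled"] else "disabled"
        print(f"{sample}: SSH version 1 {state}")
```
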
Chapter 52 System 52.9 Telnet You can use Telnet to access the ISG50’s command line interface. Specify which zones allow Telnet access and from which IP address the access can come. 52.9.1 Configuring Telnet Click Configuration > System > TELNET to configure your ISG50 for remote Telnet access. Use this screen to specify from which zones Telnet can be used to manage the ISG50. You can also specify from which IP addresses the access can come.
Table 278 Configuration > System > TELNET (continued)
LABEL    DESCRIPTION
#    This is the index number of the service control rule. The entry with a hyphen (-) instead of a number is the ISG50’s (non-configurable) default policy. The ISG50 applies this to traffic that does not match any other configured rule. It is not an editable rule. To apply other behavior, configure a rule that traffic will match so the ISG50 will not have to use the default policy.
Chapter 52 System The following table describes the labels in this screen. Table 279 Configuration > System > FTP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ISG50 using this service. TLS required Select the check box to use FTP over TLS (Transport Layer Security) to encrypt communication. This implements TLS as a security mechanism to secure FTP clients and/or servers.
Chapter 52 System one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Figure 478 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ISG50). An agent translates the local management information from the managed device into a form compatible with SNMP.
Chapter 52 System 52.11.1 Supported MIBs The ISG50 supports MIB II that is defined in RFC-1213 and RFC-1215. The ISG50 also supports private MIBs (ZYXEL-ES-SMI.mib and ZYXEL-ES_COMMON.mib) to collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the ISG50’s MIBs from www.zyxel.com. 52.11.
Chapter 52 System The following table describes the labels in this screen. Table 281 Configuration > System > SNMP LABEL DESCRIPTION Enable Select the check box to allow or disallow the computer with the IP address that matches the IP address(es) in the Service Control table to access the ISG50 using this service. Server Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
52.12 Language Screen
Click Configuration > System > Language to open the following screen. Use this screen to select a display language for the ISG50’s Web Configurator screens.
Figure 480 Configuration > System > Language
The following table describes the labels in this screen.
Table 282 Configuration > System > Language
LABEL    DESCRIPTION
Language Setting    Select a display language for the ISG50’s Web Configurator screens.
Chapter 53 Log and Report
53.1 Overview
Use these screens to configure daily reporting and log settings.
53.1.1 What You Can Do In this Chapter
• Use the Email Daily Report screen (Section 53.2 on page 705) to configure where and how to send daily reports and what reports to send.
• Use the Maintenance > Log Setting screens (Section 53.3 on page 707) to specify which log messages are e-mailed, where they are e-mailed, and how often they are e-mailed.
53.
Chapter 53 Log and Report Click Configuration > Log & Report > Email Daily Report to display the following screen. Configure this screen to have the ISG50 e-mail you system statistics every day.
Chapter 53 Log and Report The following table describes the labels in this screen. Table 283 Configuration > Log & Report > Email Daily Report LABEL DESCRIPTION Enable Email Daily Report Select this to send reports by e-mail every day. Mail Server Type the name or IP address of the outgoing SMTP server. Mail Subject Type the subject line for the outgoing e-mail. Select Append system name to add the ISG50’s system name to the subject.
server names, etc.) for any log. Alternatively, if you want to edit which events are included in each log, you can also use the Active Log Summary screen to edit this information for all logs at the same time.
53.3.1 Log Setting Summary
To access this screen, click Configuration > Log & Report > Log Setting.
Figure 482 Configuration > Log & Report > Log Setting
The following table describes the labels in this screen.
Chapter 53 Log and Report Table 284 Configuration > Log & Report > Log Setting (continued) LABEL DESCRIPTION Log Format This field displays the format of the log. Internal - system log; you can view the log on the View Log tab. VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatible format. CEF/Syslog - Common Event Format, syslog-compatible format. Summary This field is a summary of the settings for each log. Please see Section 53.3.2 on page 710 for more information.
Chapter 53 Log and Report 53.3.2 Edit System Log Settings The Log Settings Edit screen controls the detailed settings for each log in the system log (which includes the e-mail profiles). Go to the Log Settings Summary screen (see Section 53.3.1 on page 708), and click the system log Edit icon.
Chapter 53 Log and Report The following table describes the labels in this screen. Table 285 Configuration > Log & Report > Log Setting > Edit (System Log) LABEL DESCRIPTION E-Mail Server 1/2 Active Select this to send log messages and alerts according to the information in this section. You specify what kinds of log messages are included in log information and what kinds of log messages are included in alerts in the Active Log and Alert section.
Chapter 53 Log and Report Table 285 Configuration > Log & Report > Log Setting > Edit (System Log) (continued) LABEL E-mail Server 2 DESCRIPTION Use the E-Mail Server 2 drop-down list to change the settings for e-mailing logs to e-mail server 2 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 2 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 2.
53.3.3 Edit Log on USB Storage Setting
The Edit Log on USB Storage Setting screen controls the detailed settings for saving logs to a connected USB storage device. Go to the Log Setting Summary screen (see Section 53.3.1 on page 708), and click the USB storage Edit icon.
Figure 484 Configuration > Log & Report > Log Setting > Edit (USB Storage)
The following table describes the labels in this screen.
Chapter 53 Log and Report Table 286 Configuration > Log & Report > Log Setting > Edit (USB Storage) (continued) LABEL Selection DESCRIPTION Select what information you want to log from each Log Category (except All Logs; see below).
Chapter 53 Log and Report 53.3.4 Edit Remote Server Log Settings The Log Settings Edit screen controls the detailed settings for each log in the remote server (syslog). Go to the Log Settings Summary screen (see Section 53.3.1 on page 708), and click a remote server Edit icon.
Chapter 53 Log and Report The following table describes the labels in this screen. Table 287 Configuration > Log & Report > Log Setting > Edit (Remote Server) LABEL DESCRIPTION Log Settings for Remote Server Active Select this check box to send log information according to the information in this section. You specify what kinds of messages are included in log information in the Active Log section. Log Format This field displays the format of the log information. It is read-only.
names). To access this screen, go to the Log Settings Summary screen (see Section 53.3.1 on page 708), and click the Active Log Summary button.
Figure 486 Active Log Summary
This screen provides a different view and a different way of indicating which messages are included in each log and each alert. Please see Section 53.3.2 on page 710, where this process is discussed. (The Default category includes debugging messages generated by open source software.
Chapter 53 Log and Report Table 288 Configuration > Log & Report > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION E-mail Server 1 Use the E-Mail Server 1 drop-down list to change the settings for e-mailing logs to e-mail server 1 for all log categories. Using the System Log drop-down list to disable all logs overrides your e-mail server 1 settings. enable normal logs (green check mark) - e-mail log messages for all categories to e-mail server 1.
Chapter 53 Log and Report Table 288 Configuration > Log & Report > Log Setting > Active Log Summary (continued) LABEL DESCRIPTION Remote Server 1~4 For each remote server, select what information you want to log from each Log Category (except All Logs; see below).
Chapter 54 Call Detail Record (CDR)
54.1 Overview
This chapter shows you how to collect and manage Call Detail Records (CDRs) on the ISG50. Call Detail Records (CDRs) are telephone records containing details such as the time of call, duration of call, source telephone number and so on. The ISG50 has a built in CDR database that automatically stores calls made to or from its extensions. You can search the CDR database to find out details about your organization’s calls.
Chapter 54 Call Detail Record (CDR) CDR Database Management via PostgreSQL PostgreSQL is a database management system based on SQL (Structured Query Language). You can configure a PostgreSQL server to collect CDRs from the ISG50 and expand the capacity of telephone records you can collect and review. 54.2 The CDR Configuration Screen Use this screen to set up an external server to collect CDR information.
Chapter 54 Call Detail Record (CDR) Each field is described in the following table. Table 289 CDR > Configuration LABEL DESCRIPTION CDR Setting Database Usage This field indicates the percentage of records currently held by the database. When the local database is full, the ISG50 removes all the CDRs from the local database and creates an “Aged File” (a compressed file containing all the CDRs). Use the Aged File field to specify how to deal with the compressed file containing the CDRs.
Chapter 54 Call Detail Record (CDR) 5 Move the cdr.sql file to “PostgreSQL installed directory”/bin and change to this directory and execute the following command: psql -h localhost -U sqlzyxel < cdr.sql 6 After the script is successfully applied, your PostgreSQL server can work with the ISG50.
Chapter 55 File Manager
55.1 Overview
Configuration files define the ISG50’s settings. Shell scripts are files of commands that you can store on the ISG50 and run when you need them. You can apply a configuration file or run a shell script without the ISG50 restarting. You can store multiple configuration files and shell script files on the ISG50. You can edit configuration files or shell scripts in a text editor and upload them to the ISG50. Configuration files use a .
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 488 Configuration File / Shell Script: Example
    # enter configuration mode
    configure terminal
    # change administrator password
    username admin password 4321 user-type admin
    # configure lan1
    interface lan1
    ip address 172.23.37.240 255.255.255.0
    ip gateway 172.23.37.
Line 3 in the following example exits sub command mode.
    interface wan1
    ip address dhcp
    !
Lines 1 and 3 in the following example are comments and line 4 exits sub command mode.
    !
    interface wan1
    # this interface is a DHCP client
    !
Lines 1 and 2 are comments. Line 5 exits sub command mode.
Chapter 55 File Manager Configuration File Flow at Restart • If there is not a startup-config.conf when you restart the ISG50 (whether through a management interface or by physically turning the power off and back on), the ISG50 uses the system-default.conf configuration file with the ISG50’s default settings. • If there is a startup-config.conf, the ISG50 checks it for errors and applies it. If there are no errors, the ISG50 uses it and copies it to the lastgood.conf configuration file as a back up file.
Chapter 55 File Manager The following table describes the labels in this screen. Table 291 Maintenance > File Manager > Configuration File LABEL DESCRIPTION Rename Use this button to change the label of a configuration file on the ISG50. You can only rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. You cannot rename a configuration file to the name of another configuration file in the ISG50.
Chapter 55 File Manager Table 291 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION Apply Use this button to have the ISG50 use a specific configuration file. Click a configuration file’s row to select it and click Apply to have the ISG50 use that configuration file. The ISG50 does not have to restart in order to use a different configuration file, although you will need to wait for a few minutes while the system reconfigures.
Chapter 55 File Manager Table 291 Maintenance > File Manager > Configuration File (continued) LABEL DESCRIPTION File Name This column displays the label that identifies a configuration file. You cannot delete the following configuration files or change their file names. The system-default.conf file contains the ISG50’s default settings. Select this file and click Apply to reset all of the ISG50 settings to the factory defaults. This configuration file is included when you upload a firmware package.
Chapter 55 File Manager The firmware update can take up to five minutes. Do not turn off or reset the ISG50 while the firmware update is in progress! Figure 493 Maintenance > File Manager > Firmware Package The following table describes the labels in this screen. Table 292 Maintenance > File Manager > Firmware Package LABEL DESCRIPTION Boot Module This is the version of the boot module that is currently on the ISG50. Current Version This is the firmware version and the date created.
Chapter 55 File Manager After five minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following message appears in the status bar at the bottom of the screen. Figure 496 Firmware Upload Error 55.4 The Shell Script Screen Use shell script files to have the ISG50 use commands that you specify. Use a text editor to create the shell script files. They must use a “.zysh” filename extension.
Chapter 55 File Manager Each field is described in the following table. Table 293 Maintenance > File Manager > Shell Script LABEL DESCRIPTION Rename Use this button to change the label of a shell script file on the ISG50. You cannot rename a shell script to the name of another shell script in the ISG50. Click a shell script’s row to select it and click Rename to open the Rename File screen. Figure 498 Maintenance > File Manager > Shell Script > Rename Specify the new name for the shell script file.
Chapter 55 File Manager Table 293 Maintenance > File Manager > Shell Script (continued) LABEL DESCRIPTION Upload The bottom part of the screen allows you to upload a new or previously saved shell Shell Script script file from your computer to your ISG50. File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .zysh file you want to upload. Upload Click Upload to begin the upload process.
Chapter 56 Diagnostics
56.1 Overview
Use the diagnostics screens for troubleshooting.
56.1.1 What You Can Do in this Chapter
• Use the Maintenance > Diagnostics screen (see Section 56.2 on page 737) to generate a file containing the ISG50’s configuration and diagnostic information if you need to provide it to customer support during troubleshooting.
• Use the Maintenance > Diagnostics > Packet Capture screens (see Section 56.3 on page 739) to capture packets going through the ISG50.
Chapter 56 Diagnostics The following table describes the labels in this screen. Table 294 Maintenance > Diagnostics LABEL DESCRIPTION Filename This is the name of the most recently created diagnostic file. Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-dd hh:mm:ss. Size This is the size of the most recently created diagnostic file.
Chapter 56 Diagnostics 56.3 The Packet Capture Screen Use this screen to capture network traffic going through the ISG50’s interfaces. Studying these packet captures may help you identify network problems. Click Maintenance > Diagnostics > Packet Capture to open the packet capture screen. Note: New capture files overwrite existing files of the same name. Change the File Suffix field’s setting to avoid this.
Chapter 56 Diagnostics Table 296 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Host Port This field is configurable when you set the IP Type to any, tcp, or udp. Specify the port number of traffic to capture. Continuously capture and overwrite old ones Select this to have the ISG50 keep capturing traffic and overwriting old packet capture entries when the available storage space runs out.
Chapter 56 Diagnostics Table 296 Maintenance > Diagnostics > Packet Capture (continued) LABEL DESCRIPTION Capture Click this button to have the ISG50 capture packets according to the settings configured in this screen. You can configure the ISG50 while a packet capture is in progress although you cannot modify the packet capture settings. The ISG50’s throughput or performance may be affected while a packet capture is in progress.
Chapter 56 Diagnostics Table 297 Maintenance > Diagnostics > Packet Capture > Files (continued) LABEL DESCRIPTION File Name This column displays the label that identifies the file. The file name format is interface name-file suffix.cap. Size This column displays the size (in bytes) of a configuration file. Last Modified This column displays the date and time that the individual files were saved. 56.3.
Chapter 56 Diagnostics Click Maintenance > Diagnostics > Core Dump to open the following screen. Figure 505 Maintenance > Diagnostics > Core Dump The following table describes the labels in this screen. Table 298 Maintenance > Diagnostics > Core Dump LABEL DESCRIPTION Save core dump to USB storage (if ready) Select this to have the ISG50 save a process’s core dump to an attached USB storage device if the process terminates abnormally (crashes).
Chapter 56 Diagnostics The following table describes the labels in this screen. Table 299 Maintenance > Diagnostics > Core Dump > Files LABEL DESCRIPTION Remove Select files and click Remove to delete them from the ISG50. Use the [Shift] and/or [Ctrl] key to select multiple files. A pop-up window asks you to confirm that you want to delete. Download Click a file to select it and click Download to save it to your computer. # This column displays the number for each packet capture file entry.
Chapter 57 Packet Flow Explore
57.1 Overview
Use this to get a clear picture of how the ISG50 determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you with a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
57.1.1 What You Can Do in this Chapter
• Use the Routing Status screen (see Section 57.
Chapter 57 Packet Flow Explore Note: Once a packet matches the criteria of a routing rule, the ISG50 takes the corresponding action and does not perform any further flow checking.
Figure 511 Maintenance > Packet Flow Explore > Routing Status (Site-to-Site VPN)
Figure 512 Maintenance > Packet Flow Explore > Routing Status (Dynamic VPN)
Figure 513 Maintenance > Packet Flow Explore > Routing Status (Static-Dynamic Route)
Chapter 57 Packet Flow Explore Figure 514 Maintenance > Packet Flow Explore > Routing Status (Default WAN Trunk) Figure 515 Maintenance > Packet Flow Explore > Routing Status (Main Route) The following table describes the labels in this screen. Table 301 Maintenance > Packet Flow Explore > Routing Status LABEL DESCRIPTION Routing Flow This section shows you the flow of how the ISG50 determines where to route a packet. Click a function box to display the related settings in the Routing Table section.
Chapter 57 Packet Flow Explore Table 301 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION Metric This is the route’s priority among the displayed routes. Flags This indicates additional information for the route.
Chapter 57 Packet Flow Explore Table 301 Maintenance > Packet Flow Explore > Routing Status (continued) LABEL DESCRIPTION System Service Traffic This section displays information about traffic originating from the ISG50 itself. # This field is a sequential value, and it is not associated with any entry. Source This is the source IP address(es) from which the packets are sent. any means any IP address. Destination This is the destination IP address(es) to which the packets are transmitted.
Chapter 57 Packet Flow Explore Note: Once a packet matches the criteria of an SNAT rule, the ISG50 takes the corresponding action and does not perform any further flow checking.
Chapter 57 Packet Flow Explore The following table describes the labels in this screen. Table 302 Maintenance > Packet Flow Explore > SNAT Status LABEL DESCRIPTION SNAT Flow This section shows you the flow of how the ISG50 changes the source IP address for a packet according to the rules you have configured in the ISG50. Click a function box to display the related settings in the SNAT Table section.
Chapter 58 Reboot
58.1 Overview
Use this to restart the device (for example, if the device begins behaving erratically). See also Section 1.7 on page 35 for information on different ways to start and stop the ISG50.
58.1.1 What You Need To Know
If you applied changes in the Web configurator, these were saved automatically and do not change when you reboot. If you made changes in the CLI, however, you have to use the write command to save the configuration before you reboot.
Chapter 59 Shutdown
59.1 Overview
Use this to shut down the device in preparation for disconnecting the power. See also Section 1.7 on page 35 for information on different ways to start and stop the ISG50. Always use the Maintenance > Shutdown > Shutdown screen or the “shutdown” command before you turn off the ISG50 or remove the power. Not doing so can cause the firmware to become corrupt.
59.1.1 What You Need To Know
Shutdown writes all cached data to the local storage and stops the system processes.
Chapter 60 Extension Portal
60.1 Overview
Use the extension portal to make calls via the web phone and manage settings for individual users. The extension portal is an HTML-based phone as well as a management tool that allows users to manage some of the settings related to their telephone extension. Each extension created on the ISG50 has an associated account which allows it to log into the extension portal. When you log in to the extension portal you can pick up and make calls using your browser.
• Use the Call Recording screen to play back calls you recorded on your extension. See Section 60.6 on page 764.
60.1.2 What You Need to Know
The following terms and concepts may help you as you read through the chapter.
Extension Portal Login
1 Open Internet Explorer (the extension portal supports Internet Explorer).
2 Type “https://” and the IP address of the ISG50 (for example, the default LAN IP address is 192.168.1.1) in the Location or Address field. Press [ENTER].
Chapter 60 Extension Portal 60.2 Web Phone Use this screen to make calls from the web phone. To access this screen, click the Web Phone tab in the extension portal. Figure 525 Web Phone Each field is described in the following table. Table 303 Web Phone LABEL DESCRIPTION Phone Book Click the Phone Book tab on the right side of the Web Phone screen to display or hide the phone book feature.
Chapter 60 Extension Portal 60.3 Peer Info Use this screen to manage the passwords associated with your extension. To access this screen, click Peer info. Note: Some of the fields are not applicable for FXS extensions and do not display when analog phone users log into the personal extension portal. Figure 526 Peer Info Each field is described in the following table. Table 304 Peer Info LABEL DESCRIPTION Group This is a read-only field showing the authority group this extension belongs to. SIP Auth.
Chapter 60 Extension Portal 60.4 Call Forwarding and Blocking Use this screen to set up call forwarding and call blocking rules for your extension. To access this screen, click Forward/Block in the extension portal.
Chapter 60 Extension Portal Each field is described in the following table. Table 305 Forward/Block LABEL DESCRIPTION Call Forward Settings Use this section to configure call forwarding settings for your extension. Office Hour The ISG50 has separate rules for call forwarding during office hours than after office hours. For information, see Chapter 43 on page 595. Select Authority Group to have the extension use the office hours defined for the authority group to which it belongs.
Chapter 60 Extension Portal Table 305 Forward/Block (continued) LABEL DESCRIPTION No Answer Forward Select Disable to turn this feature off for this extension. Select Enable to forward all incoming calls to the extensions specified in the Find Me List when this extension is not answered within the default ring time. Use the Add, Edit, and Remove icons to create, modify, or delete Find Me List entries. Select Voice Mail to forward calls directly to voice mail.
Chapter 60 Extension Portal Each field is described in the following table. Table 306 Voice Mail LABEL DESCRIPTION Received E-mail Address Specify the e-mail address you want to forward your voice message notifications to. If you select the Attached Voice File option, then complete voice messages are sent to this email address. Attached Voice File Select this feature if you want complete voice messages to be sent to the e-mail address you specified in the Received E-mail Address field.
Chapter 61 Troubleshooting
This chapter offers some suggestions to solve problems you might encounter.
• You can also refer to the logs (see Chapter 10 on page 220). For individual log descriptions, see the User’s Guide Appendix A on page 775.
• For the order in which the ISG50 applies its features and checks, see Section 6.5 on page 94.
None of the LEDs turn on.
Make sure that you have the power cord connected to the ISG50 and plugged in to an appropriate power source.
Chapter 61 Troubleshooting • If you’ve forgotten the ISG50’s IP address, you can use the commands through the console port to check it. Connect your computer to the CONSOLE port using a console cable. Your computer should have a terminal emulation communications program (such as HyperTerminal) set to VT100 terminal emulation, no parity, 8 data bits, 1 stop bit, no flow control and 115200 bps port speed. I cannot access the Internet.
Chapter 61 Troubleshooting • The format of interface names other than the Ethernet interface names is very strict. Each name consists of 2-4 letters (interface type), followed by a number (x, limited by the maximum number of each type of interface). For example, VLAN interfaces are vlan0, vlan1, vlan2, ...; and so on. • The names of virtual interfaces are derived from the interfaces on which they are created.
• Make sure the cellular interface has the correct user name, password, and PIN code configured with the correct casing.
• If the ISG50 has multiple WAN interfaces, make sure their IP addresses are on different subnets.
I cannot configure a particular VLAN interface on top of an Ethernet interface even though I have configured it on top of another Ethernet interface.
Each VLAN interface is created on top of only one Ethernet interface.
• You may need to configure the DDNS entry’s IP Address setting to Auto if the interface has a dynamic IP address or there are one or more NAT routers between the ISG50 and the DDNS server.
• The ISG50 may not determine the proper IP address if there is an HTTP proxy server between the ISG50 and the DDNS server.
I cannot create a second HTTP redirect rule for an incoming interface.
You can configure up to one HTTP redirect rule for each (incoming) interface.
• The ISG50’s local and peer ID type and content must match the remote IPSec router’s peer and local ID type and content, respectively.
• The ISG50 and remote IPSec router must use the same active protocol.
• The ISG50 and remote IPSec router must use the same encapsulation.
• The ISG50 and remote IPSec router must use the same SPI.
The ISG50 automatically updates address objects based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. However, you need to manually edit any address objects for your LAN that are not based on the interface.
I cannot get the RADIUS server to authenticate the ISG50’s default admin account.
The default admin account is always authenticated locally, regardless of the authentication method setting.
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate.
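One way to check which of the formats listed above a file is in before importing it, as an added Python example (not from the ZyXEL guide). It looks only at the outer ASN.1 shape, so it tells the formats apart but does not validate a certificate; the function names are hypothetical and the sample byte strings are constructed skeletons, not real certificates.

```python
import base64
import re

# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PEM_LABELS = {"CERTIFICATE": "x509", "PKCS7": "pkcs7"}


def read_header(buf, pos=0):
    """Parse one DER tag/length header; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the data")
    return tag, pos, pos + length


def classify_der(der):
    """Return 'x509', 'pkcs7' or 'unknown' from the outer ASN.1 structure only."""
    try:
        tag, start, end = read_header(der)
        # A DER file is one SEQUENCE that spans the whole file.
        if tag != 0x30 or end != len(der):
            return "unknown"
        inner_tag, inner_start, inner_end = read_header(der, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:                 # Certificate starts with tbsCertificate
        return "x509"
    if inner_tag == 0x06 and der[inner_start:inner_end] == PKCS7_SIGNED_DATA:
        return "pkcs7"                    # ContentInfo starts with a content-type OID
    return "unknown"


def detect(data):
    """Return (encoding, structure) for the raw contents of a certificate file."""
    m = PEM_BLOCK.search(data)
    if m is None:
        return "binary", classify_der(data)
    label = m.group(1).decode("ascii")
    try:
        der = base64.b64decode(m.group(2))
    except ValueError:
        return "pem", "unknown"
    structure = classify_der(der)
    # The PEM label and the decoded structure must agree.
    if PEM_LABELS.get(label) != structure:
        structure = "unknown"
    return "pem", structure


# Constructed skeletons: just enough ASN.1 to show each format's outer shape.
X509_SKELETON = bytes.fromhex("30023000")
PKCS7_SKELETON = bytes.fromhex("300d0609") + PKCS7_SIGNED_DATA + bytes.fromhex("a000")


def to_pem(der, label):
    """Wrap DER bytes in PEM armour with the given label (bytes)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN " + label + b"-----\n" + body + b"-----END " + label + b"-----\n"


if __name__ == "__main__":
    for name, blob in [
        ("binary X.509", X509_SKELETON),
        ("binary PKCS#7", PKCS7_SKELETON),
        ("PEM X.509", to_pem(X509_SKELETON, b"CERTIFICATE")),
        ("mislabelled PEM", to_pem(PKCS7_SKELETON, b"CERTIFICATE")),
    ]:
        print(name, "->", detect(blob))
```

A result of "unknown" means the file should be inspected before any import is attempted.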
The commands in my configuration file or shell script are not working properly.
• In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the ISG50 treat the line as a comment.
• Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the ISG50 exit sub command mode.
• Include write commands in your scripts. Otherwise the changes will be lost when the ISG50 restarts.
61.1 Resetting the ISG50
If you cannot access the ISG50 by any method, try restarting it by turning the power off and then on again. If you still cannot access the ISG50 by any method or you forget the administrator password(s), you can reset the ISG50 to its factory-default settings. Any configuration files or shell scripts that you saved on the ISG50 should still be available afterwards.
Use the following procedure to reset the ISG50 to its factory-default settings.
APPENDIX A Log Descriptions
This appendix provides descriptions of example log messages for the ISG50. The logs do not all apply to all of the ISG50s. You will not necessarily see all of these logs in your device.
The PBX call service logs deal with call service errors.
Table 308 PBX Call Service Logs
LOG MESSAGE | DESCRIPTION
The call from extension %s was hung up due to emergency call is coming. | The listed extension’s call was disconnected to free up resources for an emergency call.
Appendix A Log Descriptions Table 308 PBX Call Service Logs (continued) LOG MESSAGE DESCRIPTION The call was reject due to there are % memebrs in conference. Conference licenses have reached the maximun number of %d. The call was reject due to teher are % memebrs in conference room %s The call was rejected because there are % memebrs in conference room %s .
The PBX dialplan logs deal with dialplan information and errors.
Table 310 PBX Dialplan Logs
LOG MESSAGE | DESCRIPTION
ACD agent %s called to extension %s has failed due to extension is busy. | The call failed because the ACD agent was busy.
ACD agent %s call to extension %s has failed due to extension didn't answer. | The call failed because the ACD agent did not answer.
ACD agent %s call to extension %s has failed due to extension didn't register.
Table 310 PBX Dialplan Logs (continued)
LOG MESSAGE | DESCRIPTION
The call from extension %s was blocked due to no caller ID. | A call from the specified extension was blocked because it did not provide caller ID.
The call from extension was blocked due to caller id is in callee block list. | A call was blocked because the caller ID is in the callee’s block list.
The call from extension %s to extension %s has been forwarded to voicemail due to after office hour.
Table 310 PBX Dialplan Logs (continued)
LOG MESSAGE | DESCRIPTION
The incoming call dials number is an invalid number | The incoming call dialed an invalid number.
The incoming call does not presses any number. | The caller did not dial any number in the Auto-Attendant menu before the time out period.
The find-me list forward failed. | Call forwarding failed because the extension did not have any numbers configured in the find-me list.
Table 310 PBX Dialplan Logs (continued)
LOG MESSAGE | DESCRIPTION
Mobile extension %s logon failed. The inputing PIN code is incorrect. | The listed mobile extension failed to log on because the PIN code was not input properly.
Mobile extension %s logoff successfully. | The listed mobile extension logged off successfully.
Mobile extension %s logoff failed. The mobile extension is an invalid number. | The listed mobile extension failed to log off because there is no such number.
The PBX SIP logs deal with SIP information and errors.
Table 311 PBX SIP Logs
LOG MESSAGE | DESCRIPTION
The call %s peer '%s' was rejected due to the call reaches the call limit of %d. | The call was rejected because it exceeded the call limit. 1st %s: Call direction, from or to. 2nd %s: Peer name. 3rd %d: Call limit.
The call was rejected by peer device %s. Received 403 Forbidden SIP reply from peer device. | The call was rejected by the peer device.
Table 311 PBX SIP Logs (continued)
LOG MESSAGE | DESCRIPTION
Call rejected due to SDP issue (Got "488 Not acceptable here"). | There was an SDP processing error.
Call rejected due to unacceptable codecs.. | The call was rejected because of unacceptable codecs (received a 488 Not acceptable here SIP reply).
Call rejected due to callee does not support required crypto. | The target does not support required encryption.
Call rejected due to no compatible codecs.
Appendix A Log Descriptions Table 311 PBX SIP Logs (continued) LOG MESSAGE DESCRIPTION Unknown SIP response. Response code: %d. Response method: %s. Address: %s. The ISG50 received an unknown SIP response. 1st %d: Response code 1st %s: Response method 2nd %s: Address Registration from extension '%s' failed for '%s'. Reason: %s. The listed extension’s registration failed. 1st %s: "To" header from Request 2nd %s: Request address 3rd %s: Reason The call can't be configured as peer-topeer call.
The PBX trunk logs deal with the SIP trunk being disconnected or recovered.
Table 312 PBX Trunk Logs
LOG MESSAGE | DESCRIPTION
The SIP trunk %s is disconnected. | The SIP trunk %s is disconnected.
The SIP trunk %s is disconnected over %d minutes. | The SIP trunk %s has been disconnected for over %d mins.
The SIP trunk %s is recovered. | The SIP trunk %s is recovered.
Appendix A Log Descriptions Table 314 PBX Physical Port Logs (continued) LOG MESSAGE DESCRIPTION FXO port %u is down. The listed FXO port is offline. 1st %u: Port number FXS initialization has succeeded. FXS module initialization succeeded. FXS initialization has failed. FXS module initialization failed. Table 315 PBX Default Logs LOG MESSAGE DESCRIPTION Extension '%s' makes call to extension '%s' is terminated due to the Max. Call Time timeout.
Appendix A Log Descriptions Table 315 PBX Default Logs (continued) LOG MESSAGE DESCRIPTION Phonebook LDAP server Base DN is empty. The ISG50 tried to perform an automatic LDAP phonebook update and found that the LDAP server Base DN was not configured. LDAP phonebook refresh failed due to LDAP is not activate. The LDAP phonebook refresh failed because the LDAP server was not active. Phonebook LDAP server update failed due to wrong server IP or port.
Table 315 PBX Default Logs (continued)
LOG MESSAGE | DESCRIPTION
Failed login attempt to Extension Portal due to the extesion is blank | An extension portal login attempt failed due to the extension being blank.
Extension [%s] has logged in Extension Portal | The user of the specified extension {Extension Number} has logged into the extension portal. 1st %s: Extension number
The ZySH logs deal with internal system errors.
Table 316 ZySH Logs (continued)
LOG MESSAGE | DESCRIPTION
can't get reference count: %s! | 1st:zysh list name
can't print entry name: %s! | 1st:zysh entry name
Can't append entry: %s! | 1st:zysh entry name
Can't set entry: %s! | 1st:zysh entry name
Can't define entry: %s! | 1st:zysh entry name
%s: list is full! | 1st:zysh list name
Can't undefine %s | 1st:zysh list name
Can't remove %s | 1st:zysh list name
Table OPS
%s: cannot retrieve entries from table! | 1st:zysh table name
Appendix A Log Descriptions Table 317 ADP Logs LOG MESSAGE DESCRIPTION from to [type=] , Action: , Severity: The ISG50 detected an anomaly in traffic traveling between the specified zones. The = {scan-detection() | flooddetection() | http-inspection() | tcpdecoder()}. The gives details about the attack, although the message is dropped if the log is more than 128 characters.
Table 318 User Logs
LOG MESSAGE | DESCRIPTION
%s %s from %s has logged in ISG50 | A user logged into the ISG50. 1st %s: The type of user account. 2nd %s: The user’s user name. 3rd %s: The name of the service the user is using (HTTP, HTTPS, FTP, Telnet, SSH, or console).
%s %s from %s has logged out ISG50 | A user logged out of the ISG50. 1st %s: The type of user account. 2nd %s: The user’s user name.
Table 318 User Logs (continued)
LOG MESSAGE | DESCRIPTION
Failed login attempt to ISG50 from %s (reach the max. number of simultaneous logon) | The ISG50 blocked a login because the maximum simultaneous login capacity for the administrator or access account has already been reached.
User %s has been denied access from %s | The ISG50 blocked a login according to the access control configuration.
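The User Logs templates above can be turned into match patterns for log review. This added Python example (not ZyXEL code) compiles the printf-style templates from Table 318 into regular expressions and tallies blocked logins over constructed sample messages; it assumes each %s field holds no whitespace and that the input is the message text without any syslog prefix. The page does not say what the %s fields of the two failure messages contain, so the sample uses service names there as an assumption.

```python
import re
from collections import Counter

# Message templates copied from Table 318 (User Logs) on this page.
TEMPLATES = {
    "login": "%s %s from %s has logged in ISG50",
    "logout": "%s %s from %s has logged out ISG50",
    "max_sessions": "Failed login attempt to ISG50 from %s "
                    "(reach the max. number of simultaneous logon)",
    "denied": "User %s has been denied access from %s",
}

SPEC = re.compile(r"%[sdu]")


def compile_template(template):
    """Build a regex from a printf-style template: literal text is escaped,
    %s becomes one whitespace-free token (assumption), %d/%u become digits."""
    out, pos = [], 0
    for m in SPEC.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        out.append(r"(\S+)" if m.group() == "%s" else r"(\d+)")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("".join(out))


PATTERNS = {name: compile_template(t) for name, t in TEMPLATES.items()}


def classify(message):
    """Return (event_name, captured_fields) or None if no template matches."""
    text = message.strip()
    for name, pattern in PATTERNS.items():
        m = pattern.fullmatch(text)
        if m:
            return name, m.groups()
    return None


def summarize(messages, threshold=3):
    """Tally blocked logins and list accounts denied at least `threshold` times."""
    denied_by_user = Counter()
    blocked_by_origin = Counter()
    sessions = Counter()            # (account type, user) -> logins minus logouts
    unmatched = 0
    for msg in messages:
        hit = classify(msg)
        if hit is None:
            unmatched += 1
            continue
        event, fields = hit
        if event == "denied":
            user, origin = fields
            denied_by_user[user] += 1
            blocked_by_origin[origin] += 1
        elif event == "max_sessions":
            blocked_by_origin[fields[0]] += 1
        elif event == "login":
            sessions[fields[:2]] += 1
        elif event == "logout":
            sessions[fields[:2]] -= 1
    return {
        "flagged_users": sorted(u for u, n in denied_by_user.items() if n >= threshold),
        "blocked_by_origin": dict(blocked_by_origin),
        "open_sessions": {k: n for k, n in sessions.items() if n > 0},
        "unmatched": unmatched,
    }


# Constructed sample messages; account types, user names and origins are made up.
SAMPLE = [
    "admin admin from HTTPS has logged in ISG50",
    "User guest1 has been denied access from TELNET",
    "User guest1 has been denied access from TELNET",
    "User guest1 has been denied access from SSH",
    "Failed login attempt to ISG50 from HTTP (reach the max. number of simultaneous logon)",
    "user bob from SSH has logged in ISG50",
    "user bob from SSH has logged out ISG50",
    "NTP update failed",            # a System Logs message, matches no user template
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```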
Appendix A Log Descriptions Table 319 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Trial service activation has failed. Because of lack must fields. The device received an incomplete response from the myZyXEL.com server and it caused a parsing error for the device. Standard service activation has failed:%s. Standard service activation failed, this log will append an error message returned by the MyZyXEL.com server. Standard service activation has succeeded.
Appendix A Log Descriptions Table 319 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Verify server's certificate has failed. Update stop. The device could not process an HTTPS connection because it could not verify the myZyXEL.com server's certificate. The update has stopped. Send download request to update server has failed. The device’s attempt to send a download message to the update server failed. Get server response has failed. The device sent packets to the MyZyXEL.
Table 319 myZyXEL.com Logs (continued)
LOG MESSAGE | DESCRIPTION
Expiration dailycheck has failed:%s. | The daily check for service expiration failed. An error message returned by the MyZyXEL.com server will be appended to this log. %s: error message returned by myZyXEL.com server
Do expiration dailycheck has failed. Because of lack must fields.
Appendix A Log Descriptions Table 319 myZyXEL.com Logs (continued) LOG MESSAGE DESCRIPTION Certification verification failed: Depth: %d, Error Number(%d):%s. Verification of a server’s certificate failed while processing an HTTPS connection. This log identifies the reason for the failure. 1st %d: certificate chain level 2nd %d: error number %s: error message Certificate issuer name:%s. Verification of the specified certificate failed because the device could not get the certificate’s issuer name.
Table 320 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
[ID] : Tunnel [%s] Phase 2 Remote ID mismatch | %s is the tunnel name. When negotiating Phase-2 and checking IPsec SAs or the ID is IPv6 ID.
[ID] : Tunnel [%s] Remote IP mismatch | %s is the tunnel name. When negotiating Phase-1, the peer tunnel IP did not match the secure gateway address in VPN gateway.
[SA] : Malformed IPSec SA proposal | When selecting a matched proposal, some protocol was given more than once.
Table 320 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
[SA] : Tunnel [%s] Phase 2 SA protocol mismatch | %s is the tunnel name. When negotiating Phase-2, the SA protocol did not match.
[SA] : Tunnel [%s] SA sequence size mismatch | %s is the tunnel name. When negotiating Phase-2, the SA sequence size did not match.
Table 320 IKE Logs (continued)
LOG MESSAGE | DESCRIPTION
The cookie pair is : 0x%08x%08x / 0x%08x%08x | Indicates the initiator/responder cookie pair.
The IPSec tunnel "%s" is already established | %s is the tunnel name. When dialing a tunnel, the tunnel is already dialed.
Tunnel [%s] built successfully | %s is the tunnel name. The phase-2 tunnel negotiation is complete.
Tunnel [%s] Phase 1 pre-shared key mismatch | %s is the tunnel name.
Appendix A Log Descriptions Table 320 IKE Logs (continued) LOG MESSAGE DESCRIPTION Tunnel [%s:%s] Sending IKE request The variables represent the phase 1 name and tunnel name. The device sent an IKE request. Tunnel [%s:0x%x] is disconnected The variables represent the tunnel name and the SPI of a tunnel that was disconnected. Tunnel [%s] rekeyed successfully %s is the tunnel name. The tunnel was rekeyed successfully.
Appendix A Log Descriptions Table 322 Firewall Logs LOG MESSAGE DESCRIPTION priority:%lu, from %s to %s, service %s, %s 1st variable is the global index of rule, 2nd is the from zone, %s:%d: in %s(): Firewall is dead, trace to %s is which file, %d is which line, %s is which function Firewall has been %s. %s is enabled/disabled Firewall rule %d has been moved to %d. 1st %d is the old global index of rule, 2nd %d is the new global index of rule Firewall rule %d has been deleted.
Appendix A Log Descriptions Table 324 Policy Route Logs LOG MESSAGE DESCRIPTION Can't open bwm_entries Policy routing can't activate BWM feature. Can't open link_down Policy routing can't detect link up/down status. Cannot get handle from UAM, user-aware PR is disabled User-aware policy routing is disabled due to some reason. mblock: allocate memory failed! Allocating policy routing rule fails: insufficient memory.
Table 324 Policy Route Logs (continued)
LOG MESSAGE | DESCRIPTION
Interface %s alive, related policy route rules will be reenabled | An interface came back up so the ISG50 will use the related policy route rules again.
Interface %s dead, | An interface went down so the ISG50 will stop using the related policy route rules.
Appendix A Log Descriptions Table 325 Built-in Services Logs (continued) LOG MESSAGE DESCRIPTION TELNET port has been changed to port %s. An administrator changed the port number for TELNET. TELNET port has been changed to default port. An administrator changed the port number for TELNET back to the default (23). FTP certificate:%s does not exist. An administrator assigned a nonexistent certificate to FTP. FTP port has been changed to port %s. An administrator changed the port number for FTP.
Appendix A Log Descriptions Table 325 Built-in Services Logs (continued) LOG MESSAGE DESCRIPTION DNS access control rule %u has been appended An administrator appended a new rule. DNS access control rule %u has been modified An administrator modified the rule %u. DNS access control rule %u has been deleted. An administrator removed the rule %u. DNS access control rule %u has been moved to %d. An administrator moved the rule %u to index %d.
Appendix A Log Descriptions Table 325 Built-in Services Logs (continued) LOG MESSAGE DESCRIPTION Access control rule %u of %s was appended. A new built-in service access control rule was appended. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. Access control rule %u of %s was inserted. An access control rule was inserted successfully. %u is the index of the access control rule. %s is HTTP/HTTPS/SSH/SNMP/FTP/TELNET. Access control rule %u of %s was modified.
Table 326 System Logs (continued)
LOG MESSAGE | DESCRIPTION
DHCP Server executed with cautious mode enabled | DHCP Server executed with cautious mode enabled.
DHCP Server executed with cautious mode disabled | DHCP Server executed with cautious mode disabled.
Received packet is not an ARP response packet | A packet was received but it is not an ARP response packet.
Receive an ARP response | The device received an ARP response.
Appendix A Log Descriptions Table 326 System Logs (continued) LOG MESSAGE DESCRIPTION NTP update failed The device was not able to synchronize with the NTP time server successfully. Device is rebooted by administrator! An administrator restarted the device. Insufficient memory. Cannot allocate system memory. Connect to dyndns server has failed. Cannot connect to members.dyndns.org to update DDNS. Update the profile %s has failed because of strange server response.
Appendix A Log Descriptions Table 326 System Logs (continued) LOG MESSAGE DESCRIPTION Update the profile %s has failed because the feature requested is only available to donators. Update profile failed because the feature requested is only available to donators, %s is the profile name. Update the profile %s has failed because of error response. Update profile failed because the response is incorrect, %s is the profile name.
Table 326 System Logs (continued)
LOG MESSAGE | DESCRIPTION
DDNS profile %s has been renamed as %s. | A DDNS profile was renamed. 1st %s is the original profile name, 2nd %s is the new profile name.
DDNS profile %s has been deleted. | A DDNS profile was deleted. %s is the profile name.
DDNS Initialization has failed. | DDNS initialization failed.
All DDNS profiles are deleted | All DDNS profiles have been removed.
Collect Diagnostic Information has failed - Server did not respond.
Table 327 Connectivity Check Logs (continued)
LOG MESSAGE | DESCRIPTION
The connectivitycheck is activate for %s interface | The interface’s link status is still active after the connectivity check.
The connectivitycheck is fail for %s interface | The interface’s link status is failed after the connectivity check.
Can't get gateway IP of %s interface | The connectivity check process can't get the gateway IP address for the specified interface.
Appendix A Log Descriptions Table 327 Connectivity Check Logs (continued) LOG MESSAGE DESCRIPTION The %s routing status seted ACTIVATE by connectivity-check The interface routing can forward packet. The link status of %s interface is inactive The specified interface failed a connectivity check.
Table 328 Routing Protocol Logs (continued)
LOG MESSAGE | DESCRIPTION
RIP text authentication key has been deleted. | RIP text authentication key has been deleted.
RIP md5 authentication id and key have been deleted. | RIP md5 authentication id and key have been deleted.
RIP global version has been deleted. | RIP global version has been deleted.
RIP redistribute OSPF routes has been disabled. | RIP redistribute OSPF routes has been disabled.
Appendix A Log Descriptions Table 328 Routing Protocol Logs (continued) LOG MESSAGE DESCRIPTION Invalid OSPF virtuallink %s authentication of area %s. Virtual-link %s authentication has been set to same-as-area but the area has invalid authentication configuration. %s: Virtual-Link ID Invalid OSPF md5 authentication on interface %s. Invalid OSPF md5 authentication is set on interface %s. %s: Interface Name Invalid OSPF text authentication on interface %s.
Table 330 PKI Logs
LOG MESSAGE | DESCRIPTION
Generate X509certifiate "%s" successfully | The router created an X509 format certificate with the specified name.
Generate X509 certificate "%s" failed, errno %d | The router was not able to create an X509 format certificate with the specified name. See Table 331 on page 816 for details about the error number.
Generate certificate request "%s" successfully | The router created a certificate request with the specified name.
Appendix A Log Descriptions Table 330 PKI Logs (continued) LOG MESSAGE DESCRIPTION Import PKCS#7 certificate "%s" into "My Certificate" successfully The device imported a PKCS#7 format certificate into My Certificates. %s is the certificate request name. Import PKCS#7 certificate "%s" into "Trusted Certificate" successfully The device imported a PKCS#7 format certificate into Trusted Certificates. %s is the certificate request name.
Table 331 Certificate Path Verification Failure Reason Codes
CODE | DESCRIPTION
1 | Algorithm mismatch between the certificate and the search constraints.
2 | Key usage mismatch between the certificate and the search constraints.
3 | Certificate was not valid in the time interval.
4 | (Not used)
5 | Certificate is not valid.
6 | Certificate signature was not verified correctly.
7 | Certificate was revoked by a CRL.
8 | Certificate was not added to the cache.
Appendix A Log Descriptions Table 332 Interface Logs (continued) LOG MESSAGE DESCRIPTION Interface %s has been added. An administrator added a new interface. %s: interface name. Interface %s is enabled. An administrator enabled an interface. %s: interface name. Interface %s is disabled. An administrator disabled an interface. %s: interface name. %s MTU > (%s MTU - 8), %s may not work correctly.
Table 332 Interface Logs (continued)
LOG MESSAGE | DESCRIPTION
Interface %s connect failed: MS-CHAP authentication failed. | MS-CHAP authentication failed (the server must support MS-CHAP and verify that the authentication failed, this does not include cases where the server does not support MS-CHAP). %s: interface name.
Interface %s connect failed: CHAP authentication failed.
Appendix A Log Descriptions Table 332 Interface Logs (continued) LOG MESSAGE DESCRIPTION "SIM card has been successfully unlocked by PUK code on interface cellular%d. You entered the correct PUK code and unlocked the SIM card for the cellular device associated with the listed cellular interface (%d). "Incorrect PUK code of interface cellular%d. Please check the PUK code setting.
Appendix A Log Descriptions Table 332 Interface Logs (continued) LOG MESSAGE DESCRIPTION "Cellular device [%s %s] has been removed from %s. The cellular device (identified by its manufacturer and model) has been removed from the specified slot. Interface cellular%d required authentication password.Please set password in cellular%d edit page. You need to manually enter the password for the listed cellular interface (%d). "Cellular%d (IMSI=%s or ESN=%s) over time budget!(budget = %d seconds).
Table 332 Interface Logs (continued)
LOG MESSAGE | DESCRIPTION
Configured interface name match reserved prefix. | A reserved prefix was not permitted to be used in an interface name.
Duplicated interface name. | A duplicate name was not permitted for an interface.
This Interface can not be renamed. | An interface’s name cannot be changed.
Virtual interface is not supported on this type of interface.
Table 332 Interface Logs (continued)
LOG MESSAGE | DESCRIPTION
name=%s,status=%s,TxPkts=%u, RxPkts=%u,Colli.=%u,TxB/s=%u, RxB/s=%u,UpTime=%s | This log is sent to the VRPT server to show the specified PPP/Cellular interface’s statistics and uptime.
Interface %s has been renamed from '%s' to '%s ' | The user-configurable name of the specified interface (internal system name) has been renamed from one name to another.
Appendix A Log Descriptions Table 335 Force Authentication Logs LOG MESSAGE DESCRIPTION Force User Authentication will be enabled due to http server is enabled. Force user authentication will be turned on because HTTP server was turned on. Force User Authentication will be disabled due to http server is disabled. Force user authentication will be turned off because HTTP server was turned off.
Appendix A Log Descriptions Table 337 DHCP Logs LOG MESSAGE DESCRIPTION Can't find any lease for this client - %s, DHCP pool full! All of the IP addresses in the DHCP pool are already assigned to DHCP clients, so there is no IP address to give to the listed DHCP client. DHCP server offered %s to %s(%s) The DHCP server feature gave the listed IP address to the computer with the listed hostname and MAC address.
Appendix A Log Descriptions Table 339 IP-MAC Binding Logs LOG MESSAGE DESCRIPTION Drop packet %s%u.%u.%u.%u%02X:%02X:%02X:%02X: %02X:%02X The IP-MAC binding feature dropped an Ethernet packet. The interface the packet came in through and the sender’s IP address and MAC address are also shown. Cannot bind ip-mac from dhcpd: %s#%u.%u.%u.%u#%02X: %02X:%02X:%02X:%02X: %02X. The IP-MAC binding feature could not create an IP-MAC binding hash table entry.
APPENDIX B Common Services
The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.
• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service.
Table 341 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce.
ICMP | User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes.
ICQ | UDP | 4000 | This is a popular Internet chat program.
Table 341 Commonly Used Services (continued)
NAME | PROTOCOL | PORT(S) | DESCRIPTION
SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP | TCP/UDP | 161 | Simple Network Management Program.
SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215).
APPENDIX C Importing Certificates
This appendix shows you how to import public key certificates into your web browser. Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.
1 If your device’s Web Configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.
Figure 530 Internet Explorer 7: Certification Error
2 Click Continue to this website (not recommended).
Figure 531 Internet Explorer 7: Certification Error
3 In the Address Bar, click Certificate Error > View certificates.
4 In the Certificate dialog box, click Install Certificate.
Figure 533 Internet Explorer 7: Certificate
5 In the Certificate Import Wizard, click Next.
6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.
Figure 535 Internet Explorer 7: Certificate Import Wizard
7 Otherwise, select Place all certificates in the following store and then click Browse.
Figure 536 Internet Explorer 7: Certificate Import Wizard
8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.
9 In the Completing the Certificate Import Wizard screen, click Finish.
Figure 538 Internet Explorer 7: Certificate Import Wizard
10 If you are presented with another Security Warning, click Yes.
Figure 539 Internet Explorer 7: Security Warning
11 Finally, click OK when presented with the successful certificate installation message.
12 The next time you start Internet Explorer and go to a ZyXEL Web Configurator page, a sealed padlock icon appears in the address bar. Click it to view the page’s Website Identification information.
2 In the security warning dialog box, click Open.
Figure 543 Internet Explorer 7: Open File - Security Warning
3 Refer to steps 4-12 in the Internet Explorer procedure beginning on page 831 to complete the installation process.
Removing a Certificate in Internet Explorer
This section shows you how to remove a public key certificate in Internet Explorer 7.
1 Open Internet Explorer and click Tools > Internet Options.
2 In the Internet Options dialog box, click Content > Certificates.
Figure 545 Internet Explorer 7: Internet Options
3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.
4 In the Certificates confirmation, click Yes.
Figure 547 Internet Explorer 7: Certificates
5 In the Root Certificate Store dialog box, click Yes.
Figure 548 Internet Explorer 7: Root Certificate Store
6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
2 Select Accept this certificate permanently and click OK.
Figure 549 Firefox 2: Website Certified by an Unknown Authority
3 The certificate is stored and you can now connect securely to the Web Configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page’s security information.
1 Open Firefox and click Tools > Options.
Figure 551 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, click Web Sites > Import.
Figure 553 Firefox 2: Certificate Manager
4 Use the Select File dialog box to locate the certificate and then click Open.
Figure 554 Firefox 2: Select File
5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page’s security information.
Removing a Certificate in Firefox
This section shows you how to remove a public key certificate in Firefox 2.
1 Open Firefox and click Tools > Options.
Figure 555 Firefox 2: Tools Menu
2 In the Options dialog box, click Advanced > Encryption > View Certificates.
3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.
Figure 557 Firefox 2: Certificate Manager
4 In the Delete Web Site Certificates dialog box, click OK.
Figure 558 Firefox 2: Delete Web Site Certificates
5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
2 Click Install to accept the certificate.
Figure 559 Opera 9: Certificate signer not found
3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.
1 Open Opera and click Tools > Preferences.
Figure 561 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates Manager, click Authorities > Import.
Figure 563 Opera 9: Certificate manager
4 Use the Import certificate dialog box to locate the certificate and then click Open.
5 In the Install authority certificate dialog box, click Install.
Figure 565 Opera 9: Install authority certificate
6 Next, click OK.
Figure 566 Opera 9: Install authority certificate
7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page’s security details.

Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.
1 Open Opera and click Tools > Preferences.
Figure 567 Opera 9: Tools Menu
2 In Preferences, click Advanced > Security > Manage certificates.
3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.
Figure 569 Opera 9: Certificate manager
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.
3 Click Forever when prompted to accept the certificate.
Figure 571 Konqueror 3.5: Server Authentication
4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page’s security details.
Figure 572 Konqueror 3.
2 In the Certificate Import Result - Kleopatra dialog box, click OK.
Figure 574 Konqueror 3.5: Certificate Import Result
The public key certificate appears in the KDE certificate manager, Kleopatra.
Figure 575 Konqueror 3.5: Kleopatra
3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page’s security details.
1 Open Konqueror and click Settings > Configure Konqueror.
Figure 576 Konqueror 3.5: Settings Menu
2 In the Configure dialog box, select Crypto.
3 On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.
Figure 577 Konqueror 3.5: Configure
4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.
Appendix D Legal Information

Copyright

Copyright © 2012 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.

Open Source Licenses

This product contains in part some free software distributed under GPL license terms and/or GPL like licenses. Open source licenses are provided with the firmware package. You can download the latest firmware at www.zyxel.com.