4ipnet MSG100 User’s Manual V1.
Copyright Notice
The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system, translated into any language, or transmitted in any form or by any means, mechanical, magnetic, electronic, optical, photocopying, manual, or otherwise, without the prior written permission of 4IPNET, INC.
Disclaimer
4IPNET, INC. does not assume any liability arising out of the application or use of any products, or software described herein.
FCC CAUTION
This equipment has been tested and proven to comply with the limits for a class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
Table of Contents
1. Introduction
1.1 Introduction of MSG100
1.2 System Concept
4.2.4 Policy
4.2.5 Additional Control
4.3 Network
4.3.1 NAT
1. Introduction
1.1 Introduction of MSG100
The 4ipnet MSG100 Multi-service Wireless Office Gateway is a “network-service-in-a-box” business gateway that provides remote, centralized management of data and voice services for small and branch offices and teleworkers.
1.3 Document Conventions
• Represents essential steps, actions, or messages that should not be ignored.
• Note: Contains related information that corresponds to a topic.
• Indicates that clicking this button will return to the system Homepage.
• Log out of the system.
• Access Online Help interface.
• Indicates that clicking this button will apply all of your settings.
• Indicates that clicking this button will clear what you have set before the settings are applied.
2. System Overview
2.1 Package Contents
The standard package of MSG100 includes:
• MSG100 x1
• Quick Installation Guide (QIG) x1
• CD-ROM (with User’s Manual and QIG) x1
• Power Cord x1
• Power Adapter (12DC, 2A) x1
• Cross-over Ethernet RJ-45 Cable x1
• RS-232 DB9 Console Cable x1
It is recommended to keep the original packing material for possible future shipment when repair or maintenance is required.
2.2.2 Technical Specification
Networking
• Support Router, NAT mode
• Support Static IP, DHCP, PPPoE mode on WAN interfaces and PPTP (WAN 1 only)
• Controllable LAN ports requiring authentication
• Support IP Plug and Play (IP PnP)
• Built-in DHCP server and support for DHCP relay
• Support NAT: (1) IP/Port Destination Redirection (2) DMZ Server Mapping (3) Virtual Server Mapping (4) H.
(4) Session/account expiration control (5) Email message with a hyperlink and login reminder for accessing login page (6) Windows domain transparent login (7) Configurable login time frame
• Instant account (200 accounts) generation for guests by authorized users without IT’s intervention
• User account roaming support
• Support local account Grouping to classify users
System Administration
• Multi-lingual, web-based management UI
• Customizable login and logout portal pages
• S
3. Installation
3.1 Panel Function Description
Front Panel
1. Power: ON indicates the power on, and OFF indicates the power off.
2. Status: Power and Status both ON indicate system ready, OFF indicates BIOS running, and BLINKING indicates OS running.
3. WAN: ON indicates connection, OFF indicates no connection, and BLINKING indicates data transmitting.
4. LAN: ON indicates connection, OFF indicates no connection, and BLINKING indicates data transmitting.
Rear Panel
1.
3.2 Hardware Installation
Please follow the steps mentioned below to install the hardware of MSG100.
1. Connect the power adapter to the power socket on the rear panel. The Power LED on the front panel should be ON to indicate a proper connection.
2. Connect an Ethernet cable to WAN1 Port on the rear panel. Per your needs, connect the other end of the cable to a networking device such as ADSL modem, cable modem, switch or hub.
3.3 Software Configuration
3.3.1 Instruction of Web Management Interface
4ipnet MSG100 supports web-based configuration. Upon the completion of hardware installation, MSG100 can be configured through a PC by using its web browser with JavaScript enabled such as Internet Explorer version 6.0.
Step 1: Set DHCP in TCP/IP of the administrator PC to get an IP address dynamically. Connect the PC to any LAN Port of MSG100.
Step 4: After a successful login, a “Home” page with four links called Setup Wizard, Quick Links, System Overview, and Main Menu will appear.
  - Setup Wizard: provides a four-step quick configuration of the system. Please refer to Section 3.2.2. Quick Configuration for more information.
  - System Overview: provides an overview of the system status for the administrator. Certain hyperlinks of associated configuration pages are provided in this page for the administrator to access directly.
  - Main Menu: provides detailed configuration pages for administrators to configure the system manually. Please refer to Section 4. Main Menu for more information.
3.3.2 Setup Wizard
MSG100 provides a Setup Wizard for quick configuration. The Configuration Wizard comprises four basic steps. Follow the instructions of Configuration Wizard to enter the required information step by step, save your settings, and restart MSG100. Then, the system is ready to use. The four steps of Configuration Wizard are listed below:
Step 1. General
Step 2. WAN1 Interface
Step 3. Local User Account (Optional)
Step 4.
Step 2: WAN1 Interface and Wireless
• Select a proper type of Internet connection for WAN1 interface from the following three available connections: Static, Dynamic, or PPPoE. Your ISP or network administrator can advise on the connection type available to you. Below depicts an example for Dynamic.
• Click Next to continue.
Step 3: Local User Account (Optional)
New local accounts can be created and added into the database via this optional function.
• A confirmation dialog box will then appear. Click OK to continue.
• A Confirm and Restart message will appear on the screen during the restarting process. Please do not interrupt the system until the Administrator Login Page appears.
Note:
• The system is trying to locate a DNS server at this stage. Therefore, a longer startup time is required if the configured DNS cannot be found.
3.3.3 User Login Portal Page
In order to be granted network access via MSG100’s controlled port, a user must be authenticated first by entering a correct username and password on the User Login Portal Page. To verify whether the configuration of the new local user account(s) created via the Setup Wizard has been completed successfully:
1. Connect a client device (e.g. laptop, PC) to the LAN1 Port of MSG100. The device will obtain an IP address automatically via DHCP.
2.
4. Web Interface Configuration
This chapter will guide you through further detailed settings. The following table shows all the UI functions of MSG100.
4.1 System
This section includes the following functions: General, WAN1, WAN2, WAN Traffic, LAN Port Mapping, and Service Zones.
4.1.1 General
Main information about MSG100 is shown on this page, including System Name, Internal Domain Name, Homepage Redirect URL, User Log Access IP Address, Management IP Address List, SNMP, HTTPS Protected Login, and Network Time Protocol (NTP) Server.
© 2008 4IPNET, INC.
• System Name: Set the name of the system or use the default.
• Internal Domain Name: A fully qualified domain name (FQDN) of the system. The domain name entered here will be shown at the top left of the Login Success page. In addition, when HTTPS is enabled, entering the domain name of the uploaded certificate will not only change the URL of the User Login page, but also increase login speed. For example, if the Internal Domain Name is configured as “ ashop.
• HTTPS Protected Login: The system supports HTTPS (encrypted) and HTTP (non-encrypted) for clients to log into the system. When this function is enabled, the Secured Socket Layer (SSL) will be activated and implemented into the Web-based user login page.
• Time: The system time can be set up manually or synchronized with remote NTP (Network Time Protocol) servers. It supports up to five NTP servers.
4.1.2 WAN1
There are 4 connection types supported on the WAN1 Port: Static, Dynamic, PPPoE and PPTP.
• Static (Use the following IP Settings): Select this option to specify a static IP address for the WAN1 port manually when a static IP address is available for MSG100. The fields with red asterisk are required.
  - IP Address: The IP address of the WAN1 port.
  - Subnet Mask: The subnet mask of the WAN1 port.
  - Default Gateway: The gateway of the WAN1 port.
• PPPoE: Select this option when PPPoE is the connection protocol provided by your ISP. To properly configure PPPoE connection type, set the Username, Password, MTU and Clamp MSS. When Dial on Demand is enabled, the Maximum Idle Time field is required to be filled in. The system will disconnect itself from the Internet automatically when the Maximum Idle Time is reached.
• PPTP: Select this option when PPTP is the connection protocol provided by your ISP.
4.1.3 WAN2
WAN2 can be disabled when selecting None. When WAN2 Port is enabled, it supports 3 connection types: Static, Dynamic and PPPoE.
• None: The WAN2 Port is disabled.
• Static (Use the following IP Settings): Select this option to specify a static IP address for the WAN2 port manually when a static IP address is available for MSG100. The fields with red asterisk are required.
4.1.4 WAN Traffic
MSG100 supports uplink/downlink bandwidth management features, including Load Balancing and WAN Failover, and Connection Detection.
• Available Bandwidth on WAN Interface:
  - Uplink Bandwidth: The maximum uplink bandwidth of the WAN interface to be shared by clients. The same setting will be applied to WAN1 and WAN2.
  - Downlink Bandwidth: The maximum downlink bandwidth of the WAN interface to be shared by clients.
  - Enable WAN Failover: Select to enable the WAN Failover function to ensure continuous uptime for Internet connection. Furthermore, select “Fall back to WAN1 when WAN1 is available again” to allow traffic to go back to WAN1 when WAN1 becomes active again after a disconnection.
  - Warning of Internet Disconnection: MSG100 supports Internet disconnection detection feature. When this function is enabled, a text box will appear for the administrator to enter a warning message.
4.1.5 LAN Port Mapping
MSG100 supports multiple Service Zones in either of the two VLAN modes, Port-Based or Tag-Based, but not concurrently. In Port-Based mode, each LAN port can only serve traffic from one Service Zone as each Service Zone is identified by physical LAN ports. In Tag-Based mode, each LAN port can serve traffic from any Service Zone as each Service Zone is identified by VLAN tags carried within message frames.
  - Port-Based: When Port-Based mode is selected, traffic from different virtual Service Zones will be distinguished by physical LAN ports. Each LAN port can be mapped to a Service Zone in the form of a many-to-one mapping between ports and Service Zones.
    o Specify a desired Service Zone for each LAN Port: For each LAN port, select a Service Zone to which the LAN port is to be mapped from the drop-down list box.
4.1.6 Service Zone
There are five Service Zones: Default, SZ1, SZ2, SZ3 and SZ4. Click Configure to complete the settings of each Service Zone. The management interface of the Port-Based Service Zone is different from that of the Tag-Based Service Zone.
【Port-Based】 【Tag-Based】
• Service Zone Name: The name of the respective Service Zones.
• Details: Detailed settings of the Service Zone. Click Configure to enter the Basic Settings, SIP Interface Configuration and Authentication Setting interfaces for further configuration.
  - Basic Settings
    (1) Service Zone Status: Indicates the current activating status of the Service Zone.
    (2) Service Zone Name: The name of the Service Zone.
    (3) Network Interface: When the system is in Tag-Based Service Zone mode, the VLAN Tag column will appear.
    o Operation Mode: When NAT mode is selected, the Service Zone will run in NAT mode. When Router mode is selected, the Service Zone will then run in Router mode.
    o IP address: Specify the IP Address assigned to this Service Zone.
    o Subnet Mask: Specify the Subnet Mask assigned to this Service Zone.
    o VLAN Tag: Enter the VLAN tag number for this Service Zone.
    (4) DHCP Server: MSG100 supports three DHCP modes: Disable DHCP server, Enable DHCP Server or Enable DHCP Relay.
For more information on DHCP relay, please refer to Appendix D. DHCP Relay.
  - SIP Interface Configuration
The system provides SIP proxy that helps SIP clients pass through NAT. After enabling SIP and completing SIP Authentication configuration, all authenticated SIP traffic can pass through NAT via a selective and fixed WAN interface. (For more information on SIP Authentication configuration, refer to 4.2.1.7 SIP Authentication.
    (1) Authentication Required for the Zone: Enable or disable this feature.
    (2) Authentication Options:
    o Auth Option: The authentication options supported by MSG100. Click the hyperlink of the respective options, including Server1 to Server4, Guest Users, and SIP Authentication, to enter the Authentication Option configuration page.
    o Authentication Database: The type of authentication database used.
detailed settings (refer to Section 4.2.4. Policy).
    (5) E-mail Message for Login Reminding: The system will send an automatic POP3 e-mail to notify clients who should have logged into the system. The administrator can customize the content of this notification e-mail. Each Service Zone can have its own message. Click on Edit Mail Message to enter the POP3 Email Message Editing page.
a-2. Login Page – Template Page
Choose Template Page to make a customized login page. Click the hyperlink of Select to pick a color and then fill in all of the blanks. Click Preview to view the result first.
a-3. Login Page – Uploaded Page
Choose Uploaded Page to upload a new/edited login page. The user-defined login page must include the following HTML codes to provide the necessary fields for username and password.
Next, enter or browse the filename of the images to be uploaded in the Upload Images field on the Upload Images Files page and then click Submit. The system will show the used space and the image file limit (512K). After the image file is uploaded, the file name will show on the Existing Image Files field. Check the file and click Delete to delete the file. Upon the completion of the upload process, the new login page can be previewed by clicking Preview button on the bottom.
the administrator wishes to restore the factory default setting of Logout Page, click the Use Default Page button. As the process is similar to that of Login Page, please refer to the configuration instructions of Login Page for more details. The HTML codes of the admin-defined logout interface are different from those of Login Page. The following HTML codes must be included to allow users to enter the username and password.
Note: c.
4.2 Users
This section includes the following functions: Authentication, Black List, Group, Policy and Additional Control.
4.2.1 Authentication
The function is used to configure a list of authentication options which can be enabled or disabled in the management interface of each Service Zone. When “Authentication required for the Zone” of a Service Zone (shown on each Service Zone’s management interface) is enabled, at least one of the authentication options must be activated.
• Authentication Database: The system supports five types of authentication databases: Local, POP3, RADIUS, LDAP, and NT Domain.
• Postfix: A postfix is used to inform the system which authentication option is used for authenticating an account (e.g. bob@BostonLdap or tim@TokyoRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. The postfix can be omitted only when the default authentication option is used.
of the default option, Bob can log in with either "bob" or "bob@BostonLdap" as his username.
• Black List: There are 5 sets of black lists provided by the system. A user account listed in the black list is not allowed to log into the system. Select one black list from the drop-down list box to be applied to this specific authentication option.
• Group: Select one Group from the drop-down list box for this specific authentication option.
For more information on Group configuration, please refer to Section 4.2.3. Group.
    o Upload User: Click Upload User to enter the Upload User from File interface. Click the Browse button to select the text file for uploading user accounts, then click Upload to complete the upload process.
    o Download User: Use this function to create a .txt file with all built-in user account information and then save it on disk.
    o Search: Enter a keyword of a username to be searched in the text field, and click Search to perform the search. All usernames matching the keyword will be listed.
    o Del All: Click on Del All to delete all the users at once, and click on Delete to delete the user individually.
    o Edit User: If editing the content of individual user account is needed, click the username of the desired user account to enter the Editing Existing User Data Interface for that particular user, and then modify or add any desired information such as Username, Password, MAC Address (optional), Applied Group (optional), Enable Local VPN (optional) and Remark (optional). Click Apply to complete the modification.
  - Roaming Out & 802.
4.2.1.2 POP3 Authentication Database
The system supports authentication by an external POP3 authentication server. The system is capable of supporting two POP3 servers, primary and secondary, for fault tolerance. When POP3 Authentication Database is enabled, at least one external POP3 server must be activated. The Local VPN function can be enabled for the clients authenticated by POP3 authentication method.
  - Port: The authentication port of the external POP3 Server.
  - SSL Setting: The system supports POP3S. Check the Enable check box to enable POP3S.
4.2.1.3 RADIUS Authentication Database
The system supports authentication by an external RADIUS authentication server by functioning as a RADIUS authenticator for the RADIUS server. The system is capable of supporting two RADIUS servers, primary and secondary, for fault tolerance.
  - 802.1X Authentication: The system supports 802.1X. When 802.1X Authentication is enabled, the Local Authentication Database will be used as a RADIUS database for connection with 802.1X enabled devices such as access points or switches. When the option is enabled, the hyperlink of 802.1X Client Device Settings will appear. Click the hyperlink of 802.1X Client Device Settings to enter the Roaming Out and 802.1X Client Device Settings page.
from the RADIUS server. When the clients classified by RADIUS class attributes log into the system via the RADIUS server, each client will be mapped to its assigned Group.
  - Server: The IP address of the external RADIUS server.
  - Authentication Port: Enter the authentication port of the RADIUS server.
  - Accounting Port: The accounting port of the external RADIUS server.
  - Secret Key: The Secret Key for RADIUS authentication.
in use. One of the authentication options can be assigned as default. The postfix can be omitted only when the default authentication option is used. For example, if "BostonLdap" is the postfix of the default option, Bob can log in with either "bob" or "bob@BostonLdap" as his username.
• Black List: There are five sets of black lists. A user account listed in the black list is not allowed to log into the system.
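The postfix rule and the per-option black list described above, as an added Python example (not code from the manual or from the MSG100 firmware). It resolves a typed login name to an authentication option and checks that option's black list against the bare account name, so "bob" and "bob@BostonLdap" are handled identically. Exact-match comparison, splitting on the last "@", rejection of unknown postfixes and the sample black-list entry are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AuthOption:
    postfix: str                     # e.g. "BostonLdap"
    database: str                    # Local, POP3, RADIUS, LDAP or NT Domain
    black_list: set = field(default_factory=set)


class LoginRouter:
    """Maps a typed login name to one authentication option."""

    def __init__(self, options, default_postfix):
        self.by_postfix = {}
        for opt in options:
            # Two options sharing a postfix would make routing ambiguous.
            if opt.postfix in self.by_postfix:
                raise ValueError(f"duplicate postfix: {opt.postfix}")
            self.by_postfix[opt.postfix] = opt
        if default_postfix not in self.by_postfix:
            raise ValueError("default option is not configured")
        self.default = self.by_postfix[default_postfix]

    def resolve(self, login):
        """Return (allowed, account, postfix, reason)."""
        # Assumption: the postfix is whatever follows the LAST "@".
        account, sep, postfix = login.rpartition("@")
        if not sep:
            # No postfix typed: only the default option may be used.
            account, option = login, self.default
        else:
            option = self.by_postfix.get(postfix)
            if option is None:
                # Assumption: an unknown postfix is rejected, not defaulted.
                return (False, account, postfix, "unknown postfix")
        if not account:
            return (False, account, option.postfix, "empty account name")
        # The black list is checked on the bare account name, after routing,
        # so both spellings of the same account hit the same entry.
        if account in option.black_list:
            return (False, account, option.postfix, "black-listed")
        return (True, account, option.postfix, "forward to " + option.database)


def build_sample_router():
    # Constructed sample configuration using the postfixes from the manual.
    return LoginRouter(
        [
            AuthOption("BostonLdap", "LDAP", black_list={"mallory"}),
            AuthOption("TokyoRadius", "RADIUS"),
        ],
        default_postfix="BostonLdap",
    )


if __name__ == "__main__":
    router = build_sample_router()
    for name in ("bob", "bob@BostonLdap", "tim@TokyoRadius",
                 "mallory", "mallory@BostonLdap", "tim@Unknown"):
        print(name, "->", router.resolve(name))
```

Because each option carries its own black list, an account blocked under one option is still accepted under another unless it is listed there as well.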
4.2.1.5 NT Domain Authentication Database
The system supports authentication by an external NT Domain authentication server.
• Name: Set a name for the authentication option by using numbers (0~9), letters (a~z or A~Z), dash (-), underline (_) and dot (.) within a maximum of 40 characters. All other characters are not allowed.
• Postfix: Set a postfix that is easy to distinguish (e.g.
  - Transparent Login: This function refers to Windows NT Domain single sign on. When Transparent Login is enabled, clients will log in to the system automatically after they have logged in to the NT domain, which means that clients only need to log in once.
4.2.1.6 ONDEMAND Authentication Database
The system provides an ONDEMAND Authentication Database of Instant Accounts for temporary users such as visitors.
A postfix is used to inform the system which authentication option is used for authenticating an account (e.g. bob@BostonLdap or tim@TokyoRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. The postfix can be omitted only when the default authentication option is used. For example, if "BostonLdap" is the postfix of the default option, Bob can log in with either "bob" or "bob@BostonLdap" as his username.
administrator can configure up to 2 usage plans.
  - Plan: The ID of a plan.
  - Status: Enable or Disable the plan.
  - Time Volume: The Time Volume is how long guest users are allowed to access the Internet.
  - 1st Login Expiration Time: The time period within which a guest account must be activated after it is generated. The account will expire if the guest user does not log in within the given time.
WAN interface. Up to four trusted SIP Registrars can be set in the SIP Authentication Configuration page. All SIP clients can be selected as a Group. Click SIP to enter the SIP Authentication Configuration page.
• Trusted Registrar: The SIP Authentication supports up to 4 trusted SIP registrars. When SIP clients try to use the network service, they must be authenticated by one of the configured SIP registrars.
4.2.2 Black List
The administrator can add or delete users in the black list for user access control. There are 5 sets of black lists provided by the system. A user account listed in the black list is not allowed to log into the system. The administrator can select one black list from the drop-down list box to be applied to this specific authentication option.
• Select Black List: Select one black list from the drop-down list box.
4.2.3 Group
8 sets of Group options including QoS Profile, Privilege Profile with Instant Account Privilege and Change Password Privilege, and Zone Permission Configuration & Policy Assignment can be defined respectively to enforce access controls on different Groups of users. Local users can be classified by applying Group options. A Group which is allowed to access a Service Zone can be applied with a Policy within this zone.
    o Individual Maximum Uplink: Defines the maximum uplink bandwidth allowed for an individual client belonging to this Group. The Individual Maximum Uplink cannot exceed the value of Group Total Uplink.
    o Individual Request Uplink: Defines the guaranteed minimum bandwidth allowed for an individual client belonging to this Group. The Individual Request Uplink cannot exceed the value of Group Total Uplink and Individual Maximum Uplink.
Click the hyperlink in the To Group Permission Configuration column to enter the Group Permission Configuration & Policy Assignment interface, which is based on the role of Service Zone, to configure the relation between Group and Zone.
    o Group Option: The name of Group options available for selection.
    o Enabled: Select Enabled to allow clients of the enabled Groups to log in to this Service Zone under constraints of the selected Policies.
4.2.4 Policy
MSG100 supports multiple Policies, including one Global Policy and 12 individual Policies. Each Policy consists of access control profiles that can be configured respectively and applied to a certain Group of users. Global Policy is the system’s universal policy and is applied to all clients, while the other individual Policies can be selected and defined to be applied to any Service Zone. The clients belonging to a Service Zone will be bound by an applied Policy.
  - Firewall Rules: Click on the hyperlink in the No. column to edit individual rules and then click Apply to save the settings. The rule status will show on the list. Check the Active check box and click Apply to enable that rule. This link leads to the Firewall Rules page. Rule No.1 has the highest priority; Rule No.2 has the second priority and so on. Each firewall rule is defined by Source, Destination and Pass/Block action.
    o Source / Destination – Subnet Mask: Enter the source and destination subnet masks.
    o Source / MAC Address: The MAC Address of the source IP address. This is for specific MAC address filter.
    o Source / Destination – IPSec Encrypted: Check the box to filter the encrypted traffic only.
    o Service Protocol: Select a defined protocol from the drop-down list box.
    o Schedule: Defines the time when this firewall rule will be activated.
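Because Rule No.1 has the highest priority, a later rule whose traffic is already covered by an earlier active rule never takes effect. The following added Python example (not code from the manual or the MSG100 firmware) models the priority order and reports such shadowed rules in a policy. First-match evaluation, the default action when no rule matches, the "ANY" protocol value and the sample rules are assumptions; the MAC Address, IPSec Encrypted and Schedule fields are left out.

```python
import ipaddress
from dataclasses import dataclass

ANY = "ANY"  # assumed wildcard for Service Protocol


@dataclass(frozen=True)
class Rule:
    number: int          # Rule No.; 1 is the highest priority
    active: bool         # the Active check box
    action: str          # "Pass" or "Block"
    source: str          # "IP address/subnet mask"
    destination: str     # "IP address/subnet mask"
    protocol: str = ANY

    @property
    def src_net(self):
        return ipaddress.ip_network(self.source, strict=False)

    @property
    def dst_net(self):
        return ipaddress.ip_network(self.destination, strict=False)


def evaluate(rules, src, dst, proto, default="Pass"):
    """Return (action, rule number) of the first active rule that matches.

    The default action for unmatched traffic is an assumption.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.active
                and src_ip in rule.src_net
                and dst_ip in rule.dst_net
                and rule.protocol in (ANY, proto)):
            return rule.action, rule.number
    return default, None


def find_shadowed(rules):
    """List (rule, covering rule, actions_conflict) for rules that can never fire."""
    active = sorted((r for r in rules if r.active), key=lambda r: r.number)
    findings = []
    for i, later in enumerate(active):
        for earlier in active[:i]:
            covered = (later.src_net.subnet_of(earlier.src_net)
                       and later.dst_net.subnet_of(earlier.dst_net)
                       and earlier.protocol in (ANY, later.protocol))
            if covered:
                findings.append((later.number, earlier.number,
                                 later.action != earlier.action))
                break
    return findings


# Constructed sample policy.
SAMPLE_RULES = [
    Rule(1, True, "Block", "192.168.1.0/255.255.255.0", "0.0.0.0/0.0.0.0"),
    Rule(2, True, "Pass", "192.168.1.50/255.255.255.255",
         "10.0.0.5/255.255.255.255", "TCP"),
    Rule(3, True, "Pass", "192.168.2.0/255.255.255.0", "0.0.0.0/0.0.0.0"),
    Rule(4, False, "Block", "192.168.2.0/255.255.255.0",
         "10.0.0.0/255.0.0.0", "TCP"),
    Rule(5, True, "Pass", "192.168.2.10/255.255.255.255",
         "0.0.0.0/0.0.0.0", "TCP"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "192.168.1.50", "10.0.0.5", "TCP"))
    for later, earlier, conflict in find_shadowed(SAMPLE_RULES):
        kind = "conflicting" if conflict else "redundant"
        print(f"Rule {later} is shadowed by Rule {earlier} ({kind})")
```

A conflicting finding, such as the intended exception in Rule 2 above, means the exception has to be moved ahead of the broader rule to have any effect.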
4.2.5 Additional Control
In this section, additional settings are provided for user management.
• User Session Control: Functions under this section apply to all general users.
  - Idle Timeout: Defines the time when the system will log out a user when he has been inactive for a time period set in this field. This setting will be applied to all users.
  - Multiple Login: When Multiple Login is enabled, different clients can log in with the same account at the same time.
• Customization: The administrator can upload a new private key and an external certificate issued by public or private authority. Click Certificate button to enter the configuration interface. Click the first Browse button to locate the file of the Private Key. Click the second Browse button to locate the file of the Certificate to be uploaded. Next, click Apply to complete the upload process.
• Remaining Time Reminder: There is a Remaining Time Reminder supported by the system to remind guest users that their accounts are about to expire within the given time. When this function is enabled, there will be a reminding message appearing on guest users’ screen at a given time before expiration.
• MAC ACL: Click Edit to enter Access Control List for further configuration. Enter the MAC Address of network devices.
4.3 Network
This section provides information on NAT, Privilege, Monitor IP, Walled Garden, Proxy Server, DDNS, Client Mobility and VPN.
4.3.1 NAT
There are three options of Network Address Translation that can be configured: DMZ, Virtual Servers and Port and IP Redirect.
• DMZ (Demilitarized Zone)
The administrator can use DMZ to define mandatory external to internal IP mapping, so that clients on the WAN can access a private machine (e.g.
• Public Accessible Server
The administrator can set virtual servers by using this function, so that the computers outside the managed network can access the servers within the managed network via WAN ports of MSG100. Enter the External Service Port, Local Server IP Address and Local Server Port accordingly. Different virtual servers can be configured for different sets of physical services, such as TCP and UDP services in general.
4.3.2 Privilege List
MSG100 provides two privilege lists: IP Address List and MAC Address List. The IP addresses and MAC addresses stated in these lists are allowed to access the network without authentication.
• IP Address List
The clients (such as workstations) in the Granted Access by IP Address list are allowed to access the Internet directly without authentication. Enter the IP Address of the clients. The Remark is optional but useful for tracking purpose.
4.3.3 Monitor IP
The system can monitor the devices listed in the Monitor IP List by pinging them periodically. The administrator can use this function to monitor third-party APs or any other IP-based devices, and moreover, hyperlinks of destination IP addresses can be created to access the monitoring devices. A notification e-mail of monitored status can be set to notify the administrator in a configured time period. Click Apply to activate the settings immediately.
4.3.4 Walled Garden
The Walled Garden supported by the system provides free surfing areas for clients to access before they are authenticated by the system. IP addresses or domain names of the websites can be defined in this list. Clients without network access right can still have a chance to experience actual network services free of charge. This function allows clients to access specified websites before login and authentication.
4.3.5 Proxy Server
This feature can be used for clients whose computers are configured to use a proxy server. The system supports external proxy servers and will match the proxy settings of External Proxy Servers listed here to that of clients in their browsers when they are trying to access the Internet. If there is no match, clients will not be able to get User Login Page, and therefore, be unable to access the Internet.
4.3.6 DDNS
The system provides a convenient dynamic DNS (DDNS) function to translate the IP address of WAN port to a domain name that helps the administrator memorize and connect to WAN1 port. When the DDNS is enabled, the system will send the latest IP address regularly to the specified DNS server if the WAN1 interface is set to Dynamic. These settings will become effective immediately after clicking Apply.
• DDNS: Enable or disable this function.
4.3.8 VPN
Virtual Private Network (VPN) is designed to increase the security of information transmitted over the Internet. VPN can work with wired or wireless networks and create a private, encrypted, independent tunnel from a client device to the system, or through the Internet to corporate servers and databases. There are 3 types of VPN connection supported by the system: Local, Remote, and Site-to-Site.
➢ Remote VPN Status: Check Enable to activate Remote VPN and allow client devices with Windows Vista enabled to use Local VPN, or Disable to deactivate it.
➢ IP Address Range Assignment: Enter the start IP address to be used, and the system will automatically assign up to 10 IP addresses for clients, as the system supports up to 10 remote VPN connections.
➢ Client Login Page: The administrator can use the default remote VPN login page or customize the page by setting the template page, uploading the page or downloading from a specific website. Click Preview to view the page configured. For more information on customizing this page, please refer to “Custom Pages” in Section 4.1.6. Service Zone.
➢ Local Site Configuration: Click Add a Local Site to enter the Local Site Information page for further configuration. Click Add a New Host to enter the Remote VPN Gateway page for further configuration.
© 2008 4IPNET, INC.
4.4 Utilities
This section provides four utilities to maintain the system, including Password Change, Backup & Restore, System Upgrade, Restart, and Network Utilities.
4.4.1 Password Change
The administrator can change the password of the system. The default admin password of the system is "admin". Enter the original password and a new password, and then re-type the new password in the Verify field. Click Apply to activate the new password.
4.4.2 Backup & Restore
This function is used to back up and restore the settings of MSG100. MSG100 can also be reset to the factory default settings here.
• Backup System Settings: Click Backup to save the current system settings to a backup file on a local disk through the management console. A backup file contains the current system settings as well as the local user account information.
• Restore System Settings: Click Browse to locate a .
4.4.3 System Upgrade
To upgrade the system firmware, click Browse to locate a new firmware file and then click Apply to execute the upgrade process. It may take a few minutes before the upgrade process completes. Upon completion, the system must be restarted for the new firmware to take effect.
Note:
• Firmware upgrade may sometimes result in data loss. Please ensure you read the release notes thoroughly before installing.
• Please restart the system after the upgrade.
4.4.5 Network Utilities
The administrator can remotely boot up a powered-off local device that has Wake-on-LAN enabled via the system’s Wake-on-LAN feature, and can also diagnose the network status via the web-based PING, Trace Route, and ARP Table functions.
• Wake-on-LAN: Enter the MAC address of the desired device and click Wake Up to execute this function.
• Ping: Enter the desired IP address or domain name such as “www.4ipnet.
• ARP Table: Click Show, and the IP and MAC addresses of all devices linked to this gateway will be displayed in the Result field.
4.5 Status
This section shows the status of System, Interface, Routing Table, Online Users, User Logs, and E-mail & SYSLOG.
4.5.1 System
This section provides an overview of the system status for the administrator.
The description of the table is as follows:
ITEM                          DESCRIPTION
Firmware Version              The current firmware version of MSG100.
Build                         The current build version of firmware.
System Name                   The system name. The default is MSG100.
Homepage Redirect URL         The page to which the users are directed after successful login.
SYSLOG server - System Log    The IP address and port number of the external SYSLOG Server. N/A means that it is not configured.
4.5.2 Interface
This section provides an overview of the interfaces for the administrator, including WAN1, WAN2, Service Zone – Default, Service Zone – Default DHCP Server, Service Zone – SZ1/SZ2/SZ3/SZ4, and Service Zone – SZ1/SZ2/SZ3/SZ4 DHCP Server.
The description of the table is as follows: ITEM DESCRIPTION MAC Address WAN1/WAN2 IP Address Subnet Mask Service Zone - Default/ SZ1 The subnet mask of the WAN port. The mode address of the default Service Zone. MAC Address The MAC Address of the default Service Zone. IP Address Status WINS IP Address The IP address of the default Service Zone. The subnet mask of the default Service Zone.
4.5.3 Routing Table
The route rules of the Global Policy and all individual Policies are listed here. It also shows the route rules for each interface of the system.
• Policy 1~12: Shows the information of each individual Policy from 1 to 12.
• Global Policy: Shows the information of the Global Policy.
• System: Shows the information of the system.
➢ Destination: The destination IP address of each interface of the system.
4.5.4 Online Users
This function shows each online user’s information, including Username, IP Address, MAC Address, Pkts In, Pkts Out, Bytes In, Bytes Out, Idle, and Kick Out. The administrator can use this function to force a specific online user to log out, or terminate any user session by clicking the hyperlink of Logout. Click Refresh to renew the current users list.
4.5.5 User Logs
This function is used to check the history of the system. The history of each day will be saved separately for at least 3 days (72 full hours). Please note that these records are stored in volatile memory and will be lost if the system is powered off. If the Receiver E-mail Address has been provided and Users Log has been selected under the E-mail & SYSLOG tab, then the system will automatically send the history report to that e-mail address.
• Guest Users Log: The Guest Users Log provides information on the login and logout activities of guest users.
➢ System Name: The system name.
➢ 1st Login Expiration Time: The period within which the account must be activated after it is generated; it is a constant value of one day.
➢ Account Valid Through: The expiration time of the account.
4.5.6 E-mail & SYSLOG
The system supports multiple reporting options via different methods including email, SYSLOG, and FTP.
• Notification Email Settings: All four types of report, including Monitor IP Report, User Log, Guests Log and Session Log, can be sent to up to three email boxes.
➢ Receiver E-mail Address(es): The e-mail address of the receiver to which the history report is sent.
➢ Check Box: Select which types of report are to be sent.
• SYSLOG Server Settings: Three types of report, including System Log, Guests User Log and Session Log, can be sent to a specified syslog server.
➢ IP Address: The IP address of the syslog server for receiving the respective reports.
➢ Port: The port number of the IP address.
• FTP Server Settings: Session logs can be uploaded to a specified FTP server periodically.
➢ Session Log:
o IP Address: The IP address of the FTP server.
4.6 Help
On the screen, the Help button is at the top right-hand corner. Click Help to open the Online Help window, and then click the hyperlink of an item for more information.
Appendix A. Network Configuration on PC
After MSG100 is installed, the following configurations must be set up on the PC: Internet Connection Setup and TCP/IP Network Setup.
1. Internet Connection Setup
If the Internet Connection of the client PC has been configured to use a local area network, you can skip this setup. The setup steps below are for a PC with Windows XP pre-installed.
Step 1: Choose Start > Control Panel > Internet Option.
Step 3: When the Welcome to the New Connection Wizard window appears, click Next.
Step 4: Select “Connect to the Internet” and then click Next.
Step 5: Select “Set up my connection manually” and then click Next.
Step 6: Select “Connect using a broadband connection that is always on” and then click Next.
Step 7: Finally, click Finish to exit the Connection Wizard. The setup is now complete.
2. TCP/IP Network Setup
By default, MSG100 will assign an appropriate IP address to a client PC configured to use DHCP to obtain IP addresses automatically. However, you can also use a static IP to connect to the MSG100 LAN port.
Step 1: Select Start > Control Panel > Network Connection.
Step 2: Right click on the Local Area Connection icon and select Properties.
Step 3: Select the General tab, check “Internet Protocol (TCP/IP)” and then click Properties. Now, you can choose to use DHCP or a specific IP address.
3-1: Using DHCP: If you want to use DHCP, choose “Obtain an IP address automatically” and click OK. This is also the default setting of Windows. Then, reboot the PC to make sure an IP address is obtained from MSG100.
3-2: Using Specific IP Address: If you want to use a specific IP address, acquire the following information from the network administrator: the IP Address, Subnet Mask and DNS Server address provided by your ISP and the Gateway address of MSG100.
Appendix B. Port-based Service Zone Deployment Example
In Port-Based mode, each LAN port can only serve traffic from one Service Zone. An example network application diagram is shown below: one Service Zone for Staff and one for Guests. The switches deployed under MSG100 in Port-Based mode must be Layer 2 switches only.
Step 2: Configure Basic Settings for SZ1
Check the Enabled radio button of Service Zone Status to activate SZ1. Enter a name for SZ1 (e.g. “Guests”) in the Service Zone Name field.
Step 3: Configure Authentication Settings for SZ1
Check the Enabled radio button to enable Authentication Required for the Zone. Check the Default button and Enabled box of Guest Users to set ONDEMAND authentication method as default. Disable all other authentication options.
A warning message “You should restart the system to activate the changes.” will appear at the bottom of the page. Do NOT restart the system until you have completed all the configuration steps. LAN1 is now configured for Guests.
Step 5: Configure Service Zone 2 for Staff
Assume that LAN2 is assigned to the Service Zone 2 (SZ2) for Staff. Select the Service Zones tab and click Configure of SZ2.
other authentication options. Then, click Apply to activate the settings made so far. A warning message “You should restart the system to activate the changes.” will appear at the bottom of the page. Do NOT restart the system until you have completed all the configuration steps.
Step 8: Configure LAN Port Mapping for SZ2
Select the LAN Port Mapping tab from the System menu to enter the LAN Ports and Service Zone Mapping page. Select Staff from the drop-down list box of LAN2.
Step 9: Restart the System
A confirmation message of “Do you want to restart the system?” will appear. Click Yes to start the restarting process. A confirmation dialog box will then pop up. Click OK to continue. Please do not interrupt the system during the restarting process. Once the settings of the two Service Zones are completed, the configured result will be displayed in the Service Zone Settings page: SZ1 and SZ2 are both enabled.
Appendix C. Tag-based Service Zone Deployment Example
In Tag-Based mode, each LAN port can serve traffic from any Service Zone, as each Service Zone is identified by VLAN tags carried within message frames. An example network application diagram is shown below: one Service Zone for Staff and another for Guests. The switch deployed under MSG100 in Tag-Based mode must be a VLAN switch only.
Step 2: Configure Service Zone 1 for Staff
Select the Service Zones tab and click Configure of SZ1.
Step 3: Configure Basic Settings for SZ1
• Check the Enabled radio button of Service Zone Status to activate SZ1.
• Enter a name for SZ1 (e.g. “Employee”) in the Service Zone Name field.
• Enter a VLAN tag for SZ1 (e.g. “1111”) in the VLAN Tag field.
Step 4: Configure Authentication Settings for SZ1
• Check the Enabled radio button to enable Authentication Required for the Zone.
• Check the Default button and Enabled box of Server 1 to set LOCAL authentication method as default. Disable all other authentication options.
Step 5: Set Policy SZ1
• Select Policy 1 from the drop-down list box.
• Click Apply to activate the settings made so far. A warning message “You should restart the system to activate the changes.
Step 7: Restart the System
• Click Apply to activate the settings. A warning message “You should restart the system to activate the changes.” will appear at the bottom of the page. Click the hyperlink of Restart to restart the system and activate all changes you have made.
• A confirmation message of “Do you want to restart the system?” will appear. Click Yes to start the restarting process. A confirmation dialog box will then pop up. Click OK to continue.
Appendix D. Certificate Setting for IE7 and IE6
• Certificate Setting for the Company with Certificate Authority
Any website or high-value web application will require clients to access it via Secure Sockets Layer (SSL). The browser will automatically ask for a public SSL certificate from the website and check if it is valid.
➢ Certificate setting for Internet Explorer 7
o For IE7, the certificate issue may occur because the certificate publisher is not trusted by IE7. The following steps may be taken to provide a workaround or to bypass this issue.
Step 1: Open the IE7 browser, and you should be redirected to the default User Login Page. If the certificate is not trusted, the following page will appear. Click “Continue to this website”.
o To install a trusted certificate to solve the IE7 certificate issue, please follow the instructions below:
Step 1: When the User Login page appears, click Certificate Error on the top.
Step 2: Click View Certificate.
Step 3: Click Certification Path. This is to check whether the certificate is currently in the correct path.
Step 4: Make sure the certificate path is correct as shown in the following figure. Click OK to continue.
Step 5: Select the General tab. Click Install Certificate to install the certificate.
Step 6: Click Next to continue.
Step 7: Select “Automatically select the certificate store based on the type of certificate” and then click Next.
Step 8: Click Finish.
Step 9: Click OK.
Step 10: Launch a new IE7 browser. The key symbol will appear on the top next to the address field, which means the certificate is now trusted via IE7.
➢ Certificate setting for Internet Explorer 6
For IE6, the certificate issue may occur because the certificate publisher is not trusted by IE6. The following steps may be taken to provide a workaround or to bypass this issue.
Step 1: Open an IE6 browser. The Security Alert message will appear if the certificate is not trusted. Click Yes to bypass this issue and proceed.
Step 2: Next, the User Login Page will appear, so that users can now log in normally.
Appendix E. DHCP Relay
MSG100 supports DHCP Relay defined in RFC 3046. When forwarding client-originated DHCP packets to an external DHCP server, a new option called the “Relay Agent Information option” is inserted by the DHCP relay agent of MSG100. External DHCP servers that recognize the Relay Agent Information option may use the information to implement IP address or other parameter assignment policies.
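The following Python sketch is an added example, not part of the MSG100 manual or its firmware. It shows how a receiving server could extract the Relay Agent Information option (option 82, Agent Circuit ID sub-option 1 in RFC 3046) from a DHCP options field and map it to a zone, rejecting malformed or unknown values. It assumes the Circuit ID is carried as ASCII text in the `<MAC>_<IP>` form quoted in this appendix; the function names and the constructed sample bytes are hypothetical.

```python
import ipaddress
import re

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82  # RFC 2132, RFC 3046
SUB_CIRCUIT_ID = 1                                    # RFC 3046 Agent Circuit ID
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def tlv(code, value):
    """Encode one code/length/value element (used to build the sample)."""
    return bytes([code, len(value)]) + value


def iter_tlv(buf, is_option_field):
    """Yield (code, value) pairs; PAD/END only exist in the top-level field."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if is_option_field and code == OPT_PAD:
            i += 1
            continue
        if is_option_field and code == OPT_END:
            return
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the buffer" % code)
        yield code, value
        i += 2 + length


def relay_agent_info(options):
    """Return {sub-option code: bytes} for option 82, or None if absent."""
    for code, value in iter_tlv(options, True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(iter_tlv(value, False))
    return None


def parse_circuit_id(raw):
    """Split an ASCII '<MAC>_<IP>' Circuit ID (assumed encoding) into parts."""
    text = raw.decode("ascii")
    mac, sep, ip = text.partition("_")
    if not sep or not MAC_RE.match(mac):
        raise ValueError("unexpected Circuit ID layout: %r" % text)
    return mac.upper(), ipaddress.IPv4Address(ip)


# Circuit ID and zone name are the ones quoted in this appendix.
CIRCUIT = b"00:90:0B:07:60:91_192.168.1.254"
KNOWN_CIRCUITS = {("00:90:0B:07:60:91", "192.168.1.254"): "g1_public_lan"}
# Constructed sample: message type DISCOVER, option 82, END.
SAMPLE_OPTIONS = (tlv(53, b"\x01")
                  + tlv(OPT_RELAY_AGENT_INFO, tlv(SUB_CIRCUIT_ID, CIRCUIT))
                  + bytes([OPT_END]))


def zone_for(options, known=KNOWN_CIRCUITS):
    """Map a request to a zone; None means 'apply the default policy'."""
    try:
        info = relay_agent_info(options)
        if info is None or SUB_CIRCUIT_ID not in info:
            return None
        mac, ip = parse_circuit_id(info[SUB_CIRCUIT_ID])
    except ValueError:  # truncated TLV, non-ASCII ID, bad MAC or IP
        return None
    return known.get((mac, str(ip)))


if __name__ == "__main__":
    print(zone_for(SAMPLE_OPTIONS))
```

Because address policy is keyed on this value, a server should only honour it on requests that arrive from a relay it trusts; anything that fails parsing falls through to the default policy here.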
Here is an example of configuration file of the DHCP server: From the file, a client that connects to MSG100 sends out a DHCP request. DHCP relay function in MSG100 is enabled and sending a Circuit ID 00:90:0B:07:60:91_192.168.1.254 to the external DHCP server. When DHCP server gets the Circuit ID, it recognizes that the request is sent from g1_public_lan and thus assigns the client a DNS server of 169.95.1.1, an IP that can be in the range of 192.168.1.30 and 192.168.1.
Appendix F. Proxy Setting for Enterprise
Enterprises usually isolate their intranet from the Internet by using a more elaborate network architecture. Many enterprises have their own proxy server, which is usually in the intranet or DMZ under firewall protection. In enterprises, network managers or MIS staff may often ask their users to enable the proxy setting of their browsers (e.g. IE and Firefox) to reduce Internet access load.
Please follow the steps below to complete the proxy configuration:
➢ Gateway setting
Step 1: Log in to the Main Menu of the web management interface.
Step 2: Click on the Network menu to enter the homepage of Network.
Step 3: Select the Proxy Server tab to enter the External Proxy Server page.
Step 4: Enter the IP address and port number of your proxy server in the IP Address and Port fields.
Step 5: Disable the Built-in Proxy Server.
Step 6: Click Apply to save the settings.
If your proxy server is disabled, it will cause a problem with the user authentication operation. When users open a browser, the login page won’t appear because the proxy server is down. Please make sure your proxy server is always available.
➢ Client setting
Clients must specify the default gateway IP address in the proxy exceptions box so that the user login success page can show up normally.
Step 1: Use the command “ipconfig” to get the Default Gateway IP Address.
Step 2: Open a browser and specify the default gateway IP address (e.g. 192.168.1.254) and the logout page IP address “1.1.1.1” in the proxy exceptions box.
o For I.E
o For Firefox
Appendix G. IPSec VPN
MSG100 supports IPSec VPN for clients with Windows XP SP2 (with patch) and Windows 2000. To make full use of the IPSec VPN natively supported by the Microsoft Windows XP SP2 (with patch) and Windows 2000 operating systems, MSG100 implements IPSec VPN tunnels between clients and MSG100 itself, whether over a wired or wireless network.
During the first-time login to MSG100, Internet Explorer will ask clients to download an ActiveX component of IPSec VPN. Once this ActiveX component is downloaded, it will run in parallel with the “Login Success Page” after the page has been brought up successfully. The ActiveX component helps set up individual IPSec VPN tunnels between clients and MSG100 and checks the validity of the IPSec VPN tunnels between them.
• Internet Connection Firewall
In Windows XP and Windows XP SP1, the Internet Connection Firewall is not compatible with IPSec. Internet Connection Firewall will drop packets from IPSec VPN tunneling. Please TURN OFF the Internet Connection Firewall feature or upgrade the Windows OS to Windows XP SP2.
• ICMP and Active Mode FTP
Windows XP SP2 without patch KB889527 will drop ICMP packets from the IPSec tunnel. This problem can be fixed by applying patch KB889527.
(3) Execution of instructions given by the following Windows messages:
• Close the Windows Internet Explorer.
• Click Logout on Login Success page.
• Click Back or Refresh of the same Internet Explorer browser page.
• Enter a new URL in the same Internet Explorer browser page.
• Open a URL from the other application (e.g. email of Outlook) that occupies this existing Internet Explorer.
Click Cancel if you do not intend to stop the IPSec VPN connection.
Appendix H. Console Interface
The administrator can enter the console interface via this port to handle problems occurring during operation. Certain system status information, such as boot-up time, firmware version and interface status, can be found in this console interface.
1. To connect to the console port of MSG100, you need a console cable and a terminal emulation program, such as HyperTerminal.
2.
• Utilities for network debugging
The console interface provides several utilities to help the administrator check the system conditions and debug problems. The utilities are described as follows:
➢ Ping host (IP): Sends an ICMP echo request to a specified host and waits for the response to test the network status.
➢ Trace routing path: Trace and inquire the routing path to a specific target.
• Change admin password
The default username and password are both “admin”, the same as for the web management interface. You can use this option to change the system administrator password. Even if you forget the password and are unable to log in to the web management interface or the remote end of the SSH, you can still use the null modem to connect to the console management interface and set the administrator password again.
Appendix I. Session Limit and Session Log
• Session Limit
To prevent ill-behaved clients or malicious software from using up the system’s connection resources, the administrator will have to restrict the number of concurrent sessions that a user can establish.
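The following Python sketch is an added example, not part of the MSG100 manual. It parses lines in the session log layout shown in this appendix and reports users who open more new sessions within a short window than a chosen threshold, which helps when choosing or reviewing a Session Limit value. It assumes the log is in time order and counts [New] events only, so it measures the rate of new sessions rather than the concurrent sessions the gateway limits; the sample lines, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<event>\w+)\](?P<user>\S+) (?P<proto>\S+) "
    r"MAC=(?P<mac>\S+) SIP=(?P<sip>\S+) SPort=(?P<sport>\d+) "
    r"DIP=(?P<dip>\S+) DPort=(?P<dport>\d+)$"
)

# Constructed sample in the manual's layout; the last user1 line is cut off
# on purpose to show how an incomplete record is handled.
SAMPLE_LOG = """
Aug 30 12:35:05 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80
Aug 30 12:35:05 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80
Aug 30 12:35:06 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80
Aug 30 12:35:06 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.
Aug 30 12:35:07 2007 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.50 SPort=4000 DIP=192.0.2.10 DPort=80
Aug 30 12:35:07 2007 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.50 SPort=4001 DIP=192.0.2.10 DPort=80
Aug 30 12:35:07 2007 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.50 SPort=4002 DIP=192.0.2.10 DPort=80
Aug 30 12:35:08 2007 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.50 SPort=4003 DIP=192.0.2.10 DPort=80
Aug 30 12:35:08 2007 [New]user2@local TCP MAC=00:11:22:33:44:55 SIP=10.1.1.50 SPort=4004 DIP=192.0.2.10 DPort=80
"""
LINES = SAMPLE_LOG.strip().splitlines()


def parse_line(line):
    """Return a dict for one session log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S %Y")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def new_session_bursts(lines, window_s=1, limit=3):
    """Return ({(user, mac): peak count}, skipped) for users exceeding `limit`
    new sessions within any `window_s`-second span (inclusive)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # (user, mac) -> timestamps inside the window
    peaks, skipped = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # truncated or foreign line: count, do not guess
            continue
        if rec["event"] != "New":
            continue
        key = (rec["user"], rec["mac"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks, skipped


if __name__ == "__main__":
    print(new_session_bursts(LINES))
```

Keying on both username and MAC keeps one account used from several devices from being merged into a single counter.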
➢ An example of session log data is shown as below:
Aug 30 12:35:05 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1626 DIP=203.125.164.132 DPort=80
Aug 30 12:35:05 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1627 DIP=203.125.164.132 DPort=80
Aug 30 12:35:06 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.37 SPort=1628 DIP=203.125.164.142 DPort=80
Aug 30 12:35:06 2007 [New]user1@local TCP MAC=00:09:6b:cd:83:8c SIP=10.1.1.