UAG715

Support Note

Revision 1.00

August, 2012

Written by CSO

Scenario 1 - Trunk Interface (Dual WAN)

Application Scenario

The Internet has become an integral part of daily operations, so a reliable Internet connection is in high demand. A Trunk interface (Dual WAN) not only increases overall throughput; it also gives the administrator more flexibility in managing WAN traffic. The UAG provides three load balancing methods: Spillover, Least Load First, and Weighted Round Robin.

In this scenario we demonstrate the Least Load First method. As a reminder for sites that use a static IP address on a WAN interface, this scenario also shows how to configure DNS on the UAG so that DNS queries are sent to the ISP’s DNS server; this prevents DNS query timeouts and gives users a better browsing experience.

Network Conditions

UAG:
WAN1 (PPPoE): 118.160.193.194/255.255.255.255
WAN2 (Static IP): 59.124.163.153/255.255.255.224

Goals to Achieve

We will have two WAN interfaces to share the Internet workload.

UAG Configuration

1) Determine the bandwidth of both WAN interfaces.

This matters because the Least Load First algorithm measures the load of each interface as the percentage of the “ISP-assigned bandwidth” that is currently in use, not as absolute throughput. For example, if WAN1 has 10 Mbps and 5 Mbps are in use (50%), while WAN2 has 20 Mbps and 6 Mbps are in use (30%), WAN1 is the more heavily loaded interface even though it carries less traffic, so WAN2 should take the new traffic. If the values entered here do not match what the ISPs actually deliver, the UAG balances against the wrong baseline.

Step 1: Go to “CONFIGURATION” > “Interface” > “PPP” > double-click on “wan1_ppp”.

Step 2: Click on “Show Advanced Settings” to configure the Egress and Ingress bandwidth.

Step 3: Set “Egress Bandwidth” (upload) to 2 Mbps and “Ingress Bandwidth” (download) to 10 Mbps > click on “OK” to confirm the change.

Step 4: Go to “CONFIGURATION” > “Interface” > “Ethernet” > double-click on “wan2”.

Step 5: Click on “Show Advanced Settings” to configure the Egress and Ingress bandwidth.

Step 6: Set “Egress Bandwidth” (upload) to 5 Mbps and “Ingress Bandwidth” (download) to 20 Mbps > click on “OK” to confirm the change.

2) Configuring the “Trunk” interface

Step 1: Go to “CONFIGURATION” > “Network” > “Interface” > “Trunk” > click on “Add” to add a new rule for the Trunk interface.

Step 2: Click on “Add” to add an interface as a member of this Trunk.

Step 3: Use the drop-down menu to select an interface.

Step 4: Choose “Least Load First” as the “Load Balancing Algorithm”, use “Inbound” for the “Load Balancing Index(es)”, and keep both interfaces in “Active” mode. Click on “OK” to confirm the setting.

Step 5: Back on the Trunk main page, select “User Configured Trunk” > click on “OK” to confirm the change.
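As an added example (not part of the support note and not UAG code), the following Python models the Least Load First choice described under “Determine the bandwidth”: each active trunk member is scored by used/assigned bandwidth for the chosen Load Balancing Index, and the lowest score receives the next session. The member names and bandwidth figures are the ones configured above; the usage figures, the handling of a “both directions” index and the treatment of an unset bandwidth are this example’s own assumptions.

```python
"""Least Load First member selection for a UAG-style trunk (Dual WAN)."""
from dataclasses import dataclass
from typing import List


@dataclass
class WanLink:
    name: str
    ingress_kbps: int       # ISP-assigned download bandwidth entered on the interface
    egress_kbps: int        # ISP-assigned upload bandwidth entered on the interface
    in_use_kbps: int = 0    # measured inbound usage at this moment
    out_use_kbps: int = 0   # measured outbound usage at this moment
    active: bool = True     # trunk member mode; a passive member is never chosen


def load_ratio(link: WanLink, index: str) -> float:
    """Fraction of ISP-assigned bandwidth in use, for the chosen Load Balancing Index.

    'inbound' and 'outbound' follow the text above.  'both' is this example's
    assumption: total used over total assigned in both directions.  A link whose
    bandwidth was left at 0 is treated as fully loaded (also an assumption) so
    that a misconfigured member never attracts every new session.
    """
    if index == "inbound":
        used, assigned = link.in_use_kbps, link.ingress_kbps
    elif index == "outbound":
        used, assigned = link.out_use_kbps, link.egress_kbps
    elif index == "both":
        used = link.in_use_kbps + link.out_use_kbps
        assigned = link.ingress_kbps + link.egress_kbps
    else:
        raise ValueError(f"unknown load balancing index: {index!r}")
    if assigned <= 0:
        return float("inf")
    return used / assigned


def least_load_first(links: List[WanLink], index: str = "inbound") -> WanLink:
    """Pick the active member with the lowest load ratio; ties go to the earlier member."""
    candidates = [link for link in links if link.active]
    if not candidates:
        raise RuntimeError("trunk has no active member interface")
    return min(candidates, key=lambda link: load_ratio(link, index))


if __name__ == "__main__":
    # Bandwidth values are the ones entered in Steps 3 and 6; the usage figures
    # are constructed, matching the worked example in the text.
    wan1 = WanLink("wan1_ppp", ingress_kbps=10_000, egress_kbps=2_000,
                   in_use_kbps=5_000, out_use_kbps=1_000)
    wan2 = WanLink("wan2", ingress_kbps=20_000, egress_kbps=5_000,
                   in_use_kbps=6_000, out_use_kbps=4_000)
    for idx in ("inbound", "outbound", "both"):
        chosen = least_load_first([wan1, wan2], idx)
        print(f"{idx:>8}: wan1 {load_ratio(wan1, idx):.0%}, "
              f"wan2 {load_ratio(wan2, idx):.0%} -> new session via {chosen.name}")
```

With the figures from the text the inbound index sends new sessions to wan2 (30% against 50%), while the same usage measured outbound sends them to wan1_ppp, which is why the index chosen in Step 4 matters as much as the bandwidth values.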

3) Add a DNS server for WAN2

Step 1: Go to “CONFIGURATION” > “System” > “DNS” > click on “Add” to add a new DNS rule.

Step 2: Fill in the ISP’s DNS server address and choose “wan2” as the interface > click on “OK” to confirm.

A new DNS entry is created for wan2, so queries to that server always leave through the static WAN2 link and do not time out.

Scenario 2 – SMTP Redirect

SMTP redirect forwards the SMTP traffic of authenticated clients to a single SMTP server that handles all outgoing email. The UAG redirects SMTP traffic on TCP port 25 only; mail submission on other ports (587 or 465) is not covered by this feature.

Application Scenario

Many ISPs block outbound SMTP in order to cut down on the spam sent from their networks, so a site may need to redirect its SMTP traffic to a relay the ISP allows. The UAG’s SMTP Redirect function does this for the clients that send mail through it.

At the same time, an organisation must be able to show that no spam is being sent from its public IP address. With all outgoing SMTP requests redirected to one designated SMTP server, the administrator can tell from that server’s logs which client initiated any spam.

Network Conditions

Incoming Interface: lan1
Source Address: LAN1_SUBNET
SMTP Server: mail.zyxel.com.tw

Goals to Achieve

SMTP traffic received on lan1 is forwarded by the UAG to the SMTP server mail.zyxel.com.tw, so users can send email over SMTP.

UAG Configuration

Step 1: Click “Configuration” > “Network” > “SMTP Redirect” and select the option to enable the SMTP redirect feature on the UAG.

Step 2: Click “Add”.

Step 3: Configure the SMTP redirect rule: incoming interface lan1, source address LAN1_SUBNET, SMTP server mail.zyxel.com.tw.

Scenario 3 – Web Authentication

Application Scenario

Web Authentication is an administrative tool that lets an administrator control users’ access to the company’s network. The UAG provides two ways to authenticate users: internal authentication against the UAG’s own user database, and external authentication against an external server such as RADIUS.

3.1 Internal Authentication

In this first scenario, users are authenticated against the user database on the UAG.

Network Conditions

UAG WAN2 (Static): 59.124.163.153/255.255.255.224
User PC: 192.168.1.34

Goals to Achieve

Users will be authenticated by the UAG before they can access the Internet.

UAG Configuration

1) Create an Auth. Policy to authenticate users from LAN1 (192.168.1.0/24).

Step 1: Go to “CONFIGURATION” > “Network” > “Web Authentication” > double-click on the existing policy to modify the rule.

Step 2: Enter a name for this Auth. Policy > choose “LAN1_SUBNET” so that all users from this subnet must authenticate > click on “OK” to create the policy.

2) Create a user account for the PC to log in with

Step 1: Click on “Add” to create a user account for the LAN1_SUBNET users.

Step 2: Enter the login credentials and click on “OK” to confirm.

Verification

When the user opens a browser and tries to visit www.zyxel.com, the browser is redirected to the login page. After entering the User Name and Password, click on “Login” to continue.

If authentication succeeds, the user sees the lease time of the session.

3.2 RADIUS Authentication (External Authentication)

Enterprises that run their own RADIUS server in the DMZ (server farm) can have the UAG authenticate users against that server.

In this scenario we show how the UAG works with a RADIUS server to authenticate users.

Network Conditions

UAG:
DMZ: 192.168.3.1
RADIUS Server: 192.168.3.168
User’s Laptop: 192.168.1.34

Goals to Achieve

The users will be authenticated by the RADIUS server before they can access the Internet.

UAG Configuration

1) Create a new RADIUS server entry

Step 1: Go to “Configuration” > “Object” > “AAA Server” > “RADIUS” tab > click on “Add” to create a RADIUS server entry.

Step 2: A window appears asking for the server information. Enter the required information and click on “OK” to confirm the settings. “Key” is the shared secret that must also be configured on the RADIUS server. It is the only thing protecting the RADIUS exchange between the UAG and the server (it hides the user’s password in the request and authenticates the server’s reply), so choose a long random value rather than a short word.

Step 3: A new RADIUS server entry now appears on the page.

2) Add the RADIUS server that was just created to an authentication method

Step 1: Go to “CONFIGURATION” > “Object” > “Auth. Method” > double-click on “default”; a new window appears.

Step 2: Click on “Add” to add a RADIUS authentication method to this rule.

Step 3: Choose “group RADIUS_168” > click on “OK” to confirm the modification.

Authentication over the RADIUS server is now part of the “default” authentication method.
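The following Python is an added example, not code from the support note, from ZyXEL or from any RADIUS server, showing what the “Key” entered in Step 2 actually protects: the NAS (here the UAG) hides the user’s password under an MD5 stream keyed by the shared secret and a fresh random Request Authenticator (RFC 2865 section 5.2), and the reply is accepted only if its Response Authenticator verifies under the same secret. The user name, password, secret and NAS address are constructed values; the attribute set the UAG really sends is not shown on the page.

```python
"""RADIUS Access-Request and reply handling with a shared secret (RFC 2865)."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block),
    seeded with the Request Authenticator.  Only the secret hides the password."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    attrs, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str,
                         request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Packet the NAS (the UAG here) sends, plus the Request Authenticator it
    must remember to validate the reply.  The authenticator is random per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """The Access-Accept / Access-Reject a RADIUS server returns."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, identifier: int, request_auth: bytes,
                    secret: bytes) -> bool:
    """NAS-side check.  A reply that fails must be discarded whatever its Code
    says; otherwise anyone on the path could inject a forged Access-Accept."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Because the only keyed step in both directions is MD5 over the shared secret, a short or guessable “Key” lets anyone who captures one Access-Request/Access-Accept pair confirm guesses offline and then decrypt every User-Password on that link; the RADIUS server in the DMZ reduces exposure, but the length of the secret is what actually matters.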

Scenario 4 – Content Filter

The web has become the main delivery channel for network threats. When users in a hotel browse unsafe websites that host phishing pages or malicious programs, the other computers in the hotel are at risk of infection. The Content Filter blocks malware and web threats by preventing users from reaching these harmful sites.

Application Scenario

In this scenario we demonstrate how to stop users from accessing unsafe websites. The Content Filter classifies requested sites in real time and logs access to the monitored categories.

Network Conditions

LAN1 Subnet: 192.168.1.0/24

Goals to Achieve

Users who try to browse an unsafe website will be redirected to another web page, www.zyxel.com.

UAG Configuration

Step 1: Choose your licensed content filtering service and start its setup.

Step 2: Add a profile (named “CF” in this scenario) that lets users visit all websites except those classified as security threats:
- Enable the “Enable Content Filter Category Service” checkbox.
- Set the Action for Security Threat (Unsafe) to “Warn” and enable the “Log” checkbox.
- Set the Action for Managed Web Pages to “Pass” and enable the “Log” checkbox.
- Set the Action for Unrated Web Pages to “Warn” and enable the “Log” checkbox.
- Set the Action When Category Server is Unavailable to “Warn” and enable the “Log” checkbox. Note that this is a fail-open choice: if the UAG cannot reach the category server, users are warned rather than blocked.

Step 3: Go to “Configuration” > “Anti-X” > “Content Filter” > “General” to enable the Content Filter.

Step 4: Add an access policy for the guests:
Schedule: none
Address: LAN1 subnet
Filter Profile: CF

Step 5: Check the created policies.

When a guest tries to access a website, the request is matched against this policy. If the site is classified as harmful, the UAG shows a denied message and redirects the browser to http://www.zyxel.com.

Scenario 5 – How to Export System Logs to an External Server

Application Scenario

For management purposes, administrators can monitor events on the UAG by reading its syslog messages, which are classified into three severity levels. These reports are especially useful when the administrator receives complaints from users about a slow or unstable Internet connection, and they serve as a troubleshooting reference.

In this scenario we show how the UAG exports its system logs to a Kiwi syslog server.

Network Conditions:

UAG:

Kiwi Syslog Server: 192.168.3.168

Goals to achieve:

The administrator will be able to see system logs appear on the Kiwi syslog server.

UAG Configuration:

1) Configure system log settings on the UAG

Step 1: Go to “CONFIGURATION” > “Log & Report” > click on “Log Setting” to view the log settings.

Step 2: Double-click on the 4th remote server entry to configure the UAG for exporting system logs.

Step 3: Check the “Active” box, choose “CEF” as the syslog format, and specify the Kiwi syslog server IP address. Syslog is sent in clear text without authentication, so the log server should sit on a trusted segment (the DMZ in this scenario), not on a network the guests share.

Step 4: Click on the “Selection” button to set the log preference to normal.

Step 5: Logs generated by the UAG now appear on the Kiwi syslog server.
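The following Python is an added example, not code from the support note, from ZyXEL or from Kiwi: a parser for the CEF format selected in Step 3, run over constructed sample lines (the signature IDs, event names and extension keys are invented for the illustration; real UAG events will differ), followed by the kind of check an administrator would run on the exported logs, flagging a source/user pair with repeated login failures. The parser honours CEF escaping (“\|” in header fields, “\=” in extension values), which a naive split on “|” and “=” gets wrong.

```python
"""Parse CEF-formatted syslog lines and flag repeated login failures."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in CEF syntax.  They are NOT captured UAG output:
# the signature IDs, names and extension keys are invented for this example.
SAMPLE_LINES = [
    "Aug 20 10:00:01 uag715 CEF:0|ZyXEL|UAG715|1.00|100|User login|3|"
    "src=192.168.1.34 suser=alice outcome=success",
    "Aug 20 10:00:05 uag715 CEF:0|ZyXEL|UAG715|1.00|101|User login failed|5|"
    "src=192.168.1.34 suser=bob outcome=failure msg=bad password",
    "Aug 20 10:00:06 uag715 CEF:0|ZyXEL|UAG715|1.00|101|User login failed|5|"
    "src=192.168.1.34 suser=bob outcome=failure msg=bad password",
    "Aug 20 10:00:07 uag715 CEF:0|ZyXEL|UAG715|1.00|101|User login failed|5|"
    "src=192.168.1.34 suser=bob outcome=failure msg=bad password",
    "Aug 20 10:00:09 uag715 CEF:0|ZyXEL|UAG715|1.00|200|Content filter\\|warn|4|"
    "src=192.168.1.50 request=http://example.test/a\\=b cat=Unsafe",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key starts the string or follows whitespace.  A '=' inside a
# value must be escaped as '\=' by the sender, so an unescaped 'key=' is a boundary.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_header(text: str) -> Tuple[List[str], str]:
    r"""Split the seven '|'-separated header fields, honouring '\|' and '\\'."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == len(HEADER_FIELDS):
                return fields, text[i:]
            continue
        cur.append(ch)
        i += 1
    raise ValueError("truncated CEF header")


def _unescape_extension(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    result = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_extension(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Return the syslog prefix, the header fields and the extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[start:])
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["version"] = fields[0][len("CEF:"):]
    event["syslog_prefix"] = line[:start].rstrip()
    try:
        event["severity"] = int(fields[6])
    except ValueError:
        pass  # CEF also permits Low/Medium/High/Very-High
    event["extension"] = parse_extension(ext)
    return event


def repeated_failures(events: List[Dict[str, object]], threshold: int = 3
                      ) -> List[Tuple[str, str, int]]:
    """(src, user, count) for every source/user pair with >= threshold failed logins."""
    counts = Counter()
    for e in events:
        ext = e["extension"]
        if ext.get("outcome") == "failure":
            counts[(ext.get("src"), ext.get("suser"))] += 1
    return [(src, user, n) for (src, user), n in counts.items() if n >= threshold]
```

Run against the constructed lines, the parser recovers “Content filter|warn” and “http://example.test/a=b” intact, and the detection reports bob from 192.168.1.34 with three failures. Field names such as suser and outcome are the example’s choice; map them to whatever keys the UAG’s CEF output actually uses before relying on the check.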

Scenario 6 – Web Authentication White List

Web authentication lets the administrator control who can access the network. Internal servers, however, should not have to authenticate, so we create a white list containing their IP addresses. Because the exemption is keyed on the IP address, the servers must always receive the same address; we use IP/MAC Binding to guarantee that.

Network Conditions

UAG:
LAN1: 192.168.2.1
DMZ: 192.168.3.1
User’s Laptop: 192.168.1.34
RADIUS Server IP address: 192.168.3.168
RADIUS Server MAC: 00:C0:A8:FA:FF:4D
Web Server: 192.168.3.169
Web Server MAC: 00:C0:A8:FA:FF:4E

Goals to Achieve

1. The internal servers always receive the same IP address from the UAG’s DHCP server.

2. After Web Authentication is enabled, users are prompted to log in while the servers are not.

UAG Configuration

1) Reserve IP addresses for the servers

Step 1: Go to “CONFIGURATION” > “Network” > “Interface” > double-click on “dmz” to open the configuration page of the DMZ subnet.

Step 2: Scroll down the page and click on “Add” to assign the Web Server a static IP address.

Step 3: Fill in the IP address and MAC address of the Web Server, and repeat for the RADIUS Server > click on “OK” to confirm the change.

2) Add the servers’ IP addresses to the authentication exemption

Step 1: Go to “CONFIGURATION” > “Network” > “Web Authentication” > click on “Add” to create a new rule for the servers.

Step 2: Enter a description for this rule > click on “Create new Object” to create an address range covering the Web and RADIUS servers.

Step 3: Select “Range” and fill in the first and last IP addresses of the servers > click on “OK” to confirm.

Step 4: Select “Servers” under “Source Address” > choose “unnecessary” for “Authentication” > click on “OK” to finish. Web authentication policies are matched in order, so place this exemption rule above the rule that requires authentication.

Scenario 7 – Using SSL VPN to Manage Internal Devices

When an administrator wants to manage servers or devices in the server farm from outside the enterprise, exposing them directly to the Internet raises security concerns. The SSL VPN function on the UAG addresses this: after logging in to the UAG, administrators can reach the servers or devices through an Internet browser from outside the company, without the servers themselves being reachable from the Internet.

Network Conditions

UAG:
WAN2: 59.124.163.153
SSL VPN IP Pool: 192.168.168.0/255.255.255.0

Goals to Achieve

The administrator will be able to access internal servers and devices with the SSL VPN.

UAG Configuration:

1) Create a user for using SSL VPN

Step 1: Go to “CONFIGURATION” > “Object” > “User/Group” > click on “Add” to create an SSL VPN user.

Step 2: Fill in the required information and click on “OK” to confirm.

2) Allow the user to log in over SSL VPN and assign an IP address to the user.

Step 1: Go to “CONFIGURATION” > “VPN” > “SSL VPN” > click on “Add” to create an access policy.

Step 2: Fill in the required information and select the user we just created, “ssluser”, as a member of the policy.

Step 3: Scroll down the page and click on “Create new Object” > click on “Address” to create a subnet for the SSL VPN users.

Step 4: Fill in the necessary information and click on “OK” to finish.

Step 5: Check the “Enable Network Extension” box > select the IP pool to assign to the SSL VPN users > let the device act as the DNS proxy > set an external DNS server as backup.

Step 6: Choose the subnet the SSL VPN user is allowed to reach (DMZ_SUBNET in this case) > click on “OK” to finish. Limiting this to the subnet that actually holds the managed servers keeps a compromised SSL VPN account from reaching the rest of the internal network.

Scenario 8 – IPSec VPN

Application Scenario

A virtual private network (VPN) provides secure communication between sites without the expense of leased site-to-site lines. A secure VPN combines tunneling, encryption, authentication, access control and auditing, and carries traffic over the Internet or any other insecure IP network.

For example, when branch-office computers need to reach the database server at the company’s headquarters, IPSec VPN on the UAG secures the traffic between branch offices, partners and headquarters as shown below.

Network Conditions

UAG715 (1):
WAN IP: 10.59.1.175
Local subnet: 192.168.50.0/24

UAG715 (2):
WAN IP: 10.59.1.30
Local subnet: 192.168.60.0/24

IPSec VPN Conditions

Phase 1:
- Authentication: pre-shared key 1234567890
- Local/Peer ID type: IP 0.0.0.0
- Encryption Algorithm: 3DES
- Authentication Algorithm: MD5
- Key Group: DH1

Phase 2:
- Encapsulation Mode: Tunnel
- Active Protocol: ESP
- Encryption Algorithm: DES
- Authentication Algorithm: SHA1
- Perfect Forward Secrecy: None

These are lab values chosen so that the two test units match, not a recommended policy: a ten-digit pre-shared key, DES (56-bit key), 3DES, MD5 and DH group 1 (768-bit MODP) are all considered weak, and with Perfect Forward Secrecy disabled a compromise of the Phase 1 keys exposes every Phase 2 session. For production use choose AES, SHA-2, DH group 14 or higher, enable PFS, and use a long random pre-shared key or certificates; whatever is chosen must be identical on both gateways.

Goals to Achieve

Establish an IPSec VPN tunnel between the two UAG715 units with the above configuration.

UAG configuration:

Step 1: Click “CONFIGURATION” > “VPN” > “IPSec VPN” > “VPN Gateway” to open the configuration screen. Then click the “Add” button to add a VPN gateway rule.

Step 2: Edit VPN gateway rule.

Step 3: Click “CONFIGURATION” > “VPN” > “IPSec VPN” > “VPN Connection” to open the configuration screen and add a rule.

Step 4: Edit Phase 2 rule.

Step 5: After setting the rule, select it and click the Connect button to establish the VPN link. Once the tunnel is up, a connected icon is displayed in front of the rule.

Step 6: When the VPN tunnel is established, the SA information can be found under “MONITOR” > “VPN MONITOR” > “IPSec”.
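As an added example (not part of the support note and not UAG code), the following Python evaluates the Phase 1 and Phase 2 parameters listed above against a minimum policy and, separately, compares two gateways’ proposals for mismatches, which is the first thing to check when the connected icon never appears. The weakness descriptions, the hardened alternative and its algorithm labels are this example’s own; the names the UAG offers in its drop-down lists may differ, and the hardened pre-shared key is a constructed placeholder.

```python
"""Check an IPSec proposal against a minimum policy before deploying it."""
from typing import List

# Settings exactly as listed under "IPSec VPN Conditions" above.
PAGE_PROPOSAL = {
    "psk": "1234567890",
    "phase1": {"encryption": "3DES", "integrity": "MD5", "dh_group": "DH1"},
    "phase2": {"protocol": "ESP", "encryption": "DES", "integrity": "SHA1", "pfs": "None"},
}

# The hardened alternative this example proposes.  Not a UAG default: the
# algorithm labels are this example's own and the PSK is a constructed
# placeholder that would be generated randomly in practice.
HARDENED_PROPOSAL = {
    "psk": "Tq8zL1vN4pYw7cRb2HsJ6mXeF0dKgU3a",
    "phase1": {"encryption": "AES256", "integrity": "SHA256", "dh_group": "DH14"},
    "phase2": {"protocol": "ESP", "encryption": "AES256", "integrity": "SHA256", "pfs": "DH14"},
}

WEAK_ENCRYPTION = {
    "DES": "56-bit key, brute-forceable",
    "3DES": "64-bit block size (Sweet32) and slow; replace with AES",
    "NULL": "no confidentiality at all",
}
WEAK_INTEGRITY = {
    "MD5": "collision-broken hash; replace with SHA-256 or better",
    "SHA1": "deprecated hash; replace with SHA-256 or better",
}
WEAK_DH_GROUPS = {"DH1": "768-bit MODP", "DH2": "1024-bit MODP", "DH5": "1536-bit MODP"}
MIN_PSK_LENGTH = 20


def check_proposal(p: dict) -> List[str]:
    """Human-readable findings; an empty list means the proposal passes the policy."""
    findings = []
    for phase in ("phase1", "phase2"):
        enc = p[phase]["encryption"].upper()
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{phase}: encryption {enc}: {WEAK_ENCRYPTION[enc]}")
        integ = p[phase]["integrity"].upper()
        if integ in WEAK_INTEGRITY:
            findings.append(f"{phase}: integrity {integ}: {WEAK_INTEGRITY[integ]}")
    group = p["phase1"]["dh_group"].upper()
    if group in WEAK_DH_GROUPS:
        findings.append(f"phase1: key group {group}: {WEAK_DH_GROUPS[group]}; use DH14 or higher")
    pfs = p["phase2"].get("pfs", "None").upper()
    if pfs == "NONE":
        findings.append("phase2: PFS disabled: a recovered Phase 1 key exposes every Phase 2 SA")
    elif pfs in WEAK_DH_GROUPS:
        findings.append(f"phase2: PFS group {pfs}: {WEAK_DH_GROUPS[pfs]}")
    if p["phase2"]["protocol"].upper() != "ESP":
        findings.append("phase2: AH gives integrity only, no confidentiality")
    psk = p["psk"]
    if len(psk) < MIN_PSK_LENGTH:
        findings.append(f"psk: {len(psk)} characters is too short (minimum {MIN_PSK_LENGTH})")
    if psk.isdigit() or psk.isalpha():
        findings.append("psk: single character class; mix letters, digits and symbols")
    return findings


def mismatches(local: dict, peer: dict) -> List[str]:
    """Fields on which the two gateways disagree.  Any entry here means IKE
    negotiation fails, the usual reason a tunnel never shows the connected icon."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(local[phase]) | set(peer[phase])):
            if local[phase].get(key) != peer[phase].get(key):
                diffs.append(f"{phase}.{key}: {local[phase].get(key)} vs {peer[phase].get(key)}")
    if local["psk"] != peer["psk"]:
        diffs.append("psk differs")
    return diffs


if __name__ == "__main__":
    for label, proposal in (("page", PAGE_PROPOSAL), ("hardened", HARDENED_PROPOSAL)):
        findings = check_proposal(proposal)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The page’s lab proposal produces eight findings (both phases’ ciphers and hashes, the key group, the missing PFS, and two on the pre-shared key), while the hardened proposal produces none; a single differing field between the two gateways shows up in mismatches and would stop the tunnel before any of that matters.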

Scenario 9 – Customize Portal

For security reasons, the network administrator wants to control user access to the enterprise’s network. When users are asked to log in, they see a login page; this page can be customized to present whatever business image the enterprise wants to give its users.

9-1 Application Scenario: Internal Web Portal

Web authentication intercepts all network traffic, regardless of address or port, until the user authenticates the connection, usually through a designated login web page. All web page requests can therefore be redirected initially to a special page that requires users to authenticate their sessions. Once authentication succeeds, they can connect to the rest of the network or the Internet.

Network Conditions

Enable Internal Web Portal
Create the user name: guest
Login URL: http://10.59.1.35:8080/login.html
Logout URL: http://10.59.1.35:8080/logout.html
Welcome URL: http://10.59.1.35:8080/welcome.html
Session URL: http://10.59.1.35:8080/session.html
Error URL: http://10.59.1.35:8080/error.html

Goals to Achieve

The guest sees the UAG’s built-in login page when logging in.

UAG Configuration

Step 1: Under Configuration > Web Authentication, select “Internal Web Portal” to use the default login page built into the UAG.

When the guest logs in to the UAG, the default page is shown.

9-2 Application Scenario: External Web Portal

Select External Web Portal to use a custom login page hosted on an external web server instead of the default one built into the UAG. This lets you configure the look and feel of the portal pages. Note that the portal URLs in this scenario use plain HTTP, so the pages, and whatever the guest submits through them, can be read or altered on the path between the guest and the portal server; a production portal should be served over HTTPS.

In this scenario, we will demonstrate how to redirect users to an external portal for login authentication. A customized portal page will be displayed.

Network Conditions:

Enable External Web Portal
Create the user name: guest
Login URL: http://10.59.1.35:8080/login.html
Logout URL: http://10.59.1.35:8080/logout.html
Welcome URL: http://10.59.1.35:8080/welcome.html
Session URL: http://10.59.1.35:8080/session.html
Error URL: http://10.59.1.35:8080/error.html

Goals to Achieve

Guest will see a customized portal page at login and logout.

UAG Configuration:

Configuration > Web Authentication

Step 1: Enable “Web Authentication” and choose “External Web Portal”. This uses a custom login page from an external web portal instead of the default one built into the UAG.

Step 2: Fill in the Login, Logout, Welcome, Session and Error URLs of the external portal (the values listed under Network Conditions).

Step 3: Use the download link on this page to get the external web portal example; it is a starting point for configuring the look and feel of your own portal pages.

When the guest logs in, the customized portal is displayed. The remaining screenshots show the welcome page, the session page, the logout page and the error page.

Scenario 10 – VPN 1-1 Mapping

Application Scenario

NAT traversal is the general technique for establishing and maintaining IP connections across a network address translation gateway. When VPN clients behind the UAG connect to a company network, NAT can break the tunnel: if one side has NAT traversal enabled and the other does not, the connection is dropped because the response packets arrive with a source IP address different from the one expected.

With VPN 1-1 mapping, each guest who logs in to the UAG and matches a pre-configured mapping rule obtains an individual public IP address. Each guest then uses a unique public IP address to send traffic through a separate VPN tunnel. This helps especially when multiple guests need to reach different remote servers through separate VPN tunnels via the UAG.

Network Conditions

WAN IP: 59.124.163.149
IP Pool: 59.124.163.150~59.124.163.155

Goals to Achieve

We will demonstrate how the guest can get a static public IP address to access the network.

UAG Configuration:

Step 1: Select the option to enable VPN 1-1 mapping on the UAG.

Step 2: Create a Pool address object before adding the profile: click “Configuration” > “Object” > “Address” > “Address” and define the range 59.124.163.150~59.124.163.155.

Step 3: Click “Configuration” > “Network” > “VPN 1-1 Mapping” > “Profile”.

Step 4: Add a pool profile. A pool profile defines the public IP address(es) that the UAG assigns to the matched guests and the interface through which the guests’ traffic is forwarded.

Step 5: When a guest accesses the Internet, go to “Monitor” > “VPN 1-1 Mapping” to check the status of the active guests to which the UAG has applied a VPN 1-1 mapping rule.
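Added example, not the support note’s or the UAG’s own code: a small model of the VPN 1-1 mapping pool from the Network Conditions above. It leases one public address per authenticated guest from 59.124.163.150~59.124.163.155, translates in both directions so each guest’s tunnel leaves with its own source address, releases the lease on logout, and refuses a seventh guest once the six-address pool is exhausted. The guest names, private addresses and interface label are constructed.

```python
"""Public address pool for VPN 1-1 mapping: one public IP per authenticated guest."""
import ipaddress
from collections import deque
from typing import Dict, Optional

Addr = ipaddress.IPv4Address


class PoolExhausted(Exception):
    """Every public address in the pool is already leased."""


class OneToOneMapper:
    def __init__(self, first: str, last: str, interface: str = "wan2"):
        lo, hi = Addr(first), Addr(last)
        if lo > hi:
            raise ValueError("pool range is reversed")
        self.interface = interface            # WAN interface the mapped traffic leaves on
        self._free = deque(Addr(n) for n in range(int(lo), int(hi) + 1))
        self._by_user: Dict[str, Addr] = {}
        self._by_private: Dict[Addr, Addr] = {}
        self._by_public: Dict[Addr, Addr] = {}

    def assign(self, user: str, private_ip: str) -> Addr:
        """Lease a public address to a guest who matched a mapping rule.
        Idempotent for a guest already mapped; fails if the pool is empty."""
        if user in self._by_user:
            return self._by_user[user]
        priv = Addr(private_ip)
        if priv in self._by_private:
            raise ValueError(f"{priv} is already mapped for another guest")
        if not self._free:
            raise PoolExhausted(f"no free public address left on {self.interface}")
        pub = self._free.popleft()
        self._by_user[user], self._by_private[priv], self._by_public[pub] = pub, pub, priv
        return pub

    def release(self, user: str) -> None:
        """On logout: drop both translation entries and return the address to the
        back of the queue, so a new guest does not immediately inherit an address
        that remote peers may still associate with the previous one."""
        pub = self._by_user.pop(user, None)
        if pub is None:
            return
        priv = self._by_public.pop(pub)
        del self._by_private[priv]
        self._free.append(pub)

    def translate_outbound(self, private_src: str) -> Optional[Addr]:
        """Source address rewrite for a guest packet heading to the Internet."""
        return self._by_private.get(Addr(private_src))

    def translate_inbound(self, public_dst: str) -> Optional[Addr]:
        """Destination rewrite for the reply arriving on the public address."""
        return self._by_public.get(Addr(public_dst))

    def free_count(self) -> int:
        return len(self._free)
```

The pool in the scenario holds six addresses, so the seventh concurrent guest gets no mapping at all; size the pool for the expected number of simultaneous VPN users, and watch the “Monitor” > “VPN 1-1 Mapping” page from Step 5 for how many leases are in use.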
