ZyXEL Communications ISG50 manuals
Computer Equipment > Network Router
When we buy new device such as ZyXEL Communications ISG50 we often through away most of the documentation but the warranty.
Very often issues with ZyXEL Communications ISG50 begin only after the warranty period ends and you may want to find how to repair it or just do some service work.
Even oftener it is hard to remember what does each function in Network Router ZyXEL Communications ISG50 is responsible for and what options to choose for expected result.
Fortunately you can find all manuals for Network Router on our side using links below.
ZyXEL Communications ISG50 Manual
880 pages 22.73 Mb
1 LAN IPhttps://192.168.1.1 READ CAREFULLY Address User Name admin Password Copyright © ZyXEL Communications Corporation 2 •Quick Start Guide•CLI Reference Guide Note: It is recommended you use the Web Configurator to configure the ISG50 • Web Configurator Online Help Read Chapter 1 on page Chapter 3 on page Chapter 4 on page Chapter 5 on page It is highly recommended you read Chapter 6 on page Chapter 7 on page To find specific information in this guide, use the Contents Overview Table of Contents Index 3 Contents Overview5 Table of ContentsPart I: User’s Guide 6 4.1.1 Internet Access Setup - WAN Interface4.1.2 Internet Access: Ethernet 4.1.4 Internet Access: PPTP 4.1.6 Internet Access Setup - Second WAN Interface 4.1.7 Internet Access - Finish 7 General Tutorials8 How to Use a RADIUS Server to Authenticate User Accounts Based on Groups8.2.1 Configuring the snom VoIP Phones for Auto Provisioning 8.6.3 Example 3: Company with Existing PBX and Expanding Employees 9 8.7 Using Call Features8.7.1 Customizing Feature Codes 8.7.2 Using the Voicemail Feature 8.8 Using the Extension Portal 8.8.1 Your Information 8.8.2 Accessing the Extension Portal 8.8.3 Using the Web Phone (IP Phone Users Only) 8.8.4 Changing Your Security Information 8.8.5 Personalizing Your Settings 8.8.6 Setting Up Voicemail 8.9 Capturing Packets Using the Web Configurator 8.10 Creating an Automated Menu System 8.10.1 Menu Design and Call Routing 8.10.2 Create an Agent Identity 8.10.3 Create a Skill 8.10.4 Create an Auto-Attendant Dashboard 9.1 Overview 9.1.1 What You Can Do in this Chapter 9.2 The Dashboard Screen 9.2.1 The CPU Usage Screen 9.2.2 The Memory Usage Screen 9.2.3 The Active Sessions Screen 9.2.4 The VPN Status Screen 9.2.5 The DHCP Table Screen 9.2.6 The Number of Login Users Screen Overview 10.1.1 What You Can Do in this Chapter The Port Statistics Screen 10.2.1 The Port Statistics Graph Screen Interface Status Screen The Traffic Statistics Screen The Session Monitor Screen The DDNS Status Screen 10 10.11.1 Regular Expressions in Searching IPSec SAs11 Policy and Static Routes12 16.1.1 What You Can Do in this Chapter16.1.2 What You Need to Know 17.1 DDNS Overview 17.1.1 What You Can Do in this Chapter 17.1.2 What You Need to Know 17.2 The DDNS Screen 17.2.1 The Dynamic DNS Add/Edit Screen 18.1.1 What You Can Do in this Chapter 18.1.2 What You Need to Know 18.2.1 The NAT Add/Edit Screen 19.1.1 What You Can Do in this Chapter 19.1.2 What You Need to Know 19.2.1 The HTTP Redirect Edit Screen 20.1.1 What You Can Do in this Chapter 20.1.2 What You Need to Know 20.1.3 Before You Begin 13 Authentication PolicyFirewall 14 Global PBX SettingsVoice Interfaces 15 Outbound Trunk Group16 Auto-attendantGroup Management Call Services 17 Call RecordingMeet-meConference Paging Group 18 Sound FilesAuto Provision Voice Mail Phonebook 19 Office HoursUser/Group Addresses Services 20 47.1 Overview47.2 The Schedule Summary Screen 48.1 Overview 48.2 Active Directory or LDAP Server Summary 48.3 RADIUS Server Summary 49.1 Overview 49.2 Authentication Method Objects 50.1 Overview 50.2 The My Certificates Screen 50.3 The Trusted Certificates Screen 21 50.3.2 The Trusted Certificates Import Screen22 52.8.5 Secure Telnet Using SSH Examples52.10.1 Configuring FTP 27 Introducing the ISG5037 Features and Applications43 Web Configurator3.1 Web Configurator Requirements 3.2 Web Configurator Access44 Chapter 3 Web Configurator3Type the user name (default: “admin”) and password (default: “1234”) One-Time Login Update Admin Info Figure 18 Update Admin Info Screen Ignore Installation Setup Wizard 45 3.3 Web Configurator Screens Overview46 Table 4 Title Bar: Web Configurator Icons (continued)Object Reference object Console the CLI Reference Guide for details on the commands CLI Configurator Figure 21 Title Bar The following table describes labels that can appear in this screen Table 5 Title Bar: Web Configurator Icons Boot Module ISG50 Current Version This shows the firmware version of the ISG50 Released Date Click this to close the screen 47 Figure 22 Navigation PanelChapter 9 on page The monitor menu screens display status and statistics information Table 6 Monitor Menu Screens Summary FOLDER OR LINK FUNCTION System Status Port Statistics Displays packet statistics for each physical port Interface Status Displays general interface information and packet statistics Traffic Statistics Collect and display traffic statistics Session Monitor Displays the status of all current sessions DDNS Status Displays the status of the ISG50’s DDNS domain names IP/MAC Binding MAC binding Login Users Lists the users currently logged into the ISG50 Cellular Status Displays details about the ISG50’s 3G connection status USB Storage Displays details about USB-connectedstorage devices VPN Monitor IPSec Displays and manages the active IPSec SAs PBX SIP Peer Displays status information about SIP extensions configured on the ISG50 FXS Peer Displays status information about FXS extensions configured on the ISG50 SIP Trunk CTI Peer connections FXO Trunk 48 Table 6 Monitor Menu Screens Summary (continued)BRI Trunk ACD Queue Monitor phone call activity for Automatic Call Distribution (ACD) agents Lists system log entries Call Recording Listen to or delete call recordings on the ISG50 CDR Query the CDR database Use the configuration menu screens to configure the ISG50’s features Table 7 Configuration Menu Screens Summary TAB Quick Setup Quickly configure WAN interfaces or VPN connections Licensing Registration Register the device and activate trial services Network Port Role Ethernet Manage Ethernet interfaces and virtual Ethernet interfaces PPP Create and manage PPPoE and PPTP interfaces Cellular VLAN Bridge Create and manage bridges and virtual bridge interfaces Create and manage trunks (groups of interfaces) for load balancing and link High Availability (HA) Routing Create and manage routing policies Static Route Create and manage IP static routing information RIP Configure device-levelRIP settings OSPF links Configure zones used to define various policies DDNS Define and manage the ISG50’s DDNS domain names NAT Set up and manage port forwarding rules HTTP Redirect Set up and manage HTTP redirection rules ALG Configure H.323 and FTP pass-throughsettings Summary Configure IP to MAC address bindings for devices connected to each supported interface Exempt List Configure ranges of IP addresses to which the ISG50 does not apply IP/MAC binding Auth. Policy Define rules to force user authentication Firewall Create and manage level-3traffic rules Session Limit Limit the number of concurrent client NAT/firewall sessions 49 Table 7 Configuration Menu Screens Summary (continued)52 Table 8 Maintenance Menu Screens SummaryFigure 23 Warning Message 53 Site MAPFigure 24 Site Map Refresh 54 Table 9 Object ReferencesObject Name This field is a sequential value, and it is not associated with any entry display the service’s configuration screen in the main window Priority otherwise N/A displays This field identifies the configuration item that references the object Description Refresh Click this to update the information in this screen Click Cancel to close the screen CLI Figure 26 CLI Messages Click Clear to remove the currently displayed information See the Command Reference Guide for information about the commands Here are some of the ways you can manipulate the Web Configurator tables 56 Figure 30 Changing the Column OrderFigure 31 Navigating Pages of Table Entries Figure 32 Common Table Icons Here are descriptions for the most common table icons Table 10 Common Table Icons new entry after the selected entry changes that you have not yet applied remove it before doing so Activate To turn on an entry, select it and click Activate 57 Table 10 Common Table Icons (continued)Inactivate To turn off an entry, select it and click Inactivate To connect an entry, select it and click Connect To disconnect an entry, select it and click Disconnect Object References settings use the entry. See Section 12.3.2 on page 246 for an example (or down) one Figure 33 Field Information 58 Figure 34 iNotes59 Installation Setup Wizard69 Quick Setup5.1 Quick Setup Overview 70 5.2 WAN Interface Quick Setup71 WAN Type SelectionEthernet PPPoE PPTP Figure 47 WAN Interface Setup: Step 73 Figure 49 WAN and ISP Connection Settings: (PPTP Shown)The following table describes the labels in this screen Table 11 WAN and ISP Connection Settings ISP Parameter This section appears if the interface uses a PPPoE or PPTP Internet connection Encapsulation This displays the type of Internet connection you are configuring Options are: node CHAP - Your ISG50 accepts CHAP only PAP - Your ISG50 accepts PAP only MSCHAP - Your ISG50 accepts MSCHAP only MSCHAP-V2 - Your ISG50 accepts MSCHAP-V2only User Name characters, and it can be up to 31 characters long Password except the [] and ?. This field can be blank 74 Table 11 WAN and ISP Connection Settings (continued)Retype to Type your password again for confirmation Confirm Nailed-Up Select Nailed-Up if you do not want the connection to time out Idle Timeout the PPPoE server. 0 means no timeout PPTP Configuration Base Interface modem or router Type the (static) IP address assigned to you by your ISP IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given) Server IP Type the IP address of the PPTP server Connection ID "n:name" format. For example, C:12 or N:My ISP This field is optional and depends on the requirements of your DSL modem WAN Interface Setup belong interface uses a static IP address, enter it in this field First DNS IP address(es) in the field(s) to the right Second DNS it DDNS and the time server Back Click Back to return to the previous screen Next Click Next to continue 75 This screen displays the WAN interface’s settingsFigure 50 Interface Wizard: Summary WAN (PPTP Shown) Table 12 Interface Wizard: Summary WAN Service Name name specified in the ISP account This is the user name given to you by your ISP Yes timeout disconnects from the PPPoE server. 0 means no timeout If you specified a connection ID, it displays here This identifies the interface you configure to connect with your ISP This field displays whether the WAN IP address is static or dynamic (Auto) Assignment First DNS Server If the IP Address Assignment is Static, these fields display the DNS server IP address(es) Close Click Close to exit the wizard 76 5.3 VPN Quick Setup77 5.4 VPN Setup Wizard: Wizard Type78 5.5 VPN Express Wizard - Scenario79 Figure 54 VPN Express Wizard: StepPre-Shared Local Policy (IP/Mask) Remote Policy (IP/Mask) 80 Figure 55 VPN Express Wizard: Step•Rule Name: Identifies the VPN gateway policy Local Policy Configuration for Secure Gateway 81 Close83 Figure 58 VPN Advanced Wizard: Phase 1 SettingsMy Address (interface) Negotiation Mode Main Aggressive Encryption Algorithm Authentication Algorithm SHA-1 Key Group 84 NAT TraversalVPN, NAT, and NAT Traversal on page Dead Peer Detection (DPD) Authentication Method : Select to use a password or to use one of the ISG50’s certificates Figure 59 VPN Advanced Wizard: Step •Active Protocol: ESP is compatible with NAT, AH is not •Encapsulation: Tunnel is compatible with NAT, Transport is not Null 85 This is a read-onlysummary of the VPN tunnel settingsFigure 60 VPN Advanced Wizard: Step •Rule Name: Identifies the VPN connection (and the VPN gateway) •Secure Gateway: IP address or domain name of the remote IPSec device •Pre-SharedKey: VPN tunnel password Copy and paste the Configuration for Remote Gateway •Click Save to save the VPN rule 87 Configuration Basics6.1PBX Features Overview88 Chapter 6 Configuration BasicsOutbound Line Group •ISDN BRI Trunk - This is a connection to your ISDN Service Provider Trusted Peer FXO (Foreign Exchange Office) Trunk The figure below shows the relationship between FXS and FXO ports Figure 62 FXS and FXO Ports ISG FXS FXO FXS FXO LCR (Least Cost Routing) 89 AA1Figure 63 Auto-Attendant extension you AA1 would like to reach ISG The configuration requirement for setting up internal call routing are: 1Create an authority group 2Create extensions in the authority group 90 Figure 64 Outbound Call Routing - BasicAuthority Outbound LCR SALES Figure 65 Outbound Call Routing - Advanced LCR - Local Sales R&D The configuration requirement for setting up outbound call routing are: 3Create an outbound line group 4Create LCRs and add outbound line groups to them 5Associate LCRs to authority groups 91 6.2 Object-basedConfiguration92 6.3 Zones, Interfaces, and Physical Ports93 Virtual interfacesvirtual Ethernet interfaces virtual VLAN interfaces virtual bridge interfaces PORT INTERFACE ZONE IP ADDRESS AND DHCP SETTINGS SUGGESTED USE WITH DEFAULT SETTINGS wan1 lan2 94 6.4 Terminology in the ISG506.5 Packet Flow95 •A policy route can be automatically disabled if the next-hopis dead•You do not need to set up policy routes for IPSec traffic •Policy routes can override direct routes •You do not need to set up policy routes for 1:1 NAT entries •Static and dynamic routes have their own category Figure 69 Routing Table Checking Flow Direct-connected Subnets Use Policy Route to Override Direct Route Section 14.1 on page 96 Policy RoutesChapter 14 on page 1 to 1 and Many 1 to 1 NAT Auto VPN Policy Use Policy Route to control dynamic IPSec rules Section 24.2 on page Static and Dynamic Routes Default WAN Trunk Section 13.2 on page Main Routing Table Figure 70 NAT Table Checking Flow 97 6.6Other Features Configuration OverviewPREQUISITES 98 Configuration > Licensing > RegistrationInternet access to myZyXEL.com See Section 6.3 on page 92 for background information Configuration > Network > Interface (except Network > Interface (except Trunk) Port groups (configured in the Interface > Port Grouping screen) Network > Interface > Ethernet Use trunks to set up load balancing using two or more interfaces Configuration > Network > Interface > Trunk Interfaces Policy routes Example: See Chapter 7 on page Configuration > Network > Routing > Policy Route 99 Example:1Create an address object for the FTP server (Object > Address) to go to the policy route configuration screen. Add a policy route 3Name the policy route 4Select the interface that the traffic comes in through (P3 in this example) 5Select the FTP server’s address as the source address 6You don’t need to specify the destination address or the schedule 7For the service, select FTP For the Next Hop Type Select the interface that you are using for your WAN connection Configuration > Network > Routing > Static Route 100 Network > ZoneConfiguration > Network > NAT Mapped IP field 6In Mapping Type, select Port Original Mapped Port 101 Configuration > Network > HTTP Redirect1Click Configuration > Network > HTTP Redirect 2Add an entry 3Name the entry Select the interface from which you want to redirect incoming HTTP requests 5Specify the IP address of the HTTP proxy server Configuration > Network > ALG Configuration > Auth. Policy 102 Configuration > Firewall(source, destination), services, service groups Create a VoIP service object for UDP port 5060 traffic Configuration > Object > Service Create an address object for the VoIP server Configuration > Object > Address 3Click Configuration > Firewall to go to the firewall configuration Select from the DMZ •You don’t need to specify the schedule or the user •In the Source field, select the address object of the VoIP server •You don’t need to specify the destination address •Leave the Access field set to Allow and the Log field set to No wizard Interfaces, certificates (authentication), authentication methods (extended firewall Policy routes, zones Configuration > BWM Zones 103 6.7 Objects104 6.8 System107 General Tutorials135 PBX Tutorials185 Dashboard9.1 Overview 9.2The Dashboard Screen186 Chapter 9 DashboardFigure 135 Dashboard Table 26 Dashboard Widget Settings (A) out Expand/collapse Click this to expand or collapse a widget widget (B) Refresh time Set the interval for refreshing the information displayed in the widget setting (C) Refresh Now (D) Click this to update the widget’s information immediately Close widget (E) Click this to close the widget. Use Widget Settings to re-openit 187 Chapter 9 DashboardTable 26 Dashboard (continued) Virtual Device interface or slot appears grayed out This identifies a device installed in one of the ISG50’s USB ports The configuration name of the interface Status depend on what type of interface it is For Ethernet interfaces: Inactive - The Ethernet interface is disabled Ethernet interface is enabled but not connected the port speed and duplex setting (Full or Half) This field displays the zone to which the interface is currently assigned This field displays the current IP address assigned to the interface Mask This field displays the current subnet mask assigned to the interface 1~4 FXO: Off - The port is not connected Blinking - The line is ringing On - A phone is plugged into the port and connected BRI: Blinking - The port has at least one connection active Off - The port is not connected or on-hook Blinking - The phone is ringing for an inbound call On - The port is off-hook Information System Name open the screen where you can change it. See Section 52.2 on page Model Name This field displays the model name of this ISG50 Serial Number This field displays the serial number of this ISG50 MAC Address Range assigned to physical port 2, and so on Firmware Version 55.3 on page Uptime turned on 188 Current DateTime hh:mm:ss VPN Status page DHCP Table Current Login 44 on page Number of on page Boot Status This field displays details about the ISG50’s startup state OK - The ISG50 started up successfully Firmware update OK - A firmware update was successful Problematic configuration after firmware update - The application of the - The application of the configuration failed after a firmware upgrade reset the ISG50 to the system default settings Fallback to system default configuration - The ISG50 was unable to apply the - The ISG50 was unable to apply the (system-default.conf) Booting in progress - The ISG50 is still applying the system configuration screen of interface statistics This field displays the name of each interface what type of interface it is Section 10.10 on page appear IP Addr Netmask subnet mask via DHCP IP Assignment IP address (Static) 189 Use this field to get or to update the IP address for the interfaceClick Renew to send a new DHCP request to a DHCP server displays n/a Click the Disconnect icon to stop a PPPoE/PPTP connection SIP Extension This shows the number of SIP extensions currently configured in the ISG50 This shows the number of SIP trunks currently configured in the ISG50 Trust Peer This shows the number of trusted peers currently configured in the ISG50 This shows the number of FXO trunks currently configured in the ISG50 This shows the number of BRI trunks currently configured in the ISG50 Licensed Service associated with specific services This is the name of the licensed service This is the current status of the license This is the type of registration required to use the licensed service license does not have a limited period of validity Count This shows how many units the licensed service permits CPU Usage you to a chart of the ISG50’s recent CPU usage Memory Usage chart of the ISG50’s recent memory usage Flash Usage being used Usage used Active Sessions Show Active Sessions recent session usage Extension Slot This section of the screen displays the status of the USB ports This field displays how many USB ports there are Slot This field displays the name of each extension slot device is detected) 190 Show CPU UsageShow Memory Usage 191 Table 28 Dashboard > Show Memory UsageShow Active Sessions Figure 138 Dashboard > Show Active Sessions Table 29 Dashboard > Show Active Sessions 192 VPN StatusFigure 139 Dashboard > VPN Status Table 30 Dashboard > VPN Status This field is a sequential value, and it is not associated with a specific SA This field displays the name of the IPSec SA This field displays how the IPSec SA is encapsulated Algorithm Select how often you want this window to be updated automatically Figure 140 Dashboard > DHCP Table 193 Table 31 Dashboard > DHCP Tableaddress. Click the heading cell again to reverse the sort order static DHCP entry by MAC address. Click the heading cell again to reverse the sort order field is blank for dynamic DHCP entries Reserve MAC address DHCP client then click Apply To remove a static DHCP entry, clear this field, and then click Apply Number of Login Users Figure 141 Dashboard > Number of Login Users Table 32 Dashboard > Number of Login Users This field is a sequential value and is not associated with any entry User ID Reauth Lease T time remaining for each user. See Chapter 44 on page This field displays the way the user logged in to the ISG50 194 Table 32 Dashboard > Number of Login Users (continued) 195 Monitor10.1 Overview 196 10.2The Port Statistics Screen197 Monitor > System Status > Port Statistics (continued)This field displays the current status of the physical port Down - The physical port is not connected duplex setting (Full or Half) TxPkts since it was last connected RxPkts it was last connected Tx B/s one-secondinterval before the screen updated Rx B/s Up Time This field displays how long the physical port has been connected Port Statistics Status Switch to Graphic View Button Figure 143 Monitor > System Status > Port Statistics > Switch to Graphic View 198 10.3 Interface Status Screen199 Each field is described in the following tableTable 35 Monitor > System Status > Interface Status displayed in light gray text Expand/Close Ethernet interfaces type of interface it is port speed and duplex setting (Full or Half) does not appear in the list interface is disabled, it does not appear in the list For PPP interfaces: Connected - The PPP interface is connected Disconnected - The PPP interface is not connected If the PPP interface is disabled, it does not appear in the list This field displays the zone to which the interface is assigned address and subnet mask via DHCP This field displays how the interface gets its IP address Static - This interface has a static IP address DHCP Client - This interface gets its IP address from a DHCP server Services does not provide any services to the network new DHCP request to a DHCP server. Click Connect to try to connect a PPPoE/PPTP this field displays n/a This table provides packet statistics for each interface Statistics Click this button to update the information in the screen 200 10.4 The Traffic Statistics Screen201 Traffic StatisticsFigure 145 Monitor > System Status > Traffic Statistics Table 37 on page Table 36 Monitor > System Status > Traffic Statistics Data Collection Collect Statistics real-time,but you can click the Refresh button to update it Click Apply to save your changes back to the ISG50 Reset Click Reset to return the screen to its last-savedsettings Ethernet, VLAN, bridge and PPPoE/PPTP interfaces 202 Table 36 Monitor > System Status > Traffic Statistics (continued)Top Select the type of report to display. Choices are: much traffic has been sent to and from each one for each one been visited Each type of report has different information in the report (below) Click this button to update the report display Flush Data These fields are available when the Traffic Type is Host IP Address/User of traffic IP Address/User addresses or users in this report is indicated in Table 37 on page Ingress- traffic is coming from the IP address or user to the ISG50 Egress - traffic is going from the ISG50 to the IP address or user Amount number of bytes passes the byte count limit. See Table 37 on page These fields are available when the Traffic Type is Service/Port amount of traffic Service/Port and service ports in this report is indicated in Table 37 on page Protocol This field indicates what protocol the service was using traffic Ingress - traffic is coming into the router through the interface Egress - traffic is going out from the router through the interface zero if the number of bytes passes the byte count limit. See Table 37 on page These fields are available when the Traffic Type is Web Site Hits Web Site is indicated in Table 37 on page Hits the hit count limit. See Table 37 on page 203 10.5 The Session Monitor Screen204 Table 38 Monitor > System Status > Session MonitorSelect how you want the information to be displayed. Choices are: sessions by users - display all active sessions grouped by user sessions by services sessions by source IP sessions by destination IP Destination Address, and display each session individually (sorted by user) automatically when you open and close the screen of sessions you must enter the whole user name is defined. (See Chapter 46 on page 619 for more information about services.) sessions you want to view. You cannot include the source port Destination whose sessions you want to view. You cannot include the destination port and Destination Address fields fields Active Sessions This is the total number of active sessions that matched the search criteria Show on the right to change pages This field displays the user in each active session display or hide details about a user’s sessions This field displays the protocol used in each active session details about a protocol’s sessions This field displays the source IP address and port in each active session details about a source IP address’s sessions This field displays the destination IP address and port in each active session details about a destination IP address’s sessions 205 10.6 The DDNS Status Screen10.7 IP/MAC Binding Monitor 206 10.8 The Login Users Screen207 10.9 Cellular Status Screen208 Table 42 Monitor > System Status > Cellular Status (continued)No device - no 3G device is connected to the ISG50 Limited Service Internet Device detected - displays when you connect a 3G device Device error - a 3G device is connected but there is an error Probe device fail - the ISG50’s test of the 3G device failed Probe device ok - the ISG50’s test of the 3G device succeeded Init device fail - the ISG50 was not able to initialize the 3G device Init device ok - the ISG50 initialized the 3G card Device locked - the 3G device is locked SIM error - there is a SIM card error on the 3G device SIM locked-PUK - the PUK is locked on the 3G device’s SIM card SIM locked-PIN - the PIN is locked on the 3G device’s SIM card entered an incorrect PUK entered an incorrect PIN entered an incorrect device code device Get dev-infofail - The ISG50 cannot get cellular device information Get dev-infook - The ISG50 succeeded in retrieving 3G device information Searching network - The 3G device is searching for a network Get signal fail - The 3G device cannot get a signal from a network Network found - The 3G device found a network Apply config - The ISG50 is applying your configuration to the 3G device Inactive - The 3G interface is disabled Active - The 3G interface is enabled Incorrect device - The connected 3G device is not compatible with the ISG50 Correct device - The ISG50 detected a compatible 3G device Set band fail - Applying your band selection was not successful Set band ok - The ISG50 successfully applied your band selection Set profile fail - Applying your ISP settings was not successful Set profile ok - The ISG50 successfully applied your ISP settings PPP fail edit screen the 3G connection Service Provider not been paid or the account has expired Cellular System when you insert a CDMA 3G card Signal Quality base station 209 Monitor > System Status > More InformationFigure 151 Monitor > System Status > More Information Table 43 Monitor > System Status > More Information Signal Strength This is the Signal Quality measured in dBm This shows the name of the company that produced the 3G device Manufacturer Device Model 210 10.10 USB Storage Screen211 10.11 The IPSec Monitor Screen212 Table 45 Monitor > VPN Monitor > IPSeccan use a keyword or regular expression. Use up to 30 alphanumeric and _+ .()!$*^:?|{}[]<>/ characters. See Section 10.11.1 on page 212 for more details Policy click Search to find it. You can use a keyword or regular expression. Use up to for more details above Select an IPSec SA and click this button to disconnect it Total Connection This field displays the total number of associated IPSec SAs connection per Select how many entries you want to display on each page Page x of entries addresses, not the address objects, are displayed N/A if the IPSec SA uses manual keys Timeout manual keys Inbound (Bytes) remote IPSec router to the ISG50 since the IPSec SA was established Outbound (Bytes) ISG50 to the remote IPSec router since the IPSec SA was established Click Refresh to update the information in the display 213 10.12 SIP Peer Screen214 10.13 FXS Peer Screen215 10.14 SIP Trunk Screen216 10.15 CTI Peer Screen217 10.16 FXO Trunk Screen218 10.17 BRI Trunk Screen219 10.18 ACD Queue Screen220 10.19 Log Screen221 Table 53 Monitor > LogShow Filter Click this button to show or hide the filter settings Hide Filter fields are available Address, Service, Keyword, and Search fields are available Display time, or you can view the Debug Log read-onlyif the Category is Debug Log that generated the log message. Do not include the port in this filter filter Source Interface generated the log message service to select which log messages you see Keyword Message not allowed would like to see filter settings Email Log Now Send Log To field on the Log Settings page (see Section 53.3.2 on page 710) Clear Log This field displays the time the log message was recorded Priority field above Category Display and (other) Category fields Message to generate into this one 222 10.20 Querying Call Recordings223 10.21 CDR Backup Screen224 Table 56 Monitor > Log > CDR (continued)Backup Now Click the Backup Now button to save a CDR backup file on the ISG50 delete from the ISG50 and click the Remove button Filename filename of the CDR takes the “cdr.YYYYMMDDHHMMSS.sgi.tgz” or “cdr.YYYYMMDDHHMMSS.csv.tgz” format Where: • cdr - indicates this is a Call Detail Record file • YYYYMMDD - is the year, month, and day indicating when the backup file was created minute, second format • tgz - indicates that this is a compressed. That can be decompressed using a compression utility such as WinRAR. The resulting decompressed files are MySQL database files that can be managed via a MySQL DBMS (Database Management System). See CDR Database Management via PostgreSQL on page deleted from the system 225 10.22 CDR Query Screen226 Table 57 Monitor > Log > CDR > Query (continued)Call Time hangs up limited by other search criteria Talk Time Caller Group Partially group configured on the ISG50 that you want to use as your search criterion Channel The channels can be either FXS extensions, FXO outbound channels, or SIP based use as your search criterion from this channel (SRC.), terminating via this channel (Dest.) or both (Both) Caller Number want to enter only a part of the telephone number to search for Dialed Number Displayed Item • Call Date - The date and time the call took place (start time) Caller ID • Caller Number - The telephone number from which the call originated • Called Number - The telephone number of a callee Caller Group outbound line group used to make the call Src. Channel originated • Dst. Channel - The type of outbound line group, if the callee is outside your organization or the extension type (SIP or FXS) if the callee is within your organization the parties hung up one of the parties hung up call was not answered • Record - Whether or not the call was recorded on the ISG50 • RTCP - RTCP information for voice quality troubleshooting 227 10.23 CDR Query Result Screen229 Registration11.1 Overview 230 11.2 The Registration Screen231 11.3 The Service Screen232 (license key) in this screen. Clickto open the screen as shown next Figure 169 Configuration > Licensing > Registration > Service Table 60 Configuration > Licensing > Registration > Service License Status This is the entry’s position in the list This lists the services that available on the ISG50 or expired (Expired) Registration Type is not activated Expiration date This field displays the date your service expires license. This field does not apply to the other services License Activation License Key service and expiration day) 233 Interfaces12.1 Interface Overview234 •Many interfaces can share the same physical port•An interface belongs to at most one zone •Many interfaces can belong to the same zone •Layer-3virtualization (IP alias, for example) is a kind of interface You can create several types of interfaces in the ISG50 VLAN interfaces •Cellular interfaces are for 3G WAN connections via a connected 3G device •Trunk interfaces manage load balancing between interfaces CHARACTERISTICS ETHERNET PPP CELLULAR VLAN BRIDGE VIRTUAL 235 Table 62 Relationships Between Different Types of InterfacesREQUIRED PORT / INTERFACE port group physical port Ethernet interface VLAN interface bridge interface Ethernet interface VLAN interface PPP interface WAN1, WAN2 virtual interface (virtual Ethernet interface) (virtual VLAN interface) (virtual bridge interface) trunk Cellular interface Section 6.6.3 on page •See Section 12.8 on page 276 for background information on interfaces Section 7.1 on page Section 7.2 on page •See Chapter 13 on page 281 to configure load balancing using trunks 236 12.2 Port Role237 12.3 Ethernet Summary Screen238 Table 64 Configuration > Network > Interface > EthernetDouble-clickan entry or select it and click Edit to open a screen where you can modify the entry’s settings want to remove it before doing so To turn on an interface, select it and click Activate To turn off an interface, select it and click Inactivate Create Virtual To open the screen where you can create a virtual Ethernet interface, select an Ethernet interface and click Create Virtual Interface This field displays the name of the interface the interface does not have an IP address yet This field displays the interface’s subnet mask in dot decimal notation Ethernet Edit Ethernet Summary Section 12.3 on page The WAN interface’s Edit > Configuration screen is shown here as an example With RIP, you can use Ethernet interfaces to do the following things •Enable and disable RIP in the underlying physical port or port group Select which version of RIP to support in each direction - The ISG50 supports Select the broadcasting method used by 242 This screen’s fields are described in the table belowTable 65 Configuration > Network > Interface > Ethernet > Edit Show Advance Settings / Hide Advance Settings Enable Interface Select this to enable this interface. Clear this to disable this interface Interface Type This field is read-only internal options: DHCP server and DHCP relay. The ISG50 automatically adds default SNAT settings for traffic flowing from this interface to an external interface automatically adds this interface to the default WAN trunk Interface Name underscores, and it can be up to 11 characters long This is the name of the Ethernet interface’s physical port such as firewall and remote management and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long subnet address object Get Automatically interface a DHCP client and automatically get the IP address, subnet mask, and gateway address from a DHCP server Use Fixed IP specify the IP address, subnet mask, and gateway manually Enter the IP address for this interface Subnet Mask interface Metric have the same priority, the ISG50 uses the one that was configured first Parameters Egress Enter the maximum amount of traffic, in kilobits per second, the ISG50 can send through the interface to the network. Allowed values are 0 Ingress This is reserved for future use from the network through the interface. Allowed values are 0 243 Table 65 Configuration > Network > Interface > Ethernet > Edit (continued)MTU smaller fragments. Allowed values are 576 - 1500. Usually, this value is These fields appear when Interface Properties is external failures are required before the ISG50 stops routing to the gateway. The ISG50 check Select this to turn on the connection check Connectivity Check Method Select the method that the gateway allows still available specify to make sure it is still available Check Period Enter the number of seconds between connection check attempts Check Timeout Check Fail Tolerance gateway Check Default Select this to use the default gateway for the connectivity check Check this domain name or IP address in the field next to it Check Port This field only displays when you set the Check Method to tcp. Specify the port number to use for a TCP connectivity check DHCP Setting These fields appear when Interface Properties is Internal or General These fields appear when on the network DHCP Relay - the ISG50 routes DHCP requests to one or more DHCP servers you specify. The DHCP server(s) may be on another network and DNS server information to the network. The ISG50 is the DHCP server for the The following fields appear if the ISG50 is a DHCP Relay Relay Server Enter the IP address of a DHCP server for the network The following fields appear if the ISG50 is a DHCP Server IP Pool Start Static DHCP Table interface’s IP address 244 Pool Sizelimited by the interface’s Subnet Mask. For example, if the Subnet Mask is 255.255.255.0 and IP Pool Start Address is 10.10.10.10, the ISG50 can allocate 10.10.10.10 to 10.10.10.254, or 245 IP addresses and the interface’s IP address Server, Second of the following ways to specify these IP addresses DNS Server Third DNS Custom Defined - enter a static IP address DNS relay First WINS want to send to the DHCP clients. The WINS server keeps a mapping table of the WINS Server Lease time before it has to request the information again. Choices are: infinite - select this if IP addresses never expire days, hours, and minutes Enable IP/MAC Binding users get to use specific IP addresses Enable Logs for Violation Static DHCP Table IP Pool Start Address and Pool Size Click this to create a new entry Select an entry and click this to be able to modify it Select an entry and click this to delete it Enter the IP address to assign to a device with this entry’s MAC address MAC Enter the MAC address to which to assign this entry’s IP address ()+/:=?!*#@$_% RIP Setting See Section 15.2 on page 302 for more information about RIP Enable RIP Select this to enable RIP in this interface list box BiDir - This interface sends and receives routing information In-Only - This interface receives routing information Out-Only - This interface sends routing information 245 Send VersionRIP packets. Choices are 1, 2, and 1 and Receive Version V2-Broadcast subnet broadcasting; otherwise, the ISG50 uses multicasting OSPF Setting See Section 15.3 on page 304 for more information about OSPF Area Designated Router (DR) or Backup Designated Router (BDR). The highest-priority Set the priority to zero if the interface can not be the DR or BDR Link Cost Enter the cost (between 1 and 65,535) to route packets through this interface Passive result, this interface only receives routing information that they use. Choices are: Same-as-Area - use the default authentication method in the area None - disable authentication Text - authenticate OSPF routing information using a plain-textpassword MD5 - authenticate OSPF routing information using MD5 encryption it can be up to eight characters long This field is available if the Authentication is MD5. Type the ID for MD5 authentication. The ID can be between 1 and This field is available if the Authentication is MD5. Type the password for MD5 authentication. The password can consist of alphanumeric characters and the underscore, and it can be up to 16 characters long address, or clone the MAC address of another device or computer By default, the ISG50 uses the factory assigned MAC address to identify itself Overwrite Default MAC or upload a different configuration file Related Setting Configure Click PPPoE/PPTP if this interface’s Internet connection uses PPPoE or PPTP PPPoE/PPTP Click OK to save your changes back to the ISG50 Click Cancel to exit this screen without saving 246 12.4 PPP Interfaces247 ConfigurationNetwork > Interface > PPP 248 Each field is described in the table belowTable 67 Configuration > Network > Interface > PPP The ISG50 comes with the (non-removable) System Default PPP interfaces pre System Default configured. You can create (and delete) User Configuration PPP interfaces Click this to create a new user-configuredPPP interface the entry’s settings confirms you want to remove it before doing so the interface is inactive The connect icon is lit when the interface is connected and dimmed when it is disconnected Account Profile This field displays the ISP account used by this PPPoE/PPTP interface 249 Figure 177 Configuration > Network > Interface > PPP > AddEach field is explained in the following table Table 68 Configuration > Network > Interface > PPP > Add 250 Table 68 Configuration > Network > Interface > PPP > Add (continued)Select the interface upon which this PPP interface is built Note: Multiple PPP interfaces can use the same base interface security settings the ISG50 uses for the interface keep the connection up all the time Dial-on-Demand costs money to keep the connection available ISP Setting (see Chapter 51 on page 661 for details) This field is read-only.It displays the protocol specified in the ISP account This field is read-only.It displays the user name for the ISP account This field is blank if the ISP account uses PPTP Click Show Advanced Settings to display more settings. Click Hide Advanced Settings to display fewer settings IP address automatically. The subnet mask and gateway are always defined automatically in PPPoE/PPTP interfaces Select this if you want to specify the IP address manually This field is enabled if you select Use Fixed IP Address two or more gateways have the same priority, the ISG50 uses the one that was configured first 251 12.5 Cellular Configuration Screen (3G)252 2G, 2.5G, 2.75G, 3G and 3.5G Wireless TechnologiesNAME MOBILE PHONE AND DATA STANDARDS DATA GSM-BASED CDMA-BASED SPEED To change your 3G WAN settings, click Note: Install (or connect) a compatible 3G USB to use a cellular connection 253 Figure 178 Configuration > Network > Interface > CellularTable 70 Configuration > Network > Interface > Cellular Click this to create a new cellular interface entry’s settings before doing so interface or to manually establish the connection References use the entry. See Section 12.3.2 on page 246 for an example inactive Connected This field displays the name of the cellular card ISP Settings To change your 3G settings, click (or ). In the pop-up 255 Table 71 Configuration > Network > Interface > Cellular > AddSelect this option to turn on this interface Select a name for the interface the security settings the ISG50 uses for the interface This is the USB slot that you are configuring for use with a 3G card the ISG50. Otherwise, it displays none available Idle timeout This value specifies the time in seconds (0~360) that elapses before the ISG50 Profile Selection profile (use Profile 1 unless your ISP instructed you to do otherwise) Select Custom to configure your device settings yourself APN method You can enter up to 63 ASCII printable characters. Spaces are allowed Dial String initialize the 3G card This field is available only when you insert a GSM 3G card The ISG50 supports PAP (Password Authentication Protocol) and CHAP (Challenge readily available on more platforms None: No authentication for outgoing calls CHAP - Your ISG50 accepts CHAP requests only PAP - Your ISG50 accepts PAP requests only 256 Table 71 Configuration > Network > Interface > Cellular > Add (continued)be alphanumeric or -_@$./.Spaces are not allowed exactly as the service provider gave it to you Spaces are not allowed SIM Card Setting This field displays with a GSM or HSDPA 3G card. A PIN (Personal Identification account to access the Internet If your ISP disabled PIN code authentication, enter an arbitrary number used in WAN load balancing and bandwidth management 257 Configure PolicyRoute selection Select this option If the ISP assigned a fixed IP address Address Device Settings Device Selection detect the type of card Band Selection you in your region do not know what networks are available You may want to manually specify the type of network to use if you are charged to you Select GPRS / EDGE (GSM) only to have this interface only use a 2.5G or 2.75G to select this so the ISG50 does not spend time looking for a WCDMA network does not use the GSM network 258 Home network is the network to which you are originally subscribednetwork is down, the ISG50's 3G Internet connection is also unavailable not subscribed when necessary, for example when the home network is down or another 3G base station's signal is stronger. This is recommended if you need of a different network Budget Setup Enable Budget Control when a limit is exceeded during the month Time Budget control, the ISG50 resets the statistics Data Budget can be transmitted via the 3G connection within one month Select Download/Upload to set a limit on the total traffic in both directions Reset time and data budget counters on on the last day of the month This button is available only when you enable budget control in this screen counters the time and data budget counters will still reset on the second Actions when Specify the actions the ISG50 takes when the time or data limit is exceeded over budget minutes) to send the log or alert New 3G Select Allow to permit new 3G connections or Disallow to drop/block new 3G connection Current 3G time new connection if the existing connection is disconnected 259 12.6 VLAN Interfaces260 Figure 181 Example: After VLANTraffic inside each VLAN is This approach provides a few advantages In this example, the new switch handles the following types of traffic: •Inside VLAN •Between the router and VLAN 261 Note: Each VLAN interface is created on top of only one Ethernet interfaceConfiguration > Network > Interface VLAN Figure 182 Configuration > Network > Interface > VLAN Table 72 Configuration > Network > Interface > VLAN Click this to create a new VLAN interface Create Virtual Create Virtual Interface the entry. See Section 12.3.2 on page 246 for an example Port/VID For VLAN interfaces, this field displays • the Ethernet interface on which the VLAN interface is created • the VLAN ID For virtual interfaces, this field is blank interface does not have an IP address yet assigned (DHCP). IP addresses are always static in virtual interfaces 262 VLAN Summary264 Table 73 Configuration > Network > Interface > VLAN > EditSelect this to turn this interface on. Clear this to disable this interface VLANs you can configure on the ISG50. For example, vlan0, vlan8, and so on Select the zone to which the VLAN interface belongs Base Port Select the Ethernet interface on which the VLAN interface runs VLAN ID are 1 - 4094. (0 and 4095 are reserved.) IP address, subnet mask, and gateway automatically same network as the interface 265 Table 73 Configuration > Network > Interface > VLAN > Edit (continued)the gateway the first time the gateway passes the connectivity check The DHCP settings are available for the OPT, LAN and DMZ interfaces to assign a static IP address to a specific computer, click Add Static DHCP 266 infinite - select this if IP addresses never expireonly the intended users get to use specific IP addresses attempts to use an IP address that is bound to another device’s MAC address Select this to enable RIP on this interface 267 12.7 Bridge Interfaces276 12.8 Interface Technical Reference281 Trunks13.1 Overview282 Chapter 13 Trunks• You can define multiple trunks for the same physical interfaces Figure 188 Link Sticking LAN user The ISG50 is using active/active load balancing. So when LAN user 283 Figure 189 Least Load First ExampleTable 83 Least Load First Example OUTBOUND LOAD BALANCING INDEX AVAILABLE (A) MEASURED (M) (M/A) 285 13.2 The Trunk Summary Screen286 The following table describes the items in this screenTable 84 Configuration > Network > Interface > Trunk Enable Link Sticking accessing server that are incompatible with a user's sessions coming from different links For example, this is useful when a server requires authentication This setting applies when you use load balancing and have multiple WAN interfaces set to active mode Specify the time period during which sessions from one source to the same destination are to use the same link Passive Connection Select this to drop a passive mode interface’s connections when the trunk’s active mode interface comes back up Enable Default SNAT ISG50 automatically adds SNAT settings for traffic it routes from internal interfaces to external interfaces Default Trunk Select the WAN trunk the ISG50 uses for routing traffic going through the Selection for Forwarding Traffic Select the WAN trunk the ISG50 uses for routing traffic originating from the System Service interface set to active mode Traffic User Configuration You can create your own User Configuration trunks system default SYSTEM_DEFAULT_WAN_TRUNK. You cannot delete it Click this to create a new user-configuredtrunk To remove a user-configuredtrunk, select it and click Remove. The ISG50 Select an entry and click Object References to open a screen that shows This field displays the label that you specified to identify the trunk This field displays the load balancing method the trunk is set to use Click this button to save your changes to the ISG50 Click this button to return the screen to its last-savedsettings 287 13.3 Configuring a Trunk288 13.4 Trunk Technical Reference289 Policy and Static Routes14.1 Policy and Static Routes Overview290 Source-BasedCost Savings – IPPR allows organizations to distribute interactive traffic on NAT - The ISG50 performs NAT by default for traffic going to or from the 291 14.2Policy Route Screen292 Note: Policy routes do not apply to the routing of PBX trafficFigure 195 Configuration > Network > Routing > Policy Route Table 86 Configuration > Network > Routing > Policy Route Advance Settings Enable BWM ISG50. You must enable this setting to have individual policy routes Use Policy Route to Override Direct See Section 6.5.1 on page 95 for how this option affects the routing table entry after the selected entry display a field to type a number for where you want to put that rule and press [ENTER] to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering This is the number of an individual policy route down, and dimmed when the entry is inactive means all users This is the name of the schedule object. none means the route is active at all times if enabled 293 Chapter 14 Policy and Static RoutesTable 86 Configuration > Network > Routing > Policy Route (continued) Incoming This is the interface on which the packets are received This is the name of the source IP address (group) object. any means all IP addresses DSCP Code This is the DSCP value of incoming packets to which this policy route applies any means all DSCP values or no DSCP marker The “af” entries stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. See Assured Forwarding (AF) PHB for DiffServ on page 299 for more details This is the name of the service object. any means all services Next-Hop destinations and can be a router, VPN tunnel, outgoing interface or trunk DSCP Marking the route’s outgoing packets preserve means the ISG50 does not modify the DSCP value of the route’s outgoing packets The “af” choices stand for Assured Forwarding. The number following the “af” This is the source IP address that the route uses It displays none if the ISG50 does not perform NAT for this route This is the maximum bandwidth allotted to the policy. 0 means there is no bandwidth limitation for this route 295 Table 87 Configuration > Network > Routing > Policy Route > Edit (continued)interface or VPN tunnel connection Select a source IP address object from which the packets are sent configuration here only best-efforttreatment any means all DSCP value or no DSCP marker User-Defined Use this field to specify a custom DSCP code point Select a schedule to control when the policy route is active. none means the route is active at all times if enabled route applies Select Auto to have the ISG50 use the routing table to find a next-hopand forward the matched packets automatically switch as a HOST address object first group based on the load balancing algorithm interface to a gateway (which is connected to the interface) the same segment as your ISG50's interface(s) tunnel through which the packets are sent to the remote network that is connected to the ISG50 directly have the ISG50 use the local network of the peer router that initiated an incoming dynamic IPSec tunnel as the destination address of the policy Leave this cleared if you want to manually specify the destination address to have the ISG50 send the packets via the interfaces in the group 296 This field displays when you select Interface in the Type field. Select anthe specified interface Auto-Disable connection is down this route details Select preserve to have the ISG50 keep the packets’ original DSCP value Select default to have the ISG50 set the DSCP value of the packets to Use this field to specify a custom DSCP value Translation to policy routes that use a VPN tunnel as the next hop Source Network Select none to not use NAT for the route interface, you can also configure port trigger settings for this interface interface must be in different subnets Otherwise, select a pre-definedaddress (group) to use as the source IP address(es) of the packets that match this route as the source IP address(es) of the packets that match this route Port Triggering and a dedicated range of ports on the server side port triggering rule click an entry to be able to modify it field that appears, specify the number to which you want to move the entry This is the rule index number 297 14.3 IP Static Route Screen298 Table 88 Configuration > Network > Routing > Static RouteClick this to create a new static route This is the number of an individual static route This is the destination IP address This is the IP subnet mask ISG50's interface(s). The gateway helps forward packets to their destinations higher priority the route has Figure 198 Configuration > Network > Routing > Static Route > Add Table 89 Configuration > Network > Routing > Static Route > Add Destination IP is always based on network number. If you need to specify a route to a single network number to be identical to the host ID Enter the IP subnet mask here Gateway IP The gateway helps forward packets to their destinations Select the radio button and a predefined interface through which the traffic is sent 299 14.4 Policy Routing Technical Reference302 Routing Protocols15.1 Routing Protocols Overview 15.2 The RIP Screen303 redistributeMetric Click Configuration > Network > Routing > RIP to open the following screen 304 15.3 The OSPF Screen305 Each type of area is illustrated in the following figureFigure 201 OSPF: Types of Areas 306 SOURCE \ TYPE OF AREANORMAL NSSA STUB 307 OSPF Add/Edit308 Click Configuration > Network > Routing > OSPF to open the following screenFigure 204 Configuration > Network > Routing > OSPF Table 94 Configuration > Network > Routing Protocol > OSPF Normal NSSA Stub 309 Chapter 15 Routing ProtocolsTable 94 Configuration > Network > Routing Protocol > OSPF (continued) Type the external cost for routes provided by static routes. The metric represents the “cost” of transmission for routing purposes. The way this is OSPF AS, and it can be between 1 and This section displays information about OSPF areas in the ISG50 Click this to create a new OSPF area can modify the entry’s settings to remove it before doing so This field displays the 32-bitID for each area in IP address format This field displays the default authentication method in the area Figure 205 Configuration > Network > Routing > OSPF > Add 310 Table 95 Configuration > Network > Routing > OSPF > AddArea ID Type the unique, 32-bitidentifier for the area in IP address format Select the type of OSPF area AS and about networks outside the OSPF AS send information outside the OSPF AS are directly connected to the NSSA. It does not have information about other networks outside the OSPF AS authentication. The key can consist of alphanumeric characters and the Authentication ID authentication in the area. The ID can be between 1 and characters and the underscore, and it can be up to 16 characters long Virtual Link to connect a different area (that does not have a direct connection to the Click this to create a new virtual link Peer Router ID This is the authentication method the virtual link uses. This authentication Hover your cursor over this label to display the password cursor over this label to display the authentication ID and key 311 15.4 Routing Protocol Technical Reference313 Zones16.1 Zones Overview 314 16.2The Zone Screen315 16.3 Zone Edit316 Table 98 Network > Zone > EditFor a system default zone, the name is read only 1-31alphanumeric characters, underscores(_), or dashes (-),but the first character cannot be a number. This value is case-sensitive Select this check box to block network traffic between members in the zone Member List editing, and click the right arrow button to add them to remove them Click OK to save your customized settings and exit this screen 317 DDNS17.1 DDNS Overview 318 17.2 The DDNS Screen319 Chapter 17 DDNSTable 100 Configuration > Network > DDNS (continued) Backup This field displays the alternate interface to use for updating the IP address mapped to the domain name followed by how the ISG50 determines the IP address for the domain name. The ISG50 uses the backup interface and IP check fails Figure 211 Configuration > Network > DDNS > Add 320 Table 101 Configuration > Network > DDNS > AddEnable DDNS Select this check box to use this DDNS entry dashes (-),but the first character cannot be a number. This value is case sensitive This field is read-onlywhen you are editing an entry Select the type of DDNS service you are using Username to 31 alphanumeric characters and the underscore. Spaces are not allowed Type the password provided by the DDNS provider. You can use up to alphanumeric characters and the underscore. Spaces are not allowed DDNS Settings Domain name Type the domain name you registered. You can use up to 255 characters Primary Binding Address if the interface specified by these settings is not available Select the interface to use for updating the IP address mapped to the domain name. Select Any to let the domain name be used with any interface The options available in this field vary by DDNS provider Interface field field between the ISG50 and the DDNS server Note: The ISG50 may not determine the proper IP address if there is an HTTP proxy server between the ISG50 and the DDNS server Custom - If you have a static IP address, you can select this to use it for the Custom IP to use for the domain name Backup Binding the interface specified by the Primary Binding Interface settings is not name. Select Any to let the domain name be used with any interface. Select None to not use a backup address 321 Table 101 Configuration > Network > DDNS > Add (continued)there are one or more NAT routers between the ISG50 and the DDNS server Enable Wildcard This option is only available with a DynDNS account Enable the wildcard feature to alias subdomains to be aliased to the same IP able to use, for example, www.yourhost.dyndns.org and still reach your hostname Mail Exchanger exchanger). For example, DynDNS routes e-mailfor john doe@yourhost.dyndns.org to the host record specified as the mail exchanger If you are using this service, type the host record of your mail server here Otherwise leave the field blank See www.dyndns.org for more information about mail exchangers Backup Mail Exchanger you. See www.dyndns.org for more information about this service 323 NAT18.1 NAT Overview 324 18.2The NAT Screen325 Table 102 Configuration > Network > NAT (continued)Mapped Port there is no restriction on the original destination port NAT Add/Edit Section 18.2 on page Figure 214 Configuration > Network > NAT > Add Table 103 Configuration > Network > NAT > Add Enable Rule Use this option to turn the NAT rule on or off Rule Name first character cannot be a number. This value is case-sensitive 326 Table 103 Configuration > Network > NAT > Add (continued)Classification Select what kind of NAT this rule is to perform available to a public network outside the ISG50 (like the Internet) 1:1 NAT - If the private network server will initiate sessions to the outside clients, select this to have the ISG50 translate the source IP address of the to access the server server. The private and public ranges must have the same number of IP One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule an Ethernet, VLAN, bridge, or PPPoE/PPTP interface Specify the destination IP address of the packets received by this NAT rule’s specified incoming interface any - Select this to use all of the incoming interface’s IP addresses including dynamic addresses or those of any virtual interfaces built upon the selected incoming interface having to create a virtual interface for it address This field is available if Original IP is User Defined. Type the destination IP address that this NAT rule supports Subnet/Range subnets or ranges must have the same number of IP addresses Defined field HOST address - the drop-downbox lists all the HOST address objects in the by the address object This field is available if Mapped IP is User Defined. Type the translated destination IP address that this NAT rule supports and mapped IP address subnets or ranges must have the same number of IP 327 Port Mappingany - this NAT rule supports all the destination ports Service - this NAT rule maps one service to another Port - this NAT rule supports one destination port one service See Appendix B on page 827 for some common port numbers Protocol Type UDP, or Any) used by the service requesting the connection this NAT rule supports port if this NAT rule forwards the packet Original Start of original destination ports this NAT rule supports Original End Port original destination ports this NAT rule supports Mapped Start of translated destination ports if this NAT rule forwards the packet Mapped End Port range and the mapped port range must be the same size Enable NAT Loopback specified Incoming Interface) to use the NAT rule’s specified Original IP address to access the Mapped IP device. For users connected to the same the source address for the traffic it sends from the users to the Mapped IP on page 328 for more details on the rule’s specified incoming interface rule to allow the NAT rule’s traffic to come in checks other firewall rules according to the source IP address and mapped IP (if it is new) or saving any changes (if it already exists) 328 18.3 NAT Technical Reference331 HTTP Redirect335 ALG341 IP/MAC Binding21.1 IP/MAC Binding Overview 342 21.2 IP/MAC Binding Summary343 Figure 227 Configuration > Network > IP/MAC Binding > EditTable 108 Configuration > Network > IP/MAC Binding > Edit IP address and subnet mask Enable IP Select this option to have this interface enforce links between specific IP MAC Binding addresses and specific MAC addresses. This stops anyone else from manually to make use only the intended users get to use specific IP addresses Enable Logs for IP/MAC interface attempts to use an IP address not assigned by the ISG50 This table lists the bound IP and MAC addresses. The ISG50 checks this table Bindings the interface’s edit screen This is the index number of the static DHCP entry This is the IP address that the ISG50 assigns to a device with the entry’s MAC This helps identify the entry 344 Table 108 Configuration > Network > IP/MAC Binding > Edit (continued)screen. Click the Figure 228 Configuration > Network > IP/MAC Binding > Edit > Add Table 109 Configuration > Network > IP/MAC Binding > Edit > Add you may want to list the computer’s owner 345 21.3 IP/MAC Binding Exempt List347 Authentication Policy22.1 Overview 22.2 Authentication Policy Screen348 Click Configuration > Auth. Policy to display the screen349 The following table gives an overview of the objects you can configureTable 111 Configuration > Auth. Policy Select this to turn on the authentication policy feature Exceptional Use this table to list services that users can access without logging in appear on the left. Select any services you want users to be able to access without logging in and click the right arrow button to add them. The member services are the right. Select any service that you want to remove from the member list, and click the left arrow button to remove them IP addresses Figure 231 Configuration > Auth. Policy > Add Exceptional Service Use this table to manage the ISG50’s list of authentication policies Policy Summary authentication policy that the ISG50 uses on traffic that does not match any but not delete it This displays the source address object to which this policy applies 350 Table 111 Configuration > Auth. Policy (continued)This displays the destination address object to which this policy applies means the policy is active at all times if enabled This field displays the authentication requirement for users when their traffic matches this policy. This is n/a for the default policy unnecessary - Users do not need to be authenticated screen. The ISG50 will not redirect them to the login screen If the entry has a description configured, it displays here Figure 232 Configuration > Auth. Policy > Add 351 Table 112 Configuration > Auth. Policy > AddEnable Policy user-configuredpolicies Spaces are allowed. This field is available for user-configuredpolicies Use this section of the screen to determine which traffic requires (or does not require) the senders to be authenticated in order to be routed default policy for the default policy policy Select the authentication requirement for users when their traffic matches this the default policy. See Chapter 53 on page 705 for more on logs Force User who have not logged in yet try to send HTTP traffic 353 Firewall23.1 Overview 360 23.2 The Firewall Screen361 If you enableChapter 18 on page •The ordering of your rules is very important as rules are applied in sequence Figure 242 Configuration > Firewall Table 117 Configuration > Firewall Enable Firewall when the firewall is activated Asymmetrical an asymmetrical or “triangle” route. This causes the ISG50 to reset the connection, as the connection has not been acknowledged Select this check box to have the ISG50 permit the use of asymmetrical route topology on the network (not reset the connection) LAN without passing through the ISG50. A better solution is to use virtual interfaces to put the ISG50 and the backup gateway on separate subnets Firewall Rule Summary 362 Table 117 Configuration > Firewall (continued)From Zone / To and to which zone they go or subnet on the LAN to either another computer or subnet on the LAN1 Zone From any to any displays all of the firewall rules To ISG50 rules are for traffic that is destined for the ISG50 and control which computers can manage the ISG50 ISG50 performs on traffic that does not match any other firewall rule This is the direction of travel of packets to which the firewall rule applies active at all times if enabled This is the user name or user group name to which this firewall rule applies This displays the source address object to which this firewall rule applies This displays the service object to which this firewall rule applies Access packets and sends a TCP reset packet to the sender (reject) or permits the passage of packets (allow) rule or not 363 Table 118 Configuration > Firewall > AddSelect this check box to activate the firewall rule rule applies any (Excluding DEVICE) means all interfaces or VPN tunnels Device means packets destined for the ISG50 itself rule. Spaces are allowed the rule is always effective This field is not available when you are configuring a to-ISG50rule disabled when the user logs out Otherwise, select any and there is no need for user logging any the user’s IP address should be within the IP address range if the policy is effective for every source any if the policy is effective for every destination Select a service or service group from the drop-downlist box 364 23.3 The Session Limit Screen365 Chapter 23 FirewallTable 119 Configuration > Firewall > Session Limit (continued) Rule Summary rule This is the address object to which this session limit rule applies This displays the information entered to help identify this rule Limit and the icon to display the Figure 245 Configuration > Firewall > Session Limit > Edit 366 Table 120 Configuration > Firewall > Session Limit > EditSelect this check box to turn on this session limit rule Enter information to help you identify this rule. Use up to 64 printable ASCII characters. Spaces are allowed when the user logs out any below, the user’s IP address should be within the IP address range if the policy is effective for every source address Session Limit per rule’s users or addresses can have per Host setting in the general Firewall Session Limit screen setting in the general 367 IPSec VPN24.1 IPSec VPN Overview369 Table 121 IPSec VPN Application ScenariosSITE-TO-SITE SITE-TO-SITEWITH REMOTE ACCESS DYNAMIC PEER (SERVER ROLE) (CLIENT ROLE) •See Section 6.6.14 on page 102 for related information on these screens •See Section 24.4 on page 386 for IPSec VPN background information •See Section 5.4 on page 77 for the IPSec VPN quick setup wizard •See Section 7.4 on page 113 for an example of configuring IPSec VPN 370 24.2The VPN Connection Screen371 Section 24.2.2 on pageSection 24.2.1 on page Table 122 Configuration > VPN > IPSec VPN > VPN Connection Select this to be able to use policy routes to manually specify the destination dynamic IPSec rules IPSec rules that do not match any of the policy routes for all dynamic IPSec rules Ignore ""Don't Fragment setting in packet header the header turned on To connect an IPSec SA, select it and click Connect To disconnect an IPSec SA, select it and click Disconnect entry is inactive field displays “manual key” This field displays what encapsulation the IPSec SA uses IPSec SA uses This field displays the local policy and the remote policy, respectively VPN Connection Add/Edit Gateway Configuration > VPN Connection Section 24.2 on page 373 Table 123 Configuration > VPN > IPSec VPN > VPN Connection > EditCreate new Object Select this check box to activate this VPN connection Connection when the SA life time expires Enable Replay Detection against Denial-of-Serviceattacks Enable NetBIOS Broadcast over Output System) packets through the IPSec SA and communicate with a LAN. It may sometimes be necessary to allow to find computers on the remote network and vice versa Application Select the scenario that best describes your intended VPN connection Scenario or a domain name. This ISG50 can initiate the VPN tunnel tunnel known as dial-inusers. Only the clients can initiate the VPN tunnel This ISG50 is the client (dial-inuser) and can initiate the VPN tunnel to add another VPN gateway for this VPN connection to use Manual Key the manual key fields Note: Only use manual key as a temporary solution, because it is not as secure as a regular IPSec SA Local Policy Select the address corresponding to the local network. Use Create new Object if you need to configure a new one Remote Policy 374 Table 123 Configuration > VPN > IPSec VPN > VPN Connection > Edit (continued)Enforcement for free access between the local and remote networks with source and destination IP addresses that do not match the local and Phase 2 Settings SA Life Time Type the maximum number of seconds the IPSec SA can last. Shorter life SA before the current one expires, if there are users who are accessing remote resources Active Protocol Select which protocol you want to use in the IPSec SA. Choices are: resistance), and non-repudiationbut not encryption. If you select AH, you must select an Authentication algorithm but its authentication is weaker. If you select ESP, you must select an Encryption algorithm and Authentication algorithm algorithm and algorithm Both AH and ESP increase processing requirements and latency (delay) The ISG50 and remote IPSec router must use the same active protocol Select which type of encapsulation the IPSec SA uses. Choices are Tunnel - this mode encrypts the IP header information and the data Transport - this mode only encrypts the data The ISG50 and remote IPSec router must use the same encapsulation Proposal This field is a sequential value, and it is not associated with a specific proposal. The sequence of proposals should not affect performance significantly Encryption and encryption algorithm to use in the IPSec SA. Choices are: NULL - no encryption key or algorithm DES - a 56-bitkey with the DES encryption algorithm 3DES - a 168-bitkey with the DES encryption algorithm AES128 - a 128-bitkey with the AES encryption algorithm AES192 - a 192-bitkey with the AES encryption algorithm AES256 - a 256-bitkey with the AES encryption algorithm that uses use the same encryption and the same key increased latency and decreased throughput 375 DH1DH2 DH5 376 Select the address object that represents the original source address (orsource address range (SNAT) the remote network the local network. The size of the original source address range (Source) must be equal to the size of the translated source address range (SNAT) Inbound Traffic the local network the original source address. The size of the original source address range (SNAT) Destination NAT This translation forwards packets (for example, mail) from the remote network to a specific computer (for example, the mail server) in the local display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed This field is a sequential value, and it is not associated with a specific NAT checked and executed Select the address object that represents the original destination address This is the address object for the remote network example, this is the address object for the mail server All These fields are available if the protocol is TCP or UDP. Enter the original Start / Original Port End port range must be the same size as the size of the mapped port range Start / Mapped destination port or range of translated destination ports. The size of the original port range must be the same size as the size of the mapped port range 377 VPN Connection Add/Edit Manual KeyVPN Connection summary Manual Key 378 Secure GatewayType the IP address of the remote IPSec router in the IPSec SA SPI is used to identify the ISG50 during authentication The ISG50 and remote IPSec router must use the same SPI Tunnel - this mode encrypts the IP header information and the data IPSec SA is used for communication between the ISG50 and remote IPSec router change select an Authentication Algorithm select an Encryption Algorithm and Authentication Algorithm The ISG50 and remote IPSec router must use the same protocol decreased throughput but it is also slower The ISG50 and remote IPSec router must use the same algorithm 379 24.3 The VPN Gateway Screen380 . The following screen appearsFigure 251 Configuration > VPN > IPSec VPN > VPN Gateway Section 24.3.1 on page Table 125 Configuration > VPN > IPSec VPN > VPN Gateway 381 VPN Gateway Add/EditVPN Gateway summary 382 Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > EditType the name used to identify this VPN gateway. You may use alphanumeric characters, underscores(_), or dashes (-),but the first Gateway Settings Select how the IP address of the ISG50 in the IKE SA is defined Ethernet interface, virtual VLAN interface or PPPoE/PPTP interface. The IP address of the ISG50 in the IKE SA is the IP address of the interface address or the IP address corresponding to the domain name. 0.0.0.0 is invalid Peer Gateway Select how the IP address of the remote IPSec router in the IKE SA is defined for the ISG50 to try if it cannot establish an IKE SA with the first one Select Dynamic Address if the remote IPSec router has a dynamic IP address (and does not use DDNS) Note: The ISG50 and remote IPSec router must use the same authentication method to establish the IKE SA Pre-SharedKey pre-sharedkey in the field to the right. The pre-sharedkey can be • 8 - 32 alphanumeric characters or ,;|`~!@#$%^&*()_+\{}': • 8 - 32 pairs of hexadecimal (0-9, A-F)characters, preceded by “0x” enter twice as many characters since you need to enter pairs The ISG50 and remote IPSec router must use the same pre-sharedkey Select this to have the ISG50 and remote IPSec router use certificates to authenticate each other when they negotiate the IKE SA. Then select the certificate the ISG50 uses to identify itself to the remote IPsec router is self-signed,import it into the remote IPsec router. If this certificate is signed by a CA, the remote IPsec router must trust that CA Note: The IPSec routers must trust each other’s certificates IPSec router’s certificate. The trusted certificate can be a self-signed certificate or that of a trusted CA that signed the remote IPSec router’s certificate 383 Table 126 Configuration > VPN > IPSec VPN > VPN Gateway > Edit (continued)Local ID Type ISG50 during authentication. Choices are: IP - the ISG50 is identified by an IP address DNS - the ISG50 is identified by a domain name E-mail - the ISG50 is identified by an e-mailaddress Content identity depends on the Local ID Type situations: • There is a NAT router between the ISG50 and remote IPSec router SA requests that come from IPSec routers with dynamic WAN IP Type DNS - type the domain name; you can use up to 31 ASCII characters used for identification and can be any string This value is only used for identification and can be any string Peer ID Type during authentication. Choices are: IP - the remote IPSec router is identified by an IP address DNS - the remote IPSec router is identified by a domain name E-mail - the remote IPSec router is identified by an e-mailaddress Any - the ISG50 does not check the identity of the remote IPSec router If the ISG50 and remote IPSec router use certificates, there is one more choice the certificate 384 Peer ID TypeID Type Note: If Peer ID Type is IP, please read the rest of this section Gateway Address Peer ID Main Aggressive 386 24.4 IPSec VPN Background Information397 Bandwidth Management25.1 Overview 404 25.2 The Bandwidth Management Screen405 Click Configuration > Bandwidth Management to open the following screenFigure 267 Configuration > Bandwidth Management Section 25.2.1 on page Table 133 Configuration > Bandwidth Management Select this check box to activate management bandwidth Highest call sound quality. This has the ISG50 immediately send SIP traffic upon Priority for SIP Traffic and does not record SIP traffic bandwidth usage statistics [ENTER] to move the entry to the number that you typed sequence does not affect the functionality, you might improve the performance of the ISG50 by putting more common conditions at the top of the list Destination Port This field displays the specific port number to which this policy applies always applies the policy applies to all users This is the source zone of the traffic to which this policy applies 406 This is the destination zone of the traffic to which this policy appliesdisplays, the policy is effective for every source any displays, the policy is effective for every destination this policy In - Inbound, the traffic the ISG50 sends to a connection’s initiator Out - Outbound, the traffic the ISG50 sends out from a connection’s initiator If this field displays a DSCP value, the ISG50 applies that DSCP value to the route’s outgoing packets These fields show the amount of bandwidth the traffic can use In - This is how much inbound bandwidth, in kilobits per second, this policy management for the inbound traffic Out - This is how much outgoing bandwidth, in kilobits per second, this policy bandwidth management for the outbound traffic treated as being set to the lowest priority (7) regardless of this field’s configuration 407 ManagementFigure 268 Configuration > Bandwidth Management > Edit Table 134 Configuration > Bandwidth Management Select this check box to turn on this policy zero, if this policy applies for every port number any to make the policy always effective 602 for details). Select any to apply the policy for every user Select the source zone of the traffic to which this policy applies Select the destination zone of the traffic to which this policy applies Select a source address or address group for whom this policy applies. Use is effective for every source is effective for every destination Select any to apply the policy to both TCP and UDP traffic 408 this policy. Inbound refers to the traffic the ISG50 sends to a connection’sinitiator number following the “af” identifies one of four classes and one of three drop Inbound kbps traffic to use. Inbound refers to the traffic the ISG50 sends to a connection’s matching traffic that the ISG50 sends to the initiator. Traffic with bandwidth treated as the lowest priority (7) Outbound traffic to use. Outbound refers to the traffic the ISG50 sends out from a connection’s initiator set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority between traffic flows with the same priority priority (7) regardless of this field’s configuration “borrow” any unused bandwidth on the out-goinginterface out-goinginterface amongst applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled 411 ADP26.1 Overview 412 26.2 The ADP General Screen413 26.3 The Profile Summary Screen414 •Delete an existing profileFigure 270 Base Profiles These are the default base profiles at the time of writing Table 136 Base Profiles BASE PROFILE none All traffic anomaly and protocol anomaly rules are disabled. No logs are generated nor actions are taken all taken on packets that trigger them Click OK to save your changes Select Configuration > Anti-X> ADP > Profile Figure 271 Configuration > Anti-X> ADP > Profile 415 Traffic Anomaly417 Table 138 Configuration > ADP > Profile > Traffic Anomalyvalue is case-sensitive.These are valid, unique profile names: MyProfile mYProfile Mymy12_3-4 These are invalid profile names: 1mYProfile My Profile MyProfile Whatalongprofilename123456789012 Scan/Flood Sensitivity your network. If you choose low sensitivity, then scan thresholds and sample traffic anomaly attacks may not be detected If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives Block Period victim (destination) of a detected anomaly attack To edit what action the ISG50 takes when a packet matches a rule, select the signature and use the Action icon none: The ISG50 takes no action when a packet matches the signature(s) nor receiver are notified sort in ascending or descending order according to the rule name These are the log options. To edit this, select an item and use the Log icon this, select an item and use the Action icon Threshold that causes the ISG50 to take the configured action the profile summary page 418 Protocol Anomaly420 Table 139 Configuration > ADP > Profile > Protocol AnomalyThis is the name of the profile. You may use 1-31alphanumeric characters HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder have the ISG50 take no action when a packet matches a rule have the ISG50 silently drop a packet that matches a rule. Neither sender nor receiver are notified flag. If it is an ICMP or UDP attack packet, the ISG50 will send an ICMP unreachable packet reject-receiver:Select this action on an individual signature or a complete service group to have the ISG50 send a reset to the receiver when a packet a ‘RST’ flag. If it is an ICMP or UDP attack packet, the ISG50 will do nothing group to have the ISG50 send a reset to both the sender and receiver when a the ISG50 will send an ICMP unreachable packet #This is the entry’s index number in the list sort in ascending or descending order according to the protocol anomaly rule Activation Click the icon to enable or disable a rule or group of rules 421 26.4 ADP Technical Reference429 Global PBX Settings27.1 Overview430 Chapter 27 Global PBX SettingsPeer to peer Section 27.6 on page QoS Section 27.7 on page TAPI Section 27.8 on page The following terms and concepts may help you as you read through the chapter The following problems can occur on a congested network with poor QoS settings: Latency Jitter Packet Loss 431 27.2 The SIP Server Screen432 Table 141 Configuration > PBX > Global > SIP Servermust provide for authentication your SIP clients need to use to register with the ISG50 You can also enter up to two different alternate ports Default SIP Client Expiration password and realm when you register registration record is deleted than the time set in this field RTP Port Range handle voice data transfer the end of the range in the second field Default Ring Time incoming calls 433 27.3 The Feature Code Screen434 Table 142 Configuration > PBX > Global > Feature CodeGroup Pickup authority group This code is used to transfer calls Direct Pickup Follow Me On This code is used to turn the Follow Me feature on for this extension Follow Me Off This code is used to turn the Follow Me feature off for this extension This code is used to access voice mail on the ISG50 mobile extension extension; they are sent strictly to your regular extension calls intended for your extension to your cell phone Demand must also be enabled in the call recording setup. See Section 35.2 on page Second Dial your phone, the ISG50 opens a connection to the outside telephone network returned specific number to access an outside line Second Dial number in conjunction with any phone numbers dialed Internal Operator (0 or 9) extension must already exist in the ISG50 435 27.4 The E-MailScreen27.5 The Fake IP Screen 436 27.6 The Peer to Peer Screen437 Table 145 Configuration > PBX > Global > Peer to PeerEnable Peer to Peer Local Net for Peer to Peer Local Net for Peer to peer Click this to add a new entry to the local net list Click this to delete the selected item(s) in this list This field is a sequential value and is not associated with a specific entry Local Net for Peer to Peer if the Local Net IP address is 192.168.1.0/24, then any device with an IP from same host range The first phone Next, the ISG50 accepts the invite on behalf of the second phone The ISG50 sends an new invite to When The ISG50 sends out a 438 BridgePeer to Peer and click the Add icon in the Local Net for Peer to Peer 439 Table 146 Configuration > PBX > Global > Peer to Peer > AddIPv4 subnet in CIDR format peer networking Peer-to-peercalls can be made through the ISG50, but with certain limitations: Peer-to-peer Local Net =192.168.1.0/24 Local Net = 192.168.1.0/24 440 27.7 The QoS Screen442 27.8 The TAPI Screen443 Table 148 Configuration > PBX > Global > TAPI (continued)Server1/2 Specify the password for the TAPI server account You can use up to 63 printable ASCII characters (see button to exclude them Client TAPI Lines connection, and click the right arrow button to add them arrow button to exclude them Licensed Not Licensed) or expired (Expired) License Type Trial service with your iCard’s PIN number (Standard). This field shows None when the service is not activated Apply New activate or extend a service TAPI Driver sure your ISG50 has Internet access order to communicate with the ISG50 using TAPI connections To download and install the driver: 444 DownloadConfigure 445 SettingsConnect 446 Devicesstart > Control Panel > Phone and Modem Options 447 27.9 Network Technical Reference448 Voice Interfaces453 Extension Management29.1 Overview 458 29.2 The Authority Group Screen459 Table 153 Add Authority Groupalphanumeric characters (A-Z, a-z, 0-9)and underscores (_) Type 1-5digits to use as an ID for this authority group Type a brief description for this authority group. You can use 0-63alphanumeric characters (A-Z, a-z, 0-9)and spaces. 0 means this field can be left blank 460 Figure 296 Authority Group EditTable 154 Authority Group Edit This field displays the name of the authority group you are configuring after the selected entry 461 29.3 Extension Features462 •Your extension is busyUnconditionally, forwards all calls to a specific extension or your voice mail There is no answer at your extension. This also allows you to set up a Find Me List Call Blocking Voice Mail Forwarding Authority Group Edit Figure 297 Extension Add/Edit: Basic Table 155 Extension Add/Edit: Basic Select the authority group you want this extension to belong to vary based on the interface type FXS Interface Select the port upon which to configure the FXS interface 463 Table 155 Extension Add/Edit: Basic (continued)10 digits. This is configurable when adding an extension Web/VM PIN Code web portal or Voice Mail SIP Auth. User the ISG50 must provide this for authentication. The user name can be alphanumeric characters (A-Z, a-z, 0-9) SIP Auth. Password can be 3-32alphanumeric characters (A-Z, a-z, 0-9).Spaces are not allowed Department Type the department for this SIP extension. This field can be 0-40alphanumeric can be left blank First Name means this field can be left blank Last Name characters (A-Z, a-z, 0-9)and spaces. 0 means the field can be left blank Chapter 31 on page Section 34.8 on page 465 Table 156 Extension Add/Edit: Call Forwardcall forwarding during those office hours this screen for this extension Day of Week spaces, underscores and hyphens allowed) Call Forward Use this section to configure call forwarding settings for the extension DND (Do Not Select Disable to turn this feature off for this extension Disturb) off. Use the Add, Edit, and Remove icons to create, modify, or delete entries Select Voice Mail and the ISG50 will forward calls directly to voice mail Blind Forward The ISG50 will forward all incoming calls to that extension Busy Forward (analog phones) extensions incoming calls are put into a call waiting queue Select Voice Mail to forward calls directly to voice mail 466 Table 156 Extension Add/Edit: Call Forward (continued)No Answer Forward List Edit, and Remove icons to create, modify, or delete Find Me List entries After Office Hours Call Blocking Use this section to configure call blocking settings for the extension Black List delete entries Block the calls without Caller ID Use this section to configure your mobile extension settings Mobile feature codes calls to use this feature For more information on feature codes, see Section 27.3 on page Dial Rule Least Cost Routing rules used in Configuration > PBX > Outbound Line Least Cost Routing rules used in Management > LCR. For more information, see Chapter 32 on page outbound connections such as FXO cannot use this option 467 Figure 299 Extension Add/Edit: Voice MailTable 157 Extension Add/Edit: Voice Mail Received E-mail this email address Attached Voice File you specified in the Received E-mailAddress field Delete Voice Message After emailed Mailed 468 Figure 300 Extension Add/Edit: AdvancedTable 158 Extension Add/Edit: Advanced Codec ISG50: • G.711 alaw (typically used in Europe) • G.711 ulaw (typically used in North America and Japan) G.729 G.722 G.723.1 G.726 See Voice Codecs on page 475 for more information When two SIP devices start a SIP session, they must agree on a codec H.261 H.263 H.264 MP4 See Video Codecs on page 475 for more information Codec Pool Right button 469 Table 158 Extension Add/Edit: Advanced (continued)Codec List Extra use the same mode as your VoIP service provider. The choices are: rfc2833 inband are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones • info - Send the DTMF tones in SIP messages MWI Enable any one of them Batch Add Figure 301 Batch Add SIP Extensions 470 Table 159 Batch Add SIP ExtensionsSelect the authority group you want these extensions to belong to Start Number digits long Step/Interval Type the value of the increment, which the ISG50 uses to create this range of extensions page 229) ISG50. The user names for these SIP accounts are the extension numbers. The more secure you can add a prefix or a postfix to these extensions extensions you create become “1 + extension number” the Prefix and Postfix fields your VoIP service provider. The choices are: communicating with the ISG50. The following codecs are supported by the ISG50: 471 29.4 The Group Access Code Screen472 29.5 The Click To Talk Group Screen473 Table 162 Click To Talk Group Settingswhen adding a CTT group 0-9) Extensions List This section lists the extensions that belong to this CTT group Click this to add an extension to this CTT list Click this to edit the selected entry Sample Code Sample Code a web page for calling the extension Extension Name Extensions list cannot be changed Dial Number This indicates the extension associated with this CTT item. This extension must authorized in Group Management authorized in 474 WEB_SERVER_ADDR475 29.6 Authority Group Technical Reference477 Outbound Trunk Group30.1 Overview 481 30.2Outbound Trunk Group Screen482 Table 165 Outbound Line Management > Outbound Trunk GroupSIP Trunk / Trust Peer / FXO / BRI configured: service provider Trust Peer ISG50) that has configured your ISG50 as a trusted peer • FXO - refers to a connection from the ISG50 to the PSTN (your local telephone company) via the FXO port on the ISG50 BRI port on the ISG50 Auto Attendant line group Trunk Name This field displays the name of an outbound line trunk This field displays the description for an outbound line trunk 483 SIP Trunk SettingsOutbound Trunk Group Figure 312 SIP Trunk Add/Edit 484 Table 166 SIP Trunk Add/Edit0-9)and underscores (_). The first character must be a letter blank Representative ASCII characters SIP Proxy Server SIP server is a proxy, redirect or register server Otherwise, keep the default value SIP Register Server Address Server Address field. You can use up to 64 printable ASCII characters Server Port Port field Service Domain set characters. If you choose not to use a service domain, select Disable Outbound Proxy Select Define Outbound Proxy and enter the IP address or domain name of the one. Otherwise, leave it as the default ‘5060’ If the outbound proxy is disabled, then this port will be ignored provider. The choices are: Enable Privacy “Anonymous”<Anonymous@172.1.1.253 Proxy Require SIP service provider Channel-limit connection at one time Session Timer your network or Internet, then it is suggested that you use the session timer 485 Chapter 30 Outbound Trunk GroupTable 166 SIP Trunk Add/Edit (continued) seconds uses this value instead certain period of inactivity CallerID Setting make VoIP phone calls The default format is “From: “Extension”<Extension@Server IP>” The default format is CallerID Viewer configure in the CallerID Name & Number and The Extension Prefix fields configure in the CallerID Name & Select the caller ID display format to use for the SIP trunk’s outgoing calls address (C). The caller ID has the following format: “A”<B@C The choices are: 12345555 can map to the extension 1111.) • Extension + Extension: Displays the caller’s extension number in A and B. For example, “1111”<1111@10.1.1.1 the SIP trunk’s representative number in B. For example “1111”<12345678@10.1.1.1 • Representative Num. + Representative Num.: Displays the SIP trunk’s : Displays the SIP trunk’s • Extension + Representative Num (DDI/DID mapped): Displays the caller’s : Displays the caller’s the representative number in B • Representative Num (DDI/DID mapped) + Representative Num (DDI/DID displays the representative number in A and B The Extension Specify whether to add a prefix number in the callerID name when you make calls format of CallerID Name & Number you selected (:), periods (.), hyphens (-)and pluses (+) ISG50 must provide this for authentication This field can be 1-20alphanumeric characters (A-Z, a-z, 0-9) (+), periods (.), and “at” symbols (@) 486 Codec Settingquality order) are supported by the ISG50: See Video Codecs on page 475 for more information on video codecs Chapter 31 on page 487 Figure 313 SIP Auto Attendant and DDI SetupTable 167 SIP Auto Attendant and DDI Setup outbound line trunk extension’s settings group of agents associated with a specific skill name machine located at a specific extension line group to an extension agents to associate with this outbound line trunk Number for Fax the fax machine you want to forward calls to extension you want to forward calls to DDI/DID Mapping This field displays the representative number configured for the trunk 488 SIP "To" Headerdo the DDI/DID mapping. If this SIP trunk outbound line group has DDI/DID mode mapping settings and sets the DDI/DID Mask to Clear this to use the SIP request URI to do the DDI/DID mapping DDI/DID Mask DID number(s). 0 means you can enter any number of digits for the next DDI/DID number(s) extensions directly DDI/DID Number directly DID number DDI/DID Mapping Summary Figure 314 Add DDI/DID Number 489 Table 168 Add DDI/DID NumberThe number of digits you can enter in this field depends on what you set in the Representative Number DDI/DID Mask field separated by a hyphen). For example, 5783900 or Select Extension Number and enter the extension number to which the DDI/DID ten digits separated by a hyphen). For example, 5783900 or Alternatively, select Auto-Attendant to forward the matched DDI calls to auto attendant 490 Trust Peer Settings491 Table 169 Trusted Peer Trunk Add/Edit9) and underscores (_). The first character must be a letter 492 Table 169 Trusted Peer Trunk Add/Edit (continued)make external calls through this trunk connection. The default is “zyxel” Select the caller ID display format you want to use when you make calls 494 Figure 316 Trusted Peer Auto Attendant and DDI SetupTable 170 Trusted Peer Auto Attendant and DDI Setup the Fax machine you want to forward calls to Option Select DDI/DID to map a dialed number through this outbound line group to an extension or direct it to the auto attendant for incoming calls their called numbers 495 Enable Routing byand sets the DDI/DID Mask to mapping FXO Trunk Figure 317 Add/Edit FXO Trunk 496 Table 171 Add/Edit FXO Trunk(A-Z, a-z, 0-9)and underscores (_). The first character must be a letter and click the Right icon if you want to add it to this outbound line group Used Interface outbound line group and pick one of them available for an outgoing call Figure 318 AA for FXO or BRI Trunk 497 Table 172 AA for FXO or BRI TrunkThis field displays the name of the outbound line trunk Apply AA Type group to an Auto-Attendantsystem first display ISG50 for this option to display Option BRI 498 Settings500 Figure 322 BRI Trunk - Add/Edit: DirectTable 173 BRI Trunk Add/Edit a-z, 0-9)and underscores (_). The first character must be a letter Specify the service type for this BRI trunk be required by your telephone company for outgoing calls using DDI/DID. See DDI (Direct Dial In) on page 479 for more information Attendant system first. See Section 31.1 on page 503 for more information extensions. See page 478 for more information Directory Number 501 Table 173 BRI Trunk Add/Edit (continued)Direct outbound group the outbound group This field displays for MSN. There the MSN number the interface is to use use Use this section to configure your DDI mapping table DDI mask of 2 applied to the incoming ISDN number 555-123456would identify the numbers This is the DDI number This is the DDI number’s associated extension number sees when the ISG50 sends a call out through this BRI trunk number defined in the Directory Number field number in the field. This field can be 3-20digits in length extension number Hide Calling Party DID 502 BRI Trunk - AddFigure 323 Add BRI Trunk DDI/DID Mapping Table 174 Add BRI Trunk DDI/DID Mapping 5783900 or Section 30.2.7 on page 503 Auto-attendant31.1 Overview504 IncomingCall Menu1 Sales Incoming Call Home Menu Customer Service Operator Home Menu Customer Service Menu-1 Menu-21 505 31.2 The Default Auto-AttendantScreen506 Figure 328 Auto-Attendant> DefaultTable 175 Auto-Attendant> Default Greeting Upload Audio File and Upload to copy it to the ISG50 The audio file you upload must meet the following criteria: • PCM format, 16 kHz, 16-bit,mono mode (*.wav) Record Audio File Audio File State Playback the audio file to hear how it sounds Operator Settings key, his calls is routed to the associated Extension the call is routed to this extension 507 31.3 The Customized Auto-AttendantScreen508 Table 176 Auto-Attendant> Customized (continued)your computer Upload Select an entry and click Upload to upload a backup audio file for it This field displays the name assigned to an auto-attendant This field displays the description for an auto-attendant Audio File Use this section to manage your auto attendant audio files Quota Usage files before adding more Total This is the ISG50’s total available audio recording time Used This is how much of the ISG50’s audio recording time is already used Free This is the ISG50’s remaining available audio recording time Delete Audio File to use or All to delete all of the audio recordings Outbound Line Management Figure 330 Auto-Attendant> Add/Edit Table 177 Auto-Attendant> Add/Edit a-z, 0-9)and underscores (_) (A-Z, a-z, 0-9)and spaces. 0 means this field can be left blank 509 Figure 331 Office Hours SettingTable 178 Office Hours Setting and Upload to copy it to IP-PBX Enable Dial the Options table below 510 Table 178 Office Hours Setting (continued)Forward to a specific extension extension, ACD, page group, hunt group, or user defined number directly Play audio file before forward to a specific extension Action for Time Out This section displays the actions configured for this auto-attendantmenu Add Option Click this to create a new option entry Add Child sub-entry.See Section 31.3.4 on page 512 for details Select an entry and click Edit to open a screen where you can modify it This field displays the digits a caller must dial to perform an action This field displays the function of an option a sub menu Click Next Menu to configure the settings for a sub menu This field displays the description for this action •PCM format, 16 kHz, 16-bit,mono mode (*.wav) 511 OptionsFigure 332 Add/Edit Option Setting Table 179 Add/Edit Option Setting length Specify the action for this auto-attendantoption. The choices are: • Forward to an extension - to forward a call to a specific extension details on using this feature Forward to page group Chapter 37 on page 549 for details on this feature Forward to hunt group Section 38.5 on page 562 for details on this feature • Forward to an Auto-Attendant - to forward the call to the auto attendant you specify. See Chapter 31 on page 503 for details on this feature phone number you specify. Enter a number 3-20digits in length • Forward to a sub menu - to forward a call to child menu that you configure • Repeat menu - to replay the auto-attendantaudio file for this menu field can be 3-20digits in length 512 Night Servicesub-menu Figure 333 Auto-AttendantSub Menu Table 180 Auto-AttendantSub Menu action you specify. The choices are: Section 38.5 on page configured digits in length 513 screen click theicon for an item in the auto-attendant list and select the tab to view a screen as shown next Figure 334 Night Service Setting Table 181 Night Service Setting Enable Night them off 514 Table 181 Night Service Setting (continued)Section 31.3.3 on page 515 Temporary GreetingSchedule Greeting 516 31.4 Technical Reference519 LCR32.1 Overview520 Chapter 32 LCRResearch Figure 342 LCR Components Example Research Section 32.2 on page Chapter 30 on page Chapter 33 on page Authority Groups Trusted SIP Peers Outbound Line Groups Section 30.1 on page Before you start to configure an LCR, please consider the following 521 32.2LCR523 Chapter 32 LCR(LCR) column Pool column to specify the priority of the outbound line groups Selected click the Up button to raise its priority click the Down button to lower its priority Number Pattern Test Dial Condition field X appears, if the number you typed does not match the dial condition dialing rule (LCR) 525 is sent out from the ISG50Postfix sent out from the ISG50 This field displays the number to which a dial parameter applies 526 Group Management33.1 Overview 530 33.2Group Management Screen531 Configuration > PBX > Group ManagementFigure 352 Configuration > PBX > Group Management > Edit Table 187 Configuration > PBX > Group Management > Edit link This field identifies whether you are creating a link to: Authority Group - another set of extensions on the ISG50 LCR - an outbound dialing rule containing outbound line groups Association between the group you are configuring and another group 532 Call Services544 Call Recording35.1 Overview 545 35.2Configuring the Call Recording Screen546 Table 199 Configuration > PBX > Call RecordingSet the maximum number of minutes of call recording on the ISG50 Quota Recording calls that it records Prompt Beep Frequency recording. Set the interval here. 0 means there is no beep Enable On demand to set the number a user dials to enable on-demandcall recording Full-time Use this list boxes to select the trunks the ISG50 records all the time Recording Peer it for recording trunk’s calls select it for recording this extension’s calls 547 Meet-meConference549 Paging Group37.1 Overview 37.2 The Paging Group Screen550 Chapter 37 Paging GroupTable 202 Configuration > PBX > Paging Group Paging Group Figure 369 Add Paging Group 551 Table 203 Add Paging Groupnumber can be from 3 to 10 digits long have to dial a PIN code to call the extensions in this page group Max Paging Time Type the maximum number of seconds that a person can page a group of extensions. Use 0 to set the paging time to “unlimited” Type a description for this page group Extensions Move the extensions you want to be in this page group to the Selected clicking the Right button Remove the extensions you don’t want to be in this page group from the 553 ACD38.1 Overview554 Chapter 38 ACDSkill Menu Section 38.6 on page ***03 ***04 Section 27.3 on page To link the ACD system with the auto-attendantfeature: 556 38.2 The ACD Global Screen38.3 The Agent Screen557 Table 205 ACD > Agent Listmodify it This indicates the identification number of the agent This indicates the name of the agent This displays a brief description about the agent Use this screen to create or edit an agent’s settings Table 206 Agent List > Agent Setting Enter an identification number for this agent. It can be 3~20 digits (0-9).No existing extension numbers An agent must use this ID to log into the ACD system ***03 You can also use this code to log out later No spaces, underscores, or hyphens are allowed An agent must use this password to log into the ACD system 558 38.4 The Skill Screen559 Click Add or Edit in the Skill screen to display this screenFigure 375 Add Skill Add Skill 560 Table 208 Add SkillSkill Setting 3~10 digits (0-9).No spaces, underscores, or hyphens are allowed When this screen is in Edit mode, this number cannot be changed Enter a name for this skill. It can be any combination of 1~32 alphanumeric Select the method for the ISG50 to decide the ring order of extensions associated with this skill least recently called • Round Robin - This strategy takes turns ringing each available agent number of calls, in order, from lowest to highest • Random - This strategy rings a random extension • Ring All - This strategy rings all extensions at the same time until one answers No Login Action Fields: No Available • No Logon Action - If all agents associated with a skill do not log in or log them Timeout Action • No Available Action - If no agent associated with this skill is available to sent to that agent • Timeout Action - If a call to an agent associated with this skill times out agent Possible actions are: this skill. (No Available Action only.) • No Timeout - This action keeps the caller on the line indefinitely while the extension is rung. (Timeout Action only.) • Hang Up - This action disconnects the call more than 1 skill, a submenu with all available skill appears • Page Group - This action forwards the call to the page group you specify See Chapter 37 on page 549 for details on this feature • Hunt Group - This action forwards the call to the hunt group you specify See Section 38.5 on page 562 for details on this feature • Auto Attendant - This action routes the call back to the auto attendant system you specify • Extension - This action routes the call to the specified extension • Voice Mail - This action engages the extension owner’s voice mail Waiting Music on Music On Hold, see Section 34.6 on page Max. Waiting Calls the agents associated with this skill 561 Table 208 Add Skill (continued)Waiting Timeout Enter the duration in seconds (up to 99999) that the call to the agents associated with the skill rings before timing out Once a call times out, the action defined in Timeout Action applies. This timeout only applies to calls in the queue that have not yet been routed to a particular agent Ring Member Enter the duration in seconds (up to 99999) that a call to a specific agent associated with this skill rings before timing out Once a call times out, it is routed to a different agent Position Report Enter the duration in seconds (up to 99999) that the ISG50 waits before Frequency informing the caller on hold what their current position in the queue is. This agent answers currently call number 2” every 60 seconds If you enter a “0” for this field, the option is disabled Periodic Announce a previously uploaded audio file. This announcement occurs periodically and continues until either the caller hangs up or the agent answers calling us. A service representative will be with you momentarily” every Agent Logon the incoming caller requires, which is especially useful when one agent is Upload Periodic skills “English” and “Spanish”, then the announce audio file played before speaks English.” • Periodic Announce - The ISG50 plays this file to a caller on hold every number of seconds and can be used to keep the caller apprised of their status. For example, a caller may hear the following every 30 seconds: “Thank you for your patience. Please continue holding.” to upload • Click the Upload button to upload the selected file to the ISG50 • Click the Playback button to listen to the audio file once it has been uploaded • Click the Remove button to delete an uploaded audio file • The play time of each audio file must be less than 30 seconds Skill Member 562 38.5 The Hunt Group Screen564 38.6 The Skill Menu Screen565 Periodic AnnounceSkill Settings Click Configuration > PBX > ACD > Skill Menu to open this screen Figure 378 ACD > Skill Menu Table 211 ACD > Skill Menu Use this screen to create or edit a skill menu 566 Table 212 Add Skill MenuConfiguration > PBX > ACD > Skill screen Use this screen to create or edit a skill menu action 567 Skill Menu Add568 Sound Files39.1 Overview 39.2The System Sound Screen569 Chapter 39 Sound FilesClick Configuration > PBX > Sound File to open this screen Figure 381 Configuration > PBX > Sound File > System Sound Table 214 Configuration > PBX > Sound File > System Sound Default Language Select the default language you want to use for the PBX functions This indicates the name for this set of language sound files or All to delete all of the language sound files Use this screen to upload a language sound file 570 39.3 The Specific Sound File Screen571 39.4 The Record Peer Screen573 Auto Provision40.1 Overview 575 40.2 Auto Provision Setup576 Table 219 Configuration > PBX > Auto Provision (continued)remove any custom configuration for it Config View Config File the configuration file for it or save a copy of the configuration file This field displays the extension number configured on the ISG50 This field displays the MAC address of the snom device specified to receive to non-snomVoIP SIP extensions Phone Type blank for extensions assigned to non-snomVoIP SIP extensions Config Exist No if there is not Here is an example of the snom batch configuration XML file <?xml version="1.0" encoding="utf-8"?><settings <phone-settingse="2 </phone-settings></settings 577 Figure 387 Configuration > PBX > Auto Provision > EditTable 220 Configuration > PBX > Auto Provision > Edit from the ISG50 for this extension Select how to apply auto provisioning to this extension • Update automatically - Automatically update this extension’s firmware and/or configuration whenever an update of is available • Ask for update - Update this extension’s firmware and/or configuration whenever it checks for an update • Never update, load settings only - Do not update this extension’s firmware, only update its configuration • Never update, do not load settings - Do not update this extension’s - Do not update this extension’s firmware, and do not update its configuration Product ensures greater compatibility between it and the ISG50 578 40.3 Auto Provision Advanced Screen581 Voice Mail41.1 Overview 582 41.2 The Voice Mail Screen583 41.3 Accessing Voice Mail585 Voice Message MenuVoice Mail Main Voice Message Menu Play Previous Message 5 Repeat Current Message 6 Play Next Message 7 Delete Current Message 9 Save Current Message * Assistance # Exit Change Folder Menu Change Folder Menu To New Message Folder To Old Message Folder 586 Mail Box Options MenuVoice Mail Main Figure 393 Personal Voice Mail: Mail Box Options Menu Mail Box Options Menu Record Your Unavailable Message Record Your Busy Message Record Your Temporary Greeting Message Record Erase Return to Main Menu •1 - accept what you recorded and save •2 - play what you recorded •3 - re-recordthe message 587 Phonebook42.1 Overview 588 42.2The Phonebook General Screen589 42.3 The LDAP Phonebook Summary Screen42.4 The LDAP Phonebook Settings Screen590 >LDAP Phonebook > SettingsFigure 396 Configuration > PBX > Phonebook > LDAP Phonebook > Settings Table 225 Configuration > PBX > Phonebook > LDAP Phonebook > Settings Enable LDAP Check this box to enable LDAP based phonebook on the ISG50 Regular update update the LDAP phonebook with the LDAP database Specify the address of the server containing the LDAP database Specify the port the LDAP server uses for sending the phonebook to the ISG50 Base DN need for your phonebook is stored Search time limit day’s update time Bind DN Specify the login name of the LDAP server 591 42.5 The Local Phonebook Screen595 Office Hours43.1 Overview 43.2 Office Hour Screen596 Chapter 43 Office HoursFigure 399 Configuration > PBX > Office Hour Table 228 Configuration > PBX > Office Hour end time “13:00” for 1 PM) Holiday Settings then treat as “after office hours” 597 Chapter 43 Office HoursTable 228 Configuration > PBX > Office Hour (continued) 9th.) Enter a description of the holiday Select an auto-attendantpolicy to be used for office hours: to the auto-attendantand all authority groups office hours to the auto-attendant,all authority groups, and all extensions Click this to set every field in this screen to its default value 599 User/Group44.1 Overview 601 44.2User Summary Screen602 User Add/Edit603 Table 231 Configuration > User/Group > User > AddType the user name for this user account. You may use 1-31alphanumeric User Type Select what type of user this is. Choices are: • admin - this user can look at and change the configuration of the ISG50 • limited-admin - this user can look at the configuration of the ISG50 but not to change it configuration • ext-user - this user account is maintained in a remote server, such as about this type information about this type characters Retype Group Identifier This field is available for a ext-group-user type user account that identifies the group to which this user belongs Associated AAA Server Object server to use to authenticate this account’s users characters. Default descriptions are provided This field is not available if you select the ext-group-user type Timeout Settings If you want to set authentication timeout to a value other than the default fields that follow time the main screen refreshes in the Web Configurator. Access users can is automatically renewed before the lease time expires Reauthentication Type the number of minutes this user can be logged into the ISG50 in one the user has no opportunity to renew the session without logging out Validation 604 44.3 User Group Summary Screen605 44.4 Setting Screen610 44.5 User /Group Technical Reference613 Addresses45.1 Overview 45.2Address Summary Screen614 Chapter 45 AddressesConfiguration > Object Address > Address Figure 409 Configuration > Object > Address > Address Section 45.2.1 on page Table 238 Configuration > Object > Address > Address This field displays the configured name of each address object This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the ISG50’s interfaces object’s settings are based on one of the ISG50’s interfaces, the name of the interface displays first followed by the object’s current address settings Configuration > Address Add/Edit Section 45.2 on page Figure 410 Configuration > Object > Address > Address > Edit 615 45.3 Address Group Summary Screen619 Services46.1 Overview 620 46.2The Service Summary Screen622 46.3 The Service Group Summary Screen623 >Service GroupFigure 415 Configuration > Object > Service > Service Group Section 46.3.1 on page Table 244 Configuration > Object > Service > Service Group This field displays the name of each service group rules to allow certain services to connect to the ISG50 This field displays the description of each service group, if any 624 Service Group Add/EditSection 46.3 on page Figure 416 Configuration > Object > Service > Service Group > Add Table 245 Configuration > Object > Service > Service Group > Add 625 Schedules631 AAA Server48.1 Overview632 Chapter 48 AAA ServerFigure 421 RADIUS Server Network Example See the documentation included on the ASAS’ CD for details 1Install the ASAS server software on a computer 2Create user accounts on the ISG50 and in the ASAS server Import each token’s database file (located on the included CD) into the server 4Assign users to OTP tokens (on the ASAS server) Configure the ASAS as a RADIUS server in the ISG50’s Configuration > Object > AAA Server 6Give the OTP tokens to (local or remote) users ) screens Section 48.2 on page ) to configure Active Directory or LDAP server objects Section 48.3 on page The following lists the types of authentication server the ISG50 supports •Local user database 634 48.2Active Directory or LDAP Server Summary635 ) screen. Click theicon or an purposes Enter the address of the AD or LDAP server Backup Server If the AD or LDAP server has a backup server, enter its address here authentication requests. Enter a number between 1 and Specify the directory (up to 127 alphanumerical characters). For example o=ZyXEL, c=US 636 48.3 RADIUS Server Summary638 Table 252 Configuration > Object > AAA Server > RADIUS > AddEnter the address of the RADIUS server Specify the port number on the RADIUS server to which the ISG50 sends If the RADIUS server has a backup server, enter its address here disconnects from the RADIUS server. In this case, user authentication fails Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the ISG50 authentication server and the ISG50 of the attribute that the ISG50 is to check to determine to which group a user belongs. If it does not display, select user-definedand specify the attribute’s on these group identifier values For example you could have an attribute named “memberOf” with values like 639 Authentication Method49.1 Overview 640 49.2Authentication Method Objects641 Follow the steps below to create an authentication method object1Click Configuration > Object > Auth. Method 2Click Add Specify a descriptive name for identification purposes in the 4Click Add to insert an authentication method in the table 5Select a server object from the Method List drop-downlist box You can add up to four server objects to the table. The ordering of the Note: You can NOT select two server objects of the same type Cancel Figure 429 Configuration > Object > Auth. Method > Add Table 254 Configuration > Object > Auth. Method > Add Specify a descriptive name for identification purposes “My_Device” 642 Table 254 Configuration > Object > Auth. Method > Add (continued)the authentication methods in the order they appear in this screen The ISG50 authenticates the users using the databases (in the local user specify, the ISG50 does not continue the search on the second authentication the first authentication server Click Delete to delete an entry 643 Certificates50.1 Overview 646 50.2The My Certificates Screen647 Table 255 Configuration > Object > Certificate > My CertificatesPKI Storage This bar displays the percentage of the ISG50’s PKI storage space that is Space in Use currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates Click this to go to the screen where you can have the ISG50 generate a certificate or a certification request list of information about the certificate The ISG50 keeps all of your certificates unless you specifically delete them Uploading a new firmware or default configuration file does not delete your when you take this action alphabetical order that you give each certificate a unique name This field displays what kind of certificate this is request SELF represents a self-signedcertificate CERT represents a certificate issued by a certification authority Subject or company) and C (Country). It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable Valid To and includes an Expired! message if the certificate has expired Import Click Refresh to display the current validity status of the certificates 649 Table 256 Configuration > Object > Certificate > My Certificates > Addand ;‘~!@#$%^&()_+[]{}’,.=- characters Subject Information Use these fields to record information that identifies the owner of the Host IP Address, Host Domain Name, or E-Mail.The certification The certification when it issues a certificate. It is recommended that each certificate have mail address is for identification purposes only and can be any string A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods characters, the hyphen, the @ symbol, periods and the underscore Organizational Unit belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore Organization can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore Town (City) the underscore State, (Province) and the underscore underscore Key Type Select RSA to use the Rivest, Shamir and Adleman public-keyalgorithm Select DSA to use the Digital Signature Algorithm public-keyalgorithm Key Length A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self-signed Select this to have the ISG50 generate the certificate and act as the certificate Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates Create a certification request and save it locally for later copy it to send to the certification authority manual enrollment 650 to a certification authority for a certificatea certificate immediately online Trusted Certificates screen When you select this option, you must select the certification authority’s also need to fill in the Reference Number and Key if the certification authority requires them Enrollment Protocol This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification . Select the certification authority’s enrollment protocol from the drop-downlist box Simple Certificate Enrollment Protocol (SCEP) is a TCP-based is a TCP-based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol (CMP) is a TCP-basedenrollment enrollment CA Server Address of the certification authority server :.=?;!*#@$_% CA Certificate authority’s certificate from the CA Certificate drop-downlist box Trusted Certificates screen. Click Trusted CAs to go to the Trusted screen. Click to go to the certificates of trusted certification authorities Request When you select Create a certification request and enroll for a When you select to include a reference number and key to identify you when you send a certification request authority uses the CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol For the reference number, use 0 to For the key, use up to 31 of the following characters. a-zA-Z0 9;|`~!@#$%^&*()_+\{}': Click OK to begin certificate or certification request generation Click Cancel to quit and return to the My Certificates screen My Certificate Create Return 652 Table 257 Configuration > Object > Certificate > My Certificates > Editalphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters Certification Path This field displays for a certificate, not a certification request of certification authorities that validate the certificate (and the certificate itself) certification authority, it may be the only certification authority in the list has expired or been revoked Click Refresh to display the certification path These read-onlyfields display detailed information about the certificate certificate’s owner signed the certificate (not a certification authority) ITU-TX.509 recommendation that defines the formats for public-key certificates This field displays the X.509 version number. “ This field displays the certificate’s identification number given by the certification authority or generated by the ISG50 as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C) certification authority, such as Common Name, Organizational Unit Organization and Country With self-signedcertificates, this is the same as the Subject Name field “none” displays for a certification request and the SHA1 hash algorithm). Some certification authorities may use rsa algorithm) This field displays the date that the certificate becomes applicable. “none” displays for a certification request and includes an Expired! message if the certificate has expired. “none” Key Algorithm This field displays the type of algorithm that was used to generate the key set in bits (1024 bits for example) Subject Alternative or e-mailaddress (EMAIL) 653 Chapter 50 CertificatesKey Usage This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign text Basic Constraint This field displays general information about the certificate. For example “Path Length Constraint=1” means that there can only be one certification MD5 Fingerprint This is the certificate’s message digest that the ISG50 calculated using the MD5 algorithm SHA1 Fingerprint SHA1 algorithm Certificate in PEM This read-onlytext box displays the certificate or certification request in (Base-64)Encoded Format letters and numerals to convert a binary certificate into a printable form and save the file on a management computer for later manual enrollment You can copy and paste a certificate into an e-mailto send to friends or example) Export that you want to use and click Save Export Certificate Only opens, browse to the location that you want to use and click Save use it if you import the certificate to another device with Private Key use and click Save 654 50.3 The Trusted Certificates Screen655 Figure 436 Configuration > Object > Certificate > Trusted CertificatesTable 259 Configuration > Object > Certificate > Trusted Certificates This field displays the name used to identify this certificate Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ISG50 Click this button to display the current validity status of the certificates 657 Table 260 Configuration > Object > Certificate > Trusted Certificates > Editname. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’ Click the Refresh button to have this read-onlytext box display the end the hierarchy of certification authorities that validate the end entity’s the path has expired or been revoked Distribution Points and OCSP checking server. You also need to configure the OSCP or LDAP server details OCSP Server Select this check box if the directory server uses OCSP (Online Certificate Status Protocol) URL Type the protocol, IP address and pathname of the OCSP server the server (usually a certification authority) OCSP server (usually a certification authority) LDAP Server directories of certificates and lists of revoked certificates Type the IP address (in dotted decimal notation) of the directory server port number for LDAP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority) CRL directory server (usually a certification authority) means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-keycertificates This field displays the X.509 version number certification authority as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C) 658 Name fieldSome certification authorities use rsa-pkcs1-sha1(RSA public-privatekey encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5(RSA public-privatekey encryption algorithm and the MD5 hash algorithm) yet become applicable and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired This field displays the certificate’s owner‘s IP address (IP), domain name (DNS) or e-mailaddress (EMAIL) authority in the certificate’s path (over the phone for example) that this is actually their certificate You can copy and paste the certificate into an e-mailto send to friends or screen opens, browse to the location that you want to use and click Save Click Cancel to quit and return to the Trusted Certificates screen 659 50.4 Certificates Technical Reference661 ISP Accounts51.1 Overview 51.2 ISP Account Summary662 Chapter 51 ISP Accountsthe ISP Account Add/Edit section Table 262 Configuration > Object > ISP Account This field displays the profile name of the ISP account. This name is used to identify the ISP account This field displays the protocol used by the ISP account This field displays the authentication type used by the ISP account This field displays the user name of the ISP account ISP Account Add ISP Account Edit Figure 440 Configuration > Object > ISP Account > Add 663 Table 263 Configuration > Object > ISP Account > Editthe first character cannot be a number. This value is case-sensitive used by the ISP account. Options are: pppoe - This ISP account uses the PPPoE protocol pptp - This ISP account uses the PPTP protocol remote node Method down list box to select the type of Microsoft Point-to-PointEncryption (MPPE) nomppe - This ISP account does not use MPPE mppe-40 - This ISP account uses 40-bitMPPE mppe-128 - This ISP account uses 128-bitMMPE Type the user name given to you by your ISP consist of alphanumeric characters (A-Z, a-z, 0-9).This field can be blank Type your password again to make sure that you have entered is correctly If this ISP account uses the PPPoE protocol, this field is not displayed This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank If this ISP account uses the PPPoE protocol, type the PPPoE service name to server. This field can be blank If this ISP account uses the PPTP protocol, this field is not displayed Compression Select On button to turn on stac compression, and select Off to turn off stac compression. Stac compression is a data compression technique capable of compressing data by a factor of about four This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled 664 Table 263 Configuration > Object > ISP Account > Edit (continued)Click OK to save your changes back to the ISG50. If there are no errors, the explains the error, and the program stays in the ISP Account Edit screen it is new) or saving any changes to the profile (if it already exists) 665 System52.1 Overview 666 52.2 Host Name52.3 USB Storage 667 52.4 Date and Time668 Configuration > System > Date/TimeFigure 443 Configuration > System > Date and Time Table 266 Configuration > System > Date and Time Current Time and Current Time This field displays the present time of your ISG50 Current Date This field displays the present date of your ISG50 Time and Date Manual click Apply ss) configured manually field and then click Apply New Date (yyyy-mm-dd) 669 Chapter 52 SystemTable 266 Configuration > System > Date and Time (continued) Get from Time time server under the following circumstances • When the ISG50 starts up • When you click Apply or Synchronize Now in this screen • 24-hourintervals after starting up Time Server administrator if you are unsure of this information Sync. Now the daylight saving settings) Time Zone Setup Time Zone your time zone and Greenwich Mean Time (GMT) Enable Daylight Saving light in the evening Select this option if you use Daylight Saving Time Start Date couple of examples: Sunday of March. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Second, Sunday, March and type 2 in the at field zone is one hour ahead of GMT or UTC (GMT+1) End Date Daylight Saving Time ends in the United States on the first Sunday of Time at 2 A.M. local time. So in the United States you would select First Sunday, November and type 2 in the at field Daylight Saving Time ends in the European Union on the last Sunday of on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1) Enter a number from 1 to 5.5 (by 0.5 increments) time will appear as if it had occurred at 10:30 P.M 670 Synchronize NowTime Server Address Please Wait Current Time Current Date 1Click System > Date/Time 2Select Manual under Time and Date Setup New Time New Date Time Zone Setup Time Zone 671 52.5Console Port Speed672 52.6 DNS Overview673 Table 269 Configuration > System > DNSAddress/PTR an IP address. An FQDN consists of a host and domain name. For example the top level domain to remove it before doing so. Note that subsequent entries move up by one This is the index number of the address/PTR record FQDN This is a host’s fully qualified domain name This is the IP address of a host Domain Zone Forwarder resolve domain zones for features like VPN, DDNS and the time server zone forwarder entries in the order that they appear in this list your rules is important as rules are applied in sequence that needs to be resolved does not match any of the other domain zone forwarder records zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified A “*” means all domain zones This displays whether the DNS server IP address is assigned by the ISP dynamically through a specified interface or configured manually (User Defined) DNS Server interface is not active Query Via DNS server. If the ISG50 connects through a VPN tunnel, tunnel displays FQDN) particular domain 674 Table 269 Configuration > System > DNS (continued)This is the index number of the MX record This is the domain name where the mail is destined for IP/FQDN that handles the mail for the domain specified in the field above The entry with a hyphen (-)instead of a number is the ISG50’s (non configure a rule that traffic will match so the ISG50 will not have to use the This is the zone on the ISG50 the user is allowed or denied to access or denied to send DNS queries them (Deny) 675 Address/PTR RecordFigure 447 Configuration > System > DNS > Address/PTR Record Add Table 270 Configuration > System > DNS > Address/PTR Record Add host name and continues all the way up to the top-leveldomain name. For “tw” is the top level domain. Underscores are not allowed Use "*." as a prefix in the FQDN for a wildcard domain name (for example *.example.com) Enter the IP address of the host in dotted decimal notation Click Cancel to exit this screen without saving 676 Table 271 Configuration > System > DNS > Domain Zone Forwarder AddEnter * if all domain zones are served by the specified DNS server(s) the ISP does not assign an IP address DNS server's IP address in the field to the right. The ISG50 must be able to DNS queries to a DNS server the field to the right. You cannot use 677 Click the Add icon in the MX Record table to add a MX recordFigure 449 Configuration > System > DNS > MX Record Add Table 272 Configuration > System > DNS > MX Record Add Enter the domain name where the mail is destined for IP Address/FQDN Click the Add icon in the Service Control table to add a service control rule Figure 450 Configuration > System > DNS > Service Control Rule Add Table 273 Configuration > System > DNS > Service Control Rule Add Address Object Select ALL to allow or deny any computer to send DNS queries to the ISG50 address that you specified to send DNS queries to the ISG50 678 52.7 WWW Overview679 HTTPWWW 680 Admin Service ControlUser Service Control 681 Table 274 Configuration > System > WWW > Service ControlHTTPS ISG50 Web Configurator using secure HTTPs connections “https://ISG50 IP Address:8443” as the URL Authenticate Client Certificates importing certificates for details) Server Certificate Certificates screen Redirect HTTP to connection requests to the HTTPS server Admin/User Service HTTPS to manage the ISG50 (using the Web Configurator). You can also specify the IP addresses from which the administrators can manage the log into the ISG50. You can also specify the IP addresses from which the users can access the ISG50 Double-clickan entry or select it and click Edit to be able to modify the one when you take this action To change an entry’s position in the numbered list, select the method and and press [ENTER] to move the rule to the number that you typed This is the index number of the service control rule match any other configured rule. It is not an editable rule. To apply other use the default policy This is the object name of the IP address(es) with which the computer is allowed or denied to access access the ISG50 zone(s) configured in the Zone field (Accept) or not (Deny) HTTP 682 Table 274 Configuration > System > WWW > Service Control (continued)ISG50 Web Configurator using HTTP connections HTTP to manage the ISG50 (using the Web Configurator). You can also can access the ISG50 Client Authentication Select a method the HTTPS or HTTP server uses to authenticate a client 683 in thetable in a screen to add a service control rule Figure 453 Configuration > System > Service Control Rule > Edit Table 275 Configuration > System > Service Control Rule > Edit this service address that you specified to access the ISG50 using this service 685 Logo Title(color of all text) Logo Title Color 686 Enter a pound sign (#) followed by theThe following table describes the labels in the screen Table 276 Configuration > System > WWW > Login Page Select Type customize in the rest of this screen Logo File Configurator login screen and access page Note: Use a GIF, JPG, or PNG of 100 kilobytes or less Click Upload to transfer the specified graphic file from your computer to the Use this section to set how the Web Configurator login screen looks Title Spaces are allowed Title Color Specify the color of the screen’s title text Message Color Specify the color of the screen’s text Note Message Background Set how the screen background looks name of the logo graphic or click Browse to locate it To use a color, select Color and specify the color Access Page the Web Configurator to access network services like the Internet 687 View CertificateSecurity Alert 688 Trusted CA689 Install Certificate690 File nameBrowse 691 Place all certificates in the following store692 Finish693 52.8 SSH695 Configuration > System > SSH696 Table 277 Configuration > System > SSHusing this service must use the same port number in order to use that service for remote management This specifies from which computers you can access which ISG50 zones screen that opens you take this action This the index number of the service control rule or denied to access 2Configure the SSH client to accept connection using SSH version 697 A window displays prompting you to store the host key in you computer. ClickEnter the password to log in to the ISG50. The CLI screen displays next 1Test whether the SSH service is available on the ISG50 $ telnet 192.168.1.1 22 Trying Connected to 192.168.1.1. Escape character is '^]'. SSH-1.5-1.0.0 Then enter the password to log in to the ISG50 Figure 475 SSH Example 2: Log in $ ssh –1192.168.1.1 3The CLI screen displays next 698 52.9 Telnet699 52.10 FTP700 52.11 SNMP701 Figure 478 SNMP Management Model•Get - Allows the manager to retrieve an object variable from the agent •Set - Allows the manager to set values for object variables within an agent •Trap - Used by the agent to inform the manager of some events 702 Table 280 SNMP TrapsOBJECT LABEL OBJECT ID Configuration > System > SNMP 703 Table 281 Configuration > System > SNMPGet Community Enter the Get Community, which is the password for the incoming Get and all requests Set Community the management station. The default is private and allows all requests Trap Community manager. The default is public and allows all requests Type the IP address of the station to send your SNMP traps to 704 52.12 Language Screen705 Log and Report53.1 Overview 53.2 Email Daily Report 707 53.3 Log Setting Screens708 Active Log SummaryTo access this screen, click Configuration > Log & Report > Log Setting Figure 482 Configuration > Log & Report > Log Setting Table 284 Configuration > Log & Report > Log Setting This field is a sequential value, and it is not associated with a specific log USB storage device, or one of the remote servers) 709 Table 284 Configuration > Log & Report > Log Setting (continued)Log Format This field displays the format of the log Internal - system log; you can view the log on the View Log tab VRPT/Syslog - ZyXEL’s Vantage Report, syslog-compatibleformat CEF/Syslog - Common Event Format, syslog-compatibleformat Active Log Click this button to open the Active Log Summary Edit screen effect 710 Log Settings EditLog Settings Summary 711 Table 285 Configuration > Log & Report > Log Setting > Edit (System Log)E-MailServer 1/2 what kinds of log messages are included in alerts in the Active Log and Alert section Type the subject line for the outgoing e-mail Send From used in replies Send Log To Type the e-mailaddress to which the outgoing e-mailis delivered Send Alerts To Type the e-mailaddress to which alerts are delivered Sending Log When Full, Daily and When Full, and Weekly and When Full , and Day for Sending is e-mailed Time for Sending (hours and minutes) when the log is e-mailed.Use 24-hournotation SMTP server user name to provide to the SMTP server when the log is e-mailed Active Log and Alert System log Use the System Log drop-downlist to change the log settings for all of the log categories log or e-mailany logs to e-mailserver 1 or the ISG50 will e-maillogs to them alerts, and debugging information for all categories. The ISG50 does not e-mail debugging information, even if this setting is selected E-mailServer e-mailserver 1 for all log categories 1 settings e-mailserver server 712 e-mailserver 2 for all log categories2 settings This field displays each category of messages. It is the same value used in the debugging messages generated by open source software disable all logs (red X) - do not log any information from this category category debugging information, however, even if this setting is selected information, even if it is recorded in the System log Log Consolidation appended at the end of the Message field, when multiple log messages were aggregated Interval appears multiple times, it is aggregated into one log message with the text the Message field Click this to save your changes and return to the previous screen Click this to return to the previous screen without saving your changes 713 Edit Log on USB Storage SettingLog Setting Summary USB storage Edit Figure 484 Configuration > Log & Report > Log Setting > Edit (USB Storage) Table 286 Configuration > Log & Report > Log Setting > Edit (USB Storage) Duplicate logs to USB storage (if ready) alerts for all log categories messages, alerts, and debugging information for all log categories messages generated by open source software 714 below). Choices are:alerts, and debugging information from this category 716 Table 287 Configuration > Log & Report > Log Setting > Edit (Remote Server)Log Settings for Remote Server This field displays the format of the log information. It is read-only information Log Facility Active Log Summary 717 Figure 486 Active Log SummarySection 53.3.2 on page Table 288 Configuration > Log & Report > Log Setting > Active Log Summary or e-mailany logs to e-mailserver 1 or enable normal logs (green check mark) - create log messages and alerts for all ISG50 will e-maillogs to them information, even if this setting is selected USB Storage connected USB storage device storage device categories and save them to a connected USB storage device 718 server 1 for all log categoriesserver 2 for all log categories of the log categories Select which events you want to log by Log Category. There are three choices: information, however, even if this setting is selected even if it is recorded in the System log is recorded in the System log 719 (except All Logs; see below). Choices are:720 Call Detail Record (CDR)54.1 Overview 721 54.2 The CDR Configuration Screen722 Table 289 CDR > ConfigurationCDR Setting Database Usage field to specify how to deal with the compressed file containing the CDRs Generate CDR internal calls Enable Alert mail Address field when the CDR database is half full Aged File delete it or drop to delete the file from the system Backup File Type Select whether you want the ISG50 to send a SQL database file or a CSV file E-mailAddress are full (reach approximately 10000 records) Database Location collects the CDR information from the ISG50 Use Built-in Select this to have the ISG50 uses the built-inPostgreSQL server to collect CDR Use remote you specify in the Server field telephone calls from the ISG50 your CDR files Schema database server to establish a database to work with your ISG50 Click the Apply button to save your changes The procedure to configure your remote server is as follows: screen select 2Save the cdr.sql file to your computer 4Restart the PostgreSQL database server 725 File Manager55.1 Overview726 Chapter 55 File ManagerFigure 488 Configuration File / Shell Script: Example #enter configuration mode configure terminal #change administrator password username admin password 4321 user-typeadmin #configure lan1 interface lan1 ip address 172.23.37.240 255.255.255.0 ip gateway 172.23.37.254 metric 1 exit #create address objects for remote management / to-Devicefirewall rules #enable Telnet access (not enabled by default, unlike other services) ip telnet server write Table 290 Configuration Files and Shell Scripts in the ISG50 Privilege 727 55.2 The Configuration File Screen728 If there is not asystem-default.conf If there is a lastgood.conf startup-config-bad.conf Figure 489 Maintenance > File Manager > Configuration File 729 Table 291 Maintenance > File Manager > Configuration Fileonly rename manually saved configuration files. You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files files File screen Figure 490 Maintenance > File Manager > Configuration File > Rename Specify the new name for the configuration file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-) a duplicate of the configuration file the system-default.conf, startup-config.conf and lastgood.conf files without deleting the configuration file Click a configuration file’s row to select it and click Download to save the configuration to your computer Use this button to save a duplicate of a configuration file on the ISG50 Figure 491 Maintenance > File Manager > Configuration File > Copy Specify a name for the duplicate configuration file. Use up to 25 characters 730 Table 291 Maintenance > File Manager > Configuration File (continued)Use this button to have the ISG50 use a specific configuration file that configuration file. The ISG50 does not have to restart in order to use a the system reconfigures an error in the configuration file Figure 492 Maintenance > File Manager > Configuration File > Apply 731 55.3 The Firmware Package Screen732 Figure 493 Maintenance > File Manager > Firmware PackageTable 292 Maintenance > File Manager > Firmware Package Boot This is the version of the boot module that is currently on the ISG50 Module Current This is the firmware version and the date created Released This is the date that the version of the firmware was created decompress compressed (.zip) files before you can upload them Firmware Upload in Process Figure 494 Firmware Upload In Process Note: The ISG50 automatically reboots after a successful upload Figure 495 Network Temporarily Disconnected 733 55.4 The Shell Script Screen734 Table 293 Maintenance > File Manager > Shell ScriptUse this button to change the label of a shell script file on the ISG50 Rename Rename File Figure 498 Maintenance > File Manager > Shell Script > Rename Z0-9;‘~!@#$%^&()_+[]{}’,.=-) duplicate of the configuration file from the ISG50 shell script file Use this button to save a duplicate of a shell script file on the ISG50 Figure 499 Maintenance > File Manager > Shell Script > Copy 9;‘~!@#$%^&()_+[]{}’,.=-) Use this button to have the ISG50 use a specific shell script file This column displays the number for each shell script file entry This column displays the label that identifies a shell script file This column displays the size (in KB) of a shell script file Last Modified changed or saved 735 Chapter 55 File ManagerTable 293 Maintenance > File Manager > Shell Script (continued) script file from your computer to your ISG50 Click Browse... to find the .zysh file you want to upload 737 Diagnostics56.1 Overview 56.2 The Diagnostic Screen738 Chapter 56 DiagnosticsTable 294 Maintenance > Diagnostics This is the name of the most recently created diagnostic file Last modified This is the date and time that the last diagnostic file was created. The format is yyyy-mm-ddhh:mm:ss This is the size of the most recently created diagnostic file to USB storage (if a connected USB storage device Collect Now Click this to have the ISG50 create a new diagnostic file Click this to save the most recent diagnostic file to a computer Maintenance > Diagnostics > Files Figure 501 Maintenance > Diagnostics > Files Table 295 Maintenance > Diagnostics > Files to delete Click a file to select it and click Download to save it to your computer can save depends on the file sizes and the available storage space This column displays the label that identifies the file This column displays the size (in bytes) of a file This column displays the date and time that the individual files were saved 739 56.3 The Packet Capture ScreenFile Suffix 740 Table 296 Maintenance > Diagnostics > Packet Capture (continued)available Note: The ISG50 reserves some USB storage space as a buffer Note: If you have existing capture files and have not selected the Continuously capture and overwrite old ones option, you may option, you may need to set this size larger or delete existing capture files Duration 741 Chapter 56 DiagnosticsCapture Click this button to have the ISG50 capture packets according to the settings configured in this screen you cannot modify the packet capture settings capture is in progress After the ISG50 finishes the capture it saves a separate capture file for separate capture file for each selected interface Figure 503 Maintenance > Diagnostics > Packet Capture > Files Table 297 Maintenance > Diagnostics > Packet Capture > Files window asks you to confirm that you want to delete 742 56.4 Core Dump Screen744 56.5 The System Log Screen745 Packet Flow Explore57.1 Overview 57.2 The Routing Status Screen748 Figure 515 Maintenance > Packet Flow Explore > Routing Status (Main Route)Table 301 Maintenance > Packet Flow Explore > Routing Status Routing Flow function box to display the related settings in the Routing Table section Routing Table Routing Flow section Direct Route Static-Dynamic Route Main Route Routing Flow #This field is a sequential value, and it is not associated with any entry This is the destination IP address of a route routed This is the name of an interface associated with the route 749 Table 301 Maintenance > Packet Flow Explore > Routing Status (continued)This is the route’s priority among the displayed routes Flags This indicates additional information for the route. The possible flags are: • A - this route is currently activated • S - this is a static route • C - this is a direct connected route • O - this is a dynamic route learned through OSPF • R - this is a dynamic route learned through RIP • G - the route is to a gateway (router) in the same network • ! - this is a route which forces a route lookup to fail • B - this is a route which discards packets • L - this is a recursive route Persist this time period is counted down to zero PR # route, this screen only displays the route at the scheduled time This is the source IP address(es) from which the packets are sent This is the destination IP address(es) to which the packets are transmitted on page 291 for more information Next Hop This is the type of the next hop to which packets are directed • This is the main route if the next hop type is Auto Info • This is the tunnel name if the next hop type is VPN Tunnel • This is the trunk name if the next hop type is Trunk NAT Rule This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table This is the original source IP address(es). any means any IP address This is the original destination IP address(es). any means any IP address This is the name of an interface which transmits packets out of the ISG50 SiteToSite VPN Dynamic VPN This is the IP address(es) of the local VPN network This is the IP address(es) for the remote VPN network This is the name of the VPN tunnel Default WAN Trunk Forwarding This section displays information about traffic going through the ISG50 750 57.3 The SNAT Status Screen752 Table 302 Maintenance > Packet Flow Explore > SNAT StatusSNAT Flow related settings in the SNAT Table section SNAT Table Flow section Policy Route SNAT SNAT Flow This is the number of an activated policy route which uses SNAT This is the outgoing interface that the route uses to transmit packets This is the source IP address(es) that the SNAT rule uses finally This is the name of an activated NAT rule which uses SNAT This is the original source IP address(es) This is the original destination IP address(es) This is the outgoing interface that the SNAT rule uses to transmit packets Loopback SNAT Interface IP source IP address for the matched packets it sends out through this rule Default SNAT This indicates internal interface(s) on which the packets are received This indicates external interface(s) from which the packets are transmitted 753 Reboot58.1 Overview 58.2 The Reboot Screen 755 Shutdown59.1 Overview 59.2 The Shutdown Screen 757 Extension Portal765 Troubleshooting766 Chapter 61 TroubleshootingCONSOLE I cannot access the Internet I cannot use the web phone •You must use Internet Explorer to use the extension portal and web phone •Your computer must also have a microphone and speakers connected and enabled The ISG50 is not applying the custom policy route I configured The ISG50 is not applying the custom firewall rule I configured I cannot enter the interface name I want 767 My rules and settings that apply to a particular interface no longer workI cannot set up a PPP interface You have to set up an ISP account before you create a PPPoE or PPTP interface I created a cellular interface but cannot connect through it •Make sure you have the cellular interface enabled 768 The ISG50 is not applying an interface’s configured ingress bandwidth limitThe ISG50’s performance seems slower after configuring ADP Interface Type Internal External The ISG50 is not applying a policy route’s port triggering settings I cannot get Dynamic DNS to work 769 You may need to configure the DDNS entry’s IP Address setting toI cannot create a second HTTP redirect rule for an incoming interface You can configure up to one HTTP redirect rule for each (incoming) interface The ISG50 keeps resetting the connection Asymmetrical Routes on page I cannot set up an IPSec VPN tunnel to another device Here are some general suggestions. See also Chapter 24 on page •The system log can often help to identify a configuration problem IKE SA •Both routers must use the same negotiation mode When using 770 •The ISG50 and remote IPSec router must use the same active protocol•The ISG50 and remote IPSec router must use the same encapsulation •The ISG50 and remote IPSec router must use the same SPI Check the configuration for the following ISG50 features Make sure the Trusted Certificates If you have the screen’s I changed the LAN IP address and can no longer access the Internet 771 The ISG50 fails to authentication the ext-useruser accounts I configuredI cannot add the admin users to a user group with access users You cannot put access users and admin users in the same user group I cannot add the default admin account to a user group You cannot put the default admin account into any user group The schedule I configured is not being applied at the configured times Make sure the ISG50’s current date and time are correct I cannot get a certificate to import into the ISG50 For My Certificates 772 I cannot access the ISG50 from a computer connected to the InternetCheck the service control rules and to-ISG50firewall rules Make sure the logo file is a GIF, JPG, or PNG of 100 kilobytes or less Data collection may decrease the ISG50’s traffic throughput rate I can only see newer logs. Older logs are missing 773 The commands in my configuration file or shell script are not working properlyI cannot get the firmware uploaded using the commands My packet capture captured less than I wanted or failed File Size Duration My earlier packet capture files are missing File Suffix 774 61.1 Resetting the ISG5061.2Getting More Troubleshooting Help775 The PBX call service logs deal with call service errorsTable 308 PBX Call Service Logs LOG MESSAGE The call from extension emergency call is coming Direct pickup was was found for extension '%s The call in hunt group or ACD skill was hung up due to timeout Set %s to system default MOH failed due missing Loading Customized Auto Attendant sound file package was failed due upload correct sound file package Sound file named '%s was uploaded Delete all sound files for Auto Attendant Delete unused sound Attendant The call was rejected doesn't support in conference function 776 Table 308 PBX Call Service Logs (continued)The call was reject due to there are % memebrs in conference in conference room %s The PBX supplemental service logs deal with supplemental service errors Table 309 PBX Supplemental Service Logs The call can't be recorded due to usb storage is not ready recording time has reached the Call Recording Quota the maximum call recording license: %d codec doesn't support in recording function The call can not be parking space The call was dropped due to codec is not compatible There is no any DTMF can be detected while call transfer The call that parked by extension %s was timeout Group pickup was failed was found Call transfer timeout digit: '%s 777 The PBX dialplan logs deal with dialplan information and errorsTable 310 PBX Dialplan Logs ACD agent %s called to extension %s has failed busy ACD agent %s call to answer register rejected the call Auto Callback booking maximum number of %s Dial emergency call %s%s through outbound outbound line is %s Emergency call second retry failed. Dial through outbound line %s failed due to Emergency call third The call forwarded to forward to caller extension %s failed due answered 778 Table 310 PBX Dialplan Logs (continued)no caller ID was blocked due to block list been forwarded to voicemail due to after caller id isn't in DND white list of extension %s to extension %s has voicemail due to DND forward voicemail due to blind foward Call to unregistered exntension number %s Call to un-pluggedBRI number %s voicemail due no answer voicemail due busy The incoming call presses a wrong Group Access Code The incoming call dials number %s is an invalid 779 numberThe incoming call does not presses any number The find-melist is no number me list on extension %s LCR %s accepts the The extension %s dials %s in LCR %s is %s %s line %s in LCR %s is Mobile extension %s logon successfully mobile extension is an invalid number configuration is incomplete 780 inputing PIN code isincorrect logoff successfully Mobile Extension %s Mobile extension auto failed. No caller ID The extension %s has an invalid mobile extension number %s The extension %s change to %s by inputing Group The extension %s inputs a wrong Group Access Code %s 781 The PBX SIP logs deal with SIP information and errorsTable 311 PBX SIP Logs The call %s peer '%s was rejected due to the limit of %d by peer device %s Register failed due to authentication failed for peer device The call to extension %s was rejected due to extension %s not found Call from %s to rejected due to extension not found register to %s@%s giving up (check config) The call to device %s is rejected due to too many calls Call failed due to network loop detected Call from '%s' to extension '%s' was rejected due to callee address incomplete 782 Table 311 PBX SIP Logs (continued)Call rejected due to acceptable here") unacceptable codecs callee does not support required crypto Call rejected due to no compatible codecs is rejected due to PBX service unavailable one pick up call for %s in pick up group can not find call (no channel) The call is failed due codecs Extension '%s' was unregistered due to time expired Extension '%s requested to unregister The expire time is set as %d due to extension %s is behind NAT registered successfully %d SIP trunk registered '%s@%s 784 The PBX trunk logs deal with the SIP trunk being disconnected or recoveredTable 312 PBX Trunk Logs The SIP trunk %s is disconnected over %d minutes recovered The PBX DSP logs deal with the Digital Signal Processor Table 313 PBX DSP Logs DSP initialization has failed succeeded The PBX physical port logs deal with the ISG50’s physical PBX ports Table 314 PBX Physical Port Logs BRI port %u FXO initialization has 785 Table 314 PBX Physical Port Logs (continued)FXS initialization has Table 315 PBX Default Logs call to extension '%s the Max. Call Time System internal error Failed to load PBX module %s - %s modules directory '%s Attendant console Total license: %d Softphone license is not enough. Total license: %d Extension license is Local phonebook importing failed. Row error Local phonebook items had reached maximum Import Local phonebook items address is empty 786 Table 315 PBX Default Logs (continued)Base DN is empty LDAP phonebook refresh not activate Phonebook LDAP server wrong server IP or port wrong bind DN or password update failed File convert from %s to %s was failed Extension %s request extension has been locked password. Fail count: locked due to request retry fail reach %d times Extension %s login rejected due to the PIN code. Fail count: Extension %s has been times Failed login attempt to Extension Portal 787 Table 316 ZySH Logs788 Table 316 ZySH Logs (continued)can't get reference count: %s can't print entry name: Table OPS entries from table %s: index is out of range %s: cannot set entry #%d %s: invalid old/new index Unable to move entry #%d Unable to delete entry Unable to change entry %s: apply failed at initial stage main stage closing stage 789 Table 317 ADP LogsADP Logs from <zone> to <zone , Action: <action Severity: <severity ADP rule <num> has been deleted moved to <num New ADP rule has been appended inserted modified ADP profile <name> has been deleted been changed to <name been created been modified Packet payload length system handle length LAND attack packet as Destination IP 790 Table 318 User LogsUser Logs %s %s from %s has logged in ISG50 logged out ISG50 %s %s from %s has been auth timeout) logged out ISG50 (lease timeout) logged out ISG50 (idle into lockout state Address %u.%u.%u.%u has state a lockout address) the max. number of user) 791 Table 318 User Logs (continued)ISG50 from %s (reach simultaneous logon) access from %s Table 319 myZyXEL.com Logs Send registration message to MyZyXEL.com server has failed has failed response User has existed User does not exist Internal server error has failed:%s Device registration has succeeded Registration has lack must fields activation has failed:%s %s:Trial service 792 Table 319 myZyXEL.com Logs (continued)Trial service Because of lack must Standard service check has failed:%s Service expiration check has succeeded Verify server's Connect to MyZyXEL.com Do trial service activation Do standard service failed. Update stop 793 certificate hasSend download request Send update request to Update has failed now. File download after %d seconds Device has latest update need to update Connect to update packets received Update stop 794 check has failedDo expiration daily Expiration daily interface. Do self System bootup. Do After register. Do check immediately Time is up. Do expiration daily Read MyZyXEL.com storage has failed Open /proc/MRD has version: %d certificates has Certificate has expired Self signed certificate certificate chain Verify peer 795 CertificationDepth: %d, Error Number(%d):%s name:%s The wrong format for HTTP header Download file size is wrong Table 320 IKE Logs IKE Logs DPD capability [COOKIE] Invalid cookie, no sa found [DPD] No response from Phase-1SA in %u seconds. Trying with Phase-1rekey [HASH] : Tunnel [%s] Phase 1 hash mismatch Phase 2 hash mismatch information [ID] : Tunnel [%s] Local IP mismatch [ID] : Tunnel [%s] My IP mismatch Phase 1 ID mismatch Phase 2 Local ID mismatch 796 Table 320 IKE Logs (continued)Phase 2 Remote ID Remote IP mismatch [SA] : Malformed IPSec SA proposal [SA] : No proposal chosen [SA] : Tunnel [%s] Phase 1 authentication algorithm mismatch method mismatch Phase 1 encryption Phase 1 invalid protocol transform Phase 1 key group Phase 1 negotiation mode mismatch Phase 2 authentication Phase 2 encapsulation Phase 2 encryption Phase 2 pfs mismatch Phase 2 pfs unsupported: %d Phase 2 SA encapsulation 797 [SA] : Tunnel [%s] SAsequence size mismatch [XCHG] exchange type is not IP, AGGR, or INFO Addr %s for Tunnel [%s] Gateway Addr %s for Tunnel [%s] tunnel "%s Could not dial incomplete tunnel "%s Could not dial manual key tunnel "%s DPD response with invalid ID DPD response with no active request IKE Packet Retransmit Phase 1 IKE SA process done from [%s] request from [%s] Recv:[SA][KE][ID][CER CE][DEL][VID][ATTR][N OTFY:%s] to [%s] request to [%s] Send:[SA][KE][ID][CER T][CR][HASH][SIG][NON Start Phase 2: Quick Mode 798 The cookie pair is :0x%08x%08x The IPSec tunnel "%s is already established Tunnel [%s] built successfully Tunnel [%s] Phase Tunnel [%s] Recving IKE request Tunnel [%s] Sending Tunnel [%s] IKE process VPN gateway %s was disabled enabled XAUTH fail! My name: user: %s XAUTH succeed! My name: %s Dynamic Tunnel [%s:%s:0x%x:0x%x:%s] rekeyed successfully Tunnel Tunnel [%s:%s] Phase Recving IKE request 799 Sending IKE requestdisconnected Tunnel [%s] rekeyed Table 321 IPSec Logs IPSec Logs Corrupt packet operation fail too big with length fail Inbound transform Fragment Off Execute transform step fail, ret=%d SPI:0x%x SEQ:0x%x No rule found, Dropping packet SPI:0x%x SEQ:0x%x detected VPN connection %s was enabled Due to active exceeded, %s was 800 Table 322 Firewall Logspriority:%lu, from %s to %s, service %s, %s been moved to %d Firewall rule %d has Firewall rules have been flushed Firewall rule %d was Firewall %s %s rule %d was %s has been moved to %d has been deleted Firewall %s %s rules have been flushed abnormal TCP flag attack detected The Asymmetrical Route has been enabled has been disabled Table 323 Sessions Limit Logs Maximum sessions per host (%d) was exceeded 801 Table 324 Policy Route LogsCannot get handle from UAM, user-awarePR is mblock: allocate memory failed pt: allocate memory failed To send message to The policy route %d allocates memory fail uses empty user group uses empty source address group uses empty destination uses empty service Policy-routerule %d was inserted was appended was modified was moved to %d was deleted Policy-routerules were flushed activated deactivated 802 Table 324 Policy Route Logs (continued)Interface %s alive rules will be re Interface %s dead rules will be disabled Trunk %s alive Trunk %s dead, related will be disabled Table 325 Built-inServices Logs User on %u.%u.%u.%u from %s HTTPS certificate:%s does not exist. HTTPS service will not work HTTPS port has been changed to port %s HTTP port has changed to port %s to default port SSH port has been SSH certificate:%s does not exist. SSH 803 Table 325 Built-inServices Logs (continued)TELNET port has been FTP certificate:%s does not exist FTP port has been SNMP port has been Console baud has been changed to %s reset to %d has changed Set timezone to default Enable daylight saving Disable daylight DNS access control reached the maximum rule %u of DNS has been appended rule %u has been 804 appendedmodified rule %u has been moved to %d The default record of Zone Forwarder have number of 128 DNS servers Interface %s ping check is successful DNS servers in records check is failed. Zone servers in records check is disabled Wizard apply DNS server failed Wizard adds DNS server %s failed because DNS conflictd Forwarder numbers have number of Access control rules of %s have reached the maximum number of %u 805 Access control rule %uof %s was appended of %s was inserted of %s was modified of %s was deleted Access control rule %d of %s was moved to %d SNMP trap can not be sent successfully Table 326 System Logs %s process count is incorrect at %s %s becomes Zombie at 806 Table 326 System Logs (continued)DHCP Server executed with cautious mode Received packet is not an ARP response packet Receive an ARP response Receive ARP response from %s (%s) The request IP is: %s sent from %s Received ARP response client issuing the DHCP request response from an unknown client In total, received %d for the requested IP Clear arp cache Client MAC address is not an Ethernet DHCP request received %s (%s:%s), src_mac: %s with requested IP: IP confliction is DHCP-NAK Set manual time has succeeded. Current time is %s NTP update successful current time is %s 807 NTP updatefailed Device is rebooted by administrator Insufficient memory Connect to dyndns server has Update the profile %s strange server has succeeded because the IP address of FQDN %s was not changed has failed because the FQDN %s is invalid FQDN %s is malformed FQDN %s is not under your control FQDN %s was blocked for abuse authentication fail invalid system parameters FQDN %s was blocked many or too few hosts found dyndns internal error 808 feature requested isonly available to donators has failed because of error response has failed because %s unknown error has failed because Username was empty Password was empty Domain name was empty Custom IP was empty has failed because WAN interface was empty interface was link down interface was not has failed because IP ping-checkof WAN interface has failed Disable DDNS has Enable DDNS has 809 been renamed as %sDDNS profile %s has DDNS Initialization All DDNS profiles are deleted Collect Diagnostic - Server did not respond Infomation has Release interface %s capture Release address packet capture The interface %s is capture for this interface will not take effect Directory existed. Create it automatically Directory debug not existed! Create it Table 327 Connectivity Check Logs Can't open link_up2 Can not open %s.pid Can not open %s.arg 810 Table 327 Connectivity Check Logs (continued)The connectivity %s interface of %s interface function of %s module Can't get IP address Can't get flags of %s Can't get remote Can't get NETMASK Can't get BROADCAST for destination The destination is destination IP is broadcast IP Can't get MAC address of %s interface To send ARP REQUEST error The %s routing status seted to DEAD by connectivity-check 811 The %s routing status seted ACTIVATE by connectivity-checkTable 328 Routing Protocol Logs have been stopped RIP on interface %s has been activated RIP direction on changed to In-Only changed to Out-Only RIP authentication mode has been changed to %s RIP text been changed RIP md5 authentication id and key have been changed RIP global version has been changed to %s RIP redistribute OSPF routes has been RIP redistribute has been deactivated changed to BiDir RIP authentication has benn disabled 812 Table 328 Routing Protocol Logs (continued)RIP v2-broadcaston RIP send-versionon RIP receive-versionon reset to current global version %s Area %s cannot be in use Invalid OSPF %s Invalid OSPF virtual authentication of area 813 link %s authenticationof area %s Invalid OSPF md5 interface %s Invalid OSPF text belong to any OSPF area %s on interface %s Table 329 NAT Logs NAT Logs %s FTP ALG has Extra signal port of FTP ALG has been Signal port of FTP ALG has been modified %s H.323 ALG has H.323 ALG has been Signal port of H.323 ALG has been modified Register H.323 ALG extra port=%d failed signal port=%d failed Register FTP ALG extra port=%d failed Register FTP ALG 814 Table 330 PKI LogsPKI Logs Generate certificate "%s failed, errno %d Generate certificate request "%s" failed errno %d Generate PKCS#12 Prepare to import "%s into "My Certificate into Trusted Certificate successfully, CA "%s URL "%s failed, CA "%s", URL "%s SCEP enrollment "%s My Certificate Trusted Certificate Import PKCS#12 "My Certificate 815 Table 330 PKI Logs (continued)Import PKCS#7 "Trusted Certificate Decode imported Export PKCS#12 Export incorrect password trusted: %s 816 Table 331 Certificate Path Verification Failure Reason CodesCODE Interface Logs Interface %s has been Create interface %s has been failed disabled. Interface %s is disabled now 817 Table 332 Interface Logs (continued)added Interface %s is %s may not work correctly down. Default route interface %s links up name=%s,status=%s,TxP kts=%u xB/s=%u RxB/s=%u,UpTime=%s RxB/s=%u Interface %s start dailing Interface %s connect Interface %s connection terminated terminated: idle failed: MS-CHAPv2 mutual authentication 818 failed: MS-CHAPfailed: CHAP responding failed: PAP Interface %s create failed because has no member "Interface cellular %d\n occurred while negotiating with the device in %s. Please try to remove then insert the device "Unable to negotiate Please try to remove then insert the the selected frequency band to the device in remove then insert the "PIN code is required cellular%d. Please check the PIN code setting 819 successfully unlockedby PUK code on interface cellular%d Please check the PUK code setting cellular%d in %s is damaged or not inserted. Please then check the SIM card PUK code to unlock "Incorrect PIN code of signal quality from the device in %s "Interface cellular%d cannot connect to the service provider is configured with incorrect APN incorrect phone incorrect username or password device %s, but current inserted device is %s "Cellular device [%s %s] has been inserted into %s 820 %s] has been removedfrom %s Interface cellular%d password in cellular%d edit page or ESN=%s) over time budget!(budget = %d seconds) budget %d%% (budget %d seconds) or ESN=%s) over data budget!(budget = %lld Mbytes, used = %lld Mbytes) %.2f Mbytes, used %.2f Mbytes) The interface name is not accepted Configured interface name is reserved word 821 prefixDuplicated interface name This Interface can not be renamed Virtual interface is type of interface Virtual interface need changing the interface property Virtual interface can not configured at external interface Interface property is The property can not be changed at this System default ppp with other ethernet Related system default deactivate first be activated since interface property is internal removed Interface property can since interface is the member of other trunk Port-groupingis not support can not set 3rd-dns 822 RxPkts=%u,Colli.=%u,T'%s Table 333 Account Logs Account %s %s has been Table 334 Port Grouping Logs because of changing DHCP client down because of changing Port Group Disable DHCP client changed. Renew DHCP client Port Grouping %s has 823 Table 335 Force Authentication LogsForce User enabled due to http server is enabled disabled due to http server is disabled Authentication may not work properly Table 336 File Manager Logs ERROR:#%s, %s WARNING:#%s, %s Resetting system System resetted. Now apply %s Running %s Going to rollback previous running config 824 Table 337 DHCP LogsDHCP Logs Table 338 E-mailDaily Report Logs Email Daily Report has been activated been deactivated Email daily report has been sent server address %s Mail server authentication failed Mail From address %s1 SMTP account %s2 Failed to connect to mail server %s 825 Table 339 IP-MACBinding LogsTable 340 Auth. Policy Logs 827 USER-DEFINEDPort(s Port(s) •If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number •If the Protocol is USER, this is the IP protocol number Table 341 Commonly Used Services PROTOCOL PORT(S) 828 Appendix B Common ServicesTable 341 Commonly Used Services (continued) 831 In this appendix, you can import a public key certificate for:•Internet Explorer on page •Firefox on page •Opera on page •Konqueror on page 832 2Click Continue to this website (not recommended)3In the Address Bar, click Certificate Error > View certificates 833 4In the Certificate dialog box, click Install Certificate5In the Certificate Import Wizard, click Next 834 Select Certificate Store835 9In the Completing the Certificate Import Wizard screen, click FinishSecurity Warning 836 Website Identification837 1Open Internet Explorer and click Tools > Internet Options838 2In the Internet Options dialog box, click Content > Certificates839 CertificatesRoot Certificate Store 840 2Select Accept this certificate permanently and click OKPage Info > Security 841 1Open Firefox and click Tools > Options2In the Options dialog box, click Advanced > Encryption > View Certificates 842 Select File844 Certificate ManagerWeb Sites 4In the Delete Web Site Certificates dialog box, click OK 845 InstallSecurity information 847 3In the Certificates Manager, click Authorities > ImportImport certificate Open 848 5In the Install authority certificate dialog box, click Install850 Certificates managerAuthorities 2Click Continue 851 ForeverClick the padlock in the address bar to open the KDE SSL Information Figure 572 Konqueror 3.5: KDE SSL Information Figure 573 Konqueror 3.5: Public Key Certificate File 852 2In the Certificate Import Result - Kleopatra dialog box, click OKKleopatra 853 1Open Konqueror and click Settings > Configure KonquerorConfigure Crypto Peer SSL Certificates Remove 855 CopyrightDisclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement Notices Viewing Certifications ZyXEL Limited Warranty Note 856 Appendix D Legal InformationRegistration Open Source Licenses Safety Warnings 857 AA 479, 497AD 631, 633, 634, 635 port 635 DN 633, 634, 635 LDAP 631 351 RADIUS 631, 633 296 858 SIP 335412 102 466 374 707, 711, 712, 713, 716, 717 335 860 BRI 447861 647109 208 468 470 709 244, 266, 273 532 653 737 863 ESP 374293, 295, 430, 447 468, 469, 470, 484 864 fax 89865 433, 468125 88 88, 144, 156 757 123 867 35537 868 ITSP 27, 88LCR 88, 89 869 526587, 591 categories 712, 713, 716, 717 MOH 532 221 870 MWI 468NAT 299 NBNS 244, 266, 273 872 550PBX 27 336 295, 405 and users 294, 295, 405 375 phonebook 587, 588, 591, 592 196 36 873 QoS 290, 397, 430, 431874 486649, 652 340, 430 351, 363, 405 469 549 875 SIP 37quality 430, 447 876 431877 411281 145 766 144, 151 879 23438, 433, 467, 581 WINS 244, 266, 273 59
Also you can find more ZyXEL Communications manuals or manuals for other Computer Equipment.