UAG715 Support Note
Revision 1.00, August 2012
Written by CSO
Scenario 1 - Trunk Interface (Dual WAN)

Application Scenario
The Internet has become an integral part of our lives, so a smooth Internet connection is in high demand. The Trunk interface (Dual WAN) not only increases overall network throughput; it also gives the administrator more flexibility in managing WAN traffic. The UAG provides three load balancing methods: Spillover, Least Load First, and Weighted Round Robin. In this scenario we demonstrate Least Load First. For users with static IP addresses, this scenario also shows how to configure DNS on the UAG so that all DNS queries are sent to the ISP's DNS server, which prevents DNS query timeouts and gives users a better Internet browsing experience.
Network Conditions
UAG:
- WAN1 (PPPoE): 118.160.193.194/255.255.255.255
- WAN2 (Static IP): 59.124.163.153/255.255.255.224

Goals to Achieve
Two WAN interfaces will share the Internet workload.

UAG Configuration
1) Determine the bandwidth of both WAN interfaces.
This is important because the Least Load First algorithm measures the load on each interface as the percentage of its ISP-assigned bandwidth that is currently in use. For example, if WAN1 has 10 Mbps of bandwidth and 5 Mbps are used, while WAN2 has 20 Mbps and 6 Mbps are used, WAN1 is carrying the heavier load (50% of its bandwidth is occupied, against 30% on WAN2), so WAN2 should take the additional traffic.
Step 1: Go to CONFIGURATION > Interface > PPP > double-click on wan1_ppp.
Step 2: Click on Show Advanced Settings to configure the Egress and Ingress bandwidth.
Step 3: Set the Egress Bandwidth (Upload) to 2 Mbps and the Ingress Bandwidth to 10 Mbps > click on OK to confirm the change.
Step 4: Go to CONFIGURATION > Interface > Ethernet > double-click on wan2.
Step 5: Click on Show Advanced Settings to configure the Egress and Ingress bandwidth.
Step 6: Set the Egress Bandwidth (Upload) to 5 Mbps and the Ingress Bandwidth to 20 Mbps > click on OK to confirm the change.
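As an added illustration of the Least Load First rule described in part 1) (example code written for this note, not UAG firmware or ZyXEL code): each trunk member's load is the percentage of its configured, ISP-assigned bandwidth currently in use, and the member with the lowest percentage on the chosen Load Balancing Index receives the next new session. The WanMember class, the "both" index (taken here as the busier of the two directions) and the tie-breaking rule are this example's own assumptions; the bandwidth figures are the 2/10 Mbps and 5/20 Mbps values from Steps 3 and 6 plus the 10/5 and 20/6 Mbps example in the text, and the usage figures are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class WanMember:
    """One trunk member. Bandwidth values are in kbps (1 Mbps = 1000 kbps)."""
    name: str
    egress_kbps: int            # configured upload bandwidth (ISP-assigned)
    ingress_kbps: int           # configured download bandwidth (ISP-assigned)
    egress_used_kbps: int = 0   # currently measured upload usage
    ingress_used_kbps: int = 0  # currently measured download usage

    def load_percent(self, index: str) -> float:
        """Percentage of configured bandwidth in use on the given index.

        'inbound' and 'outbound' match the Load Balancing Index choices named
        in the text; 'both' is this example's assumption and takes the busier
        direction so that neither direction can saturate unnoticed.
        """
        inbound = 100.0 * self.ingress_used_kbps / self.ingress_kbps
        outbound = 100.0 * self.egress_used_kbps / self.egress_kbps
        if index == "inbound":
            return inbound
        if index == "outbound":
            return outbound
        if index == "both":
            return max(inbound, outbound)
        raise ValueError(f"unknown load balancing index: {index!r}")


def least_load_first(members: List[WanMember], index: str = "inbound") -> WanMember:
    """Pick the member with the lowest load percentage for the next new session.

    It is the percentage, not the absolute rate, that decides: a bigger link
    with more spare Mbps can still be the busier one. Ties go to the member
    listed first (an assumption of this example).
    """
    if not members:
        raise ValueError("trunk has no active members")
    for m in members:
        if m.ingress_kbps <= 0 or m.egress_kbps <= 0:
            # Without the Step 3 / Step 6 bandwidth settings there is no denominator.
            raise ValueError(f"{m.name}: egress/ingress bandwidth must be set first")
    return min(members, key=lambda m: m.load_percent(index))


# The worked example from the text: WAN1 10 Mbps with 5 Mbps used (50%),
# WAN2 20 Mbps with 6 Mbps used (30%) -> WAN2 takes the next session.
TEXT_EXAMPLE = [
    WanMember("wan1", egress_kbps=10_000, ingress_kbps=10_000, ingress_used_kbps=5_000),
    WanMember("wan2", egress_kbps=20_000, ingress_kbps=20_000, ingress_used_kbps=6_000),
]

# The interfaces as configured in Steps 3 and 6 (2/10 Mbps and 5/20 Mbps) with
# constructed usage figures chosen so that the bigger link is the busier one inbound.
CONFIGURED_TRUNK = [
    WanMember("wan1_ppp", egress_kbps=2_000, ingress_kbps=10_000,
              egress_used_kbps=500, ingress_used_kbps=2_000),    # 25% out, 20% in
    WanMember("wan2", egress_kbps=5_000, ingress_kbps=20_000,
              egress_used_kbps=1_000, ingress_used_kbps=8_000),  # 20% out, 40% in
]

if __name__ == "__main__":
    print("text example, inbound index ->", least_load_first(TEXT_EXAMPLE).name)
    print("configured trunk, inbound   ->", least_load_first(CONFIGURED_TRUNK, "inbound").name)
    print("configured trunk, outbound  ->", least_load_first(CONFIGURED_TRUNK, "outbound").name)
```

The constructed trunk shows why the index matters: with Inbound selected (as in Step 4 below) wan1_ppp wins because it is only 20% full downstream, while with Outbound selected wan2 wins.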
2) Configure the Trunk interface
Step 1: Go to CONFIGURATION > Network > Interface > Trunk > click on Add to add a new Trunk interface rule.
Step 2: Click on Add to add an interface as a member of this Trunk.
Step 3: Click on the drop-down menu to select an interface.
Step 4: Choose Least Load First as the Load Balancing Algorithm, use Inbound for the Load Balancing Index(es), and keep both interfaces in Active mode. Click on OK to confirm the setting.
Step 5: Back on the Trunk main page, select User Configured Trunk > click on OK to confirm the change.
3) Add a DNS Server for WAN2
Step 1: Go to CONFIGURATION > System > DNS > click on Add to add a new DNS rule.
Step 2: Fill in the information > choose wan2 > click on OK to confirm. A new DNS entry is created for wan2.
Scenario 2 - SMTP Redirect
SMTP redirect forwards an authenticated client's SMTP messages to an SMTP server that handles all outgoing email. The UAG forwards SMTP traffic on TCP port 25.

Application Scenario
Many ISPs block outbound SMTP to cut down on the amount of spam sent from their networks, so on occasion you may need to redirect SMTP traffic; the UAG's SMTP Redirect function does this when clients send email. At the same time, it must be ensured that no spam is sent from the company's public IP address. All outgoing SMTP requests are redirected to an external SMTP server, so we can identify who initiated any spam emails.
Network Conditions
Incoming Interface: lan1
Source Address: LAN1_SUBNET
SMTP Server: mail.zyxel.com.tw

Goals to Achieve
SMTP traffic received on lan1 is forwarded by the UAG to the SMTP server mail.zyxel.com.tw, so users can send email using the SMTP protocol.

UAG Configuration
Step 1: Click Configuration > Network > SMTP Redirect and select the option to enable the SMTP redirect feature on the UAG.
Step 2: Click Network > SMTP Redirect > Add.
Step 3: Configure the SMTP Redirect settings (the incoming interface, source address and SMTP server listed above).
Scenario 3 - Web Authentication

Application Scenario
Web Authentication is a user-friendly administrative tool that lets an administrator control users' access to the company's network. The UAG provides two ways to authenticate users: internal authentication and external authentication.

3.1 Internal Authentication
In the first scenario, we authenticate users against the user database on the UAG.

Network Conditions
UAG WAN2 (Static): 59.124.163.153/255.255.255.224
User PC: 192.168.1.34

Goals to Achieve
Users will be authenticated by the UAG before they can access the Internet.
UAG Configuration
1) Create an Auth. Policy to authenticate users from LAN1, 192.168.1.0/24.
Step 1: Go to CONFIGURATION > Network > Web Authentication > double-click on the existing policy to modify the rule.
Step 2: Enter a name for this Auth. Policy > choose LAN1_SUBNET to authenticate all users coming from this subnet > click on OK to create the policy.
2) Create a user account for the PC to log in with
Step 1: Click on Add to create a user for LAN1_SUBNET users to log in with.
Step 2: Enter the necessary login credentials and click on OK to confirm.
Verification
When the user opens an Internet browser and tries to visit www.zyxel.com, the user is redirected to the login page. After entering the User Name and Password, click on Login to continue. If the user passes authentication, the lease time is displayed.
3.2 RADIUS Authentication (External Authentication)
For enterprises that run their own RADIUS server in the DMZ (server farm), the UAG can integrate with that RADIUS server for authentication. In this scenario, we demonstrate how the UAG co-operates with the RADIUS server to authenticate users.

Network Conditions
UAG DMZ: 192.168.3.1
RADIUS Server: 192.168.3.168
User's Laptop: 192.168.1.34

Goals to Achieve
Users will be authenticated by the RADIUS server before they can access the Internet.
UAG Configuration
1) Create a new RADIUS rule
Step 1: Go to CONFIGURATION > Object > AAA Server > RADIUS tab > click on Add to create a RADIUS server entry.
Step 2: A window appears asking for the server information. Enter the required information and click on OK to confirm the settings. The Key is the shared secret configured on the RADIUS server; it must match on both sides.
Step 3: A new RADIUS server entry has been added to the page.

2) Add the RADIUS server just created to an authentication method
Step 1: Go to CONFIGURATION > Object > Auth. Method > double-click on default; a new window appears.
Step 2: Click on Add to add a RADIUS authentication method to this rule.
Step 3: Choose group RADIUS_168 > click on OK to confirm the modification.
Authentication via the RADIUS server has now been added to the default authentication method.
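To show what the Key entered in Step 2 actually protects, here is an added example (written for this note, not ZyXEL/UAG or RADIUS-server code) of the two RFC 2865 mechanisms that depend on the shared secret: hiding of the User-Password attribute in the Access-Request, and the Response Authenticator the UAG must verify before trusting an Access-Accept. The secret, user name and password are constructed sample values; the packet builder is minimal (User-Name and User-Password only).

```python
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # the next keystream block is chained on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: bytes) -> bytes:
    """Access-Request as the UAG (the NAS) would send it to 192.168.3.168."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def sign_response(code: int, identifier: int, attrs: bytes,
                  request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: a reply that was not produced with the shared secret must be dropped."""
    if len(packet) < 20:
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample, not a real key
    ra = os.urandom(16)                     # must be unpredictable and fresh per request
    req = build_access_request(7, b"alice", b"correct horse battery", secret, ra)
    accept = sign_response(CODE_ACCESS_ACCEPT, 7, b"", ra, secret)
    print("request length:", len(req))
    print("accept verifies with right secret:", verify_response(accept, ra, secret))
    print("accept verifies with wrong secret:", verify_response(accept, ra, b"wrong"))
```

Two practical consequences follow from the code: the password hiding is only as strong as the secret and the freshness of the Request Authenticator, so the Key should be long and random, and the UAG-to-RADIUS path should stay inside the DMZ rather than cross an untrusted network.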
Scenario 4 - Content Filter
The World Wide Web has become the main target for network threats. When users in a hotel browse unsafe websites that may contain phishing or malicious programs, we run the risk of other computers in the hotel being infected. The Content Filter stops malware and web threats by preventing users from accessing these harmful sites.

Application Scenario
In this scenario, we demonstrate how to protect users from accessing unsafe websites. The filter provides real-time protection and monitors certain sites to keep network traffic under control.

Network Conditions
LAN1 Subnet: 192.168.1.0/24

Goals to Achieve
Users who try to browse an unsafe website will be redirected to another web page, www.zyxel.com.

UAG Configuration
Step 1: Choose your licensed content filtering service and start its setup.
Step 2: Add a profile that allows users to visit all websites:
- Enable the Enable Content Filter Category Service checkbox.
- Set Action for Security threat (Unsafe) to Warn and enable the Log checkbox.
- Set Action for Managed Web Pages to Pass and enable the Log checkbox.
- Set Action for Unrated Web Pages to Warn and enable the Log checkbox.
- Set Action When Category Server is Unavailable to Warn and enable the Log checkbox.
Step 3: Switch to Configuration > Anti-X > Content Filter > General to enable the Content Filter.
Step 4: Add an access policy for the customers. Schedule: none. Address: LAN1 subnet. Filter Profile: CF.
Step 5: Check the created policies. When customers try to access a website, the UAG evaluates the policy; if they access a harmful website, a denied message is shown and they are redirected to http://www.zyxel.com.
Scenario 5 - How to Export System Logs to an External Server

Application Scenario
For management purposes, administrators can easily monitor events occurring on the UAG by reading the syslog; these syslog messages are classified into 3 severity levels. The logs are very useful for administrators, especially when the administrator receives complaints from users about a slow or unstable Internet connection, and can serve as a troubleshooting reference. In this scenario, we show how the UAG exports system logs to a Kiwi syslog server.

Network Conditions
UAG:
Kiwi Syslog Server: 192.168.3.168

Goals to Achieve
The administrator will be able to see the UAG's system logs on the Kiwi syslog server.

UAG Configuration
1) Configure system log settings on the UAG
Step 1: Go to CONFIGURATION > Log & Report > click on Log Setting to view the log settings.
Step 2: Double-click on the 4th server setting to configure the UAG for exporting system logs.
Step 3: Check the Active box, choose CEF as the syslog file format, and specify the Kiwi syslog server IP address.
Step 4: Click on the Selection button to switch the log preference to normal.
Step 5: The logs now appear on the Kiwi syslog server.
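Once the logs arrive in CEF format (Step 3), the receiving side usually wants to parse them rather than read them by eye. The following added example (written for this note, not Kiwi or ZyXEL code) parses CEF syslog lines, including the escaping rules for "|" in the header and "=" in extension values, and filters a batch by severity. The sample lines are constructed: the vendor and product names are taken from this note, while the version string, signature IDs and field values are placeholders, not real UAG output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    syslog_prefix: str                  # whatever preceded "CEF:" (priority, timestamp, host)
    header: Dict[str, object]
    extension: Dict[str, str] = field(default_factory=dict)


def _unescape(s: str) -> str:
    r"""Resolve CEF escapes: \| \= \\ plus the \n and \r newline escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven header fields at unescaped '|' and return (fields, extension).

    Pipes inside the extension are not delimiters, so counting stops at the seventh.
    """
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep the escape pair for _unescape to resolve
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    return [_unescape(f) for f in fields], body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value two' pairs; values may contain spaces but not an unescaped '='."""
    out: Dict[str, str] = {}
    ext = ext.strip()
    if not ext:
        return out
    for chunk in re.split(r"\s+(?=\w+=)", ext):
        key, sep, value = chunk.partition("=")
        if sep:
            out[key] = _unescape(value)
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record; raises ValueError for non-CEF lines."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[idx + len("CEF:"):])
    header: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    if str(header["severity"]).isdigit():
        header["severity"] = int(header["severity"])   # numeric CEF severity is 0..10
    return CefEvent(syslog_prefix=line[:idx].rstrip(), header=header, extension=_parse_extension(ext))


def events_at_or_above(lines: List[str], min_severity: int) -> List[CefEvent]:
    """Keep CEF events with numeric severity >= min_severity; non-CEF lines are skipped, not fatal."""
    events: List[CefEvent] = []
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue
        sev = ev.header["severity"]
        if isinstance(sev, int) and sev >= min_severity:
            events.append(ev)
    return events


# Constructed sample lines (not real UAG output); version and signature IDs are placeholders.
SAMPLE_LINES = [
    r"<134>Aug  1 12:00:00 uag715 CEF:0|ZyXEL|UAG715|PLACEHOLDER-VERSION|PLACEHOLDER-SIG-1|Content filter warn|5|"
    r"src=192.168.1.34 spt=51234 dst=203.0.113.10 dpt=80 request=http://example.invalid/bad\=page act=warn "
    r"msg=constructed sample, not a real UAG log",
    r"<134>Aug  1 12:00:05 uag715 CEF:0|ZyXEL|UAG715|PLACEHOLDER-VERSION|PLACEHOLDER-SIG-2|Name with \| pipe|3|"
    r"src=192.168.1.34 msg=second constructed sample",
    "<134>Aug  1 12:00:07 uag715 plain text line that is not CEF",
]

if __name__ == "__main__":
    for ev in events_at_or_above(SAMPLE_LINES, 4):
        print(ev.header["severity"], ev.header["name"], ev.extension.get("src"), ev.extension.get("request"))
```

The parser stops treating "|" as a delimiter after the seventh field, which matters because extension values (URLs, messages) may legitimately contain pipes, and it only splits extension pairs on whitespace that is followed by a key and an unescaped "=".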
Scenario 6 - Web Authentication White List
Web authentication lets the administrator control who can access the network. Internal servers, however, do not need to be authenticated, so we create a white list containing the IP addresses of these servers. To ensure that the servers always receive the same IP address, we use IP/MAC Binding.

Network Conditions
UAG:
- LAN1: 192.168.2.1
- User's Laptop: 192.168.1.34
- DMZ: 192.168.3.1
- RADIUS Server IP address: 192.168.3.168
- RADIUS Server MAC: 00:C0:A8:FA:FF:4D
- Web Server: 192.168.3.169
- Web Server MAC: 00:C0:A8:FA:FF:4E

Goals to Achieve
1. The internal servers always receive the same IP address from the DHCP server (the UAG).
2. After Web Authentication is enabled, users are prompted to log in while the servers are not.
UAG Configuration
1) Reserve an IP address for the Web Server
Step 1: Go to CONFIGURATION > Network > Interface > double-click on dmz to open the configuration page of the DMZ subnet.
Step 2: Scroll down the page and click on Add to assign the Web Server a static IP address.
Step 3: Fill in the MAC addresses of the Web Server and the RADIUS Server > click on OK to confirm the change.
2) Add the servers' IP addresses to the authentication exemption
Step 1: Go to CONFIGURATION > Network > Web Authentication > click on Add to create a new rule for the servers.
Step 2: Enter a description for this rule > click on Create new Object to create an address range for the Web and RADIUS servers.
Step 3: Fill in the IP addresses of the servers; select Range to cover a span of IP addresses > click on OK to confirm.
Step 4: Select Servers under Source Address > choose unnecessary for Authentication > click on OK to finish.
Scenario 7 - Using SSL VPN to Manage Internal Devices
In an enterprise, an administrator who wants to manage the servers or devices in the server farm from outside raises security concerns. The SSL VPN function on the UAG eases this burden: it lets administrators reach servers or devices through an Internet browser from outside the company.

Network Conditions
UAG WAN2: 59.124.163.153
SSL VPN IP Pool: 192.168.168.0 255.255.255.0

Goals to Achieve
The administrator will be able to access internal servers and devices over the SSL VPN.
UAG Configuration
1) Create a user for SSL VPN
Step 1: Go to CONFIGURATION > Object > User/Group > click on Add to create an SSL VPN user.
Step 2: Fill in the required information and click on OK to confirm.
2) Allow the user to log in via SSL VPN and assign an IP address to the user
Step 1: Go to CONFIGURATION > VPN > SSL VPN > click on Add to create an access policy.
Step 2: Fill in the required information and select the user we just created, ssluser, in the pool.
Step 3: Scroll down the page and click on Create new Object > click on Address to create a subnet for SSL VPN users.
Step 4: Fill in the necessary information and click on OK to finish.
Step 5: Check the Enable Network Extension box > select the IP pool to assign to the SSL VPN users > let the device act as the DNS Proxy > set an external DNS server as backup.
Step 6: Choose the subnet that the SSL VPN user is allowed to reach (DMZ_SUBNET in this case) > click on OK to finish.
Scenario 8 - IPSec VPN

Application Scenario
A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN combines tunneling, encryption, authentication, access control and auditing, and is used to carry traffic over the Internet or any other insecure TCP/IP network. For example, when computers need to reach the database server at the company's headquarters, IPSec VPN on the UAG secures the traffic between branch offices, partners and headquarters, as shown below.

Network Conditions
UAG715 (1):
- WAN IP: 10.59.1.175
- Local subnet: 192.168.50.0/24
UAG715 (2):
- WAN IP: 10.59.1.30
- Local subnet: 192.168.60.0/24

IPSec VPN Conditions
Phase 1:
- Authentication: 1234567890
- Local/Peer ID type: IP 0.0.0.0
- Encryption Algorithm: 3DES
- Authentication Algorithm: MD5
- Key Group: DH1
Phase 2:
- Encapsulation Mode: Tunnel
- Active Protocol: ESP
- Encryption Algorithm: DES
- Authentication Algorithm: SHA1
- Perfect Forward Secrecy: None

Goals to Achieve
Establish an IPSec VPN tunnel between the two UAG715 units with the above configuration.

UAG Configuration
Step 1: Click CONFIGURATION > VPN > IPSec VPN > VPN Gateway to open the configuration screen, then click the Add button to add a VPN gateway rule.
Step 2: Edit the VPN gateway rule (Phase 1 settings).
Step 3: Click CONFIGURATION > VPN > IPSec VPN > VPN Connection to open the configuration screen and add a rule.
Step 4: Edit the Phase 2 rule.
Step 5: After setting the rule, select it and click the Connect button to establish the VPN link. Once the tunnel is established, a connected icon is displayed in front of the rule.
Step 6: Once the VPN tunnel is established, the SA information can be found under MONITOR > VPN MONITOR > IPSec.
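Before deploying the Phase 1 / Phase 2 parameters listed for this scenario, a practitioner would check them against current algorithm guidance. The following is an added example (written for this note, not UAG or ZyXEL code) that encodes the algorithm status published in NIST SP 800-131A Rev. 2, RFC 8247 (IKE) and RFC 8221 (ESP) and runs it over the scenario's settings; the dataclasses, the algorithm name strings, the pre-shared-key length threshold and the hardened comparison proposal are this example's own choices.

```python
from dataclasses import dataclass
from typing import List

# Algorithm status, summarised from NIST SP 800-131A Rev. 2, RFC 8247 (IKEv2) and RFC 8221 (ESP).
LEGACY_ENCRYPTION = {
    "DES": "56-bit key; disallowed by NIST and MUST NOT per RFC 8221/RFC 8247",
    "3DES": "deprecated by NIST (64-bit block); SHOULD NOT per RFC 8221/RFC 8247",
}
LEGACY_INTEGRITY = {
    "MD5": "not a NIST-approved hash; HMAC-MD5 is MUST NOT for ESP (RFC 8221) and SHOULD NOT for IKE (RFC 8247)",
}
LEGACY_DH_GROUPS = {
    "DH1": "768-bit MODP group; MUST NOT per RFC 8247",
    "DH2": "1024-bit MODP group; SHOULD NOT per RFC 8247",
}
MIN_PSK_LENGTH = 20  # this example's threshold; the point is length plus randomness


@dataclass
class Phase1:
    pre_shared_key: str
    encryption: str
    integrity: str
    key_group: str


@dataclass
class Phase2:
    encapsulation: str
    protocol: str      # "ESP" or "AH"
    encryption: str
    integrity: str
    pfs_group: str     # "None" when Perfect Forward Secrecy is disabled


def check_proposal(p1: Phase1, p2: Phase2) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    enc1, int1, grp1 = p1.encryption.upper(), p1.integrity.upper(), p1.key_group.upper()
    if enc1 in LEGACY_ENCRYPTION:
        findings.append(f"Phase 1 encryption {p1.encryption}: {LEGACY_ENCRYPTION[enc1]}")
    if int1 in LEGACY_INTEGRITY:
        findings.append(f"Phase 1 authentication algorithm {p1.integrity}: {LEGACY_INTEGRITY[int1]}")
    if grp1 in LEGACY_DH_GROUPS:
        findings.append(f"Phase 1 key group {p1.key_group}: {LEGACY_DH_GROUPS[grp1]}")
    psk = p1.pre_shared_key
    if len(psk) < MIN_PSK_LENGTH or psk.isdigit() or psk.isalpha():
        findings.append("Phase 1 pre-shared key: short or low-entropy; use a long random string")

    enc2, int2, pfs = p2.encryption.upper(), p2.integrity.upper(), p2.pfs_group.upper()
    if p2.protocol.upper() != "ESP":
        findings.append(f"Phase 2 protocol {p2.protocol}: only ESP provides confidentiality")
    if enc2 in LEGACY_ENCRYPTION:
        findings.append(f"Phase 2 encryption {p2.encryption}: {LEGACY_ENCRYPTION[enc2]}")
    if int2 in LEGACY_INTEGRITY:
        findings.append(f"Phase 2 authentication algorithm {p2.integrity}: {LEGACY_INTEGRITY[int2]}")
    if pfs in ("NONE", ""):
        findings.append("Phase 2 PFS disabled: a compromised Phase 1 key exposes every Phase 2 key derived from it")
    elif pfs in LEGACY_DH_GROUPS:
        findings.append(f"Phase 2 PFS group {p2.pfs_group}: {LEGACY_DH_GROUPS[pfs]}")
    return findings


# The parameters exactly as listed under "IPSec VPN Conditions" for this scenario.
SCENARIO_8_PHASE1 = Phase1(pre_shared_key="1234567890", encryption="3DES", integrity="MD5", key_group="DH1")
SCENARIO_8_PHASE2 = Phase2(encapsulation="Tunnel", protocol="ESP", encryption="DES", integrity="SHA1", pfs_group="None")

# A constructed comparison proposal that passes every check above (the PSK is a placeholder).
HARDENED_PHASE1 = Phase1(pre_shared_key="<long random secret placeholder>", encryption="AES256",
                         integrity="SHA256", key_group="DH14")
HARDENED_PHASE2 = Phase2(encapsulation="Tunnel", protocol="ESP", encryption="AES256",
                         integrity="SHA256", pfs_group="DH14")

if __name__ == "__main__":
    for finding in check_proposal(SCENARIO_8_PHASE1, SCENARIO_8_PHASE2):
        print("-", finding)
    print("hardened proposal findings:", check_proposal(HARDENED_PHASE1, HARDENED_PHASE2))
```

Both ends of the tunnel must agree on the proposal, so the same change has to be made on UAG715 (1) and UAG715 (2); the SA information under MONITOR > VPN MONITOR > IPSec shows which algorithms were actually negotiated.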
Scenario 9 - Customize Portal
For security reasons, the network administrator will want to control users' access to the enterprise network. When users are asked to log in, they see a login page; this page can be customized by the enterprise depending on the business image it wants to present to its users.

9-1 Application Scenario: Internal Web Portal
Web authentication intercepts all network traffic, regardless of address or port, until the user authenticates his or her connection, usually through a specifically designated login web page. This means all web page requests can initially be redirected to a special web page that requires users to authenticate their sessions. Once authentication succeeds, they can connect to the rest of the network or the Internet.

Network Conditions
Enable Internal Web Portal
Create the user name: guest
Login URL: specify the login page's URL, http://10.59.1.35:8080/login.html
Logout URL: specify the logout page's URL, http://10.59.1.35:8080/logout.html
Welcome URL: specify the welcome page's URL, http://10.59.1.35:8080/welcome.html
Session URL: specify the session page's URL, http://10.59.1.35:8080/session.html
Error URL: specify the error page's URL, http://10.59.1.35:8080/error.html

Goals to Achieve
By default the UAG uses its internal web portal and shows its own login page to the user.
UAG Configuration
Step 1: Go to Configuration > Web Authentication and select Internal Web Portal to use the default login page built into the UAG.
When the guest logs in to the UAG, the default page is shown.
9-2 Application Scenario: External Web Portal
Select External Web Portal to use a custom login page from an external web portal instead of the default one built into the UAG; you can configure the look and feel of the web portal page. In this scenario, we demonstrate how to redirect users to an external portal for login authentication, so that a customized portal page is displayed.

Network Conditions
Enable Internal Web Portal
Create the user name: guest
Login URL: specify the login page's URL, http://10.59.1.35:8080/login.html
Logout URL: specify the logout page's URL, http://10.59.1.35:8080/logout.html
Welcome URL: specify the welcome page's URL, http://10.59.1.35:8080/welcome.html
Session URL: specify the session page's URL, http://10.59.1.35:8080/session.html
Error URL: specify the error page's URL, http://10.59.1.35:8080/error.html

Goals to Achieve
The guest will see a customized portal page at login and logout.
UAG Configuration
Configuration > Web Authentication: customize the Login / Logout / Welcome URLs. A link on this screen downloads an example web portal file for your reference.
Step 1: Enable Web Authentication and choose External Web Portal. This uses a custom login page from an external web portal instead of the default one built into the UAG. Click "download the external web portal example" to obtain the example files; you can then configure the look and feel of the web portal page.
When the guest logs in, the customized portal is displayed. This screen displays the welcome page.
This screen displays the session page.
This screen displays the logout page.
This screen displays the error page.
Scenario 10 - VPN 1-1 Mapping

Application Scenario
NAT traversal is a general technique for establishing and maintaining IP connections across a network address translation gateway. When you use a VPN to connect to your company's network, NAT traversal can cause problems: if one site has NAT traversal enabled and the other does not, the connection is dropped because the response packets arrive with a different source IP address. With VPN 1-1 mapping, each guest who logs in to the UAG and matches a pre-configured mapping rule obtains an individual public IP address. Each guest can then use a unique public IP address to send traffic through a separate VPN tunnel. This helps especially when multiple guests need to reach different remote servers through separate VPN tunnels via the UAG.

Network Conditions
WAN IP: 59.124.163.149
IP Pool: 59.124.163.150~59.124.163.155

Goals to Achieve
We demonstrate how a guest obtains a static public IP address to access the network.
UAG Configuration
Step 1: Select the option to enable VPN 1-1 mapping on the UAG.
Step 2: Create a Pool address object before adding a profile: click Configuration > Object > Address > Address.
Step 3: Click Configuration > Network > VPN 1-1 Mapping > Profile.
Step 4: Add a pool profile. A pool profile defines the public IP address(es) that the UAG assigns to matched guests and the interface through which the guests' traffic is forwarded.
Step 5: When a guest accesses the Internet, go to Monitor > VPN 1-1 Mapping to check the status of the active guests to which the UAG applied a VPN 1-1 mapping rule.