| Apps | Exhibit | Type | Size | Submitted / Available |
|---|---|---|---|---|
| 1 | Manual 1 | Users Manual | 2.18 MiB | August 12 2005 |
| 1 | Manual 2 | Users Manual | 2.78 MiB | August 12 2005 |
| 1 | Manual 3 | Users Manual | 2.89 MiB | August 12 2005 |
| 1 | Cover Letter(s) | | | August 12 2005 |
| 1 | Cover Letter(s) | | | August 12 2005 |
| 1 | External Photos | | | August 12 2005 |
| 1 | Internal Photos | | | August 12 2005 |
| 1 | ID Label/Location Info | | | August 12 2005 |
| 1 | ID Label/Location Info | | | August 12 2005 |
| 1 | Operational Description | | | August 12 2005 |
| 1 | RF Exposure Info | | | August 12 2005 |
| 1 | Test Report | | | August 12 2005 |
| 1 | Test Setup Photos | | | August 12 2005 |

Manual 1: Users Manual, 2.18 MiB, August 12 2005
CAP - Converged Access Point(TM) User Guide
Version 2.0
August 1, 2005
Part # 721-001020-00 Rev. B

Converged Access Inc.
31 Dunham Road
Billerica, MA 01821
http://www.convergedaccess.com
Tel. +1.978.436.9111
Fax +1.978.436.9922

Converged Access Point User Guide Version 2.0
Copyright 2004-2005 by Converged Access Inc., Billerica, MA 01821-5729 USA. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, photocopied, or transmitted without the express, written consent of Converged Access Inc. The information in the manual is provided without warranty of any kind and is subject to change without notice. Converged Access Inc. assumes no responsibility, and shall have no liability of any kind, arising from the supply or use of this publication or any material contained herein.

Regulatory Compliance
Converged Access Point (CAP) devices meet the EMC requirements of:
- FCC Part 15 Class A
- EN55022:1998
- EN55024-1:1997

Federal Communication Commission Interference Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.

This model has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when this equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio and television communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his or her own expense.

Converged Access Inc. declares that CAP-1000-E-4A-W (FCC ID: TDW-WVRTD-100G-W) is limited to CH1~CH11 for 2.4GHz by the specified firmware controlled in the unit.

Canadian Department of Communications (DOC) Notices
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications.
This digital apparatus does not emit radio noise exceeding the Class A limits applicable to digital apparatus set out in the Radio Interference Regulations issued by the Department of Communications of Canada.

Safety Warnings
Electric Shock Hazard: To prevent electric shock, do not remove the cover. This unit contains hazardous voltages and should only be opened by a trained and qualified technician. Disconnect electric power to the product before connecting or disconnecting Ethernet cables to the LAN and WAN ports.
Lightning Danger: Do not work on equipment or cables during periods of lightning activity.
Grounding: This equipment must be grounded. The power plug must be connected to a properly wired earth-ground socket outlet. An improperly wired socket outlet could place hazardous voltages on accessible metal parts.
Power Cord: The power cord supplied with the system must only be plugged into a 110-volt outlet.
Mounting: Mount equipment such that a hazardous condition is not created due to uneven loading.
The CAP meets the safety requirements of:
- UL 1950
- CSA C22.2 NO 950-93-CAN/CSA
- EN60950 (IEC 950:1991, Modified)

Caution: Air vents must not be blocked and must have free access to the room ambient air for cooling. Do not attempt to repair or modify this equipment. Any repairs to the unit must be performed by Converged Access or a Converged Access authorized representative.

Converged Access Point and CAP are trademarks of Converged Access Inc. This product also includes software developed by third parties including the SMCC Technology Development Group at Sun Microsystems, Inc., Sony Computer Science Laboratories Inc., and the Network Research Group at Lawrence Berkeley Laboratory. There is no affiliation or sponsorship between these parties and Converged Access Inc. All parties retain all rights, title and interest in their content including all copyrights. Copyright Sun Microsystems, Inc. 1993-98. Copyright Sony Computer Science Laboratories, Inc. 1997-99. Copyright Regents of the University of California, 1991-97.

Table of Contents
1.0 INTRODUCTION TO THE CONVERGED ACCESS POINT ... 1
1.1 WHAT IS THE CONVERGED ACCESS POINT? ... 1
1.2 FEATURES ... 2
1.2.1 Network Interfaces ... 2
1.2.3 Network Security ... 2
1.2.4 Virtual Private Networks ... 2
1.2.5 Simplicity ... 3
1.2.6 Control & Provisioning ... 3
1.2.7 Future-Proof ... 3
2.0 GETTING STARTED ... 4
2.1 CONNECTING A COMPUTER TO THE CAP ... 5
2.1.1 Step 1 - PC Network Configuration ... 5
2.1.2 Step 2 - LAN Physical Connection ... 7
2.1.3 Step 3 - Internet Physical Connection ... 7
2.1.4 Step 4 - Web Based Management ... 8
2.2 QUICK SETUP ... 9
2.2.1 Router Mode or Bridge Mode Selection ... 9
2.2.2 Configuring Your Internet/WAN Connection ... 10
2.3 CONFIGURING YOUR LAN ETHERNET INTERFACE ... 12
2.3.1 Accessing the LAN Bridge to Configure Your LAN Connection ... 13
3.0 NAVIGATING THE WEB-BASED MANAGEMENT INTERFACE ... 17
3.1 ACCESSING THE WEB-BASED MANAGEMENT ... 18
3.2 THE CAP'S NETWORK MAP ... 18
3.3 LEFT SIDEBAR ... 20
3.4 MANAGING LISTS ... 21
4.0 CREATING VPN CONNECTIONS ... 22
4.1 OVERVIEW ... 22
4.2 CONFIGURING THE CAP AS A PPTP SERVER ... 23
4.2.1 Email Notification on the PPTP client ... 25
4.3 IPSEC VPN CONNECTIONS ... 26
4.3.1 Technical Specifications ... 26
4.3.2 Basic IPSec Settings ... 27
4.3.3 Key Management ... 28
4.3.4 Log Settings ... 29
4.3.5 Configuring an IPSec VPN ... 30
4.3.6 IPSec Advanced Configuration Parameters Definitions ... 36
4.3.6 Example IPSec VPNC Scenario ... 38
5.0 SECURITY ... 44
5.1 FIREWALL SECURITY OVERVIEW ... 45
5.1.1 Configuring the Firewall Security Level ... 47
5.2 ADDING ACCESS CONTROLS ... 47
5.3 USER-DEFINED SERVICES ... 49
5.4 LOCAL SERVERS (PORT FORWARDING) ... 51
July 21, 2005 Converged Access Point
5.5 DESIGNATING A DEMILITARIZED (DMZ) HOST ... 53
5.6 PORT TRIGGERING ... 54
5.6.1 Defining Port Triggering ... 54
5.7 REMOTE MANAGEMENT OF THE CAP ... 56
5.8 IP-HOSTNAME FILTERING ... 57
5.9 SECURITY LOG ... 60
5.10 ADVANCED FILTERING ... 63
5.10.1 Adding an Advanced Filtering Rule ... 66
5.11 APPLYING CORPORATE SECURITY ... 72
6.0 QOS TRAFFIC MANAGEMENT CAPABILITIES ... 74
6.1 CONFIGURING QOS IN THE CAP ... 74
7.0 ADVANCED ... 88
7.1 SYSTEM SETTINGS ... 89
7.1.1 Management Console Settings ... 89
7.1.2 Management Application Ports Settings ... 89
7.1.3 System Logging Settings ... 90
7.1.4 Security Logging Settings ... 90
7.1.5 Outgoing Mail Server Settings ... 90
7.2 MANAGING THE DNS SERVER ... 91
7.2.1 Viewing and Modifying the DNS Table ... 91
7.3 DYNAMIC DNS ... 93
7.3.1 Using Dynamic DNS ... 94
7.4 DHCP - MANAGING IP ADDRESS DISTRIBUTION ... 94
7.4.1 DHCP Server Summary ... 95
7.4.2 Editing DHCP Server Settings ... 97
7.4.3 DHCP Connections ... 97
7.5 NETWORK OBJECTS ... 99
7.6 ROUTING ... 101
7.6.1 Managing Routing Table Rules ... 101
7.6.2 Multicasting ... 102
7.7 MANAGING & DEFINING USERS ... 103
7.7.1 Email Notification ... 104
7.8 RADIUS ... 104
7.9 DATE & TIME ... 105
7.10 SCHEDULER RULES ... 106
7.11 POINT-TO-POINT TUNNELING PROTOCOL (PPTP) ... 109
7.11.1 Managing Remote Users ... 109
7.11.2 Email Notification ... 110
7.11.3 Advanced PPTP Server Settings ... 112
7.11.4 Advanced PPTP Client Settings ... 113
7.15 SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP) ... 116
7.15.1 Configuring the CAP's SNMP Agent ... 116
7.16 MAC CLONING ... 117
7.17 DIAGNOSTICS ... 118
7.17.1 Diagnosing Network Connectivity ... 118
7.18 REMOTE ADMINISTRATION ... 118
7.18.1 Configuring Remote Administration Services ... 119
7.20 RESTART ... 120
7.21 SAVING, RESTORING & RESETTING THE CAP CONFIGURATION ... 121
7.22 TUNNELING IP V6 INSIDE OF IP V4 ... 124
8.0 SYSTEM MONITORING ... 125
8.1 MONITORING CONNECTIONS ... 126
8.2 TRAFFIC STATISTICS ... 127
8.3 QOS TRAFFIC ... 128
8.4 SYSTEM LOG ... 129
8.5 SYSTEM UP TIME ... 130
9.0 FIRMWARE UPGRADE ... 131
9.1 UPGRADING FROM THE INTERNET ... 131
9.2 UPGRADING FROM A LOCAL COMPUTER ... 132
10.0 ANALOG VOICE GATEWAY CONFIGURATION ... 134
10.1 CONFIGURING VOIP ATA ... 135
10.1.1 The IP Telephony Tab ... 135
10.1.2 The Phone Settings tab ... 138
10.1.3 Creating and editing Speed Dial and the Address Book ... 139
10.1.4 Telephony Features ... 140
11.0 GLOSSARY ... 142
List of Acronyms
ALG - Application-Level Gateway
API - Application Programming Interface
CAP - Converged Access Point
DHCP - Dynamic Host Configuration Protocol
DMZ - Demilitarized Zone
DNS - Domain Name System
DOCSIS - Data Over Cable Service Interface Specification
DSL - Digital Subscriber Line
FTP - File Transfer Protocol
HTTP - HyperText Transport Protocol
IAD - Integrated Access Device
ICMP - Internet Control Message Protocol
IGMP - Internet Group Multicast Protocol
IP - Internet Protocol
IPSec - IP Security
LAN - Local Area Network
MAC - Media Access Control
MTU - Maximum Transmission Unit
NAPT - Network Address Port Translation
OAM - Operations and Maintenance
PDA - Personal Digital Assistant
POP3 - Post Office Protocol 3
PPP - Point-to-Point Protocol
PPTP - Point-to-Point Tunneling Protocol
RIP - Routing Information Protocol
SNMP - Simple Network Management Protocol
SPI - Stateful Packet Inspection
TCP - Transmission Control Protocol
TFTP - Trivial File Transfer Protocol
UDP - User Datagram Protocol
URL - Universal Resource Locator
USB - Universal Serial Bus
VPN - Virtual Private Network
WAN - Wide Area Network
Contacting Converged Access Inc.

Corporate Headquarters
Converged Access, Inc.
31 Dunham Road
Billerica, MA 01821-5729
http://www.convergedaccess.com

Technical Support
If you require technical assistance, contact the company through whom you acquired the CAP device and the Service Contract. To expedite assistance, have the following information available:
- Your service contract number.
- Your name, company name, and phone number.
- Product Model Number.
- Product Serial Number.
- A brief description of the problem.
Then forward your problem, together with the above information, to your Technical Support Provider.
1 1.0 Introduction to the Converged Access Point 1.1 What is the Converged Access Point?
The Converged Access Point is a customer premise platform that by operating at layer seven, enables enterprises to converge voice, video and data applications across a single wide area network while guaranteeing toll quality voice and data application performance. The CAP allows the simultaneous usage of a wide range of compelling broadband-based applications, while allowing you to secure your network and prioritize business critical applications towards and from your WAN link. The CAP delivers a set of highly integrated solutions required for the small enterprise market, including:
Integral Ethernet switching Advanced QoS Traffic management Integral VoIP gateway Network security (Stateful Packet Inspection) Virtual Private Networking (VPN) Remote management (web and SNMP based) Remote update capabilities August 3, 2005 Converged Access Point 1 1.2 Features 1.2.1 Network Interfaces The CAP can be used with a variety of wide area networking services including DSL, T1 and broadband cable. These wide area network services are connected to the CAP via 10/100 Ethernet WAN port. There are also four 10/100 Mbps, auto-sensing switched Ethernet LAN interfaces to connect local LAN traffic to the CAP. Each port supports half-or full-duplex operation, although it is recommended that for full, bi-directional QoS, you should either connect PCs and IP-phones etc. directly to the CAP, or connect them to the CAP via a Switch, which supports full-duplex operation. 1.2.3 Network Security The CAP maintains network security using an ICSA 4.0 certifiable Stateful Packet Inspection
(SPI) firewall, and a wide variety of advanced filtering options to properly secure your network entities as well as your data and VoIP traffic. 1.2.4 Virtual Private Networks The CAP has an integrated VPNC certifiable VPN hardware accelerator, ensuring a secure communications path over the Internet to access remote computers or sites. By implementing industry standard encryption, authentication and key management schemes, the CAPs VPN capability is interoperable with leading VPN technologies such as IPSec and PPTP. Converged Access CAP August 3, 2005 Converged Access Point 2 1.2.5 Simplicity The CAP has been designed to provide seamless connectivity with minimal user configuration. Auto-learning DNS enables communication between LAN computers using host names instead of IP addresses, and the DHCP client/server completely automates the network connection process. Advanced security and prioritization is easily configured via a point and click Web management interface. 1.2.6 Control & Provisioning An intuitive web-based management interface offers comprehensive control over the CAP. If allowed, the CAP can allow remote management access by service providers using the web-
based management, SNMP or telnet protocols. By default, remote administrative access via the WAN interface is completely disabled. 1.2.7 Future-Proof The CAPs simple, on-line firmware upgrade capabilities, allows you to quickly and easily upgrade the firmware to enable the latest features and functionality. Information on the latest releases and features is available on the http://www.convergedaccess.com website, to allow you to quickly determine if a new version would be applicable to your business needs. August 3, 2005 Converged Access Point 3 2 2.0 Getting Started Connecting both your LAN and WAN network devices to the CAP is a simple procedure. The setup is designed to seamlessly integrate CAP with your existing network. The Windows default network settings dictate that in most cases the setup procedure described below will be unnecessary. For example, the default DHCP setting in Windows 2000 is client, requiring no further modification. However, it is advised to follow the setup procedure described below to verify that all communication parameters are valid and that the physical cable connections are correct. August 3, 2005 Converged Access Point 4 2.1 Connecting a Computer to the CAP The basic setup procedure consists of four configuration steps:
1. 2. 3. 4. PC network configuration. Connecting a computer to the CAP (LAN connection). Connecting the CAP to the outside world (WAN/Internet connection). Definition of your traffic and bandwidth management objectives via the Web-based management interface. Converged Access CAP 2.1.1 Step 1 - PC Network Configuration The CAP is designed to run as a DHCP client, initiating the DHCP protocol with a network DHCP server in order to dynamically obtain an IP address on the CAPs WAN interface. August 3, 2005 Converged Access Point 5 Similarly, the computers operating system regards the CAP as a DHCP server, thus the computers connected to the LAN ports of the CAP can be configured as DHCP clients. The following diagrams show the steps necessary to configure your PC to be a DHCP client of the CAP, if automatic client configuration via DHCP is preferred. This configuration principle is identical in each operating system, but the steps to be performed are different on each operating system. The figure above displays the TCP/IP Properties dialog box as it appears in Windows 2000. The following are TCP/IP DHCP client configuration instructions for all supported operating systems. If you already have DHCP enabled, and want to release your current IP address and obtain a new one from the CAP, you can open a command prompt window on your PC and enter ipconfig
/release, followed by ipconfig /renew to obtain your IP address information directly from the CAP. 2.1.1.1 Windows XP 1. Access Network Connections from the Control Panel. 2. Right-click on the Ethernet connections icon, and select Properties to display the connections 3. From the General tab, select the Internet Protocol (TCP/IP) component, and press the properties. Properties button. 4. The Internet Protocol (TCP/IP) properties will be displayed.
(a) Select the Obtain an IP address automatically radio button.
(b) Select the Obtain DNS server address automatically radio button. 5. Continue to section 2.2. August 3, 2005 Converged Access Point 6 2.1.1.2 Windows 2000/98/Me 1. Access Network and Dialing Connections from the Control Panel. 2. Right-click on the Ethernet connections icon, and select Properties to display the connections properties. 3. Select the Internet Protocol (TCP/IP) component, and press the Properties button. 4. The Internet Protocol (TCP/IP) properties will be displayed.
(a) Select the Obtain an IP address automatically radio button.
(b) Select the Obtain DNS server address automatically radio button. 5. Continue to section 2.2. 2.1.1.3 Windows NT 1. Access Network from the Control Panel to display the network control panel. 2. From the Protocol tab, select the Internet Protocol (TCP/IP) component, and press the Properties button. 3. From the IP Address tab select the Obtain an IP address automatically radio button. 4. From the DNS tab, verify that no DNS server is dened in the DNS Service Search Order box and no suffix is dened in the Domain Suffix Search Order box. 5. Reboot. 6. Continue to section 2.2. 2.1.1.4 Linux 1. Login into the system as a super-user, by entering su at the prompt. 2. Type ifcong to display the network devices and allocated IPs. 3. Type pump -i dev, where dev is the network device name. 4. Type ifcong again to view the new allocated IP address. 5. Continue to section 2.2. 2.1.2 Step 2 - LAN Physical Connection Plug your computer into a LAN ethernet port on the CAP via a category 3/5 ethernet cable. At this point, your PC will have obtained an IP address automatically from the CAP. On Windows systems, you can open a command prompt on your PC, and type ipconfig to see the IP address automatically provided to your PC by the CAP. 2.1.3 Step 3 - Internet Physical Connection Connect the CAPs WAN interface to your DSL or cable modem, or to a bridge/router with an integral CSU/DSU. Consult your external devices documentation regarding specific cables necessary for connection. August 3, 2005 Converged Access Point 7 2.1.4 Step 4 - Web Based Management The CAPs web-based management interface allows you to configure and monitor various system parameters. The interface is accessed through a web browser as follows:
1. Launch a web browser on your PC 2. Enter the URL address http://192.168.1.1 to display the web-base management interface. When rst logging on to the web-based management, the Welcome Screen" will appear, enabling you to place a shortcut to this screen in your Favorites folder. Press OK to continue, the Login Setup screen will appear . 3. To configure your login settings, enter a user name and password. To verify correctness, retype the password, and press OK to login to the management console. The default user name is admin, and there is no password by default. You should enter a new password to provide system security. August 3, 2005 Converged Access Point 8 2.2 Quick Setup The Quick Setup utility is designed to help you quickly and easily set up your CAPs Internet WAN connection. 2.2.1 Router Mode or Bridge Mode Selection The first and most important configuration option on the CAP is whether to set it up in Bridge mode, or Router mode. As youll note from the following screen shots, many of the benefits of the CAP cannot be enabled if the CAP is configured to be a Bridge, such as NAT/NAPT, IP-Sec VPNs, and the DHCP server. Unless the CAP is set up behind an Internet/WAN router already, you should configure the CAP in Router mode to have access to the entire suite of benefits the CAP provides. August 3, 2005 Converged Access Point 9 2.2.2 Configuring Your Internet/WAN Connection When subscribing to a broadband service, you should be well aware of the method by which you are connecting to the Internet. Technical information regarding the properties of your Internet connection should be provided by your Internet Service Provider (ISP). For example, your ISP should inform you whether you connect to the Internet using a static or dynamic IP address, or what protocols, such as PPTP or PPPoE, you will be using to communicate over the Internet. The Quick Setup page is launched automatically when you log on to the CAP for the rst time. 
Your WAN connection can be configured using one of the following methods:
- Manual IP Address Ethernet Connection
- Automatic IP Address Ethernet Connection
- Point-to-Point Protocol over Ethernet (PPPoE)
- Point-to-Point Tunneling Protocol (PPTP)

2.2.2.1 Manual IP Address WAN Ethernet Connection
1. Select Manual IP Address Ethernet Connection from the Connection Type combo box.
2. According to your service provider's instructions, specify the following parameters:
- IP address
- Subnet mask
- Default gateway
- Primary DNS server
- Secondary DNS server
3. Specify the gateway's host name in the CAP's Hostname field. This name can be used to access the gateway's web-based management, assuming an entry for it is already defined in your company DNS server.
4. Specify the administrator's e-mail address in the Email field. System alerts and notifications are sent to this address.
5. Click the Apply button.
6. Click the OK button to leave your current location within the web management interface and return to the next level up.
7. Continue to section 3.0.

2.2.2.2 Automatic IP Address WAN Ethernet Connection
1. Select Automatic IP Address Ethernet Connection from the Connection Type combo box.
2. Specify the gateway's host name in the CAP's Hostname field. This name can be used to access the gateway's web-based management, assuming an entry for it is already defined in your company DNS server.
3. Specify the administrator's e-mail address in the Email field. System alerts and notifications are sent to this address.
4. Click the Apply button.
5. Click the OK button to leave your current location within the web management interface and return to the next level up.
6. Continue to section 3.0.

2.2.2.3 Point-to-Point Protocol over Ethernet (PPPoE)
1. Select Point-to-Point Protocol over Ethernet (PPPoE) from the Connection Type combo box.
2. Your Internet Service Provider (ISP) should provide you with the following information:
- Login user name
- Login password
3. Specify the gateway's host name in the CAP's Hostname field. This name can be used to access the gateway's web-based management, assuming an entry for it is already defined in your company DNS server.
4. Specify the administrator's e-mail address in the Email field. System alerts and notifications are sent to this address.
5. Click the Apply button.
6. Click the OK button to leave your current location within the web management interface and return to the next level up.
7. Continue to section 3.0.

2.2.2.4 Configuring the CAP as a PPTP Client
1. Select Point-to-Point Tunneling Protocol (PPTP) from the Connection Type combo box.
2. Your Internet Service Provider (ISP) should provide you with the following information:
- Login user name
- Login password
3. Specify the gateway's host name in the CAP's Hostname field. This name can be used to access the gateway's web-based management, assuming an entry for it is already defined in your company DNS server.
4. Specify the administrator's e-mail address in the Email field. System alerts and notifications are sent to this address.
5. Click the Apply button.
6. Click the OK button to leave your current location within the web management interface and return to the next level up.
7. Continue to section 3.0.

2.3 Configuring your LAN Ethernet Interface
Your LAN Ethernet interfaces ship pre-configured with an IP address of 192.168.1.1 and pre-configured to provide DHCP service to clients requesting addresses through the LAN interfaces. The default IP pool is 192.168.1.1 through 192.168.1.244. You can change this LAN information, along with a number of other LAN features, in the Network Connections section of the web interface.

2.3.1 Accessing the LAN Bridge to Configure Your LAN Connection
Click on Network Connections to open the network connection list.
NOTE: The WAN Ethernet shown is your Internet/WAN link. You can click on WAN Ethernet, then Settings, to review its full configuration. The LAN Bridge shown above is a reference point to an internal LAN bridge within the CAP. If you have enabled Routing on your Internet/WAN interface, configuring the LAN Bridge does not disable your routing features in any way. The LAN Bridge is simply the place where you currently configure your LAN interface options, and it will be the logical connection point between the wired LAN ports and the wireless LAN ports when 802.11b/g wireless becomes available in the CAP.
Click on LAN Bridge to open the pre-configured Ethernet interface. If you prefer, you can change the Name of the LAN Bridge to a name of your choice, such as Ethernet, but bear in mind that it refers to an internal device at this point in the product. Then click on Settings to open the full LAN Bridge (Ethernet LAN) configuration window.
This screen shows the configuration options available to customize your Ethernet LAN configuration to your needs. Click Apply to activate and save your changes, and click OK to exit this area of the web configuration.
You can enable dynamic routing updates on the Ethernet interface and/or add static routes by clicking the down-arrow in the Routing section (which defaults to Basic) and changing it to Advanced. This allows you to enable RIP, set the metric the CAP advertises for its route(s), and establish static routes. Because RIP accepts route advertisements from its neighbors, enable it only on interfaces where every neighbor is trusted; a host that can send RIP updates to the CAP can alter its routing table. Clicking New Route opens a window in which you enter new static routes on the CAP.
NOTE: Static routes can also be entered in the Advanced section of the management interface. This is covered again in the Advanced section of the manual.
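The LAN Bridge settings page takes a gateway address, a subnet mask and a DHCP pool, and nothing on the page checks that the three agree. The script below is an added example, not code from the Converged Access Point manual: it runs that consistency check over the address plans the manual quotes (the 192.168.1.x factory default from section 2.3 and the 10.5.6.x plan from the VPNC example in section 4.3.6), reporting a pool that leaves the subnet, includes the gateway's own address, or touches the network or broadcast address. The 255.255.255.0 mask for the factory default is an assumption; the manual states only the address and pool there.

```python
"""Checks on a CAP-style LAN address plan (gateway address plus DHCP pool).

Added example, not code from the Converged Access Point manual.  It takes
the values an administrator enters on the LAN Bridge settings page
(IP Address, Subnet Mask, DHCP Start/End IP Address) and reports
inconsistencies.  The sample plans are the values quoted in sections 2.3
and 4.3.6; the /24 mask for the 192.168.1.x factory default is an
assumption, since the manual gives only the address and pool there.
"""
import ipaddress
from typing import Dict, List, Tuple

Plan = Tuple[str, str, str, str]  # (gateway, netmask, pool_start, pool_end)


def validate_lan(gateway: str, netmask: str, pool_start: str, pool_end: str) -> List[str]:
    """Return findings for one LAN plan; an empty list means it is consistent."""
    gw = ipaddress.IPv4Address(gateway)
    net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    findings: List[str] = []

    if gw in (net.network_address, net.broadcast_address):
        findings.append(f"gateway {gw} is the network or broadcast address of {net}")
    if start > end:
        findings.append(f"DHCP pool start {start} is after pool end {end}")
        return findings  # the range checks below assume start <= end
    if start not in net or end not in net:
        findings.append(f"DHCP pool {start}-{end} is not fully inside {net}")
    if start <= gw <= end:
        findings.append(f"gateway {gw} lies inside DHCP pool {start}-{end}; "
                        "a client could be offered the gateway's own address")
    if start == net.network_address or end == net.broadcast_address:
        findings.append(f"DHCP pool {start}-{end} includes the network or broadcast address")
    return findings


# Constructed sample plans.  The first two are the manual's own values.
SAMPLE_PLANS: Dict[str, Plan] = {
    # Factory default from section 2.3 (mask assumed to be 255.255.255.0).
    "factory-default": ("192.168.1.1", "255.255.255.0", "192.168.1.1", "192.168.1.244"),
    # Gateway A LAN settings from the VPNC example in section 4.3.6.
    "vpnc-gateway-a": ("10.5.6.1", "255.255.255.0", "10.5.6.1", "10.5.6.254"),
    # Same subnet with the pool moved off the gateway address.
    "vpnc-gateway-a-fixed": ("10.5.6.1", "255.255.255.0", "10.5.6.10", "10.5.6.254"),
    # A pool entered on the wrong subnet.
    "wrong-subnet": ("10.5.6.1", "255.255.255.0", "10.5.7.10", "10.5.7.50"),
}


def audit(plans: Dict[str, Plan] = SAMPLE_PLANS) -> Dict[str, List[str]]:
    """Run validate_lan over every plan and return the findings per plan name."""
    return {name: validate_lan(*plan) for name, plan in plans.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Both of the manual's own plans are flagged because the pool starts at the gateway's address. The device may well exclude its own address when handing out leases, but the check makes the overlap visible rather than relying on that, and it is the first thing to look at when a LAN client reports a duplicate-address conflict with the gateway.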
3.0 Navigating the Web-based Management Interface
The CAP does not require any further basic configuration in order to start working as an Internet/WAN firewall and 4-port Ethernet bridge. After the setup described in section 2 has been completed, you can immediately start using your Converged Access Point to:
- Share a broadband Internet/WAN connection among multiple LAN devices (and the WAN, if enabled) for applications such as HTTP, FTP, Telnet, NetMeeting, etc. Under the default firewall security level (Typical Security), outbound connections can be established and the stateful inspection firewall will subsequently allow the inbound traffic associated with those sessions, but sessions initiated from the WAN are rejected.
- Build a complete business network by connecting additional PCs and/or switches/hubs to the CAP.
- Share resources (files, printers, etc.) between computers in the business network using their names. Auto-learning DNS enables the CAP to automatically detect the network identification names of the LAN PCs, enabling communication by name rather than by IP address.
- Control network parameters, including DHCP, DNS and WAN settings.
- View network status, traffic statistics, system logs, etc.
At this point, the system administrator can begin to implement the advanced features of the CAP to:
- Allow access from the Internet to services on your CAP's LAN network (i.e. web server, IP-PBX, FTP server, etc.).
- Block network access to specific Internet web sites or to all WAN services.
- Fully configure and control all bandwidth management and QoS prioritization functionality.
- Increase or decrease the security level on the system for traffic and management.

3.1 Accessing the Web-based Management
To access the management console:
1. Launch a web browser on a PC in the LAN.
2. Type the gateway's IP address or name as provided with your gateway in the address bar (Internet Explorer) or location bar (Netscape Navigator). The default IP address is 192.168.1.1, and the default name is CAP.
3. Enter your user name and password to log on to the web-based management. The default user name is admin, and there is no password by default. Note: for security reasons, you should change these settings after the initial login. See section 5 for details.
4. The web interface is configured to time out after 900 seconds to protect the CAP from unauthorized access. You can change this under System Settings (see section 7 for details).

3.2 The CAP's Network Map
When you log into the management console you will see the Home Network Map. The network map depicts the various network elements associated with the CAP, including:
- Local network computers that have learned their addresses from the CAP via DHCP
- Firewall
- Converged Access Point
- External Internet/WAN network interface
- Internal network interface (Ethernet)
Since the CAP is equipped with multiple LAN interfaces, the local network is shown sub-divided into sub-networks (subnets), and you can see which computers are part of each sub-network. You can click on each computer shown to see its IP configuration and test access to that station.

3.3 Left Sidebar
The web-based management screens are grouped into several subject areas, accessed by clicking the appropriate icon in the left sidebar. The subject areas are:
- Home: Display the CAP's network map.
- Quick Setup: Quickly configure your Internet/WAN connection (see section 2 for details).
- Network Connections: More detailed configuration of the network interfaces, and also the location to create and configure VPNs (see section 4 for details).
- Security: Configure the Firewall and regulate communications between the Internet and the enterprise network (see section 5 for details).
- Quality of Service: Bandwidth management and traffic prioritization configuration (see section 6 for details).
- Voice Over IP: Analog voice gateway configuration, phone and address book settings (see section 10 for details).
- Advanced: System upgrade, static routes, SNMP, system settings, Dynamic DNS, RADIUS, Date/Time, Users, etc. (see section 7 for details).
- System Monitoring: View network status, traffic statistics and the system log (see section 8 for details).
- Logout: Log out from the CAP.

3.4 Managing Lists
Lists are structures used throughout the web-based management. Lists hold user-defined entries relating to elements such as network connections, local servers, restrictions and configurable parameters. The principles outlined in this section apply to all list structures in the web-based management. The figure illustrates a typical list structure: each row defines an entry in the list. The following buttons in the Action column enable adding, editing and deleting list entries:
- Use the Add button to add an item to the list.
- Use the Edit button to edit an item in the list.
- Use the Delete button to delete an item from the list.

4.0 Creating VPN Connections
When you initially configured your CAP's Internet/WAN connection under the Quick Setup, depending on your link, you may have configured the CAP as a PPTP VPN client. This section details how to configure the CAP for additional VPN terminations beyond the PPTP client setup.

4.1 Overview
The New Connection button is where you start to create a new virtual connection such as an IPSec or L2TP VPN, or to establish the CAP as a PPTP server for remote clients. The management interface guides you through a series of selection choices, collecting all the necessary information for the new connection, and checks the status of the connection once you complete it. In some cases, you will be required to specify networking parameters that must be provided by your Internet Service Provider (ISP). To create a new connection, click the Network Connections icon on the sidebar. The Network Connections screen will appear, listing all current connections. To create a new connection, click either the New Connection text or the Edit icon at the end of its row.
NOTE: As you click through the configuration screens, you will find the following buttons at the bottom of many of them: Back, Next and Cancel. Use the Back button to go back and change selections and parameters, or the Next button to confirm your selection choices and advance. The Cancel button exits the setup and returns you to the Network Connections screen.

4.2 Configuring the CAP as a PPTP Server
Point-to-Point Tunneling Protocol (PPTP) is an extension of the Internet's Point-to-Point Protocol (PPP) that allows two systems to establish a Virtual Private Network (VPN) over the Internet by creating a virtual serial link. PPP encapsulates data from the network layer (e.g. IP, IPX) into HDLC frames; these are in turn encapsulated in GRE and sent over the public network. The protection a PPTP tunnel offers therefore rests on the PPP authentication method and the MPPE encryption negotiated with the client, both of which have well-documented weaknesses; where the peer supports it, IPSec (section 4.3) is the stronger choice. The CAP can terminate up to 25 VPN tunnels in total, including IPSec, L2TP and/or PPTP tunnels. To enable and configure the CAP as a PPTP server in order to terminate PPTP clients on the CAP, perform the following steps:
1. Click on Advanced, then click on PPTP.
2. In this configuration window you can configure the CAP as both a PPTP client and a PPTP server. You may already have configured the CAP as a client under Quick Setup, but if you need to terminate PPTP clients on the CAP, this is where you activate the PPTP server and define your client list. As stated previously, the CAP can terminate up to 25 simultaneous VPN tunnels. Check the Server Enabled box, then click on Users to configure the list of PPTP clients that may connect to the CAP.
3. Configure your PPTP User List by clicking on New User.
4. Enter the new user's information and press OK to save it. Repeat the process for each PPTP client of the CAP.
5. After configuring your PPTP clients, note that changing any of a user's parameters terminates the connection associated with that user. You must manually re-activate the connection to re-establish the tunnel.

4.2.1 Email Notification on the PPTP client
You can use e-mail notification to receive indications of system events of a pre-defined severity classification. The available types of events are System and Security events. The available severities are Error, Warning and Information. If the Information level is selected, the user receives notification of Information, Warning and Error events; if the Warning level is selected, the user receives notification of Warning and Error events, and so on. To configure e-mail notification for a specific user:
- First make sure you have configured an outgoing mail server in System Settings. Clicking the Configure Mail Server link displays the System Settings page, where you can configure the outgoing mail server.
- Enter the user's e-mail address in the Address field of the Email section.
- Select the System and Security notification levels in the System Notify Level and Security Notify Level combo boxes respectively.

4.3 IPSec VPN Connections
IPSec is a series of guidelines for the protection of Internet Protocol (IP) communications. It specifies procedures for securing private information transmitted over public networks. The IPSec protocols include:
- AH (Authentication Header) provides packet-level authentication.
- ESP (Encapsulating Security Payload) provides encryption and authentication.
- IKE (Internet Key Exchange) negotiates connection parameters, including keys, for the other two services.
IPSec also specifies methodologies for key management. Internet Key Exchange (IKE), the IPSec key management protocol, defines a series of steps to establish keys for encrypting and decrypting information; it defines a common language on which communication between two parties is based. Developed by the Internet Engineering Task Force (IETF), IPSec and IKE together standardize the way data protection is performed, making it possible for security systems developed by different vendors to inter-operate.

4.3.1 Technical Specifications
- Security architecture for the Internet Protocol
- Connection type: Tunnel, Transport
- Key management: Manual, Automatic, Internet Key Exchange
- Gateway authentication: X.509, RSA signatures, pre-shared secret key, ISAKMP (main and aggressive modes)
- IP protocols: ESP, AH
- Encryption: AES, 3DES, DES, HW encryption integration
- Authentication: MD5, SHA-1
- IP payload compression
- Interoperability: Windows 2000, FreeS/WAN, OpenBSD, FreeBSD, Cisco Routers, Nortel, Windows NT, Checkpoint Firewall-1, F-Secure VPN for Windows, Xedia Access Point/QVPN, PGP 6.5 Mac and Windows IPSec Client, PGPnet, IRE Safenet/Intel LANrover, Sun Solaris, NetScreen
Two points on these options: aggressive mode with a pre-shared key sends the identity and a PSK-derived hash before the channel is protected, which allows offline dictionary attacks on the key, so use main mode (as the example in section 4.3.6 does) unless the peer cannot; and DES and MD5 are offered for interoperability with older peers only, so prefer AES or 3DES with SHA-1 wherever the peer allows it.
NOTE: The CAP supports the creation of up to a total of 25 VPN tunnels, including IPSec, PPTP and L2TP tunnels.
The CAP's IPSec configuration supports two IPSec modes: Network-to-Network and Network-to-Host. With Network-to-Network, all traffic to and from a remote NETWORK is tunneled within IPSec between the CAP and a remote IPSec-capable device, such as a VPN router. With Network-to-Host, all traffic to and from a remote HOST is tunneled within IPSec between the CAP and an IPSec-capable host, such as a Windows 2000 VPN client.

4.3.2 Basic IPSec Settings
1. Press the Advanced icon, then the IPSec icon.
2. Select the Enabled checkbox to block unauthorized IPSec connection attempts to the CAP. To define what an unauthorized IPSec connection means and how long to block it, specify the following:
- Maximum number of authentication failures
- Block period (in seconds)

4.3.3 Key Management
1. Press the Settings button to view the CAP's public key. If necessary, you can copy the public key from this screen.
2. Press the Recreate Key button to recreate the public key, or the Refresh button to refresh the key displayed in this screen. Recreating the key invalidates any RSA-signature connection whose peer still holds the previous key, so redistribute the new key to those peers.

4.3.4 Log Settings
The IPSec log can be used to identify and analyze the history of IPSec package commands, attempts to create connections, etc. IPSec activity is displayed together with that of other CAP modules in this view.
1. Press the Log Settings button.
2. Select the check-boxes for the information you would like the IPSec log to record.

4.3.5 Configuring an IPSec VPN
4.3.5.1 Network-to-Network IPSec VPN Configuration
With Network-to-Network, all traffic to and from a remote NETWORK is tunneled within IPSec between the CAP and a remote IPSec-capable device, such as a VPN router. To configure a Network-to-Network IPSec VPN, perform the following steps:
1. Under Advanced, IPSec, click on New Connection.
2. Make sure the radio button for Network-to-Network is selected, then press Next.
3. Specify whether Any Remote Gateway is allowed to use this IPSec connection, or whether a single Remote Gateway Address must be defined. Also, define whether the source addresses allowed through this VPN may come from Any Remote Subnet or from a single Remote Subnet. Where the peer's address and subnet are fixed, specify them: with Any Remote Gateway, any host that can authenticate may establish the tunnel. Make your selection and click Next. The steps below assume you are defining the IP address of the IPSec tunnel endpoint as well as the subnet allowed through the connection.
4. Enter the IP address of your IPSec VPN gateway at the far end of this connection, and define the subnet allowed through the link.
5. Click Finish to save your IPSec Network-to-Network VPN connection.
You can find your new IPSec connection under the IPSec Connections display. Click on the Connection Name (i.e. Site B above) to see a summary of the VPN. Then click on Settings to enable further options on the IPSec VPN connection.

4.3.6 IPSec Advanced Configuration Parameter Definitions
As you can see, there is an extensive variety of options you can configure on IPSec VPN connections. The following information summarizes what those options mean for your IPSec VPN connection. Enable those options that your connection requires, and press Apply to activate them.
MTU Mode:
Maximum Transmission Unit (MTU) is the largest packet size, measured in bytes, that will be transmitted through the IPSec connection. Packets larger than the MTU are fragmented into smaller packets before being sent. You can set the MTU size manually or select an automatic MTU mode.
Host Name or IP Address of Remote Tunnel Endpoint:
The IP address (or resolvable host name) of your IPSec peer.
Transport Type:
Transport type can be Tunnel or Transport. Transport mode needs no explicit configuration. Tunnel mode requires that you configure the following parameters:
- Local Subnet
- Local Subnet Mask
- Remote Subnet
- Remote Subnet Mask
Compress (Support IPCOMP protocol):
Select this check-box to use the IPComp protocol.
Key Exchange Method:
The key exchange method can be Manual or Automatic. The following parameters are required to configure an Automatic key exchange:
Negotiation attempts:
Select the number of negotiation attempts to be performed in Phase 1 of the automatic key exchange method.
Life Time in Seconds:
The length of time before a security association automatically performs a re-negotiation. A short life time increases security by forcing the VPN hosts to update the encryption and authentication keys more often. However, every time the VPN tunnel renegotiates, users accessing remote resources are disconnected. Therefore the default life time is recommended.
Rekey Margin:
Specifies how long before connection expiry attempts to negotiate a replacement should begin. Like the key life time, it is given as an integer number of seconds.
Rekey Fuzz Percent:
Specifies the maximum percentage by which the Rekey Margin should be randomly increased, to randomize rekeying intervals.
Phase 1 Peer Authentication:
Select the method by which the CAP will authenticate your IPSec peer:
- Shared secret
- RSA Signature
- Certificate
Phase 1 Encryption Algorithm:
Select the encryption algorithms that the CAP will attempt to use when negotiating with the IPSec peer.
Hash Algorithm:
Select the hash algorithms that the CAP will attempt to use when negotiating with the IPSec peer.
Use Perfect Forward Secrecy (PFS):
Select whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, compromise of the key-exchange protocol does not compromise keys negotiated earlier).
ESP:
Select the encryption and authentication algorithms the CAP will use during Phase 2 of the automatic key exchange method. You can choose 3DES-CBC, DES-CBC or NULL encryption algorithms, and MD5 or SHA1 authentication algorithms. NULL encryption authenticates the traffic but leaves it readable; single DES and MD5 are for interoperability with older peers only.
AH:
Select the hash algorithms the CAP will use during Phase 2 of the automatic key exchange method. You can choose MD5 or SHA1 authentication header algorithms.
The following parameters are required to configure a Manual key exchange. Manual keys never change until you change them, so use automatic (IKE) keying wherever the peer supports it.
Security Parameter Index (SPI):
A 32-bit value which, together with the IP address and security protocol, uniquely identifies a particular security association. This value must be the same for both the Local and Remote tunnel endpoints.
IPSec Protocol:
Select the encryption and authentication algorithms and enter their keys. All key values should be entered in HEX format.
Routing:
Define the connection's routing rules.
DNS Server:
Select whether the connection should obtain a DNS server address automatically. If not, configure the DNS server's IP address.
Internet Connection Firewall:
Select this check-box to include the IPSec connection as a network interface monitored by the gateway's Firewall. If it is not selected, traffic arriving through the tunnel is not subject to the Firewall rules.

4.3.6 Example IPSec VPNC Scenario
This section provides an example describing how the VPN Consortium scenario is implemented on a CAP to configure an IPSec gateway-to-gateway connection with pre-shared secrets.

4.3.6.1 IPSec Example Diagram
An IPSec tunnel is established between Gateways A and B, serving as a transparent and secure network for clients from subnets A and B. Because the configuration of the gateways is the same except for their IP addresses, this section describes only the configuration of Gateway A. The configuration of Gateway B is identical, with A and B replaced by B and A respectively.

4.3.6.2 LAN Interface Settings
1. Click the Network Connections icon on the sidebar; the Network Connections screen will appear.
2. Click the LAN Bridge link to access the LAN Bridge's Ethernet properties.
3. Click the Settings button; the LAN settings page will appear. Configure the following parameters:
Internet Protocol: Select Use the Following IP Address
IP Address: Specify 10.5.6.1
Subnet Mask: Specify 255.255.255.0
IP Address Distribution: Select DHCP Server
Start IP Address: Specify 10.5.6.1
End IP Address: Specify 10.5.6.254
Subnet Mask: Specify 255.255.255.0
4. Press the Apply and OK buttons.

4.3.6.2 WAN Interface Settings
1. Click the Network Connections icon on the sidebar; the Network Connections screen will appear.
2. Click the WAN Ethernet link to access the WAN Ethernet properties.
3. Click the Settings button; the WAN settings page will appear. Configure the following parameters:
Internet Protocol: Select Use the Following IP Address
IP Address: Specify 14.15.16.17
Subnet Mask: Specify the appropriate subnet mask.
Default Gateway: Specify the appropriate default gateway in order to enable IP routing.
4. Press the Apply and OK buttons.

4.3.6.3 Example: Gateway-to-Gateway with Pre-shared Secrets
The following is a typical gateway-to-gateway VPN that uses a pre-shared secret for authentication. Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17. Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. The diagrams are not provided in this example.
The IKE Phase 1 parameters used are:
- Main mode
- 3DES (Triple DES)
- SHA-1
- MODP group 2 (1024 bits)
- Pre-shared secret of hr5xb84l6aa9r6
- SA lifetime of 28800 seconds (eight hours) with no Kbytes re-keying
The IKE Phase 2 parameters used are:
- 3DES (Triple DES)
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for re-keying
- SA lifetime of 3600 seconds (one hour) with no Kbytes re-keying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets
The shared secret above is the published VPNC test value; in production use a long, randomly generated secret of your own.
To set up Gateway A for this scenario, use the following steps:
1. Click the Network Connections icon on the sidebar; the Network Connections screen will appear.
2. Click the New Connection link.
3. Select Internet Protocol Security (IPSec).
4. Press the Next button. The IPSec Topology screen will appear.
5. Select Network-to-Network to create a secure connection between your LAN and a remote network.
6. Press the Next button. The Remote Address Type screen will appear.
7. Select Remote Gateway Address to allow an IPSec connection from a specific address.
8. Select Remote Subnet to allow an IPSec connection from a specific remote subnet.
9. Press the Next button. The Connection Parameters screen will appear.
10. Specify the following parameters:
Remote Tunnel Endpoint Address: Specify 22.23.24.25
Remote Subnet IP Address: Specify 172.23.9.0
Remote Subnet Mask: Specify 255.255.255.0
Shared Secret: Specify hr5xb84l6aa9r6
11. Press the Next button. The Connection Summary screen will appear.
12. Press the Finish button. The Network Connections screen will now list the newly created IPSec connection.
13. Press the Edit action button. The Connection Properties screen will appear.
14. Press the Settings button. The IPSec Configuration screen will appear.
15. De-select the Compress checkbox.
16. De-select the Allow Peers to Use MD5 checkbox (located under Hash Algorithm).
17. De-select the DH Group 5 (1536 bit) checkbox (located under Group Description Attribute).
18. De-select the Allow AH Protocol (No Encryption) checkbox (located under Encryption Algorithm).
19. Press the OK button. The Connection Properties screen will appear.
20. Press the OK button. The Network Connections screen will appear. Note that the IPSec connection's status has changed to Connected.
21. Press the Enterprise button on the sidebar to view the Network Map's depiction of the IPSec connection.
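Steps 15 to 18 narrow what the CAP will agree to, and the effect is easiest to see by treating the CAP as an IKE responder and replaying a few initiator offers against it. The script below is an added example, not code from the Converged Access Point manual or from the VPN Consortium. It models the connection's acceptable options twice, as the wizard leaves them (Compress, MD5, DH group 5 and AH all allowed, which is inferred from the checkboxes the manual tells you to clear rather than read from the device) and as steps 15 to 18 leave them, then checks constructed offers against both. It also checks that the two tunnel selectors (10.5.6.0/24 and 172.23.9.0/24) do not overlap, which a network-to-network tunnel requires. The field names and the "first acceptable proposal wins" rule are simplifications of IKEv1's SA payload transforms, and the 2005 VPNC profile reproduced here (3DES, SHA-1, 1024-bit MODP group 2) is below current minimums; the point of the model is the narrowing, not the algorithms.

```python
"""Proposal-acceptance model for the IPSec policy built in section 4.3.6.

Added example, not code from the Converged Access Point manual or from the
VPN Consortium.  The CAP is modelled as an IKE responder holding a set of
acceptable options, first as the connection wizard creates it and then as
steps 15-18 leave it.  The as-created option sets are inferred from the
checkboxes the manual says to clear; the field names and the "first
acceptable proposal wins" rule are simplifications of IKEv1.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    protocol: str              # "esp" or "ah"
    encryption: Optional[str]  # e.g. "3des-cbc"; None for AH (no encryption)
    hash: str                  # "sha1" or "md5"
    dh_group: Optional[int]    # 2 or 5 on the CAP; None if PFS is not requested
    compress: bool = False     # IPComp requested


@dataclass(frozen=True)
class Policy:
    protocols: FrozenSet[str]
    encryption: FrozenSet[str]
    hashes: FrozenSet[str]
    dh_groups: FrozenSet[int]
    allow_compress: bool

    def accepts(self, p: Proposal) -> bool:
        """True if every attribute of the proposal is permitted by this policy."""
        if p.protocol not in self.protocols:
            return False
        if p.protocol == "ah":
            enc_ok = p.encryption is None  # AH never encrypts
        else:
            enc_ok = p.encryption in self.encryption
        dh_ok = p.dh_group is None or p.dh_group in self.dh_groups
        return (enc_ok and p.hash in self.hashes and dh_ok
                and (self.allow_compress or not p.compress))


# Policy as the wizard creates it, before steps 15-18 (inferred, see docstring).
AS_CREATED = Policy(
    protocols=frozenset({"esp", "ah"}),
    encryption=frozenset({"3des-cbc"}),
    hashes=frozenset({"sha1", "md5"}),
    dh_groups=frozenset({2, 5}),
    allow_compress=True,
)

# Policy after steps 15-18: no Compress, no MD5, no DH group 5, no AH.
HARDENED = Policy(
    protocols=frozenset({"esp"}),
    encryption=frozenset({"3des-cbc"}),
    hashes=frozenset({"sha1"}),
    dh_groups=frozenset({2}),
    allow_compress=False,
)


def negotiate(policy: Policy, offered: Sequence[Proposal]) -> Optional[Proposal]:
    """Responder-side selection: the first offered proposal the policy accepts."""
    for p in offered:
        if policy.accepts(p):
            return p
    return None


def selectors_ok(local_subnet: str, remote_subnet: str) -> bool:
    """Tunnel-mode selectors must be disjoint, or the CAP cannot tell which
    side of the tunnel a packet belongs to."""
    local = ipaddress.ip_network(local_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    return not local.overlaps(remote)


# Constructed initiator offers.
VPNC_OFFER = [Proposal("esp", "3des-cbc", "sha1", 2)]      # the section 4.3.6 profile
MD5_ONLY_OFFER = [Proposal("esp", "3des-cbc", "md5", 2)]  # peer that only speaks MD5
AH_ONLY_OFFER = [Proposal("ah", None, "sha1", 2)]         # authenticated, unencrypted
MIXED_OFFER = MD5_ONLY_OFFER + VPNC_OFFER                 # MD5 listed first

if __name__ == "__main__":
    for name, offer in [("VPNC", VPNC_OFFER), ("MD5 only", MD5_ONLY_OFFER),
                        ("AH only", AH_ONLY_OFFER), ("mixed", MIXED_OFFER)]:
        print(f"{name:9s} as-created -> {negotiate(AS_CREATED, offer)}")
        print(f"{name:9s} hardened   -> {negotiate(HARDENED, offer)}")
    print("selectors disjoint:", selectors_ok("10.5.6.0/24", "172.23.9.0/24"))
```

The mixed offer is the instructive case: against the as-created policy the responder settles on the first proposal, MD5, even though the peer could also have done SHA-1; after step 16 the MD5 proposal is skipped and the SHA-1 one is chosen. Clearing the AH checkbox likewise means a peer that only offers authentication without encryption does not get a tunnel at all rather than a tunnel that carries the LAN traffic in clear text.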
August 3, 2005 Converged Access Point 43 5 5.0 Security The CAPs security suite includes comprehensive and robust security services: Stateful Packet Inspection Firewall, user authentication protocols and password protection mechanisms. These features together allow users to connect their computers to the Internet and simultaneously be protected from the security threats of the Internet. The Firewall, the cornerstone of your CAPs security suite, has been exclusively tailored to the needs of the enterprise user and has been pre-congured to provide optimum security. In addition, the Firewall has many advanced features that allow you to further customize it to your needs. Using the management screens in the Security section you can:
- Choose the Security Level for the Firewall.
- Configure Access Control lists to further restrict access from the enterprise network to the Internet.
- Use the Local Servers screen to enable access from the Internet to specified services provided by computers in the enterprise network and to special Internet applications.
- Use the DMZ Host screen to configure a LAN host to receive all traffic arriving at your gateway that does not belong to a known session.
- Use the Port Triggering screen to define port triggering entries, which dynamically open the Firewall for some protocols or ports.
- Use the Remote Administration screen to enable remote configuration of the CAP from any Internet-accessible computer.
- Use IP/Hostname Filtering to block LAN access to a certain host or web site on the Internet.
- Use Advanced Filtering to explicitly control the Firewall settings and rules (see section 5.10).
- View and configure the Firewall Log.

5.1 Firewall Security Overview

Use the Security Settings screen to configure the CAP's basic security settings. The Firewall regulates the flow of data between the enterprise network and the Internet. Both incoming and outgoing data are inspected and then accepted (allowed to pass through the CAP) or rejected (barred from passing through the CAP) according to a flexible and configurable set of rules. These rules are designed to prevent unwanted intrusions from the outside while allowing enterprise users access to the Internet services that they require.

The Firewall rules specify what types of services available on the Internet may be accessed from the enterprise network and what types of services available in the enterprise network may be accessed from the Internet. Each request for a service that the Firewall receives, whether originating on the Internet or from a computer in the enterprise network, must be checked against the set of Firewall rules to determine whether the request should be allowed to pass through the Firewall. If the request is permitted to pass, then all subsequent data associated with this request (a session) will also be allowed to pass, regardless of its direction.

For example, when you point your Web browser to a Web page on the Internet, a request is sent out to the Internet for this page. When the request reaches the CAP, the Firewall will identify the request type and origin: HTTP and a specific PC in your enterprise network, in this case. Unless you have configured access control to block requests of this type from this computer, the Firewall will allow this request to pass out onto the Internet. When the Web page is returned from the Web server, the Firewall will associate it with this session and allow it to pass, regardless of whether HTTP access from the Internet to the enterprise network is blocked or permitted. The important thing to note here is that it is the origin of the request, not subsequent responses to this request, that determines whether a session can be established.

You may choose from among three pre-defined security levels for the CAP: Minimum, Typical, and Maximum (the default setting). The table below summarizes the behavior of the CAP for each of the three security levels.

Requests originating in the WAN:
  Maximum (Default): Blocked. No access to the enterprise network from the Internet, except as configured in the Local Servers, DMZ Host and Remote Access screens.
  Typical: Blocked. No access to the enterprise network from the Internet, except as configured in the Local Servers, DMZ Host and Remote Access screens.
  Minimum: Unrestricted. Permits full access from the Internet to the enterprise network; all connection attempts permitted.

Requests originating in the LAN:
  Maximum (Default): Limited. Only commonly-used services, such as Web browsing and e-mail, are permitted. These services include Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP.
  Typical: Unrestricted. All services are permitted, except as configured in the Access Control screen.
  Minimum: Unrestricted. All services are permitted, except as configured in the Access Control screen.

Attention: Some applications (such as some Internet messengers and Peer-To-Peer client applications) tend to use these ports if they cannot connect with their own default ports. When applying this behavior, those applications will not be blocked outbound, even at Maximum

5.1.1 Configuring the Firewall Security Level

To configure the CAP's security settings:
1. Choose from among the three pre-defined security levels described in the table above. Typical Security is the default setting.
2. Check the Block IP Fragments box in order to protect your enterprise network from a common type of hacker attack that could make use of fragmented data packets to sabotage your enterprise network. Note that VPN over IPSec and some UDP-based services make legitimate use of IP fragments. You will need to allow IP fragments to pass into the enterprise network in order to make use of these select services.
3. Click the Apply button to save your changes.

5.2 Adding Access Controls

You may want to block specific computers within the local enterprise network (or even the whole network) from accessing certain services on the Internet. For example, you may want to prohibit one computer from surfing the Web, another computer from transferring files using FTP, and the whole network from receiving incoming e-mail. Access Controls work by placing restrictions on the types of requests that may pass from the enterprise network out to the Internet, and thus may block traffic flowing in both directions. In the e-mail example given above, you may prevent computers in the enterprise network from receiving incoming e-mail by blocking their outgoing requests to POP3 servers on the Internet. Click the Access Control button to view a list of services that have been restricted.

To add a new service or services to the Access Control table:
1. Click the New Entry button. The Add Access Control Rule screen will appear.
2. Select the service or services that you would like to block.
3. Select the group of computers to which you would like to apply the access control rule. You can either select from a pre-defined list of groups by selecting one from the Applied To combo box, or create a new group by pressing the New link. To learn how to create groups to which you can apply rules, see section 7.5 on Network Objects.
4. Define the time period during which the access control rule will take effect. You can either select from a pre-defined list of schedules by selecting one from the Schedule combo box, or create a new schedule by pressing the New link. To learn how to create a new time schedule, see section 7.10.
5. Click the OK button to save your changes and return to the Access Control screen.

You can edit/change the computer(s) prohibited from accessing a particular service by modifying the appropriate entry in the Access Control table.

To modify an entry in the Access Control table:

1. Click the Edit button for the service. The Edit Service screen will appear.
2. Select the network group to which you would like to apply the rule, and the schedule during which the rule will take effect.
3. Click the OK button to save your changes and return to the Access Control screen.

You can disable an access control and make the service available without having to remove the service from the Access Control table. This may be useful if you wish to make the service available only temporarily and expect that you will want to reinstate the restriction in the future.

To temporarily disable an access control: Clear the check box next to the service name.

To reinstate the restriction at a later time: Select the check box next to the service name.

To remove an access restriction from the Access Control table: Click the Remove button for the service. The service will be removed from the Access Control table.

Note: When Web Filtering is enabled, HTTP services cannot be blocked by Access Control.

5.3 User-Defined Services

The tables that appear on the Add Access Control Rule and Add Local Servers screens are pre-configured to include most of the services that users may wish to block or activate. Sometimes, however, the need arises to add a non-predefined service. The CAP provides the User-Defined Services list for this purpose. This list appears at the top of the Add Access Control Rule and Add Local Servers screens. When a service is added to one list it automatically appears in the others. In this way, user-defined services never need to be entered twice.

To add a new service to the list:
1. Click the New User-Defined Service link. The Edit Service screen will appear.
2. Enter a name for the service.
3. Enter a description for the service.
4. Click the New Server Ports link. The Edit Service Server Ports screen will appear.
5. Choose a port type and enter a port range for this service to use, as appropriate. Usually this information is available as part of the documentation that accompanies the program.
6. Click the OK button to save your changes and return to the previous screen.

To modify a user-defined service already in the list:

1. Click the Edit button for the service. The Edit Service screen will appear.
2. Modify the service name or port information as necessary.
3. Click the OK button to save your changes and return to the previous screen.

To remove a service from the list:

1. Click the Remove button for the service. The service will be removed from the list.

5.4 Local Servers (Port Forwarding)

In its default state, the CAP blocks all external users from connecting to or communicating with your network; therefore your network is safe from hackers who may try to intrude on the network and damage it. However, you may need to expose your network to the Internet in certain limited and controlled ways in order to enable some applications to work from the LAN (game, voice and chat applications, for example) and to establish servers in the enterprise network. The Local Servers feature supports both of these functions. If you are familiar with networking terminology and concepts, you may have encountered this topic referred to as Port Forwarding.

The Local Servers screen in the Management Console provides a list of the most commonly used applications that require special handling by the CAP. All you have to do is identify which of them you want to use, and provide the local IP address of the computer that will be using the service.

Soft-phone example:
For example, if you wanted to use the Net2Phone voice application on one of your PCs, you would simply select Net2Phone from the list and enter the local IP address of that computer in the right-hand column. All Net2Phone-related data arriving at the CAP from the Internet will henceforth be forwarded to the computer specified as the recipient of in-bound Net2Phone traffic.

Web Server example:

Similarly, if you want to grant Internet users access to servers inside your enterprise network, you must identify each service that you want to provide and the address of the computer that will provide it. For example, if you want to host a Web server inside the enterprise network you must select HTTP - Web Server from the list and enter the local IP address of the computer that will host the Web server in the right-hand column. Then, when an Internet user points her browser to the external IP address of the CAP, the product will forward the incoming HTTP request to the computer that is hosting the Web server.

Local Server with a Forwarded Port (a port different than what was requested):

Additionally, Local Servers enable you to redirect traffic to a port different than the one for which it was designated. Let's say that you have a web server running on your PC on port 8080 and you want to grant access to this server to anyone who accesses the CAP via HTTP. To accomplish this, do the following:

1. Define a local server for the HTTP service, with the PC's IP address or hostname.
2. Specify 8080 in the Forwarded Port field.

All incoming HTTP traffic will now be forwarded to the PC running the Web server on port 8080.

Note that if an Internet application that you wish to use or a service that you wish to provide is not already in the list, you can easily add it.

To add a new service to the list of active local servers:
1. Click the New Entry button. The Add Local Servers screen will appear.
2. Select the service that you would like to provide.
3. Enter the local IP address of the computer that will provide the service (the server). Note that only one LAN computer can be assigned to provide a specific service or application.
4. Select a port to forward communications to (note that this parameter is optional).
5. Define the time period during which the local server will be active. You can either select from a pre-defined list of schedules by selecting one from the Schedule combo box, or create a new schedule by pressing the New link.
6. Click the OK button to save your changes and return to the Local Servers screen.

To edit an entry in the Local Servers table so that a service can be provided by a different local computer:

1. Click the Edit button for the service. The Edit Service screen will appear.
2. Enter the IP address of the computer that you would like to provide this service.
3. Click the OK button to save your changes and return to the Local Servers screen.

You may disable a service and make the service unavailable without having to remove the service from the Local Servers table. This may be useful if you wish to make the service unavailable only temporarily and expect that you will want to make it available again in the future.

5.5 Designating a Demilitarized (DMZ) Host

The DMZ Host feature allows one local computer to be exposed to the Internet. Designate a DMZ host when:
- You wish to use a special-purpose Internet service, such as an on-line game or video-conferencing program, that is not present in the Local Servers list and for which no port range information is available.
- You are not concerned with security and wish to expose one computer to all services, without restriction.

To designate a local computer as a DMZ Host:

1. Click the DMZ Host button. The DMZ Host screen will appear.
2. Enter the local IP address of the computer that you would like to designate as a DMZ host. Note that only one LAN computer may be a DMZ host at any time.
3. Click the OK button to save your changes and return to the DMZ Host screen.

You may disable the DMZ host so that it will not be fully exposed to the Internet, but keep its IP address recorded on the DMZ Host screen. This may be useful if you wish to disable the DMZ host but expect that you will want to enable it again in the future.

To disable the DMZ host so that it will not be fully exposed to the Internet: Clear the check-box next to the DMZ IP designation.

To enable the DMZ host: Select the check-box next to the DMZ IP designation.

5.6 Port Triggering

Port triggering can be used for dynamic port forwarding configuration. By setting port triggering rules, you can allow inbound traffic to arrive at a specific LAN host, using ports different than those used for the outbound traffic. This is called port triggering since the outbound traffic triggers to which ports inbound traffic is directed.

The Firewall blocks inbound traffic by default. The server replies to the CAP's IP, and the connection is not NATed back to your host. In order to solve this you need to define a Port Triggering entry, which allows inbound traffic on port 3333 TCP only after a LAN host has generated traffic to port 2222 TCP. This will result in accepting the inbound traffic from the gaming server, and sending it back to the LAN host which originated the outgoing traffic to port 2222.

5.6.1 Defining Port Triggering

This section describes how to define a port triggering entry. The entry values are relevant to the gaming example provided in the previous section.

1. Click the Security icon on the side-bar.
2. Click the Port Triggering tab on the Security screen. The Port Triggering screen will appear, listing all of the port triggering entries.
3. Click the New Entry link to add an entry.
4. Click the New User-Defined Service link to add an entry.
5. Specify the following port triggering entries in the New Server Ports and New Opened Ports fields respectively:
   Server Ports: TCP ANY->2222
   Opened Ports: TCP ANY->3333
6. Mark the Add Port Triggering Rule check-box next to your service description in the general Port Triggering screen to enable port redirection.

NOTE: There may be a few default port triggering rules listed when you first access the Port Triggering screen. Please note that disabling these rules may result in impaired gateway functionality.
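The following is an added example, not code from this manual or from the CAP product. It models in plain Python how the three inbound-handling features of sections 5.4, 5.5 and 5.6 (a Local Server with a Forwarded Port, the DMZ Host, and Port Triggering) decide where a packet arriving from the WAN is delivered, and what happens when none of them applies. The class and field names, the precedence of an armed trigger over a static Local Server entry, and all IP addresses are assumptions of the model; the port pairs 80/8080 and 2222/3333 are the ones used in the manual's own examples.

```python
"""Inbound handling model for Local Servers, DMZ Host and Port Triggering.

Added example; not code from the Converged Access manual or the CAP product.
Delivery order modelled here (the order itself is an assumption):
  1. Port Triggering: inbound traffic on an "Opened Port" is admitted only
     after a LAN host sent traffic to the matching "Server Port", and it is
     delivered to that host.
  2. Local Servers: a static service -> LAN host mapping, optionally
     rewriting the destination port ("Forwarded Port", e.g. 80 -> 8080).
  3. DMZ Host: catch-all for traffic not belonging to a known mapping.
  4. Otherwise the packet is blocked, the firewall default.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class LocalServer:
    proto: str
    port: int                              # port requested by the Internet client
    host: str                              # LAN computer providing the service
    forwarded_port: Optional[int] = None   # optional "Forwarded Port" rewrite


@dataclass
class PortTrigger:
    proto: str
    server_port: int      # outbound destination port that arms the trigger
    opened_proto: str
    opened_port: int      # inbound port opened towards the triggering host


@dataclass
class Gateway:
    wan_ip: str
    local_servers: list = field(default_factory=list)
    triggers: list = field(default_factory=list)
    dmz_host: Optional[str] = None
    dmz_enabled: bool = True
    # (opened_proto, opened_port) -> LAN host that armed the trigger
    armed: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> None:
        """Observe LAN -> WAN traffic and arm any port trigger it matches."""
        for t in self.triggers:
            if pkt.proto == t.proto and pkt.dst_port == t.server_port:
                self.armed[(t.opened_proto, t.opened_port)] = pkt.src_ip

    def inbound(self, pkt: Packet):
        """Return (lan_host, lan_port) for a WAN -> LAN packet, or None if blocked."""
        if pkt.dst_ip != self.wan_ip:
            return None
        host = self.armed.get((pkt.proto, pkt.dst_port))
        if host is not None:                       # port triggering
            return (host, pkt.dst_port)
        for s in self.local_servers:               # static local servers
            if s.proto == pkt.proto and s.port == pkt.dst_port:
                return (s.host, s.forwarded_port or s.port)
        if self.dmz_host and self.dmz_enabled:     # DMZ host catch-all
            return (self.dmz_host, pkt.dst_port)
        return None                                # default: blocked


def demo() -> dict:
    """Run the manual's web-server and gaming examples on constructed addresses."""
    gw = Gateway(wan_ip="203.0.113.10")   # constructed RFC 5737 documentation address
    gw.local_servers.append(LocalServer("TCP", 80, "192.168.1.20", forwarded_port=8080))
    gw.triggers.append(PortTrigger("TCP", 2222, "TCP", 3333))
    gw.dmz_host = "192.168.1.99"

    out = {}
    # HTTP request from the Internet: forwarded to the web server on port 8080
    out["http"] = gw.inbound(Packet("TCP", "198.51.100.7", 40000, gw.wan_ip, 80))
    # Inbound 3333 before any LAN host talked to port 2222: lands on the DMZ host
    out["3333_before"] = gw.inbound(Packet("TCP", "198.51.100.8", 2222, gw.wan_ip, 3333))
    # LAN host 192.168.1.30 contacts the game server on 2222, arming the trigger
    gw.outbound(Packet("TCP", "192.168.1.30", 51000, "198.51.100.8", 2222))
    out["3333_after"] = gw.inbound(Packet("TCP", "198.51.100.8", 2222, gw.wan_ip, 3333))
    # With the DMZ host disabled an unmapped port is blocked
    gw.dmz_enabled = False
    out["blocked"] = gw.inbound(Packet("UDP", "198.51.100.9", 5000, gw.wan_ip, 5000))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The "3333_before" case is the point worth noticing: while a DMZ host is enabled, every inbound packet that no Local Server or trigger claims is delivered to it, which is why the manual describes the DMZ host as exposing one computer to all services without restriction.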
5.7 Remote Management of the CAP

It is possible to access and control the CAP not only from within the local enterprise network, but also from the Internet. This allows your support staff or a Managed Service Provider to manage the system and view statistics remotely. Remote management access to the CAP is blocked by default to ensure the security of your local enterprise network; however, by modifying settings under Security, then Remote Administration, you can enable remote management for the following services:

- Telnet: Used to obtain a command line and gain access to all system settings and parameters.
- Web-Management/HTTP: Used to obtain access to the Management Console and gain access to all system settings and parameters.
- Allow SNMP Control and Diagnostic Requests: Used for granting access to incoming SNMP requests.
- Diagnostic Tools: Used for troubleshooting and remote system management by your support staff or Managed Service Provider.

To allow remote access to CAP services:
1. Click the Remote Administration button. The Remote Access Configuration screen will appear.
2. Select the services that you would like to make available to computers on the Internet. These services include:
   - Telnet: Grants command-line access to the CAP. While this service is password-protected, it is not considered a secured protocol. If a local server is configured to use port 23, select port 8023 to avoid conflicts.
   - Web-based Management: Grants access to password-protected Web-based management. If a local server is configured to use port 80, select port 8080 to avoid conflicts.
   - Allow SNMP Control and Diagnostic Requests: Grants access to incoming SNMP requests.
   - Diagnostic tools: Includes Ping and Traceroute (over UDP). These services may be used for troubleshooting and remote system management by the service provider.
3. Click the Apply button to save your changes and return to the Security settings screen.

Note: Encrypted remote administration is done using a secure SSL connection, requiring an SSL certificate. When accessing the CAP for the first time using encrypted remote administration, your web browser will prompt you with a warning regarding certificate authentication. This is due to the fact that the CAP's SSL certificate is self-generated. When encountering this message under these circumstances, ignore it and continue. It is also possible to assign a user-defined certificate to the CAP; a certificate issued by an authority your browsers already trust removes the warning and lets the browser verify that it is connected to the CAP rather than to another host presenting its own certificate.

5.8 IP/Hostname Filtering

You may configure the CAP to block specific Internet Web sites so that they cannot be accessed from computers in the local enterprise network. Restrictions can be applied to a comprehensive, automatically updated list of sites to which access is not recommended.

To view the list of Web sites currently being blocked:
Click the IP/Host-name Filtering tab.

To add a new Web site to the list:

1. Click the New Entry button. The Restricted IP Address or Host-name screen will appear.
2. Enter the web site address (IP or URL) that you would like to make inaccessible from your enterprise network (all web pages within the site will also be blocked). If the web site address has multiple IP addresses, the CAP will resolve all additional addresses and automatically add them to the restrictions list.
3. Select the group of computers to which you would like to apply the filtering rule. You can either select from a pre-defined list of groups by selecting one from the Applied To combo box, or create a new group by pressing the New link.
4. Define the time period during which the rule will take effect. You can either select from a pre-defined list of schedules by selecting one from the Schedule combo box, or create a new schedule by pressing the New link.
5. Click the OK button to add the web site to the list. You will be returned to the previous screen while the CAP attempts to find the site. You'll see the "Resolving..." status indication appear in the Status column while the site is being located, indicating that the URL is being resolved into one or more IP addresses.
6. If the site is successfully located then "Resolved" will appear in the status bar; otherwise "Error" will appear. Click the Refresh button to update the status if necessary.

If the CAP appears not to be able to resolve the address, do the following:

- Use a Web browser to verify that the Web site is available. If it is available, then you probably entered the Web site address incorrectly. Skip to "To modify a Web site address currently in the list" below.
- If the Web site is not available, return to the Restrictions List screen and click the Resolve Now button to verify that the Web site can be found and blocked by the CAP.

To modify a Web site address currently in the list:

1. Click the Edit button that appears in the Action column. The Restricted IP Address or Hostname screen will appear.
2. Modify the Web site address, group and schedule as necessary. If it is long and/or complicated you may want to use your browser's Copy and Paste functions to copy the address from the address bar to the management console. Be sure to omit the http:// at the beginning and the / at the end of the address.
3. Click the OK button to save your changes.

To ensure that all current IP addresses corresponding to Web sites in the list are blocked:
Click the Resolve Now button. The CAP will check each of the Web site addresses in the list and ensure that all IP addresses at which this Web site can be found are included in the IP addresses column.

You may disable a restriction and make the Web site available again without having to remove the site from the Restrictions List. This may be useful if you wish to make the Web site available only temporarily and expect that you will want to block it again in the future.

To temporarily disable a restriction: Clear the check box next to the restricted URL.

To reinstate the restriction at a later time: Select the check box next to the URL.

To remove a restriction: Click the Remove button. The restriction will be removed from the Restrictions List.

5.9 Security Log

The Security log displays a list of Firewall-related events, including attempts to establish inbound and outbound connections, attempts to authenticate at an administrative interface (Web-based Management or Telnet terminal), Firewall configuration modifications, and system start-up.

To view the Security Log:
Click the Security Log button appearing on the Security screen. Each log entry has the following fields:

Time: The time the event occurred.

Event: The origin of the event:
  Inbound Traffic: The event is a result of an incoming packet.
  Outbound Traffic: The event is a result of an outgoing packet.
  Firewall Setup: Configuration message.

Event-Type: Textual description of the event (see full description below).
  Blocked: Means that the packet was blocked. The message is colored red.
  Accepted: Means that the packet was accepted. The message is colored green.

Details: More details about the packet or the event, such as protocol, IP addresses, ports, etc.

The following are the available Event-Types that can be recorded in the Firewall log:
1. Firewall internal
2. Firewall status changed
3. STP packet
4. Illegal packet options
5. Fragmented packet
6. WinNuke protection
7. ICMP replay
8. ICMP redirect protection
9. Packet invalid in connection
10. ICMP protection
11. Broadcast/Multicast protection
12. Spoofing protection
13. DMZ network packet
14. Trusted device
15. Default policy
16. Remote administration
17. Access control
18. Parental control
19. NAT out failed
20. DHCP request
21. DHCP response
22. DHCP relay agent
23. IGMP packet
24. Multicast IGMP connection
25. RIP packet
26. PPTP connection
27. Kerberos key management 1293
28. Kerberos 88
29. AUTH:113 request
30. Packet-Cable
31. IPV6 over IPV4
32. ARP
33. PPP Discover
34. PPP Session
35. 802.1Q
36. Outbound Auth1X
37. IP Version 6
38. CAP initiated traffic
39. Maximum security enabled service
40. SynCookies Protection
41. ICMP Flood Protection
42. UDP Flood Protection
43. Service
44. Rule
45. Fragmented packet, header too small
46. Fragmented packet, header too big
47. Fragmented packet, drop all
48. Fragmented packet, bad align
49. Fragmented packet, packet too big
50. Fragmented packet, packet exceeds
51. Fragmented packet, no memory
52. Fragmented packet, overlapped
53. De-fragmentation failed
54. Connection opened
55. Wildcard connection opened
56. Wildcard connection hooked
57. Connection closed
58. Echo/Chargen/Quote/Snork protection
59. First packet in connection is not a SYN packet
60. Error: No memory
61. NAT Error: connection pool is full. No connection created
62. NAT Error: No free NAT IP
63. NAT Error: Conflict Mapping already exists
64. Malformed packet - Failed parsing
65. Passive attack on ftp-server: Client attempted to open Server ports
66. FTP port request to 3rd party is forbidden (Possible bounce attack)
67. Firewall Rules were changed
68. User authentication

To view or change the Firewall Log settings:
1. Click the Settings button that appears at the top of the Firewall Log screen. The Security Log Settings screen will appear.
2. Select the types of activities for which you would like a log entry generated:
   - Accepted Incoming Connections: Logs a message for each successful attempt to establish an inbound connection to the enterprise network.
   - Accepted Outgoing Connections: Logs a message for each successful attempt to establish an outgoing connection to the public network.
   - Blocked Connection Attempts: Logs a message for each blocked attempt to establish an inbound connection to the enterprise network or vice versa. You can enable logging of blocked packets of specific types by disabling this option and enabling some of the more specific options below it. Specify the blocked events that should be monitored. Use this to monitor specific events such as SYN flood. A log message will be generated if either the corresponding check-box is checked, or the Blocked Connection Attempts check-box is checked.
   - Remote Administration Attempts: Logs a message for each remote-administration connection attempt, whether successful or not.
   - Connection States: Gives extra information about every change in a connection opened by the Firewall. Use this option to track connection handling by the Firewall and Application Level Gateways (ALGs).
   - Prevent Log Overrun: Stops logging Firewall activities when the memory allocated for the log is completely full.
3. Click the OK button to save your changes and return to the Firewall Log screen.

5.10 Advanced Filtering

Advanced filtering is designed to allow comprehensive control over the Firewall's behavior. You can define specific input and output rules, control the order of logically similar sets of rules and make a distinction between rules that apply to WAN and LAN network devices.

To access the Advanced Filtering screen:
1. Press the Security icon on the sidebar to display the security features.
2. Press the Advanced Filtering button. The Advanced Filtering screen will appear.

You can configure two sets of rules, Input Rules and Output Rules. Each set of rules is comprised of three subsets:

- Initial Rules
- Network Devices Rules
- Final Rules

These subsets determine the sequencing by which the rules will be applied. The following is a description of the set ordering for in-bound and out-bound packets.

Inbound Packets (Input Rule Sets):
1. Initial rules.
2. All rules in the set of the network device the packet is on.
3. Local Server rules from the Local Servers tab in the Security screen.
4. Rules to accept all the packets on a device for which the Firewall check box (Internet Connection Firewall in the connection settings screen) is unchecked.
5. Remote administration rules from the Remote Administration tab.
6. DMZ host rules from the DMZ tab.
7. Final rules.

Outbound Packets (Output Rule Sets):
1. Initial rules.
2. All rules in the set of the network device the packet is on.
3. Rules to accept all the packets on a device for which the Firewall check box (Internet Connection Firewall in the connection settings screen) is unchecked.
4. IP/hostname filtering rules and access control rules from the tabs in the Security screen.
5. Final rules.

There are numerous other rules automatically inserted by the Firewall in order to provide improved security and block harmful attacks.

Defining Advanced Filtering rules:

Press the Edit button next to the rule title, or click on the title (such as Initial Rules) directly. The Configure Rules screen will appear, displaying the entries currently constituting the rule subset you selected.

5.10.1 Adding an Advanced Filtering Rule

To add an advanced filtering rule, click on New Entry, then carefully define the following rule parameters:
1. Matching: To apply a Firewall rule, a match must be made between IP addresses or ranges and ports. Use the Source IP and Destination IP to define the coupling of source and destination traffic. Port matching will be defined when selecting services (see step 5). For example, if you select the FTP service, port 21 will be checked for matching traffic flow between the defined source and destination IPs.
2. Operation: Where you define what action the rule will take, by selecting one of the following radio buttons:
   - Drop: Deny access to packets that match the source and destination IP addresses and service ports defined in Matching. No response is sent to the sending station.
   - Reject: Rejects packets as Drop does, but also sends a response to the sending station.
   - Accept: Allow access to packets that match the source and destination IP addresses and service ports defined in Matching. The data transfer session will be handled using Stateful Packet Inspection (SPI).
   - Accept Packet: Allow access to packets that match the source and destination IP addresses and service ports defined in Matching. The data transfer session will not be handled using Stateful Packet Inspection (SPI), meaning that other packets that match this rule will not be automatically allowed access. For example, this can be useful when creating rules that allow broadcasting.
3. Logging: Select this check-box to add entries relating to this rule to the security log.
4. Scheduler: Select or create a schedule for the rule. For information on how to configure Scheduler Rules refer to section 7.10.
5. Services: Select the services to which you would like to apply this rule. You can add user-defined services by clicking the New User-Defined Service link.
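The following is an added example, not code from this manual or from the CAP product, that ties the rule actions above to the session behaviour described in the 5.1 overview. It evaluates an ordered rule list first-match, implements Drop, Reject, Accept and Accept Packet, keeps a stateful session table so that replies to an Accepted connection pass without matching any rule, and writes a Blocked/Accepted line for rules whose Logging box is set. The rule fields, the log line format, the Maximum-style policy in the demo (only listed services allowed out of the LAN, everything else caught by a final "Default policy" drop rule) and all addresses are assumptions of the model.

```python
"""Rule-evaluation model for the Advanced Filtering actions.

Added example; not code from the manual or the CAP product. Models
first-match evaluation with the four 5.10.1 actions plus SPI sessions:
Accept opens a session so its replies pass regardless of reverse-direction
rules; Accept Packet admits only the matching packet. Fields, log format
and the final "Default policy" rule are assumptions of this model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DROP, REJECT, ACCEPT, ACCEPT_PACKET = "Drop", "Reject", "Accept", "Accept Packet"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"           # Source IP range (Matching)
    dst: str = "0.0.0.0/0"           # Destination IP range (Matching)
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # service port, e.g. 21 for FTP (Services)
    log: bool = False                # the Logging check-box

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


@dataclass
class Firewall:
    rules: list                                  # ordered: Initial ... Final
    sessions: set = field(default_factory=set)   # SPI session table
    security_log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent 5-tuple so a reply maps to the same session.
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        return (p.proto,) + (a + b if a < b else b + a)

    def filter(self, p: Packet) -> str:
        """Return the verdict for p: a rule action, or 'Session' for SPI-tracked traffic."""
        if self._key(p) in self.sessions:
            return "Session"
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == ACCEPT:            # Accept opens a stateful session
                self.sessions.add(self._key(p))
            if r.log:
                verdict = "Accepted" if r.action in (ACCEPT, ACCEPT_PACKET) else "Blocked"
                self.security_log.append(
                    f"{verdict} {r.name} {p.proto} "
                    f"{p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}")
            return r.action
        return DROP                           # no rule matched


def demo():
    """Maximum-security-style policy on constructed addresses."""
    lan = "192.168.1.0/24"
    fw = Firewall(rules=[
        Rule("Access Control", REJECT, src="192.168.1.50/32", proto="TCP", dst_port=21, log=True),
        Rule("HTTP out", ACCEPT, src=lan, proto="TCP", dst_port=80),
        Rule("DNS out", ACCEPT, src=lan, proto="UDP", dst_port=53),
        Rule("Custom UDP out", ACCEPT_PACKET, src=lan, proto="UDP", dst_port=5000),
        Rule("Default policy", DROP, log=True),
    ])
    out = {}
    out["request"] = fw.filter(Packet("TCP", "192.168.1.20", 40000, "198.51.100.7", 80))
    # Reply to the request above: admitted by the session, not by any rule
    out["reply"] = fw.filter(Packet("TCP", "198.51.100.7", 80, "192.168.1.20", 40000))
    # Same server, but a port no LAN host asked for: falls to Default policy
    out["unsolicited"] = fw.filter(Packet("TCP", "198.51.100.7", 80, "192.168.1.20", 40001))
    out["ftp"] = fw.filter(Packet("TCP", "192.168.1.50", 41000, "198.51.100.9", 21))
    # Accept Packet lets the datagram out but opens no session, so the answer is dropped
    out["custom_out"] = fw.filter(Packet("UDP", "192.168.1.20", 5000, "198.51.100.10", 5000))
    out["custom_back"] = fw.filter(Packet("UDP", "198.51.100.10", 5000, "192.168.1.20", 5000))
    return out, fw


if __name__ == "__main__":
    results, firewall = demo()
    for name, verdict in results.items():
        print(f"{name:12s} {verdict}")
    print("\n".join(firewall.security_log))
```

The "reply" versus "custom_back" pair is the difference between Accept and Accept Packet in practice: the HTTP answer is admitted by the session that the outbound request opened, while the answer to the Accept Packet datagram has no session to ride on and is dropped by the final rule. The log lines come only from rules with Logging set, which is how the Blocked entries for Access Control and Default policy appear while the accepted HTTP and DNS traffic stays silent.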
5.11 Applying Corporate Security

The following set of instructions is designed to assist you in applying corporate security standards to your network. When implementing these instructions, it is important to execute the configuration steps in the exact order they are presented.

To apply corporate Firewall security standards perform the following:

Configure the CAP to permit only HTTPS as a means of remote administration:

1. Click the Security icon on the side-bar.
2. Click the Remote Administration tab.
3. Enable the following check boxes:
   - Using Primary HTTPS Port (443)
   - Using Secondary HTTPS Port (8443)
4. Press the OK button.

Apply Firewall protection on the LAN:

1. Click the Network Connections icon on the side-bar.
2. Click the LAN Ethernet connection link.
3. Click the Settings button.
4. Enable the Internet Connection Firewall check box.
5. Press the OK button.

At this point you have set your Firewall to Corporate-Grade Security. If you wish to allow additional LAN services, or other outbound services, refer to the Advanced Filtering section 5.10.

6.0 QoS Traffic Management Capabilities

One of the major capabilities of the CAP is the ability to guarantee both in-bound and out-bound Quality of Service for business-critical network traffic passing through the CAP. Every network environment has its own unique requirements as to which types of applications are absolutely critical to its business; therefore, the QoS capabilities within the CAP have been designed to be extremely flexible to meet each network administrator's unique QoS needs. An example of how a network would benefit greatly by implementing the CAP's QoS functionality might be a company desiring to best utilize an existing T1 (1.544 Mb/s) WAN link that is currently supporting the following:
- Time-sensitive data applications (such as Point-of-Sale or Citrix)
- Time-sensitive voice applications (such as an IP-Centrex based VoIP network)
- Dozens of other less business-critical and/or time-critical applications (such as recreational Web browsing, gaming, music downloads, etc.)

If this company typically experiences WAN congestion, leading to excessive delays in the delivery of these time-sensitive applications, adding more bandwidth to try and solve the problem does not always guarantee a fix. Implementing the CAP, a QoS-aware, enterprise-class bandwidth management solution, can guarantee the delivery of business-critical traffic both in and out of the enterprise WAN link and solve this problem.

6.1 Configuring QoS in the CAP

In order to configure QoS traffic management parameters in the CAP you must first:

- Understand which applications you need to prioritize through the CAP
- Know how much total bandwidth is available on the entire WAN link
- If implementing VoIP, be able to define how many calls of each type of codec you need to support concurrently
- Know which applications are business-critical and need to be allocated guaranteed amounts of the available WAN bandwidth
- Define which of the business-critical applications are the most time-sensitive and will require higher prioritization than others

This section is documented as a configuration example, to show the relationship between the screens as clearly as possible. The example configuration below is based on the following requirements:

- Total of 1.536 Mbps WAN bandwidth available
- 6 G.711 SIP-signaled VoIP calls need to be supported with highest priority
- 256 Kbps required for Citrix, with the 2nd highest priority behind VoIP
- All other traffic to share the remaining bandwidth as best effort

(Note: You'll also need to have a defined plan such as the one shown in this example for your own specific network environment and requirements.)

To input the configuration supporting the above requirements:
Start by selecting the Quality of Service icon on the left side of the screen. This will launch the main QoS screen.

Click on the Enabled box to activate QoS on the CAP, then define the total amount of bandwidth that is available in the Total Bandwidth box. This value is entered in kbps; therefore, a T1 would be entered as 1536 (and a 384 Kbps link would be 384).

Next, click on New Entry to go to the Class definition screen. You will create a New Entry for each class you need to support in the CAP, including a Default class to catch all other traffic that is not being prioritized by QoS.

Define the Default class:

- Give it a Class Name. Default would probably be best for this class, but you can call it whatever name makes the most sense to you.
- Leave Rate Shape enabled. This ensures that the CAP is authorized to slow down bursty data traffic as required to support time-sensitive traffic such as VoIP.
- If you will be supporting a VoIP class, you should also limit the MTU of this class to 576 bytes, to ensure that voice traffic has the shortest queuing times while causing the least amount of data re-transmissions in the best effort/Default class.
- Don't click the Voice Class box, as this is not a voice class (more on this later).
- Set the guaranteed Bandwidth (kbps) to 256.
- Set the Burst Bandwidth (kbps) to the maximum link bandwidth, which is 1536. If other, higher-priority traffic is not using its allocated bandwidth, lower-priority traffic such as this Default class can use it.
- Set the Priority to the lowest priority setting (i.e. Very Low, the lowest of the 5 classes).
- Click OK to accept these settings for the Default class.

You now have a Default class defined on the CAP. If you made a mistake, you can either completely delete the class by clicking the delete icon to the right of the new Default class, or click on the class itself or the edit button to edit it.

Next, click on New Entry again to define your Citrix class. Define your Citrix Traffic class using the same principles as you did for the Default class above, except increase the Priority to High and set the Guaranteed Bandwidth to 256 (kbps), as required in our planning. Click on OK.

Click on New Entry once more to create your VoIP Traffic class. Define your VoIP class:

- Enter a Class Name, e.g. VoIP_Traffic or whatever you prefer.
- Select Voice Class. This tells the CAP to open up a larger set of parameters that are specific to VoIP traffic, allowing you to provide fine detail in the VoIP class.
- Enter the number of simultaneous calls of each CODEC class that need to be supported in this class. Note: The CAP automatically calculates the total bandwidth required for this class, based upon your selections. If the sum of all of your classes exceeds the total available WAN bandwidth that you defined in Step 2, the CAP automatically warns you, so you can make modifications as necessary. When you click the OK button, the bandwidth calculations occur automatically.
- Set your Priority to Very High, which is the highest of the 5 class priorities.
- Click OK.

Summary of all 3 classes we've defined.

Next, you need to define what specific traffic is in your two non-Default classes. Click on the Citrix_Traffic class to begin. At the bottom of the screen, you'll notice that you can now see items to click on that allow you to define this class's traffic further.

Click on New Entry in the Inbound Filters (WAN → LAN) area. You can specify the Source IP and Destination IP to be ANY, SINGLE, or RANGE. For this example, we'll leave these as ANY, but you can define this to meet your filtering requirements.

Note: You can filter traffic applicable to the class based upon TOS settings already existing on incoming traffic. You can define how many bits to match, and what those bits must contain, for traffic to be applicable to this class. Also, if you not only specify the TOS marking requirements but also specify additional data application information below this in the filter, the result is an AND of the two (or more): the incoming traffic MUST match BOTH the TOS requirements and the application protocol to be applicable to this class filter.

Select Accept, as we will be accepting this traffic in this class. Then, either scroll down until you find Citrix Winframe Server, or in your web browser do an Edit/Find on this page for Citrix, to locate the box to check to make this a Citrix class.

Note: If a particular class needs to support more than one application, just make the class name something common to all the traffic types. Then click on all of the appropriate boxes in the filter selection area (see filter area on the next page) to combine all of them into one single class definition.

Click OK. Then do the same for your Outbound Filters (LAN → WAN), if required.
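The three-class bandwidth plan and the ANDed TOS/application filter logic described above, modelled as an added Python example (not code from the CAP or its vendor). The per-call G.711 figure (80 kbps), the Citrix ICA and SIP port numbers and the packet dictionary format are assumptions; the CAP's own calculator and filter list may use other values.

```python
"""Model of the section 6.1 QoS plan (added example, not code from the CAP or its vendor).

Checks the three-class plan against the 1536 kbps T1 the way the CAP's
"total exceeds WAN bandwidth" warning does, and classifies constructed sample
packets with inbound filters that AND a TOS-bit match with an application
match, as the Citrix_Traffic filter note describes.
Assumptions: 80 kbps per G.711 call (160-byte payload every 20 ms plus 40 bytes
of RTP/UDP/IP headers), Citrix ICA on TCP 1494 and SIP on UDP 5060.
"""
from dataclasses import dataclass, field
from typing import Optional

WAN_KBPS = 1536                              # T1 value entered in the Total Bandwidth box
PRIORITY = {"Very High": 4, "High": 3, "Medium": 2, "Low": 1, "Very Low": 0}
CODEC_KBPS = {"G.711": 80, "G.729": 24}      # assumed IP-layer kbps per call (20 ms packets)


@dataclass
class Filter:
    """One inbound class filter: TOS bits AND (optional) application match."""
    tos_mask: int = 0                        # which TOS bits to compare; 0 = don't care
    tos_value: int = 0                       # what those bits must contain
    protocol: Optional[str] = None           # "tcp" / "udp"; None = any
    dport: Optional[int] = None              # destination port; None = any

    def matches(self, pkt: dict) -> bool:
        # Every configured condition must hold (the manual's "ANDing").
        if self.tos_mask and (pkt["tos"] & self.tos_mask) != (self.tos_value & self.tos_mask):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


@dataclass
class QosClass:
    name: str
    priority: str
    guaranteed_kbps: int
    burst_kbps: int = WAN_KBPS               # may borrow unused bandwidth up to the link size
    voice_calls: dict = field(default_factory=dict)   # codec -> concurrent calls (Voice Class)
    filters: list = field(default_factory=list)       # empty = catch-all class

    def required_kbps(self) -> int:
        """Guaranteed bandwidth; for a Voice Class it is derived from the call counts."""
        if self.voice_calls:
            return sum(CODEC_KBPS[codec] * n for codec, n in self.voice_calls.items())
        return self.guaranteed_kbps


def example_plan(g711_calls: int = 6) -> list:
    """The three classes from the manual's worked example."""
    return [
        QosClass("Default", "Very Low", 256),
        QosClass("Citrix_Traffic", "High", 256,
                 filters=[Filter(protocol="tcp", dport=1494)]),
        QosClass("VoIP_Traffic", "Very High", 0, voice_calls={"G.711": g711_calls},
                 filters=[Filter(protocol="udp", dport=5060)]),
    ]


def check_plan(classes: list, wan_kbps: int = WAN_KBPS) -> dict:
    """Sum the classes' guaranteed bandwidth and compare it with the WAN link."""
    total = sum(c.required_kbps() for c in classes)
    return {"total_kbps": total, "headroom_kbps": wan_kbps - total, "fits": total <= wan_kbps}


def classify(pkt: dict, classes: list) -> str:
    """Name of the highest-priority class whose filters match, else the catch-all class."""
    matched = [c for c in classes if any(f.matches(pkt) for f in c.filters)]
    if matched:
        return max(matched, key=lambda c: PRIORITY[c.priority]).name
    return next(c.name for c in classes if not c.filters)


# Constructed sample packets (TOS 0xB8 is DSCP EF, the usual marking for voice).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 1494, "tos": 0x00},   # Citrix ICA session
    {"proto": "udp", "dport": 5060, "tos": 0xB8},   # SIP signalling
    {"proto": "tcp", "dport": 80,   "tos": 0x00},   # recreational web browsing
]

if __name__ == "__main__":
    plan = example_plan()
    print(check_plan(plan))      # {'total_kbps': 992, 'headroom_kbps': 544, 'fits': True}
    for pkt in SAMPLE_PACKETS:
        print(pkt["dport"], "->", classify(pkt, plan))
```

Raising the call count (for example to 14 G.711 calls) pushes the total past 1536 kbps, which is the situation in which the CAP warns you when you click OK.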
Returning to your Citrix_Traffic screen will show the following.

Note: In the screen above, you can define Type of Service (TOS). Defining TOS in this screen marks all packets associated with this class with the TOS setting you define here. This is NOT for in-bound filtering, but for TOS marking or re-marking. Inbound TOS filtering is defined in the class Filter section, as described in this example.

Click Apply then OK to save and exit from this screen. When you hit OK, you are returned to the QoS screen.

Click on your VoIP_Traffic class to define the SIP traffic specific to this class. The principle is exactly the same as for the Citrix_Traffic class, except this time we'll specify that the application is SIP. The ALGs in the CAP include a SIP ALG; therefore, the CAP is intelligent enough to know that when a SIP call is initiated, there will be RTP and RTCP associated with it. Therefore, you do not have to check any boxes other than SIP. The screen below shows the SIP ALG selection.

QoS has been defined for all 3 classes. Click Apply.

Click on QoS Traffic to see statistics on the QoS traffic classes. QoS traffic monitoring: if you click on Automatic Refresh, the statistics on this screen are updated about every 15 seconds.

7.0 Advanced

Note: The Advanced section of the Management Console consolidates a number of previously described services into an easy-to-browse section of the management interface, and is also the location for other new services such as User Administration, Defining Network Objects, Firmware Review and Upgrade, SNMP service definitions, etc. To get to these services, click on Advanced in the side-bar. The following services are available under this section:
7.1 System Settings

The System Settings button allows you to configure various system and management parameters. Use this section to configure the following:

1. Specify the gateway's host name. The host name is the gateway's URL address.
2. Specify your network's local domain.

7.1.1 Management Console Settings

Use this section to configure the following:

- Automatic Refresh of System Monitoring Web Pages: Select this checkbox to enable the automatic refresh of system monitoring web pages.
- Warn User Before Network Configuration Changes: Select this checkbox to activate user warnings before network configuration changes take effect.

7.1.2 Management Application Ports Settings

This section allows you to configure the following management application ports:

1. Primary/secondary HTTP ports
2. Primary/secondary HTTPS ports
3. Primary/secondary Telnet ports
4. Secure Telnet over SSL ports
7.1.3 System Logging Settings

Use this section to configure the following:

1. System Log buffer size
2. Remote system notify level: None, Error, Warning, Information

7.1.4 Security Logging Settings

Use this section to configure the following:

1. Security Log buffer size
2. Remote system notify level: None, Error, Warning, Information

7.1.5 Outgoing Mail Server Settings

Use this section to configure the following:

1. Enter the hostname of your outgoing (SMTP) server in the Server field.
2. Each email requires a from address, and some outgoing servers refuse to forward email without a valid from address for anti-spam reasons. Enter a from email address in the From Email Address field.
3. If your outgoing email server requires authentication, check the Server Requires Authentication checkbox and enter your user name and password in the User Name and Password fields respectively.

7.2 Managing the DNS Server

Domain Name System (DNS) provides a service that translates domain names into IP addresses and vice versa. The CAP's DNS server is an auto-learning DNS, which means that when a new computer is connected to the network the DNS server learns its name and automatically adds it to the DNS table. Other network users may immediately communicate with this computer using either its name or its IP address. In addition, your gateway's DNS:

- Shares a common database of domain names and IP addresses with the DHCP server.
- Supports multiple subnets within the LAN simultaneously.
- Automatically appends a domain name to un-qualified names.
- Allows new domain names to be added to the database using the CAP's Web-based Management.
- Permits a computer to have multiple host names.
- Permits a host name to have multiple IPs (needed if a host has multiple network cards).

The DNS server does not require configuration. However, you may wish to view the list of computers known by the DNS, edit the host name or IP address of a computer on the list, or manually add a new computer to the list.

7.2.1 Viewing and Modifying the DNS Table

To view the list of computers stored in the DNS table:
1. Click the DNS Server icon in the Advanced screen of the Management Console. The DNS table will be displayed.

To add a new entry to the list:

1. Click the New DNS Entry button. The DNS Entry screen will appear.
2. Enter the computer's host name and IP address.
3. Click the OK button to save your changes.

To edit the host name or IP address of an entry:

1. Click the Edit button that appears in the Action column. The DNS Entry screen will appear.
2. If the host was manually added to the DNS Table then you may modify its host name and/or IP address; otherwise you may only modify its host name.
3. Click the OK button to save your changes.

To remove a host from the DNS table:

1. Click the Delete button that appears in the Action column. The entry will be removed from the table.
7.3 Dynamic DNS

The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessible from various locations on the Internet. Typically, when you connect to the Internet, your service provider assigns an unused IP address from a pool of IP addresses, and this address is used only for the duration of a specific connection. Dynamically assigning addresses extends the usable pool of available IP addresses, whilst maintaining a constant domain name. Each time the IP address provided by your ISP changes, the DNS database will change dynamically to reflect the change in IP address. In this way, even though a domain name's IP address will change often, your domain name will still be accessible to other hosts.

To be able to use the Dynamic DNS feature you must open a DDNS account, free of charge, at http://www.dyndns.org/account/create.html. When applying for an account, you will need to specify a user name and password. Please have them readily available when customizing the CAP's DDNS support. For more information regarding Dynamic DNS, please refer to http://www.dyndns.org.

7.3.1 Using Dynamic DNS

1. Click the DDNS icon in the Advanced screen of the Management Console. The DDNS table will appear.
2. Specify the Dynamic DNS parameters:
   - Connection to Update: Select the connection to which you would like to couple the Dynamic DNS service.
   - Offline: Select the Offline checkbox if the host is not currently online and you need to let people who try to use the host know.
   - User Name: Enter your Dyndns user name.
   - Host Name: Enter a subdomain name, and select a suffix from the domain combo-box to define your host name.
   - Wildcard: Select the Wildcard checkbox if you want anything-here.yourhost.dyndns.org to work (i.e. to make things like www.yourhost.dyndns.org work).
   - Mail Exchanger: Enter your mail exchange server address, to redirect all e-mails arriving at your Dyndns address to your mail server.
   - Backup MX: Select this check box to designate the mail exchange server as a backup server.

7.4 DHCP - Managing IP Address Distribution

Your gateway's DHCP server makes it possible to easily add computers that are configured as DHCP clients to the enterprise network. It provides a mechanism for allocating IP addresses to these hosts and for delivering network configuration parameters to them.

A client (host) sends out a broadcast message on the LAN requesting an IP address for itself. The DHCP server then checks its list of available addresses and leases a local IP address to the host for a specific period of time, and simultaneously designates this IP address as taken. At this point the host is configured with an IP address for the duration of the lease.

The host can choose to renew an expiring lease or let it expire. If it chooses to renew a lease then it will also receive current information about network services, as it did with the original lease. This allows it to update its network configuration to reflect any changes that may have occurred since it first connected to the network. If the host wishes to terminate a lease before its expiration, it can send a release message to the DHCP server, which will then make the IP address available for use by others.

The CAP's DHCP server:
- Displays a list of all DHCP host devices connected to the CAP
- Defines the range of IP addresses that can be allocated in the LAN
- Defines the length of time for which dynamic IP addresses are allocated
- Provides the above configurations for each LAN device and can be configured and enabled/disabled separately for each LAN device
- Can assign a static lease to a LAN PC so that it receives the same IP address each time it connects to the network, even if this IP address is within the range of addresses that the DHCP server may assign to other computers
- Provides the DNS server with the host name and IP address of each PC that is connected to the LAN

7.4.1 DHCP Server Summary

To view a summary of the services currently being provided by the DHCP server, click the IP Address Distribution icon in the Advanced screen of the Management Console. The IP Address Distribution screen will appear. You can view the status of your DHCP Server here for all available interfaces on the CAP. Select the connection Name check-box to view the status of DHCP services on this interface (e.g. LAN Bridge), or enable/disable the DHCP server for a device.

7.4.2 Editing DHCP Server Settings

To edit the DHCP server settings for a device:

1. Click the Edit button in the Action column. The DHCP Settings for this device will appear.
2. Choose whether to enable or disable the DHCP server for this device. This can also be done on the DHCP Server Summary screen.
3. Complete the following fields:
   - IP Address Range (Start and End): Determines the number of hosts that may be connected to the network in this subnet. Start specifies the first IP address that may be assigned in this subnet and End specifies the last IP address in the range.
   - Subnet Mask: A mask used to determine what subnet an IP address belongs to. An example of a subnet mask value is 255.255.0.0.
   - Lease Time: Each device will be assigned an IP address by the DHCP server for a limited time (Lease Time) when it connects to the network. When the lease expires, the server will determine if the computer has disconnected from the network. If it has, then the server may reassign this IP address to a newly-connected computer. This feature ensures that IP addresses that are not in use will become available for other computers on the network.
   - WINS Server IP Address: You can define a relay server / WINS Server, allowing LAN clients to access Windows services over the WAN.
   - Provide host name if not specified by client: If the DHCP client does not have a host name, the gateway will assign the client a default name.
4. Click the OK button to save your changes.

7.4.3 DHCP Connections

To view a list of computers currently recognized by the DHCP server, click the Connection List button that appears at the bottom of the DHCP Server Summary screen. The DHCP Connections screen will be displayed.

To edit the properties for a static connection:
Click the Edit button that appears in the Action column. The DHCP Connection Settings screen will appear.

To define a new connection with a fixed IP address:

1. Click the New Static Connection button that appears at the top of the DHCP Connections screen. The DHCP Connection Settings screen will appear.
2. Enter a host name for this connection.
3. Enter the fixed IP address that you would like to have assigned to the computer.
4. Enter the MAC address of the computer's network card.
5. Click the OK button to save your changes.

To remove a host from the table:

Click the Delete button that appears in the Action column.

7.5 Network Objects

Network Objects is a method of abstractly defining a set of LAN hosts. Defining such a group can assist when configuring system rules. For example, network objects can be used when configuring the CAP's security filtering settings such as IP address filtering, host name filtering or MAC address filtering. You can use network objects in order to apply security rules based on host names instead of IP addresses. This may be useful, since IP addresses change from time to time. Moreover, it is possible to define network objects according to MAC addresses, making rule application even more low-level.

To define a network object:

1. Click the Advanced icon on the side-bar.
2. Click the Network Objects icon; the Network Objects screen will appear.
3. Click the New Entry link; the Network Object screen will appear.
4. Specify a name for the network object in the Description field.
5. Click the New Entry link; the Item screen will appear.
6. Select the network object type from the Network Object Type combo-box: IP Address, MAC Address or Host Name.
7. Specify the appropriate description for the network object type.
8. Press the OK button.

7.6 Routing

The Routing control available under the Advanced section of the management interface allows you to add, edit and delete routing rules from the Routing Table.

7.6.1 Managing Routing Table Rules

You can access the routing table rules by clicking the Routing icon from the Advanced screen. The Routing screen will appear. When adding a routing rule, you need to specify:

- Device: Select the network device.
- Destination: The destination host, subnet address, network address, or default route. The destination for a default route is 0.0.0.0.
- Netmask: The network mask is used in conjunction with the destination to determine when a route is used.
- Gateway: Enter the gateway's IP address.
- Metric: A measurement of the preference of a route. Typically, the lowest metric is the most preferred route. If multiple routes exist to a given destination network, the route with the lowest metric is used.

7.6.2 Multicasting

The CAP provides support for IGMP multicasting, which allows hosts connected to a network to be updated whenever an important change occurs in the network. A multicast is simply a message that is sent simultaneously to a pre-defined group of recipients. When you join a multicast group you will receive all messages addressed to the group, much like what happens when an e-mail message is sent to a mailing list. IGMP multicasting enables UPnP capabilities over wireless networks and may also be useful when connected to the Internet through a router.

When an application running on a computer in the enterprise network sends out a request to join a multicast group, the CAP intercepts and processes the request. If the CAP is set to Minimum Security, no further action is required. However, if the CAP is set to Typical Security or Maximum Security, you must add the group's IP address to the CAP's Multicast Groups screen. This will allow incoming messages addressed to the group to pass through the Firewall and on to the correct LAN computer.

1. Click the Routing icon in the Advanced screen.
2. Select the Multicast Groups Management check-box.
3. Press the OK button.

7.7 Managing & Defining Users

You can add, edit and delete users on the CAP.
These users could be system administrators capable of accessing the CAP's management interface, or they could be PPTP clients with their login credentials stored on the CAP. When adding a user, you need to specify the following parameters:

- Full Name: The remote user's full name.
- User Name: The name a remote user will use to access your enterprise network.
- New Password: Type a new password for the remote user. If you do not want to change the remote user's password, leave this field empty.
- Retype New Password: If a new password was assigned, type it again to verify correctness.
- Permissions: Select the remote user's privileges on your enterprise network.
  - Remote Access by PPTP: Grants access with no system modification privileges.
  - Administrator Privileges: Grants remote system setting modification via web-based management or telnet.

Note: Changing any of the user parameters will prompt the connection associated with the user to terminate. For changes to take effect, you should activate the connection manually after modifying user parameters.

7.7.1 Email Notification

You can use email notification to receive indications of system events for a pre-defined severity classification. The available types of events are System or Security events. The available severities of events are Error, Warning and Information. If the Information level is selected, the user will receive notification of Information, Warning and Error events. If the Warning level is selected, the user will receive notification of Warning and Error events, etc.

To configure email notification for a specific user:

1. First make sure you have configured an outgoing mail server in System Settings. A click on the Configure Mail Server link will display the System Settings page where you can configure the outgoing mail server.
2. Enter the user's email address in the Address field in the Email section.
3. Select the System and Security notification levels in the System Notify Level and Security Notify Level combo boxes respectively.

7.8 RADIUS

For 802.1x client authentication to work over the LAN, either the CAP must have static entries for every LAN client to be authenticated through its LAN, or it must consult a RADIUS (Remote Authentication Dial-in User Service) server for authenticating users. The RADIUS server verifies the client's credentials to determine whether the device is authorized to connect to the LAN. If the RADIUS server accepts the client, the server responds by exchanging data with the CAP, including security keys for subsequent encrypted sessions.

To configure the RADIUS authentication mechanism, perform the following:

1. Click the RADIUS icon in the Advanced screen of the Management Console. The RADIUS screen will appear.
2. Specify the following parameters:
   - RADIUS Client: Select this check-box to enable RADIUS client authentication.
   - Server IP: Type in the RADIUS server's IP address.
   - Server Port: Type in the RADIUS server's port.
   - Shared Secret: Type in your shared secret.

7.9 Date & Time

To configure date, time and daylight saving time settings, perform the following:
1. Click the Date and Time icon in the Advanced screen of the Management Console. The Date & Time settings screen will be displayed.
2. Select the local time zone from the pull-down menu. The CAP can automatically detect daylight saving settings for selected time zones. If the daylight saving settings for your time zone are not automatically detected, the following fields will be displayed:
   - Enabled: Select this check box to enable daylight saving time.
   - Start: Date and time when daylight saving starts.
   - End: Date and time when daylight saving ends.
   - Offset: Daylight saving time offset.
3. If you want the gateway to perform an automatic time update, perform the following:
   - Select the Enabled checkbox under the Automatic Time Update section.
   - Select the protocol to be used to perform the time update by selecting either the Time of Day or Network Time Protocol radio button.
   - Specify how often to perform the update in the Update Every field.
   - You can define time server addresses by pressing the New Entry link at the bottom of the Automatic Time Update section.

7.10 Scheduler Rules

Scheduler rules are used for limiting the application of Firewall rules to specific time periods, specified in days and hours. To define a rule:

1. Click the Advanced icon on the side-bar.
2. Click the Scheduler Rules icon; the Scheduler Rules screen will appear.
3. Click the New Scheduler Entry link; the Scheduler Rule Edit screen will appear.
4. Specify a name for the rule in the Name field.
5. Specify if the rule will be active/inactive during the designated time period, by selecting the appropriate Rule Activity Settings check-box.
6. Click the New Time Segment Entry link to define the time segment to which the rule will apply:
   - Select active/inactive days of the week.
   - Click the New Time Segment Entry to define an active/inactive hourly range.
7. Press the OK button.

7.11 Point-to-Point Tunneling Protocol (PPTP)

To access the PPTP settings, click the PPTP icon from the Advanced screen. The Advanced PPTP Settings screen will appear. This screen enables you to configure:
- The remote users that will be granted access to your enterprise network.
- The IP address range an authorized remote user can use when accessing your enterprise network.
- Advanced PPTP client/server connection settings.

7.11.1 Managing Remote Users

Select the Users link to define and manage remote users. You can add, edit and delete users. When adding a user, you need to specify the following parameters:

- Full Name: The remote user's full name.
- User Name: The name a remote user will use to access your enterprise network.
- New Password: Type a new password for the remote user. If you do not want to change the remote user's password, leave this field empty.
- Retype New Password: If a new password was assigned, type it again to verify correctness.
- Permissions: Select the remote user's privileges on your enterprise network.
  - Remote Access by PPTP: Grants access with no system modification privileges.
  - Administrator Privileges: Grants remote system setting modification via web-based management or telnet.

7.11.2 Email Notification

You can use email notification to receive indications of system events for a pre-defined severity classification. The available types of events are System or Security events. The available severities of events are Error, Warning and Information. If the Information level is selected, the user will receive notification of Information, Warning and Error events. If the Warning level is selected, the user will receive notification of Warning and Error events, etc.

To configure email notification for a specific user:
First make sure you have configured an outgoing mail server in System Settings. A click on the Configure Mail Server link will display the System Settings page were you can configure the outgoing mail server. Enter the users email address in the Address field in the Email section. Select the System and Security notification levels in the System Notify Level and Security Notify Level combo boxes respectively. August 3, 2005 Converged Access Point 111 7.11.3 Advanced PPTP Server Settings To configure advanced PPTP server settings press the Advanced button on the PPTP screen. The Advanced PPTP Settings screen will appear. This screen enables you to configure the following:
Enabled: Enable or disable the PPTP server. Maximum Idle Time to Disconnect: Specify the amount of idle time (during which no data is sent or received) that should elapse before the gateway disconnects a PPTP connection. Force User Security: Select whether PPTP will use authentication, encryption, or both. Allowed Authentication Algorithms: Select the algorithms the server may use when authenticating its clients. Allowed Encryption Algorithms: Select the algorithms the server may use when encrypting data. Remote Address Range: Specify the range of IP addresses remote users can use to access your enterprise network. Note: Please note that the client settings must be in tune with the server settings. August 3, 2005 Converged Access Point 112 7.11.4 Advanced PPTP Client Settings The PPTP connections are displayed in the Advanced PPTP Settings screen. To configure advanced PPTP client and server settings perform the following steps:
1. Press a specific connection's Edit button. The Connection Summary screen will appear.
2. Press the Settings button. The Advanced PPTP Client Settings screen will appear, enabling you to configure the following advanced PPTP client settings:

PPP Settings
Host Name: The host name of your PPTP server.
Login User Name: Your user name.
Login Password: Your password.
Idle Time Before Hanging Up: The period of idle time (during which no data is sent or received) that should elapse before the gateway disconnects the PPTP client connection.
PPP Authentication: Select the authentication algorithms your gateway may use when negotiating with a PPTP server. Select all the check-boxes if no information is available about the server's authentication methods.
PPP Encryption: Select the encryption algorithms your gateway may use when negotiating with a PPTP server. Select all the check-boxes if no information is available about the server's encryption methods.
Routing: Define the connection's routing rules.
DNS Server: Select whether the PPTP client should obtain a DNS server address automatically. If not, configure the DNS server's IP address.
Internet Connection Firewall: Select this check-box to include the PPTP client connection as a network interface monitored by the CAP's Firewall.

7.15 Simple Network Management Protocol (SNMP)

SNMP enables network management systems to remotely configure and monitor the CAP. Your Internet service provider (ISP) may use SNMP in order to identify and resolve technical problems.

7.15.1 Configuring the CAP's SNMP Agent

Technical information regarding the properties of the CAP's SNMP manager and agent should be provided by your system administrator or Managed Service Provider. To configure the CAP's SNMP agent, perform the following:
1. Click the SNMP icon in the Advanced screen of the Management Console. The SNMP screen will appear.
2. Specify the following SNMP parameters, as provided by your Internet service provider:

SNMP Trusted Peer: The IP address, or subnet of addresses, that identifies which remote management stations are allowed to perform SNMP operations on the CAP.
Read-only/Write Community Names: SNMP community strings are passwords used in SNMP messages between the management system and the CAP. A read-only community allows the manager to monitor the CAP. A read-write community allows the manager to both monitor and configure the CAP.
SNMP Traps: Messages sent by the CAP to a remote management station, in order to notify the manager about the occurrence of important events or serious conditions. The CAP supports both SNMP version 1 and SNMP version 2c traps.

7.16 MAC Cloning

A MAC address is the numeric code that identifies a device on a network, such as your external cable/DSL modem or a PC network card. Your service provider may ask you to supply the MAC address of your PC, external modem, or both. When replacing an external modem with the CAP (a future capability), you can simplify the installation process by copying the MAC address of your existing PC to the CAP. In such a case, you do not need to delay the setup process by informing your service provider of newly installed equipment.

Configuring MAC Cloning:
1. Click the MAC Cloning icon in the Advanced screen of the Management Console. The MAC Cloning screen will appear.
2. Enter the physical MAC address to be cloned.
3. Press OK.
Note: If you want the CAP to clone your PC's MAC address, press the Clone My MAC Address button, then press OK.

7.17 Diagnostics

The Diagnostics screen can assist you in testing network connectivity. This feature will enable you to ping (ICMP echo) an IP address and view statistics such as the number of packets transmitted and received, round trip time and success status.

7.17.1 Diagnosing Network Connectivity

To diagnose network connectivity, perform the following steps:
1. Click the Diagnostics icon from the Advanced screen in the Management Console. The Diagnostics screen will appear.
2. Enter the IP address to be tested in the Destination field.
3. Press the Go button under the Ping section.
4. In a few seconds, diagnostics statistics will be displayed. If no new information is displayed, press the Refresh button.

7.18 Remote Administration

In its default state, the CAP blocks all external (WAN side) users from connecting to or communicating with it. Therefore the system is safe from hackers who may try to intrude on the network and damage it. However, you may wish to enable certain services that grant remote users administrative privileges in your network.

7.18.1 Configuring Remote Administration Services

1. Click the Remote Administration icon in the Advanced screen of the Management Console. The Remote Administration screen will appear.
2. Select the check-boxes next to the service names that you wish to enable.
3. Press the OK button.

7.19 Restoring Default Settings

You may sometimes wish to restore the CAP's factory default settings. This may happen, for example, when you wish to build a new network from the beginning, or when you cannot recall changes made to the network and wish to go back to the default configuration. To restore default settings:
1. Click the Restore Defaults icon in the Advanced screen of the Management Console. The Restore Defaults screen will be displayed.
2. Click the OK button to restore the CAP's factory default settings.

7.20 Restart

To restart the CAP:
1. Click the Restart icon in the Advanced screen of the Management Console. The Restart screen will be displayed.
2. Click the OK button to restart the CAP. This may take up to one minute. To re-enter the Management Console after restarting the gateway, click the browser's Refresh button.

7.21 Saving, Restoring & Resetting the CAP Configuration

You can review technical system information regarding the CAP, such as the firmware version, when it was created, and the CAP's current configuration file. To view technical information regarding the CAP:
1. Click the Technical Info icon in the Advanced screen of the Management Console. The Technical Information screen will appear.
2. Click the Configuration File button to view the complete contents of the CAP's configuration file.
3. Click the Save Configuration File button to save a copy of the configuration file to your PC.
4. Click the Load Configuration File button to load a configuration file and restart the CAP. Hit the Browse button to select a configuration file from your PC.

7.22 Tunneling IP V6 Inside of IP V4

You can configure the CAP to tunnel IP version 6 traffic inside of an IP version 4 packet. To enable IP V6 tunneling:
Click on Advanced, then click on the IPV6 icon.
Check the Enabled box and then click OK.

8.0 System Monitoring

The System Monitoring screen displays important system information, including:
Key network device parameters
Network traffic statistics
QoS statistics
The system log
The amount of time that has passed since the CAP was last started

Click on System Monitoring to access the monitoring screens.

8.1 Monitoring Connections

1. Click the System Monitoring icon in the left sidebar to display a table summarizing the monitored connection data.
2. Click the Refresh button to update the display, or press the Automatic Refresh button to constantly update the displayed parameters.

8.2 Traffic Statistics

The CAP constantly monitors traffic within the local network and between the local network and the Internet. You can view up-to-the-second statistical information about data received from and transmitted to the Internet (WAN) and about data received from and transmitted to computers in the local network (LAN).

8.3 QoS Traffic

The QoS Traffic report displays statistics specific to Links and configured Classes on the CAP.

8.4 System Log

Press the System button to display the amount of time that has passed since the system was last started.

8.5 System Up Time

Press the System button to display the amount of time that has passed since the system was last started.

9.0 Firmware Upgrade

There are two ways to upgrade the system software:
1. Upgrading from the Internet: automatically retrieve an updated system software file.
2. Upgrading from a local computer: use an updated system software file located on a local disk drive.
The following are instructions for each of these methods.

9.1 Upgrading From the Internet

The Remote Update mechanism makes it easy to perform a software upgrade. Each day, the system automatically checks to see if there is a newer software version available. If an upgrade is available, the Upgrade screen will be displayed upon logging into the Management Console. If no upgrade is available, the Network Map will appear, as usual. To learn if an upgrade is available, click the CAP Firmware Upgrade button from the Advanced screen. You will be informed whether an upgrade is available, and if not, be given the option to choose an image file from which to upgrade the CAP.

If an upgrade is available:
To upgrade, click the Yes button. The CAP must be connected to the Internet in order to communicate with the Remote Update server. The CAP will check each time the system restarts and at 24-hour intervals thereafter.
To wait and upgrade later, do one of the following:
Click the No button. The system will continue to perform its daily checks for the availability of a software update as scheduled, and will notify you the next time you log into the Management Console.
Move to another screen by clicking an icon in the left sidebar. Return to the Upgrade screen at a later time by clicking the CAP Firmware Upgrade icon in the Advanced screen.

9.2 Upgrading From a Local Computer

To upgrade the CAP using a file that you have previously downloaded from the Internet or received on CD:
1. When you receive notification that a new software version is available, retrieve the file as instructed and store it on a computer in the enterprise network.
2. Open the Management Console from this same computer and click the CAP Firmware Upgrade icon that appears in the Advanced screen.
3. Click the Browse button. A dialog box will appear. Choose the file to upload to the CAP and click Open.
4. Click the OK button that appears at the bottom of the Upgrade screen. The file will be uploaded to the CAP.
5. After the file has been transferred to the CAP, its validity will be verified and you will be asked to confirm that you wish to upgrade the CAP with this new file.
6. Click Yes to confirm. The upgrade process will begin and should take no longer than one minute to complete.
7. At the conclusion of the upgrade process, the CAP will automatically reboot. The new software version will be running, and your custom configurations and settings will be maintained.

10.0 Analog Voice Gateway Configuration

The CAP's Voice over IP (VoIP) support allows you to connect multiple phones over a single broadband connection, providing the benefits and quality of digital voice. Further, the CAP enables you to place and receive calls over the Internet using a standard telephone set connected to the CAP. This section describes how to configure the CAP's Analog Voice Gateway functionality.

Voice Gateway / Analog Telephony Adapter (ATA) Physical Setup
Connect a WAN port with the appropriate network cable to your network.
Connect a POTS telephone to one of the available voice ports.
Connect the CAP to the power supply.

10.1 Configuring VoIP ATA

Clicking on Voice Over IP in the CAP's web management GUI will show you up to 3 configuration tabs, depending on the VoIP protocol that will be implemented to support the analog voice gateway functionality.
10.1.1 The IP Telephony Tab

Dialing Parameters
Dialing Timeout - This value defines the maximum allowed time of inactivity between dialed digits, in seconds. If this limit is exceeded, the dialing process will time out and you will hear a warning tone. When you work with a proxy or gatekeeper, the number you have dialed before the dialing process has timed out will be sent to the proxy/gatekeeper as the user ID to be called. This is useful for calling a remote party without creating an entry in the phone book (assuming the remote party is registered with the proxy/gatekeeper).
Phone Number Size - This is the maximum length of shortcut numbers that you can enter and the maximum number of digits that you can dial.

VoIP Gateway Signaling Protocol
You can choose between SIP, H.323 and MGCP. Different subsets of parameters will become visible with each of these choices.
NOTE: To make the relevant parameters visible, the screen will be refreshed. However, to apply the change of protocol you must click either OK (this will apply the change and the main CAP screen will be displayed) or Apply (this will apply the changes and the same screen will be displayed).

SIP Parameters:
Media Port - Defines the port to use for voice transport (RTP).
SIP Transport Protocol - The underlying transport protocol to be used for SIP signaling, either TCP or UDP.
SIP Port - The port number to be used for SIP signaling (TCP).
Use SIP Proxy - Register the user with a SIP proxy, thus allowing other parties to call the user through this proxy. When this item is checked, the following fields become visible:
SIP Proxy Address - The IP address of the proxy, in dotted number notation.
SIP Proxy User Name - The login name used for authentication with this proxy.
SIP Proxy Password - The password used for authentication with this proxy.

H.323 Parameters:
Use Fast Start - Use the fast start connect method, which may result in quicker connection establishment, depending on the remote party's settings.
NOTE: Microsoft NetMeeting does not support this option, so in order to inter-operate with Microsoft NetMeeting this option must be disabled.
Q.931 Signaling Port - The port number to use for Q.931 signaling (H.323 call signaling is based upon Q.931).
Register with a Gatekeeper - Register the user with a gatekeeper, thus allowing other parties to call the user through this gatekeeper. When this item is checked, the following fields become visible:
Gatekeeper Address - The IP address of the gatekeeper, in dotted number notation.
Gatekeeper Port - The port on which the gatekeeper is listening for connections.

MGCP Parameters:
Media Gateway Controller Address - The IP address of the MGC (MGCP server), in dotted number notation.
Media Gateway Controller Port - The port on which the MGC is listening for connections.
Media Gateway Port - The port which the CAP will use for MGCP connections.

Codecs
The IP Telephony tab contains a list of supported audio codecs, with check boxes next to them. Each codec defines a method of relaying the voice data. Different codecs have different characteristics such as data compression and voice quality. For example, G.723 is a codec which uses compression that is effective where bandwidth is limited, but its voice quality is not as good compared to other codecs such as G.711. Note that you can have all the codecs checked or just some of them, but at least one of the codecs must be checked, or else you will not be able to make a call. When you start a call to a remote party, your available codecs are compared against the remote party's to determine which codec will be used. If there is no codec that both parties have made available, the call attempt will fail. If more than one codec is common to both parties, you cannot force which of the common codecs that were found will be used by the remote party's client. If you do wish to force the use of a specific codec, leave only that codec checked.

10.1.2 The Phone Settings Tab

The screen shot above shows the different configuration parameters:
Line: A telephone port in the CAP to which you can connect a POTS telephone. You can manage which telephone is operational by marking the check-box next to it.
User ID: This telephone's VoIP user ID, used for identification to initiate and accept calls.
Description: A free text description for you to conveniently identify which telephone is connected to which port.

Before starting to make phone calls, you need to configure each line's parameters. Using Line 1 as an example:
Click the edit icon under the Action column for line 1; the Line Settings screen will appear.
Specify the User ID and Description for this line number and click OK.
Send Caller ID - This option, which is checked by default, controls whether your user ID is sent when you call a remote party. If it is unchecked, the remote party will not receive your identification.
Configure as many of the line settings as needed. The Description will be useful later on when defining speed dial settings in the address book.

10.1.3 Creating and Editing Speed Dial and the Address Book

Click the Speed Dial tab. Note: the screen shot below already has speed dial numbers configured. On initial configuration, only the New Entry choice will be visible. Add a new speed dial phone book entry using the following:
Select New Entry.
Assign a Speed Dial number (a shortcut number which you will dial to call this remote party). Example - Speed Dial: 11
Select what type of call will be made when the speed dial is used:
Proxy Call - destination will be resolved by a defined SIP Proxy.
Local Line Call - call is local within the defined user IDs in the CAP.
Direct Call - call is defined by a remote party's IP address, either as a domain name or in numbers and dots notation. This can be the address of the party's gateway or the address of the proxy/gatekeeper at which this party is registered.
The Speed Dial entries will be displayed under the Speed Dial tab. This acts as a Speed Dial Address Book and displays the option to create new entries. To delete an existing Speed Dial entry, click the delete icon on this entry's line in the Action column. To edit an existing phone book entry, click the edit icon on this entry's line in the Action column.

10.1.4 Telephony Features

Placing a Call:
1. Pick up the handset on the POTS telephone.
2. Call the remote party by dialing the number you configured in the phone book.

Call Hold:
To place the remote party on hold, do the following:
1. Press Flash.
2. Press 1.
3. The phone will sound a dial-tone. At this point you can initiate a second call by dialing another party's number.
To cancel the hold state and resume the previous phone call, press Flash.

Call Transfer With Consultation:
To transfer an existing call (B) to a third party (C):
1. Press Flash.
2. Press 2. Party B will now be placed on hold, and you will hear a dial tone.
3. Dial party C's shortcut number (you can engage in conversation).
4. Press Flash to complete the transfer; you will hear a warning tone, and B and C are now talking to each other.

3-Way Conference:
To extend an existing call (B) into a 3-way conference by bringing in an additional party (C):
1. Press Flash.
2. Press 33. Party B will now be placed on hold and you will hear a dial tone.
3. Dial party C's shortcut number (you can engage in conversation).
4. Press Flash to join both C and B to a single conference.

11.0 Glossary

100Base-T: Also known as Fast Ethernet, an Ethernet cable standard with a data transfer rate of up to 100 Mbps.
10Base-T: An older Ethernet cable standard with a data transfer rate of up to 10 Mbps.
802.11, 802.11b: A family of IEEE (Institute of Electrical and Electronics Engineers)-defined specifications for wireless networks. Includes the 802.11b standard, which supports high-speed (up to 11 Mbps) wireless data transmission.
802.3: The IEEE (Institute of Electrical and Electronics Engineers)-defined specification that describes the characteristics of Ethernet (wired) connections.
Access point: A device that exchanges data between computers on a network. An access point typically does not have any Firewall or NAT capabilities.
Ad hoc network: A solely wireless computer-to-computer network. Unlike an infrastructure network, an ad hoc network does not include a gateway router.
Adapter: Also known as a network interface card (NIC). An expansion card or other device used to provide network access to a computer, printer, or other device.
Administrator: A person responsible for planning, configuring, and managing the day-to-day operation of a computer network. The duties of an administrator include installing new workstations and other devices, adding and removing individuals from the list of authorized users, archiving files, overseeing password protection and other security measures, monitoring usage of shared resources, and handling malfunctioning equipment.
Authentication: The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Bandwidth: The amount of information, or size of file, that can be sent through a network connection at one time. A connection with more bandwidth can transfer information more quickly.
Bridge: A device that forwards packets of information from one segment of a network to another. A bridge forwards only those packets necessary for communication between the segments.
Broadband connection: A high-speed connection, typically 256 Kbps or faster. Broadband services include cable modems and DSL.
Broadband modem: A device that enables a broadband connection to access the Internet. The two most common types of broadband modems are cable modems, which rely on cable television infrastructure, and DSL modems, which rely on telephone lines operating at DSL speeds.
Broadcast: Broadcasting sends a message to everyone on the network, whereas multicasting sends a message to a select list of recipients.
Bus: A set of hardware lines used for data transfer among the components of a computer system. A bus essentially allows different parts of the system to share data. For example, a bus connects the disk-drive controller, memory, and input/output ports to the microprocessor.
Cable modem: A device that enables a broadband connection to access the Internet. Cable modems rely on cable television infrastructure; in other words, the data travels on the same lines as your cable television.
CAT 5 cable: Abbreviation for Category 5 cable. A type of Ethernet cable that has a maximum data rate of 100 Mbps.
Channel: A path or link through which information passes between two devices.
CHAP: Challenge Handshake Authentication Protocol, a type of authentication in which the authentication agent (typically a network server) sends the client program a random value that is used only once and an ID value. The sender and peer must share a pre-defined secret.
Client: Any computer or program that connects to, or requests the services of, another computer or program on a network. For a local area network or the Internet, a client is a computer that uses shared network resources provided by a server.
Client/server network: A network of two or more computers that rely on a central server to mediate the connections or provide additional system resources. This dependence on a server differentiates a client/server network from a peer-to-peer network.
Computer name: A name that uniquely identifies a computer on the network so that all its shared resources can be accessed by other computers on the network. One computer name cannot be the same as any other computer or domain name on the network.
Crossover cable: A type of cable that facilitates network communications. A crossover cable is a cable that is used to interconnect two computers by crossing over (reversing) their respective pin contacts.
DHCP: Acronym for Dynamic Host Configuration Protocol. A TCP/IP protocol that automatically assigns temporary IP addresses to computers on a local area network (LAN). The CAP supports the use of DHCP. You can use DHCP to share one Internet connection with multiple computers on a network.
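The CHAP exchange described in the CHAP entry above (one-time random value plus an ID, shared pre-defined secret), beside the PAP request defined later in this glossary, as an added example that is not part of the original guide. The class and function names are assumptions, and the secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Added example, not from the Converged Access user guide: a minimal MD5-CHAP
# exchange as specified in RFC 1994, beside the PAP request it replaces. The
# class and function names are hypothetical; the secret, user name and
# password below are constructed sample values.

SHARED_SECRET = b"constructed-shared-secret"   # pre-defined secret both peers hold


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response value: MD5(Identifier || secret || Challenge).

    The secret feeds the hash but is never placed on the wire; the one-byte
    Identifier ties the response to one particular challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The authentication agent: issues a random one-time challenge plus an
    Identifier, then checks the peer's response using the same shared secret."""

    def __init__(self, secret: bytes, rng=os.urandom):
        self.secret = secret
        self.rng = rng
        self.next_id = 0
        self.outstanding = {}   # Identifier -> challenge still awaiting a response

    def challenge(self) -> tuple[int, bytes]:
        self.next_id = (self.next_id + 1) % 256
        value = self.rng(16)    # random value, used only once
        self.outstanding[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier: int, response: bytes) -> bool:
        # The challenge is consumed on first use, so a captured response can
        # never be presented a second time against the same challenge.
        value = self.outstanding.pop(identifier, None)
        if value is None:
            return False        # unknown, expired or already-answered challenge
        expected = chap_response(identifier, self.secret, value)
        return hmac.compare_digest(expected, response)


def pap_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334 layout: length-prefixed
    Peer-ID followed by length-prefixed Password). The password is in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


def run_exchange(secret_on_client: bytes) -> dict:
    """Drive one CHAP handshake with the client holding secret_on_client and
    report what an observer of the link would see, next to a PAP request."""
    server = ChapAuthenticator(SHARED_SECRET)
    ident, chal = server.challenge()
    resp = chap_response(ident, secret_on_client, chal)
    accepted = server.verify(ident, resp)
    replayed = server.verify(ident, resp)   # same response presented again
    chap_on_wire = bytes([ident]) + chal + resp
    pap_on_wire = pap_request("alice", "constructed-password")   # constructed
    return {
        "accepted": accepted,
        "replay_accepted": replayed,
        "secret_on_wire": SHARED_SECRET in chap_on_wire,
        "pap_password_on_wire": b"constructed-password" in pap_on_wire,
    }


if __name__ == "__main__":
    print(run_exchange(SHARED_SECRET))   # accepted, no replay, secret absent
    print(run_exchange(b"wrong-secret"))  # rejected
```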
Dial-up connection: An Internet connection of limited duration that uses a public telephone network rather than a dedicated circuit or some other type of private network.
DMZ: Acronym for demilitarized zone. A collection of devices and subnets placed between a private network and the Internet to help protect the private network from unauthorized Internet users.
DNS: Acronym for Domain Name System. A data query service chiefly used on the Internet for translating host names into Internet addresses. The DNS database maps DNS domain names to IP addresses, so that users can locate computers and services through user-friendly names.
Domain: In a networked computer environment, a collection of computers that share a common domain database and security policy. A domain is administered as a unit with common rules and procedures, and each domain has a unique name.
Domain name: An address of a network connection that identifies the owner of that address in a hierarchical format: server.organization.type. For example, www.whitehouse.gov identifies the Web server at the White House, which is part of the U.S. government.
Driver: Within a networking context, a device that mediates communication between a computer and a network adapter installed on that computer.
DSL: Acronym for Digital Subscriber Line. A constant, high-speed digital connection to the Internet that uses standard copper telephone wires.
DSL modem: A device that enables a broadband connection to access the Internet. DSL modems rely on telephone lines that operate at DSL speeds.
Duplex: A mode of connection. Full-duplex transmission allows for the simultaneous transfer of information between the sender and the receiver. Half-duplex transmission allows for the transfer of information in only one direction at a time.
Dynamic IP address: The IP address assigned (using the DHCP protocol) to a device that requires it. A dynamic IP address can also be assigned to a gateway or router by an ISP.
Edge computer: The computer on a network that connects the network to the Internet. Other devices on the network connect to this computer. The computer running the most current, reliable operating system is the best choice to designate as the edge computer.
Encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
Ethernet: A networking standard that uses cables to provide network access. Ethernet is the most widely-installed technology to connect computers together.
Ethernet cable: A type of cable that facilitates network communications. An Ethernet cable comes in a couple of flavors: there are twisted pair and coax Ethernet cables. Each of these allows data to travel at 10Mbit per second.
Firewall: A security system that helps protect a network from external threats, such as hacker attacks, originating outside the network. A hardware Firewall is a connection routing device that has specific data checking settings and that helps protect all of the devices connected to it.
Firmware: Software information stored in nonvolatile memory on a device.
Flash memory: A type of memory that does not lose data when power is removed from it. Flash memory is commonly used as a supplement to or replacement for hard disks in portable computers. In this context, flash memory either is built in to the unit or, more commonly, is available as a PC Card that can be plugged in to a PCMCIA slot.
FTP: Acronym for File Transfer Protocol. The standard Internet protocol for downloading, or transferring, files from one computer to another.
Gateway: A device that acts as a central point for networked devices, receives transmitted messages, and forwards them. The CAP can link many computers on a single network, and can share an encrypted Internet connection with wired and wireless devices.
Gateway address: The IP address you use when you make a connection outside your immediate network.
Hexadecimal: A numbering system that uses 16 rather than 10 as the base for representing numbers. It is therefore referred to as a base-16 numbering system. The hexadecimal system uses the digits 0 through 9 and the letters A through F (uppercase or lowercase) to represent the decimal numbers 0 through 15. For example, the hexadecimal letter D represents the decimal number 13. One hexadecimal digit is equivalent to 4 bits, and 1 byte can be expressed by two hexadecimal digits.
Host name: The DNS name of a device on a network, used to simplify the process of locating computers on a network.
Hub: A device that has multiple ports and that serves as a central connection point for communication lines from all devices on a network. When data arrives at one port, it is copied to the other ports.
IEEE: Acronym for Institute of Electrical and Electronics Engineers. A society of engineering and electronics professionals that develops standards for the electrical, electronics, computer engineering, and science-related industries. The IEEE (Eye-triple-E) is a non-profit, technical professional association of more than 377,000 individual members in 150 countries. The full name is the Institute of Electrical and Electronics Engineers, Inc., although the organization is most popularly known and referred to by the letters I-E-E-E.
Infrastructure network: A network configuration in which wireless devices connect to a wireless access point (such as the CAP) instead of connecting to each other directly.
Internet domain: In a networked computer environment, a collection of computers that share a common domain database and security policy. A domain is administered as a unit with common rules and procedures, and each domain has a unique name.
Intranet: A network within an organization that uses Internet technologies (such as a Web browser for viewing information) and protocols (such as TCP/IP), but is available only to certain people, such as employees of a company. Also called a private network. Some intranets offer access to the Internet, but such connections are directed through a Firewall.
IP: Acronym for Internet Protocol. The protocol within TCP/IP that is used to send data between computers over the Internet. More specifically, this protocol governs the routing of data messages, which are transmitted in smaller components called packets.
IP address: Acronym for Internet Protocol address. IP is the protocol within TCP/IP that is used to send data between computers over the Internet. An IP address is an assigned number used to identify a computer that is connected to a network through TCP/IP. An IP address consists of four numbers (each of which can be no greater than 255) separated by periods, such as 192.168.1.1.
ISO/OSI reference model: Abbreviation for International Organization for Standardization Open Systems Interconnection reference model. An architecture that standardizes levels of service and types of interaction for computers that exchange information through a communications network. The ISO/OSI reference model separates computer-to-computer communications into seven protocol layers, or levels; each builds on and relies on the standards contained in the levels below it. The lowest of the seven layers deals solely with hardware links; the highest deals with software interactions at the program level. It is a fundamental blueprint designed to help guide the creation of hardware and software for networks.
ISP: Acronym for Internet service provider. A company that provides individuals or companies access to the Internet.
Kbps: Abbreviation of kilobits per second. Data transfer speed, as through a modem or on a network, measured in multiples of 1,000 bits per second.
LAN: Acronym for local area network. A group of computers and other devices dispersed over a relatively limited area (for example, a building) and connected by a communications link that enables any device to interact with any other on the network.
MAC address: Abbreviation for media access control address. The address that is used for communication between network adapters on the same subnet. Each network adapter is manufactured with its own unique MAC address.
MAC layer: Abbreviation for media access control layer. The lower of two sub-layers that make up the data-link layer in the ISO/OSI reference model. The MAC layer manages access to the physical network, so a protocol like Ethernet works at this layer.
Mapping: A process that allows one computer to communicate with a resource located on another computer on the network. For example, if you want to access a folder that resides on another computer, you map to that folder, as long as the computer that holds the folder has been configured to share it.
Mbps: Abbreviation of megabits per second. A unit of bandwidth measurement that defines the speed at which information can be transferred through a network or Ethernet cable. One megabyte is roughly equivalent to eight megabits.
Modem: A device that transmits and receives information between computers.
MPPE: Microsoft Point to Point Encryption (MPPE) is a means of representing Point to Point Protocol (PPP) packets in an encrypted form.
Multicast: To transmit a single message to a select group of recipients. A simple example of multicasting is sending an e-mail message to a mailing list. Teleconferencing and videoconferencing also use multicasting, but require more robust protocols and networks.
NAT: Acronym for network address translation. The process of converting between IP addresses used within a private network and Internet IP addresses. NAT enables all of the computers on a network to share one IP address.
Network: A collection of two or more computers that are connected to each other through wired or wireless means. These computers can share access to the Internet and the use of files, printers, and other equipment.
Network adapter: Also known as a network interface card (NIC). An expansion card or other device used to provide network access to a computer, printer, or other device.
Network name: The single name of a grouping of computers that are linked together to form a network.
Network printer: A printer that is not connected directly to a computer, but is instead connected directly to a network through a wired or wireless connection.
Packet: A unit of information transmitted as a whole from one device to another on a network.
PAP: Password Authentication Protocol, the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. The Basic Authentication feature built into the HTTP protocol uses PAP.
PC Card: A peripheral device that adds memory, mass storage, modem capability, or other networking services to portable computers.
PCI: Acronym for Peripheral Component Interconnect. A specific bus type designed to be used with devices that have high bandwidth require-
PCI card:
ments. A card designed to t into a PCI expansion slot in a personal computer. PCI cards provide additional functionality; for example, two types of PCI cards are video adapters and network interface cards. See PCI. PCI expansion slot A connection socket designed to accommodate PCI cards. PCMCIA Peer-to-peer network PING Plug and Play Port PPPoE PPTP PPTP Prole Protocol Resource Acronym for Personal Computer Memory Card International As-
sociation. A non-prot organization of manufacturers and vendors formed to promote a common technical standard for PC Card-based peripherals and the slot designed to hold them, primarily on portable computers and intelligent electronic devices. A network of two or more computers that communicate without using a central server. This lack of reliance on a server differentiates a peer-to-
peer network from a client/server network. A protocol for testing whether a particular computer is connected to the Internet by sending a packet to the computers IP address and waiting for a response. A set of specifications that allows a computer to automatically detect and configure various peripheral devices, such as monitors, modems, and printers. A physical connection through which data is transferred between a computer and other devices (such as a monitor, modem, or printer), a network, or another computer. Also, a software channel for network communications. Acronym for Point-to-Point Protocol over Ethernet. A specification for connecting users on an Ethernet network to the Internet by using a broadband connection (typically through a DSL modem). IP Security, a set of protocols developed to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). Point-to-Point Tunneling Protocol, a technology for creating Virtual Pri-
vate Networks (VPNs). Because the Internet is essentially an open net-
work, the Point-to-Point Tunneling Protocol (PPTP) is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet. A computer-based record that contains an individual networks software settings and identification information. A set of rules that computers use to communicate with each other over a network. Any type of hardware (such as a modem or printer) or software (such as an application, le, or game) that users can share on a network. Restore factory defaults August 3, 2005 Converged Access Point 148 The term used to describe the process of erasing your base stations current settings to restore factory settings. You accomplish this by pressing the Reset button and holding it for ve or more seconds. Note that this is different from resetting the base station. An attachment used to join a telephone line to a device such as a modem or the external telephone lines. An attachment found on the ends of all Ethernet cables that connects Ethernet (wired) cables to other devices and computers A computer that provides shared resources, such as storage space or processing power, to network users. A folder (on a computer) that has been made available for other people to use on a network. A printer (connected to a computer) that has been made available for other people to use on a network. To make the resources associated with one computer available to users of other computers on a network. Acronym for Simple Network Time Protocol. A protocol that enables client computers to synchronize their clocks with a time server over the Internet. Acronym for Service Set Identier, also known as a wireless network name. An SSID value uniquely identies your network and is case sen-
sitive. RJ-11 connector RJ-45 connector Server Shared folder Shared printer Sharing SNTP SSID Static IP address A permanent Internet address of a computer (assigned by an ISP). Straight-through cable A type of cable that facilitates network communications. An Ethernet cable comes in a couple of avors. There is twisted pair, and coax Ethernet cables. Each of these allow data to travel at 10Mbit per second. Unlike the Crossover cable, straight-through cable has the same order of pin contacts on each end-plug of the cable. Subnet Subnet mask Switch A distinct network that forms part of a larger computer network. Subnets are connected through routers and can use a shared network address to connect to the Internet. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network (LAN). Having an organizations network divided into subnets allows it to be connected to the Internet with a single shared network address. Similar in form to an IP address and typically provided by an ISP. An example of a subnet mask value is 255.255.0.0. A central device that functions similarly to a hub, forwarding packets to specific ports rather than broadcasting every packet to every port. A switch is more efcient when used on a high-volume network. Switched network Switching A communications network that uses switching to establish a connection between parties. A communications method that uses temporary rather than permanent August 3, 2005 Converged Access Point 149 TCP/IP Throughput USB connections to establish a link or to route information between two parties. In computer networks, message switching and packet switching allow any two parties to exchange information. Messages are routed
(switched) through intermediary stations that together serve to connect the sender and the receiver. Acronym for Transmission Control Protocol/Internet Protocol. A networking protocol that allows computers to communicate across in-
terconnected networks and the Internet. Every computer on the Internet communicates by using TCP/IP. The data transfer rate of a network, measured as the number of kilobytes per second transmitted. Acronym for universal serial bus. USB (Universal Serial Bus) is a plug-
and-play interface between a computer and add-on devices (such as audio players, joysticks, keyboards, telephones, scanners, and printers). With USB, a new device can be added to your computer without having to add an adapter card or even having to turn the computer off. USB adapter A device that connects to a USB port. USB connector The plug end of the USB cable that is connected to a USB port. It is about half an inch wide, rectangular and somewhat at. USB port UTP A rectangular slot in a computer into which a USB connector is inserted. Acronym for unshielded twisted pair. A cable that contains one or more twisted pairs of wires without additional shielding. Its more exible and takes less space than a shielded twisted pair (STP) cable, but has less bandwidth. Virtual server One of multiple Web sites running on the same server, each with a unique domain name and IP address. VPN WAN Wi-Fi Wireless A Virtual Private Network (VPN) is a private Network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling Protocol and security procedures. Acronym for wide area network. A geographically widespread network that might include many linked local area networks. A term commonly used to mean the wireless 802.11b standard. Refers to technology that connects computers without the use of wires and cables. Wireless devices use radio transmission to connect computers on a network to one another. Radio signals can be transmit-
ted through walls, ceilings, and oors, so you can connect computers that are in different rooms in the house without physically attaching them to one another. Wireless access point A device that exchanges data between wireless computers or between wireless computers and wired computers on a network. Wireless network name The single name of a grouping of computers that are linked together to form a network. August 3, 2005 Converged Access Point 150 Wireless security A wireless network encryption mechanism that helps to protect data transmitted over wireless networks. WLAN Acronym for wireless local area network. A network that exclusively relies on wireless technology for device connections. August 3, 2005 Converged Access Point 151
| | | frequency | equipment class | purpose |
|---|---|---|---|---|
| 1 | 2005-12-08 | 2412 ~ 2462 | DTS - Digital Transmission System | Original Equipment |

| Applicant Information | |
|---|---|
| Effective | 2005-12-08 |
| Applicant's complete, legal business name | Converged Access Inc. |
| FCC Registration Number (FRN) | 0013596960 |
| Physical Address | 31 Dunham Road, Billerica, Massachusetts 01821, United States |

| TCB Information | |
|---|---|
| TCB Application Email Address | s******@curtis-straus.com |
| TCB Scope | A4: UNII devices & low power transmitters using spread spectrum techniques |

| FCC ID | |
|---|---|
| Grantee Code | TDW |
| Equipment Product Code | WVRTD-100G-W |

| Person at the applicant's address to receive grant or for contact | |
|---|---|
| Name | G**** R****** |
| Title | Director of Manf. Operations |
| Telephone Number | 978-4******** Extension: |
| Fax Number | 978-4******** |
| | g******@convergedaccess.com |

| Technical Contact | |
|---|---|
| Firm Name | Advance Data Technology Corporation (Hwa Ya) |
| Name | C****** C****** |
| Physical Address | No. 19, Hwa Ya 2nd Rd., Kwei Shan Hsiang, Taoyuan Hsien, 333, Taiwan |
| Telephone Number | 886-3******** Extension: |
| Fax Number | 886-3******** |
| | C******@adt.com.tw |

| Non Technical Contact | |
|---|---|
| Firm Name | Advance Data Technology Corporation |
| Name | S**** H******** |
| Physical Address | No. 19, Hwa Ya 2nd Rd., Kwei Shan Hsiang, Taoyuan Hsien, 333, Taiwan |
| Telephone Number | 886-3******** Extension: |
| Fax Number | 886-3******** |
| | s******@adt.com.tw |

| Confidentiality (long or short term) | |
|---|---|
| Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes |
| Long-Term Confidentiality: Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No |
| If no date is supplied, the release date will be set to 45 calendar days past the date of grant. | |

| Cognitive Radio & Software Defined Radio, Class, etc | |
|---|---|
| Is this application for software defined/cognitive radio authorization? | No |
| Equipment Class | DTS - Digital Transmission System |
| Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | Converged Access Point |
| Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No |
| Modular Equipment Type | Does not apply |
| Purpose / Application is for | Original Equipment |
| Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | No |
| Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No |
| Grant Comments | Output power listed is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. End-users and installers must be provided with antenna installation and transmitter operating conditions for satisfying RF exposure compliance. |
| Is there an equipment authorization waiver associated with this application? | No |
| If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No |

| Test Firm Name and Contact Information | |
|---|---|
| Firm Name | Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch |
| Name | R**** C******** |
| Telephone Number | 886-3******** Extension: |
| Fax Number | 886-3******** |
| | r******@tw.bureauveritas.com |

Equipment Specifications

| Line | Rule Parts | Grant Notes | Lower Frequency (MHz) | Upper Frequency (MHz) | Power Output (W) | Tolerance | Emission Designator | Microprocessor Number |
|---|---|---|---|---|---|---|---|---|
| 1 | 15C | 20 28 | 2412.00000000 | 2462.00000000 | 0.0320000 | | | |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details
This product uses the FCC Data API but is not endorsed or certified by the FCC